Continuing the discussion from Whonix-13-Workstation VPN-Firewall:
Working on Qubes!
VM Name: sys-vpn
VM Type: ProxyVM
NetVM: Whonix 12 Gateway
AppVM: Whonix 13 Workstation DispVM
sudo openvpn fails! (as it should)
SocksPorts traffic fails (obviously)
Just to confirm my understanding: the point of using user ‘tunnel’ is if attacker compromises openvpn process, he won’t gain root privileges but be limited to acting as ‘tunnel’, who does not have passwordless-root.
- ‘tunnel’ can change routes but can not alter whonix_firewall, meaning no traffic will bypass the tunnel (nor Tor - by Whonix design). However, tunnel can make connections through the vpn to the outside, as can any successful attacker.
- ‘tunnel’ should not have write access to openvpn.conf; otherwise, he can connect to a different vpn server, effectively bypassing the intended tunnel.
- ‘tunnel’ is not a member of group ‘user’ but will have read & execute access to most files in /home/user/ given Whonix default permissions. Would it break anything to chmod -R 750/751 /home/user?
Sorry, wasn’t able to check much of the documentation or the build since I didn’t have a Debian handy. On the bright side, I’ve got some notes on how to port to Fedora.
Assuming manual (non-systemd) openvpn launch: IN PROXYVM: ## CONFIGURE USER TUNNEL adduser tunnel chown -R tunnel:tunnel /var/run/openvpn ## To use openvpn conf dns script chown tunnel:tunnel /etc/resolv.conf touch /etc/resolv.conf.qubes chown tunnel:tunnel /etc/resolv.conf.qubes ## PERSISTENT IPTABLES (https://fedoraproject.org/wiki/FirewallD#Using_static_firewall_rules_with_the_iptables_and_ip6tables_services) (https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Security_Guide-IPTables-Saving_IPTables_Rules.html) dnf install iptables-services systemctl mask firewalld.service systemctl enable iptables.service systemctl enable ip6tables.service ## VPN-FIREWALL INSTALL clone repository cp /etc/vpn-firewall.d (add Qubes LOCAL_NET) cp /etc/sudoers.d/tunnel-unpriv (change to /sbin/ip) cp /usr/bin/ip-unpriv (change to /sbin/ip) "anondist-ify" /usr/lib/qubes/qubes-setup-dnat-ns cp lib/systemd/system/qubes-iptables.service.d/40_vpn-firewall.conf (customize) cp lib/systemd/system/qubes-firewall.service.d/40_vpn-firewall.conf (customize) systemctl daemon-reload edit vpn-firewall (add forward rules) sh ./vpn-firewall start /sbin/service iptables save (will restore rules on reboot) IN APPVM: edit /etc/resolv.conf to vpn's nameserver (which is on proxyvm resolv.conf - just need to query that somehow) no other changes (qvmm firewall is disabled)
Minor note (that cost me some hair):
Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
Standalone VPN-FIREWALL uses ip-unpriv (hyphen)
And a reminder:
Signed git tags and commits available. TODO: document how to verify, use some wiki template
Current signing key is expired. Probably can reuse documentation from https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation#OpenPGP_Verify_the_Source_Code
!PS: Just saw your post to qubes-users but I’m gonna post this anyway cause I started this many hours ago and I want to take my victory lap. Never knew what iptables was before I started using Whonix and never tried Fedora before using Qubes so I’ll grin for a bit before I go read your updates and see everything I did wrong!