Standalone VPN-Firewall (new Tunnel Firewall)

Continuing the discussion from Whonix-13-Workstation VPN-Firewall:

Working on Qubes!

Test Setup
VM Name: sys-vpn
VM Type: ProxyVM
Template: fedora-23-minimal
NetVM: Whonix 12 Gateway
AppVM: Whonix 13 Workstation DispVM

Fail-closed works!
sudo openvpn fails! (as it should)
SocksPorts traffic fails (obviously)

Just to confirm my understanding: the point of using user ‘tunnel’ is if attacker compromises openvpn process, he won’t gain root privileges but be limited to acting as ‘tunnel’, who does not have passwordless-root.

  • ‘tunnel’ can change routes but can not alter whonix_firewall, meaning no traffic will bypass the tunnel (nor Tor - by Whonix design). However, tunnel can make connections through the vpn to the outside, as can any successful attacker.
  • ‘tunnel’ should not have write access to openvpn.conf; otherwise, he can connect to a different vpn server, effectively bypassing the intended tunnel.
  • ‘tunnel’ is not a member of group ‘user’ but will have read & execute access to most files in /home/user/ given Whonix default permissions. Would it break anything to chmod -R 750/751 /home/user?

Sorry, wasn’t able to check much of the documentation or the build since I didn’t have a Debian handy. On the bright side, I’ve got some notes on how to port to Fedora. :slight_smile:

Assuming manual (non-systemd) openvpn launch:

adduser tunnel
chown -R tunnel:tunnel /var/run/openvpn
## To use openvpn conf dns script
chown tunnel:tunnel /etc/resolv.conf
touch /etc/resolv.conf.qubes
chown tunnel:tunnel /etc/resolv.conf.qubes

dnf install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service

clone repository
cp /etc/vpn-firewall.d (add Qubes LOCAL_NET)
cp /etc/sudoers.d/tunnel-unpriv (change to /sbin/ip)
cp /usr/bin/ip-unpriv (change to /sbin/ip)
"anondist-ify" /usr/lib/qubes/qubes-setup-dnat-ns
cp lib/systemd/system/qubes-iptables.service.d/40_vpn-firewall.conf (customize)
cp lib/systemd/system/qubes-firewall.service.d/40_vpn-firewall.conf (customize)
systemctl daemon-reload

edit vpn-firewall (add forward rules)
sh ./vpn-firewall start
/sbin/service iptables save (will restore rules on reboot)

edit /etc/resolv.conf to vpn's nameserver
(which is on proxyvm resolv.conf - just need to query that somehow)
no other changes (qvmm firewall is disabled)

Minor note (that cost me some hair):
Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
Standalone VPN-FIREWALL uses ip-unpriv (hyphen)

And a reminder:

Signed git tags and commits available. TODO: document how to verify, use some wiki template

Current signing key is expired. Probably can reuse documentation from https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation#OpenPGP_Verify_the_Source_Code

!PS: Just saw your post to qubes-users but I’m gonna post this anyway cause I started this many hours ago and I want to take my victory lap. :slight_smile: Never knew what iptables was before I started using Whonix and never tried Fedora before using Qubes so I’ll grin for a bit before I go read your updates and see everything I did wrong!

1 Like

To my surprise, because Fedora is entirely unconsidered and untested during development.

No. None of this. It is to separate out tunnel / vpn traffic from all other traffic. Otherwise from iptables level, there is no way to figure out which traffic is for the VPN. IP/PORT based filtering to allow only traffic to the VPN server alone is insufficient. ( https://github.com/adrelanos/vpn-firewall/issues/12 )

Now updated on whonix.org server.

These can be reused:


Should no longer be necessary.

If someone ever does the Fedora packaging for VPN-Firewall that could be automated with fedora specific packaging patches.

Please also regard:

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]