VPN Questions

current vm topology:

whonix, appvms -> proxyvm: firewall -> proxyvm: vpn -> netvm -> internet

  1. I installed the vpn in its own proxyvm so as not to break netvm. I’m not sure that this is the best place for it. Watching netvm traffic with iftop, some connections are still being made (probably dom0, template updates). I will install vpn-firewall on the vpn proxy vm and see if the connections drop. Otherwise, I may need to move the vpn to netvm.

  2. I would like to install your vpn-firewall on the proxy vm. I just became slightly familiar with Debian and am now back to 0 knowledge with Fedora. Do any modifications need to be made to /usr/bin/vpnfirewall? The plan is to place the script in /rw/… and modify /rw/config/rc.local to run vpnfirewall. Any other advice?
    edit:
    Looks like vpn-firewall needs to be on netvm regardless of where vpn is installed since everything needs to be routed to 10.137.1.1 (netvm). I don’t want to mess up any iptables in netvm though. Is there some way to change vpn-firewall so that it allows traffic to vpn.ip.00.00 via 10.137.1.1 ONLY?

  3. With vpn-firewall in place, proxyvm: firewall probably becomes redundant? I have no idea so I’ll leave it in place to be safe. Don’t understand yet how the update proxies work.

#1 probably belongs upstream on the Qubes mailing list, but I have come to trust and value your advice. Thanks.

Seems like 2 ways to implement vpn-firewall:

A:

  1. cp ./usr/bin/vpnfirewall /rw/config
  2. chmod +x /rw/config/vpnfirewall
  3. append to /rw/config/rc.local : /rw/config/vpnfirewall
  4. start openvpn

B:

  1. cp ./etc/init.d/vpnfirewall /rw/config/init.d
  2. edit paths in /rw/config/init.d/vpnfirewall
  3. append to /rw/config/rc.local : chkconfig /rw/config/init.d/vpnfirewall start

Is this correct? Which is preferable?
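For readers following the thread, here is an added example (not the Whonix vpn-firewall script and not the poster's setup) of the kind of fail-closed ruleset option A would launch from /rw/config/rc.local in the vpn proxyvm: only the tunnel handshake may leave via the uplink interface, and nothing forwarded from downstream AppVMs may bypass the tunnel. The endpoint address, port, protocol and interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the Whonix vpn-firewall script: a minimal fail-closed
# VPN firewall for a Qubes ProxyVM that runs OpenVPN. Every value below is
# a constructed placeholder; override it via the environment.
VPN_SERVER_IP="${VPN_SERVER_IP:-203.0.113.10}"   # placeholder VPN endpoint
VPN_SERVER_PORT="${VPN_SERVER_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
UPLINK_IF="${UPLINK_IF:-eth0}"   # link toward the NetVM (10.137.1.1 in the post)

# Emit the ruleset as iptables commands instead of running them, so the
# policy can be reviewed and tested before it is applied as root.
# Locally generated traffic on the uplink goes through VPN_FW, which only
# passes replies to accepted flows and the OpenVPN handshake; anything
# forwarded from AppVMs straight to the uplink is dropped, so a tunnel
# failure cuts them off instead of leaking clearnet traffic.
# (Redirecting AppVM DNS to the VPN's resolver is a separate step.)
vpn_rules() {
    cat <<EOF
iptables -N VPN_FW || iptables -F VPN_FW
iptables -A VPN_FW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_FW -p $VPN_PROTO -d $VPN_SERVER_IP --dport $VPN_SERVER_PORT -j ACCEPT
iptables -A VPN_FW -j DROP
iptables -I OUTPUT 1 -o $UPLINK_IF -j VPN_FW
iptables -I FORWARD 1 -o $UPLINK_IF -j DROP
EOF
}

# Sanity check before applying: exactly one rule may ACCEPT new traffic to a
# destination, and it must name the configured endpoint. Returns 0 if so.
check_rules() {
    accepts=$(vpn_rules | grep -c -- "-d .* -j ACCEPT")
    [ "$accepts" -eq 1 ] &&
        vpn_rules | grep -q -- "-d $VPN_SERVER_IP --dport $VPN_SERVER_PORT"
}

# Apply for real (needs root). Call this from /rw/config/rc.local so the
# policy survives reboots of the template-based ProxyVM, as in option A.
apply_rules() {
    check_rules || { echo "refusing to apply an inconsistent ruleset" >&2; return 1; }
    vpn_rules | while IFS= read -r cmd; do eval "$cmd"; done
}
```

Sourcing the file and calling `apply_rules` from rc.local applies the policy at boot; `vpn_rules` alone prints it for inspection without touching the firewall.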