sumwutnormal

Qubes -> Whonix/Tor -> AirVPN -> World

Hey all, new to AirVPN. I've been trying to get the above setup working (only a day left until I have to renew) and it's definitely been a challenging one.

 

Essentially, I'd like to have Me -> Tor -> AirVPN within a highly secure operating system, and at the moment Qubes/Whonix seem to fit that description best as actively developed OSes.

 

I have been trying to follow this guide: https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts , installing the AirVPN client on the ProxyVM and using it as a bridge between the Whonix workstation and the Whonix gateway; however, AirVPN fails to connect to any servers. Using the browser inside the AirVPN VM does work, however, showing the Tor address.

 

An easy to follow guide from Air on how to set up something like this would be awesome. I read this as well: https://airvpn.org/tor/ but if I'm being honest I wasn't sure how to apply the concepts in that article to Qubes/Whonix. I'm also open to suggestions on an easier method of achieving my goal of secure OS + Tor/VPN, even if it means using a different OS. Thanks.

Ah, I've been thinking about writing a guide to set up the AirVPN client in Qubes for a few days, but I'm unsure about the modifications I've made thus far. For user -> Tor -> VPN, what is important to know is that you need a TCP connection for the VPN. Use the config generator to get a TCP OpenVPN file, then you should be able to follow the docs on the Qubes site to set up a manual OpenVPN connection. Note that Whonix Workstations require that they connect to a Gateway, so if your VM's networking looks like VM -> AirVPN -> sys-whonix -> sys-firewall -> sys-net, your VM must NOT be a Whonix Workstation.

 

For the AirVPN (Eddie) client, it's a little bit more involved. I might make a post on the forums here just as a general idea, but I'm uncertain about my current firewall rules and would not rely on it to absolutely not leak. In my current tests, it doesn't forward my AppVMs to the internet without the VPN and there are no DNS leaks, but I have yet to try manually blocking connections physically, e.g. at the router. Also for Tor users, there might be a benefit of randomization to turn the VPN off and on; depends what the devs think though.


Thanks for your response.

I like that idea, using the config generator. Will give it a run, see how it goes and report back with my result. Would definitely like to see a functional secure setup with the AirVPN client as well though. Thanks again!


Qubes very neat

 

Indeed, I find it very interesting!

 

I haven't personally tested it, but there's no reason it shouldn't work. I've tried other VPN services that offer TCP VPN connections and it works as expected. The major downside to this simpler approach is that there isn't randomization for the VPN session to restart, which kills some of the anonymity with it, if your threat model includes a global adversary. I've set up bash scripts before to randomly connect to a different server, but I'd have to redo them if you'd want that. I think the best thing to use is the Eddie client though. Maybe this weekend I'll get around to writing a guide for getting that set up, but it depends.

 

If you're eager to try and figure it out, here's a quick and dirty (pictureless) guide:

 

1) read the Network Lock documentation here: https://airvpn.org/faq/software_lock/ and use these rules to create a custom firewall (in /rw/config/qubes-firewall-user-script) that disables OUTPUT by default, allows connecting to the AirVPN servers (I just used the DNS results from earth.all.vpn.airdns.org, more here: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/) and doesn't allow forwarding to the eth0 device (In the Qubes docs, it is the last line for the /rw/config/qubes-firewall-user-script). Also, Eddie client runs as root during runtime, so you need to allow root user access to eth0.

 

2) For persistence of user data, since everything outside of /rw and /home is deleted upon reboot, I installed beesu in my TemplateVM so the AirVPN client can be started as a user, and my AirVPN login data is written to a persistent directory.

 

3) Then you need to disable Network Lock in the client (since the Qubes firewall will take care of it).

 

4) Edit the OpenVPN directives to allow running of qubes-vpn-handler.sh on up and down, like in the Qubes docs for manual configuration, and disable DNS.

 

I think that's it. There were tons of other things that I did for my own personal interest, but I think that's a good starting point if you (or anyone, perhaps an AirVPN employee?) want to get a Qubes ProxyVM with the Eddie client working. The main takeaway is that Qubes VMs do not play nicely with a service that runs iptables commands directly, especially flushing the firewall setup. Whenever a VM that is downstream from the VPN is powered on/off, or networking is modified, Qubes will flush everything and set up networking to allow the new VM to access the internet. This is problematic, since if all the firewall rules are flushed without Qubes knowing, VMs behind the ProxyVM will have no way to access the internet. With the release of 4.0 though, it might be fixed.

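The firewall half of the recipe above (steps 1 and 4), as an added example; this is not code from the thread, from AirVPN or from the Qubes project. It is a /rw/config/qubes-firewall-user-script that drops everything leaving the ProxyVM except the root-owned OpenVPN TCP session to the listed entry addresses, lets the rest out only over the tunnel, and refuses to forward downstream qubes straight to the uplink, so a dropped tunnel fails closed. The interface names eth0/tun0, the 192.0.2.x entry addresses and port 443 are assumptions and placeholders: substitute the addresses and port from your own generated TCP .ovpn file (TCP because a Tor gateway only relays TCP streams). Setting IPT=echo prints the rules instead of applying them, which is how the script can be reviewed outside the VM.

```shell
#!/bin/sh
# /rw/config/qubes-firewall-user-script  (added example, not AirVPN's or Qubes' own code)
# Network-lock style rules for a Qubes ProxyVM that carries OpenVPN over TCP.
# Qubes runs this script after it rebuilds its own rules, so the lock is
# re-applied after every flush caused by a downstream qube starting or stopping.

IPT="${IPT:-iptables}"                      # IPT=echo -> dry run, print rules only

# PLACEHOLDERS (RFC 5737 documentation addresses): replace with the entry IPs
# from your generated .ovpn (or the DNS results for earth.all.vpn.airdns.org).
VPN_SERVERS="${VPN_SERVERS:-192.0.2.10 192.0.2.11}"
VPN_PORT="${VPN_PORT:-443}"                 # TCP port from the .ovpn; Tor carries TCP only
UPLINK_IF="${UPLINK_IF:-eth0}"              # assumed uplink towards sys-whonix
TUN_IF="${TUN_IF:-tun0}"                    # assumed OpenVPN tunnel interface

build_vpn_lock_rules() {
    # Step 1: default deny for anything originating in this ProxyVM.
    $IPT -P OUTPUT DROP
    # Loopback and replies to flows that were already allowed.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only thing allowed out of the uplink is the OpenVPN TCP session to the
    # listed entry addresses. Eddie runs as root, so the rule is bound to that uid;
    # a leak from any other process on the uplink hits the DROP policy.
    for srv in $VPN_SERVERS; do
        $IPT -A OUTPUT -o "$UPLINK_IF" -p tcp -d "$srv" --dport "$VPN_PORT" \
             -m owner --uid-owner root -j ACCEPT
    done

    # Everything else this VM sends (including DNS) may only leave through the tunnel.
    $IPT -A OUTPUT -o "$TUN_IF" -j ACCEPT

    # Step 4 / last line of the Qubes docs: never forward downstream qubes to the
    # uplink directly. If the tunnel is down, their traffic is dropped, not leaked.
    $IPT -I FORWARD -o "$UPLINK_IF" -j DROP
    $IPT -I FORWARD -i "$UPLINK_IF" -j DROP
}

# Apply for real only when Qubes invokes this file by its own name; sourcing it
# (or running it under another name, e.g. for review) just defines the function.
case "${0##*/}" in
    qubes-firewall-user-script) build_vpn_lock_rules ;;
esac
```

After the script is in place and the ProxyVM restarted, `iptables -S OUTPUT` inside the ProxyVM should list exactly the rules above with a DROP policy. The useful leak check is the one the post hints at: stop OpenVPN (or kill Eddie) and confirm from a downstream AppVM that nothing reaches the network at all, and that no DNS query leaves eth0 while the tunnel is down.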

Hi.

 

This sounds very interesting, indeed. I'll have a look, although it sounds quite challenging as well.

Perhaps for your interest: I run the following setup, recommended and written by a Qubes community member, successfully; it's without the 'Eddie' client: https://github.com/tasket/Qubes-vpn-support – and I am not an advanced user. An AirVPN proxyVM (Debian 9 template) which gives me speeds around 60 MBit/s (100 MBit connection according to my ISP) with a Turris Omnia 2GB router. The AirVPN config generator file is Linux/Netherlands/TCP/443, no special settings in the router.

This setup, a little bit different from the »official« Qubes VPN proxy guide, works with Whonix/Tor as well – much slower speed, of course.

 

Best regards,

O.
