Search the Community

Hello! No I don't think so. Edit: There's a rough set of instructions here on Qubes-related things.

Is there any guide on how to use Eddie on qubes 4?

Hi Casper31. Thanks for the heads up. I'm a very much a novice here and am getting my head around QUBES and WHONIX. [One problem seems to be, I think I read, that QUBES has problems with some graphics cards.] A problem, I think, is that ToR appears to be compromised to some extent, according to news reports on the Snowden docs and also multiple court filings. So, if you want anonymity, privacy and security, you need a VPN + Tor or VPN + Qubes/Whonix. I have been reading up on the various tech collectives helping folks in repressive countries avoid being detected. For them, it can be a matter of life or death - and so these discussions. There are a number of people advocating a VPN cascade /multihop and ToR - another approach I've seen. But I do not have the technical expertise to judge. Given the way the West is itself engaging in mass surveillance, we may all need such technology soon. Even keeping a hand written diary is now illegal in some countries, if you work for or worked for the government there. Hello 1984.

rc4 is out:https://www.qubes-os.org/news/2018/01/31/qubes-40-rc4/ ​Hope that its more user friendly.I think isolation enhance your privacy.

Qubes can be complicated even for advanced users. Why would you choose a main OS you don't feel comfortable with? VPN is set inside the ProxyVM. The steps are described here: https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-networkmanager

I'm a complete noob with Linux. I have absolutely no idea about any of the command line. I've tried using the Quebs documentation, but it's clearly written for people who know what they are doing, as it doesn't say how to do the things, just that they have to be done. For one, I have no idea how to get the Airvpn config file into the relevant folders and even if I could get them there, I don't know what to do with them because the documentation just says "Set up your VPN as described in the NetworkManager documentation linked above." Well, I don't see that documentation. I really have no idea what to do. Any help is appreciated.

Hi there. I have been thinking of dabbling with Qubes and also Whonix. This short explanation is very helpful. T

So i downloaded the config files from AirVPN, set it to Linux, tried both UDP and TCP, in the network connection i did import saved VPN configuration and i save that. Then i try to connect to it and nothing. "connection failed because VPN connection timed out" I tried this both in sys-net, AppVM, and in proxyVM based on fedora-23. not sure what i'm doing wrong?

Qubes offers great protection of your privacy. First, since everything is compartmentalized. a compromised browser/PDF reader etc will not give the attacker access to the rest of your system and sensitive files. Secondly, the networking system and ProxyVM's make it very easy to route your(or part of your) traffic through VPN/Tor, and if the VM is compromised, it cannot obtain your real IP address since all its traffic is routed through the ProxyVM. Mullvad has already donated to Qubes OS. They have a decentralized bitcoin fund (https://www.qubes-os.org/news/2016/07/13/qubes-distributed-fund/) and are also on Open Collective(https://opencollective.com/qubes-os) which offers great transparency and pays the individual developers directly.

Hi. ​This sounds very interesting, indeed. I'll have a look, although it sounds quite challenging as well. ​ ​Perhaps for your interest: I run following setup, recommended and written from a Qubes community member, successfully; it's without 'Eddie' client: https://github.com/tasket/Qubes-vpn-support – and I am not an advanced user. An AirVPN proxyVM (Debian 9 template) which gives me speeds around 60 MBit/s (100 MBit connection according to my ISP) with Turris Omnia 2GB router. The AirVPN config generator file is Linux/Netherlands/TCP/443, no special settings in the router. ​ ​This setup, a little bit different from the »official« Qubes VPN proxy guide, works with Whonix/Tor as well – much slower speed, of course. Best regards, ​O. ​ ​ ​

Hello. What do you think would produce the best balance between security and speed? 1. Running AirVPN's client 'Eddie' in sys-netVM. 2. Putting AirVPN's OpenVPN config into Turris Omnia 2 GB router. 3. Setting up a VPN gateway in Qubes as described in Qubes' docs. Hardware: Asus »Zenbook«, Intel i5-5200U, 2.20 GHz, 12 GB RAM. Any hints and ideas are very much appreciated. Best regards. ​ PS: This also refers to the very interesting topic: ​https://airvpn.org/topic/22471-qubes-whonixtor-airvpn-world/?hl=qubes

Indeed, I find it very interesting! I haven't personally tested it, but there's no reason it shouldn't work. I've tried other VPN services that offer TCP VPN connections and it works as expected. The major downside to this simpler approach is that there isn't randomization for the VPN session to restart, which kills some of the anonymity with it, if your threat model includes a global adversary. I've setup bash scripts before to randomly connect to a different server, but I'd have to redo them if you'd want that. I think the best thing to use is the Eddie client though. Maybe this weekend I'll get around to writing a guide for getting that setup, but it depends. If you're eager to try and figure it out, here's a quick and dirty (pictureless) guide: 1) read the Network Lock documentation here: https://airvpn.org/faq/software_lock/ and use these rules to create a custom firewall (in /rw/config/qubes-firewall-user-script) that disables OUTPUT by default, allows connecting to the AirVPN servers (I just used the DNS results from earth.all.vpn.airdns.org, more here: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses/) and doesn't allow forwarding to the eth0 device (In the Qubes docs, it is the last line for the /rw/config/qubes-firewall-user-script). Also, Eddie client runs as root during runtime, so you need to allow root user access to eth0. 2) For persistence of user data, since everything outside of /rw and /home are deleted upon reboot, I installed beesu in my TemplateVM so the AirVPN client can be started as a user, and my AirVPN login data is written to a persistent directory. 3) Then you need to disable Network Lock in the client (since qubes firewall will take care of it). 4) Edit the OpenVPN directives to allow running of the qubes-vpn-handler.sh on up and down like in the Qubes docs for manual configuration, and disable DNS I think that's it.. There were tons of other things that I did for my own personal interest, but I think that's a good starting point if you (or anyone, perhaps an AirVPN employee? .) to get a Qubes ProxyVM with the Eddie client working. The main takeaway is that Qubes VMs do not play nicely with a service that runs iptables commands directly, especially flushing the firewall setup. Whenever a VM that is downstream from the VPN is powered on/off, or networking is modified, Qubes will flush everything and setup networking to allow the new VM to access the internet. This is problematic, since if all the firewall rules are flushed without Qubes knowing, VMs behind the ProxyVM will have no way to access the internet. With the release of 4.0 though, it might be fixed.

Qubes very neat

Ah, I've been thinking about writing a guide to setup the AirVPN client in Qubes for a few days, but I'm unsure about the modifications I've made thus far. For user -> Tor -> VPN, what is important to know is that you need a TCP connection for the VPN. Use the config generator to get a TCP openvpn file, then you should be able to follow the docs on the Qube's site to setup a manual OpenVPN connection. Note that Whonix Workstations require that they connect to a Gateway, so if your VM's networking looks like VM -> AirVPN -> sys-whonix -> sys-firewall -> sys-net, your VM must NOT be Whonix Workstation. For the AirVPN (Eddie) client, it's a little bit more involved.. I might make a post on the forums here just as a general idea, but I'm uncertain about my current firewall rules and would not rely on it to absolutely not leak. In my current tests, it doesn't forward my AppVMs to the internet without the VPN and there are no DNS leaks, but I have yet to try manually blocking connections physically, e.g. at the router. Also for Tor users, there might be a benefit of randomization to turn off and on the VPN.. depends what the devs think though.

Hey all, new to AirVPN. I've been trying to get the above setup working (only a day left until I have to renew) and it's definitely been a challenging one. Essentially, I'd like to have Me -> Tor -> AirVPN within a highly secure Operating System, and at the moment Qubes/Whonix seem to fit that description best as actively developed OS'. I have been trying to follow this guide: https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts , installing the AirVPN client on the ProxyVM. and using it as a bridge between whonix workstation and wonix gateway however AirVPN fails to connect to any servers. Using the browser inside the AirVPN VM does work however, showing the Tor address. An easy to follow guide from Air on how to set up something like this would be awesome. I read this as well: https://airvpn.org/tor/ but if I'm being honest I wasn't sure how to apply the concepts in that article to Qubes/Whonix. I'm also open to suggestions on an easier method of achieving my goal of secure OS + Tor/VPN, even if it means using a different OS. Thanks.

One thing that particularly concerns me, is that this dump has proven for a fact that every operating system we currently know of is compromised. The list included Windows, Linux, OSX, Android and iOS. It would be safe to assume most if not all variations of these operating systems, including those deriving from Linux are also compromised in some way. So it leaves the question, if they are all compromised, and every Anti-Virus program is bypassed, then how can we protect ourselves? It will cease to matter if you are using a VPN or Tor if every machine is simply compromised at its core. Would it be too unthinkable to hope that the same forces that gave us Tor and VPN's would act to provide us with secure operating systems? TAILS and Qubes already exist, although i have difficulty believing they are sufficient given the latest revelations. One other thing that should be mentioned is that while we have alternatives for PC's, no alternative more secure OS options currently exist to my knowledge for Android and iOS devices, and their vulnerability is even more critical given their portability and access to information. I for one am infuriated that these organizations have been developing these tools and exploits. If the CIA and FBI and NSA should be doing anything, it's making American cyber infrastructure for both private and government uses more secure than ever before, not more vulnerable. By weakening us, they have weakened themselves in their never ending lust for a 1984 Orwellian future where they could have complete control. In their supposed effort to strengthen the fight on terrorism, they have brittled the American digital backbone, which is becoming evermore critical to maintaining our way of life.

I cannot tell whether you could tell that i was agreeing with you, but i do. Windows 10 has no privacy. I am actually quite surprised to read what you were able to turn up in terms of trackers and Microsoft spyware. That however leaves the question, is any Windows secure or private? It's quite probable that they are all compromised with some sort of Microsoft tracking or spyware tools. If you have to use Windows i would suggest Windows 7, if you are gaming or absolutely need Windows applications. Anything else i would suggest either using mainstream linux with security tweaks or something like TAILS or Qubes.

Thanks a lot! »maybe see if she can get airvpn« (cm0s #2) ​It's running in my router, so she's also connected via AirVPN. ​ ​The – possibly paranoid – question is, if an attacker could find a way through her outdated machine/browser via my router into my machine. ​But, okay, everything is »hackable«. Nevertheless​, as a medium talented user I'm quite proud of successfully running Qubes OS. Cheers, O.

This is old news from Thu 04 August 2016, but I though users would find this Security Vulnerability interesting. http://blog.quarkslab.com/xen-exploitation-part-3-xsa-182-qubes-escape.html#id24

Hello all. How dangerous could following set-up be for my machine(s)? - My neighbor connects to the internet via wi-fi guest network (admin not allowed) at my Asus RT-AC56U (no WPS, very strong WPA2 passwords). She runs a MacBook 1,1 from 2006, OSX 10.6, which can't be updated anymore, outdated browsers etc., and is a very unexperienced computer user. - I'm running Qubes 3.2, quite secure (AirVPN in wi-fi router) set-up, I think/hope, at an Asus Zenbook UX303. Thanks a lot for you ideas, O.

No operating system should be considered wholly secure. There are exploits for every known operating system and likely many more that the IT community is unaware of, almost certainly some of which are produced by governments and security agencies. It's kind of like that quote from Animal Farm that was coincidentally written by George Orwell "All animals are equal, but some animals are more equal than others" All operating systems are insecure, however some are more insecure than others. If you want the maximum level of security, i would not recommend using any mainstream OS such as major linux distributions, all versions of Windows and Mac OSX and all other Apple OS variants. There are operating systems such as TAILS and Qubes which are designed by security professionals with their own attributes. As i understand it TAILS specializes in not storing any information whatsoever and routing all traffic through Tor, while Qubes specializes in isolating code from other code and preventing system exploits. Don't take my word for it though, i have never used one of these before, but i am certain there are people in the community that have much more knowledge of OS security than i do, just putting in my two cents.

For User-Agent there obviously is, but other ones are in your OS TCP stack and the sizes and sequence of your packets. The easiest solution in this case would be using a gateway that reassembles the TCP packets in it's own order of the OS, for example Tor exits do that - there are many usability and latency disadvantages in this implementation but if metadata elimination is absolutely critical you can use that. Also you have privacy focused distros like Whonix, Qubes and Tails which have identical stamps to all users around the world, something those suspects in 2004 obviously didn't have.

Bump Ive been trying everything i can to solve this, but still unable to get the Browser VM proxy thought the AirVPN Proxy VM when network lock is on. Leaks when network lock is off. For colaberation, ive started a thread on the Qubes OS Google group here > https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg Perhaps there is a way to leave the lock off, and set the IP Tables manually? Or perhaps setup some firewall rules? Unfortunately this is currently beyond my Linux/Qubes skill level. Cheers.

How are you finding network lock? And leaks? I recomend running a leak test, if your not using network lock. Maybe you setup some customer IP tables? I would love to know what you did https://airvpn.org/topic/20157-problem-with-network-lock-on-qube-os/?hl=qubes

I've setup AirVPN on a Fedora VM in Qubes OS, as a Proxy VM. Unfortunately with Network Lock on, the traffic is blocked from the VM trying to proxy through the AirVPN VM. I will outline bellow for clarity. 0. The internet. 1. sys-net VM 2. sys-firewall VM 3. Sys-AirVPN proxy VM 4. Browsing VM With network lock on, 4 can not access the internet. With network lock off, 4. can surf internet, but FAILS Leak tests. Revealing real IP. Obviously some type of configuration needs changing in with the network lock config to allow traffic from 3 to 4, and 4 to 3. But locking down any leaks from 3 still. This is beyond my knowledge of linux. I hope someone more knowledgeable can solve. Thx.