Search the Community

Hi. ​This sounds very interesting, indeed. I'll have a look, although it sounds quite challenging as well. ​ ​Perhaps for your interest: I run following setup, recommended and written from a Qubes community member, successfully; it's without 'Eddie' client: https://github.com/tasket/Qubes-vpn-support – and I am not an advanced user. An AirVPN proxyVM (Debian 9 template) which gives me speeds around 60 MBit/s (100 MBit connection according to my ISP) with Turris Omnia 2GB router. The AirVPN config generator file is Linux/Netherlands/TCP/443, no special settings in the router. ​ ​This setup, a little bit different from the »official« Qubes VPN proxy guide, works with Whonix/Tor as well – much slower speed, of course. Best regards, ​O. ​ ​ ​

Exactly. It's not even the vanilla FreeBSD kernel, it's a special pfSense kernel based on it. You can add extra packages to the distro to extend its functionality but these are "professional" like proxies, DHCP/DNS servers, monitoring tools, etc. Yes, should be avoided. Again, you don't need to throw money at it before you know exactly and without doubts that the functionality provided by the hardware is exactly what you need. In this case, forget activities that need direct/low-level access to hardware. Like gaming. Qubes OS is if you want to reverse engineer malware in one cube, do banking in another, social networking in a third, so that Tinder doesn't know of your banking activities and/or malicious code can't compromise the other two. I won't answer the second question because all the info is in the Qubes FAQ. Please go through it. Furthermore, I propose that your paranoia is to be destroyed.

Bump Ive been trying everything i can to solve this, but still unable to get the Browser VM proxy thought the AirVPN Proxy VM when network lock is on. Leaks when network lock is off. For colaberation, ive started a thread on the Qubes OS Google group here > https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg Perhaps there is a way to leave the lock off, and set the IP Tables manually? Or perhaps setup some firewall rules? Unfortunately this is currently beyond my Linux/Qubes skill level. Cheers.

You don't have a desktop GUI but the standard AirVPN (Eddie) is GUI based. You should use airvpn-cli instead: https://airvpn.org/topic/11541-command-line-edition-and-syntax/ Thanks for the reply. I do have a GUI, But not the debian OS GUI. Im running Qubes OS. Its a type 1 hypervisor based on Xen. Unlike running a guest in VirtualBox, you cant see the Guest OS desktop GUI in Qubes. Instead each application, from each, guest runs seamlessly together on 1 desktop. But are actually completely isolated for security reasons. This means tho, i dont have access to the traditional desktop system tools GUI menu. I would still like to run the AirVPN GUI client tho, as it shows useful info, easy to change servers etc. Hopefully that makes sense. I imagine Ur probably already familiar with Qubes OS UPDATE: As i was having trouble with debian Eddie, ive switched the guest to FEDORA 23. Which properly installs without portable. So now i just need to work out how to make this auto start in fedora 23?? Then how to lock down firewall rules to stop leaks if Airvpn closes? Or if anyone has a solution for Eddie auto start? Im a lot more familur with Debian then fedora, so either way i get suck haha.

Thank you for your answer. Yes I did. However it concerns the use of the ordinary openvpn client, with fail-close filter rules to be applied manually. For the sake of knowledge: I also tried with the Hummingbird client. It apparently succeeded to set the network lock in a Debian qube, though warning that "Kernel module iptable_filter not found" (maybe it's what Eddie didn't like?) and stating that "Network filter and lock is using iptables-legacy" despite Debian 10 using nftables. The result is a mixing of the qube's nftables rules and of the vpn client's iptables-legacy rules. It goes better with ./hummingbird xxx.ovpn --network-lock nftables : the vpn client stops complaining about iptable_filter and sets a nftables network lock. In both cases, however, hummingbirds' network lock puts a DROP in the forward chain including the tunnel interface, so the setting of a vpn gateway as per the documentation linked by @giganerd doesn't work. Coming back to Eddie, perhaps the reported problem comes from its trying to use iptbles-legacy netlock mode too. It's a pity, because the vpn client of another known vpn provider worked effortlessly in Debian qubes, included network lock compatibility with a vpn gateway. Perhaps I was just lucky?

rc4 is out:https://www.qubes-os.org/news/2018/01/31/qubes-40-rc4/ ​Hope that its more user friendly.I think isolation enhance your privacy.

Qubes can be complicated even for advanced users. Why would you choose a main OS you don't feel comfortable with? VPN is set inside the ProxyVM. The steps are described here: https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-networkmanager

I successfully created a ProxyVM within QubesOS using hummingbird and I confirm that connection works, however I have problems when trying to use this ProxyVM connections for other AppVM's. They basically do not connect. Accoring to QubesOS VPN section, it should be all working but it is not. I mean, I do not expect a solution here, I think I should post to QubesOS but heads up for hummingbird working (more or less lol) in Qubes.

Hello! The explanation in the link you provided looks relatively straightforward to me. I have to admit that I didn't try it out myself. It may seem a little overwhelming at first but I think you should pick out what you think to be useful for your purposes and just try it out. You could also read about virtualization&virtual machines and compartmentalization. There's a very interesting paper by Joanna Rutkowska about the Qubes OS and its software compartmenatlization approach: http://www.invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf There's a tutorial as well providing an insight into what's possible and how to use it. https://events.linuxfoundation.org/sites/events/files/slides/LinuxCon_2014_Qubes_Tutorial.pdf You would need a CPU capable of VT-x and VT-d. There's a list with what's been tested so far: https://www.qubes-os.org/hcl/ Regarding your question you can assign a network/VPN VM to specific apps while others (e.g. password manager) stay disconnected (you don't assign a netvm). It is a sophisticated approach that needs time getting used to it and reading to understand what and how to do it. Once you are satisfied with how your Vms work you can easily make a backup with one click. You should read the documentation carefully before using the mailing list (google groups) if you get stuck. In the latest version you can even use Windows-based AppVMs. https://www.qubes-os.org/doc/UserDoc/ This could be a nice, secure and very organized way of achieving your goal. Have fun!

I have successfully used eddie-ui in Qubes 4.0... however, with a caveat... I can only use it on individual APPVm... not system-wide... I've had success using ExpressVPN on the netvm System-wide.... albeit with a caveat... the network lock-down only works once a connection is established... and everything passes the dns leak test...

No operating system should be considered wholly secure. There are exploits for every known operating system and likely many more that the IT community is unaware of, almost certainly some of which are produced by governments and security agencies. It's kind of like that quote from Animal Farm that was coincidentally written by George Orwell "All animals are equal, but some animals are more equal than others" All operating systems are insecure, however some are more insecure than others. If you want the maximum level of security, i would not recommend using any mainstream OS such as major linux distributions, all versions of Windows and Mac OSX and all other Apple OS variants. There are operating systems such as TAILS and Qubes which are designed by security professionals with their own attributes. As i understand it TAILS specializes in not storing any information whatsoever and routing all traffic through Tor, while Qubes specializes in isolating code from other code and preventing system exploits. Don't take my word for it though, i have never used one of these before, but i am certain there are people in the community that have much more knowledge of OS security than i do, just putting in my two cents.

DNSCrypt is not a standard of IETF. DoH is. Define your own scope, a standard protocol with internet giants, or a non-standard one with volunteers. The end case is the same, they are both end-to-end encrypted, so you are safe from your ISP/VPN, just decide which party you prefer to trust more. Personally I go with a Torified DoH everywhere in Qubes.

what i like about ricochet is the fact it can use tor alpha 3 torrc on arch. meaning you can set your torrc say you want to chroot it also, to strictmode, avoid any servers that have been known to inject anything, i chatted with a couple of folks on ricochet on hope they move it forward with next gen onion, so for example right now i have it running, i got tor alpha from the AUR, got ricochet, themed it, tor runs in chroot via arch linux wiki instructions, again, this is all layers, the local repo chat laptop is basically stand alone, meaning it's not doin anything else and behind airvpn stunnel openvpn, that's basically just my tor box, it hosts my tokzco onion site version 3 and my local arch repo i don't browse tor sites on that box or much of anything else, it's a lazy way of compartmentalization also qubes and whonix etc are all cool and all but yeah i'm not into the work load of switching everything over and straight up, i don't trust the tor browser version at all reason is you look through it it is serious bloat shit and call out to google etc and mozilla big time the browser is the most targeted app and why i don't like to load anything up to chat through it either online irc in general has become shit, almost every chat url you can find online via clearnet search engines is all shit links to sicko shit, imho a deliberate campaign, there is more sick shit on facebook just by sheer volume there are family friendly spots on the onion and decent places to chat clearnet and often tor 'search engines' don't do much to help reason is this, it's about ad revenue, about money, google and everyone else wants us to think that if we all of a sudden get 'anon' that we lose our minds and load up negative content or get into bad stuff it's psychological warfare 101 and they do it well i'm more or less 'squeamish' there is a lot of stuff on youtube i can't handle today anyway my point is, ricochet is a solid so far to me because it does nothing else you check it on github you will see a lot of folks involved with it in the issues tab that's a good sign i sent staff an apology, goin back through fixing some posts long story short, my family got involved in hijacking my inheritance and the banks knew, law enforcement has also been involved in covering some things up, mail intercepts and forging courthouse legal docs i'm not making this shit up, wish i were, i'm sick to my gut me, i just wrapped up a decade of probation for getting stupid, shitfaced, went for a joy ride in a truck and yeah, so not cool there so last thing i want is any correspondence or attention from law enforcement or any courthouse, goin on 50, i just want left alone more than that, my 'family' absolutely had no reason to go behind my back plan anything out ahead to get money, if they had wanted it all or just had talked straight up to me, i'd most likely have agreed to whatever they want simply to just be left alone, coz my dad was not a good man, at all so yeah, i have been under some mental strain, real world heavy surveillance i'm naive in a lot of ways, i believe in the good of people tor, privacy, openvpn, i'm just like anyone else, i don't think about it much till i don't have it airvpn has been good to me, better than i deserve, i can't buy that or even earn that

​ ​ ​​Hi, ​ TAILS developers are not actively supporting VPN connections, as they claim:​ ​ ​ If you really want a secure system, ditch Windows - it is a joke. Remember Bill Gates calls Snowden a 'traitor' and actively allows backdoors into Skype, Bitlocker and other so called 'encrypted' programs for the Stasi based on disclosures. They and other mainstream corporates (Google, Apple etc) simply can't be trusted, ever. ​ ​Solution - migrate to FreeBSD or a linux distro as your main system. Easiest systems for Windows users to transition to IMO are: Linux Mint, Ubuntu. Debian & OpenSUSE for more intermediate users. TAILS is good to not leave any forensic trace on the computer you are using (think whistleblower) and to enforce encrypted Tor connections, hide MAC addresses etc, but not really suitable for everyday use for privacy/anonymity. ​ ​The gold paranoic standard O/S is Qubes (as your very secure host system, requires 64 bit infrastructure, uses Xen hypervisor), then using Whonix gateway and workstation over the top in a virtual environment. See here: https://www.whonix.org/wiki/Qubes ​ ​Whonix also enforces Tor connections (like TAILS), and has the benefit of little meta-data or forensic evidence on computer if each internet session is using a fresh Whonix image. Also, it will fake your time/date settings when making internet connections. ​ ​The benefit of this approach is VPN is easily incorporated theoretically (inside the network manager in the virtual machines) and you can incorporate multiple proxyVMs to compartmentalise your digital life. Also, you have many layers of network and session abstraction between you and the enemies of liberty, making their life difficult. With straight TAILS, you're just getting Tor, and the Stasi and ISP will know it. The Stasi can also apparently determine the difference in signatures between TAILS, Whonix and other types of Tor traffic (they are that good), so using it constantly will just get you lots of attention. ​ ​Re: deep packet inspection, Tor forums and elsewhere tells us the ISPs are capable of detecting Tor signatures, even when looking at encrypted OpenVPN traffic. So, to be sure, you should add a bridge into the mix if you think your ISP or government is actively looking for Tor users to de-anonymise. ​ ​In summary, forget TAILS as a standard O/S. Use it in the future when you are gonna do your best Edward Snowden impersonation ​ ​If you get all this up and running, spend a lot of time hardening the linux systems as per recommendations online, then you may eventually want to also ditch your commercial router and install something solid with PfSense running on it as a heavy duty firewall, with added intrusion detection systems etc. See online guides in these forums... ​ ​If you MUST use Windows for some program or other, consider either running the specific program with Play on Linux (if compatible), running Windows in a virtual environment, or dual booting your brand new Linux distro with Windows. This will of course require you shrinking down the size of the Windows partition to make way for a real operating system . Apparently some Windows stuff runs quicker in virtualisation, then in real life, because frankly Windows code is a piece of shit

I tried to use Qubes yesterday, but apparently my HP Z600 is not compatible. Oh well, Fedora it remains!

I have tried to search but have not found a clear answer to the question in the title. What I would ideally like to do is have a second firefox profile that can browse outside of the vpn (for netflix and the occasional other site) while leaving the vpn connection and network lock active for every other application on the computer. I currently use QubesOS to achieve this (and other things), but I am looking to move to another distribution while still having the feature above. I do not care if Eddie is used for the network lock or if I need to use iptables directly (or some other way), I just do not have the knowledge to work it out myself from scratch. I would be happy with a method to let certain sites bypass the network lock, but I understand that netflix makes this very difficult or impossible to do. I have seen information regarding forcing certain applications to use the vpn while the rest of the system does not, but I do not believe those methods can be used the other way around (I do not understand enough to be sure though). Link to the only post I can find again on the subject - https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398 Thank you to anyone who can help (even if it is to say it can not be done any easier than using Qubes after all)

What about Qubes 3.2?

Hello! No I don't think so. Edit: There's a rough set of instructions here on Qubes-related things.

Hi there. I have been thinking of dabbling with Qubes and also Whonix. This short explanation is very helpful. T

Qubes very neat

Ah, I've been thinking about writing a guide to setup the AirVPN client in Qubes for a few days, but I'm unsure about the modifications I've made thus far. For user -> Tor -> VPN, what is important to know is that you need a TCP connection for the VPN. Use the config generator to get a TCP openvpn file, then you should be able to follow the docs on the Qube's site to setup a manual OpenVPN connection. Note that Whonix Workstations require that they connect to a Gateway, so if your VM's networking looks like VM -> AirVPN -> sys-whonix -> sys-firewall -> sys-net, your VM must NOT be Whonix Workstation. For the AirVPN (Eddie) client, it's a little bit more involved.. I might make a post on the forums here just as a general idea, but I'm uncertain about my current firewall rules and would not rely on it to absolutely not leak. In my current tests, it doesn't forward my AppVMs to the internet without the VPN and there are no DNS leaks, but I have yet to try manually blocking connections physically, e.g. at the router. Also for Tor users, there might be a benefit of randomization to turn off and on the VPN.. depends what the devs think though.

One thing that particularly concerns me, is that this dump has proven for a fact that every operating system we currently know of is compromised. The list included Windows, Linux, OSX, Android and iOS. It would be safe to assume most if not all variations of these operating systems, including those deriving from Linux are also compromised in some way. So it leaves the question, if they are all compromised, and every Anti-Virus program is bypassed, then how can we protect ourselves? It will cease to matter if you are using a VPN or Tor if every machine is simply compromised at its core. Would it be too unthinkable to hope that the same forces that gave us Tor and VPN's would act to provide us with secure operating systems? TAILS and Qubes already exist, although i have difficulty believing they are sufficient given the latest revelations. One other thing that should be mentioned is that while we have alternatives for PC's, no alternative more secure OS options currently exist to my knowledge for Android and iOS devices, and their vulnerability is even more critical given their portability and access to information. I for one am infuriated that these organizations have been developing these tools and exploits. If the CIA and FBI and NSA should be doing anything, it's making American cyber infrastructure for both private and government uses more secure than ever before, not more vulnerable. By weakening us, they have weakened themselves in their never ending lust for a 1984 Orwellian future where they could have complete control. In their supposed effort to strengthen the fight on terrorism, they have brittled the American digital backbone, which is becoming evermore critical to maintaining our way of life.

I cannot tell whether you could tell that i was agreeing with you, but i do. Windows 10 has no privacy. I am actually quite surprised to read what you were able to turn up in terms of trackers and Microsoft spyware. That however leaves the question, is any Windows secure or private? It's quite probable that they are all compromised with some sort of Microsoft tracking or spyware tools. If you have to use Windows i would suggest Windows 7, if you are gaming or absolutely need Windows applications. Anything else i would suggest either using mainstream linux with security tweaks or something like TAILS or Qubes.

Hello all. How dangerous could following set-up be for my machine(s)? - My neighbor connects to the internet via wi-fi guest network (admin not allowed) at my Asus RT-AC56U (no WPS, very strong WPA2 passwords). She runs a MacBook 1,1 from 2006, OSX 10.6, which can't be updated anymore, outdated browsers etc., and is a very unexperienced computer user. - I'm running Qubes 3.2, quite secure (AirVPN in wi-fi router) set-up, I think/hope, at an Asus Zenbook UX303. Thanks a lot for you ideas, O.

Thanks a lot! »maybe see if she can get airvpn« (cm0s #2) ​It's running in my router, so she's also connected via AirVPN. ​ ​The – possibly paranoid – question is, if an attacker could find a way through her outdated machine/browser via my router into my machine. ​But, okay, everything is »hackable«. Nevertheless​, as a medium talented user I'm quite proud of successfully running Qubes OS. Cheers, O.