ChatGPT trying to help set up VPN

I have been attempting to get OpenVPN set up and have run into numerous guides with different instructions. I end up getting tied up somewhere along the line, so I put one in-depth guide into ChatGPT to ask it to give me instructions, and it came up with a different instruction set to do this. Can anyone tell me how accurate these instructions are? I’ll try it out in a disposable qube just to see if it works, but I thought it was interesting.

  • Open the Qube Manager by clicking on the “Q” button in the top left corner of your QubesOS desktop.
  • Click the “Create VM” button and fill out the VM creation wizard with the following settings:
      • Name: Choose a name for your ProxyVM
      • Type: ProxyVM
      • Template: Choose a template for your ProxyVM
      • Networking: Select the default network settings or customize them as needed
      • Color: Choose a color for your ProxyVM
  • After creating the ProxyVM, open its settings by right-clicking on it and selecting “Settings”.
  • In the “Services” tab, click the “+” button and select “network-manager” from the list of available services. Click “OK” to save the changes.
  • Configure your VPN as described in the NetworkManager documentation linked in step 3.
  • (Optional) To make your VPN start automatically, edit the /rw/config/rc.local file and add the following lines:

```bash
# Automatically connect to the VPN once Internet is up
while ! ping -c 1 -W 1 1.1.1.1; do
   sleep 1
done
PWDFILE="/rw/config/NM-system-connections/secrets/passwd-file.txt"
nmcli connection up file-vpn-conn passwd-file "$PWDFILE"
```

Replace “file-vpn-conn” with the name of your VPN connection file. You can find this file in /rw/config/NM-system-connections/.

Create the /rw/config/NM-system-connections/secrets/ directory if it doesn’t exist yet. Place your VPN certificates and keys in this directory, and create a new file /rw/config/NM-system-connections/secrets/passwd-file.txt with the following contents:

```
vpn.secrets.password:XXXXXXXXXXXXXX
```


Replace "XXXXXXXXXXXXXX" with your actual VPN password. The contents of `passwd-file.txt` may differ depending on your VPN settings. See the [documentation for `nmcli up`](https://www.mankier.com/1/nmcli#up) for more information.
  • (Optional) To make the network fail-close for the AppVMs if the VPN connection breaks, edit the `/rw/config/qubes-firewall-user-script` file and add the following lines:

```bash
# Block forwarding of connections through upstream network device
# (in case the VPN tunnel breaks)
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
```

  • Configure your AppVMs to use the new VM as a NetVM by right-clicking on the AppVM and selecting “Settings”. In the “Applications” tab, select “Network” from the left-hand side, and then select the name of your ProxyVM from the “NetVM” drop-down menu.

Once you have completed these steps, your ProxyVM should be set up as a VPN gateway using NetworkManager, and your AppVMs should be able to use it as a NetVM to access the Internet through the VPN connection.
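The fail-close rules quoted above only help if they sit ahead of any ACCEPT rule that could match traffic on the upstream device. The following check is an added example, not part of the original post or of any Qubes tooling: the function name `check_fail_close` and the sample rule dumps are constructed for illustration, and it assumes rule listings in the format printed by `iptables -S FORWARD`.

```shell
#!/bin/sh
# Added example: verify fail-close FORWARD rules in an `iptables -S FORWARD` dump.
# Reads the dump on stdin; $1 is the upstream interface (eth0 in the post above).
# Returns 0 only if unconditional DROP rules for both directions on the uplink
# precede every ACCEPT rule that could match traffic crossing that interface.
# Simplification: negated/wildcard interface matches and jumps to user chains
# are not analysed.
check_fail_close() {
    uplink="${1:-eth0}"
    awk -v ifc="$uplink" '
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            target = ""; in_if = ""; out_if = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-i") in_if  = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
            }
            # "-A FORWARD -i|-o <ifc> -j DROP" is exactly six fields
            if (target == "DROP" && NF == 6) {
                if (in_if == ifc)  drop_in = 1
                if (out_if == ifc) drop_out = 1
                next
            }
            # An ACCEPT can carry uplink traffic if either interface match
            # is absent or names the uplink itself
            could_match = (in_if == "" || in_if == ifc || out_if == "" || out_if == ifc)
            if (target == "ACCEPT" && could_match && !(drop_in && drop_out))
                early_accept = 1
        }
        END { exit (drop_in && drop_out && !early_accept) ? 0 : 1 }
    '
}

# Constructed sample dumps (not captured from a real system)
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o tun0 -j ACCEPT'
SAMPLE_LEAK='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP'

printf '%s\n' "$SAMPLE_OK"   | check_fail_close eth0 && echo "ok: fail-close rules lead the chain"
printf '%s\n' "$SAMPLE_LEAK" | check_fail_close eth0 || echo "leak: ACCEPT precedes the uplink DROP rules"
```

On a live VPN qube the same function can be fed from `iptables -S FORWARD` and `ip6tables -S FORWARD`, since the post adds the rules for both address families.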

I don’t know what guide you used, but QM has no “Create VM” button, and
there is no “Type: ProxyVM”.
There’s a reference to NM documentation “linked in step 3”, but it isn’t
clear what “step 3” might refer to.
The instructions at step 2 about using the “Applications” tab to set the
netvm are completely wrong.

If you are looking for a simple set-up for an openVPN gateway, try
installing the openvpn package from https://qubes.3isec.org/tasks.html

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I assume the title “Qubes Team” should mean I should trust the HTML you sent? I obviously trust QubesOS, so I guess that makes sense, haha, but I like the framework of understanding you laid out from the beginning of the document. It made it quite easy to understand the problem you were addressing and the solutions you’re offering. I am about to go through it fully but I just wanted to comment this.

Absolutely not.

I’m suggesting that you install something in dom0 - this has the
potential to compromise your whole system.
I hope you will trust me based on my contributions. Also, the source code for
those packages is freely available on GitHub, and any one can examine
the packages to see exactly what they will do.
I don’t know if any one has actually done this.

Thanks for this.
If you hit any problems, let me know.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

You mentioned something I think is actually extremely important.

“I don’t know if any one has actually done this.”

That’s the problem, I guess. With current open-source markets, we really don’t have any idea who is checking the code and how many have. We have little information in a lot of respects, in terms of security.

I would like to try to develop a process or framework for questioning or posing questions to your environment (your job, your supermarket, the government, etc) and then gaining more accurate answers to see how it applies and if it holds “true”. This goes quite a bit deeper than that, but that’s the general idea.