Firewall1 < VPN < Firewall2 < AppVM?

oijawyuh · July 6, 2022, 7:06pm

I’ve been using a VPN Qube (aka sys-vpn, ProxyVM, etc.) for a while, connecting several Qubes/VMs to it. And then it struck me that this is could be breaking the security model of Qubes OS because several Qubes should connect to a firewall Qube which enforces the isolation, rather than to a VPN Qube. Right? Or am I missing something here?
Should this be the right configuration?:
sys-net < sys-firewall < VPN Qube < sys-firewall2 < AppVM?

Pawelek85 · July 6, 2022, 10:34pm

Hi,
I think your way is interesting, however you will not isolate the vpn traffic streams this way.
Ultimately, traffic going through any machine will connect to your assigned VPN.
If you are looking to increase security and privacy, then put sys-whonix directly behind the vpn and before the sys-net.

HPOA909 · July 7, 2022, 2:15am

For me, if you look at my Qubes Network post, I have this config for the qubes following:

personal → sys-vpn2 → sys-firewall → sys-net

This is my config for this VM

oijawyuh · July 7, 2022, 6:35am

My question is exactly about this issue. Is that configuration that you use @HPOA909 breaking Qubes OS security especially if multiplle Qubes / AppVMs connect to sys-vpn2 directly, and not to a firewally VM prior?

unman · July 7, 2022, 10:42am

This will entirely depend on how you have configured nftables in the
sys-vpn.
The default nftables for any qube that provides network, prohibit traffic
between attached downstream qubes. This will be the case for your
sys-vpn.
Depending on what changes you have made to that setup (and there must be
some), you may have removed that restriction. No one can answer that for
you, without knowing what your nftables set-up looks like.
Similarly, without knowing what your new nftables looks lie, no one can
say whether your sys-vpn is enforcing qubes firewall. If it is, then
sys-firewall2 is redundant: if not, it is necessary.

One point to bear in mind is that the qubes firewall provides NAT - if
you use a sys-firewall2, then all traffic arriving at the VPN qube will
appear to originate from sys-firewall2, so you cant do any fine grained
work on the VPN qube.
Similarly, the sys-firewall will only see traffic originating from VPN
Qube, which allows it to be a VPN enforcer, but not much more.

To sum up -it depends.

oijawyuh · July 7, 2022, 1:13pm

Thank you @unman.

I’ve built the VPN Qube as a VPN gateway using iptables and CLI scripts, based on the following instructions:

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

I guess this means that iptables were modified, and VPN Qube where iptables were modified is unable to fulfill the same function as sys-firewall. Right?

I also note this related documentation text about using a VPN Qubes and setting up firewalls:

HPOA909 · July 7, 2022, 4:11pm

Thanks, mate. This will be an issue about the internal RAM that has been soldered before sold to me as brand new back then the price was $899.

noti2p · July 7, 2022, 8:57pm

Some OLD TRICK!
You can install GUFW in the firewall VM. You can have multiple firewall VM’s connected to NET VM.
Qubes will give you some complaint notification but will abide.

If you have an independent VM (non Qubes) you can install firwalld which is dynamic. You start a program and the helper will adapt the firewall. Yes you have to know how and is a lot of work!

By FAR the most important thing is a GPS so you can have the correct time. Even a USB one is good. Currently I use an Apache Server to send the time to the other VM’s.

How are you going to have certificate pinning with Qubes firewall? It’s a dude… I would not waste my time with it (I did already… spend to much time on it).

unman · July 8, 2022, 2:18pm

I have no idea what you are trying to say.
The Qubes firewall provides basic functionality - it doesn’t pretend to
do anything more.
If you want more features then of course, you install a firewall
that provides those features.
For most users the Qubes firewall serves the main purpose of helping to guard
against user mistakes.