How would I set up Qubes so that a VPN is always on, with a kill switch, in the whole of Qubes 4.1?
Right now I have created a standalone VPN AppVM as the Qubes documentation says, with iptables.
“Set up a ProxyVM as a VPN gateway using iptables and CLI scripts”
Then I switched the personal or untrusted qube to use the VPN as the net qube in Qubes settings.
But now I’m wondering if, instead of setting qubes to use the VPN, is it not better to set all of Qubes to connect through a VPN? And if I then use any AppVM (qubes), they will all connect through the VPN, and also Tor. So it’s tor-over-vpn.
The first connection is made to a VPN, and the second is Tor through that VPN.
How do I set that up in Qubes 4.1? Could I just set sys-net to use the sys-VPN, and then all of Qubes’ traffic goes through a VPN?
OK, is that the optimal way if you want all of the traffic to go through a VPN in Qubes 4.1?
Is there any documentation for this? I read in those that you can set up which qubes you want to use…
But if I use my way, Whonix would use tor-over-vpn instead of tor-internet as now…
And that would give more security as well.
What do you mean? No. And that’s irrelevant to my question…
I’m not asking about the clock…
I’m asking about how Qubes works, and if I can get all of the traffic out from Qubes through a VPN that is always on, and that has a kill switch if it goes down.
I’m also wondering in what ways Qubes is “leaking” the real IP by default? Everything apart from Whonix is “leaking” the real IP, I’m guessing.
If I want a VPN as a filter, how do I set that up? That is my question. If anyone has managed that, I would appreciate it if you could help me with an answer.
Yes, that’s irrelevant, and I don’t care about the clock…
I mean leaking outside of Qubes OS… past my router. Hiding the real IP, as in putting a lock on a house.
Answer if you have experience with this. Or anyone else. You are off topic. Thanks
The only caveats are that, by default, Qubes updates go directly via sys-net (templates) and sys-firewall (dom0). I don’t have any concerns about that, but others might.
Thanks. OK… But how do you use, let’s say, Whonix as tor-over-vpn with that setup?
For tor-over-vpn you would have to use Tor Browser in some AppVM, but Whonix could be better… It depends.
I throw up my hands at the “tor over vpn” vs “vpn over tor” discussion, mostly because I don’t agree with everyone on what the terminology means. [Not your fault! But I can’t take it any more.]
Part of that involves “what does ‘->’ mean”? In my diagram above I was specific “this diagram shows what the Networking drop down points to in each case”. Just to be clear.
Same… I confuse them. I mean. I want a VPN as the first connection to the internet, and then after that a tor connection that goes inside of that VPN. The ISP can see a vpn, whonix would run inside. To my understanding that gives a little bit of “anonymity”, or security online.
That doesn’t make sense. sys-net is essentially your device controller for the hardware that allows you to connect to the internet, either your Wi-Fi card or Ethernet controller. There is no VPN service without something to plug into. One of the reasons sys-firewall is there is to prevent DMA attacks on your front-end VMs (due to sys-net being directly connected to your hardware controller). So those two VMs are the bare essentials for secure connectivity. Then you add a VPN qube with your firewall iptables configured and a kill switch, etc.
Also, don’t run any apps in sys-net and don’t connect any AppVMs directly to sys-net. sys-net and sys-firewall should be utilized as a pair and everything else should be in front of them.
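A kill switch of the kind the thread is circling (the iptables ProxyVM from the linked Qubes guide at the top, and the “VPN qube with iptables and a kill switch” just above), as an added shell example that is not from the original thread or the Qubes project. It assumes the VPN qube’s uplink toward sys-firewall is eth0, that the VPN client is started under a group named qvpn (e.g. with `sg qvpn -c '...'`), and that the script runs as root inside the VPN qube, for instance from its firewall user script.

```shell
#!/bin/bash
# Added example (not the Qubes project's script). Assumed names: uplink
# interface eth0, VPN client group qvpn. Run as root inside the VPN qube.
set -e

# Emit the iptables rules that make the tunnel mandatory:
#  - never forward client-qube traffic out of the raw uplink, so a dropped
#    tunnel means "no traffic" rather than a leak of the real IP
#  - default-deny the qube's own OUTPUT, allow loopback, and let only the
#    qvpn group (the VPN client) reach the uplink to build the tunnel
killswitch_rules() {
    uplink="$1"; vpn_group="$2"
    cat <<EOF
iptables -I FORWARD -o ${uplink} -j DROP
iptables -I FORWARD -i ${uplink} -j DROP
ip6tables -I FORWARD -o ${uplink} -j DROP
ip6tables -I FORWARD -i ${uplink} -j DROP
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I OUTPUT -o ${uplink} -m owner --gid-owner ${vpn_group} -j ACCEPT
ip6tables -P OUTPUT DROP
EOF
}

# Apply the rules (creating the group if missing). DRY_RUN=1 only prints
# them, which is also how you review what will be loaded before rebooting.
apply_killswitch() {
    uplink="${1:-eth0}"; vpn_group="${2:-qvpn}"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        killswitch_rules "$uplink" "$vpn_group"
        return 0
    fi
    getent group "$vpn_group" >/dev/null || groupadd -rf "$vpn_group"
    killswitch_rules "$uplink" "$vpn_group" | while IFS= read -r rule; do
        eval "$rule"
    done
}
```

With the rules loaded, a client qube behind this VPN qube gets no route to the internet at all while the tunnel is down, which is the behaviour the thread calls a kill switch; run `DRY_RUN=1 apply_killswitch` first to inspect the rule set.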
The updates sent from the repos are cryptographically signed (“Qubes distrusts the {networking} infrastructure”), so no less secure.
Some folks don’t want the ISP-level inspection (e.g. Comcast/Verizon) to see Qubes being used, but I’m not personally worried about that. It’s just a Linux distro.