Is this vpn setup stupid?

cookie839 · May 25, 2022, 7:03am

Hello,

I have looked at a lot of threads regarding a vpn setup, but because i still have no idea what the hell i should/need to do i wanted to do this setup. (And hopefully have a secure/leak proof setup)

VM

---->

VPN-Mullvad-GUI (Mullvad + Wireguard on Qubes-OS - #6 by turkja)

----->

PROXY-VM (GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS)

----->

PROXY-VM (micahflee com/2019/11/using-mullvad-in-qubes/)

---->

Firewall-VM

------->

NET-VM

Is this setup really really stupid but still works good? Or am i making everything worse?

help

tzwcfq · May 25, 2022, 7:24am

I’d go for Qubes-vpn-support if I didn’t need to easily and quickly change the used VPN server or mullvad gui if I need it.
Also do you have 3 chained proxy-vm using the same VPN provider? I’d say that it’s useless and won’t increase your anonymity.

cookie839 · May 25, 2022, 9:31am

Yeah all three are mullvad. I just want to make sure nothing leaks even if one fails. (bc no idea how any of that works). And i thought multihop makes it harder to trace back traffic?

ckN6QwSZ · May 25, 2022, 10:06am

All those discussions I have read on this forum lately regarding it-security are lacking critical questions, I believe.

What are your objectives?
What is your thread model?
How do you define “being hacked” or “leaking data”?
How advanced is your adversary and what kind of resources does he have?

For instance I have got a quick glance on a video linked around here which could hint on a browser hooked by BeEF. Could have been a malfunctioning browser or a lack of RAM or swapspace or both, but what the heck. Now, QubesOS won’t be much of a help against that. One could argue not to visit shady websites, but an advanced adversary might even use the NY-Times web presence to attack a certain user’s browser. This is called a water-hole-attack, btw.

On the other hand switching off javascript in your browser prevents an attack with BeEF.

Coming back to your question:

And hopefully have a secure/leak proof setup

What data do you want to prevent to leak?

cookie839 · May 25, 2022, 10:10am

Just my ip adress (torrenting some linux isos). I just read in some threads that the can be leaks if something fails (ex. network manager). Just trying to avoid some letters from coming in. I am not under direct attack or anything.

ckN6QwSZ · May 25, 2022, 10:38am

~~Aren’t bittorrent-clients relying on UDP?~~
~~Isn’t Tor dropping UDP-traffic?~~

I’m not into that topic, but if you use VPN-providers which have your credit card number and your name you are trusting them to not log your traffic. I can not recommend that.

tzwcfq · May 25, 2022, 11:07am

If your VPN provider is compromised by attacker then your 3 proxy-vm will be compromised as well.
If you’d use 3 different VPN providers then attacker will need to compromise all 3 of them before he reach your real IP.
Also read about Traffic Analysis and Timing Attacks here:

With such attacks it doesn’t matter how many hops you’ll use.

cookie839 · May 25, 2022, 11:10am

how would you protect yourself? Just pay with monero and different vpn providers?

cookie839 · May 25, 2022, 11:10am

thanks i will take a look!

ckN6QwSZ · May 25, 2022, 11:23am

how would you protect yourself?

As long as you just want hide your IP when downloading a linux iso, one VPN provider should be enough.

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

I haven’t read the article in full but I believe it even uses iptables to ensure your VPN-tunnel is used or otherwise traffic is blocked.

If you are using the bittorrent protocol for hollywood movies, there is a not to neglect likelyhood that your VPN-provider is going to give them your identity.

Traffic Analysis and Timing Attacks are most likely used in scenarios like this:

That’s why I wrote you got to ask the right questions.

cookie839 · May 25, 2022, 11:41am

yeah thank you very much!