Let’s be clear: Nobody ever complained about the official guide back when it wasn’t obsolete. This thread isn’t about debating which VPN technology, provider, or protocol is better — it’s about finally updating the official guide, now obsolete for almost 2 years.
Nearly 1/3 of the forum threads involve users seeking assistance with setting up a VPN gateway! Why is QubesOS management focusing resources into new features that few asked for, while ignoring the critical, widespread demand for a robust VPN setup?
A secure, leak-proof VPN setup is an essential requirement for any user seeking to use Qubes for security AND privacy. Qubes has a unique networking architecture; implementing a VPN gateway is NOT straightforward – only those intimately familiar with its architecture AND upcoming changes can properly configure and maintain a secure, reliable VPN setup without risking leaks or disruptions.
This Is Not Optional for a security AND PRIVACY oriented operating system!
Fair enough. I’m working on an update now, but the lack of input from the community to the documentation speaks volumes.
You are missing the point. Qubes already provides the capability
for a robust VPN set up. Many people who post about VPN set ups don’t
appear to understand about basics of Qubes use - where software should
be installed, what is persistent in a template based qube, how to
configure netvm in a qube, and so on.
I do not say this to blame them - there’s a lot to learn, and
understand.
It’s for this reason that I package Mullvad here. But I do not believe
that Qubes networking is so hard to understand, and I believe that our
views on this will differ.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Qubes-os is a SECURITY oriented operating system…
Even if more and more users want more and more privacy. Safety remains the basis of the project…
However, I use a vpn almost all the time that I managed to configure myself: thanks to the tutorials found in the forum/documentation.
I don’t have more knowledge than that, but I succeeded without too much difficulty.
Updates to the documentation will surely be coming soon. But you also have to understand that not everything is done in a snap of the fingers. It’s better to take your time and do things well rather than doing them quickly and badly.
The new version of qubes-os has just been released, so we might as well be happy about it!
It is better to drink the glass half full than half empty. The rest will follow.
Let’s be happy about what we have
I knew nothing about Qubes OS a couple of years ago. I spent a lot of time reading documentation/forums and, fast forward to today, find it fairly trivial to set up almost any service in a DVM without a guide. It’s not like this is some gatekept knowledge and a guide is the only way to source information about what you want to do. The people who make these guides don’t have access to secrets that you don’t. I’m having a hard time not interpreting this post as unappreciative towards the volunteers who make this experience possible. To be completely honest this sounds like a skill issue… I was also under the impression Qubes OS was SECURITY first, PRIVACY second? Unless I’m missing or ignorant to something, what is stopping somebody from understanding how Qubes works, understanding how Linux works, understanding how VPNs work and tying it together? I do understand the edge case of somebody wanting to use Qubes but not being very good at computers but unfortunately if you want to use this OS you might have to learn something. If you’re using Qubes you are worried about security right? I can’t imagine how using Qubes and not understanding how it works isn’t a huge attack surface by itself in the first place.
I think OP is just asking for www.qubes-os.org/doc/vpn (official Qubes website) to stop leading users to a VPN setup guide that is unusable. Either update or remove that, as it is misleading and makes the OS look abandoned?
Almost all comments are negative, even though OP’s proposal was positive and altruistic. What a mature community we have here.
Something it’s really helpful to internalize, as a citizen of the internet where text is most often the medium of communication, is that the reader chooses the tone. The writer surely has intentions about the tone of their writing, but ultimately it’s in the hands of the reader what the tone is. So why not bias toward a neutral or good faith tone that doesn’t rankle? You’re the boss, so give yourself a break, don’t choose to allow the other internet citizens of this niche internet forum to get under your skin. Make your day a better day.
I just spent 2-3 hours testing this setup and packet capturing my router and I found that the VPN has LEAKS. This is why we need an official setup because otherwise you have a bunch of individuals who use AI LLMs to create their nftables rules that don’t actually work. Once again we need an official VPN guide so that everyone in the community can leak test the official VPN guide. I am ONE PERSON AND I ALREADY FOUND leaks. God forbid someone with a high threat model used this setup. Whonix is a great example of what a VPN proxy VM should be like. It is built in and easily installable on Qubes. I’ve leak tested Whonix many times and have never found leaks in the stable versions of Qubes. Never ever.
Joined 9 hours ago, only to post this comment. I find it likely you are an alt account of one of the fools who wasted their time senselessly hating on this thread.
Leaks are literally impossible, and anybody is welcome to prove otherwise. Besides, dom0 firewall is also in place, which means any leak is to be immediately reported to the Qubes Security team for review and possibly issuing a CVE. @deeplow
I spent 2 entire days of my (unpaid) free time testing the setup and writing the guide, which I’m proud to say has more anti-leak features than any other guide in the entire forum.
@corde You are welcome to publish any reproducible PoC, I’m eager to see it.
Welcome, new user. We welcome discourse and challenge to any assertion made; however, you appear to offer the author of this thread no particular examples of how to reproduce the leaks so that they can be addressed in their formula. Simply asserting it leaks, without showing how… or even suggesting why (and perhaps even suggesting some remediation steps) seems counterproductive to a collaborative community process. Could you elaborate with some examples of what you have found so the author can address this in their howto?
Please post details. Sure I agree that for years now, the community has been asking for an update to the existing VPN-on-Qubes guide, with information relevant to a post-iptables template. And I agree that people like @unman pretending not to know what sort of guide(s) are needed is dishonest, when the users have been screaming for it. It’s obvious that that’s all we want. (Personally I’ve been using debian-11 as my VPN qube for years now.)
Also it would be nice for the Qubes team to decide on one of three paths:
1 - Create an official doc.
2 - Expect people to write their own and either:
2a) read them all and sign off on the good ones
2b) announce that they do not provide this level of user documentation, period.
BUT just because the Qubes team has left its user base hanging since iptables went away, doesn’t mean that your comment above is useful. Since this is a community guide, you can’t use the GitHub issue tracker, but please provide a bug report on this guide anyhow.
What was your setup, and what were you doing when you had the leak?
What exactly is the nature of and evidence for the leak?
With that information, we can test and maybe help @longTimeQubesUser make necessary updates, in lieu of help from the Qubes team who - for whatever reason - has basically made its statement that it will not continue to provide official documentation on maintaining a VPN Qube.
I myself am not an expert on nftables, but I don’t notice any problems with the firewall rules. But if you can share your issue, I’ll help troubleshoot.
The main difference between core (or official) and external (or community or unofficial) documentation is whether it documents software that is officially written and maintained by the Qubes OS Project.
Your 2a point is theoretically wrong but true in my personal experience. I think that there has been no update on the external links presented in the docs for 3 years at least?