Question about vpnQube to do different tasks for each Qubes

Hello all.
I want to work on a cube that is completely unrelated. For example, I want to do completely different work on cube A and cube B so that outsiders don’t know the connection between cube A and cube B at all.

So I want to ask you about VPN connections. I am thinking of using Fedora as a {NET Qube} to make a VPN connection. Do I need to change the Fedora Net cube, VPN, VPN account, etc. that I want to connect to each cube?

Leave sys-net alone.
Make separate vpn qube for your separate workflow.

3 Likes

Thank you, I understand. For each appQube, the corresponding Fedora Net Qube, VPN, VPN account, etc. to Change.

No no no.
As I said, leave sys-net alone. Same with sys-firewall - you can configure it but don’t duplicate it or install anything in it.

Make template for vpn. Install vpn app in that template.

Based on vpn template make any needed sys-vpn app qubes.

Make it to have network from sys-firewall and be network provider for selected qubes.
sys-vpn needs to have network-manager service enabled.

I have sys-vpn-youtube, sys-vpn-untrusted, sys-vpn-forums, sys-vpn-shopping among others.
They don’t autostart with system but since they provide network they start when related qube start.

I could run 10 vpns at same time (paid subscription).

3 Likes

Oh, that’s what you meant! It was dusty early. In other words, your plan is not to use an open VPN, but to use a VPN app.

I may have misunderstood you. I wrote {Fedora Net Qube} in reference to {Fedora VPN Qube}. I was trying to connect an open VPN with the Fedora app Qube and use it as a {net Qube} for the other app Qube. I didn’t mean to say {sys-net}. Sorry, it was difficult to understand.

Anyway, I have two questions about VpnApp. One is If you use a VPN with an app as you said, which Qube can use that VPN communication besides the Qube running the app? Is it a Qube with its App Qube set to NETQube like an open VPN? Or all Qubes running? I think it’s the former, but please tell me.

The second question is, what kind of VPN do you use? Or is there a VPN that doesn’t work with Qubes? It means. Actually, I’ve tried VPN apps twice in the past with different versions and hardware, and I’ve only had a few times it work decently. I did exactly the same method you specified, but for some reason the communication is not connected. By the way, I used ProtonVpn (free plan) :grinning:

It’s separate qube with protonvpn that runs nothing else.
It’s network provider and it could be used by any qube in which I set in setting as network source.
But I don’t reuse sys-vpn’s between qubes.

YouTube qube have sys-vpn-youtube, forum qube have sys-vpn-forums, untrusted qube have sys-vpn-untrusted, shopping qube have sys-vpn-shopping and so on. I can’t run more than 10 vpn at a time but why not configure 20 sys-vpn if I need them?

1 Like
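
The layout described in the posts above (one VPN qube per purpose, networked through sys-firewall, never shared between app qubes), as an added example that is not part of the thread. The template name `vpn-template`, the orange label, app qubes named after their purpose, and the `name|netvm` input shape (taken from `qvm-ls --raw-data --fields NAME,NETVM`) are assumptions; the inventory is constructed sample data.

```shell
#!/bin/sh
# Added example: dom0 helper for the per-purpose VPN layout in this thread.
# Qube and template names are assumptions chosen for illustration.

# Print the dom0 commands that create one VPN qube per purpose and attach
# the matching app qube to it. Dry run only: review, then pipe to sh in dom0.
plan_vpn_qubes() {
    template=$1; shift
    for purpose in "$@"; do
        vpn="sys-vpn-$purpose"
        echo "qvm-create --class AppVM --template $template --label orange $vpn"
        echo "qvm-prefs $vpn netvm sys-firewall"       # upstream: sys-firewall
        echo "qvm-prefs $vpn provides_network True"    # acts as a net qube
        echo "qvm-prefs $vpn autostart False"          # starts with its client
        echo "qvm-service $vpn network-manager on"
        echo "qvm-prefs $purpose netvm $vpn"           # app qube -> its own VPN
    done
}

# Read "name|netvm" lines and report every sys-vpn-* qube that serves more
# than one client qube, i.e. two workflows sharing one tunnel and exit IP.
find_shared_vpn_qubes() {
    awk -F'|' '$2 ~ /^sys-vpn-/ { n[$2]++; users[$2] = users[$2] " " $1 }
        END { for (v in n) if (n[v] > 1) print v ":" users[v] }' | sort
}

# Constructed sample inventory: "shopping" wrongly reuses sys-vpn-forums.
SAMPLE='youtube|sys-vpn-youtube
forums|sys-vpn-forums
shopping|sys-vpn-forums
sys-vpn-youtube|sys-firewall
sys-vpn-forums|sys-firewall
sys-firewall|sys-net'

plan_vpn_qubes vpn-template youtube forums
printf '%s\n' "$SAMPLE" | find_shared_vpn_qubes
```

In dom0 the audit can be fed live data with `qvm-ls --raw-data --fields NAME,NETVM | find_shared_vpn_qubes`; an empty result means no VPN qube is shared.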

@phirip - There are a number of issues here.

If you want to make sure that qube A and qube B are unrelated,
you may want to create a separate sys-net pathway for A and B. (This
differs from the advice from KitsuneNoBaka.)
sys-net-1 and sys-net use different routes to the internet. (I don't mean
wired and wireless to the same router.)
Then place vpn qubes in the separate pathways.

I would not myself use the same VPN provider for routes, but different
providers. But this will depend on your threat model, and your risk
assessment.

I think you have the idea.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

Thank you both.
KitsuneNoBaka’s idea is to use a VPN using a completely isolated AppQube. And by using multiple VPNs or Qube itself, anonymity is guaranteed. The answer to my question is {you can be affected by a VPN without setting it to netQube in another Qube}, right? And it is not for each Qube, but for each purpose to increase anonymity. Thanks, KitsuneNoBaka. I got good information and that’s a good idea. It’s just that for me the idea of unman is more interesting, but I don’t fully understand it. This sentence is something I don’t particularly understand.

{sys-net-1 and sys-net use different routes to the internet. (I don't mean wired and wireless to the same router.)}

Does this mean to make more than one sys-net? What I had been thinking about so far was to create multiple Fedora templates first, then create multiple app Qubes (Vpn-Qube), and finally set them to the net-Qube of other appQubes to communicate with Open (or WireGuard) Vpn. I thought this would allow me to use a separate VpnQube for each of the multiple Qubes.

However, I posted on this forum because I thought there might be a better idea. The idea I was looking for may be yours. I’m not familiar with sys-net. How can I use multiple sys-nets to increase my anonymity? By the way, I always use sys-whonix or sys-firewall, and I’m not sure how sys-net relates to other Qubes.

Also, the idea of using multiple VPN providers indirectly answers my second question. Look for a few reliable providers. Thank you

My threat level is low and even though I use one vpn provider, each vpn has its own settings and connects to a different server (and different country) every time they start (every time when I close qube I close related vpn too).
And my qube laptop is connected to router which is connected to another router which is connected to ISP.

1 Like

Yes, you are right.
You can create as many sys-net as you want, but let us focus on two.
Each may use a different template.
Each may use a different NIC, and connect to a different router.

Now you have two completely distinct routes to the network, or internet.
You will want to make sure that you do not start them at the same time
to avoid correlation.

You might want to do this to have two separate routes , one of them to a
local network, and the other not allowed to use the local network.
Or if you are somewhat paranoid.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

Thank you for your answer. I have already solved one of the two points of focus in the way I mentioned before, right?
The problem is another problem you mentioned.

{Each may use a different NIC, and connect to a different router.}

Do you mean the actual router or NIC here? Or is it a virtual one on the Internet? And what role does Sys-net play in doing so?
I’ve researched and heard myself how to increase anonymity by creating multiple sys-nets, does it have anything to do with that? I don’t have much knowledge about this. I would be happy if you could tell me in as much detail and specifically as possible.
By the way, I have created new template Qube and AppQube by downloading or duplicating, but I have never created {service-Qube} and I don’t know how.

sys-net is seen from outside as one machine/router. How can you have 10 computers/router with one network card? It means one machine, one network point. Without separating sys-net between separate physical network cards there is no point. Different vpn/tunnel would do.

1 Like

Are you talking about a relationship like this?
router(virtual)=sys-net
NIC (virtual) = VPN

I heard Unman’s story and guessed that it was the following relationship.
router(virtual)=sys-net
NIC (virtual) = sys-firewall

Anyway, I have two questions. One is what happens to the sys-firewall if you talk about it? Do you want to increase this for each Qube in the same way? The second question is, what exactly should I do to create sys-net and sys-firewall?

In this article, you will learn how to create a sys-firewall and sys-net. Except for checking provides network, it would be fine if you refer to sys-net or sys-firewall that already exists, right?
If I create a sys-firewall and sys-net in this way and use a VPN, will I complete the isolation of each Qube?

So sys-net is an idea, not only a name. It is responsible for holding the hardware that makes external internet connections, and most consumer laptops have only two devices that do this: ethernet and wifi. You can’t magically make new external internet connections by making another sys-net, but instead you have to give it the networking hardware to function. This hardware is fingerprintable, so you shouldn’t connect to a network you don’t want associated with you with the same hardware with which you connect to networks that can identify you, like a work network where you sign in with credentials, or your home network at all. So, you can separate as many NICs (Network Interface Cards) as you have into different sys-nets to segregate traffic.

For instance, many business laptops also have the option for a WWAN card, or basically a card that can connect you to data like a phone, with a SIM. This could be a third NIC. You could also use a USB wifi dongle. While not technically a NIC, this could also be a separate sys-net.

1 Like

Thank you very much. I learned a lot.

That's a lot of information to digest, thanks.
I've managed to get working VPNs using Proton configuration with a paid account.

A quick q: any info on how to create internal virtual NIC interfaces, please.

Playing with opnsense firewall, I have two physical cards connected and ready as for WAN but I'm lost in setting up an internal card(s) to be on the LAN side, to allow connections from Qubes VMs via sys_net and/or sys_firewall.

Thanks.

1 Like

Did you use ProtonVPN, then maybe something else is wrong with me. Thank you for your report. :grinning:

Many people, including me use protonvpn app.
Heck, I even use 6 of them. No problem at all.

1 Like