So I asked this question on r/qubes and it was deleted as spam; absolutely no idea why.
Perhaps someone here can offer advice. I’m looking for an as-anonymous-as-possible setup, mostly for web browsing, although some of the sites I need to use block Tor exit nodes. This is my current setup in Qubes 4.1:
SYS-NET > SYS-FIREWALL > VPN-FIREWALL > WG-VPN-VM > SOCKS5-FIREWALL > FIREFOX-VM
- sys-net and sys-firewall are standard.
- vpn-firewall only allows the IP of a multihop WireGuard VPN.
- wg-vpn-vm uses a GitHub script from HKBAKKE, which is great; highly recommend it btw.
Or here’s the script:
```bash
#!/usr/bin/env bash
#
# This script can safely be executed multiple times.
#

set -e -u

. ./config

# /etc/wireguard/wg0.conf is symlinked to this folder in the template
mkdir -p -m 700 /rw/config/wireguard

# Protect the key in the config file
touch /rw/config/wireguard/wg0.conf
chmod 600 /rw/config/wireguard/wg0.conf

cat << EOF > /rw/config/wireguard/wg0.conf
[Interface]
Address = $WG_ADDRESS
DNS = $WG_DNS
PrivateKey = $WG_PRIVATE_KEY
PostUp = for ns in \$(resolvectl dns wg0 | sed 's/.*: //'); do echo "nameserver \$ns"; done > /etc/resolv.conf
PostUp = /usr/lib/qubes/qubes-setup-dnat-to-ns
PostDown = for ns in \$(resolvectl dns | grep -F 'Global' | sed 's/.*: //'); do echo "nameserver \$ns"; done > /etc/resolv.conf
PostDown = /usr/lib/qubes/qubes-setup-dnat-to-ns

[Peer]
PublicKey = $WG_PEER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = $WG_ENDPOINT
EOF

# Start the wireguard connection at boot
grep -F "systemctl start wg-quick@wg0" /rw/config/rc.local > /dev/null || echo "systemctl start wg-quick@wg0" >> /rw/config/rc.local

# Ensure only traffic destined for the wireguard interface is forwarded
mkdir -p /rw/config/qubes-firewall.d
cat << EOF > /rw/config/qubes-firewall.d/wireguard
#!/bin/sh
iptables -F QBS-FORWARD
iptables -A QBS-FORWARD -o wg+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A QBS-FORWARD -i vif+ -o wg+ -j ACCEPT
iptables -A QBS-FORWARD -j DROP
EOF
chmod +x /rw/config/qubes-firewall.d/wireguard
```
I use this script with a highly recommended VPN provider who allows anonymous payments. They also support multihop on their end, meaning I can use a single configuration file with this script: I connect to one server and they route my exit through another server, so I have 2 hops there.
- socks5-firewall is, you guessed it… a SOCKS5 firewall allowing only the IP of my VPN provider’s SOCKS5 proxy, which is specified in Firefox.
- firefox-vm is Firefox with some privacy add-ons and the SOCKS5 proxy specified.
How would I increase my anonymity and security here, besides using Whonix?
I have the feeling my firewalls are too simple, as they are only configured in the Qube Manager GUI. I’m sure I could be more secure by using a more advanced iptables config, but as it says in the Qubes manual, ‘you really shouldn’t mess with iptables unless you know what you are doing, as you will probably make things worse’, and I really don’t know what I’m doing with that…
Any suggestions welcome, thanks
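The post worries that the GUI-only firewall qubes are too simple but that hand-written iptables is risky. The following is an added example, not code from the post or from HKBAKKE's repository: it renders a `/rw/config/qubes-firewall.d/` hook for the vpn-firewall qube in the same style as the hook the posted script installs, so the qubes-firewall service re-applies it on every rule reload rather than the rules being typed in by hand. It pins not just the endpoint IP (which the GUI rule already does) but also the protocol and port, logs anything else a downstream qube tries to send so leak attempts show up in the qube's journal, validates its inputs, and syntax-checks the generated file before leaving it in place. It assumes the Qubes 4.1 iptables firewall (the `QBS-FORWARD` chain and `vif+` interfaces seen in the posted script); the endpoint `203.0.113.10` and port `51820` are placeholders to replace with the provider's values, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the post or from HKBAKKE's script: render a
# /rw/config/qubes-firewall.d/ hook for the vpn-firewall qube that lets only
# the WireGuard UDP flow to one endpoint through and drops everything else.
# Assumes the Qubes 4.1 iptables firewall (QBS-FORWARD chain, vif+ interfaces)
# that the posted script also relies on. Endpoint values are placeholders.
set -e -u

# Reject anything that is not a dotted-quad IPv4 address, so a typo cannot
# silently turn into a rule that matches nothing (and therefore drops all).
is_ipv4() {
    _ip=$1
    _ifs=$IFS; IFS=.; set -- $_ip; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Accept only a numeric port in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_hook ENDPOINT_IP ENDPOINT_PORT OUTFILE
# Writes the hook, makes it executable and syntax-checks it with sh -n so a
# broken file is never left for qubes-firewall to execute.
render_hook() {
    _rip=$1; _rport=$2; _out=$3
    is_ipv4 "$_rip" || { echo "render_hook: bad endpoint IP '$_rip'" >&2; return 1; }
    is_port "$_rport" || { echo "render_hook: bad port '$_rport'" >&2; return 1; }
    cat > "$_out" <<EOF
#!/bin/sh
iptables -F QBS-FORWARD
# Replies to flows that were already allowed may come back
iptables -A QBS-FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Downstream qubes may only send WireGuard UDP to the chosen endpoint
iptables -A QBS-FORWARD -i vif+ -p udp -d $_rip --dport $_rport -j ACCEPT
# Anything else is a leak attempt: log it (rate-limited) so it shows in the journal, then drop
iptables -A QBS-FORWARD -i vif+ -m limit --limit 5/min -j LOG --log-prefix "vpn-fw leak: "
iptables -A QBS-FORWARD -j DROP
EOF
    chmod 700 "$_out"
    sh -n "$_out"
}

# Stand-alone use (as root inside the vpn-firewall qube):
#   sh render_hook.sh 203.0.113.10 51820 /rw/config/qubes-firewall.d/50-wg-only
if [ $# -eq 3 ]; then
    render_hook "$@"
fi
```

Run it as root inside the vpn-firewall qube with the provider's real endpoint IP and port, then restart the qube (or the qubes-firewall service) and confirm the chain with `iptables -L QBS-FORWARD -n -v`. The log line is the useful part for a setup like this: if anything downstream ever tries to reach the internet other than through the tunnel, the counter on the DROP rule and the `vpn-fw leak:` entries in the journal will say so, which is a check the GUI rules do not give you.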