Use windows as network provider

Hello, is it possible to use a Windows VM as the network provider for the other non-Windows VMs? I find this kind of configuration useful mostly because of proprietary (Windows-only) VPN software.

There is no need for that, and it will weaken security by a significant ratio. Simply install whatever VPN software you want in the non-Windows VM, or use OpenVPN, and leave sys-net as is.
You can also put the Whonix gateway in between as an extra layer.

If you haven't purchased any VPN, might I suggest trying ProtonVPN (offers a free version without any hiccups); it has a Linux app that works like a charm, and also a permanent kill switch feature, which is often missing from proprietary Windows VPN software.

Yes, you can do this.
It requires some change to the standard network configuration, but it is
doable.

notes/openBSD_as_netvm at master · unman/notes · GitHub explains how
to do this for OpenBSD, but the principle would apply to Windows also.

Normally you have this arrangement:

      sys-net
        |
    sys-firewall
     >       >
  qube1     qube2

What you end up with is this:

         sys-firewall
          >        >
  NIC->Windows    qube2

You need to configure the Windows HVM to forward traffic between the
interfaces, and configure sys-firewall to allow traffic to pass to and
from between Windows and the other attached qubes.

I don’t know if you can easily do this with the VPN software you have to
use, but it should be doable.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
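The Windows-side half of the step above (making the HVM forward packets between its NIC and the Xen interface facing the firewall qube), as an added example that is not part of the original post or of unman's notes. The interface aliases are assumptions; the firewall-qube rules and the routing changes the post refers to are not covered here.

```powershell
# Added example (not from the thread): turn on IPv4 routing in the Windows HVM so it
# forwards packets between the passed-through NIC and the Xen vif towards the firewall qube.
# Interface aliases are assumed; list the real ones with Get-NetAdapter.
$Nic = 'Ethernet'      # PCI NIC attached to the Windows qube (assumed alias)
$Vif = 'Ethernet 2'    # Xen network interface towards sys-firewall2 (assumed alias)
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# System-wide router flag: persists across reboots, but only takes effect after one.
Set-ItemProperty -Path $TcpipKey -Name IPEnableRouter -Value 1 -Type DWord

# Per-interface forwarding: takes effect immediately, but only on the named interfaces.
foreach ($Alias in @($Nic, $Vif)) {
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Forwarding Enabled
}

function Test-WindowsRouting {
    # Returns $true only when the persistent flag is set AND both interfaces forward now,
    # so a half-configured (works-until-reboot or reboot-only) state is reported as failure.
    $Persisted = (Get-ItemProperty -Path $TcpipKey).IPEnableRouter -eq 1
    $LiveCount = (Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -in @($Nic, $Vif) -and $_.Forwarding -eq 'Enabled' }
    ).Count
    return ($Persisted -and $LiveCount -eq 2)
}

Test-WindowsRouting
```

Run from an elevated PowerShell inside the Windows qube; if the function returns $false after a reboot, check the aliases first, since a renamed adapter silently leaves that interface non-forwarding.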

Could you tell me something more about the security issue with this Windows networking provider? Will the other VMs that are not connected to the Windows VM be affected?

@endeavour VPN stands for virtual private network. Its main purpose is to allow one to connect to private resources (e.g. a file server at work) that intentionally cannot be reached through the internet. In this case one has to use whatever protocol / software the owner of that private network selected. Some of those might only have Windows clients.

It is in fashion to resell bandwidth by (ab)using VPN servers as glorified encrypted proxies to people who feel more anonymous and/or secure that way because the respective vendor told them so. This might not be the OP’s use case.

No, they won’t be affected.
You can do this using a single sys-firewall, but it’s much cleaner to
use a separate firewall.
The rest of your qubes will be attached to sys-firewall, and will route
through sys-net.

If you set the Winqube’s netvm to be sys-firewall2, and set that up as
I have suggested, then any qubes with netvm of sys-firewall2 will route
through the Windows qube. If you have set that to use only the VPN
then these qubes will be forced to use the VPN.
If your Winqube fails closed (only provides access via the VPN) then those
qubes will be similarly protected.
