Pre-installed VPN qube #9463

Open
DemiMarie opened this issue Sep 21, 2024 · 0 comments
Labels
C: networking P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@DemiMarie

The problem you're addressing (if any)

Setting up a VPN qube manually is error-prone, tedious, and often requires obscure command-line tools.

The solution you'd like

Provide a VPN qube that is correctly configured out of the box.

If one does not run non-VPN apps in the VPN qube, the following nftables rules should be sufficient to prevent any traffic from bypassing the VPN:

# IPv4: reject forwarded packets that enter or leave via an eth* (group 1) interface
table ip qubes {
    chain vpn {
        type filter hook forward priority filter; policy accept;
        oifgroup 1 counter reject with icmp admin-prohibited
        iifgroup 1 counter reject with icmp admin-prohibited
    }
}
# IPv6: same rules; this table must be in the ip6 family for the icmpv6 reject to be valid
table ip6 qubes {
    chain vpn {
        type filter hook forward priority filter; policy accept;
        oifgroup 1 counter reject with icmpv6 admin-prohibited
        iifgroup 1 counter reject with icmpv6 admin-prohibited
    }
}

This blocks packets that enter or exit Xen netfront interfaces (eth*), since Qubes OS assigns them to interface group 1. Packets can only be forwarded if they enter and exit via interfaces that are not eth*, such as ones created by a VPN.

The value to a user, and who that user might be

Journalists and other users using VPNs will have an easier time setting up their systems.

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)

@DemiMarie DemiMarie added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Sep 21, 2024
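One way to audit a qube's live ruleset for these kill-switch rules, as an added example that is not from the issue or from Qubes OS: it parses the JSON that `nft -j list ruleset` prints and reports which (family, direction) pairs lack a forward-hook rule blocking interface group 1. It assumes nft's JSON layout for meta matches (`{"match": {"left": {"meta": {"key": "oifgroup"}}, "right": 1}}`) and verdicts; the sample rulesets are constructed, and the incomplete one reproduces the case where only the IPv4 table was loaded.

```python
import json  # parses the JSON emitted by `nft -j list ruleset`

FAMILIES = ("ip", "ip6")
DIRECTIONS = ("iifgroup", "oifgroup")

def _rule_blocks_group1(expr, key):
    """True if the rule matches `<key> 1` and ends in a reject or drop verdict."""
    has_match = has_verdict = False
    for e in expr:
        m = e.get("match")
        if (m and m.get("op") == "==" and m.get("right") == 1
                and m.get("left", {}).get("meta", {}).get("key") == key):
            has_match = True
        if "reject" in e or "drop" in e:
            has_verdict = True
    return has_match and has_verdict

def missing_killswitch_rules(ruleset_json):
    """Return (family, direction) pairs that no forward-hook rule blocks for
    interface group 1; an empty list means IPv4 and IPv6 are both covered."""
    objs = json.loads(ruleset_json)["nftables"]
    forward_chains = set()
    for o in objs:
        c = o.get("chain")
        if c and c.get("hook") == "forward":
            forward_chains.add((c["family"], c["table"], c["name"]))
    covered = set()
    for o in objs:
        r = o.get("rule")
        if r and (r["family"], r["table"], r["chain"]) in forward_chains:
            for key in DIRECTIONS:
                if _rule_blocks_group1(r["expr"], key):
                    covered.add((r["family"], key))
    return [(f, k) for f in FAMILIES for k in DIRECTIONS if (f, k) not in covered]

# Constructed samples in the assumed nft JSON layout, not captured from a real qube.
def _chain(family):
    return {"chain": {"family": family, "table": "qubes", "name": "vpn", "type": "filter",
                      "hook": "forward", "prio": 0, "policy": "accept"}}
def _rule(family, key, icmp):
    return {"rule": {"family": family, "table": "qubes", "chain": "vpn", "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": key}}, "right": 1}},
        {"counter": {"packets": 0, "bytes": 0}},
        {"reject": {"type": icmp, "expr": "admin-prohibited"}}]}}
# Only the IPv4 table loaded: the IPv6 kill switch is missing.
SAMPLE_IPV4_ONLY = json.dumps({"nftables": [_chain("ip"),
    _rule("ip", "oifgroup", "icmp"), _rule("ip", "iifgroup", "icmp")]})
# Both the ip and ip6 tables loaded.
SAMPLE_COMPLETE = json.dumps({"nftables": [_chain("ip"), _chain("ip6"),
    _rule("ip", "oifgroup", "icmp"), _rule("ip", "iifgroup", "icmp"),
    _rule("ip6", "oifgroup", "icmpv6"), _rule("ip6", "iifgroup", "icmpv6")]})
```

On a real qube, feed `subprocess.check_output(["nft", "-j", "list", "ruleset"])` to `missing_killswitch_rules` and treat a non-empty result as a misconfigured VPN qube.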