Zrubi
commented
8 years ago @ttasket There is nothing wrong with your guide. And my opinion is not against such solutions. I only suggested to rearrange the VPN related documentations. Because the general VPN guide in Qubes is about to decide where to implement such service. Then the users must decide to use NetworkManager or CLI. Your guide should be linked under the CLI category and probably labeled as openVPN.
Another reason for the rearrangement that there are more VPN related solutions like: https://github.com/adrelanos/vpn-firewall/
Somehow Tor, and or Whonix solutions also related. Moreover - if you follow the mailing lists - there was already some other VPN specific discussions about various VPN clients under Qubes.
tasket
adrelanos
andrewdavidwong
mfc
a) Qubes VPN documentation afaik does not fail closed. If the VPN breaks down, connections will still be possible in the clear. Which most likely is not what most users want since they want assurance the VPN will always be used.
b) Qubes VPN documentation is not suited to hide Tor. It does not claim it is, but using VPNs to hide Tor is something users often have in mind. (I infer this from the many questions about it from the Whonix forums.) This is because if a Tor entry guard is running on the same server as the VPN server, and if VPN breaks down, Tor may connect directly to the VPN if it happened to choose that as entry guard. This is not that unlikely, because a lot VPN providers support VPN port forwarding, use public IPs and people host Tor servers behind VPN's.
Do we have tickets for a) and b)?
In meanwhile should we list these limitations (and link to the tickets) from the documentation?