VPN Documentation

[fbrjcswx]

Current VPN documentation hosted on Qubes website is little non user friendly. I have written documentation for myself sometime. I would love to create a pull request for VPN Documentation on Qubes, wanted to ask first if you are interested, Please reply here before closing this issue even if if it's invalid. the documentation will be even for cascading servers and running tor over vpn and also oriented toward more basic users to understand. Thanks.

[GWeck]

Great idea!

I am looking for documentation on how to get OpenVPN running - I got it running using the solution of tasket, but a good documentation on how to use existing configuration files would be great.

[john590]

Do you have any perfect KillSwitch type solution of VPN for latest QubesOS. If yes, you should definitely create documentation. Even if it don't get accepted you can provide it in your own repositories. That will help a lot of users. But I was able to use VPN with Documentation currently provided by Qubes website, although I am not sure that if that documentation is perfectly fail-safe.

[SaswatPadhi]

I found these instructions by Mullvad VPN to be very useful: https://mullvad.net/sv/help/qubes-os-4-and-mullvad-vpn/. It was quite straightforward to tweak the steps to work for other VPN providers.

[andrewdavidwong]

@tasket, do you have anything to say here before a PR is opened?

[tasket]

I advise against instructing users to search for specific IP addresses and then hard-code them into command sequences. This ends up being way more difficult than having users copy-and-paste fully automatic scripts. And the hard-coded configs will probably break before long when the VPN provider changes something.

There is also a tendency to feel that editing IP numbers gives you more power and somehow makes an 'expert' solution. The real power in configuring and protecting your VPN link is the cryptographic certificate your VPN provider gives you along with your config file - and that works automatically.

Many proposals to re-do the VPN doc this way have had the wheels fall off when they realize all the little steps they didn't account for makes it much more complicated than the current approach when you have to account for more than one VPN provider.

People often want to emphasize what they like to automate, and gloss over the manual parts according to their personal taste. And that is because they don't think about the audience they're trying to reach. They think: We must tell users how to download, unzip and copy files... but managing hard-coded IP addresses... no big deal, they can just deal with it. I tend not to take this POV seriously bc its so obviously backwards.

---

Currently, I think the best general VPN solution on Qubes is my Qubes-vpn-support project. It is under review for incorporation in Qubes 4.1 and requires little work from the user other than taking their existing config files and placing them in /rw/config. It works around OpenVPN's connection management quirks and has multiple failsafes.

In the meantime, the current doc could use updating to the Qubes 4 terminology, punctuation fixes and clarifications (and possibly eliminate one editing step). But another possibility is to briefly describe DNS dnat and firewall failsafe, and then link to Qubes-vpn-support as a ready-to-use example.

[SaswatPadhi]

The instructions Mullvad provides doesn't require explicitly searching for and whitelisting IP addresses. It's only to make sure that the VPN AppVM absolutely does not connect to any other IP. The instructions simply suggest denying all other IPs in the iptable rul s, except those of the VPN servers.

If users are less paranoid, they need not set iptable rules at all and instead use the openvpn configs that use hostnames instead of IP addresses.

[tasket]

Also should comment on this:

 the documentation will be even for cascading servers and running tor over vpn and also oriented toward more basic users to understand

To say this is promising a lot is an understatement. However, I'll note that Whonix already has documentation for Tor over VPN.

I also remember Marek saying that the doc should be just for enabling basic connections.

[tasket]

The instructions Mullvad provides doesn't require explicitly searching for and whitelisting IP addresses.

See this part:

# replace 10.137.0.47 with the IP address of your vif* interface
virtualif=10.137.0.47

This is used for the dnat-ing of DNS packets. It doesn't work unless you get the IP address right.

I know Mullvad supports Qubes, but that doc is an afterthought. Like most VPN services, they push their custom VPN app hard bc they know most users need that level of automation to avoid costly support sessions.

[SaswatPadhi]

Oh yes, that part seems quite fragile. Even I didn't follow the instruction at that step. In place of this:

iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2

I used this:

iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $vpndns1
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $vpndns1
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $vpndns2
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $vpndns2

which I copied from the Qubes VPN documentation page.

[tasket]

But now vpndns1 and vpndns2 have to be correctly discovered and entered by the user. The current solution and Qubes-vpn-support do this automatically to avoid accidental misconfiguration. At this point I feel like we need higher quality input on the subject. So far the criticisms of the current doc have been aesthetic and proposals have been to expose the user to error-prone processes.

[borovif665]

I think Mullvad options are not good to go. But what about when VPN provide special features like Antitracker etc. and suggest users to use predefined DNS for those. Then users should have a documentation with all proper scripts written in Qubes VPN documentation where they are instructed about what to edit in scripts. Edits by user should be basically limited to only DNS I would say. Current Documentation based on CLI and iptables have a "DNS handling Script" with note "Edit and add" but doesn't mention what to edit and where (difficult to interpret for a novice user). Atleast Documentation should be clear on those things.

[tasket]

The DNS script is designed to get the correct DNS addresses from the server. So it seems the server would be programmed to provide the right DNS addresses if they wanted their users to take advantage of them.

But "Edit and add" could be considered confusing. It could be changed to "Add the following to the file" or "Using a text editor, paste the following into the file". The doc is not suggesting the user change the contents of the script.

[92VV3M42d3v8]

@fbrjcswx @tasket I have created a pull request for Update VPN.md If you guys interested, take a look on that and suggest if that good to go or not.

[joshua9glenn]

I think that the current VPN documentation on Qubes-OS website is oversimplified and doesn't take into consideration WebRTC leaks either. I also think that @tasket should be in charge of rewriting the docs or somehow making his work incorporated into the next stable release. I have tested the Qubes-vpn-support script's personally and found they work well on 2 out of 2 VPN providers.