tasket / Qubes-vpn-support

VPN configuration in Qubes OS
GNU General Public License v3.0

Support for multiple VPN connections #15

Open codyro opened 6 years ago

codyro commented 6 years ago

I'll see if I can make a PoC of this; however, I have a use case where I'd make a workVPN ProxyVM which would connect to various L2 OpenVPN instances.

An example use case would be something along these lines:

WorkVM <- workVPN / 192.168.20.0/24 -> Hong Kong
WorkVM <- workVPN / 192.168.30.0/24 -> Singapore
WorkVM <- workVPN / 192.168.40.0/24 -> Los Angeles
WorkVM <- workVPN / 0.0.0.0/0 -> Net (sys-firewall, no filtering beyond the aforementioned routes)

The firewall portion should be achievable by either plopping the adjusted iptables rules in /rw/config/rc.local or /rw/config/qubes-firewall.d.

This should be relatively easy to achieve by looping over a configuration directory (i.e., /rw/config/vpn/openvpn.conf.d/*) and starting various OpenVPN instances. Modifying the systemd service file to support numerous OpenVPN instances (i.e., using %i) would make this relatively clean.

I need to dive more into how you're handling the firewalling / routing to see how feasible / easy this change would be and if it fits the scope of your project. If not I'll fork this and adjust it for the use case outlined above.
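A sketch of the firewall half of this proposal, added here as an example; it is not code from codyro or from the Qubes-vpn-support project. It walks a directory of OpenVPN configs and prints one ACCEPT/DROP rule pair per subnet so that downstream qubes can reach each VPN subnet only through that instance's own tunnel. Assumed (not from the thread): each .conf names its interface explicitly with `dev tunN` and lists its subnets as `route NET MASK`; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the project): emit iptables FORWARD rules
# for a ProxyVM that runs one OpenVPN instance per file in a config directory.
# Assumed config layout: "dev tunN" names the instance's interface explicitly and
# "route NET MASK" lists the subnet(s) reachable through it. Rules are printed,
# not applied; on Qubes they would be placed under /rw/config/qubes-firewall.d/.

# Convert a dotted netmask to a prefix length: 255.255.255.0 -> 24
mask_to_cidr() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;; 252) bits=$((bits + 6)) ;;
            248) bits=$((bits + 5)) ;; 240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;; 0) ;;
            *) return 1 ;;   # non-contiguous or malformed mask
        esac
    done
    echo "$bits"
}

# For every *.conf in $1, print an ACCEPT rule letting downstream qubes (vif+)
# reach each subnet via its own tunnel and a DROP rule blocking the same subnet
# via any other interface, so a tunnel that is down cannot leak to the clearnet.
# Destinations outside the VPN subnets are left to the default Qubes FORWARD rules.
gen_vpn_rules() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        tun=$(awk '$1 == "dev" { print $2; exit }' "$conf")
        [ -n "$tun" ] || { echo "skipping $conf: no dev line" >&2; continue; }
        awk '$1 == "route" && NF >= 3 { print $2, $3 }' "$conf" | while read -r net mask; do
            cidr=$(mask_to_cidr "$mask") || { echo "skipping bad mask $mask in $conf" >&2; continue; }
            echo "iptables -A FORWARD -i vif+ -o $tun -d $net/$cidr -j ACCEPT"
            echo "iptables -A FORWARD -i vif+ ! -o $tun -d $net/$cidr -j DROP"
        done
    done
}

# Constructed sample configs mirroring two of the sites listed in the thread.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'dev tun20\nroute 192.168.20.0 255.255.255.0\n' > "$d/hongkong.conf"
    printf 'dev tun30\nroute 192.168.30.0 255.255.255.0\n' > "$d/singapore.conf"
    echo "$d"
}

gen_vpn_rules "$(make_sample_dir)"
```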

tasket commented 6 years ago

Vpn-support adds no routing itself -- it places restrictions based on the layer below: interfaces -- so for routing you'll need to focus on the default Qubes configuration (which relies on masquerade) and whatever routes openvpn adds. For the former, connecting with openvpn set to verb=4 is useful for showing any route commands executed, including ones pushed down from the vpn server.

It sounds like your multiple connections will be simultaneous. If so, you may prefer to use the Debian openvpn service files, which already use %i instances and can accommodate server/router configurations. Once your services/links are up, adapting the firewall script for your case should be straightforward.

codyro commented 6 years ago

Understood about the routes -- I can finagle it to work fine with multiple VMs, but I wasn't sure if this was in the scope of the project to support out of the box (i.e., load up multiple OpenVPN instances + set up the firewall rules for said instances).

If not please feel free to close this issue. If I add anything worthwhile I'll shoot you a PR.

Cheers!

tasket commented 6 years ago

This is the first time I've had an inquiry about multiple instances. But I'd still say it's in scope because the project is basically route-agnostic... that is left to the vpn configs. I'd be interested to get a PR for this.