diff --git a/content/posts/android/_index.md b/content/posts/android/_index.md index 2e455fd..bce370b 100644 --- a/content/posts/android/_index.md +++ b/content/posts/android/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about Android and related applications \ No newline at end of file +A collection of posts about Android and related applications. Android tips, custom operating system selection, and F-Droid security issue articles can be found here. \ No newline at end of file diff --git a/content/posts/knowledge/_index.md b/content/posts/knowledge/_index.md index 37df047..f3dff73 100644 --- a/content/posts/knowledge/_index.md +++ b/content/posts/knowledge/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about general privacy and security knowledge \ No newline at end of file +A collection of posts about general privacy and security knowledge. This section goes over concepts like threat modeling, multi-factor authentication, and badness enumeration. \ No newline at end of file diff --git a/content/posts/linux/_index.md b/content/posts/linux/_index.md index ba99892..520c49c 100644 --- a/content/posts/linux/_index.md +++ b/content/posts/linux/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about Linux and related applications \ No newline at end of file +A collection of posts about Linux and related applications. Desktop Linux, OCI, OpenSSH hardening guides can be found here. \ No newline at end of file diff --git a/content/posts/proxies/_index.md b/content/posts/proxies/_index.md index 1eeec9d..059e18e 100644 --- a/content/posts/proxies/_index.md +++ b/content/posts/proxies/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about proxies \ No newline at end of file +A collection of posts about proxies. Posts about commercial VPN use cases, choosing your VPN provider, and Signal TLS Proxy can be found here. \ No newline at end of file diff --git a/content/posts/qubes/Using IVPN on Qubes OS.md b/content/posts/qubes/Using IVPN on Qubes OS.md new file mode 100644 index 0000000..8d22cce --- /dev/null +++ b/content/posts/qubes/Using IVPN on Qubes OS.md @@ -0,0 +1,53 @@ +--- +title: "Using IVPN on Qubes OS" +date: 2022-09-30 +tags: ['Applications', 'Linux', 'Container', 'Security'] +author: Tommy +--- + +![IVPN](/images/ivpn-1.png) + +IVPN is a fairly popular and generally trustworthy VPN provider and is one of my favorites. In this post, I will walk you through how to use the official IVPN client in a ProxyVM on Qubes OS. + +## Preparing your TemplateVM + +I recommend that you make a new TemplateVM based on latest Fedora template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with IVPN, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly. + +This is what I run on my template to trim it down: +```bash +sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculator gnome-connections gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-characters gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* httpd mozilla* cups rygel -y +sudo dnf autoremove -y +``` + +Next, you need to create the bind directories for IVPN's configurations: + +```bash +sudo mkdir -p /etc/qubes-bind-dirs.d +sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null +binds+=( '/etc/ivpn' ) +EOF +``` + +## Installing the IVPN App + +Inside of the TemplateVM you have just created, do the following: + +```bash +sudo dnf config-manager --add-repo https://repo.ivpn.net/stable/fedora/generic/ivpn.repo +sudo dnf install ivpn-ui +sudo shutdown now +``` + +## Creating the ProxyVM + +Create an AppVM based on the TemplateVM you have just created. Set `sys-firewall` (or whatever FirewallVM you have connected to your `sys-net`) as the net qube. If you do not have such FirewallVM, use `sys-net` as the net qube. Next, go to the advanced tab and tick the `provides network access to other qubes` box. + +![Provides Network](/images/provides-network.png) + +## Notes + +With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that IVPN or some other apps may interfere with its firewall handling. + +Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/os/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the IVPN ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced. + +![MirageOS](/images/mirageos.png) \ No newline at end of file diff --git a/content/posts/qubes/_index.md b/content/posts/qubes/_index.md index 1e2d90c..03e7c86 100644 --- a/content/posts/qubes/_index.md +++ b/content/posts/qubes/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about Qubes OS and related applications \ No newline at end of file +A collection of posts about Qubes OS and related applications. This section contains MirageOS setup, Split SSH configuration, and guides on setting up proxies on Qubes OS. \ No newline at end of file