PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-09-07 19:53:30 -04:00
Code

Remove provider description and reword other category descriptions (#235)

Browse Source 
* Remove VPN provider description

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Reword description slightly

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Reword description slightly

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Reword description slightly

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Make various grammar changes

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Fix grammar

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Fix grammar

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Fix grammar

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

---------

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>
This commit is contained in:
friendly-rabbit-35 2024-05-25 03:13:23 +00:00 committed by GitHub
parent 70b41194be
commit 5049772a67
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
content/posts/android/_index.md
View File

@ -4,4 +4,4 @@ ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about Android and related applications. Android tips, custom operating system selection, and F-Droid security issue articles can be found here.
A collection of posts about Android and related applications. Articles about Android tips, custom operating system selection, and F-Droid security issues can be found here.

2
content/posts/linux/_index.md
View File

@ -4,4 +4,4 @@ ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about Linux and related applications. Desktop Linux, OCI, OpenSSH hardening guides can be found here.
A collection of posts about Linux and related applications. Guides for hardening desktop Linux, OCI, and OpenSSH can be found here.

8
content/posts/macos/Secure Time Synchronization on macOS.md
View File

@ -13,15 +13,15 @@ In this post, I will go over how to leverage virtualization to setup a local Lin
## Installing UTM
The virtualization software we are going to use for this setup is [UTM](https://mac.getutm.app/). You can obtain it through [App Store](https://apps.apple.com/us/app/utm-virtual-machines/id1538878817) for $10 USD or directly through [GitHub](https://github.com/utmapp/UTM/releases) free of charge.
The virtualization software we are going to use for this setup is [UTM](https://mac.getutm.app/). You can obtain it through the [App Store](https://apps.apple.com/us/app/utm-virtual-machines/id1538878817) for $10 USD or directly through [GitHub](https://github.com/utmapp/UTM/releases) free of charge.
Personally, I would recommend using the App Store, since you are getting automatic updates with it, and a small donation would really help out the developers.
Note that I am recommending UTM here over other solutions like [Parallels](https://www.parallels.com/) here, specifically for the [Emulated VLAN](https://docs.getutm.app/settings-qemu/devices/network/network/#network-mode) network setup. Parallels only supports the [Shared Network mode](https://kb.parallels.com/4948) where all VMs and the host are connected to the same VLAN, which is less than ideal considering that we will still communicate with our Linux server using the insecure NTP protocol. I have not tried VMWare Fusion or VirtualBox yet, but the gfeneral idea is that you should be connecting to the NTP server using a private interface which only the host and the target VM have access to. Another nice thing about UTM is that it is a [sandboxed](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox/) application and runs without any special privileges.
Note that I am recommending UTM here over other solutions like [Parallels](https://www.parallels.com/), specifically for the [Emulated VLAN](https://docs.getutm.app/settings-qemu/devices/network/network/#network-mode) network setup. Parallels only supports the [Shared Network mode](https://kb.parallels.com/4948) where all VMs and the host are connected to the same VLAN, which is less than ideal considering that we will still communicate with our Linux server using the insecure NTP protocol. I have not tried VMWare Fusion or VirtualBox yet, but the general idea is that you should be connecting to the NTP server using a private interface which only the host and the target VM have access to. Another nice thing about UTM is that it is a [sandboxed](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox/) application and runs without any special privileges.
## Choosing your Linux distribution
Generally, any distribution with `chrony` 4.0 or above would work fine. I recommend using Fedora since it is easy to manage, generally up to date, and has mostly sane defaults.
Generally, any distribution with `chrony` 4.0 or above would work fine. I recommend using Fedora since it is easy to manage, is generally up to date, and has mostly sane defaults.
You can download Fedora Server from their [official website](https://fedoraproject.org/server/download/).
@ -215,7 +215,7 @@ Add the following:
Finally, follow the [official documentation](https://docs.getutm.app/advanced/remote-control/) to automatically start the virtual machine at boot.
Note that for some reason, adding the shortcut to "Login Items" alone is not enough - UTM will launch but it will not start the VM. UTM also needs to be added to the list of "Login Items" for this to work properly. You can follow the discussion regarding this on [GitHub](https://github.com/utmapp/UTM/issues/4179#issuecomment-1606041021).
Note that, for some reason, adding the shortcut to "Login Items" alone is not enough: UTM will launch but it will not start the VM. UTM also needs to be added to the list of "Login Items" for this to work properly. You can follow the discussion regarding this on [GitHub](https://github.com/utmapp/UTM/issues/4179#issuecomment-1606041021).
![macOS login items](/images/macos-login-items.png)

2
content/posts/proxies/_index.md
View File

@ -4,4 +4,4 @@ ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about proxies. Posts about commercial VPN use cases, choosing your VPN provider, and Signal TLS Proxy can be found here.
A collection of posts about proxies. Posts about commercial VPN use cases and the Signal TLS Proxy can be found here.

8
content/posts/qubes/Using IVPN on Qubes OS.md
View File

@ -7,11 +7,11 @@ author: Tommy
![IVPN](/images/ivpn.png)
IVPN is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official IVPN client in a ProxyVM on Qubes OS. We will deviate from the [official guide](https://www.ivpn.net/knowledgebase/linux/ivpn-on-qubes-os/) by using systemd path to handle DNAT. This will provide the same robustness their approach to modify `/opt/ivpn/etc/firewall.sh`, while avoiding the risk that the modifications will be overwritten by a future app update. We will also be using a TemplateVM for IVPN ProxyVMs instead of using Standalone VMs.
IVPN is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official IVPN client in a ProxyVM on Qubes OS. We will deviate from the [official guide](https://www.ivpn.net/knowledgebase/linux/ivpn-on-qubes-os/) by using systemd path to handle DNAT. This will provide the same robustness as their approach to modify `/opt/ivpn/etc/firewall.sh`, while avoiding the risk that the modifications will be overwritten by a future app update. We will also be using a TemplateVM for IVPN ProxyVMs instead of using Standalone VMs.
## Preparing your TemplateVM
I recommend that you make a new TemplateVM based on latest Fedora GNOME template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with IVPN, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly.
I recommend that you make a new TemplateVM based on the latest Fedora GNOME template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with IVPN, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly.
I run [this script](https://github.com/TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh) on my template to trim it down.
@ -72,7 +72,7 @@ Next, enable the systemd path:
sudo systemctl enable dnat-to-ns.path
```
Finally, shutdown the TemplateVM:
Finally, shut down the TemplateVM:
```bash
sudo shutdown now
@ -107,4 +107,4 @@ With this current setup, the ProxyVM you have just created will be responsible f
Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/qubes/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the IVPN ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.
![MirageOS](/images/mirageos.png)
![MirageOS](/images/mirageos.png)

8
content/posts/qubes/Using Mullvad VPN on Qubes OS.md
View File

@ -11,7 +11,7 @@ Mullvad is a fairly popular and generally trustworthy VPN provider. In this post
## Preparing your TemplateVM
I recommend that you make a new TemplateVM based on latest Fedora GNOME template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with Mullvad, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly.
I recommend that you make a new TemplateVM based on the latest Fedora GNOME template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with Mullvad, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly.
I run [this script](https://github.com/TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh) on my template to trim it down.
@ -31,7 +31,7 @@ sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mul
sudo dnf install -y mullvad-vpn
```
To workaround [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803), we will using systemd path to run `/usr/lib/qubes/qubes-setup-dnat-to-ns` every time Mullvad modifies `/etc/resolv.conf`. Create the following files:
To work around [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803), we will be using systemd path to run `/usr/lib/qubes/qubes-setup-dnat-to-ns` every time Mullvad modifies `/etc/resolv.conf`. Create the following files:
- `/etc/systemd/system/dnat-to-ns.service`
```
@ -72,7 +72,7 @@ Next, enable the systemd path:
sudo systemctl enable dnat-to-ns.path
```
Finally, shutdown the TemplateVM:
Finally, shut down the TemplateVM:
```bash
sudo shutdown now
@ -105,4 +105,4 @@ With this current setup, the ProxyVM you have just created will be responsible f
Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/qubes/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.
![MirageOS](/images/mirageos.png)
![MirageOS](/images/mirageos.png)

2
content/posts/qubes/_index.md
View File

@ -4,4 +4,4 @@ ShowReadingTime: false
ShowWordCount: false
---
A collection of posts about Qubes OS and related applications. This section contains MirageOS setup, Split SSH configuration, and guides on setting up proxies on Qubes OS.
A collection of posts about Qubes OS and related applications. This section contains guides on setting up MirageOS, Split SSH, and proxies on Qubes OS.