diff --git a/content/posts/android/_index.md b/content/posts/android/_index.md index bce370b..e6e68f5 100644 --- a/content/posts/android/_index.md +++ b/content/posts/android/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about Android and related applications. Android tips, custom operating system selection, and F-Droid security issue articles can be found here. \ No newline at end of file +A collection of posts about Android and related applications. Articles about Android tips, custom operating system selection, and F-Droid security issues can be found here. diff --git a/content/posts/linux/_index.md b/content/posts/linux/_index.md index 520c49c..cbc3c5f 100644 --- a/content/posts/linux/_index.md +++ b/content/posts/linux/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about Linux and related applications. Desktop Linux, OCI, OpenSSH hardening guides can be found here. \ No newline at end of file +A collection of posts about Linux and related applications. Guides for hardening desktop Linux, OCI, and OpenSSH can be found here. diff --git a/content/posts/macos/Secure Time Synchronization on macOS.md b/content/posts/macos/Secure Time Synchronization on macOS.md index 88af853..ed2ede8 100644 --- a/content/posts/macos/Secure Time Synchronization on macOS.md +++ b/content/posts/macos/Secure Time Synchronization on macOS.md 
@@ -13,15 +13,15 @@ In this post, I will go over how to leverage virtualization to setup a local Lin ## Installing UTM -The virtualization software we are going to use for this setup is [UTM](https://mac.getutm.app/). You can obtain it through [App Store](https://apps.apple.com/us/app/utm-virtual-machines/id1538878817) for $10 USD or directly through [GitHub](https://github.com/utmapp/UTM/releases) free of charge. +The virtualization software we are going to use for this setup is [UTM](https://mac.getutm.app/). You can obtain it through the [App Store](https://apps.apple.com/us/app/utm-virtual-machines/id1538878817) for $10 USD or directly through [GitHub](https://github.com/utmapp/UTM/releases) free of charge. Personally, I would recommend using the App Store, since you are getting automatic updates with it, and a small donation would really help out the developers. -Note that I am recommending UTM here over other solutions like [Parallels](https://www.parallels.com/) here, specifically for the [Emulated VLAN](https://docs.getutm.app/settings-qemu/devices/network/network/#network-mode) network setup. Parallels only supports the [Shared Network mode](https://kb.parallels.com/4948) where all VMs and the host are connected to the same VLAN, which is less than ideal considering that we will still communicate with our Linux server using the insecure NTP protocol. I have not tried VMWare Fusion or VirtualBox yet, but the gfeneral idea is that you should be connecting to the NTP server using a private interface which only the host and the target VM have access to. Another nice thing about UTM is that it is a [sandboxed](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox/) application and runs without any special privileges. 
+Note that I am recommending UTM here over other solutions like [Parallels](https://www.parallels.com/), specifically for the [Emulated VLAN](https://docs.getutm.app/settings-qemu/devices/network/network/#network-mode) network setup. Parallels only supports the [Shared Network mode](https://kb.parallels.com/4948) where all VMs and the host are connected to the same VLAN, which is less than ideal considering that we will still communicate with our Linux server using the insecure NTP protocol. I have not tried VMWare Fusion or VirtualBox yet, but the general idea is that you should be connecting to the NTP server using a private interface which only the host and the target VM have access to. Another nice thing about UTM is that it is a [sandboxed](https://developer.apple.com/documentation/xcode/configuring-the-macos-app-sandbox/) application and runs without any special privileges. ## Choosing your Linux distribution -Generally, any distribution with `chrony` 4.0 or above would work fine. I recommend using Fedora since it is easy to manage, generally up to date, and has mostly sane defaults. +Generally, any distribution with `chrony` 4.0 or above would work fine. I recommend using Fedora since it is easy to manage, is generally up to date, and has mostly sane defaults. You can download Fedora Server from their [official website](https://fedoraproject.org/server/download/). 
@@ -215,7 +215,7 @@ Add the following: Finally, follow the [official documentation](https://docs.getutm.app/advanced/remote-control/) to automatically start the virtual machine at boot. -Note that for some reason, adding the shortcut to "Login Items" alone is not enough - UTM will launch but it will not start the VM. UTM also needs to be added to the list of "Login Items" for this to work properly. You can follow the discussion regarding this on [GitHub](https://github.com/utmapp/UTM/issues/4179#issuecomment-1606041021). +Note that, for some reason, adding the shortcut to "Login Items" alone is not enough: UTM will launch but it will not start the VM. UTM also needs to be added to the list of "Login Items" for this to work properly. You can follow the discussion regarding this on [GitHub](https://github.com/utmapp/UTM/issues/4179#issuecomment-1606041021). ![macOS login items](/images/macos-login-items.png) diff --git a/content/posts/proxies/_index.md b/content/posts/proxies/_index.md index 059e18e..aa9ff8e 100644 --- a/content/posts/proxies/_index.md +++ b/content/posts/proxies/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about proxies. Posts about commercial VPN use cases, choosing your VPN provider, and Signal TLS Proxy can be found here. \ No newline at end of file +A collection of posts about proxies. Posts about commercial VPN use cases and the Signal TLS Proxy can be found here. diff --git a/content/posts/qubes/Using IVPN on Qubes OS.md b/content/posts/qubes/Using IVPN on Qubes OS.md index ab08a22..3417b1f 100644 --- a/content/posts/qubes/Using IVPN on Qubes OS.md +++ b/content/posts/qubes/Using IVPN on Qubes OS.md 
@@ -7,11 +7,11 @@ author: Tommy ![IVPN](/images/ivpn.png) -IVPN is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official IVPN client in a ProxyVM on Qubes OS. We will deviate from the [official guide](https://www.ivpn.net/knowledgebase/linux/ivpn-on-qubes-os/) by using systemd path to handle DNAT. This will provide the same robustness their approach to modify `/opt/ivpn/etc/firewall.sh`, while avoiding the risk that the modifications will be overwritten by a future app update. We will also be using a TemplateVM for IVPN ProxyVMs instead of using Standalone VMs. +IVPN is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official IVPN client in a ProxyVM on Qubes OS. We will deviate from the [official guide](https://www.ivpn.net/knowledgebase/linux/ivpn-on-qubes-os/) by using systemd path to handle DNAT. This will provide the same robustness as their approach to modify `/opt/ivpn/etc/firewall.sh`, while avoiding the risk that the modifications will be overwritten by a future app update. We will also be using a TemplateVM for IVPN ProxyVMs instead of using Standalone VMs. ## Preparing your TemplateVM -I recommend that you make a new TemplateVM based on latest Fedora GNOME template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with IVPN, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly. +I recommend that you make a new TemplateVM based on the latest Fedora GNOME template and remove all unnecessary packages that you might not use. 
This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with IVPN, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly. I run [this script](https://github.com/TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh) on my template to trim it down. @@ -72,7 +72,7 @@ Next, enable the systemd path: sudo systemctl enable dnat-to-ns.path ``` -Finally, shutdown the TemplateVM: +Finally, shut down the TemplateVM: ```bash sudo shutdown now @@ -107,4 +107,4 @@ With this current setup, the ProxyVM you have just created will be responsible f Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/qubes/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the IVPN ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced. -![MirageOS](/images/mirageos.png) \ No newline at end of file +![MirageOS](/images/mirageos.png) diff --git a/content/posts/qubes/Using Mullvad VPN on Qubes OS.md b/content/posts/qubes/Using Mullvad VPN on Qubes OS.md index a66aaf1..dab6395 100644 --- a/content/posts/qubes/Using Mullvad VPN on Qubes OS.md +++ b/content/posts/qubes/Using Mullvad VPN on Qubes OS.md 
@@ -11,7 +11,7 @@ Mullvad is a fairly popular and generally trustworthy VPN provider. In this post ## Preparing your TemplateVM -I recommend that you make a new TemplateVM based on latest Fedora GNOME template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with Mullvad, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly. +I recommend that you make a new TemplateVM based on the latest Fedora GNOME template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with Mullvad, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly. I run [this script](https://github.com/TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh) on my template to trim it down. 
@@ -31,7 +31,7 @@ sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mul sudo dnf install -y mullvad-vpn ``` -To workaround [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803), we will using systemd path to run `/usr/lib/qubes/qubes-setup-dnat-to-ns` every time Mullvad modifies `/etc/resolv.conf`. Create the following files: +To work around [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803), we will be using systemd path to run `/usr/lib/qubes/qubes-setup-dnat-to-ns` every time Mullvad modifies `/etc/resolv.conf`. Create the following files: - `/etc/systemd/system/dnat-to-ns.service` ``` @@ -72,7 +72,7 @@ Next, enable the systemd path: sudo systemctl enable dnat-to-ns.path ``` -Finally, shutdown the TemplateVM: +Finally, shut down the TemplateVM: ```bash sudo shutdown now @@ -105,4 +105,4 @@ With this current setup, the ProxyVM you have just created will be responsible f Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/qubes/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced. -![MirageOS](/images/mirageos.png) \ No newline at end of file +![MirageOS](/images/mirageos.png) diff --git a/content/posts/qubes/_index.md b/content/posts/qubes/_index.md index 03e7c86..316fc8b 100644 --- a/content/posts/qubes/_index.md +++ b/content/posts/qubes/_index.md @@ -4,4 +4,4 @@ ShowReadingTime: false ShowWordCount: false --- -A collection of posts about Qubes OS and related applications. This section contains MirageOS setup, Split SSH configuration, and guides on setting up proxies on Qubes OS. \ No newline at end of file +A collection of posts about Qubes OS and related applications. This section contains guides on setting up MirageOS, Split SSH, and proxies on Qubes OS.
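Review bot: in the "Installing UTM" hunk of Secure Time Synchronization on macOS (@@ -13,15), the rewritten line still spells the product "VMWare Fusion"; the vendor's capitalization is "VMware Fusion", and since this hunk already corrects "gfeneral" and the duplicated "here" on that same line, fix it in the same pass. The hunk header's context line, "how to leverage virtualization to setup a local Lin", also uses "setup" as a verb; the rest of this commit changes "shutdown" and "workaround" to "shut down" and "work around", so "set up" there would be consistent, even though that line sits outside the hunk.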
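Review bot: the proxies/_index.md hunk silently drops "choosing your VPN provider" from the topic list, while every other _index.md hunk in this patch is pure rewording and nothing else in the patch removes a post. If the VPN-provider article still exists, keep it in the description ("commercial VPN use cases, choosing your VPN provider, and the Signal TLS Proxy"); if it was deleted in a separate commit, say so in the commit message so this does not read as an accidental omission.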
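Review bot: in the Using IVPN on Qubes OS intro hunk (@@ -7,11), "by using systemd path to handle DNAT" is still missing an article and the unit type; since the line is already being edited for "the same robustness as", make it "by using a systemd path unit to handle DNAT". The robustness claim itself (a path unit survives an app update overwriting /opt/ivpn/etc/firewall.sh, while an in-place edit of that script does not) is correct and worth keeping as stated.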
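Review bot: in the Using Mullvad VPN on Qubes OS hunk (@@ -31,7), "we will be using systemd path to run /usr/lib/qubes/qubes-setup-dnat-to-ns" fixes "workaround" to "work around" but leaves the same missing article as the IVPN post; change it to "we will be using a systemd path unit to run ..." so the two posts describe the mechanism the same way.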