mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-12-22 04:41:33 -05:00
Use systemd path for dnat-to-ns (#227)
* Use systemd path for dnat-to-ns Signed-off-by: Tommy <contact@tommytran.io> * Make the flow better Signed-off-by: Tommy <contact@tommytran.io> --------- Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
a96b20cea0
commit
5cb4ad0ede
@ -5,7 +5,7 @@ tags: ['Applications', 'Qubes OS', 'Privacy']
|
||||
author: Tommy
|
||||
---
|
||||
|
||||
![Mullvad VPN](/images/mullvad-vpn-1.png)
|
||||
![Mullvad VPN](/images/mullvad-vpn.png)
|
||||
|
||||
Mullvad is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official Mullvad client in a ProxyVM on Qubes OS. This method is a lot more convenient than the [official guide](https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/) from Mullvad (which recommends that you manually load in OpenVPN or Wireguard profiles) and will let you seamlessly switch between different location and network setups just as you would on a normal Linux installation.
|
||||
|
||||
@ -13,19 +13,13 @@ Mullvad is a fairly popular and generally trustworthy VPN provider. In this post
|
||||
|
||||
I recommend that you make a new TemplateVM based on latest Fedora template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with Mullvad, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly.
|
||||
|
||||
This is what I run on my template to trim it down:
|
||||
```bash
|
||||
sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculator gnome-connections gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-characters gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* httpd mozilla* cups rygel -y
|
||||
sudo dnf autoremove -y
|
||||
```
|
||||
I run [this script](https://github.com/TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh) on my template to trim it down.
|
||||
|
||||
Next, you need to create the bind directories for Mullvad's configurations:
|
||||
|
||||
```bash
|
||||
sudo mkdir -p /etc/qubes-bind-dirs.d
|
||||
sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
|
||||
binds+=( '/etc/mullvad-vpn' )
|
||||
EOF
|
||||
echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
|
||||
```
|
||||
|
||||
## Installing the Mullvad App
|
||||
@ -33,15 +27,43 @@ EOF
|
||||
Inside of the TemplateVM you have just created, do the following:
|
||||
|
||||
```bash
|
||||
sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm
|
||||
sudo systemctl enable mullvad-daemon
|
||||
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
|
||||
sudo dnf install -y mullvad-vpn
|
||||
```
|
||||
|
||||
Replace `https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/).
|
||||
To workaround [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803), we will using systemd path to run `/usr/lib/qubes/qubes-setup-dnat-to-ns` every time Mullvad modifies `/etc/resolv.conf`. Create the following files:
|
||||
|
||||
![Mullvad VPN URL](/images/mullvad-vpn-2.png)
|
||||
- `/etc/systemd/system/dnat-to-ns.service`
|
||||
```
|
||||
[Unit]
|
||||
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||
|
||||
Shutdown the TemplateVM:
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||
```
|
||||
|
||||
- `/etc/systemd/system/dnat-to-ns.path`
|
||||
|
||||
```
|
||||
[Unit]
|
||||
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns when /etc/resolv.conf changes
|
||||
|
||||
[Path]
|
||||
PathChanged=/etc/resolv.conf
|
||||
Unit=dnat-to-ns.service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
Next, enable the systemd path:
|
||||
|
||||
```bash
|
||||
sudo systemctl enable --now dnat-to-ns.path
|
||||
```
|
||||
|
||||
Finally, shutdown the TemplateVM:
|
||||
|
||||
```bash
|
||||
sudo shutdown now
|
||||
@ -53,15 +75,6 @@ Create an AppVM based on the TemplateVM you have just created. Set `sys-firewall
|
||||
|
||||
![Provides Network](/images/provides-network.png)
|
||||
|
||||
Edit `/rw/config/rc.local` to workaround [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803):
|
||||
|
||||
```bash
|
||||
echo "sleep 10 # Waiting a bit so that Mullvad can establish a connection
|
||||
/usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local
|
||||
```
|
||||
|
||||
Restart the ProxyVM. You can now use this ProxyVM as the net qube for other qubes!
|
||||
|
||||
## Notes
|
||||
|
||||
With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling.
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 541 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 10 KiB |
Loading…
Reference in New Issue
Block a user