1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Use systemd path for dnat-to-ns (#227)

* Use systemd path for dnat-to-ns

Signed-off-by: Tommy <contact@tommytran.io>

* Make the flow better

Signed-off-by: Tommy <contact@tommytran.io>

---------

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-05-12 04:43:07 -07:00 committed by GitHub
parent a96b20cea0
commit 5cb4ad0ede
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 36 additions and 23 deletions

View File

@ -5,7 +5,7 @@ tags: ['Applications', 'Qubes OS', 'Privacy']
author: Tommy
---
![Mullvad VPN](/images/mullvad-vpn-1.png)
![Mullvad VPN](/images/mullvad-vpn.png)
Mullvad is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official Mullvad client in a ProxyVM on Qubes OS. This method is a lot more convenient than the [official guide](https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/) from Mullvad (which recommends that you manually load in OpenVPN or Wireguard profiles) and will let you seamlessly switch between different location and network setups just as you would on a normal Linux installation.
@ -13,19 +13,13 @@ Mullvad is a fairly popular and generally trustworthy VPN provider. In this post
I recommend that you make a new TemplateVM based on latest Fedora template and remove all unnecessary packages that you might not use. This way, you can minimize the attack surface while not having to deal with missing dependencies like on a minimal template. With that being said, if you do manage to get the minimal template to fully work with Mullvad, feel free to [open a discussion on GitHub](https://github.com/orgs/PrivSec-dev/discussions) or [contact me directly](https://tommytran.io/contact) and I will update the post accordingly.
This is what I run on my template to trim it down:
```bash
sudo dnf remove firefox thunderbird totem gnome-remote-desktop gnome-calendar gnome-disk-utility gnome-calculator gnome-connections gnome-weather gnome-contacts gnome-clocks gnome-maps gnome-screenshot gnome-logs gnome-characters gnome-font-viewer gnome-color-manager simple-scan keepassxc cheese baobab yelp evince* httpd mozilla* cups rygel -y
sudo dnf autoremove -y
```
I run [this script](https://github.com/TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh) on my template to trim it down.
Next, you need to create the bind directories for Mullvad's configurations:
```bash
sudo mkdir -p /etc/qubes-bind-dirs.d
sudo tee /etc/qubes-bind-dirs.d/50_user.conf << EOF > /dev/null
binds+=( '/etc/mullvad-vpn' )
EOF
echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf
```
## Installing the Mullvad App
@ -33,15 +27,43 @@ EOF
Inside of the TemplateVM you have just created, do the following:
```bash
sudo dnf install https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm
sudo systemctl enable mullvad-daemon
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
sudo dnf install -y mullvad-vpn
```
Replace `https://mullvad.net/media/app/MullvadVPN-2022.5_x86_64.rpm` with whatever the latest URL for the Mullvad App is. I will try to update this post to give you the accurate command, but you should just take them from [their website](https://mullvad.net/en/download/linux/).
To workaround [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803), we will using systemd path to run `/usr/lib/qubes/qubes-setup-dnat-to-ns` every time Mullvad modifies `/etc/resolv.conf`. Create the following files:
![Mullvad VPN URL](/images/mullvad-vpn-2.png)
- `/etc/systemd/system/dnat-to-ns.service`
```
[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns
Shutdown the TemplateVM:
[Service]
Type=oneshot
ExecStart=/usr/lib/qubes/qubes-setup-dnat-to-ns
```
- `/etc/systemd/system/dnat-to-ns.path`
```
[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns when /etc/resolv.conf changes
[Path]
PathChanged=/etc/resolv.conf
Unit=dnat-to-ns.service
[Install]
WantedBy=multi-user.target
```
Next, enable the systemd path:
```bash
sudo systemctl enable --now dnat-to-ns.path
```
Finally, shutdown the TemplateVM:
```bash
sudo shutdown now
@ -53,15 +75,6 @@ Create an AppVM based on the TemplateVM you have just created. Set `sys-firewall
![Provides Network](/images/provides-network.png)
Edit `/rw/config/rc.local` to workaround [issue 3803](https://github.com/mullvad/mullvadvpn-app/issues/3803):
```bash
echo "sleep 10 # Waiting a bit so that Mullvad can establish a connection
/usr/lib/qubes/qubes-setup-dnat-to-ns" | sudo tee -a /rw/config/rc.local
```
Restart the ProxyVM. You can now use this ProxyVM as the net qube for other qubes!
## Notes
With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling.

Binary file not shown.

Before

Width:  |  Height:  |  Size: 541 KiB

View File

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB