Support for multiple VPN connections #15

Open
codyro opened this issue Mar 13, 2018 · 3 comments

codyro commented Mar 13, 2018

I'll see if I can make a PoC of this; however, I have a use case where I'd make a workVPN ProxyVM which would connect to various L2 OpenVPN instances.

An example use case would be something along these lines:

WorkVM <- workVPN / 192.168.20.0/24 > Hong Kong 
WorkVM <- workVPN / 192.168.30.0/24 > Singapore
WorkVM <- workVPN / 192.168.40.0/24 > Los Angeles
WorkVM <- workVPN / 0.0.0.0/0 -> Net (sys-firewall, no filtering beyond the aforementioned routes)

The firewall portion should be achievable by either plopping the adjusted iptables rules in /rw/config/rc.local or /rw/config/qubes-firewall.d.

This should be relatively easy to achieve by looping over a configuration directory (IE: /rw/config/vpn/openvpn.conf.d/*) and starting various OpenVPN instances. Modifying the systemd service file to support numerous OpenVPN instances (IE: using %i) would make this relatively clean.

I need to dive more into how you're handling the firewalling / routing to see how feasible / easy this change would be and if it fits the scope of your project. If not, I'll fork this and adjust it for the use case outlined above.

Owner

tasket commented Mar 13, 2018

Vpn-support adds no routing itself -- it places restrictions based on the layer below: interfaces -- so for routing you'll need to focus on the default Qubes configuration (which relies on masquerade) and whatever routes openvpn adds. For the former, connecting with openvpn set to verb=4 is useful for showing any route commands executed, including ones pushed down from the vpn server.

It sounds like your multiple connections will be simultaneous. If so, you may prefer to use the Debian openvpn service files, which already use %i instances and can accommodate server/router configurations. Once your services/links are up, adapting the firewall script for your case should be straightforward.
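
An added example (not code from this thread or from the project) of the per-directory loop and `%i` instances discussed above: it maps each config file to an `openvpn@<name>` instance and rejects configs whose name or `dev` setting would make interface-based firewall rules ambiguous. The directory layout, the requirement that each config pins `dev tunN`/`dev tapN`, and the `openvpn@.service` unit name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not project code. Assumptions: one <name>.conf per connection,
# each pinning its device with "dev tunN"/"dev tapN", and a systemd template
# unit named openvpn@.service (as shipped by Debian's openvpn package).

# Print "<instance> <dev>" for every accepted config in directory $1.
# Returns 1 if any config was rejected, so a caller can refuse to start.
list_instances() {
    dir=$1; seen=" "; rc=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue      # unmatched glob or not a regular file
        name=$(basename "$conf" .conf)
        # The name ends up inside a unit name: accept a conservative charset.
        case $name in
            ''|*[!A-Za-z0-9_-]*)
                echo "reject: bad instance name '$name'" >&2; rc=1; continue ;;
        esac
        # Interface-based firewall rules need a predictable device per link.
        dev=$(awk '$1 == "dev" { print $2; exit }' "$conf")
        case $dev in
            tun[0-9]|tun[0-9][0-9]|tap[0-9]|tap[0-9][0-9]) ;;
            *) echo "reject: $name does not pin dev tunN/tapN" >&2; rc=1; continue ;;
        esac
        # Two links configured with the same device would conflict.
        case $seen in
            *" $dev "*) echo "reject: $name reuses $dev" >&2; rc=1; continue ;;
        esac
        seen="$seen$dev "
        echo "$name $dev"
    done
    return $rc
}

# Dry run: print the systemctl command for each accepted instance.
start_commands() {
    list_instances "$1" | while read -r name _dev; do
        echo "systemctl start openvpn@${name}.service"
    done
}
```

Running `start_commands /rw/config/vpn/openvpn.conf.d` prints the commands without executing them; the device column from `list_instances` is what a firewall script would key its per-interface rules on.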

Author

codyro commented Mar 14, 2018

Understood about the routes -- I can finagle it to work fine with multiple VMs but I wasn't sure if this was in the scope of the project to support out of the box (IE: load up multiple OpenVPN instances + set up the firewall rules for said instances).

If not, please feel free to close this issue. If I add anything worthwhile I'll shoot you a PR.

Cheers!

Owner

tasket commented Mar 14, 2018

This is the first time I've had an inquiry about multiple instances. But I'd still say it's in scope because the project is basically route-agnostic... that is left to the vpn configs. I'd be interested to get a PR for this.
