Feature request: Support for QubesOS proxy-vm setup
Describe the solution you'd like
I'm looking for a user-friendly setup solution for this application in a QubesOS proxy-vm dedicated to setting up and maintaining a VPN connection (sys-vpn).
Is your feature request related to a problem? Please describe.
When I install this application in an appVM, it installs to the /opt/ directory, and no root directories persist across reboots except /rw/.
Additional context
This is the setup guide for a proxy-vm in QubesOS: https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
I don't know if this is helpful, but NordVPN has snap support for their VPN app: https://snapcraft.io/nordvpn-electron
When we last researched snap and flatpak, it wasn't possible to get root access from either, which PIA desktop needs in order to configure routing, firewall, etc. I haven't seen any changes to that, and I think it is an intentional decision in both snap and flatpak so it's unlikely to change. If it is possible now though, I'd be happy to look into it again!
That NordVPN package appears to be a third-party GUI over their Linux CLI client - you also have to install their CLI client separately, which isn't a snap. The PIA GUI could be packaged this way, but neither of these solves the deployment issue since you'd still have to install the daemon somehow.
I have not used QubesOS myself, but it sounds like if you can symlink /opt/piavpn/ over to /rw, then PIA desktop should install there and persist across reboots of the VM. Something like:
- Symlink `/opt/piavpn` over to `/rw/piavpn`.
- Install PIA
- I'm not sure how init works in these VMs, but you might want to consider skipping service installation and running pia-daemon manually as root in your startup script:
  `bash pia-linux-<VERSION>.run -- --skip-service`
- Create a startup script that does something like the following: (I'm not sure where to put the script, but I'd figure there must be some way to run something on startup in the VM)
  - Symlink `/opt/piavpn` over to `/rw/piavpn` since /opt isn't preserved
  - Start pia-daemon as root if you skipped the service configuration
  - If you want it to connect when the VM boots, do `piactl connect` at this point once the service is up
Thank you for looking into this. It's unfortunate that it's not possible with snap. But your installation suggestions are super helpful and they worked! I didn't realise that this was possible just with a symlink. This is what I did:
1. Install the dependencies in the template VM by running:
```
sudo dnf install libsnl libnl3-devel.x86_64
```
2. Now to set up the VPN proxy-vm:
2.1 Run the installation. This installs to /opt/piavpn:
```
bash pia-linux-2.9-06393.run
```
2.2 Now copy the installation folder to a folder that persists:
```
sudo mkdir /rw/usrlocal/opt
sudo cp -r /opt/piavpn/ /rw/usrlocal/opt/
```
2.3 I think this enables the client to start in the background later:
```
piactl background enable
```
2.4 Lastly, run these commands to edit the rc.local startup script, which runs every time you boot the VM:
```
# sudo applies only to echo, not to the >> redirect, so append through sudo tee -a instead
echo "ln -s /rw/usrlocal/opt/piavpn /opt/  # /opt is not persisted, recreate the link on every boot" | sudo tee -a /rw/config/rc.local
echo "groupadd piavpn  # I think the daemon wants to use the piavpn group to start" | sudo tee -a /rw/config/rc.local
echo "/opt/piavpn/bin/pia-daemon  # this starts the daemon at startup" | sudo tee -a /rw/config/rc.local
echo "piactl connect  # this makes the client connect on boot in the background" | sudo tee -a /rw/config/rc.local
```
2.5 Reboot the proxy-vm to test it.
3. Now if you want to start the VPN client GUI, run this as a non-root user:
```
/opt/piavpn/bin/pia-client
```
Your credentials should also persist.
4. To do: troubleshoot networking between this proxy-vm and an attached appVM. There is a connection, but DNS doesn't work.
- A simple solution is to enable port forwarding in the PIA client GUI: Settings > Network > Request Port Forwarding
Problems:
- Not all VPN servers support port forwarding
- This also renders the Killswitch feature ineffective
- And WireGuard connects but doesn't redirect traffic to the VPN server, and the port forwarding request fails
The answers probably lie in iptables' packet routing. The Qubes-Community setup guide for a proxy-vm in QubesOS suggests "3. Create the DNS-handling script". However, this bash script works by editing iptables rules, which the PIA client already flushes, and it creates many rules of its own. Combining the two rule sets could start to get very messy! I might just write a handful of killswitch iptables rules of my own and add them.
I could add the PIA DNS servers to /etc/resolv.conf in every appVM that I connect to the proxyVM, but that's more of a workaround than a fix.
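To keep the AppVM DNS redirection separate from whatever rules the PIA client manages, here is an added example script (not from this thread, from Qubes, or from PIA) for the proxyVM's startup path that confines itself to the Qubes-reserved DNS chain. It assumes a Qubes 4.0/4.1 iptables-based firewall whose nat table has the PR-QBS chain that Qubes uses for DNS redirection, that the PIA client writes its resolvers to the proxyVM's /etc/resolv.conf while connected and leaves PR-QBS alone, and that it runs as root after `piactl connect` reports Connected; the sample resolv.conf content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, Qubes or PIA): redirect AppVM DNS to the
# resolvers PIA set in the proxyVM, touching only the Qubes-reserved PR-QBS
# chain so the PIA client's own rules are left alone.
# Assumptions: Qubes 4.0/4.1 iptables firewall (nat table has PR-QBS), PIA
# writes its resolvers to /etc/resolv.conf while connected, run as root.

# Constructed sample of the resolv.conf contents PIA writes while connected.
SAMPLE_RESOLV=$(printf '# generated by PIA (constructed sample)\nnameserver 10.0.0.243\nnameserver 10.0.0.242\n')

# Print the nameserver addresses found in resolv.conf-formatted text, one per line.
dns_servers_from_resolv() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Emit the iptables commands that send AppVM DNS queries (udp/tcp port 53
# arriving in PREROUTING) to the given resolvers. The chain is flushed first
# so stale entries from a previous VPN server do not linger.
build_dns_rules() {
  echo "iptables -t nat -F PR-QBS"
  for server in "$@"; do
    echo "iptables -t nat -A PR-QBS -p udp --dport 53 -j DNAT --to-destination $server"
    echo "iptables -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination $server"
  done
}

# Read the live resolv.conf and apply the rules. Refuses to flush PR-QBS when
# no resolver is present, which would otherwise silently break AppVM DNS.
apply_dns_rules() {
  servers=$(dns_servers_from_resolv "$(cat /etc/resolv.conf)")
  if [ -z "$servers" ]; then
    echo "no nameserver in /etc/resolv.conf; is the VPN connected?" >&2
    return 1
  fi
  # $servers is deliberately unquoted: one resolver per word
  build_dns_rules $servers | sh -e
}

# Run as root on the proxyVM after 'piactl connect' reports Connected:
#   apply_dns_rules
```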
Closing as I believe the issue was addressed 👍