-
-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
document how to safely use Bitmask #2021
Comments
I can look into bitmask during Whonix 14 development. |
I'm able to use Bitmask without any DNS leakage, how did you set it up? |
@jasperweiss can you draft a step-by-step walkthrough on how you set it up? if you want to include fail-safes then that would be doubly-helpful. thanks! |
Tests seem to indicate it isn't leaking any DNS queries (they keep running forever) but in theory it is still possible. Bitmask does fail closed so it shouldn't be a problem when the connection drops. The way I have it setup is as follows:
I did some testing using ping on an app VM connected to the VPN VM:
while Bitmask isn't running, ping google.com results in:
So here we can see that DNS queries are in fact leaking even though it can't access the IP address it resolved (Only the VPN service server's IP address is whitelisted). Whether DNS queries are also routed in the clear when Bitmask is running is unclear to me since all dns leak tests keep running forever. Obviously disabling 'Allow DNS queries' in the Qubes firewall settings will not allow any DNS traffic at all, so that's not very useful. Perhaps there should be an option in the firewall settings to whitelist specific DNS addresses? |
This is very similar to the issues described in #1941.
That would not cover the shared VPN/Tor server leak bug (issue description). |
That, and DNS traffic. Which is what I'm a little more worried about. Could it be possible to make the whitelisting/blacklisting of IP adresses apply for DNS traffic, too? |
is there a reason it needs to be stand-alone?
https://dnsleaktest.com not work for you?
I would argue this is outside the scope of this ticket/issue. The intention is a functional VPN setup, not a VPN-Tor setup, at least for now. |
Michael Carbone:
Although the issue description regrettably limited to Tor, the issue |
Yes, since you'll be installing Bitmask on it. You could install it inside the template but that means you've got Bitmask installed on all VM's based on that template which is not what we want.
No, the test runs indefinitely without returning any results.
I don't quite agree. The fact that Tor traffic could be send out in the clear rather than being routed through the VPN service means it's leaking; which is precisely what this issue is about. I'd like to quickly mention this project. It sets a few IP table rules to block all traffic except when it's coming from processes within the 'qvpn' group. It then adds the VPN client to that group. This seems to solve #1941 as well as DNS leakage. |
if the user wants to create additional Bitmask-based ProxyVMs then installing it in the template makes perfect sense. I think in general the default should be installing applications that are required for a given action, and if you want to mention that the user can create a standalone VM instead that is always a possibility.
from both Bitmask ProxyVM and AppVM? hmmm not encouraging for trying to confirm no DNS leaks, and as you mention DNS is leaking. so it sounds like we aren't there yet.
This issue is about documenting how to use Bitmask to prevent DNS and clearnet leaks which we still haven't figured out. Then running Tor over it and ensuring that if the server is also hosting a Tor entry guard on the same IP address and if your VPN breaks you don't get a leak is a much lower priority. It sounds like we should start with ensuring VPN won't easily break. If you disagree then maybe the guide should use Whonix-WS with the leak protection additions Patrick recently created.
Is there any way to incorporate it into the walkthrough? sounds like we are still looking for documentation we can put on the website walking the user through setting up Bitmask VPN as a ProxyVM with basic leak protection. |
Bitmask is not installable from official Debian repository. In such cases, for better security it's advisable to either use a separate TemplateVM, or with perhaps lower overhead, a separate StandaloneVM.
It's not tied to Tor at all. Nowadays more and more services are hosted in data centers. It does not seem that unlikely to me, that both a VPN provider and an unrelated website oder advertising company is sharing the same IP. This could result in a clearnet leak. We have a highly specialized economy nowadays. Some people provide cloud computing services and call them for example amazon aws. Others specialize in hosting VPNs or advertising tracking services - for that they use might use cloud computing. A match seems not that unlikely too me. I am wondering how special this ticket is. I mean, how different is Bitmask from OpenVPN. Since Bitmask is based on OpenVPN... It could very well be the case that anything done in #1941 or documented under https://www.qubes-os.org/doc/vpn/ "only needs |
ah yes that makes perfect sense.
I have no problem setting up OpenVPN in a ProxyVM using the Network Manager so that it doesn't leak DNS. I think Bitmask is special case since it's non-Debian repo deb, etc. So it sounds like it requires particular documentation/tweaks in order to use correctly that is not necessarily related to OpenVPN ProxyVMs in general. |
I'd recommend following this progression:
@jasperweiss Numbers 1-3a are of primary importance. Number 4 is secondary as it protects against access initiated from the inside of the vpn vm. Applying firewall rules internally is a good idea because of the detailed traffic information in that firewall, and because a dedicated vpn vm should be generally trusted anyway. If its untrusted (which doesn't make much sense) and you're filtering upstream, the vpn client could still send packets with sensitive info to whichever address you're allowing, and this could be intercepted by a hostile router or ISP (or sys-net). |
repository issues bitmask does not start |
connect to Tor before bitmask (User -> Tor -> bitmask -> Internet) broken |
bitmask shared VPN/Tor server leak bug? |
As per https://github.com/leapcode/bitmask_client/issues/1009#issuecomment-234293666
|
|
My attempt, step by step
To refresh, I have now the following setup: internet The dns leak test websites https://www.perfect-privacy.com/dns-leaktest/ and https://dns-leak.com/ opened in Firefox inside temp-bitmask reported a tor exit node ip address (all the same), and no DNS leaks. The Bitmask client running inside sys-bitmask is reporting activity. One thing that should be noted is that the external ip address reported to the dns leak test websites is always the same. So:
Conclusionsys-net > sys-firewall > Bitmask VPN ProxyVM > Whonix Gateway ProxyVM > Whonix Workstation AppVM is what Works For Me (tm). This comment is being sent from Tor Browser in a Whonix DispVM with that setup. I haven't tried to rob a bank yet to see if it really works, though. NotesIf by using Bitmask on its own without Whonix I am leaking DNS, then I'm leaking DNS to the Tor exit node, even though I'm not leaking to the final destination. If that's not true, then please correct me. I've tried messing with the networking at sys-net, and it seems that bitmask works in the "fail close" pattern. If I deliberately "turn off" Bitmask, then the sys-bitmask ProxyVM allows traffic to flow normally. While this could be intended behavior if you were running Bitmask in a regular desktop OS, in the case of Qubes, if I wanted to turn off bitmask, I'd change my AppVM's NetVM instead. So I expect that if I'm using sys-bitmask as NetVM, then it will enforce its use. Bitmask seems to start when the sys-bitmask ProxyVM is started, out of the box. And it sits in the notification area, so saving the login and password in the client provides a Just Works (tm) way to automatically tunnel all traffic in the VPN service, along with the regular Qubes scripts to start all other necessary VMs. An important thing that should be noted is that by doing these tests, I've broke the Paranoid Rules (tm) and successfully, irrevocably recorded forever in ECHELON's database all tied up my Tor routes, my Calyx VPN IP and my real world DNS. So now, no one will ever have to do it again. You're welcome. Another important thing is that
Not relevant or related, but the WebRTC test, also this one in a non Tor Browser (regular Firefox) leaks the AppVM internal IP address. Not that we all didn't know about that anyway. Now I will go through the qubes and the whonix instructions to make sure everything is set the Proper Way (tm). |
@DeSci The next bitmask release will automatically enable anti-leak fw rules tailored for Qubes proxyVMs. However, their main app pre-release isn't stable yet so I have only been able to get it to run manually from their bundled package. There is a thread in leap-discuss list covering this issue. |
I was going to close this since it's old and not recently updated but apparently it is still a recent issue tracked on the LEAP side (Bitmask, Riseup VPN, Calyx VPN, all are same codebase): |
i feel like this issue is old & there doesn't seem to be demand for it (also the main open issues are on bitmask's side), so i will close. we can always re-open in the future if needed. |
Bitmask is a free FOSS VPN client (and encrypted email application). It would be great to document how to use the VPN client in Qubes safely, following this email thread:
https://groups.google.com/d/msg/qubes-users/dUgf68iiN4I/rqVOSnnHJwAJ
The text was updated successfully, but these errors were encountered: