VPNs and Qubes - a cautionary tale

Here’s something that most of you probably know, but I didn’t. I think it has cost me dearly in terms of privacy. This is for those as ignorant as me, before they make the same mistake.

tl;dr - running one VPN-vm for multiple qubes links your identity across all of them. Separate qubes may afford more security, but unless you separate your VPN use as well, it won’t give you privacy. (I know, I know, it should be obvious.)

My VPN provider advertises a “shared” VPN connection. There’s not much other explanation - I thought that meant you shared a variety of IPs per session. No. On connection, you’re assigned an IP address. Others will share that IP, but you will not share others. Break the connection, and you get a new IP (see below).

When I first started using this provider - who is one of the best and supports Qubes - I was on a standard Linux OS. I used wireguard or their wireguard-based app. Connections were transparent, obvious and easy to change. If I wanted to get separation between one part of my online life and another (no Tor used here), I’d switch server locations. Better, I had a couple of dedicated VMs in VirtualBox, each with separate VPN connections via their app. Privacy by separation. All very clear to know - and not forget - what you were doing. I thought I could run something similar in Qubes, but more effectively and efficiently.

In Qubes, (going by the VPN company’s instructions) the connection to the server is by an OpenVPN arrangement in a dedicated net-VM, VPN-vm. Set your app-vm’s net-vm to VPN-vm, and you’re away. It kind of sits out-of-sight-out-of-mind. Close an app-vm, and the connection with the VPN stays open. It’s the same connection when you fire up the next qube that’s also on that VPN-vm. So your IP address is the same between e.g. work-vm and personal-vm.

I thought my IP address was switching around their servers by what I thought “sharing” was. I thought there would be a ‘timeout’ function, or a re-connection, or even the instability I would sometimes see on the standard LinuxOS/wireguard/app. No. These connections, and thus your IP address, are surprisingly durable. I have now observed several days on the same IP address, including through a couple of suspend/resume and wifi on/off (several minutes). This makes a very persistent identity on the internet.

I’ve worked with this arrangement for about a year, not realizing. Even with the IP address sharing (just how shared are they?), even with restarts and successful reconnections, I’m almost always using Fedora-based qubes, Firefox (with a very similar set of privacy focused addons) and the same system time, screen size and language settings. F-i-n-g-e-r-p-r-i-n-t. For a year, I’ve left a big fat statistical trail blazed across every data aggregator company’s database that says “that’s the same guy”.

Does any of this really matter? You be the judge:

Last week I used Google-maps with GPS on my phone (through the VPN’s android client). A day later on my Qubes system, I opened my Google-vm, that uses VPN-vm, and logged into my Google account (that has location services switched off). A day or two after that, in personal-vm (i.e. a third, separate vm), Duckduckgo just wasn’t delivering so I ran the search in Google. Down the bottom of the page Google quietly displayed my location. It was my local district. Accurate. The VPN company has no servers near my side of the city. It’s only happened once. I think that’s enough.

I think my mistake has wrecked 5 years of progress towards good online privacy. It really hurts. I’ve worked hard to get to this point. Miswiring two powerful privacy tools (VPN, Qubes) has actually backfired. There was no discussion of the issue on the VPN’s pages, and Qubes docs don’t really deal with the risk. I admit the risk is one of user error, but VPN connections are bewildering enough for lower-skilled users. A simple sentence or two could have saved me pain. Bet I am not the only one to have made this mistake.

Mitigations:

  1. Use Tor/Whonix. In this place, I’m worried about Tor activity being legally prejudicial, also slow and scarce “bandwidth-for-freedom-fighters”, so I’ve avoided it. I am reviewing my position on the matter.

  2. Use multiple VPN-vms. Be strict and strategic about which qube uses which VPN server. (Watch your provider’s connection cap).

  3. Unless you really are relaxed about it, shut down your VPN-vm at the same time you shut the app-vm. (I’d love to know how to automate that).

  4. Force reconnection to the VPN server/s (and check). Suspend/resume, wifi powercycle and elapsed time will not work. Powercycling the machine will do it, but it’s a pain (~5+ minutes for me). Restarting the VPN-vm would (probably) also work. An `openvpn` command in the VPN-vm w/c/should also work (maybe even on a `cronjob`) - welcome suggestions.
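
For mitigations 3 and 4 above, here is an added example (not from this thread, and not Qubes’ own tooling) of a small dom0 script that shuts an app-vm down and, if no other running qube still routes through its net-vm, shuts that VPN-vm down too, so the next start makes a fresh VPN connection. It assumes the standard Qubes 4.x dom0 tools qvm-ls, qvm-prefs and qvm-shutdown plus awk in dom0; the qube names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not a Qubes tool): shut down an app-vm
# and then its VPN net-vm, unless another running qube still uses that net-vm.
# Shutting the VPN-vm down forces a fresh VPN session (new IP, per the post)
# the next time any qube starts it.
# Assumed usage in dom0:  sh shutdown-with-vpn.sh work-vm
# Assumes Qubes 4.x dom0 CLI: qvm-ls, qvm-prefs, qvm-shutdown.

# Pure check, kept free of qvm-* calls so it can be tested offline.
# stdin: one "<qube> <netvm>" line per running qube.
# Prints the qubes other than $1 whose netvm is $2; exit 0 if any exist.
netvm_still_in_use() {
    awk -v app="$1" -v net="$2" '
        $1 != app && $2 == net { print $1; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Collect "<qube> <netvm>" for every running qube (dom0 only; dom0 itself
# has no netvm, so its line just has an empty second field).
running_vm_netvms() {
    for vm in $(qvm-ls --running --raw-list); do
        printf '%s %s\n' "$vm" "$(qvm-prefs "$vm" netvm 2>/dev/null)"
    done
}

main() {
    appvm=$1
    netvm=$(qvm-prefs "$appvm" netvm) || exit 1
    qvm-shutdown --wait "$appvm"
    if running_vm_netvms | netvm_still_in_use "$appvm" "$netvm"; then
        echo "$netvm still in use by the qubes above; leaving it running" >&2
    else
        echo "no other qube uses $netvm; shutting it down" >&2
        qvm-shutdown --wait "$netvm"
    fi
}

# Only act when a qube name is given, so sourcing the file does nothing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from dom0 in place of a plain qvm-shutdown; if you keep several VPN-vms (mitigation 2), it works per net-vm without further changes.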

Some things to consider:

  • DO NOT use OpenVPN. It’s not very consistent, doesn’t handle connection breakages well, killswitches don’t work with any degree of consistency, and the massive codebase leads to a huge attack/bug surface.
  • Use WireGuard.
  • DuckDuckGo results suck, but rather than using Google, use Startpage, which is a privacy-friendly proxy for Google search results.
  • A low-tech idea is to make your browser’s startpage an IP/location + DNS leak checker. This way, if something is up, you know before you start browsing.

Mitigations:

Use Tor/Whonix.

Right. Using Whonix in Qubes provides automatic stream isolation, so this problem would never have arisen.

In this place, I’m worried about Tor activity being legally prejudicial, also slow and scarce “bandwidth-for-freedom-fighters”, so I’ve avoided it. I am reviewing my position on the matter.

The legality question depends on your jurisdiction.

My understanding is that regular folks using Tor helps freedom fighters by providing cover traffic. Might want to check out the Tor docs for more info about this.

I only use VPN when I want my traffic to appear to originate from a specific place (as lots of websites have different policy based on where you connect from, as stupid as that is).

For anything else where I want privacy, whonix gateway is the way to go. That’s what it is made for and you should use it too. Of course it’s not perfect, as some websites block Tor exit nodes, and as you’ve noticed it’s slower.

Definitely reconsider your stance that you’re using up precious resources. It’s just the opposite. Freedom fighters need “normal” users to hide among. They can then claim to be normal users, since no one can tell who’s who.

May I ask what VPN provider you were using?

Not to talk negatively of it or anything, just out of curiosity.

Definitely a good practice to reset the VPN VM every time. However, one built-in possible mitigation is every Qube being (apparently) a different device with a different IP. It’s not a cover-all, but it’s something.

I’m probably late to the party, but there is a difference between identities and VMs for quite a few of us.

I have over a dozen appVMs I use for various activities, but only three real identities. I use the same VPN provider for all three, but I use three separate accounts for each one. This is pretty expensive compared to using one, but it does ensure that all three are separated and that none are connected to my real-life identity.

And to your point about TOR, I use a whonix browser for two of them and make sure to use TOR before hitting the VPN. I don’t really care if a random entrance node knows who I am because they can’t see my destination endpoint, but I do care if my VPN knows who I am because if they have a non-TOR connection point, it’s just one added step to find out who I am.

real me => VPN gateway (using account #1) => destination

fake me browsing => whonix VM => whonix gateway => VPN gateway (using account #2) => destination

fake me logging into online services => disposable whonix VM => whonix gateway => other VPN gateway (using account #2) => destination

-- for this site, I make sure to switch my identity, if not use a completely new disposable VM if I need to log into a new site (i.e. I don’t log into two accounts using the same disposable VM)

One other thing, it’s better to dispense with the “bandwidth for freedom fighters” mindset. The whole reason TOR was probably open-sourced to the public is because if it was just government spies using it, adversaries could easily tell who is a government spy by seeing that they are using TOR traffic. Adding civilians to the population of TOR users adds noise which makes it easier for government agents, freedom fighters, and the like to hide in the noise. Just don’t use it to do stupid things, like streaming your Netflix videos, because that really does choke bandwidth (and you probably are using it with your Netflix account you paid for and have under your real name anyway, defeating the point).

Things to consider:

  • VPNs don’t actually work. Post 1 Post 2
  • You logged in

For your last hint, I’d recommend instead blocking everything but the VPN at the firewall. That way, you cannot accidentally leak your real IP to anyone. If something goes wrong with the VPN, you know, because you can’t connect to anything.

Regular Tor user (and advocate).
You are completely correct about the last bit, the more regular people, the better people that need to hide can hide.