3.4 KiB
date | article.title | article.description | tags | author | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2024-06-24 | qubes-miragevpn, a MirageVPN client for QubesOS | A new OpenVPN client for QubesOS |
|
|
We are pleased to announce the arrival of a new unikernel: qubes-miragevpn. The latter is the result of work begun several months ago on miragevpn.
Indeed, with the ambition of completing our unikernel suite and the success of qubes-mirage-firewall - as well as the general aims of QubesOS - we thought it would be a good idea to offer this community a unikernel capable of acting as an OpenVPN client, from which other virtual machines (app qubes) can connect so that all their connections pass through the OpenVPN tunnel.
QubesOS & MirageOS
Unikernels and QubesOS have always been a tempting idea for users in the sense that a network application (such as a firewall or VPN client) could be smaller than a Linux kernel: no keyboard, mouse, wifi management, etc. Just network management via virtual interfaces should suffice.
In this case, the unikernel corresponds to this ideal where, starting from a base (Solo5) that only allows the strictly necessary (reading and writing on a virtual interface or block device) and building on top of it all the application logic strictly necessary to the objective we wish to achieve reduces, in effect, drastically:
- the unikernel's attack surface
- its weight
- its memory usage
We won't go into all the work that's been done to maintain and improve qubes-mirage-firewall over the last 10 years1, but it's clear that this particular unikernel has found its audience, who aren't necessarily OCaml and MirageOS aficionados.
In other words, qubes-mirage-firewall may well be a fine example of what can actually be done with MirageOS, and of real utility.
1: marmarek, Mindy or mato were (and still are) heavily involved in the work between QubesOS and MirageOS. We'd also like to thank them, because if we're able to continue this adventure, it's also thanks to them.
QubesOS & MirageVPN
So, after a lengthy development phase for MirageVPN, we set about developing a unikernel for QubesOS to offer an OpenVPN client as an operating system. We'd like to give special thanks to Pierre Alain, who helped us to better understand QubesOS and its possibilities.
The unikernel is available here: https://github.com/robur-coop/qubes-miragevpn A tutorial has just been created to help QubesOS users install and configure such an unikernel: https://robur-coop.github.io/miragevpn-handbook/
In the same way as qubes-mirage-firewall, we hope to offer a solution that works and expand the circle of MirageOS and unikernel users!