<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>
Robur's blog - qubes-miragevpn, a MirageVPN client for QubesOS
</title>
<meta name="description" content="A new OpenVPN client for QubesOS">
<link type="text/css" rel="stylesheet" href="https://blog.robur.coop/css/hl.css">
<link type="text/css" rel="stylesheet" href="https://blog.robur.coop/css/style.css">
<script src="https://blog.robur.coop/js/hl.js"></script>
<link rel="alternate" type="application/rss+xml" href="https://blog.robur.coop/feed.xml" title="blog.robur.coop">
</head>
<body>
<header>
<h1>blog.robur.coop</h1>
<blockquote>
The <strong>Robur</strong> cooperative blog.
</blockquote>
</header>
<main><a href="https://blog.robur.coop/index.html">Back to index</a>
<article>
<h1>qubes-miragevpn, a MirageVPN client for QubesOS</h1>
<ul class="tags-list"><li><a href="https://blog.robur.coop/tags.html#tag-OCaml">OCaml</a></li><li><a href="https://blog.robur.coop/tags.html#tag-vpn">vpn</a></li><li><a href="https://blog.robur.coop/tags.html#tag-unikernel">unikernel</a></li><li><a href="https://blog.robur.coop/tags.html#tag-QubesOS">QubesOS</a></li></ul>
<p>We are pleased to announce the arrival of a new unikernel:
<a href="https://github.com/robur-coop/qubes-miragevpn">qubes-miragevpn</a>. It is the result of work begun
several months ago on <a href="https://github.com/robur-coop/miragevpn">miragevpn</a>.</p>
<p>Given our ambition to complete our unikernel suite, the success of
<a href="https://github.com/mirage/qubes-mirage-firewall">qubes-mirage-firewall</a>, and the general aims of
QubesOS, we thought it would be a good idea to offer this community a unikernel
capable of acting as an OpenVPN client, to which other virtual machines (app
qubes) can connect so that all their connections pass through the OpenVPN
tunnel.</p>
<h2 id="qubesos--mirageos"><a class="anchor" aria-hidden="true" href="#qubesos--mirageos"></a>QubesOS & MirageOS</h2>
<p>Combining unikernels and QubesOS has always been a tempting idea for users, in the sense
that a network application (such as a firewall or VPN client) could be smaller
than a Linux kernel: no keyboard, mouse, wifi management, etc. Network
management via virtual interfaces should suffice.</p>
<p>The unikernel corresponds to this ideal: starting from a
base (<a href="https://github.com/Solo5/solo5">Solo5</a>) that only allows what is strictly necessary (reading and
writing on a virtual interface or block device), and building on top of it only
the application logic needed for the objective we wish to achieve,
drastically reduces:</p>
<ol>
<li>the unikernel's attack surface</li>
<li>its weight</li>
<li>its memory usage</li>
</ol>
<p>We won't go into all the work that's been done to maintain and improve
<a href="https://github.com/mirage/qubes-mirage-firewall">qubes-mirage-firewall</a> over the last 10
years<sup><a href="#fn1">1</a></sup>, but it's clear that this particular unikernel has
found its audience, who aren't necessarily OCaml and MirageOS aficionados.</p>
<p>In other words, <a href="https://github.com/mirage/qubes-mirage-firewall">qubes-mirage-firewall</a> may well be a
fine example of what can actually be done with MirageOS, and of real utility.</p>
<hr>
<p><tag id="fn1"><strong>1</strong></tag>: <a href="https://github.com/marmarek">marmarek</a>, <a href="https://github.com/yomimono">Mindy</a> and
<a href="https://github.com/mato">mato</a> were (and still are) heavily involved in the work between QubesOS
and MirageOS. We'd also like to thank them, because if we're able to continue
this adventure, it's also thanks to them.</p>
<h2 id="qubesos--miragevpn"><a class="anchor" aria-hidden="true" href="#qubesos--miragevpn"></a>QubesOS & MirageVPN</h2>
<p>So, after a lengthy development phase for MirageVPN, we set about developing a
unikernel for QubesOS to offer an OpenVPN client as an operating system. We'd
like to give special thanks to <a href="https://github.com/palainp">Pierre Alain</a>, who helped us to better
understand QubesOS and its possibilities.</p>
<p>The unikernel is available here: <a href="https://github.com/robur-coop/qubes-miragevpn">https://github.com/robur-coop/qubes-miragevpn</a>.
A tutorial has just been created to help QubesOS users install and configure
such a unikernel: <a href="https://robur-coop.github.io/miragevpn-handbook/">https://robur-coop.github.io/miragevpn-handbook/</a></p>
<p>In the same way as <a href="https://github.com/mirage/qubes-mirage-firewall">qubes-mirage-firewall</a>, we hope to
offer a solution that works and expand the circle of MirageOS and unikernel
users!</p>
</article>
</main>
<footer>
<a href="https://github.com/xhtmlboi/yocaml">Powered by <strong>YOCaml</strong></a>
<br />
</footer>
<script>hljs.highlightAll();</script>
</body>
</html>