83 lines
3.4 KiB
Markdown
83 lines
3.4 KiB
Markdown
|
---
|
||
|
date: 2024-06-24
|
||
|
article.title: qubes-miragevpn, a MirageVPN client for QubesOS
|
||
|
article.description: A new OpenVPN client for QubesOS
|
||
|
tags:
|
||
|
- OCaml
|
||
|
- vpn
|
||
|
- unikernel
|
||
|
- QubesOS
|
||
|
author:
|
||
|
name: Romain Calascibetta
|
||
|
email: romain.calascibetta@gmail.com
|
||
|
link: https://blog.osau.re/
|
||
|
---
|
||
|
|
||
|
We are pleased to announce the arrival of a new unikernel:
|
||
|
[qubes-miragevpn][qubes-miragevpn]. The latter is the result of work begun
|
||
|
several months ago on [miragevpn][miragevpn].
|
||
|
|
||
|
Indeed, with the ambition of completing our unikernel suite and the success of
|
||
|
[qubes-mirage-firewall][qubes-mirage-firewall] - as well as the general aims of
|
||
|
QubesOS - we thought it would be a good idea to offer this community a unikernel
|
||
|
capable of acting as an OpenVPN client, from which other virtual machines (app
|
||
|
qubes) can connect so that all their connections pass through the OpenVPN
|
||
|
tunnel.
|
||
|
|
||
|
## QubesOS & MirageOS
|
||
|
|
||
|
Unikernels and QubesOS have always been a tempting idea for users in the sense
|
||
|
that a network application (such as a firewall or VPN client) could be smaller
|
||
|
than a Linux kernel: no keyboard, mouse, wifi management, etc. Just network
|
||
|
management via virtual interfaces should suffice.
|
||
|
|
||
|
In this case, the unikernel corresponds to this ideal where, starting from a
|
||
|
base ([Solo5][solo5]) that only allows the strictly necessary (reading and
|
||
|
writing on a virtual interface or block device) and building on top of it all
|
||
|
the application logic strictly necessary to the objective we wish to achieve
|
||
|
reduces, in effect, drastically:
|
||
|
1) the unikernel's attack surface
|
||
|
2) its weight
|
||
|
3) its memory usage
|
||
|
|
||
|
|
||
|
We won't go into all the work that's been done to maintain and improve
|
||
|
[qubes-mirage-firewall][qubes-mirage-firewall] over the last 10
|
||
|
years<sup>[1](#fn1)</sup>, but it's clear that this particular unikernel has
|
||
|
found its audience, who aren't necessarily OCaml and MirageOS aficionados.
|
||
|
|
||
|
In other words, [qubes-mirage-firewall][qubes-mirage-firewall] may well be a
|
||
|
fine example of what can actually be done with MirageOS, and of real utility.
|
||
|
|
||
|
<hr>
|
||
|
|
||
|
<tag id="fn1">**1**</tag>: [marmarek][marmarek], [Mindy][yomimono] or
|
||
|
[mato][mato] were (and still are) heavily involved in the work between QubesOS
|
||
|
and MirageOS. We'd also like to thank them, because if we're able to continue
|
||
|
this adventure, it's also thanks to them.
|
||
|
|
||
|
## QubesOS & MirageVPN
|
||
|
|
||
|
So, after a lengthy development phase for MirageVPN, we set about developing a
|
||
|
unikernel for QubesOS to offer an OpenVPN client as an operating system. We'd
|
||
|
like to give special thanks to [Pierre Alain][palainp], who helped us to better
|
||
|
understand QubesOS and its possibilities.
|
||
|
|
||
|
The unikernel is available here: https://github.com/robur-coop/qubes-miragevpn
|
||
|
A tutorial has just been created to help QubesOS users install and configure
|
||
|
such an unikernel: https://robur-coop.github.io/miragevpn-handbook/
|
||
|
|
||
|
In the same way as [qubes-mirage-firewall][qubes-mirage-firewall], we hope to
|
||
|
offer a solution that works and expand the circle of MirageOS and unikernel
|
||
|
users!
|
||
|
|
||
|
[qubes-miragevpn]: https://github.com/robur-coop/qubes-miragevpn
|
||
|
[miragevpn]: https://github.com/robur-coop/miragevpn
|
||
|
[qubes-mirage-firewall]: https://github.com/mirage/qubes-mirage-firewall
|
||
|
[glossary]: https://www.qubes-os.org/doc/glossary/
|
||
|
[solo5]: https://github.com/Solo5/solo5
|
||
|
[palainp]: https://github.com/palainp
|
||
|
[marmarek]: https://github.com/marmarek
|
||
|
[yomimono]: https://github.com/yomimono
|
||
|
[mato]: https://github.com/mato
|