From 85410e6bf794f7522b2c3a6e709149588856a472 Mon Sep 17 00:00:00 2001 From: Calascibetta Romain Date: Mon, 24 Jun 2024 12:33:02 +0200 Subject: [PATCH] Add an article about qubes-miragevpn --- articles/qubes-miragevpn.md | 82 +++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 articles/qubes-miragevpn.md diff --git a/articles/qubes-miragevpn.md b/articles/qubes-miragevpn.md new file mode 100644 index 0000000..8c89776 --- /dev/null +++ b/articles/qubes-miragevpn.md 
@@ -0,0 +1,82 @@ +--- +date: 2024-06-24 +article.title: qubes-miragevpn, a MirageVPN client for QubesOS +article.description: A new OpenVPN client for QubesOS +tags: + - OCaml + - vpn + - unikernel + - QubesOS +author: + name: Romain Calascibetta + email: romain.calascibetta@gmail.com + link: https://blog.osau.re/ +--- + +We are pleased to announce the arrival of a new unikernel: +[qubes-miragevpn][qubes-miragevpn]. The latter is the result of work begun +several months ago on [miragevpn][miragevpn]. + +Indeed, with the ambition of completing our unikernel suite and the success of +[qubes-mirage-firewall][qubes-mirage-firewall] - as well as the general aims of +QubesOS - we thought it would be a good idea to offer this community a unikernel +capable of acting as an OpenVPN client, from which other virtual machines (app +qubes) can connect so that all their connections pass through the OpenVPN +tunnel. + +## QubesOS & MirageOS + +Unikernels and QubesOS have always been a tempting idea for users in the sense +that a network application (such as a firewall or VPN client) could be smaller +than a Linux kernel: no keyboard, mouse, wifi management, etc. Just network +management via virtual interfaces should suffice. + +In this case, the unikernel corresponds to this ideal where, starting from a +base ([Solo5][solo5]) that only allows the strictly necessary (reading and +writing on a virtual interface or block device) and building on top of it all +the application logic strictly necessary to the objective we wish to achieve +reduces, in effect, drastically: +1) the unikernel's attack surface +2) its weight +3) its memory usage + + +We won't go into all the work that's been done to maintain and improve +[qubes-mirage-firewall][qubes-mirage-firewall] over the last 10 +years[1](#fn1), but it's clear that this particular unikernel has +found its audience, who aren't necessarily OCaml and MirageOS aficionados. 
+ +In other words, [qubes-mirage-firewall][qubes-mirage-firewall] may well be a +fine example of what can actually be done with MirageOS, and of real utility. + +
+ +**1**: [marmarek][marmarek], [Mindy][yomimono] or +[mato][mato] were (and still are) heavily involved in the work between QubesOS +and MirageOS. We'd also like to thank them, because if we're able to continue +this adventure, it's also thanks to them. + +## QubesOS & MirageVPN + +So, after a lengthy development phase for MirageVPN, we set about developing a +unikernel for QubesOS to offer an OpenVPN client as an operating system. We'd +like to give special thanks to [Pierre Alain][palainp], who helped us to better +understand QubesOS and its possibilities. + +The unikernel is available here: https://github.com/robur-coop/qubes-miragevpn +A tutorial has just been created to help QubesOS users install and configure +such an unikernel: https://robur-coop.github.io/miragevpn-handbook/ + +In the same way as [qubes-mirage-firewall][qubes-mirage-firewall], we hope to +offer a solution that works and expand the circle of MirageOS and unikernel +users! + +[qubes-miragevpn]: https://github.com/robur-coop/qubes-miragevpn +[miragevpn]: https://github.com/robur-coop/miragevpn +[qubes-mirage-firewall]: https://github.com/mirage/qubes-mirage-firewall +[glossary]: https://www.qubes-os.org/doc/glossary/ +[solo5]: https://github.com/Solo5/solo5 +[palainp]: https://github.com/palainp +[marmarek]: https://github.com/marmarek +[yomimono]: https://github.com/yomimono +[mato]: https://github.com/mato
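Review bot: The `[glossary]` link definition in the reference block at the end of articles/qubes-miragevpn.md is never referenced in the article body, so it is dead markup. The parenthetical "(app qubes)" in the second paragraph looks like where it was meant to go, so either write it as `[app qubes][glossary]` or drop the definition. In the "QubesOS & MirageVPN" section, the line ending in the bare URL `https://github.com/robur-coop/qubes-miragevpn` is followed directly by "A tutorial has just been created" with no full stop or blank line between them, so Markdown will join the two into one paragraph. End the first sentence or separate the two lines, and consider using the already defined `[qubes-miragevpn]` reference rather than a bare URL. Two smaller points: "such an unikernel" should read "such a unikernel", and the footnote link `[1](#fn1)` needs a matching `fn1` anchor on the footnote paragraph; none is visible in the added lines, so please check that the link resolves once rendered.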