False claims by Avast! antivirus

It’s particularly disturbing when products that are supposed to protect you actually mislead you into a false sense of safety, hence endangering you.

Take this bold claim by the otherwise quite good free antivirus software Avast!

[Image: Avast! claims]

Here, Avast! directly claims that nobody can listen in on your Voice over IP (VoIP) calls (like Skype or Viber) if you use the Avast! VPN service.

This is patently false.

There is absolutely no way of stopping the government from getting the content of your VoIP calls directly from Microsoft (Skype), or Viber themselves.

All a VPN (Virtual Private Network) service can achieve is to thinly disguise your physical location when you connect to the Internet.

Advanced networking with QubesOS: VPN proxyVM

According to http://theinvisiblethings.blogspot.co.uk/2011/09/playing-with-qubes-networking-for-fun.html we can set up multiple ways for our AppVMs to reach the Internet.

AppVMs can:

  • have direct access to the Internet
  • be forced to go through a Tor proxy, tunnelling all their traffic through the Tor network
  • be forced to go through a VPN proxy, tunnelling all their traffic through the VPN.

The beauty of this setup is that once we have our proxyVMs set up, we don’t need to worry about configuring the AppVMs that use the proxies against network-level data leaks.

Example: setting up a Tor proxyVM and then assigning this as the netvm of 5 different AppVMs will force all network traffic from all 5 AppVMs through the Tor network, with no configuration/awareness in the AppVMs themselves! This setup is covered quite well already in http://qubes-os.org/trac/wiki/UserDoc/TorVM

Creating the setup

Here is how to set up a “workvpn” proxyVM that allows us to tunnel any “work” related AppVMs we have through work’s (in this case Cisco) VPN gateway, as shown here:

[Image: QubesOS advanced network setup]

  1. From Qubes Manager: VM -> Create AppVM
  2. Name: workvpn. Select the ProxyVM radio button and OK.
  3. In a couple of seconds your new VM is created. Go to the “K” menu and fire up a terminal in your new workvpn VM.
  4. Create the file vpn.conf with the following contents, substituting your VPN provider’s values:
    Xauth username xxxxxxxxxxxxxxxxxxx
    IPSec gateway xxxxxxxxxxxxx.xxxxxxx.xxx
    IPSec ID xxxxxxxxxxxxxxxxxx
    IPSec secret xxxxxxxxxxxxxxxxxxxx
  5. Create the file start_vpn.sh with the following contents:
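    #!/bin/bash
    # Connect using the vpnc configuration created in step 4
    sudo /usr/sbin/vpnc /home/user/vpn.conf
    # Give the tunnel a moment to come up
    sleep 2
    # Refresh the Qubes DNS DNAT rules so AppVM DNS queries follow the VPN's resolvers
    sudo /usr/lib/qubes/qubes_setup_dnat_to_ns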
  6. Create the file stop_vpn.sh with the following contents:
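    #!/bin/bash
    # Tear down the vpnc tunnel
    sudo /usr/sbin/vpnc-disconnect
    # Give the disconnect a moment to complete
    sleep 2
    # Refresh the Qubes DNS DNAT rules now that the resolver settings have reverted
    sudo /usr/lib/qubes/qubes_setup_dnat_to_ns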
  7. Make both scripts executable:
    chmod +x *.sh
  8. Now tell your work-related AppVMs to use workvpn as their network VM. To do this, right-click on the AppVMs in Qubes VM Manager and select “VM Settings”. In the “Basic” tab, ensure that “NetVM” is set to “workvpn”.
  9. You’re all set.

Using this setup

When you fire up any of your AppVMs that need to use the VPN, workvpn will automatically start. You will then need to fire up a terminal in workvpn and type:

./start_vpn.sh

(Of course, after the first time you can just hit the “up” arrow and the command will be there for you.)
This will connect you to your work’s VPN and allow all AppVMs that use this as their netvm to seamlessly talk to internal work systems, while leaving the rest of your QubesOS AppVMs unaffected, reaching the Internet either directly or through Tor.
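
A check to run in workvpn after ./start_vpn.sh, added here as an example and not part of the original post: it confirms that the proxyVM's default route goes through the vpnc tunnel, so AppVM traffic is not leaving untunnelled when the VPN is down. It assumes vpnc's tunnel interface is named tun* (tun0 is its default) and that the VPN is not set up for split tunnelling; the function names and sample routing tables are constructed for illustration.

```bash
#!/bin/bash
# Added example: verify that the proxyVM's default route uses the vpnc tunnel.
# Assumption: the vpnc tunnel interface is named tun* (tun0 by default).

# Print the device of every default route found in `ip route` output on stdin.
default_route_devs() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Return 0 only if at least one default route exists and all of them use a
# tun* device; return 1 otherwise (tunnel down, or a route bypassing it).
routes_are_tunnelled() {
    local devs dev
    devs=$(default_route_devs)
    [ -n "$devs" ] || return 1
    for dev in $devs; do
        case "$dev" in
            tun*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample routing tables (not captured from a real system).
SAMPLE_VPN_UP='default dev tun0 scope link
10.137.1.0/24 dev eth0 proto kernel scope link src 10.137.1.5
198.51.100.7 via 10.137.1.1 dev eth0'
SAMPLE_VPN_DOWN='default via 10.137.1.1 dev eth0
10.137.1.0/24 dev eth0 proto kernel scope link src 10.137.1.5'

# Live check against this VM's routing table, when the ip tool is available.
if command -v ip >/dev/null 2>&1; then
    if ip route show | routes_are_tunnelled; then
        echo "OK: default route goes through the VPN tunnel"
    else
        echo "WARNING: default route does not use a tun device" >&2
    fi
fi
```

A WARNING here means AppVMs using workvpn as their netvm are not being sent through the VPN at that moment.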