Re: [qubes-users] The VPN avalibel in Qubes
Hello Chris,

On Sat, 17 Aug 2019 at 04:35, 799 wrote:
> Chris Laprise wrote on Tue, 13 Aug 2019, 23:10:
>
>> (...)
>> The easiest & most comprehensive/secure VPN config for Qubes is here:
>>
>> https://github.com/tasket/Qubes-vpn-support
>> [...]
>>
>

I thought about a way to simplify the installation of your VPN-Script & the deployment of a VPN-Proxy VPN even further. My Qubes-Installation & configuration is all done by scripts which I start from dom0; this allows me to rebuild my complete Qubes system without much work.

I have written a scripted install, which is building a VPN-ProxyVM based on my own sys-template for sys-net / sys-usb / sys-firewall (which is itself based on a fedora-29-minimal template). All steps to build the vpn-proxy VPN, including configuration for privateinternetaccess.com, are done through the script. Only one step has to be done manually: adding vpn-handler-openvpn to the Qubes Setting / Services Tab.

QUESTION: I know that this can also be done via dom0 CLI, but I am missing the right command. Can someone help?

[799]

PS: This is the script, which will build the VPN-ProxyVM. (Hint: I like to keep my templates small and therefore packages which I only need during setup will be installed in the AppVM (and be lost on reboot). In this case git/unzip/wget are only used to set up everything - they're not needed for running the ProxyVPN):

start
Template=t-fedora-29-sys
AppVM=sys-vpn2

qvm-create --template=$Template --label=blue $AppVM
qvm-prefs --set $AppVM provides_network True

qvm-run --auto --pass-io --no-gui --user root $AppVM \
  'dnf install -y git wget unzip && \
  mkdir -p /rw/config/vpn && \
  cd /root && \
  git clone https://github.com/tasket/Qubes-vpn-support.git && \
  cd Qubes-vpn-support && \
  bash ./install'

# Link to your favorite VPN-Entry Point here; I'm using Switzerland.
# (This comment sits outside the quoted command: its apostrophe would
# otherwise end the single-quoted string.)
qvm-run --auto --pass-io --no-gui --user root $AppVM \
  'cd /rw/config/vpn && \
  wget https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip && \
  unzip openvpn-ip.zip && \
  ln -s Switzerland.ovpn vpn-client.conf'

qvm-shutdown --wait $AppVM

# MANUAL step (at the moment):
# Add "vpn-handler-openvpn" to the Settings > Services Tab

qvm-start $AppVM
end

As mentioned above, the AppVM is based on my own sys-template named t-fedora-29-minimal. If you want to rebuild, this is how you build this template from dom0. (It can be used for sys-net / sys-firewall / sys-usb):

start
template=fedora-29-minimal
systemplate=t-fedora-29-sys

# remove old template
qvm-kill $systemplate
qvm-remove -f $systemplate

# clone template
qvm-clone $template $systemplate

# update template
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf update -y'

# install a missing package for fedora-29-minimal
# without it, gui-apps will not start
# not needed in the latest fedora-29-minimal template (after april 2019)
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf install -y e2fsprogs'

# Install required packages for Sys-VMs
# Hint: you might need to add your own wifi-firmware-drivers here instead of iwl6000g2a...
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install qubes-core-agent-qrexec qubes-core-agent-systemd \
  qubes-core-agent-networking polkit qubes-core-agent-network-manager \
  notification-daemon qubes-core-agent-dom0-updates qubes-usb-proxy \
  iwl6000g2a-firmware qubes-input-proxy-sender iproute iputils \
  NetworkManager-openvpn NetworkManager-openvpn-gnome \
  NetworkManager-wwan NetworkManager-wifi network-manager-applet'

# Optional packages you might want to install in the sys-template:
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install nano less pciutils xclip'

# Set new template as template for sys-vms
qvm-shutdown --all --wait --timeout 120
qvm-prefs --set sys-usb template $systemplate
qvm-prefs --set sys-net template $systemplate
qvm-prefs --set sys-firewall template $systemplate
end

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sbWbACK0jddxgBGibRRPLzXO57ZLursddDs-bFYA7W8w%40mail.gmail.com.
[qubes-users] Re: best and less expensive Lenovo think pad
Anything with an i-series chip should work. G50. <$299. Pay $35 for a Crucial mem card, pop out, drop it in the slot. If you can run off an internal/external SSD so much the better works either way.

On Monday, August 12, 2019 at 12:26:15 AM UTC-7, 27casa...@gmail.com wrote:
>
> What is the best and less expensive Lenovo think pad for new Qube?
[qubes-users] Re: using static dispVM for sys-net
On 8/10/19 5:28 AM, 'awokd' via qubes-users wrote:
> 799:
>
>> What would be the better choice regarding attack surface:
>> disposable netvm+firewallvm vs. mirage-firewall?
>
> You still need a netvm with Mirage, but smallest attack surface alone is
> disposable netvm + Mirage. "Disposable" doesn't increase or decrease
> attack surface, though. It helps against persistence- if something
> managed to compromise sys-net's rw area, it would be gone next reboot.
>
>> If I understand it right the mirage firewall has no/less option to be
>> compromised.
>> I am using the mirage fw and are only using a fedora-30-minimal based
>> sys-firewall to get dom0-updates, which can't be done via the mirage
>> firewall.
>>
>> But I'll also change this firewall to a static disposable FW.
>
> If you're using Mirage for a firewall, you don't need that fedora-30
> sys-firewall inline any more. That might be what you have already done.
> You could create a sys-update and place it anywhere behind Mirage firewall.
>
>> Question:
>> Afaik the problem when using a static disposable sys-net VM is, that I need
>> to enter my Wifi Credentials each time, as the VM will be unable to
>> remember them.
>> Is there any way tweaking this behaviour?
>
> Put them in the custom DVM template you base the disposable sys-net
> from:
> https://www.mail-archive.com/qubes-users-/jypxa39uh5tlh3mboc...@public.gmane.org/msg26895.html.
>

Sorry, how is this done? I don't really follow along with the URL link how to store the wifi credentials in custom-dvm-template?

regards
[qubes-users] Re: What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?
The process is to verify the Qubes ISO signature is correct, and not to trust a SHA256 checksum posted on the same website hosting the file. The hash only confirms the integrity and not the validity of the file (which may be infected). It's a security theater exercise we're used to doing elsewhere in order to provide us with the warm fuzzy feeling of a false sense of security.

Instructions here on how to verify the latest Qubes ISO is legitimate: https://www.qubes-os.org/security/verifying-signatures/
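One way to script the signature check described above, as an added example that is not part of the original post or of the Qubes instructions: it accepts an ISO only when gpg's status output shows a valid signature from one pinned key, so a good signature from any other key in the keyring is rejected along with a tampered file. PINNED_FPR, OTHER_FPR, the function names and the three status transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder: replace it with the
# fingerprint of the release signing key you authenticated by following the
# project's verification instructions.
PINNED_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
OTHER_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"   # constructed, some other key

# status_ok FPR: reads `gpg --status-fd` output on stdin. Succeeds only when
# a VALIDSIG line names FPR (as the signing key or as its primary key) and no
# bad, erroneous, expired-key or revoked-key signature was reported.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { good = 1 }
        END { exit((good && !bad) ? 0 : 1) }
    '
}

# verify_iso ISO SIG: run gpg on a detached signature and judge its status lines.
verify_iso() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok "$PINNED_FPR"
}

# Constructed status transcripts (not captured from a real run):
# 1) valid signature from the pinned key
SAMPLE_PINNED="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Release Key
[GNUPG:] VALIDSIG $PINNED_FPR 2019-01-05 1546700000 0 4 0 1 10 00 $PINNED_FPR"
# 2) valid signature, but made by a different key that is also in the keyring
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Some Other Key
[GNUPG:] VALIDSIG $OTHER_FPR 2019-01-05 1546700000 0 4 0 1 10 00 $OTHER_FPR"
# 3) file contents do not match the signature
SAMPLE_TAMPERED="[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Release Key"

# classify TRANSCRIPT: prints "accept" or "reject" for a status transcript.
classify() {
    if printf '%s\n' "$1" | status_ok "$PINNED_FPR"; then
        echo accept
    else
        echo reject
    fi
}

if [ "$#" -eq 2 ]; then
    # Real use: ./script Qubes.iso Qubes.iso.asc
    verify_iso "$1" "$2" && echo "signature by pinned key: OK"
else
    # No arguments: walk through the constructed transcripts.
    for s in "$SAMPLE_PINNED" "$SAMPLE_OTHER_KEY" "$SAMPLE_TAMPERED"; do
        classify "$s"
    done
fi
```

A matching SHA-256 value published next to the download would pass in all three cases if the file and the published hash were replaced together; only the first transcript is accepted here.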
[qubes-users] Re: How do I create a Qubes USB Installer within Qubes OS (if it's possible)?
1. Download and verify the latest Qubes iso in your AppVM: https://github.com/tasket/Qubes-vpn-support
2. Plug in your USB flash drive, mount it to your AppVM https://www.qubes-os.org/doc/usb-devices/
3. Flash the ISO to the USB using standard Linux command line instruction

This should be a dd command no different than Mint, if not search for instructions for flashing an image to USB in Fedora or Debian, depending on the AppVM that you're using, defaults are Fedora

On Friday, August 16, 2019 at 10:51:11 AM UTC-4, O K wrote:
>
> Mint lets you do it, but not sure about Qubes.
>
Re: [qubes-users] Which qube is most secure for internet use?
China changes everything, as 799 hinted at thinking about what threats you're concerned about. For "they certainly won't be after me" as a foreigner in China I just used my home internet with a VPN and skipped Whonix. If I was going to get in trouble/deported, it wouldn't have anything to do with my computer's privacy/security. It would be because I posted something critical on Facebook, or some operational security mistake like a critical blog/forum post using the same pseudonym I registered someplace else with my real name and email.

In China, using Whonix out of the box and accessing Tor is a bad idea and is dangerous for your personal security. Entry node IPs are public and they will know. Both Tor and VPNs are quasi-illegal, but there's a difference. Tor screams out that you're a dissident or criminal. VPNs instead suggest you're streaming Netflix or looking at pictures of cats on Facebook. A VPN might land a local Tibetan/Muslim in prison, but nothing happens to foreigners using a VPN (which is everyone, and they're not going to deport everyone).

For "most secure" in China, I would put a VPN VM behind sys-net, and then use Qubes settings to attach whonix-gw behind the VPN and use whonix-ws for browsing (https://www.qubes-os.org/doc/vpn/). For China, NordVPN supposedly works best, but I've never had issues there using ExpressVPN. For the paranoid, consider for a moment that China blocks other VPNs but not these two...

So, you just connect the whonix-gw through the VPN and now you have reasonable Qubes security and reasonable privacy from the whonix-ws. Whonix uses Tor, and preventing identification of your true IP/MAC/host DNS/hardware is the purpose of Whonix using a gateway (GW) and a workstation (WS). Using Whonix on Qubes alleviates some of the pitfalls of your hardware concerns, identified here: https://www.whonix.org/wiki/Host_Security

For public Wi-Fi, your card's MAC accessing a VPN would still be seen. Scrambling your Wi-Fi card's MAC address using macchanger is easy to screw up and some cards don't play nice. Pretty useless anyway; a cafe in China is going to have at least two cameras on you inside, and the streets are covered in cities, so a directional antenna only brings attention to yourself. Just be mindful of what's recording your screen.
[qubes-users] Re: best and less expensive Lenovo think pad
There's some guy on YouTube, "Wolfgang's Channel", claiming that the X230 is better than the X220 when it comes to installing coreboot, for the very reason that it comes with two chips. I don't know, anyway. Anyway, it's cool how easy and inexpensive it is to get up to 16 RAM on both models! Cost close to nothing. My old setup had 8 RAM and couldn't handle more than 4 VMs or something like that.
[qubes-users] Re: best and less expensive Lenovo think pad
There's some guy on YouTube, "Wolfgang's Channel", claiming that there's an advantage to having two chips. I don't know, anyway. Anyway, it's cool how easy and inexpensive it is to get up to 16 RAM on both models.
[qubes-users] Re: best and less expensive Lenovo think pad
x220 better than x230.

1. x220 is the easiest laptop for flashing coreboot and disassembling. x230 has two SPI chips; all you need is a ch341a and clip toolchain. 5-7 minutes and the job is done.
2. Nude old x220 price on eBay ~ 100 dollars.
3. You can upgrade your x220 laptop to 2k display, i7hq, 16gb ram, 2TB ssd, atheros wwan 3g card, 9 cell battery 44+, 7-row IBM classical keyboard and external gpu AMD or NVIDIA Titan +, usb external WIFI antenna (kali-linux template). ~ + 1000 dollars
4. Platinum status for all Linux distros' hardware compatibility
Re: [qubes-users] best and less expensive Lenovo think pad
Hi again. I tried to install Qubes 4 on an HP EliteBook 2170 some time ago, and got this message: HVM/VT-x/AMD-V.. Interupt Remapping. Do you know what it refers to? Perhaps it can be fixed in the BIOS? The 2170 is even smaller than the X230. It might lack other features, though. If it even works.

By the way, I just got some first-hand experience concerning why it's a good idea to install coreboot: when trying to enter the BIOS on the 2170, a password verification shows up! I don't think this is there by default. So I guess someone at some point altered the BIOS. After considering it, I think everyone should get coreboot. It's not that unlikely that someone at some point could have put some kind of program in there. After all, it's an old computer with many users, and also a prime computer for both people that know how to infect a BIOS and people concerned about their privacy. So watch out! But then again, I guess you would have to trust the people behind coreboot. Catch-22. Or is it?
[qubes-users] Enabling Apparmor in Debian-10 Fedora-30 Templates
Is it recommended to enable AppArmor in TemplateVMs? I note from the Whonix docs that this can be achieved in dom0 using:

qvm-prefs -s templatename kernelopts "nopat apparmor=1 security=apparmor"
[qubes-users] HCL - Lenovo Thinkpad X250
Hi,

I successfully did the installation, but had to tweak the xen.cfg file. I also made a simple installation report here; maybe novice users might find it helpful.

https://cruel.hatenablog.com/entry/2019/08/17/155955

Best

Attachments: Qubes-HCL-LENOVO-20CMA008JP-20190817-164720.cpio.gz, Qubes-HCL-LENOVO-20CMA008JP-20190817-164720.yml