[qubes-users] How to use pass with split gpg ?

2020-05-23 Thread Christophe
Hi all, 

Does anyone know how to use pass with split gpg ? 

I found this, but I could not get it working.
https://github.com/kulinacs/pass-qubes/blob/master/qubes.bash

I also tried to replace gpg by qubes-gpg-client-wrapper in /usr/bin/pass
but without success, I get an error 

gpg: decrypt_message failed: Unknown system error


Re: [qubes-users] How to check (in BASH and dom0) whether a appVM exists?

2020-05-19 Thread Christophe
qvm-ls|grep yourvmname

On 20/05/19 10:32AM, Johannes Graumann wrote:
> Hello,
> 
> See subject line ;)
> 
> Sincerely, Joh
> 
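
An added example, not part of the thread: `grep` over the `qvm-ls` table matches the name anywhere in a line, including the TEMPLATE and NETVM columns, so a dom0 script that must not act on the wrong qube can compare the first column exactly instead. The sample table and the function names `substring_match`, `exact_match` and `vm_exists` are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. Constructed sample in the shape of the
# default `qvm-ls` table (NAME STATE CLASS LABEL TEMPLATE NETVM).
SAMPLE_TABLE='NAME          STATE    CLASS    LABEL  TEMPLATE   NETVM
dom0          Running  AdminVM  black  -          -
sys-firewall  Running  AppVM    green  fedora-30  sys-net
sys-net       Running  AppVM    red    fedora-30  -
work          Halted   AppVM    blue   fedora-30  sys-firewall
work-old      Halted   AppVM    gray   fedora-30  sys-firewall'

# Substring test, as in `qvm-ls|grep name`: true if NAME occurs anywhere
# in any line (name prefix, template, netvm, state ...).
substring_match() {   # usage: substring_match NAME < qvm-ls-output
    grep -q -- "$1"
}

# Exact test: true only if the first column of some line equals NAME.
# Appending "" forces a string comparison in awk.
exact_match() {       # usage: exact_match NAME < qvm-ls-output
    [ -n "$1" ] || return 2
    awk -v want="$1" '($1 "") == (want "") { found = 1 } END { exit !found }'
}

# dom0 wrapper: `qvm-ls --raw-list` prints one qube name per line, no header.
vm_exists() {         # usage: vm_exists NAME
    qvm-ls --raw-list | exact_match "$1"
}

# Demo on the constructed table: only "sys-firewall" is an existing qube.
for name in sys-firewall fedora wor; do
    printf '%s\n' "$SAMPLE_TABLE" | substring_match "$name" && s=yes || s=no
    printf '%s\n' "$SAMPLE_TABLE" | exact_match "$name" && e=yes || e=no
    printf '%-13s substring=%s exact=%s\n' "$name" "$s" "$e"
done
```

In dom0, `qvm-check NAME` also reports existence through its exit status.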


Re: [qubes-users] Persistent Timezone per Qube

2020-05-18 Thread Christophe
Hello, you can put the command "timedatectl set-timezone Asia/Kolkata"
in /rw/config/rc.local in your appvm; it will overwrite the template's timezone.

On 20/05/18 07:26AM, Logan wrote:
> Hello,
> 
> What is the best way to set a timezone for a particular qube that is
> constantly behind a proxy in a particular timezone?
> 
> I have tried "timedatectl set-timezone Asia/Kolkata", but it isn't
> persistent. I would rather not use NTP if possible. I thought sticking the
> timedatectl
> 
> Thanks,
> Logan
> 


[qubes-users] Re: Android-x86 7.1-r2 with GAPPS installation guide

2020-05-11 Thread christophe . vial . 974
Hi, I'm also trying to build an ISO with gapps. I'm following the updated 
instructions, but I'm stuck at the configure kernel part, I don't 
understand what I am supposed to do in the menuconfig. And I don't know 
where to edit the parameters for XEN and SELINUX. Could someone provide me 
with instructions about what to do?
Thanks

> .
> # Configure kernel:
> /usr/bin/make -C kernel O=$OUT/obj/kernel ARCH=x86_64 menuconfig
>
>
> # You need to edit these parameters:
> XEN=yes
> XEN_BLKDEV_BACKEND=yes
> XEN_BLKDEV_FRONTEND=yes
> XEN_NETDEV_BACKEND=no
> XEN_NETDEV_FRONTEND=no
> SECURITY_SELINUX_BOOTPARAM=yes
> SECURITY_SELINUX_BOOTPARAM_VALUE=1
> SECURITY_SELINUX_DISABLE=yes
> DEFAULT_SECURITY_SELINUX=yes
>
>
> # The kernel config will be in out/target/product/x86_64/obj/kernel/.config
>
> # Also, you can edit the config to set the device type from tablet to 
> phone.
> # Edit device/generic/common/device.mk and change PRODUCT_CHARACTERISTICS 
> from tablet to default:
> PRODUCT_CHARACTERISTICS := default
>
>
> # Start the build:
> make -j$( nproc --all ) iso_img
>
> While the ISO boots and installs and the mouse works fine, the system 
> can't get past the initial Google first run wizard. After clicking the 
> button to set up a new device (vs transferring from an existing phone), the 
> screen turns black, and it doesn't go anywhere. It's still responsive - I 
> can click on the back button, and it will get highlighted as if I had 
> actually clicked it. However, nothing happens.
>
> Thoughts?
>
> On Wednesday, December 18, 2019 at 2:21:19 PM UTC-6, arthur...@gmail.com 
> wrote:
>>
>> So, I managed to get the instructions to work (albeit with a few 
>> modifications - I'll post them when/if I can figure out the GApps issue). 
>> However, I'm having issues whenever I try to include and compile GApps. I 
>> can confirm that Android-x86 will build successfully on its own, but when I 
>> include GApps in my device.mk, I get a lot of these after every GApps 
>> app build:
>>
>> End-of-central-directory signature not found. Either this file is not a 
>> zipfile, or it constitutes one disk of a multi-part archive. In the latter 
>> case the central directory and zipfile comment will be found on the last 
>> disk(s) of this archive.
>>
>>
>> I then get these for each app before it all fails:
>>
>> Unable to open 
>> 'out/target/product/x86_64/obj/APPS/PixelLauncherIcons_intermediates/package.apk'
>>  
>> for verification
>>
>>
>> I've got the complete log, my device.mk, etc, but does anyone know 
>> what's up?
>>
>> On Thursday, December 12, 2019 at 9:20:54 PM UTC-6, arthur...@gmail.com 
>> wrote:
>>>
>>> Are the instructions in the first post edited and updated, or are there 
>>> more recent instructions which should be used? I'm personally interested in 
>>> an image with GApps (I downloaded the nogapps ISO and tried to somehow 
>>> install GApps, but to no avail - I wasn't sure if the image provided up 
>>> near the start of the thread was functional). If there are updated/verified 
>>> instructions that could be provided, that would be awesome!
>>>
>>> On Saturday, April 27, 2019 at 6:29:08 PM UTC-5, alex.j...@gmail.com 
>>> wrote:

>>>> On Saturday, April 27, 2019 at 9:35:19 PM UTC, alex.j...@gmail.com wrote:
>>>> > On Thursday, April 25, 2019 at 10:20:32 PM UTC, Daniil Travnikov wrote:
>>>> > > I am stuck on this process already twice.
>>>> > > 
>>>> > > When I put the command
>>>> > > 
>>>> > > Download sources:
>>>> > > repo sync --no-tags --no-clone-bundle --force-sync -j$( nproc --all )
>>>> > > 
>>>> > > 
>>>> > > and when it show this:
>>>> > > 
>>>> > > 
>>>> > > From git://git.osdn.net/gitroot/android-x86/platform/frameworks/av
>>>> > >  * [new branch]  nougat-x86 -> x86/nougat-x86
>>>> > > Fetching project platform/external/android-clat
>>>> > > remote: Counting objects: 1, done
>>>> > > remote: Finding sources: 100% (793/793)   
>>>> > > remote: Total 793 (delta 244), reused 793 (delta 244)
>>>> > > Receiving objects: 100% (793/793), 517.38 KiB | 0 bytes/s, done.
>>>> > > Resolving deltas: 100% (244/244), done.
>>>> > > From https://android.googlesource.com/platform/external/android-clat
>>>> > >  * [new tag] android-7.1.2_r36 -> android-7.1.2_r36
>>>> > > 
>>>> > > 
>>>> > > I got nothing, I mean it looks like a freeze.
>>>> > 
>>>> > Did you try to remove downloaded repo and sync it again from scratch? 
>>>> > The OpenGAPPS repo changed, see below, maybe it's somehow related.
>>>> > 
>>>> > I'd recommend to build Android 8 release, the mouse works fine there. 
>>>> > Also the Settings bug is fixed if you use userdebug build variant instead 
>>>> > of eng.
>>>> > The guide is the same as in first post except:
>>>> > 
>>>> > Android 8 will take 211GB to build. I've built it with 32GB RAM 
>>>> > without swap, maybe it'll work with less RAM.
>>>> > 
>>>> > repo init -u git://git.osdn.net/gitroot/android-x86/manifest -b oreo-x86 -m 
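
For the "Configure kernel" step quoted earlier in this message, one way to confirm that the menuconfig session left the listed values in the generated `.config` (an added example, not part of the thread). The sample `.config` fragment and the function names are constructed; the `CONFIG_` prefix and the `# ... is not set` form are how these options appear in the file.

```bash
#!/bin/sh
# Added example, not from the thread: compare a kernel .config with the
# values listed in the quoted build instructions.

# Expected settings, copied from the quoted guide (NAME=value).
EXPECTED='XEN=yes
XEN_BLKDEV_BACKEND=yes
XEN_BLKDEV_FRONTEND=yes
XEN_NETDEV_BACKEND=no
XEN_NETDEV_FRONTEND=no
SECURITY_SELINUX_BOOTPARAM=yes
SECURITY_SELINUX_BOOTPARAM_VALUE=1
SECURITY_SELINUX_DISABLE=yes
DEFAULT_SECURITY_SELINUX=yes'

# Print what FILE sets for option NAME: y, m, a literal value, or "unset"
# (covers both a missing line and "# CONFIG_NAME is not set").
config_value() {   # usage: config_value FILE NAME
    line=$(grep -E "^CONFIG_$2=" "$1" | tail -n 1)
    if [ -n "$line" ]; then
        printf '%s\n' "${line#*=}"
    else
        printf 'unset\n'
    fi
}

# Translate the guide's yes/no wording into .config terms.
want_value() {
    case "$1" in
        yes) printf 'y\n' ;;
        no)  printf 'unset\n' ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Print one line per option that differs; return 1 if any option differs.
check_config() {   # usage: check_config FILE
    status=0
    for pair in $EXPECTED; do
        name=${pair%%=*}
        want=$(want_value "${pair#*=}")
        have=$(config_value "$1" "$name")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH CONFIG_%s: have %s, want %s\n' "$name" "$have" "$want"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: a module instead of built-in, a frontend left enabled,
# and SELINUX_DISABLE left unset.
sample_config() {
    cat <<'EOF'
CONFIG_XEN=y
CONFIG_XEN_BLKDEV_FRONTEND=y
CONFIG_XEN_BLKDEV_BACKEND=m
CONFIG_XEN_NETDEV_FRONTEND=y
# CONFIG_XEN_NETDEV_BACKEND is not set
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
EOF
}

# With a path argument, check that file; without one, run on the sample.
if [ "$#" -gt 0 ]; then
    check_config "$1" || echo "config differs from the guide"
else
    tmp=$(mktemp) && sample_config > "$tmp"
    check_config "$tmp" || echo "config differs from the guide"
    rm -f "$tmp"
fi
```

Run it with the path the guide gives for the generated file, `out/target/product/x86_64/obj/kernel/.config`, as the only argument.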

[qubes-users] How to set up a hacking laboratory?

2019-05-21 Thread Christophe
Hello,

I am using Qubes 4.1 on a Librem 13 v2 laptop, and I would like to simulate a 
simple enterprise network so as to play attacks on it.

Below are the VMs that I would like to set up:
-> A Pfsense firewall VM
-> A Windows server 2019 VM (running an Active Directory Domain Controller, a 
DNS and DHCP server)
-> A Squid proxy running on a Debian 9 VM
-> Some Windows machines as regular users

I already did that using VMWare Workstation on Windows (not Qubes OS), but now 
I would like to assess the feasibility of such a project using Qubes OS.

What I tried:

Running VMWare Workstation on a Windows 10 VM on Qubes OS (I am sure this is 
not the best idea I could come up with):
--> I installed Windows 10 in a HVM (there is no Qubes OS integration since QWT 
is unstable on Qubes 4, but it does not matter)
--> I installed VMWare in the Windows10 VM.
--> I downloaded Pfsense ISO file and tried to launch it in VMWare ==> Not 
working because it requires Intel VT-x. 
The reasons why Intel VT-x cannot be used - even though I have it on my Intel 
Core i7-6500U - are:
1. Coreboot does not enable it
2. Even if it would be enabled, I still need Xen to expose it to the Windows VM 
(not sure LibXenLight can do it since the "nestedhvm" feature required [1] does 
not seem to be available in libvirt configuration schemas [2])


The other option remaining is to give up VMWare and try to do the same directly 
on Xen. But here there are 2 points:
1. Will I be able to do the same as with VMWare (e.g. connect devices, have 
many Network Interface Controllers for 1 VM, create LANs / Subnetworks, etc.)?
2. I do not want Qubes OS to interfere with my lab. And it seems, for instance, 
that there is a DHCP server running (since my Windows 10 VM managed to access 
the network even without QWT installed)

So what do you think? How can I get such a lab running on Qubes?

Thanks so far!

[1] https://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen
[2] Schemas file located here in Qubes OS: 
/usr/share/libvirt/schemas/domaincommon.rng



Re: [qubes-users] Driver for usb wifi MT7610U

2019-03-19 Thread 'Christophe' via qubes-users
Hi, yes the error in the VM is about bad usb cable when I use the 4.20 kernel.

[   50.803667] cfg80211: Loading compiled-in X.509 certificates for regulatory 
database
[   50.840384] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   51.761645] usb usb1-port1: Cannot enable. Maybe the USB cable is bad?
[   54.425794] mt76x0u: probe of 1-1:1.0 failed with error -110

It seems that the problem is specific to kernel 4.20 according to this bug report 
https://bugzilla.kernel.org/show_bug.cgi?id=202243

There seems to be a patch, but it's still not clear to me how to apply it. They 
also say it's working fine with 4.19 kernel.

I'm trying to install the 4.19 kernel, but there still seems to be some wrong 
repo config on my system: when I run 'sudo qubes-dom0-update 
kernel-latest-devel-4.19.2-3.pvops.qubes.x86_64' the package is downloaded but 
then it returns an Error : Unable to find a match.

Best regards,

Christophe

On 3/19/19 10:08 AM, Frédéric Pierret wrote:

> Hi,
>
> Sorry for the few trouble you had with the .repo files which has been 
> corrected in recent updates.
>
> Have a look into your VM where you attached your wifi adapter. Does something 
> like 'bad usb cable' appear?
>
> Best,
>
> Frédéric
>
> On 3/18/19 3:32 PM, Christophe wrote:
>
>> Hello, thank you for your help.
>>
>> sudo qubes-dom0-update kernel-latest-qubes-vm, did not find any package, by 
>> running sudo qubes-dom0-update -v I found out something was pointing to some 
>> non existing URL.
>>
>> https://yum.qubes-os.org/r25-5/current/dom0/fc25/repodata/repomd.xml.metalink
>>
>> After some research I did some changes in /etc/yum.repos.d/qubes-dom0.repo, 
>> I replaced all the $releasever by 4.0, I got an important amount of updates 
>> after this and I was finally able to use kernel 4.20.3-1 in my VMs.
>>
>> Unfortunately this still didn't solve my wifi adapter problem. When I now 
>> assign the wifi adapter to a vm with the qvm-usb attach command, it appears 
>> briefly in the lsusb results of the vm, but then just disappears.
>>
>> Best regards,
>>
>> Christophe
>>
>> On 3/17/19 10:15 PM, Frédéric Pierret wrote:
>>
>>> Hi,
>>>
>>> I just googled (https://wireless.wiki.kernel.org/en/users/drivers/mediatek) 
>>> that it seems to be in 4.19+ kernels. From your error, you seem to run 4.14 
>>> kernel in your vm. Or we provide 4.19+ kernels. You need to update your 
>>> dom0 (if it is not done) and change your vm settings to use kernel-4.19.15 
>>> which is the current LTS. We also provide mainline stable kernel by 
>>> installing 'kernel-latest'. So if you are only interested in having more 
>>> updated kernels only in your VM, install the package 
>>> 'kernel-latest-qubes-vm' (in dom0: sudo qubes-dom0-update 
>>> kernel-latest-qubes-vm) and change your vm settings to the more recent one.
>>>
>>> Best regards,
>>>
>>> Frédéric
>>>
>>> On 3/17/19 9:59 PM, 'Christophe Vial' via qubes-users wrote:
>>>
>>>> Hi all, I'm trying to use a usb wifi adapter (TP-Link archer T2U).
>>>>
>>>> the lsusb command returns
>>>>
>>>> Bus 002 Device 002: ID 148f:761a Ralink Technology, Corp. MT7610U
>>>> ("Archer T2U" 2.4G+5G WLAN Adapter
>>>>
>>>> After some research I found the driver to install from
>>>> https://github.com/ulli-kroll/mt7610u
>>>>
>>>> But the make command fails. I tried both in fedora-29 and debian9 vm,
>>>> but in both cases I get the same error :
>>>>
>>>> make ARCH=x86_64 CROSS_COMPILE= -C
>>>> /lib/modules/4.14.74-1.pvops.qubes.x86_64/build M=/home/user/src/mt7610u
>>>> modules
>>>> make[1]: Entering directory
>>>> '/usr/lib/modules/4.14.74-1.pvops.qubes.x86_64/build'
>>>> make[2]: *** No rule to make target
>>>> '/home/user/src/mt7610u/os/linux/rt_profile.o', needed by
>>>> '/home/user/src/mt7610u/mt7610u.o'.  Stop.
>>>> make[1]: *** [Makefile:1527: _module_/home/user/src/mt7610u] Error 2
>>>> make[1]: Leaving directory
>>>> '/usr/lib/modules/4.14.74-1.pvops.qubes.x86_64/build'
>>>> make: *** [Makefile:370: modules] Error 2
>>>>
>>>> Does anyone know how to fix it?
>>>>
>>>> And if not, any recommendations for some usb wifi adapters working out
>>>> of the box ? I still have few days to return this one if I can't get it
>>>> working.
>>>>

Re: [qubes-users] Driver for usb wifi MT7610U

2019-03-18 Thread 'Christophe' via qubes-users
Hello, thank you for your help.

sudo qubes-dom0-update kernel-latest-qubes-vm, did not find any package, by 
running sudo qubes-dom0-update -v I found out something was pointing to some 
non existing URL.

https://yum.qubes-os.org/r25-5/current/dom0/fc25/repodata/repomd.xml.metalink

After some research I did some changes in /etc/yum.repos.d/qubes-dom0.repo, I 
replaced all the $releasever by 4.0, I got an important amount of updates after 
this and I was finally able to use kernel 4.20.3-1 in my VMs.

Unfortunately this still didn't solve my wifi adapter problem. When I now 
assign the wifi adapter to a vm with the qvm-usb attach command, it appears 
briefly in the lsusb results of the vm, but then just disappears.

Best regards,

Christophe

On 3/17/19 10:15 PM, Frédéric Pierret wrote:

> Hi,
>
> I just googled (https://wireless.wiki.kernel.org/en/users/drivers/mediatek) 
> that it seems to be in 4.19+ kernels. From your error, you seem to run 4.14 
> kernel in your vm. Or we provide 4.19+ kernels. You need to update your dom0 
> (if it is not done) and change your vm settings to use kernel-4.19.15 which 
> is the current LTS. We also provide mainline stable kernel by installing 
> 'kernel-latest'. So if you are only interested in having more updated kernels 
> only in your VM, install the package 'kernel-latest-qubes-vm' (in dom0: sudo 
> qubes-dom0-update kernel-latest-qubes-vm) and change your vm settings to the 
> more recent one.
>
> Best regards,
>
> Frédéric
>
> On 3/17/19 9:59 PM, 'Christophe Vial' via qubes-users wrote:
>
>> Hi all, I'm trying to use a usb wifi adapter (TP-Link archer T2U).
>>
>> the lsusb command returns
>>
>> Bus 002 Device 002: ID 148f:761a Ralink Technology, Corp. MT7610U
>> ("Archer T2U" 2.4G+5G WLAN Adapter
>>
>> After some research I found the driver to install from
>> https://github.com/ulli-kroll/mt7610u
>>
>> But the make command fails. I tried both in fedora-29 and debian9 vm,
>> but in both cases I get the same error :
>>
>> make ARCH=x86_64 CROSS_COMPILE= -C
>> /lib/modules/4.14.74-1.pvops.qubes.x86_64/build M=/home/user/src/mt7610u
>> modules
>> make[1]: Entering directory
>> '/usr/lib/modules/4.14.74-1.pvops.qubes.x86_64/build'
>> make[2]: *** No rule to make target
>> '/home/user/src/mt7610u/os/linux/rt_profile.o', needed by
>> '/home/user/src/mt7610u/mt7610u.o'.  Stop.
>> make[1]: *** [Makefile:1527: _module_/home/user/src/mt7610u] Error 2
>> make[1]: Leaving directory
>> '/usr/lib/modules/4.14.74-1.pvops.qubes.x86_64/build'
>> make: *** [Makefile:370: modules] Error 2
>>
>> Does anyone know how to fix it?
>>
>> And if not, any recommendations for some usb wifi adapters working out
>> of the box ? I still have few days to return this one if I can't get it
>> working.
>>


[qubes-users] Driver for usb wifi MT7610U

2019-03-17 Thread 'Christophe Vial' via qubes-users
Hi all, I'm trying to use a usb wifi adapter (TP-Link archer T2U).

the lsusb command returns

Bus 002 Device 002: ID 148f:761a Ralink Technology, Corp. MT7610U
("Archer T2U" 2.4G+5G WLAN Adapter

After some research I found the driver to install from
https://github.com/ulli-kroll/mt7610u

But the make command fails. I tried both in fedora-29 and debian9 vm,
but in both cases I get the same error :

make ARCH=x86_64 CROSS_COMPILE= -C
/lib/modules/4.14.74-1.pvops.qubes.x86_64/build M=/home/user/src/mt7610u
modules
make[1]: Entering directory
'/usr/lib/modules/4.14.74-1.pvops.qubes.x86_64/build'
make[2]: *** No rule to make target
'/home/user/src/mt7610u/os/linux/rt_profile.o', needed by
'/home/user/src/mt7610u/mt7610u.o'.  Stop.
make[1]: *** [Makefile:1527: _module_/home/user/src/mt7610u] Error 2
make[1]: Leaving directory
'/usr/lib/modules/4.14.74-1.pvops.qubes.x86_64/build'
make: *** [Makefile:370: modules] Error 2

Does anyone know how to fix it?

And if not, any recommendations for some usb wifi adapters working out
of the box ? I still have few days to return this one if I can't get it
working.



Re: [qubes-users] VPN qubes preventing some websites from loading properly

2018-11-26 Thread 'Christophe Pfeifer' via qubes-users
‐‐‐ Original Message ‐‐‐
On Sunday, November 25, 2018 11:59 PM, Chris Laprise  wrote:

> On 11/25/2018 04:47 PM, Christophe Pfeifer wrote:
>
> > On Sunday, November 25, 2018 7:43 PM, Chris Laprise tas...@posteo.net wrote:
> >
> > > On 11/25/2018 10:32 AM, 'Christophe Pfeifer' via qubes-users wrote:
> > >
> > > > Hi,
> > > > I followed the tutorial "Set up a ProxyVM as a VPN gateway using
> > > > iptables and CLI scripts" [1], then I subscribed to NordVPN and
> > > > configured OpenVPN over UDP (since my ISP blocks OpenVPN over TCP).
> > > >
> > > > My final architecture is the following:
> > > > AppVM > VPN (ProxyVM) > Firewall VM > Network VM
> > > >
> > > > Firewall VM rules: Deny all but:
> > > > Address   |   Service   |   Protocol
> > > > *       | OpenVPN | UDP
> > > > *       | OpenVPN | TCP
> > > > *       | HTTPS     | TCP
> > > >
> > > > Problem: this is working for mostly all websites I use, except some
> > > > ones, like Protonmail, Facebook, etc. These latter sites are either
> > > > showing first some contents just after logging in, or the logging in is
> > > > impossible, and then loading endlessly.
> > > > It seems like a "Keep-alive connection issue".
> > > >
> > > > Investigation:
> > > >
> > > > 1.  I allowed full access on the firewall for 5 minutes
> > > > 2.  I launched Wireshark on the VPN VM
> > > > 3.  I tried to log in to Protonmail
> > > > Results: (excerpt)
> > > >
> > > >
> > > > -   10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2
> > > >
> > > > -   192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable
> > > > (Fragmentation needed)
> > > >
> > > > -   185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938
> > > > [ACK] Seq=69096 Ack=1868 Win=66 Len=0 SLE=3193 SRE=3194
> > > >
> > > > -   10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 
> > > > 443
> > > > [ACK] Seq=1868 Ack=69096 Win=3261 Len=1325
> > > > [...]
> > > >
> > > > -   10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443 
> > > > [ACK]
> > > > Seq=977 Ack=1262 Win=32640 Len=0
> > > >
> > > >
> > > > Do you know any solution to prevent this from happening? Maybe a
> > > > configuration trick of OpenVPN or of the VPN VM ?
> > >
> > > Did you download the openvpn config from NordVPN or write it yourself?
> > > It's preferable to download it. I see that NordVPN's config includes
> > > 'ping' and 'ping-restart' which is similar to using the 'keepalive' 
> > > option.
> > > The issue with only certain sites not working could indicate that a
> > > third-party service like a CDN has blocked the IP addresses that your
> > > VPN provider is using. I've also seen some services block VPN IPs on
> > > certain servers but not others. I see this occasionally when connecting
> > > through Private Internet Access. The solution rests with the VPN
> > > operators to block abusive network patterns and switch to IPs that
> > > haven't been blacklisted... it's basically a VPN reputation thing.
> > > BTW, you might find Qubes-vpn-support project better to use overall for
> > > VPNs. You can control it as a system service and it uses connection
> > > parameters that keep openvpn operating more smoothly (although for this
> > > particular problem I don't think it would have an effect)...
> > > https://github.com/tasket/Qubes-vpn-support
> > >
> > > Chris Laprise,tas...@posteo.net
> > > https://github.com/tasket
> > > https://twitter.com/ttaskett
> > > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> >
> > I am using NordVPN's config files and now (thanks to your advice) 
> > Qubes-vpn-support.
> > I have compared this with NordVPN's autoconfig script [1] and with another 
> > ISP.
> > Here are some results (for the very same remote VPN server):
> > -With another ISP
> > OpenVPN over UDP
> > Qubes-vpn-support: OK
> > NordVPN script: OK
> > OpenVPN over TCP
> > Qubes-vpn-support: OK
> > NordVPN script: OK
> > -With my ISP over 4G net

Re: [qubes-users] VPN qubes preventing some websites from loading properly

2018-11-25 Thread 'Christophe Pfeifer' via qubes-users
On Sunday, November 25, 2018 7:43 PM, Chris Laprise  wrote:
> On 11/25/2018 10:32 AM, 'Christophe Pfeifer' via qubes-users wrote:
>
> > Hi,
> > I followed the tutorial "Set up a ProxyVM as a VPN gateway using
> > iptables and CLI scripts" [1], then I subscribed to NordVPN and
> > configured OpenVPN over UDP (since my ISP blocks OpenVPN over TCP).
> >
> > -
> >
> > My final architecture is the following:
> > AppVM > VPN (ProxyVM) > Firewall VM > Network VM
> >
> > -
> >
> > Firewall VM rules: Deny all but:
> > Address   |   Service   |   Protocol
> > *       | OpenVPN | UDP
> > *       | OpenVPN | TCP
> > *       | HTTPS     | TCP
> >
> > 
> >
> > Problem: this is working for mostly all websites I use, except some
> > ones, like Protonmail, Facebook, etc. These latter sites are either
> > showing first some contents just after logging in, or the logging in is
> > impossible, and then loading endlessly.
> > It seems like a "Keep-alive connection issue".
> >
> > ---
> >
> > Investigation:
> >
> > 1.  I allowed full access on the firewall for 5 minutes
> > 2.  I launched Wireshark on the VPN VM
> > 3.  I tried to log in to Protonmail
> > Results: (excerpt)
> >
> >
> > -   10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2
> > -   192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable
> > (Fragmentation needed)
> >
> > -   185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938
> > [ACK] Seq=69096 Ack=1868 Win=66 Len=0 SLE=3193 SRE=3194
> >
> > -   10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 443
> > [ACK] Seq=1868 Ack=69096 Win=3261 Len=1325
> > [...]
> >
> > -   10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443 [ACK]
> > Seq=977 Ack=1262 Win=32640 Len=0
> >
> >
> > Do you know any solution to prevent this from happening? Maybe a
> > configuration trick of OpenVPN or of the VPN VM ?
>
> Did you download the openvpn config from NordVPN or write it yourself?
> It's preferable to download it. I see that NordVPN's config includes
> 'ping' and 'ping-restart' which is similar to using the 'keepalive' option.
>
> The issue with only certain sites not working could indicate that a
> third-party service like a CDN has blocked the IP addresses that your
> VPN provider is using. I've also seen some services block VPN IPs on
> certain servers but not others. I see this occasionally when connecting
> through Private Internet Access. The solution rests with the VPN
> operators to block abusive network patterns and switch to IPs that
> haven't been blacklisted... it's basically a VPN reputation thing.
>
> BTW, you might find Qubes-vpn-support project better to use overall for
> VPNs. You can control it as a system service and it uses connection
> parameters that keep openvpn operating more smoothly (although for this
> particular problem I don't think it would have an effect)...
>
> https://github.com/tasket/Qubes-vpn-support
>
> -

[qubes-users] VPN qubes preventing some websites from loading properly

2018-11-25 Thread 'Christophe Pfeifer' via qubes-users
Hi,
I followed the tutorial "Set up a ProxyVM as a VPN gateway using iptables and 
CLI scripts" [1], then I subscribed to NordVPN and configured OpenVPN over UDP 
(since my ISP blocks OpenVPN over TCP).
---
My final architecture is the following:
AppVM > VPN (ProxyVM) > Firewall VM > Network VM
---
Firewall VM rules: Deny all but:
Address   |   Service   |   Protocol
*   | OpenVPN | UDP
*   | OpenVPN | TCP
*   | HTTPS | TCP
---
Problem: this is working for mostly all websites I use, except some ones, like 
Protonmail, Facebook, etc. These latter sites are either showing first some 
contents just after logging in, or the logging in is impossible, and then 
loading endlessly.
It seems like a "Keep-alive connection issue".
---
Investigation:
1) I allowed full access on the firewall for 5 minutes
2) I launched Wireshark on the VPN VM
3) I tried to log in to Protonmail
Results: (excerpt)
- 10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2
- 192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable (Fragmentation 
needed)
- 185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938 [ACK] 
Seq=69096 Ack=1868 Win=66 Len=0 SLE=3193 SRE=3194
- 10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 443 [ACK] 
Seq=1868 Ack=69096 Win=3261 Len=1325
[...]
- 10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443 [ACK] Seq=977 
Ack=1262 Win=32640 Len=0
---
Do you know any solution to prevent this from happening? Maybe a configuration 
trick of OpenVPN or of the VPN VM ?

[1] https://www.qubes-os.org/doc/vpn/

Thanks,
Christophe



Re: [qubes-users] USB-C hub

2018-10-26 Thread 'Christophe Vial' via qubes-users
Thank you very much for your help! Booting with the usb hub connected and then 
assigning the device "usb controller thunderbolt 3 usb controller" to the 
sys-usb vm got everything working.

 Original Message 
On Oct 26, 2018, 13:48, Achim Patzner wrote:

> Am Donnerstag, den 25.10.2018, 19:46 +0000 schrieb 'Christophe Vial' via 
> qubes-users:
>
>> Any workaround for this problem ?
>
> Connect the hub before booting and look at lspci; all my Lenovo systems turn 
> on the required controllers (and only them!) only after something has been 
> connected to the physical port and requested something. In Qubes 3.2 this was 
> annoying because there were sudden appearances of USB (or Thunderbolt) 
> controllers in Dom0 and it seems someone turned off adding busses that appear 
> after booting now (good decision).
>
> Achim
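The check Achim describes (look at lspci with the hub connected at boot), as an added example that is not part of the original thread: it compares two `lspci -nn` listings and reports the USB controllers that exist only when the hub is plugged in, which are the ones that still need to be assigned to sys-usb. The two listings are constructed samples and the function names are hypothetical; the `dom0:BB_DD.F` form is the device naming used by `qvm-pci` in Qubes R4.0.

```shell
#!/bin/sh
# Constructed sample data: `lspci -nn` output from dom0, once after booting
# without the hub and once after booting with the hub connected.
LSPCI_WITHOUT_HUB='00:02.0 VGA compatible controller [0300]: Intel Corporation UHD Graphics 620 [8086:5917] (rev 07)
00:14.0 USB controller [0c03]: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller [8086:9d2f] (rev 21)
00:1f.3 Audio device [0403]: Intel Corporation Sunrise Point-LP HD Audio [8086:9d71] (rev 21)'

LSPCI_WITH_HUB='00:02.0 VGA compatible controller [0300]: Intel Corporation UHD Graphics 620 [8086:5917] (rev 07)
00:14.0 USB controller [0c03]: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller [8086:9d2f] (rev 21)
00:1f.3 Audio device [0403]: Intel Corporation Sunrise Point-LP HD Audio [8086:9d71] (rev 21)
3c:00.0 USB controller [0c03]: Intel Corporation JHL6540 Thunderbolt 3 USB Controller [8086:15d4] (rev 02)'

# Print the bus:device.function address of every PCI function whose
# class code is 0c03 (USB controller), one per line, sorted.
usb_controllers() {
    printf '%s\n' "$1" | awk '/\[0c03\]/ { print $1 }' | sort
}

# Print the USB controllers present in the second listing but not the first,
# i.e. the ones the firmware only exposes once something is connected.
hotplug_only_controllers() {
    {
        usb_controllers "$1" | sed 's/^/B /'
        usb_controllers "$2" | sed 's/^/A /'
    } | awk '$1 == "B" { seen[$2] = 1 } $1 == "A" && !seen[$2] { print $2 }'
}

# Convert an lspci address (3c:00.0) to the qvm-pci device name (dom0:3c_00.0).
qubes_pci_id() {
    echo "dom0:$(printf '%s' "$1" | tr ':' '_')"
}

# Report each controller that only shows up with the hub attached.
for addr in $(hotplug_only_controllers "$LSPCI_WITHOUT_HUB" "$LSPCI_WITH_HUB"); do
    echo "appears only with hub connected: $addr ($(qubes_pci_id "$addr"))"
done
```

On a real system, replace the two sample variables with the output of `lspci -nn` captured in dom0 after each boot.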


[qubes-users] USB-C hub

2018-10-25 Thread 'Christophe Vial' via qubes-users
Hi all,
I'm using Qubes R4.0 on a laptop with just one usb port and 2 usb-c ports. 
Sys-usb vm has been created during installation.
I need to connect 2 external usb disks simultaneously for backup. I can connect 
one to the usb-a port, but impossible to connect the second one via usb-c. I 
tried several usb-c hubs, direct usb-c cable to the disk, nothing works.
The usb hub also cannot read SD cards.
However the usb hub can read older usb devices (old hard drives and flashdisks).
The usb hub works properly on the same laptop running archlinux.
I suspect the problem is related to USB 3.
Any workaround for this problem?
Thank you for help.



Re: [qubes-users] how to switch Background Dom0 Qubes 4.0

2018-10-16 Thread 'Christophe Vial' via qubes-users
Not really a good idea to attach or copy anything to Dom0.
The safest way is probably to take a screenshot of the picture you want to use 
as wallpaper since screenshots end up in Dom0.

-------- Original Message --------
On Oct 16, 2018, 01:04, Steve Coleman wrote:

> On 10/15/18 6:45 PM, English USA wrote:
>> how can I change the screen background of the official Qubes OS 4.?
>
> Right click on the desktop and from the menu select "Desktop Settings"
>
>> Please help me, I am new to the IT world. maybe someone knows how to
>> copy in Qubes 4 directly to Dom0 or connect the USB stick directly to
>> Dom0? ask for instructions with a detailed explanation. Thank you in
>> advance !;)
>
> To mount a USB stick in dom0, insert the USB stick, and then open up
> nautilus in Dom0 (Menu/System Tools/Files) and look on the left pane for
> your USB stick. If you do not see a label for it there, the stick may be
> formatted in exFat format which may need some extra drivers in dom0 in
> order to read it.
>
> Be very cautious what you allow to attach to or run in dom0.


Re: [qubes-users] Update/Removal

2018-10-10 Thread 'Christophe Vial' via qubes-users
You may still have fedora 26 set as default template VM in general qubes 
settings. That could be a reason why you can't remove it.

-------- Original Message --------
On Oct 11, 2018, 07:05, wrote:

> I used the qubes R3 with no problem, everything worked out of the box and it 
> was nice (I just wanted to say that).
>
> Now here's the problem, qubes R4 iso file is not up to date and I have no 
> clue why the team doesn't take the time to update it, rather than force every 
> new person to install a version that needs to be fully updated from 
> fedora/debian to the new whonix 14 (wouldn't it be easy to provide an iso 
> that is updated with debian/fedora/whonix).
>
> So I followed everything step by step on how to update the fedora 26 to 27 
> and to update whonix to whonix 14 and by all means everything is working 
> perfectly except one problem (my old fedora 26 and old whonix are still 
> there and I am not able to remove them by any means). I really tried 
> everything and read other people's problems.
>
> Will the Qubes team update the R4 iso with the new fedora/debian/whonix? As 
> I love qubes.
>
> Am using a thinkpad x220
>
> Thank you