Re: [qubes-users] Best practice VPN in Qubes

2023-05-13 Thread 'taran1s' via qubes-users




Demi Marie Obenour:

On Sat, May 13, 2023 at 10:57:00AM +, Qubes OS Users Mailing List wrote:

Andrew David Wong:

On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:

If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix 
it doesn't connect to internet. If one uses Debian or Fedora based AppVM and 
runs vanilla Firefox, it works like a breeze.

Any ideas how to solve this?



I think that's by design. Whonix does that to protect you from accidentally 
compromising your own privacy.




The answer below was meant for you, David. I misidentified Patrick as the 
author of the answer.





Thank you for the answer Patrick. It is possible. The question is how does
one use VPN over Tor in this case with Torbrowser that doesn't compromise
the privacy (see the use case below please).
The use case is to connect to a service like Twitter that is not Tor
friendly from a static non-tor IP address (VPN), but at the same time hide
my real IP address from the VPN provider by using Tor before I connect to
the VPN.



Some services, like Twitter, even if they have an onion site, keep forcing me to
reset password periodically, reminding me that there is a suspicious
behavior (just by connecting from Tor, not even posting anything) in an
endless loop.



I would like to use the anon-whonix-twitter AppVM Torbrowser specifically
for connection to that particular account only and nothing else, no other
apps or even websites ever used in that anon-whonix-twitter AppVM.



Do you have any advice how to enable Torbrowser in the anon-whonix-twitter
to work in the VPN over Tor scenario?


I would use the onion service and deal with the Twitter-side brokenness.



So you would propose to drop the VPN entirely from the equation, use 
twitter's onion service and just use normal sys-whonix networking in the 
anon-whonix-twitter AppVM.


The issue I face is not much of a laziness to deal with the annoyance 
but with the requests for additional, looped identity checks like sms (I 
can deal with that from time to time, but not always), continuous 
password changes and similar craziness. They want to "protect me", omg. 
I have set the 2FA but still the same.


Funny part is that one even doesn't need to have any activity on the 
account that could be suspicious, because there is no activity at all. 
The issue is purely the fact of connection through their own onion 
service. Which would be funny if it wasn't sad.


Are there any significant drawbacks to using Torbrowser in the VPN over 
Tor scenario? Just in case they lock me out or something, for my 
protection of course.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e18aa56b-8ffe-b14d-e3df-9efec275d6f3%40mailbox.org.


Re: [qubes-users] Best practice VPN in Qubes

2023-05-13 Thread 'taran1s' via qubes-users




Andrew David Wong:

On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:

If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix 
it doesn't connect to internet. If one uses Debian or Fedora based AppVM and 
runs vanilla Firefox, it works like a breeze.

Any ideas how to solve this?



I think that's by design. Whonix does that to protect you from accidentally 
compromising your own privacy.



Thank you for the answer Patrick. It is possible. The question is how 
does one use VPN over Tor in this case with Torbrowser that doesn't 
compromise the privacy (see the use case below please).


The use case is to connect to a service like Twitter that is not Tor 
friendly from a static non-tor IP address (VPN), but at the same time 
hide my real IP address from the VPN provider by using Tor before I 
connect to the VPN.


Some services, like Twitter, even if they have an onion site, keep forcing me 
to reset password periodically, reminding me that there is a suspicious 
behavior (just by connecting from Tor, not even posting anything) in an 
endless loop.


I would like to use the anon-whonix-twitter AppVM Torbrowser 
specifically for connection to that particular account only and nothing 
else, no other apps or even websites ever used in that 
anon-whonix-twitter AppVM.


Do you have any advice how to enable Torbrowser in the 
anon-whonix-twitter to work in the VPN over Tor scenario?





Re: [qubes-users] Best practice VPN in Qubes

2023-05-12 Thread 'taran1s' via qubes-users
I managed to get the tasket guide running even for VPN over Tor. The only 
issue I didn't solve is that it is not working with Torbrowser in 
anon-whonix AppVM.


If anon-whonix AppVM is set to use mullvad-VPN that is connected to 
sys-whonix it doesn't connect to internet. If one uses Debian or Fedora 
based AppVM and runs vanilla Firefox, it works like a breeze.


Any ideas how to solve this?

Leo28C:

I followed this guide: https://micahflee.com/2019/11/using-mullvad-in-qubes/
(works with others too not just Mullvad)

On Wed, May 10, 2023 at 9:51 AM 'taran1s' via qubes-users <
qubes-users@googlegroups.com> wrote:


Hi,

What is the best practice for setting up a VPN proxy in Qubes these days
(for Mullvad, VPN over Tor)?

I found two versions for setup of VPN proxy in Qubes:

The first one is from tasket called Qubes-vpn-support. The last version
is dated Dec 2020: https://github.com/tasket/Qubes-vpn-support/tree/v1.4.4

Second one is directly from Mullvad dated March 6th 2023 and so it seems
more fresh.
https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/

I plan to use VPN over Tor with Mullvad. Which guide would you recommend
to use for this case and why?

Thank you a ton!






--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] Best practice VPN in Qubes

2023-05-10 Thread 'taran1s' via qubes-users

Hi,

What is the best practice for setting up a VPN proxy in Qubes these days 
(for Mullvad, VPN over Tor)?


I found two versions for setup of VPN proxy in Qubes:

The first one is from tasket called Qubes-vpn-support. The last version 
is dated Dec 2020: https://github.com/tasket/Qubes-vpn-support/tree/v1.4.4


Second one is directly from Mullvad dated March 6th 2023 and so it seems 
more fresh.

https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/

I plan to use VPN over Tor with Mullvad. Which guide would you recommend 
to use for this case and why?


Thank you a ton!



[qubes-users] Dark theme in Dom

2023-03-19 Thread 'taran1s' via qubes-users
Hello everyone, I am trying to set up the dark theme in dom0. All 
working well but at the end it doesn't work. There are some errors 
popping up and I think this is the issue but dunno how to solve that.


[xxx@dom0 ~]$ sudo qubes-dom0-update qt5-qtstyleplugins
Using sys-whonix-update as UpdateVM to download updates for Dom0; this 
may take some time...
Qubes OS Repository for Dom00.0  B/s |   0  B 
00:00

Errors during downloading metadata for repository 'qubes-dom0-cached':
  - Curl error (37): Couldn't read a file:// file for 
file:///var/lib/qubes/updates/repodata/repomd.xml [Couldn't open file 
/var/lib/qubes/updates/repodata/repomd.xml]
Error: Failed to download metadata for repo 'qubes-dom0-cached': Cannot 
download repomd.xml: Cannot download repodata/repomd.xml: All mirrors 
were tried

Ignoring repositories: qubes-dom0-cached
Package qt5-qtstyleplugins-5.0.0-39.fc32.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

[guruji@dom0 ~]$ export QT_QPA_PLATFORMTHEME=gtk2 /etc/environment
bash: export: `/etc/environment': not a valid identifier

#Due to error above I did it manually:
sudo nano /etc/environment  ## added QT_QPA_PLATFORMTHEME=gtk2

[xxx@dom0 ~]$ cat /etc/environment
QT_QPA_PLATFORMTHEME=gtk2

[xxx@dom0 ~]$ echo $QT_QPA_PLATFORMTHEME
gtk2

[xxx@dom0 ~]$ sudo dnf info qt5-qtstyleplugins
Qubes OS Repository for Dom00.0  B/s |   0  B 
00:00

Errors during downloading metadata for repository 'qubes-dom0-cached':
  - Curl error (37): Couldn't read a file:// file for 
file:///var/lib/qubes/updates/repodata/repomd.xml [Couldn't open file 
/var/lib/qubes/updates/repodata/repomd.xml]
Error: Failed to download metadata for repo 'qubes-dom0-cached': Cannot 
download repomd.xml: Cannot download repodata/repomd.xml: All mirrors 
were tried

Ignoring repositories: qubes-dom0-cached
Installed Packages
Name : qt5-qtstyleplugins
Version  : 5.0.0
Release  : 39.fc32
Architecture : x86_64
Size : 1.2 M
Source   : qt5-qtstyleplugins-5.0.0-39.fc32.src.rpm
Repository   : @System
From repo: qubes-dom0-cached
Summary  : Classic Qt widget styles
URL  : https://github.com/qtproject/qtstyleplugins
License  : LGPLv2 or GPLv2
Description  : Classic Qt widget styles, including cleanlooks, motif, 
plastique,

 : qgtk.

Any ideas?



[qubes-users] Audioconference and screen sharing in Torbrowser

2023-02-17 Thread 'taran1s' via qubes-users



Hello everyone, I would like to ask how to use audio conference in a 
Torbrowser in Whonix anon-whonix in Qubes. I need to make some live 
presentation with a team, through audio and screen sharing.


I tried to use microphone, connected it with the anon-whonix AppVM, but 
Torbrowser doesn't see it. Can anyone help me with the setup?


Thank you.



Re: [qubes-users] Qubes Manager not honoring colour scheme selection

2022-07-25 Thread 'taran1s' via qubes-users

I tried this but didn't succeed.

sudo qubes-dom0-update qt5-qtstyleplugins
sudo qubes-dom0-update
export QT_QPA_PLATFORMTHEME=gtk2

cat /etc/environment QT_QPA_PLATFORMTHEME=gtk2
cat: 'QT_QPA_PLATFORMTHEME=gtk2': No such file or directory

Qube Manager is still white ^^. Any ideas?


TheGardner:
> Thanks very much Demi Marie.
> Then this should be the correct way:
>
> Source & Info: https://github.com/QubesOS/qubes-issues/issues/7389
>
>
> Install the package qt5-qtstyleplugins with:
>
> sudo qubes-dom0-update qt5-qtstyleplugins
>
> then insert in /etc/environment:
>
> -[Start]-
> QT_QPA_PLATFORMTHEME=gtk2
> -[End]---
>
> in dom0 terminal do:
>
> export QT_QPA_PLATFORMTHEME=gtk2
>
> ---
>
> finally you can check, if all changes were set & working:
>
> [TheGardner@dom0]$ cat /etc/environment
> QT_QPA_PLATFORMTHEME=gtk2
>
> [TheGardner@dom0]$ echo $QT_QPA_PLATFORMTHEME
> gtk2
>
> [TheGardner@dom0]$ sudo dnf info qt5-qtstyleplugins
> Qubes OS Repository for Dom0
>1.9 MB/s | 3.0 kB 00:00
> Installed Packages
> Name : qt5-qtstyleplugins
> Version  : 5.0.0
> Release  : 39.fc32
> Architecture : x86_64
> Size : 1.2 M
> Source   : qt5-qtstyleplugins-5.0.0-39.fc32.src.rpm
> Repository   : @System
>   From repo: qubes-dom0-cached
> Summary  : Classic Qt widget styles
> URL  : https://github.com/qtproject/qtstyleplugins
> License  : LGPLv2 or GPLv2
> Description  : Classic Qt widget styles, including cleanlooks, motif,
> plastique, qgtk.
>
> Demi Marie Obenour wrote on Saturday, 23 July 2022 at 04:07:18 UTC+2:
>

On Fri, Jul 22, 2022 at 05:45:13PM -0700, TheGardner wrote:

Great! It's working now with the following steps in dom0 terminal:

Download qt5-qtstyleplugins RPM file from:



https://kojipkgs.fedoraproject.org//packages/qt5-qtstyleplugins/5.0.0/39.fc32/x86_64/qt5-qtstyleplugins-5.0.0-39.fc32.x86_64.rpm


Move it from your AppVM to dom0 with:

qvm-run --pass-io  'cat /home/user/Download/qt5-qtstyleplugins-5.0.0-39.fc32.x86_64.rpm' > /home//Downloads/qt5-qtstyleplugins-5.0.0-39.fc32.x86_64.rpm


Install the package with:

sudo dnf install -y qt5-qtstyleplugins-5.0.0-39.fc32.x86_64.rpm


This is not safe. You can do:

sudo qubes-dom0-update qt5-qtstyleplugins

and it will work as with any other package.

That reminds me: Marek, should we set repo_gpgcheck=1 and/or
%_pkgverify_level all in dom0, to protect against mistakes like this?


--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



Re: [qubes-users] Re: Qubes 4.1 qrexec issue?

2022-03-21 Thread 'taran1s' via qubes-users




Demi Marie Obenour:

On Wed, Mar 16, 2022 at 10:02:41AM +, 'taran1s' via qubes-users wrote:



unman:

On Wed, Mar 09, 2022 at 11:20:53AM +, 'taran1s' via qubes-users wrote:



taran1s:

I have an issue with Split GPG as well as with opening files in the
disposable VMs and with the qrexec in the guide How to use Monero
CLI/daemon with Qubes + Whonix too.

https://www.getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html


Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation
Execution with Target GPG backend.

Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within
the normal AppVM, I get an error popup like:

Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!


Is this mailing list still active or one needs to better go to a different
place?



Still active, but the Forum has more traffic, although it's often low
grade and noisy.

On your questions,  the first looks like a Whonix issue - Patrick has
asked that Qubes-Whonix questions be put in the Whonix forums, where
they will get better oversight.
The second looks like permissions - look in the policy file at
/etc/qubes-rpc/policy/qubes.PdfConvert



The /etc/qubes-rpc/policy/qubes.PdfConvert has allowed anyvm to run
PdfConvert
$anyvm $dispvm allow


What do the files under “/etc/qubes/policy.d” contain?  R4.1 has a new
policy syntax and the files are located in a different directory.  That
could easily cause denials.



Dear Demi-Marie, thank you for your reaction. Patrick on whonix forum 
mentioned that this is an issue (the communication in between qubes) 
with the Qubes qrexec rules, not whonix specific.


To your question regarding the files under /etc/qubes/policy.d: the 
Qubes 4.1 is a fresh installation and I didn't make any changes except 
the Split Gpg and the Monero guide here 
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Monero_Wallet_Isolation


I believe that there are no changes whatsoever in the files under 
/etc/qubes/policy.d and should be in default vanilla state.


Thank you in advance for your support!
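
The reply quoted above names the two policy locations and says the R4.1 syntax differs from the legacy one. As an added example (not code from this thread or from the Qubes project), the script below rewrites a legacy per-service file, such as the `$anyvm $dispvm allow` line quoted for qubes.PdfConvert, into the one-rule-per-line R4.1 form. Assumptions: the R4.1 field order (service, argument, source, target, action) and the `$` to `@` keyword spelling come from the Qubes policy documentation rather than from the thread, and the `gpg-backend` qube name and the qubes.Gpg sample are constructed.

```python
# Added example: rewrite a legacy per-service qrexec policy file in the
# R4.1 form. Field order and the '$' -> '@' keyword spelling follow the
# Qubes policy documentation (an assumption here; the thread itself only
# says that the syntax and the directory changed).

LEGACY_DIR = "/etc/qubes-rpc/policy"   # legacy location, named in the thread
NEW_DIR = "/etc/qubes/policy.d"        # R4.1 location, named in the thread

ACTIONS = ("allow", "deny", "ask")


def _keyword(token):
    """Legacy files write keywords as $anyvm; the new format writes @anyvm."""
    return "@" + token[1:] if token.startswith("$") else token


def convert_legacy_policy(filename, text):
    """Return R4.1-style rule lines for one legacy policy file.

    filename: legacy file name, e.g. 'qubes.PdfConvert' or 'service+argument'.
    text:     file contents, one 'source target action[,param=value]' per line.
    """
    service, plus, arg = filename.partition("+")
    argument = "+" + arg if plus else "*"   # '*' means any argument
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(
                f"{filename}:{lineno}: expected 'source target action'")
        source, target = _keyword(fields[0]), _keyword(fields[1])
        # Legacy syntax joins the action and its parameters with commas.
        parts = [p for p in ",".join(fields[2:]).split(",") if p]
        if not parts or parts[0] not in ACTIONS:
            raise ValueError(f"{filename}:{lineno}: unknown action in {line!r}")
        action, params = parts[0], parts[1:]
        converted = []
        for param in params:
            key, eq, value = param.partition("=")
            if not eq or not value:
                raise ValueError(
                    f"{filename}:{lineno}: bad parameter {param!r}")
            converted.append(f"{key}={_keyword(value)}")
        rules.append(" ".join(
            [service, argument, source, target, action, *converted]))
    return rules


# Constructed sample input. Only the qubes.PdfConvert line is from the thread.
SAMPLES = {
    "qubes.PdfConvert": "$anyvm $dispvm allow\n",
    "qubes.Gpg": (
        "# constructed Split GPG rule\n"
        "work-email gpg-backend ask,default_target=gpg-backend\n"
        "$anyvm $anyvm deny\n"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"# converted from {LEGACY_DIR}/{name}")
        for rule in convert_legacy_policy(name, body):
            print(rule)
```

Rules in the new format are evaluated top to bottom and the first match wins, so the converted lines keep the order they had in the legacy file.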



Re: [qubes-users] Re: Qubes 4.1 qrexec issue?

2022-03-16 Thread 'taran1s' via qubes-users




unman:

On Wed, Mar 09, 2022 at 11:20:53AM +, 'taran1s' via qubes-users wrote:



taran1s:

I have an issue with Split GPG as well as with opening files in the
disposable VMs and with the qrexec in the guide How to use Monero
CLI/daemon with Qubes + Whonix too.

https://www.getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html


Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation
Execution with Target GPG backend.

Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within
the normal AppVM, I get an error popup like:

Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!


Is this mailing list still active or one needs to better go to a different
place?



Still active, but the Forum has more traffic, although it's often low
grade and noisy.

On your questions,  the first looks like a Whonix issue - Patrick has
asked that Qubes-Whonix questions be put in the Whonix forums, where
they will get better oversight.
The second looks like permissions - look in the policy file at
/etc/qubes-rpc/policy/qubes.PdfConvert


The /etc/qubes-rpc/policy/qubes.PdfConvert has allowed anyvm to run 
PdfConvert

$anyvm $dispvm allow

I already asked on the whonix forum and followed the improved version of 
the guide for Split Monero on Whonix website, but got another error that 
seems like the monero-wallet-ws AppVM doesn't see the monerod-ws AppVM. 
Monero GUI cannot connect and monero-wallet-cli returns this error:


Error: wallet failed to connect to daemon: http://localhost:18081. 
Daemon either is not started or wrong port was passed. Please make sure 
daemon is running or change the daemon address using the ‘set_daemon’ 
command.

Background refresh thread started

The monerod-ws is syncing albeit it gets quite a lot of Socks errors here 
and there and sometimes freezes.


Also in connection with the error related to the PdfConvert, I am not 
sure if the issue with the Split Monero is whonix specific or it is 
linked to the general qubes qrexec setup and permissions of my Qubes.


Qubes 4.1 I use is vanilla and whonix-ws-16 is full vanilla too.

It would be really helpful if someone more experienced could have a look 
into it and provide help. I am cut off from the monero usage now if I 
don't want to use the remote node which I would like to avoid. Tried to 
find an answer on the net but didn't succeed.


Thanks in advance to anyone that can help us solve the issue!



[qubes-users] Re: Qubes 4.1 qrexec issue?

2022-03-09 Thread 'taran1s' via qubes-users




taran1s:
I have an issue with Split GPG as well as with opening files in the 
disposable VMs and with the qrexec in the guide How to use Monero 
CLI/daemon with Qubes + Whonix too.


https://www.getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html 



Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation 
Execution with Target GPG backend.


Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within 
the normal AppVM, I get an error popup like:


Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!


Is this mailing list still active or one needs to better go to a 
different place?




[qubes-users] Qubes 4.1 qrexec issue?

2022-03-06 Thread 'taran1s' via qubes-users
I have an issue with Split GPG as well as with opening files in the 
disposable VMs and with the qrexec in the guide How to use Monero 
CLI/daemon with Qubes + Whonix too.


https://www.getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html

Split GPG

Opening Thunderbird, I get following errors in the notification popup:

Denied: whonix.NewStatus
Denied whonix.NewStatus+status from work-email to sys-whonix

I have to as well make every gpg action confirm in the Dom0 Operation 
Execution with Target GPG backend.


Using dispVMs from within AppVM

When trying to convert file or open it in the disposable VM from within 
the normal AppVM, I get an error popup like:


Denied: qubes.PdfConvert
Denied qubes.pdfConvert from work-email to @dispvm

Any advice appreciated!



[qubes-users] Nitropad X230 with Qubes 4.1

2022-01-19 Thread 'taran1s' via qubes-users
Hello everyone, I am using the Nitropad X230 with the latest 4.0 Qubes 
installed.


In the conversation with Thierry Laurion here 
https://groups.google.com/g/qubes-users/c/KsY46D55UQM/m/F3cQ-89KBQAJ it 
seemed that at that time the Nitropad X230 was not ready to transit to 
Qubes 4.1.


This part of the conversation actually: Heads will need to be reflashed 
with a ROM supporting cryptsetup2 to reinstall. Heads will also need to 
be based on coreboot 4.13+ as per pending Heads pull request 1015.


Consider this as a beta testing ROM.

Is the situation different now with rc4, or is it advisable to wait till 
the transition will be ready?


Thank you!



Re: [qubes-users] Re: sys-net dispVM forgetting wifi passwords

2021-12-03 Thread 'taran1s' via qubes-users




TheGardner:

Mentioned already here and there. That's one of the cons of using a dispVM for
the sys-qubes.
Next one is - you can't "restart"...

r...@abtion.com wrote on Thursday, 2 December 2021 at 04:00:32 UTC-5:


I have installed 4.1rc2 and chose a disposable sys-net, because I could
think of a reason not to.
But now that I have to type in the wifi password again and again, I know a
reason to not choose dispVM for sys-net.

Maybe it should be mentioned in the installation process what consequences
it will have to choose disposable for sys-net?
   





It should be just easy to use your offline debian-11 vault to save the 
wifi passwords and insert it once you connect to a particular wifi.


There is of course an advantage for your anti tracking setup (together 
with other ones). So in this case if your sys-net gets compromised 
(unlikely but still possible), an adversary could see all your stored 
wifi connections which can give him unneeded advantage. This doesn't 
happen with disp sys-net.


The question is: What makes you more happy? Connect to the wifi 
handsfree and possibly give out your wifi history intelligence to 
unknown parties, or are you more happy to insert the password from the 
offline vault manually and be more safe?




Re: [qubes-users] Qubes OS 4.1-rc2 has been released!

2021-11-17 Thread 'taran1s' via qubes-users




Andrew David Wong:

Dear Qubes Community,

We're pleased to announce the second release candidate for Qubes 4.1!

Qubes 4.1-rc2 contains fixes for bugs that were discovered in the first
release candidate (4.1-rc1). For existing Qubes 4.1-rc1 users, a regular
update [01] is sufficient to upgrade to 4.1-rc2.

In case you haven't heard, Qubes 4.1 includes several major new
features, each of which is explained in depth in its own article:

- Qubes Architecture Next Steps: The GUI Domain [02]
- Qubes Architecture Next Steps: The New Qrexec Policy System [03]
- New Gentoo templates and maintenance infrastructure [04]
- Reproducible builds for Debian: a big step forward [05]

There are also  numerous other improvements and bug fixes listed in
the release notes [06] and in the issue tracker [07].

Finally, Qubes 4.1 features the following updated default components:

- Xen 4.14
- Fedora 32 in dom0
- Fedora 34 template
- Debian 11 template
- Whonix 16 Gateway and Workstation templates
- Linux kernel 5.10


How to test Qubes 4.1-rc2
-------------------------

If you're willing to test [08] this release candidate, you can help to
improve the stable release by reporting any bugs you encounter [09].
Experienced users are strongly encouraged to join the testing team [10]!

How to migrate to 4.1-rc2:

- If you're already on 4.1-rc1, simply perform a normal update [01].
- If you're not on 4.1-rc1, you have two options:
   1. Back up [11] your current installation, download [12] 4.1-rc2,
  perform a fresh install [13], then restore [14] from your backup.
   2. Perform an in-place upgrade [15].


Release candidate planning
--------------------------

As with any release candidate, it's possible that user testing will
reveal important bugs that we'll want to fix before the stable release.
We plan to release the next release candidate in approximately five
weeks. As explained in our general release schedule [16], this cycle
will continue until no major bugs are discovered, at which point the
latest release candidate will be declared the stable 4.1 release.


[01] https://www.qubes-os.org/doc/how-to-update/
[02] https://www.qubes-os.org/news/2020/03/18/gui-domain/
[03] https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/
[04] https://www.qubes-os.org/news/2020/10/05/new-gentoo-templates-and-maintenance-infrastructure/
[05] https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/
[06] https://www.qubes-os.org/doc/releases/4.1/release-notes/
[07] https://github.com/QubesOS/qubes-issues/issues?q=milestone%3A%22Release+4.1%22+is%3Aclosed+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+invalid%22+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+not+an+issue%22+-label%3A%22R%3A+not+our+bug%22+-label%3A%22R%3A+won%27t+do%22+-label%3A%22R%3A+won%27t+fix%22+
[08] https://www.qubes-os.org/doc/testing/
[09] https://www.qubes-os.org/doc/issue-tracking/
[10] https://forum.qubes-os.org/t/joining-the-testing-team/5190
[11] https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup
[12] https://www.qubes-os.org/downloads/
[13] https://www.qubes-os.org/doc/installation-guide/
[14] https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup
[15] https://www.qubes-os.org/doc/upgrade/4.1/
[16] https://www.qubes-os.org/doc/version-scheme/#release-schedule

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/11/17/qubes-4-1-rc2/



Is there any HCL list for Qubes 4.1? I have Nitropad X230 but from the 
previous conversations I was told that it is not so easy to transit with 
this laptop to 4.1 and also the Heads needs to be upgraded. Is that 
still true? I would like to transit to 4.1 but well safely as my current 
4.0.6 is my main laptop used for all my activities.




Re: [qubes-users] Qubes 4.1 - ready to go on Nitropad X230 without much tweaks?

2021-10-19 Thread 'taran1s' via qubes-users




Insurgo Technologies Libres / Open Technologies:



On October 13, 2021 3:16:13 PM UTC, 'taran1s' via qubes-users 
 wrote:



unman:

On Wed, Oct 13, 2021 at 10:24:46AM +, 'taran1s' via qubes-users wrote:

I am thinking about upgrading my Nitropad X230 Qubes to 4.1, but I am
curious if the version 4.1 has some serious issues that would make the
experience worse than the current 4.0 or would need many tweaks to make the
beast run well.

I know that the 4.1 is an rc1 with all its pros and cons, which can be but
different on each hardware. My question is if the Nitropad X230 has some
functionality issues running the 4.1-rc1 now.

For sys-net and sys-firewall I use the fedora-33-minimal, I use
qubes-gpg-split and a kind of split monero with qrexec, as described here: 
http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html,
sys-usb is based on debian-10. The rest is a normal usage with not so many
changes in the dom0 or templates from the default state.

Would you recommend to go on with the upgrade/reinstall of my 4.0 Qubes to
4.1 on Nitropad X230 now?

Thank you.

--
Kind regards
taran1s


4.1rc1 works fine on a corebooted x230 (that's what the nitropad is).
No functionality issues for me, and I cant see any issues with your set
up.
You'll have to reseal HEADS of course, but I assume you know that.



This is very good news, thank you. I will most probably clean-reinstall the 
beast to get advantage of the LUKS2. But not sure if it is worthy to do or the 
upgrade is enough to get advantage of the new 4.1.

Is the LUKS1 vs LUKS2 the only difference in between the clean-reinstall and 
upgrade, or are there other factors to take into consideration when deciding 
between the clean reinstall vs upgrade to 4.1?



Heads will need to be reflashed with a ROM supporting cryptsetup2 to reinstall. 
Heads will also need to be based on coreboot 4.13+ as per pending Heads pull 
request 1015.

Consider this as a beta testing ROM.



As far as I understand it, it is currently not recommended to upgrade on 
the Nitropad X230 and similar HW due to lack of support for the 
underlying software like Heads. Do I get it right?


Could you point me to where I can find more about the topic where I can 
learn how to reflash the ROM on my Nitropad X230 properly, and check if 
the status changed?


Thank you!



Re: [qubes-users] Qubes 4.1 - ready to go on Nitropad X230 without much tweaks?

2021-10-13 Thread 'taran1s' via qubes-users




Insurgo Technologies Libres / Open Technologies:



On October 13, 2021 3:16:13 PM UTC, 'taran1s' via qubes-users 
 wrote:



unman:

On Wed, Oct 13, 2021 at 10:24:46AM +, 'taran1s' via qubes-users wrote:

I am thinking about upgrading my Nitropad X230 Qubes to 4.1, but I am
curious if the version 4.1 has some serious issues that would make the
experience worse than the current 4.0 or would need many tweaks to make the
beast run well.

I know that the 4.1 is an rc1 with all its pros and cons, which can be but
different on each hardware. My question is if the Nitropad X230 has some
functionality issues running the 4.1-rc1 now.

For sys-net and sys-firewall I use the fedora-33-minimal, I use
qubes-gpg-split and a kind of split monero with qrexec, as described here: 
http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html,
sys-usb is based on debian-10. The rest is a normal usage with not so many
changes in the dom0 or templates from the default state.

Would you recommend to go on with the upgrade/reinstall of my 4.0 Qubes to
4.1 on Nitropad X230 now?

Thank you.

--
Kind regards
taran1s


4.1rc1 works fine on a corebooted x230 (that's what the nitropad is).
No functionality issues for me, and I can't see any issues with your set
up.
You'll have to reseal HEADS of course, but I assume you know that.



This is very good news, thank you. I will most probably clean-reinstall the 
beast to get advantage of the LUKS2. But not sure if it is worthy to do or the 
upgrade is enough to get advantage of the new 4.1.

Is the LUKS1 vs LUKS2 the only difference in between the clean-reinstall and 
upgrade, or are there other factors to take into consideration when deciding 
between the clean reinstall vs upgrade to 4.1?



Heads will need to be reflashed with a ROM supporting cryptsetup2 to reinstall. 
Heads will also need to be based on coreboot 4.13+ as per pending Heads pull 
request 1015.

Consider this as a beta testing ROM.

Ouch, this is what I was afraid of. Thank you for the warning. Is there 
any detailed guide on how to do that safely? This is my main laptop used 
for all of my digital activities, and I wouldn't like to mess it up.




Re: [qubes-users] Qubes 4.1 - ready to go on Nitropad X230 without much tweaks?

2021-10-13 Thread 'taran1s' via qubes-users




unman:

On Wed, Oct 13, 2021 at 10:24:46AM +, 'taran1s' via qubes-users wrote:

I am thinking about upgrading my Nitropad X230 Qubes to 4.1, but I am
curious if the version 4.1 has some serious issues that would make the
experience worse than the current 4.0 or would need many tweaks to make the
beast run well.

I know that the 4.1 is an rc1 with all its pros and cons, which can be but
different on each hardware. My question is if the Nitropad X230 has some
functionality issues running the 4.1-rc1 now.

For sys-net and sys-firewall I use the fedora-33-minimal, I use
qubes-gpg-split and a kind of split monero with qrexec, as described here: 
http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html,
sys-usb is based on debian-10. The rest is a normal usage with not so many
changes in the dom0 or templates from the default state.

Would you recommend to go on with the upgrade/reinstall of my 4.0 Qubes to
4.1 on Nitropad X230 now?

Thank you.

--
Kind regards
taran1s


4.1rc1 works fine on a corebooted x230 (that's what the nitropad is).
No functionality issues for me, and I can't see any issues with your set
up.
You'll have to reseal HEADS of course, but I assume you know that.



This is very good news, thank you. I will most probably clean-reinstall 
the beast to get advantage of the LUKS2. But not sure if it is worthy to 
do or the upgrade is enough to get advantage of the new 4.1.


Is the LUKS1 vs LUKS2 the only difference in between the clean-reinstall 
and upgrade, or are there other factors to take into consideration when 
deciding between the clean reinstall vs upgrade to 4.1?




[qubes-users] Qubes 4.1 - ready to go on Nitropad X230 without much tweaks?

2021-10-13 Thread 'taran1s' via qubes-users
I am thinking about upgrading my Nitropad X230 Qubes to 4.1, but I am 
curious if the version 4.1 has some serious issues that would make the 
experience worse than the current 4.0 or would need many tweaks to make 
the beast run well.


I know that the 4.1 is an rc1 with all its pros and cons, which can be 
but different on each hardware. My question is if the Nitropad X230 has 
some functionality issues running the 4.1-rc1 now.


For sys-net and sys-firewall I use the fedora-33-minimal, I use 
qubes-gpg-split and a kind of split monero with qrexec, as described 
here: 
http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html, 
sys-usb is based on debian-10. The rest is a normal usage with not so 
many changes in the dom0 or templates from the default state.


Would you recommend to go on with the upgrade/reinstall of my 4.0 Qubes 
to 4.1 on Nitropad X230 now?


Thank you.

--
Kind regards
taran1s



[qubes-users] Trezor-T - is someone really using it in Qubes?

2021-09-29 Thread 'taran1s' via qubes-users

I am searching for someone who is actually really using Trezor-T on Qubes.

I tried following:

- new vanilla sys-usb AppVM based on new vanilla debian-10 template
- new vanilla trezord AppVM based on new vanilla whonix-ws-16 template

Used packages (Trezor Suite gpg2 --verified against SatoshiLabs 2021 
Signing Key):


trezor-bridge_2.0.27_amd64.deb
Trezor-Suite-21.9.2-linux-x86_64.AppImage
trezor-udev_2_all.deb

1. https://wiki.trezor.io/Qubes_OS done, restart both AppVMs (sys-usb 
trezord)

2. run trezord AppVM
3. ./Trezor-Suite-21.9.2-linux-x86_64.AppImage in trezord AppVM. Suite 
GUI says "Trezor Bridge is not running". Same output with --no-sandbox.


user@host:~$ ./Trezor-Suite-21.9.2-linux-x86_64.AppImage
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)


4. sys-usb runs
5. I connect Trezor-T and no change, restart, unplug-replug, other USB 
port... no change

6. Trezor-T cannot be used



Re: [qubes-users] Trezor error with qubes

2021-09-05 Thread 'taran1s' via qubes-users






have you seen this?
https://github.com/Qubes-Community/Contents/blob/e7443c960228c1abec9b97f2c2027dbc01f45f63/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md 

Actually I did do the process based on this guide. Everything is set up 
except bridge verification. The issue is that once I download the bridge 
from https://wallet.trezor.io/#/bridge I cannot verify it with gpg2 
--verify. It returns:


[user@fedora-33-min-trezor ~]$ gpg2 --verify trezor-bridge-2.0.27-1.x86_64.rpm

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

If I try to use rpm directly, it returns this:

[user@fedora-33-min-trezor ~]$ sudo rpm -i trezor-bridge-2.0.27-1.x86_64.rpm
warning: trezor-bridge-2.0.27-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY
	package trezor-bridge-2.0.27-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY


Fedora min template has following packages installed: gnome-keyring 
qubes-core-agent-nautilus qubes-mgmt-salt-vm-connector qubes-usb-proxy 
and of course trezor-common







On Tue, Aug 31, 2021 at 02:53:47PM +, 'taran1s' via qubes-users wrote:

Hello,

In my last message I mentioned my attempts to start using the Trezor 
with qubes.


I try to follow this guide, from the official trezor website: 
https://wiki.trezor.io/Qubes_OS


I use the sys-usb based on debian-10 and tried the same with sys-usb 
based on debian-10-minimal with similar error. My online AppVM in 
anon-whonix.


After I finished the procedures described in the guide, I installed 
the trezor Bridge and Udev rules in the sys-usb, and the Trezor Suite 
in the anon-whonix, with sudo dpkg -i required-package.


Once I start both sys-usb and anon-whonix and attach the trezor-T I 
get following error (suite is seen by the sys-usb):


2021-08-31T14:38:06.967Z - ERROR(process-trezord): Status error: request to http://127.0.0.1:21325/ failed, reason: connect ECONNREFUSED 127.0.0.1:21325


Do you see any workarounds to make it work?



Re: [qubes-users] Trezor in Qubes

2021-09-03 Thread 'taran1s' via qubes-users




tetrahe...@danwin1210.me:

On Thu, Aug 26, 2021 at 02:27:35PM +, 'taran1s' via qubes-users wrote:
Hello all, I would like to start to use Trezor with my qubes. I would 
like to follow this guide here https://wiki.trezor.io/Qubes_OS. My 
intention is to use the Trezor HW wallet in a anon-whonix AppVm with 
Trezor Suite qube through Tor. I run qubes on X230 Nitropad.


I would like to check if the guide to install the Trezor Bridge and 
Udev rules in the sys-usb (see the official Trezor guide) is advised 
by qubes community or is it good practice not to install anything in 
the sys-usb and instead install the packages (bridge, udev rules and 
suite) in the target anon-whonix AppVM.


It should be fine. See my pull request for step by step instructions:
https://github.com/Qubes-Community/Contents/pull/145
https://github.com/Qubes-Community/Contents/blob/3e1785a11e90b52e086fb8b3b246e5c2de7faca5/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md 



Thank you for the guide. I tried to follow the official guide on trezor 
wiki, abstaining from fedora a bit more, but still erroring.


To your guide. The last 4 lines:

copy to fedora-3x

in fedora-3x sudo rpm -i /path/to/trezor.rpm

...are to be done in the fedora-3x template, right? Will it work on 
fedora-33-minimal too, or it needs to be full template?


All done, but I wasn't able to find any signed hash of the bridge or 
something and so I get this error:


[user@fedora-33-min-trezor ~]$ sudo rpm -i trezor-bridge-2.0.27-1.x86_64.rpm
warning: trezor-bridge-2.0.27-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY
	package trezor-bridge-2.0.27-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY


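The `gpg2 --verify` failure in the 2021-09-05 message and the `NOKEY` warning shown there and in the message above share one cause: an RPM carries its signature inside the package header, so gpg2 finds no OpenPGP data to read, and `NOKEY` means rpm saw the signature but its own keyring lacks the signer's key. The following is an added example (not from the thread or from Trezor's documentation) that triages such output and checks the key file against a fingerprint obtained out of band before `rpm --import`; the key file path, the trusted fingerprint and the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage rpm signature output, then check the signer key before
# importing it. Key file, fingerprint and function names are hypothetical.

# Verdict for one line of `rpm -K -v` or `rpm -i` signature output.
rpm_sig_verdict() {
    case $1 in
        *": NOKEY"*)      echo key-missing ;;  # signed, key not in rpm keyring
        *": NOTTRUSTED"*) echo untrusted ;;
        *": BAD"*)        echo bad ;;          # signature does not match package
        *": OK"*)         echo ok ;;
        *)                echo unknown ;;
    esac
}

# Key ID that rpm names in the line (empty output if there is none).
rpm_sig_keyid() {
    printf '%s\n' "$1" | sed -n 's/.*key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p'
}

# True when a 40-hex-digit fingerprint ends with the given key ID.
# A short key ID alone is not proof of identity; the full fingerprint is.
keyid_matches_fingerprint() {
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$id" ] || return 1
    [ "${#fpr}" -eq 40 ] || return 1
    case $fpr in
        *"$id") return 0 ;;
        *)      return 1 ;;
    esac
}

# verify_rpm KEYFILE TRUSTED_FPR PACKAGE
# Imports KEYFILE into the rpm keyring only if its fingerprint equals the one
# obtained out of band, then lets rpm check the package signature.
verify_rpm() {
    keyfile=$1 trusted_fpr=$2 pkg=$3
    file_fpr=$(gpg2 --show-keys --with-colons "$keyfile" |
               awk -F: '$1 == "fpr" { print $10; exit }')
    want=$(printf '%s' "$trusted_fpr" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ "$file_fpr" != "$want" ]; then
        echo "key file fingerprint does not match the trusted one" >&2
        return 1
    fi
    sudo rpm --import "$keyfile"
    rpm -K -v "$pkg"          # returns rpm's exit status
}

# Demonstration on the warning line quoted in the thread.
line='warning: trezor-bridge-2.0.27-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY'
echo "verdict: $(rpm_sig_verdict "$line"), key ID: $(rpm_sig_keyid "$line")"
```

In the template, `verify_rpm` would be called with the downloaded vendor key, the fingerprint confirmed through a second channel, and the package file.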


[qubes-users] Trezor error with qubes

2021-08-31 Thread 'taran1s' via qubes-users

Hello,

In my last message I mentioned my attempts to start using the Trezor 
with qubes.


I try to follow this guide, from the official trezor website: 
https://wiki.trezor.io/Qubes_OS


I use the sys-usb based on debian-10 and tried the same with sys-usb 
based on debian-10-minimal with similar error. My online AppVM in 
anon-whonix.


After I finished the procedures described in the guide, I installed the 
trezor Bridge and Udev rules in the sys-usb, and the Trezor Suite in the 
anon-whonix, with sudo dpkg -i required-package.


Once I start both sys-usb and anon-whonix and attach the trezor-T I get 
following error (suite is seen by the sys-usb):


2021-08-31T14:38:06.967Z - ERROR(process-trezord): Status error: request to http://127.0.0.1:21325/ failed, reason: connect ECONNREFUSED 127.0.0.1:21325


Do you see any workarounds to make it work?



Re: [qubes-users] Trezor in Qubes

2021-08-30 Thread 'taran1s' via qubes-users



tetrahedra via qubes-users:

On Thu, Aug 26, 2021 at 02:27:35PM +, 'taran1s' via qubes-users wrote:
Hello all, I would like to start to use Trezor with my qubes. I would 
like to follow this guide here https://wiki.trezor.io/Qubes_OS. My 
intention is to use the Trezor HW wallet in a anon-whonix AppVm with 
Trezor Suite qube through Tor. I run qubes on X230 Nitropad.


I would like to check if the guide to install the Trezor Bridge and 
Udev rules in the sys-usb (see the official Trezor guide) is advised 
by qubes community or is it good practice not to install anything in 
the sys-usb and instead install the packages (bridge, udev rules and 
suite) in the target anon-whonix AppVM.


It should be fine. See my pull request for step by step instructions:
https://github.com/Qubes-Community/Contents/pull/145
https://github.com/Qubes-Community/Contents/blob/3e1785a11e90b52e086fb8b3b246e5c2de7faca5/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md 





Thank you for the advice. You mention on github to verify the bridge, 
but I cannot find any signed hash or anything for Trezor bridge and udev 
rules. Can you point me to it?




[qubes-users] Trezor in Qubes

2021-08-26 Thread 'taran1s' via qubes-users
Hello all, I would like to start to use Trezor with my qubes. I would 
like to follow this guide here https://wiki.trezor.io/Qubes_OS. My 
intention is to use the Trezor HW wallet in a anon-whonix AppVm with 
Trezor Suite qube through Tor. I run qubes on X230 Nitropad.


I would like to check if the guide to install the Trezor Bridge and Udev 
rules in the sys-usb (see the official Trezor guide) is advised by qubes 
community or is it good practice not to install anything in the sys-usb 
and instead install the packages (bridge, udev rules and suite) in the 
target anon-whonix AppVM.




Re: [qubes-users] Debian onion repo v2 deprecation - any debian v3 onions alternatives

2021-07-06 Thread 'taran1s' via qubes-users




unman:

On Tue, Jul 06, 2021 at 10:00:23AM +, 'taran1s' via qubes-users wrote:

I have my debian based templates updating repos onionized through existing
v2 onions. Tor Project announced that it will deprecate the v2 onions. Are
there any alternative debian v3 onions for debian updates?



The Qubes onion repos are v3.
If you have updated apt-transport-tor, then you should already be using
v3 onions.


I onionized the debian and whonix templates a long time ago. In my 
/etc/apt/sources.list and /etc/apt/sources.list.d/qubes-r4.list in debian 
I can still see v2 onions only:


deb http://vwakviie2ienjx6t.onion/debian buster main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free

Should I run sudo apt update apt-transport-tor in each debian-based 
template to include the v3 onions?



--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3

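The v2 entries quoted in the message above can be found mechanically, because a v2 onion label is 16 base32 characters and a v3 label is 56. The following is an added shell example (not from the thread, Qubes or Debian) that scans one-line APT source entries and reports the onion version of each; the sample input is constructed from the two lines in the post plus a placeholder v3 host, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report the onion-service version of every active APT source.
# A v2 onion label is 16 base32 characters (a-z, 2-7); a v3 label is 56.
# Only one-line "deb ..." entries are handled, not deb822 .sources files.

# Reads sources.list-style text on stdin and prints "<version> <host>" for
# each active deb/deb-src entry whose URI points at a .onion host.
scan_onion_sources() {
    LC_ALL=C awk '
        function classify(host,    label) {
            label = host
            sub("\\.onion$", "", label)      # drop the .onion suffix
            sub("^.*\\.", "", label)         # drop any subdomain
            if (label !~ "^[a-z2-7]+$") return "invalid"
            if (length(label) == 16) return "v2"
            if (length(label) == 56) return "v3"
            return "invalid"
        }
        $1 == "deb" || $1 == "deb-src" {
            for (i = 2; i <= NF; i++) {
                if ($i !~ "://") continue    # options, suite and components
                host = tolower($i)
                sub("^[^:]*://", "", host)   # strip scheme (http://, tor+http://)
                sub("[/:].*$", "", host)     # strip path and port
                if (host ~ "\\.onion$") print classify(host), host
            }
        }'
}

# Exit status 0 when stdin contains no active v2 onion source, 1 otherwise.
no_v2_left() {
    ! scan_onion_sources | grep -q '^v2 '
}

# Constructed placeholder: 56 x "a", the length of a v3 label, not a real host.
V3_PLACEHOLDER=$(printf '%056d' 0 | tr 0 a)

# Constructed sample: the two v2 lines from the post, a commented-out entry,
# a placeholder v3 entry and a clearnet entry.
sample_sources() {
    cat <<EOF
deb http://vwakviie2ienjx6t.onion/debian buster main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free
# deb http://vwakviie2ienjx6t.onion/debian buster-backports main
deb [arch=amd64] tor+http://${V3_PLACEHOLDER}.onion/debian buster main
deb https://deb.debian.org/debian buster main
EOF
}

sample_sources | scan_onion_sources
```

In a template, the real files can be fed in with `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | scan_onion_sources`.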


[qubes-users] Debian onion repo v2 deprecation - any debian v3 onions alternatives

2021-07-06 Thread 'taran1s' via qubes-users
I have my debian based templates updating repos onionized through 
existing v2 onions. Tor Project announced that it will deprecate the v2 
onions. Are there any alternative debian v3 onions for debian updates?




Re: [qubes-users] Networking with debian10-minimal instead of fedora-33

2021-06-30 Thread 'taran1s' via qubes-users




'taran1s' via qubes-users:
Hi, I am trying to make work the sys-net and sys-firewall under 
debian-10-minimal template, instead of fedora-33, but without success. 
Fedora is annoying with its updates and also I would like to decrease 
the exposure to the complexity of fedora-33 full template wherever 
possible.


I followed these guides regarding networking:

https://www.qubes-os.org/doc/templates/minimal/
https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md 



I installed following packages into debian-10-minimal template and based 
the sys-net and sys-firewall on it:


qubes-core-agent-networking qubes-core-agent-dom0-updates 
qubes-core-agent-network-manager qubes-core-agent-passwordless-root nano 
qubes-mgmt-salt-vm-connector qubes-core-agent-nautilus nautilus 
gnome-terminal


Once I change the sys-whonix and sys-firewall, the network icon doesn't 
show any Wi-Fi Networks, only ethernet.


Sorry, sys-net and sys-firewall, not sys-whonix of course.



Any workaround?



--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] Networking with debian10-minimal instead of fedora-33

2021-06-30 Thread 'taran1s' via qubes-users
Hi, I am trying to make work the sys-net and sys-firewall under 
debian-10-minimal template, instead of fedora-33, but without success. 
Fedora is annoying with its updates and also I would like to decrease 
the exposure to the complexity of fedora-33 full template wherever 
possible.


I followed these guides regarding networking:

https://www.qubes-os.org/doc/templates/minimal/
https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md

I installed following packages into debian-10-minimal template and based 
the sys-net and sys-firewall on it:


qubes-core-agent-networking qubes-core-agent-dom0-updates 
qubes-core-agent-network-manager qubes-core-agent-passwordless-root nano 
qubes-mgmt-salt-vm-connector qubes-core-agent-nautilus nautilus 
gnome-terminal


Once I change the sys-whonix and sys-firewall, the network icon doesn't 
show any Wi-Fi Networks, only ethernet.


Any workaround?



Re: [qubes-users] MS Office 365 in Qubes

2021-05-13 Thread 'taran1s' via qubes-users




Sven Semmler:



need to use MS Office 365


Condolences.


Thank you, taken sadly.




workaround other than necessity to install whole Windows OS


https://www.codeweavers.com/compatibility/crossover/microsoft-office-365

WIN7 or WIN10 [...] point me to a how to guide? 


https://github.com/elliotkillick/qvm-create-windows-qube

But if Office 365 Suite are the only windows apps you need I'd go for 
CrossOver.





I believe that I could possibly get out with the MS Office 2019 
instead of Office 365. Would this change the equation and make things 
easier?


--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] MS Office 365 in Qubes

2021-05-13 Thread 'taran1s' via qubes-users
I am using Qubes as my main OS and now it seems that due to my work 
assignment, I will need to use MS Office 365 and I would like to keep 
using my Qubes laptop.


I will need to use the MS Office 365 ideally with/without the following 
features:


- no need to have internet connection
- no win apps other than the MS Office 365 are needed now
- need to copy and paste text in between win-AppVMs and non-win-AppVMs
- need file sharing between win-AppVMs and non-win-AppVMs (copy and move)
- need to ideally be able to open the MS Office 365 files in various 
separate AppVMs, but it is not a killer and I can live without it if it 
complicates the situation too much.


My question is, if there is some workaround other than necessity to 
install whole Windows OS in my Qubes.


If the Windows OS installation is a necessity in this case, would you 
consider the WIN7 or WIN10 as better, less troublesome option? Could you 
point me to a how to guide? There is this guide 
https://www.qubes-os.org/doc/windows/. Is there any other one you would 
propose for this case?


--
Kind regards
taran1s



Re: [qubes-users] X230 - external monitor how to

2021-04-14 Thread 'taran1s' via qubes-users




unman:

On Thu, Apr 08, 2021 at 01:25:57PM +, 'taran1s' via qubes-users wrote:



unman:

On Wed, Apr 07, 2021 at 01:59:10PM +, 'taran1s' via qubes-users wrote:

How do I use the X230+Qubes 4.0 with external monitor of at least 1080p or
higher? I understand that a dock station (Ultrabase?) is required to be able
to use the HiDPI external monitor with X230.

What smallest dock station would you propose for this purpose? Is there
possibly some other, more portable way, to get X230 to use HiDPI external
monitor?



You don't need a dock for this - the x230 supports 1920x1200 through HDMI
and 2560x1600 through the DisplayPort.
Of course, a dock is always nice.


This is really interesting and thank you a ton for this information. I don't
see the HDMI output from my X230 but there seems to be a Mini Displayport.
Very nice.



You can also mod the x230 with a board and updated panel to get 1080p on
a larger IPS panel - very portable and a real boost to the x230.


Can you please elaborate more on this? What kind of board and updated panel
is it? I didn't know that X230 can be modded to have 1080p IPS display at
all. This would possibly solve most need to have external display for simple
media.



There are a number of boards you can use - imo the best is from
nitrocaster  - nitrocaster.me/store
They all work in the same way - you solder the board on the motherboard
and "steal" output from the dock. With some minor modification to the
screen enclosure you can fit a really nice 1080p IPS panel to the x230.

There are a number of people who will do this for you, if you doubt
your soldering skills. If you didn't already have an x230 you can also buy
x230 premodded, but that's no use to you. :-(



Thank you!



Re: [qubes-users] X230 - external monitor how to

2021-04-08 Thread 'taran1s' via qubes-users




unman:

On Wed, Apr 07, 2021 at 01:59:10PM +, 'taran1s' via qubes-users wrote:

How do I use the X230+Qubes 4.0 with external monitor of at least 1080p or
higher? I understand that a dock station (Ultrabase?) is required to be able
to use the HiDPI external monitor with X230.

What smallest dock station would you propose for this purpose? Is there
possibly some other, more portable way, to get X230 to use HiDPI external
monitor?



You don't need a dock for this - the x230 supports 1920x1200 through HDMI
and 2560x1600 through the DisplayPort.
Of course, a dock is always nice.


This is really interesting and thank you a ton for this information. I 
don't see the HDMI output from my X230 but there seems to be a Mini 
Displayport. Very nice.




You can also mod the x230 with a board and updated panel to get 1080p on
a larger IPS panel - very portable and a real boost to the x230.


Can you please elaborate more on this? What kind of board and updated 
panel is it? I didn't know that X230 can be modded to have 1080p IPS 
display at all. This would possibly solve most need to have external 
display for simple media.




[qubes-users] X230 - external monitor how to

2021-04-07 Thread 'taran1s' via qubes-users
How do I use the X230+Qubes 4.0 with external monitor of at least 1080p 
or higher? I understand that a dock station (Ultrabase?) is required to 
be able to use the HiDPI external monitor with X230.


What smallest dock station would you propose for this purpose? Is there 
possibly some other, more portable way, to get X230 to use HiDPI 
external monitor?




Re: [qubes-users] X230 - switch-on backlit keyboard

2021-04-06 Thread 'taran1s' via qubes-users




unman:

On Tue, Apr 06, 2021 at 12:44:31PM +, 'taran1s' via qubes-users wrote:

I have got my X230 with Qubes preinstalled. Everything seems to work well,
but I can't switch-on the backlit keyboard. Pressing Fn+Space just cycles
between ON and OFF of the upper light (besides camera). The X230 of course
has, or should have, the backlit keyboard.

I didn't find any options in the Qubes Settings Manager to make it run. How
can I make it run?

Thank you!



This isn't a Qubes issue, because the backlit keyboard works fine on
varieties of 4.
Just to check - you **do** have a backlit keyboard? When you look at the
lamp icon on the space bar, are the beams pointing to the screen or
toward you?



Ah I see. The beams pointing towards me.

--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] X230 - switch-on backlit keyboard

2021-04-06 Thread 'taran1s' via qubes-users
I have got my X230 with Qubes preinstalled. Everything seems to work 
well, but I can't switch-on the backlit keyboard. Pressing Fn+Space just 
cycles between ON and OFF of the upper light (besides camera). The X230 
of course has, or should have, the backlit keyboard.


I didn't find any options in the Qubes Settings Manager to make it run. 
How can I make it run?


Thank you!




Re: [qubes-users] qubes-split-browser issues

2021-02-08 Thread 'taran1s' via qubes-users




Rusty Bird:

taran1s:

Rusty Bird:

Anything interesting in 'sudo journalctl' on
the DisposableVM?



Can you navigate me how to open the terminal in the active dispvm please?


In the Domains Widget (system tray Q button), there's 'Run Terminal'
inside the disp1234 submenu.


Sorry, in the Domains Widget there is no active disp12... available. I 
can see the dispvm only in the Qube Manager.




The logs in the *persistent* VM would be relevant too:

 journalctl -t qubes.StartApp+split-browser-dom0 \
-t qubes.StartApp+split-browser-safest-dom0







- At the end, if I save a bookmark in the disp VM TB, launched from
the surfer VM, the bookmark doesn't survive the killing of the disp
VM and is not available from the another disp VM launched from the
surfer VM.


Did you use the hotkeys? Ctrl-d to save a persistent bookmark, and
Alt-b to open the persistent bookmarks list. Other methods (like
clicking the star outline in the address bar, etc.) unfortunately
won't work.



Yes I did. Clicking ctrl-d saves the bookmark with blue Saved to library!
popup in the active TB dispVM. alt-b opens up the bookmarks menu and I can
see the bookmark. But it doesn't survive the reboot.


Ah, for some reason the hotkeys aren't intercepted. Can you start a
new Split Browser, and post the full contents of Tor Browser's Browser
Console? (Ctrl-Shift-j)


split-browser-safest

[02-08 11:25:56] Torbutton NOTE: Initializing security-prefs.js
[02-08 11:25:56] Torbutton NOTE: security-prefs.js initialization complete
Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
[Exception... "Component returned failure code: 0x80520001 
(NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]" 
 nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: 
"JS frame :: resource://gre/modules/L10nRegistry.jsm :: 
L10nRegistry.loadSync :: line 661"  data: no] 14 L10nRegistry.jsm:661:19
Bootstrapped manifest not allowed to use 'resource' directive. 
chrome.manifest:2

Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
[Exception... "Component returned failure code: 0x80520001 
(NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]" 
 nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: 
"JS frame :: resource://gre/modules/L10nRegistry.jsm :: 
L10nRegistry.loadSync :: line 661"  data: no] L10nRegistry.jsm:661:19

Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
[Exception... "Component returned failure code: 0x80004001 
(NS_ERROR_NOT_IMPLEMENTED) [nsIAppStartup.secondsSinceLastOSRestart]" 
nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)"  location: "JS frame 
:: resource:///modules/BrowserGlue.jsm :: 
_collectStartupConditionsTelemetry :: line 1743"  data: no] 
BrowserGlue.jsm:1743:9

Error: setevents stream -> 510 Command filtered tor-control-port.js:237:19
[02-08 11:25:59] Torbutton NOTE: no SOCKS credentials found for current 
document.
Unchecked lastError value: Error: Could not establish connection. 
Receiving end does not exist. store.js:135

a11y.sitezoom - Unknown scalar.
[02-08 11:26:02] Torbutton WARN: Your Tor Browser is out of date.
Key event not available on GTK2: key=“u” modifiers=“accel shift” 
id=“torbutton-new-identity-key” browser.xhtml
Key event not available on some keyboard layouts: key=“r” 
modifiers=“accel,alt” id=“key_toggleReaderMode” browser.xhtml
Key event not available on some keyboard layouts: key=“i” 
modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xhtml




Re: [qubes-users] qubes-split-browser issues

2021-02-06 Thread 'taran1s' via qubes-users




Rusty Bird:

taran1s:

- TB opens up in disp-VM whonix-ws-15-disp.


In a VM named like disp1234 though, right?


Right.




The welcome page is not Whonix Welcome Page as normally when I open
the TB in the disp VM directly, but instead it opens up the About
Tor welcome page. Is this intended?


Yes, so far so good.

I've configured about:tor as the homepage, because Tor Browser has
been plagued by a bunch of obscure bugs on first startup (which should
be every startup for DisposableVMs) when it's blank or a file:// URL.


- TB opens up in the Security Level: Standard, instead of Safest, as
mentioned in the name of the link (Split Browser (TB Security level:
Safest). [...]



- once I close the TB, the disp VM remains active and needs to be
stopped manually.


Those two are strange. Anything interesting in 'sudo journalctl' on
the DisposableVM?


Can you navigate me how to open the terminal in the active dispvm please?




- At the end, if I save a bookmark in the disp VM TB, launched from
the surfer VM, the bookmark doesn't survive the killing of the disp
VM and is not available from the another disp VM launched from the
surfer VM.


Did you use the hotkeys? Ctrl-d to save a persistent bookmark, and
Alt-b to open the persistent bookmarks list. Other methods (like
clicking the star outline in the address bar, etc.) unfortunately
won't work.


Yes I did. Clicking ctrl-d saves the bookmark with blue Saved to 
library! popup in the active TB dispVM. alt-b opens up the bookmarks 
menu and I can see the bookmark. But it doesn't survive the reboot.





This behavior is the same if I execute split-browser in the
terminal, or through the GUI as Split Browser or as Split Browser
(TB Security level: Safest).


So 'split-browser --safest' also opens up on Standard?


Both open on Standard and don't kill the dispvm once switched off. It 
needs to be stopped manually.




Hmm, maybe try with a freshly created DisposableVM template instead of
whonix-ws-15-disp? I'm definitely interested in debugging this.

Rusty


--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] qubes-split-browser issues

2021-02-04 Thread 'taran1s' via qubes-users
I have installed and enabled the qubes-split-browser. I would like to 
check if the behavior of the qubes-split-browser is as intended.


My surfer VM is based on Fedora-32, with networking disabled. Its 
disp-VM is set to whonix-ws-15-disp, that itself is based on whonix-ws-15.


In the surfer VM I open the Split Browser (TB Security level: Safest). 
This is what happens:


- TB opens up in disp-VM whonix-ws-15-disp. The welcome page is not 
Whonix Welcome Page as normally when I open the TB in the disp VM 
directly, but instead it opens up the About Tor welcome page. Is this 
intended?


- TB opens up in the Security Level: Standard, instead of Safest, as 
mentioned in the name of the link (Split Browser (TB Security level: 
Safest). It should open up in the Safest I guess?


- once I close the TB, the disp VM remains active and needs to be 
stopped manually. Normally, if I launch TB in the whonix-ws-15-disp 
directly, and then close that TB, whole disp VM gets killed by itself. 
How can I set the qubes-split-browser to kill the whole disp VM once the 
TB is closed?


- At the end, if I save a bookmark in the disp VM TB, launched from the 
surfer VM, the bookmark doesn't survive the killing of the disp VM and is 
not available from the another disp VM launched from the surfer VM.


This behavior is the same if I execute split-browser in the terminal, or 
through the GUI as Split Browser or as Split Browser (TB Security level: 
Safest). Can anyone help me with the setup?




Re: [qubes-users] Android on Qubes

2021-01-24 Thread 'taran1s' via qubes-users




Franz:

On Fri, Dec 6, 2019 at 7:31 AM scurge1tl  wrote:



I would like to ask if there is any reliable way to get Android
template into Qubes, so that I could create AppVMs for different
android apps (from google play too). I know about the project of
Daniel Micay who is working on a hardened version of Android
GrapheneOS, but don't know where the project stands.

Is there actually any reliable way to get the android into Qubes now
in the form of a template?



More than a year passed and nobody replied. May a bounty encourage a brave
developer to prepare and maintain a community template?
Best
Franz



I think that Daniel Micay from GrapheneOS did do some work in this 
field, but one needs to check this. I don't know where he is in this now. 
Definitely it would really make things interesting and exciting.


--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2021-01-13 Thread 'taran1s' via qubes-users




taran1s:



Chris Laprise:

On 5/2/20 6:54 AM, unman wrote:

On Sat, May 02, 2020 at 08:22:57AM +, taran1s wrote:



unman:

On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:



taran1s:




Chris, I tried now to connect to the kraken.com, which seems to be tor
unfriendly through me->tor->VPN->kraken.com but it returns error on
the site "Disabled".

I learned now that despite I use the above connection model, using VPN
as an exit, I still exit from the tor exit node and not from the VPN. I
am not sure what broke.



If I understand your model: me->tor->VPN->kraken.com
you are running Tor *through* your VPN - this means that your service
provider sees your connection to the VPN, and your VPN provider sees
your connection to the first Tor hop.
Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
exit node that connects to kraken.
The VPN is NOT an exit in this model. Nothing has broken.



I am actually using mullvad VPN. The idea is to have the possibility to
access websites or services (like kraken.com) that are not tor-friendly.
I would like to connect first to Tor through sys-whonix than connect to
the VPN through VPN AppVM and from that VPN to connect to the clearnet.

I set the AppVMs networking following way: anon-whonix networking set
to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
the clearnet. Is that right for my model?


No.
Think about it.
anon-whonix creates a request.
sys-whonix takes that request, and builds a circuit.
VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
The VPN provider gets the Tor traffic, and sends it on to the first
hop.
Then it goes via Tor to the exit node and then to the target.
Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
going to Tor; the target sees traffic coming from Tor network.

*Always* use check.torproject.org to confirm your exit IP in this sort of
case (always) so that actual matches expectations.

What you have built (in packet terms) is:
me - Tor - VPN - target.

What you seem to want is:
me - VPN - Tor - target

To do that you need to build the VPN traffic and send it down a Tor
circuit.
Your Qubes network configuration should be:
client - VPN qube - Tor qube - sys-firewall - sys-net


A good rule of thumb is that whichever proxyVM is directly attached to
your appVM will be the type of network that the remote service sees.



I have no idea if Whonix will let you do this.


This should work for most VPNs, as Patrick and I and others have tested
it (though I haven't tested Whonix specifically with Mullvad). The only
constraint is that the VPN use TCP instead of UDP.



Thank you for the hint with ProxyVM logic.

I tried both configurations from Mullvad with UDP and TCP 443, but
didn't get it work. The VPN-ProxyVM cycles at ready to start link but
never goes to the Link Up. Mullvad's options are Default (UDP), UDP 53,
TCP 80 and TCP 443.

Chris, if you have any chance to try the setup, would be very much
appreciated.



Hello everyone, did anyone actually manage to make this setup run? 
Possibly any additional ideas how to accomplish the task of connecting in 
the above configuration?
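
The layering unman and Chris Laprise describe in this thread, as an added example that is not part of any poster's message: a small model that walks a Qubes netvm chain outward from the client qube and reports what the ISP, each tunnel's entry point and the target observe, and applies the TCP-only constraint for a VPN carried inside Tor. The `Hop` class, the function names and the observer labels are constructed for illustration; the qube names are the ones used in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    name: str               # qube name as used in the thread
    kind: str               # "tor", "vpn" or "plain" (sys-firewall, sys-net)
    transport: str = "tcp"  # what the tunnel's own packets ride on


def tunnels(chain):
    """Tunnelling hops only, ordered from the client qube outward."""
    return [h for h in chain if h.kind in ("tor", "vpn")]


def observers(chain):
    """chain lists netvm hops starting with the one attached to the client qube.

    Each proxy wraps what it receives, so the hop nearest the client is the
    innermost layer (unwrapped last, facing the target) and the hop nearest
    sys-net is the outermost layer (the only thing the ISP sees).
    """
    t = tunnels(chain)
    if not t:
        return {"isp_sees": "direct connection to target",
                "target_sees": "real IP", "tunnel_source": {}}
    source = {}
    for i, hop in enumerate(t):
        outer = t[i + 1] if i + 1 < len(t) else None
        # The entry point of a tunnel sees whoever delivers its packets:
        # the exit of the next layer out, or the user's own address.
        source[hop.name] = f"{outer.kind} exit" if outer else "real IP"
    return {"isp_sees": f"{t[-1].kind} entry",
            "target_sees": f"{t[0].kind} exit",
            "tunnel_source": source}


def problems(chain):
    """Tor carries TCP streams only, so a tunnel routed through Tor must use TCP."""
    t = tunnels(chain)
    found = []
    for i, hop in enumerate(t):
        carried_by_tor = any(o.kind == "tor" for o in t[i + 1:])
        if carried_by_tor and hop.transport != "tcp":
            found.append(f"{hop.name}: {hop.transport.upper()} tunnel cannot be "
                         "carried inside Tor, select a TCP profile")
    return found


def tor_check_expected(chain):
    """Whether check.torproject.org should report a Tor exit for this chain."""
    return observers(chain)["target_sees"] == "tor exit"


PLAIN = [Hop("sys-firewall", "plain"), Hop("sys-net", "plain")]

# What taran1s configured: anon-whonix -> sys-whonix -> VPN-AppVM -> clearnet
BUILT = [Hop("sys-whonix", "tor"), Hop("VPN-AppVM", "vpn", "udp")] + PLAIN

# What unman recommends for a VPN exit: client -> VPN qube -> Tor qube -> ...
WANTED_UDP = [Hop("VPN-AppVM", "vpn", "udp"), Hop("sys-whonix", "tor")] + PLAIN
WANTED_TCP = [Hop("VPN-AppVM", "vpn", "tcp"), Hop("sys-whonix", "tor")] + PLAIN


if __name__ == "__main__":
    for label, chain in (("built", BUILT), ("wanted/udp", WANTED_UDP),
                         ("wanted/tcp", WANTED_TCP)):
        view = observers(chain)
        print(label, "->", " - ".join(h.name for h in chain))
        print("  ISP sees:", view["isp_sees"])
        print("  target sees:", view["target_sees"])
        for name, src in view["tunnel_source"].items():
            print(f"  {name} entry sees source:", src)
        print("  check.torproject.org reports Tor:", tor_check_expected(chain))
        for p in problems(chain):
            print("  PROBLEM:", p)
```
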




Re: [qubes-users] Qubes updater icon never gets cleared

2020-12-05 Thread 'taran1s' via qubes-users
It happened to me as well and is most probably an issue with the 
pulseaudio.


Does it happen with fedora-32 template only or is it the case for other 
templates too?


If only with fedora-32, try to directly open the fedora-32 template and 
execute:

$ sudo dnf update

If it says anything about pulseaudio, try to execute:

$ sudo dnf update --best --allowerasing

This should solve the issue.

Viktor Ransmayr:

Hello Qubes community,

I noticed since yesterday, that the icon, which indicates that updates are
available, never gets cleared on my system, although I obviously try to
launch the updater in a timely fashion - and - the operation succeeds ...

Here's the log from the latest attempt:

###

Updating fedora-32

fedora-32:
   --
 ID: dnf list updates --refresh >/dev/null
   Function: cmd.run
 Result: True
Comment: Command "dnf list updates --refresh >/dev/null" run
Started: 09:00:59.753451
   Duration: 8745.114 ms
Changes:
 --
 pid:
 1077
 retcode:
 0
 stderr:
 stdout:
   --
 ID: update
   Function: pkg.uptodate
 Result: True
Comment: Upgrade ran successfully
Started: 09:01:10.612928
   Duration: 24382.315 ms
Changes:
   --
 ID: notify-updates
   Function: cmd.run
   Name: /usr/lib/qubes/upgrades-status-notify
 Result: True
Comment: Command "/usr/lib/qubes/upgrades-status-notify" run
Started: 09:01:34.995429
   Duration: 3878.256 ms
Changes:
 --
 pid:
 1148
 retcode:
 0
 stderr:
 stdout:
   
   Summary for fedora-32

   
   Succeeded: 3 (changed=2)
   Failed:0
   
   Total states run: 3
   Total run time:  37.006 s

###

Does anyone have an explanation - or - a suggestion what else to try? - TIA!

Viktor



--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



Fwd: [qubes-users] Large unscalable window of qTox and Zulucrypt in AppVMs based on debian-10 and whoni-15 templates

2020-10-24 Thread 'taran1s' via qubes-users

I am reopening the issue for a kind attention of the qubes community.

Thank you.

 Forwarded Message 
Subject: [qubes-users] Large unscalable window of qTox and Zulucrypt in 
AppVMs based on debian-10 and whoni-15 templates

Date: Tue, 20 Oct 2020 17:13:44 +
From: 'taran1s' via qubes-users 
Reply-To: taran1s 
To: qubes-users 

I have an issue with the qTox and Zulucrypt, when opening these apps in 
the AppVMs based on both debian-10 and whonix-ws-15 templates. I use a 
built-in 1920x1080 laptop monitor, not an external one.


It looks as if it was under a magnifier.

Is there any available solution to this issue?




--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] Large unscalable window of qTox and Zulucrypt in AppVMs based on debian-10 and whoni-15 templates

2020-10-20 Thread 'taran1s' via qubes-users
I have an issue with the qTox and Zulucrypt, when opening these apps in 
the AppVMs based on both debian-10 and whonix-ws-15 templates. I use a 
built-in 1920x1080 laptop monitor, not an external one.


It looks as if it was under a magnifier.

Is there any available solution to this issue?



Re: [qubes-users] Re: Updated Split GPG documentation for Thunderbird 78

2020-10-08 Thread 'taran1s' via qubes-users




Andrew David Wong:

On 10/7/20 3:56 AM, Andrew David Wong wrote:

On 10/7/20 3:47 AM, Andrew David Wong wrote:

On 10/7/20 3:46 AM, Andrew David Wong wrote:

Hi all,

Many of us have recently upgraded to Thunderbird 78, which changes 
the way OpenPGP keys are handled. Thanks to Frédéric, the Split GPG 
documentation was updated a little over a week ago with detailed new 
instructions, including a full screenshot walk-through, for how to 
use Split GPG with Thunderbird 78 and higher. If you haven't already 
seen it, take a look:


https://www.qubes-os.org/doc/split-gpg/#using-thunderbird



By the way, if anyone figures out how to automatically sign all 
emails, please let me know. :)




Answering my own question:

Account Settings -> End-To-End Encryption -> Default settings for 
sending messages -> [x] Add my digital signature by default


There's also an option here to require encryption by default.

However, I don't see an option to use inline signatures for 
compatibility with our mailing lists.




Found this:

https://wiki.mozilla.org/Thunderbird:OpenPGP:Status

 > -- unknown schedule --
 > [...]
 > sending an INLINE cleartext signed message without attachments (we 
don't intend to support sending other kinds of inline OpenPGP messages)




Also there is no possibility to select what type of encryption I would 
like to use OpenPGP or S/MIME.


In the Account Settings End To End Encryption, at the bottom there is 
Preferred Encryption Technology with options for both OpenPGP and 
S/MIME, but the selection is disabled.


It is disabled as well in the Security button -> Encryption Technology. 
The Open PGP is selected and S/MIME is impossible to select.


Does the OpenPGP encrypt attachments and Subject like S/MIME?

Also btw it is not possible to use more than one PGP key in one account.



Re: [qubes-users] Re: Tunderbird in new anon-whonix is refusing to connect to internet

2020-09-28 Thread taran1s


'b17b7bdb' via qubes-users:
>> 'awokd' via qubes-users:
>>> taran1s:
>>>> Hi, I am stuck with the following Thunderbird issue.
>>>>
>>>> I created new anon-whonix AppVM where I would like to have my new email
>>>> account in Thunderbird, but whatever I do, I get "Could not connect to
>>>> server xxx connection was refused" immediately after clicking the Get
>>>> Messages. At the same time, TB can nicely connect to the network from
>>>> that AppVM.
>>>>
>>>> Thunderbird in older anon-whonix AppVMs are connecting just ok. The
>>>> settings are precisely the same in both - the old and new anon-whonix.
>>>> The template is the same whonix-ws-15.
>>>>
>>>> I tried to create anon-whonix through salt or directly from the Qube
>>>> Manager with Create a new qube, but still the same issue.
>>>>
>>>> Any idea how to solve this?
>>>
>>> From your new anon-whonix AppVM, test using a different app like regular
>>> Firefox and see if it can connect to the Internet. Also, verify its
>>> NetVM is set to sys-whonix.
>>>
>>
>> As I mention, TB in the anon-whonix AppVM is able to connect to the
>> internet, except Thunderbird. All email account settings are ok. The
>> same settings are working in the old anon-whonix AppVM just well.
>>
> 
> I had a similar issue recently with anon-whonix Thunderbird refusing to 
> connect to the internet. I simply changed the manual proxy settings 
> (Preferences>Network & Disk Space>Connection Settings) from the default of 
> 127.0.0.1 port 9102 to 127.0.0.1 port 9150, which restored the connection.
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 

This did the trick. Funny the SOCKS Host was by default set in
Thunderbird to 127.0.0.1. I spoke with the whonix chat support and the
SOCKS Host should be (in the anon-whonix) set to 10.152.152.10, Port
9102. Now everything is working.

Why my default Thunderbird SOCKS Host setting was set to 127.0.0.1 I
don't know.



Re: [qubes-users] Tunderbird in new anon-whonix is refusing to connect to internet

2020-09-24 Thread taran1s


'awokd' via qubes-users:
> taran1s:
>> Hi, I am stuck with the following Thunderbird issue.
>>
>> I created new anon-whonix AppVM where I would like to have my new email
>> account in Thunderbird, but whatever I do, I get "Could not connect to
>> server xxx connection was refused" immediately after clicking the Get
>> Messages. At the same time, TB can nicely connect to the network from
>> that AppVM.
>>
>> Thunderbird in older anon-whonix AppVMs are connecting just ok. The
>> settings are precisely the same in both - the old and new anon-whonix.
>> The template is the same whonix-ws-15.
>>
>> I tried to create anon-whonix through salt or directly from the Qube
>> Manager with Create a new qube, but still the same issue.
>>
>> Any idea how to solve this?
> 
> From your new anon-whonix AppVM, test using a different app like regular
> Firefox and see if it can connect to the Internet. Also, verify its
> NetVM is set to sys-whonix.
> 

As I mention, TB in the anon-whonix AppVM is able to connect to the
internet, except Thunderbird. All email account settings are ok. The
same settings are working in the old anon-whonix AppVM just well.



[qubes-users] Tunderbird in new anon-whonix is refusing to connect to internet

2020-09-22 Thread taran1s
Hi, I am stuck with the following Thunderbird issue.

I created new anon-whonix AppVM where I would like to have my new email
account in Thunderbird, but whatever I do, I get "Could not connect to
server xxx connection was refused" immediately after clicking the Get
Messages. At the same time, TB can nicely connect to the network from
that AppVM.

Thunderbird in older anon-whonix AppVMs are connecting just ok. The
settings are precisely the same in both - the old and new anon-whonix.
The template is the same whonix-ws-15.

I tried to create anon-whonix through salt or directly from the Qube
Manager with Create a new qube, but still the same issue.

Any idea how to solve this?


-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



Re: [qubes-users] Has anyone had a qube compromised?

2020-09-15 Thread taran1s


unman:
> On Fri, Sep 11, 2020 at 11:03:15AM +0000, taran1s wrote:
>>
>>
>> unman:
>>
>> This is interesting. Can you be more specific in regards of settings you
>> use? How do you set the tripwire to run against network connected
>> qubes? You also mentioned using mutt in an offline qube. Can you
>> elaborate more on this too please? Is the mutt PGP friendly and a
>> safer option than Thunderbird?
>>
> 
> This warrants a much more detailed answer than I have time for now.
> 
> Tripwire - install in templates, store db in offline vault - I'm looking
> for changes in /rw, as well as "normal" directory structures.
> 
> Mutt - varies according to provider. I set this up when I was first
> playing with Qubes.
> I use 3 qubes: one disposableVM to pick up mail - either offline imap or
> rsync mail dirs. That qube is minimal, connects over Tor, and is restricted
> to mail provider.
> If the sync is in Mbox format, you can use mb2md to convert to Maildir
> format.
> The mail dirs are synced in to my mutt qube which is offline. I use
> qrexec for this.
> 
> Mutt is a great MUA, and has good integration with PGP. I use split-gpg,
> of course. I use notmuch integrated with mutt to keep on top of email.
> 
> For sending mails I use msmtp. Actually I queue outgoing in the Mutt
> qube, and rsync the queues (over qrexec) in to a sender disposableVM,
> which has outgoing traffic restricted to SMTP host. Over Tor of course.
> 
> So the fetch and send are done using disposableVMs, and the message
> queues synced in and out of the offline mutt queue over qrexec. The
> disposableVMs use minimal templates, have restricted network access,
> and use different network routes.
> The mutt qube is also based on a minimal template, and has a mailcap
> that effectively loads almost all attachments in offline disposableVMs.
> I have keyboard shortcuts to trigger the receive and send sides - I
> suppose you could do this with cron jobs, but I prefer not to use
> automatic processes.
> 
> That probably raises a few more questions. If it does, ask and I'll try to
> provide some specifics.
> 

Dear Unman, thank you for your explanation. It is very interesting topic
and it could, if transformed into a guide, be a huge added value for
"Qubes hardening" section, or even Active Defense approach, in the Qubes
documentation.

I understand that every advanced user, like you, has his/her own custom
secure setup of Qubes and there is no Ring that rules them all. But for
the users that would like to move forward to a more active defense
approach, already present in the Qubes documentation, this would really
be very much enlightening. As if one opens the door to a new area and
move forward again.

Do you think it could be possible that you share with us the guide so
that we can move forward? There is so much to learn, and even if I
didn't manage to make run the vpn over tor yet, your setup seems very
interesting to try.



Re: [qubes-users] Has anyone had a qube compromised?

2020-09-11 Thread taran1s


unman:
> On Tue, Sep 08, 2020 at 09:13:47PM +0200, Qubes wrote:
>> On 9/7/20 2:12 AM, unman wrote:
>>> On Sun, Sep 06, 2020 at 06:55:01PM +0200, Qubes wrote:
>>>> On 9/6/20 5:32 PM, unman wrote:
>>>>> On Sun, Sep 06, 2020 at 11:12:31AM -0400, Demi M. Obenour wrote:
>>>>>> In all of my time using QubesOS, I have never had reason to believe
>>>>>> that a qube was compromised.  Has anyone here had a qube compromised?
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> Demi
>>>>>>
>>>>>
>>>>> I have had occasion to set a honeypot and use Qubes as a classic
>>>>> Internet-inna-box - ideal for such use, and very instructive. But I
>>>>> guess that wasn't what you were interested in.
>>>>> In normal use, both myself and colleagues have seen compromised qubes.
>>>>>
>>>> Hi Unman
>>>>
>>>> How did you know your qube was compromised, can you give some details?
>>>>
>>>
>>> snort and tripwire.
>>>
>>> Other IDS are available.
>>>
>> Hi Unman
>>
>> What I mean is what made you suspicious to use a tripwire and snort?
> 
> I run them on most of my Qubes installs, almost out of habit.
> Because I salt my qubes, it's relatively easy to run tripwire against
> network connected qubes
> But the way in which Qubes allows one to separate out activities really
> does minimise risk. Example: read email in mutt in offline qube with
> minimal template - any attachments are opened in offline disposableVM.
> Anything I want to keep is transferred to an offline storage qube,
> again with no significant programs installed. In this sense, it doesn't
> matter if attachments have malware because the infection risk is
> minimised.
> 

This is interesting. Can you be more specific in regards of settings you
use? How do you set the tripwire to run against network connected
qubes? You also mentioned using mutt in an offline qube. Can you
elaborate more on this too please? Is the mutt PGP friendly and a
safer option than Thunderbird?



[qubes-users] sign-encrypt-a with split-gpg

2020-08-27 Thread taran1s

Dear community, I am trying to make the following work:

qubes-gpg-client -ase -r recipi...@address.org -u m...@email.org

but without success. I can --clearsign nicely using the work-email
AppVM, but cannot encrypt message for a recipient (writing the message
directly in terminal).

In the work-email AppVM I execute

user@host:~$ qubes-gpg-client -sea -r supp...@mullvad.net -u
tara...@mailbox.org
gpg: 7B708E18CCE7D51F: There is no assurance this key belongs to the
named user
gpg: cannot open '/dev/tty': No such device or address

Any idea how to solve this issue?

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] Qubes Backup Warning

2020-08-04 Thread 'taran1s' via qubes-users

When I back up my qubes, after I click on the backup icon in the Qube
Manager, I can see at the bottom the following warning that was not there
before:

Warning: unrecognized data found in configuration files.

I didn't make any changes to dom0. I am running the latest Qubes 4.0. I
think it happened after the last dom0 update.

What does it mean and how could I fix it?

Thank you.

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3


Re: [qubes-users] QSB #058: Insufficient cache write-back under VT-d (XSA-321)

2020-07-08 Thread taran1s


Chris Laprise:
> On 7/7/20 9:57 AM, Andrew David Wong wrote:
>> Only Intel systems are affected. AMD systems are not affected.
> 
> Per usual!
> 

Is XSA-321 actually a security issue only if one has an HVM present in
the Qubes system, or is it a general issue even if there is no HVM?

Is there any security advice or good practice to follow before the
patch is available?



Re: [qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread taran1s


dhorf-hfref.4a288...@hashmail.org:
> On Fri, Jun 12, 2020 at 12:49:04PM +0000, taran1s wrote:
>> - set a higher encryption from qubes default to aes 512-bit full disk
>> encryption.
> 
> a) there is no "aes 512".
> b) the qubes default is aes-xts-512. (which is really aes-256 with
>    two different keys since whoever implemented it for linux read
>    the XTS paper wrong, but it doesn't matter for security)
> c) check "cryptsetup luksDump /dev/yourqubesluksdev"
> 

Thank you for pointing out that qubes uses the aes-xts-512 already. I
read somewhere in the past that qubes uses the 256-bit encryption but
maybe it was confused with 256 effective or something.

> 
>> Is this possible to do from within running qubes or will I need to
>> reinstall the QubesOS and do it all fresh?
> 
> most likely for the "encryption" part no change is required.
> so just moving /boot + grub.

Are there any good guides on how to do this move? /boot partition and
grub installation onto the usb stick?

> 
> 
>> cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
>> like for example sd3 in case of default qubes installation procedure.
>> Is that case from inside of qubes too?
> 
> cryptsetup can be used from inside qubes dom0, yes.
> i recommend adding a new passphrase first, making sure it works, then
> removing the old one.
> luks default has 8 key slots.

This would mean to execute sudo cryptsetup luksAddKey /dev/sd3 (sda3 is
the luks partition in my case). If I get it right it should
automatically add Key to the next free slot if available. Since sudo
cryptsetup luksDump /dev/sd3 | grep -i key  returns only one slot
enabled, my new passphrase will be in the slot 1.

Then sudo cryptsetup luksRemoveKey /dev/sdX will remove the passphrase I
enter, so I don't need to specify the slot. Is that right?

> 
> 
>> Are there any pros/cons of this setup?
> 
> make sure to have more than one boot device for redundancy.
> you will have to update them all for every kernel, xen or grub update.
> (or accept booting your system from an old grub/xen/kernel if
>  you end up using an outdated boot stick)

How do I update it? Are there any noob friendly guides?

> 
> 
> 
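
The checks discussed in this message (reading `cryptsetup luksDump`, and confirming a free key slot before adding a new passphrase and removing the old one), as an added shell example that is not part of the original thread. The dump is a constructed LUKS1 sample for a placeholder device `/dev/sdXN`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: summarise LUKS1 `cryptsetup luksDump`
# output before rotating a passphrase. SAMPLE_DUMP is constructed; on a real
# system feed the functions from:  sudo cryptsetup luksDump /dev/sdXN

SAMPLE_DUMP='LUKS header information for /dev/sdXN

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
    Iterations:             1000000
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the value of one "Label: value" header field. Dump on stdin.
luks_field() {
    awk -F':' -v k="$1" '$1 == k { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# XTS splits the master key into two halves (data key and tweak key), so a
# 512-bit master key in an xts mode means AES-256. Dump on stdin.
effective_cipher_bits() {
    dump=$(cat)
    mode=$(printf '%s\n' "$dump" | luks_field 'Cipher mode')
    bits=$(printf '%s\n' "$dump" | luks_field 'MK bits')
    case "$mode" in
        xts*) echo $((bits / 2)) ;;
        *)    echo "$bits" ;;
    esac
}

# Space-separated list of key slots that currently hold a passphrase.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ {
             sub(/:/, "", $3)
             out = out (out != "" ? " " : "") $3
         }
         END { print out }'
}

# Lowest-numbered empty slot; luksAddKey uses it by default. Empty if none.
first_free_slot() {
    awk '/^Key Slot [0-9]+: DISABLED/ { sub(/:/, "", $3); print $3; exit }'
}

# Print the add / verify / remove sequence for device $1, or fail when no
# slot is free (adding first is what keeps the old passphrase as a fallback).
rotation_plan() {
    dev=$1
    dump=$(cat)
    free=$(printf '%s\n' "$dump" | first_free_slot)
    if [ -z "$free" ]; then
        echo "no free key slot: cannot add a new passphrase before removing one" >&2
        return 1
    fi
    printf 'sudo cryptsetup luksAddKey %s\n' "$dev"
    printf 'sudo cryptsetup luksOpen --test-passphrase --key-slot %s %s\n' "$free" "$dev"
    printf 'sudo cryptsetup luksRemoveKey %s\n' "$dev"
}

echo "effective cipher key bits: $(printf '%s\n' "$SAMPLE_DUMP" | effective_cipher_bits)"
echo "enabled slots: $(printf '%s\n' "$SAMPLE_DUMP" | enabled_slots)"
printf '%s\n' "$SAMPLE_DUMP" | rotation_plan /dev/sdXN
```

The plan is only printed, never executed; the middle command checks that the new passphrase unlocks the new slot before the old one is removed.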



[qubes-users] Full disk encryption in qubes - best practice for high risk environment

2020-06-12 Thread taran1s

I would like to change the encryption password of my qubes
installation. And once I start to play with this, I would like to also:

- set a higher encryption from qubes default to aes 512-bit full disk
encryption.
- move the /boot partition to an external *USB device and install Grub
as described here
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Full_Disk_Encryption

Is this possible to do from within running qubes or will I need to
reinstall the QubesOS and do it all fresh?

Cryptsetup seems pretty straightforward with just executing sudo
cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
like for example sd3 in case of default qubes installation procedure.
Is that the case from inside of qubes too?

I am a newbie in this area. How would I do that in both cases (fresh
installation of QubesOS; and from within running QubesOS)?

Could one use the Nitrokey Storage as that *USB with /boot partition
and grub installed, or it must be normal, unencrypted USB device?

Are there any pros/cons of this setup?

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3


Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

2020-05-11 Thread taran1s


unman:
> On Mon, May 11, 2020 at 04:17:39AM -0700, Andrew Sullivan wrote:
>>
>>
>> On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
>>>
>>> On Mon, May 11, 2020 at 02:31:52AM -0700, Andrew Sullivan wrote: 
>>>
>>> Not *double* but *top-posted*. Please don't do this. 
>>>
>>> It's not a naive idea - it's a good one. Depending on your machine you 
>>> may be able to find ways to do this, by installing a kill switch, or by 
>>> BIOS configuration. 
>>> You may find that your BIOS allows you to disable certain devices pre 
>>> boot, and this may enable you to switch between active disks. Have a 
>>> look. (Depending on what's available this may determine what sort of disk 
>>> you use to install Qubes) 
>>> I have an x230 with some extra hardware switches installed to allow for 
>>> device isolation. With minimal skills you could do the same yourself. 
>>> Take a look at what's already there and have a think about what you 
>>> might manage to do. If it's important enough you'll find a way. 
>>>
>>
>> Not *double* but *top-posted*. Please don't do this. - oops, sorry; is this 
>> the right place?
> 
> Yes, it is. Thanks.
> Inline replies are also fine.
> 
>>
>> When I get a suitable laptop (I have a separate post on this) I'll look 
>> into that.  Are you able to share
>> how you implemented hardware switches on your X230? Do you find the X230 
>> "man enough" to run Qubes?  They're not expensive...
>>
> 
> I bought the x230 with HW switches and Qubes installed.
> There's already a switch for WiFi, and control over the
> speakers and Mic.
> There's a micro switch to isolate the mSata SSD or main drive.
> Another for the camera.
> There was option to install a switch to isolate USB/SD slots, but I
> haven't seen that, and wouldn't use it much anyway.
> Coreboot allows you to control many other components.
> 
> The x230 is great - I posted some comparisons here some time back
> between x220/x230 with different configurations. Takeaway was that 16GB
> RAM and fast SSD are optimal.
> As with security, assessing the (wo)manliness of a laptop depends on
> what you will use it for. I'm using an x220 tablet right now, and it's
> fine for multiple qubes, music/video/compiling. I did some video editing
> last week and the x230 was fine. BUT, for various reasons, I don't game, I 
> tend
> not to use heavy graphical components, and I work in terminal *a lot*,
> so I guess you should factor that in to my view.
> 
> unman
> 

Could you share where you bought the X230 with HW switches already
installed? I didn't see a vendor that would offer this. Thank you!



Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

2020-05-11 Thread taran1s


unman:
> On Mon, May 11, 2020 at 02:31:52AM -0700, Andrew Sullivan wrote:
>> Sorry if I have double-posted this...
>>
>> The link to "multiboot" seems to refer to a conventional dual-boot 
>> installation, where the two OSs are on the same disc.  If the OSs were 
>> installed on physically separate (internal) drives, would this mitigate the 
>> risk (accepting that /boot would be exposed)?
>>
>> Probably a naive idea, but is it possible to somehow "switch off" or 
>> inactivate one disc (short of physically removing it)?
>>
>> On Monday, 11 May 2020 10:11:47 UTC+1, dhorf-hfr...@hashmail.org wrote:
>>>
>>> On Mon, May 11, 2020 at 01:48:58AM -0700, matteochi...@gmail.com 
>>>  wrote: 
>>>
>>>> Firstly, is it safe to have Windows and Qubes on the same machine? I
>>>> use VeraCrypt for full disc encryption
>>>
>>> veracrypt does not support actual full disc encryption.
>>>
>>>
>>>> Also, I've got a 2TB external HDD, would it be safer to run Qubes from
>>>> that and keep Windows on my internal drive or is that worse?
>>>
>>> if that HDD is connected via USB, i would not recommend installing
>>> qubes to it.
>>> while both "install to usb" and "install to hdd" are supported, they
>>> have major drawbacks.
>>>
>>>
>>>> I want to keep maximum security and keep Windows and Qubes separate.
>>>
>>> this is not possible.
>>> if you multiboot, you are very far from "maximum security".
>>>
>>>
>>>> Any answers to questions or installation guidance is greatly
>>>
>>> https://www.qubes-os.org/doc/multiboot/ 
>>>
> 
> 
> Not *double* but *top-posted*. Please don't do this.
> 
> It's not a naive idea - it's a good one. Depending on your machine you
> may be able to find ways to do this, by installing a kill switch, or by
> BIOS configuration.
> You may find that your BIOS allows you to disable certain devices pre
> boot, and this may enable you to switch between active disks. Have a
> look. (Depending on what's available this may determine what sort of disk
> you use to install Qubes)
> I have an x230 with some extra hardware switches installed to allow for
> device isolation. With minimal skills you could do the same yourself.
> Take a look at what's already there and have a think about what you
> might manage to do. If it's important enough you'll find a way.
> 

This is quite interesting. Could you be more specific about the extra HW
switches you made for the device isolation? The X230 as far as I
remember has built in HW kill switch for wifi.



Re: [qubes-users] Re: Password not working a day after reinstall

2020-05-07 Thread taran1s


Anil:
> The log from journalctl in mulvad-vpn is attached. Any hint? Should I
> look at some other logs? How do I do that?
> 
> These lines seem to be related to VPN, but I don't know what it means?
> 
> nm-openvpn-auth[802]: cannot open display:
> 

Anil, are you trying to connect through Tor or directly? If directly, it
should be quite straightforward. I also fought with it, but now direct
connection with mullvad works well.



Re: [qubes-users] Salt worm

2020-05-06 Thread taran1s


haaber:
>> Qubes uses Salt, and there's something nasty going around:
>> https://saltexploit.com/
> 
>    Risk = (probability of an event)  x   (consequences of the event).
> 
> At which levels is salt used in qubes? I remember my last "active" use
> >1 year ago to get hopefully clean templates after the apt-"crisis".
> But maybe it is "under the hood" at each qubes-dom0-update? If it were
> to be used "by hand only" we could enforce risk = 0 by the above formula
> and keeping fingers off salt for a while.   Thanks!
> 
> 

There was an update today for all templates related to salt. Doesn't
it include a patch?



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-05-05 Thread taran1s


Chris Laprise:
> On 5/2/20 6:54 AM, unman wrote:
>> On Sat, May 02, 2020 at 08:22:57AM +, taran1s wrote:
>>>
>>>
>>> unman:
>>>> On Fri, May 01, 2020 at 11:54:27AM +0000, taran1s wrote:
>>>>>
>>>>>
>>>>> taran1s:
>>>>>>
>>>>>>
>>>>> Chris, I tried now to connect to the kraken.com, which seems to be tor
>>>>> unfriendly through me->tor->VPN->kraken.com but it returns error on
>>>>> the
>>>>> site "Disabled".
>>>>>
>>>>> I learned now that despite I use the above connection model, using VPN
>>>>> as an exit, I still exit from the tor exit node and not from the VPN. I
>>>>> am not sure what broke.
>>>>>
>>>>
>>>> If I understand your model: me->tor->VPN->kraken.com
>>>> you are running Tor *through* your VPN - this means that your service
>>>> provider sees your connection to the VPN, and your VPN provider sees
>>>> your connection to the first Tor hop.
>>>> Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
>>>> exit node that connects to kraken.
>>>> The VPN is NOT an exit in this model. Nothing has broken.
>>>>
>>>
>>> I am actually using mullvad VPN. The idea is to have the possibility to
>>> access websites or services (like kraken.com) that are not tor-friendly.
>>> I would like to connect first to Tor through sys-whonix then connect to
>>> the VPN through VPN AppVM and from that VPN to connect to the clearnet.
>>>
>>> I set the AppVMs networking following way: anon-whonix networking  set
>>> to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
>>> the clearnet. Is that right for my model?
>>>
>> No.
>> Think about it.
>> anon-whonix creates a request.
>> sys-whonix takes that request, and builds a circuit.
>> VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
>> The VPN provider gets the Tor traffic, and sends it on to the first
>> hop.
>> Then it goes via Tor to the exit node and then to the target.
>> Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
>> going to Tor; the target sees traffic coming from Tor network.
>>
>> *Always* use check.torproject.org to confirm your exit IP in this sort of
>> case (always) so that actual matches expectations.
>>
>> What you have built (in packet terms) is:
>> me - Tor - VPN - target.
>>
>> What you seem to want is:
>> me - VPN - Tor - target
>>
>> To do that you need to build the VPN traffic and send it down a Tor
>> circuit.
>> Your Qubes network configuration should be:
>> client - VPN qube - Tor qube - sys-firewall - sys-net
> 
> A good rule of thumb is that whichever proxyVM is directly attached to
> your appVM will be the type of network that the remote service sees.
> 
>>
>> I have no idea if Whonix  will let you do this.
> 
> This should work for most VPNs, as Patrick and I and others have tested
> it (though I haven't tested Whonix specifically with Mullvad). The only
> constraint is that the VPN use TCP instead of UDP.
> 

Thank you for the hint with ProxyVM logic.

I tried both configurations from Mullvad with UDP and TCP 443, but
didn't get it to work. The VPN-ProxyVM cycles at ready to start link but
never goes to the Link Up. Mullvad's options are Default (UDP), UDP 53,
TCP 80 and TCP 443.

Chris, if you have any chance to try the setup, would be very much
appreciated.
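
The rule of thumb and the TCP constraint quoted in this message, as an added shell example that is not part of the original thread. The netvm table and the OpenVPN config are constructed, the function names are hypothetical, and the mapping of `sys-whonix` to Tor and `VPN-AppVM` to the VPN is an assumption taken from the qube names used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: walk a qube's netvm chain, report which
# network the remote service sees, and flag a UDP VPN that has to ride on Tor.

# Constructed "qube netvm" table ('-' means no netvm). In dom0 the same value
# comes from:  qvm-prefs <qube> netvm
SAMPLE_NETVMS='anon-whonix VPN-AppVM
VPN-AppVM sys-whonix
sys-whonix sys-firewall
sys-firewall sys-net
sys-net -'

# Constructed OpenVPN client config (placeholder host).
SAMPLE_OVPN='client
dev tun
proto udp
remote vpn.example.invalid 1194'

get_netvm() {
    printf '%s\n' "$SAMPLE_NETVMS" | awk -v q="$1" '$1 == q { print $2; exit }'
}

# Assumed roles, keyed on the qube names used in the thread.
role_of() {
    case "$1" in
        sys-whonix) echo tor ;;
        VPN-AppVM)  echo vpn ;;
        *)          echo plain ;;
    esac
}

# Qube names from the client up to the uplink, space-separated.
netvm_chain() {
    q=$1; chain=$1; hops=0
    while [ "$hops" -lt 16 ]; do          # guard against a looping table
        next=$(get_netvm "$q")
        case "$next" in ''|-) break ;; esac
        chain="$chain $next"; q=$next; hops=$((hops + 1))
    done
    echo "$chain"
}

# The tunnel qube closest to the client decides what the remote service sees.
remote_sees() {
    set -- $(netvm_chain "$1")
    shift                                  # drop the client itself
    for hop in "$@"; do
        r=$(role_of "$hop")
        if [ "$r" != plain ]; then echo "$r"; return 0; fi
    done
    echo clearnet
}

# True when the VPN qube sits between the client and the Tor qube, i.e. the
# VPN tunnel itself must be carried inside a Tor circuit.
vpn_rides_tor() {
    seen_vpn=0
    for hop in $1; do
        case "$(role_of "$hop")" in
            vpn) seen_vpn=1 ;;
            tor) if [ "$seen_vpn" -eq 1 ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Transport of an OpenVPN config on stdin: a protocol given on the `remote`
# line wins over `proto`; OpenVPN defaults to UDP when neither is set.
ovpn_proto() {
    awk '$1 == "proto" { p = $2 }
         $1 == "remote" && NF >= 4 { rp = $4 }
         END { print (rp != "" ? rp : (p != "" ? p : "udp")) }'
}

# $1 = client qube, OpenVPN config on stdin. Fails for a non-TCP VPN over Tor.
check_chain() {
    proto=$(ovpn_proto)
    chain=$(netvm_chain "$1")
    echo "chain: $chain"
    echo "remote service sees: $(remote_sees "$1")"
    if vpn_rides_tor "$chain"; then
        case "$proto" in
            tcp*) echo "VPN transport $proto can be carried by Tor" ;;
            *)    echo "VPN transport $proto cannot be carried by Tor; use a TCP config" >&2
                  return 1 ;;
        esac
    fi
    return 0
}

printf '%s\n' "$SAMPLE_OVPN" | check_chain anon-whonix || true
```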



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-05-04 Thread taran1s


Frank:
>>
>> unman:
>>>> On Sun, May 03, 2020 at 08:01:59AM +0000, taran1s wrote:
>>>>
>>>>
>>>>>> What you have built (in packet terms) is:
>>>>>> me - Tor - VPN - target.
>>>>>>
>>>>>> What you seem to want is:
>>>>>> me - VPN - Tor - target
>>>>>>
>>>>>> To do that you need to build the VPN traffic and send it down a Tor
>>>>>> circuit.
>>>>>> Your Qubes network configuration should be:
>>>>>> client - VPN qube - Tor qube - sys-firewall - sys-net
>>>>>>
>>>>>> I have no idea if Whonix  will let you do this.
>>>>>>
>>>>>> unman
>>>>>>
>>>>>
>>>>> Ah, omg I see. I thought about it in regards of seeing other AppVMs like
>>>>> sys-whonix -> sys-firewall -> sys-net. I am not experienced in
>>>>> networking and so just followed the logic of whats first gets first. But
>>>>> now I see that packet wise, it is vice versa. It is a bit confusing for
>>>>> me, but if it is working, I will be more than happy :)
>>>>>
>>>>> So if I understand it properly, I set the networking of the AppVMs
>>>>> following way:
>>>>>
>>>>> anon-whonix -> VPN-AppVM -> sys-whonix -> clearnet. In this case I use
>>>>> tor first, exit from tor-exit-node to the VPN and than exit from VPN to
>>>>> clearnet. Am I right?
>>>>>
>>>>
>>>> I tried the setup, but in this case the VPN proxy doesn't go to Link
>>>> UP and TB in anon-whonix isn't connected to the internet. Any ideas?
>>>>
>>>> BTW I downloaded the default UDP setting package from mullvadVPN as
>>>> Chris mentioned. I know that tor is using TCP only. Could this be an
>>>> issue with this setup and I should get the TCP package instead of UDP?
>>>>
>>> Yes. Your UDP traffic won't go through Tor.
>>> You need a TCP VPN to route through Tor.
>>>
>>> unman
>>>
>>
>> I downloaded the TCP port 443 (there is also TCP port 80?) file from
>> Mullvad and tried to go through, but the VPN Proxy AppVM cycles with
>> 'Ready to start link' only and never goes to the 'Link is UP'.
>>
>> Maybe there is something in the script from Chris that doesn't cooperate
>> with the whonix setup and something needs to be adjusted for this model
>> of connecting to VPN after Tor. But no idea what it could be. I am
>> unfortunately not able to check the script itself as I am not a programmer.
> 
> What exactly are you trying to accomplish with this kind of set-up? If you 
> want to stay anonymous, your connection through the VPN should accomplish 
> that already (if you make sure your browser doesn’t contain any information 
> that can be traced back to you) and if not (because you didn’t pay with 
> Bitcoin or cash and there is a possible paper-trail back to your person from 
> your mullvad VPN account number) then using it through Tor doesn’t help 
> either.
> 
> Maybe I am missing something here and I would love to be enlightened if that 
> is the case...
> 
> Regards, Frank
> 


As I mentioned, I would like to use Tor before VPN to be able to connect
to the tor-unfriendly services like kraken.com. VPN itself is not
anonymous and so connecting to the VPN from the Tor exit node helps.



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-05-04 Thread taran1s


unman:
> On Sun, May 03, 2020 at 08:01:59AM +0000, taran1s wrote:
>>
>>
>>>> What you have built (in packet terms) is:
>>>> me - Tor - VPN - target.
>>>>
>>>> What you seem to want is:
>>>> me - VPN - Tor - target
>>>>
>>>> To do that you need to build the VPN traffic and send it down a Tor
>>>> circuit.
>>>> Your Qubes network configuration should be:
>>>> client - VPN qube - Tor qube - sys-firewall - sys-net
>>>>
>>>> I have no idea if Whonix  will let you do this.
>>>>
>>>> unman
>>>>
>>>
>>> Ah, omg I see. I thought about it in regards of seeing other AppVMs like
>>> sys-whonix -> sys-firewall -> sys-net. I am not experienced in
>>> networking and so just followed the logic of whats first gets first. But
>>> now I see that packet wise, it is vice versa. It is a bit confusing for
>>> me, but if it is working, I will be more than happy :)
>>>
>>> So if I understand it properly, I set the networking of the AppVMs
>>> following way:
>>>
>>> anon-whonix -> VPN-AppVM -> sys-whonix -> clearnet. In this case I use
>>> tor first, exit from tor-exit-node to the VPN and then exit from VPN to
>>> clearnet. Am I right?
>>>
>>
>> I tried the setup, but in this case the VPN proxy doesn't go to Link
>> UP and TB in anon-whonix isn't connected to the internet. Any ideas?
>>
>> BTW I downloaded the default UDP setting package from mullvadVPN as
>> Chris mentioned. I know that tor is using TCP only. Could this be an
>> issue with this setup and I should get the TCP package instead of UDP?
>>
> Yes. Your UDP traffic won't go through Tor.
> You need a TCP VPN to route through Tor.
> 
> unman
> 

I downloaded the TCP port 443 (there is also TCP port 80?) file from
Mullvad and tried to go through, but the VPN Proxy AppVM cycles with
'Ready to start link' only and never goes to the 'Link is UP'.

Maybe there is something in the script from Chris that doesn't cooperate
with the whonix setup and something needs to be adjusted for this model
of connecting to VPN after Tor. But no idea what it could be. I am
unfortunately not able to check the script itself as I am not a programmer.



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-05-02 Thread taran1s


unman:
> On Fri, May 01, 2020 at 11:54:27AM +0000, taran1s wrote:
>>
>>
>> taran1s:
>>>
>>>
>> Chris, I tried now to connect to the kraken.com, which seems to be tor
>> unfriendly through me->tor->VPN->kraken.com but it returns error on the
>> site "Disabled".
>>
>> I learned now that despite I use the above connection model, using VPN
>> as an exit, I still exit from the tor exit node and not from the VPN. I
>> am not sure what broke.
>>
> 
> If I understand your model: me->tor->VPN->kraken.com 
> you are running Tor *through* your VPN - this means that your service
> provider sees your connection to the VPN, and your VPN provider sees
> your connection to the first Tor hop.
> Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
> exit node that connects to kraken.
> The VPN is NOT an exit in this model. Nothing has broken.
> 

I am actually using mullvad VPN. The idea is to have the possibility to
access websites or services (like kraken.com) that are not tor-friendly.
I would like to connect first to Tor through sys-whonix then connect to
the VPN through VPN AppVM and from that VPN to connect to the clearnet.

I set the AppVMs networking the following way: anon-whonix networking set
to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
the clearnet. Is that right for my model?



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-05-01 Thread taran1s


taran1s:
> 
> 
> Chris Laprise:
>> On 4/21/20 11:30 AM, taran1s wrote:
>>> Thank you, this did the trick ^^ Link is up. I will test it with the
>>> setup me -> sys-whonix -> ProxyVM setup ->
>>> clearnet_Tor_unfriendly_services ;)
>>>
>>> If I understand it well, I can select a new VPN country for the
>>> particular session just by executing sudo cp any_country_I_need.ovpn
>>> vpn-client.conf right?
>>>
>>
>> Yes, that will work. To change without restarting the VPN VM, you can do:
>>
>> sudo service qubes-vpn-handler stop
>> sudo cp some_location.ovpn vpn-client.conf
>> sudo service qubes-vpn-handler start
>>
> 
> All is working well. Thank you very much Chris. At the end it is
> actually very easy to set up and run. The point was my lack of
> experience in basic commands related to Linux and most probably
> selecting wrong mullvad setup files for my planned routing
> (me->tor->vpn). Now it is much clearer.
> 
> You mention in your previous email "I suggest you look at an
> introduction to Linux command line". Do you have any good resource for that?
> 
> Thank you again ;)
> 

Chris, I tried now to connect to the kraken.com, which seems to be tor
unfriendly through me->tor->VPN->kraken.com but it returns error on the
site "Disabled".

I learned now that despite I use the above connection model, using VPN
as an exit, I still exit from the tor exit node and not from the VPN. I
am not sure what broke.

Can you please try to connect through this setup to for example
kraken.com and click on Features if it returns the "Disabled" error too?

If you have any advice for me, would be very much appreciated. Thank you!



[qubes-users] fastboot in qubes

2020-04-30 Thread taran1s
Does anyone have experience with flashing an Android phone with a new
OS, like GrapheneOS on Pixel 3 XL for example, with QubesOS? If you do,
how did you do that?

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



[qubes-users] dom0 update over .onion repo failing

2020-04-29 Thread taran1s

Hi all, I am experiencing issues with dom0 updating through .onion
repo today. Clearnet addresses are working fine.

Is it a known issue?

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



Re: [qubes-users] QUBES Friendly Version

2020-04-28 Thread taran1s


'[NOTIFICATION]' via qubes-users:
> Do you think QUBES is better than COPPERHEAD or does COPPERHEAD have better 
> features than QUBES?
> 
> It would be great if you opened up QUBES for worldwide editing and audit and 
> development. Or maybe merge with PARROT or TAILS or OPENBSD or WHONIX to 
> further friendly usability for all people instead of making it so complex for 
> hardcore users without compromising its robust secure foundation?
> 
> Reference Source Link: https://copperhead.co/android/
> 
> FOOTER
> 
> Express Actual Notice: This message is deemed private or confidential. Unless 
> for criticism or news-report or research or scholarship or teaching or 
> comment or opinion, this message may also be deemed copyright. Due to 
> existence of sophisticated data collection programs globally, assume or 
> presume by default that all digital data associated with this account is 
> subject to intercepts, storage, surveillance or monitoring by intelligence 
> systems and agencies, anytime or anywhere regardless of privacy or security 
> or encryption (EO10995). Sender(s) or agent(s) accepts no liability for any 
> message(s) or its attachment(s). All typing errors are not intended or 
> intentional. Keep sent attachment size less than inbox size of 1 GB. Without 
> Prejudice. All Rights Reserved. Special Deposit.
> 
> You are receiving this may due to possible time zone conflicts & to reduce 
> and save forever paper, ink, phone minutes, fax, travel fuel and 
> national-international mail postage expenses, excluding incurred data costs.
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 

Do you mean the COPPERHEAD the Android project that was previously
developed by Daniel Micay and was stolen from him by his colleague?
Daniel Micay recovered already from the fuck-up and moved on to his new
excellent project GrapheneOS. COPPERHEAD is developer-wise, dead. Check
it please. He is, as far as I know, cooperating with Qubes on an
Android-GrapheneOS template VM.

It is possible to install any of the mentioned OSes like TAILS, or
PARROT in Qubes already. Consider please that the Threat model of these
OSes and its usage varies greatly.

Whonix is a default part of the Qubes already. (??)

While Qubes can seem to be complex and hardcore as you mention, it is
necessary to understand just a few basic rules and facts and you are good
to go. Anything else can be found on Qubes docs easily or ask here and
people just help like pros.



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-23 Thread taran1s


Chris Laprise:
> On 4/21/20 11:30 AM, taran1s wrote:
>> Thank you, this did the trick ^^ Link is up. I will test it with the
>> setup me -> sys-whonix -> ProxyVM setup ->
>> clearnet_Tor_unfriendly_services ;)
>>
>> If I understand it well, I can select a new VPN country for the
>> particular session just by executing sudo cp any_country_I_need.ovpn
>> vpn-client.conf right?
>>
> 
> Yes, that will work. To change without restarting the VPN VM, you can do:
> 
> sudo service qubes-vpn-handler stop
> sudo cp some_location.ovpn vpn-client.conf
> sudo service qubes-vpn-handler start
> 

All is working well. Thank you very much Chris. At the end it is
actually very easy to set up and run. The point was my lack of
experience in basic commands related to Linux and most probably
selecting wrong mullvad setup files for my planned routing
(me->tor->vpn). Now it is much clearer.

You mention in your previous email "I suggest you look at an
introduction to Linux command line". Do you have any good resource for that?

Thank you again ;)



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-21 Thread taran1s


Chris Laprise:
> On 4/21/20 7:03 AM, taran1s wrote:
>>
>>
>> Chris Laprise:
>>> The 'No such file' error is the one to correct. As I said earlier, you
>>> will need to move the files out of the "mullvad_config_linux"
>>> subdirectory into the vpn dir. It can't find the .crt file because it's
>>> in the subdirectory.
>>>
>> So it seems like I will need to use the ProxyVM based on debian-10
>> template instead of fedora-30. In case of Fedora-30 ProxyVM, the error
>> is different for some mysterious reason, even the process was the same.
>>
>> I try to unzip the files into the /rw/config/vpn directory, but whatever
>> I try, the unzip command still creates the subdirectory. When I try to
>> get just the files there, without the subdirectory, I don't have enough
>> permissions. Is there any way how to unzip or somehow get the files into
>> /rw/config/vpn? Sorry for the noob questions :)
> 
> You could try 'sudo unzip -j' to extract without the subdirectory.
> 
> Or you could move the existing files with:
> 
> 'sudo mv /rw/config/vpn/mullvad_config_linux/* /rw/config/vpn'
> 
> In any case, I suggest you look at an introduction to Linux command line
> to get better acquainted with the OS.
> 
>>
>> Btw is it enough to have the ProxyVM routed through sys-net instead of
>> sys-firewall?
>>
> 
> Yes.
> 

Thank you, this did the trick ^^ Link is up. I will test it with the
setup me -> sys-whonix -> ProxyVM setup ->
clearnet_Tor_unfriendly_services ;)

If I understand it well, I can select a new VPN country for the
particular session just by executing sudo cp any_country_I_need.ovpn
vpn-client.conf right?
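
Added example (not part of the original thread and not code from Qubes-vpn-support): a pre-flight check for the failures this thread ran into, namely a missing vpn-client.conf, no "dev" line, files left in the unzip subdirectory, a credentials file readable by group or others, and UDP with 'Networking' set to sys-whonix. The function name, the finding labels and the second argument are assumptions made for this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread or from Qubes-vpn-support.
# vpn_preflight DIR [UPSTREAM] prints one finding per line and returns
# non-zero when it found any. The function name, the finding labels and the
# UPSTREAM argument are assumptions made for this example.
# Requires GNU stat (present in the Debian and Fedora templates).
# Usage inside the VPN VM: vpn_preflight /rw/config/vpn sys-whonix

vpn_preflight() {
    dir=$1              # directory OpenVPN is started in (--cd)
    upstream=${2:-}     # the VPN VM's 'Networking' qube, e.g. sys-whonix
    conf="$dir/vpn-client.conf"
    findings=0

    # First failure in the thread: only vpn-client.conf-example existed.
    if [ ! -f "$conf" ]; then
        echo "missing-config vpn-client.conf"
        return 1
    fi

    # OpenVPN stops with "You must define TUN/TAP device (--dev)" otherwise.
    if ! grep -Eq '^[[:space:]]*dev[[:space:]]+[^[:space:]]' "$conf"; then
        echo "missing-dev"
        findings=$((findings + 1))
    fi

    # File-valued directives are resolved relative to --cd, so a file that
    # unzip left in a subdirectory counts as missing. Quoted file names and
    # inline <ca>...</ca> blocks are not handled here.
    while read -r key val rest; do
        case $key in
            ca|cert|key|tls-auth|tls-crypt|crl-verify|auth-user-pass) ;;
            *) continue ;;
        esac
        [ -n "$val" ] || continue       # bare auth-user-pass means "prompt"
        case $val in
            /*) path=$val ;;
            *)  path="$dir/$val" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "missing-file $key $val"
            findings=$((findings + 1))
        elif [ "$key" = auth-user-pass ] || [ "$key" = key ]; then
            # OpenVPN warns when secrets are group or others accessible.
            mode=$(stat -c %a "$path")
            case $mode in
                *00) ;;
                *)  echo "loose-perms $key $val ($mode)"
                    findings=$((findings + 1)) ;;
            esac
        fi
    done < "$conf"

    # Tor only carries TCP, and OpenVPN uses UDP unless told otherwise.
    # Only the "proto" directive is checked, not per-remote protocols.
    proto=$(awk '$1 == "proto" { print $2; exit }' "$conf")
    if [ "$upstream" = sys-whonix ]; then
        case ${proto:-udp} in
            udp*) echo "udp-over-tor proto=${proto:-udp}"
                  findings=$((findings + 1)) ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}
```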



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-21 Thread taran1s


Chris Laprise:
> On 4/20/20 3:01 PM, taran1s wrote:
>>
>> Chris Laprise:
>>> You'll need to put the files in the vpn directory, not a subdirectory
>>> like "mullvad_config_linux".
>>
>> Is there any particular command, instead of unzip, to not create the
>> sub-directory but unzip it in the vpn directory directly?
>>
>>>
>>> That particular error, however, indicates that the config expects
>>> "update-resolv-conf" to be in "/etc/openvpn". You can copy it there for
>>> the test, but this part of the config is overridden by Qubes-vpn-support
>>> so in the end you won't need it there.
>>
>> Should the Qubes-vpn-support be unzipped and installed in /home/user/ or
>> an another path or it doesn't matter?
> 
> You can unzip it in any user directory and the installer will know where
> to install the program files.
> 
>>
>> BTW this is the log from debian-10 based ProxyVM. The error seems to be
>> different:
>>
>> user@open:~$ sudo mkdir -p /rw/config/vpn
>> user@open:~$ cd /rw/config/vpn
>> user@open:/rw/config/vpn$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip
>> Archive:  /home/user/mullvad_openvpn_linux_all_all.zip
>>     creating: mullvad_config_linux/
>>   extracting: mullvad_config_linux/mullvad_ae_all.conf
>>   extracting: mullvad_config_linux/mullvad_al_all.conf
>>   extracting: mullvad_config_linux/mullvad_at_all.conf
>>   extracting: mullvad_config_linux/mullvad_au_all.conf
>>   extracting: mullvad_config_linux/mullvad_be_all.conf
>>   extracting: mullvad_config_linux/mullvad_bg_all.conf
>>   extracting: mullvad_config_linux/mullvad_br_all.conf
>>   extracting: mullvad_config_linux/mullvad_ca_all.conf
>>   extracting: mullvad_config_linux/mullvad_ch_all.conf
>>   extracting: mullvad_config_linux/mullvad_cz_all.conf
>>   extracting: mullvad_config_linux/mullvad_de_all.conf
>>   extracting: mullvad_config_linux/mullvad_dk_all.conf
>>   extracting: mullvad_config_linux/mullvad_es_all.conf
>>   extracting: mullvad_config_linux/mullvad_fi_all.conf
>>   extracting: mullvad_config_linux/mullvad_fr_all.conf
>>   extracting: mullvad_config_linux/mullvad_gb_all.conf
>>   extracting: mullvad_config_linux/mullvad_gr_all.conf
>>   extracting: mullvad_config_linux/mullvad_hk_all.conf
>>   extracting: mullvad_config_linux/mullvad_hu_all.conf
>>   extracting: mullvad_config_linux/mullvad_ie_all.conf
>>   extracting: mullvad_config_linux/mullvad_il_all.conf
>>   extracting: mullvad_config_linux/mullvad_it_all.conf
>>   extracting: mullvad_config_linux/mullvad_jp_all.conf
>>   extracting: mullvad_config_linux/mullvad_lu_all.conf
>>   extracting: mullvad_config_linux/mullvad_lv_all.conf
>>   extracting: mullvad_config_linux/mullvad_md_all.conf
>>   extracting: mullvad_config_linux/mullvad_nl_all.conf
>>   extracting: mullvad_config_linux/mullvad_no_all.conf
>>   extracting: mullvad_config_linux/mullvad_nz_all.conf
>>   extracting: mullvad_config_linux/mullvad_pl_all.conf
>>   extracting: mullvad_config_linux/mullvad_pt_all.conf
>>   extracting: mullvad_config_linux/mullvad_ro_all.conf
>>   extracting: mullvad_config_linux/mullvad_rs_all.conf
>>   extracting: mullvad_config_linux/mullvad_se_all.conf
>>   extracting: mullvad_config_linux/mullvad_sg_all.conf
>>   extracting: mullvad_config_linux/mullvad_us_all.conf
>>   extracting: mullvad_config_linux/mullvad_userpass.txt
>>   extracting: mullvad_config_linux/mullvad_ca.crt
>>   extracting: mullvad_config_linux/update-resolv-conf
>> user@open:/rw/config/vpn$ sudo cp
>> mullvad_config_linux/mullvad_ch_all.conf vpn-client.conf
>> user@open:/rw/config/vpn$ sudo openvpn --cd /rw/config/vpn --config
>> vpn-client.conf --auth-user-pass
>> mullvad_config_linux/mullvad_userpass.txt
>> Mon Apr 20 16:03:58 2020 Note: option tun-ipv6 is ignored because modern
>> operating systems do not need special IPv6 tun handling anymore.
>> Options error: --ca fails with 'mullvad_ca.crt': No such file or
>> directory (errno=2)
>> Mon Apr 20 16:03:58 2020 WARNING: file
>> 'mullvad_config_linux/mullvad_userpass.txt' is group or others accessible
>> Options error: Please correct these errors.
>> Use --help for more information.
>>
> 
> The 'No such file' error is the one to correct. As I said earlier, you
> will need to move the files out of the "mullvad_config_linux"
> subdirectory into the vpn dir. It can't find the .crt file because it's
> in the subdirectory.
> 
So it seems like I will need to use the ProxyVM based on debian-10
template ins

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-20 Thread taran1s


Chris Laprise:
> On 4/20/20 9:31 AM, taran1s wrote:
>>
>>
>> Chris Laprise:
>>> On 4/20/20 8:12 AM, taran1s wrote:
>>>>
>>>>
>>>> Chris Laprise:
>>>>> On 4/17/20 7:12 AM, taran1s wrote:
>>>>>>
>>>>>>
>>>>>> Chris Laprise:
>>>>>>> On 4/15/20 6:35 AM, taran1s wrote:
>>>>>>>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/
>>>>>>>> guide
>>>>>>>> there is the cd Qubes-vpn-support command as the first one. This
>>>>>>>> assumes
>>>>>>>> that the file is unzipped already, right? So I unzip it in the
>>>>>>>> /home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3
>>>>>>>> and
>>>>>>>> execute sudo bash ./install. Then proceed to the restart. Is this
>>>>>>>> how it
>>>>>>>> was meant?
>>>>>>>
>>>>>>> Yes, if you're installing it in the Proxy VM (VPN VM) itself.
>>>>>>> Otherwise,
>>>>>>> installing it in a template means you have to do step 4 also.
>>>>>>
>>>>>> Yes, I install it in the ProxyVM. Is my procedure right? The
>>>>>>
>>>>>>>
>>>>>>> Hmmm. It's not showing the full "Options error" lines. Try
>>>>>>> redirecting
>>>>>>> the output to a text file instead:
>>>>>>>
>>>>>>> sudo journalctl -u qubes-vpn-handler >log.txt
>>>>>>>
>>>>>>
>>>>>> See the log attached please.
>>>>>>
>>>>>
>>>>> It doesn't look like the same error as before. This one says the
>>>>> config
>>>>> has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf'
>>>>> to see if it has a line like "dev tun"?
>>>>>
>>>>
>>>> If I go to the /rw/config/vpn/ there is no vpn-client.conf file but
>>>> vpn-client.conf-example only. This is content of the
>>>> vpn-client.conf-example:
>>>
>>> OK, it looks like you skipped the part of Step 2 where you copy or link
>>> your config file so that "vpn-client.conf" exists. For example:
>>>
>>> sudo cp US_East.ovpn vpn-client.conf
>>>
>> I created another ProxyVM ovpn and do it from the scratch. Can you
>> please check if this is the right procedure?
>>
>> [user@ovpn ~]$ sudo mkdir -p /rw/config/vpn
>> [user@ovpn ~]$ cd /rw/config/vpn
>> [user@ovpn vpn]$ ls
>> [user@ovpn vpn]$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip
>> Archive:  /home/user/mullvad_openvpn_linux_all_all.zip
>>     creating: mullvad_config_linux/
>>   extracting: mullvad_config_linux/mullvad_ae_all.conf
>>   extracting: mullvad_config_linux/mullvad_al_all.conf
>>   extracting: mullvad_config_linux/mullvad_at_all.conf
>>   extracting: mullvad_config_linux/mullvad_au_all.conf
>>   extracting: mullvad_config_linux/mullvad_be_all.conf
>>   extracting: mullvad_config_linux/mullvad_bg_all.conf
>>   extracting: mullvad_config_linux/mullvad_br_all.conf
>>   extracting: mullvad_config_linux/mullvad_ca_all.conf
>>   extracting: mullvad_config_linux/mullvad_ch_all.conf
>>   extracting: mullvad_config_linux/mullvad_cz_all.conf
>>   extracting: mullvad_config_linux/mullvad_de_all.conf
>>   extracting: mullvad_config_linux/mullvad_dk_all.conf
>>   extracting: mullvad_config_linux/mullvad_es_all.conf
>>   extracting: mullvad_config_linux/mullvad_fi_all.conf
>>   extracting: mullvad_config_linux/mullvad_fr_all.conf
>>   extracting: mullvad_config_linux/mullvad_gb_all.conf
>>   extracting: mullvad_config_linux/mullvad_gr_all.conf
>>   extracting: mullvad_config_linux/mullvad_hk_all.conf
>>   extracting: mullvad_config_linux/mullvad_hu_all.conf
>>   extracting: mullvad_config_linux/mullvad_ie_all.conf
>>   extracting: mullvad_config_linux/mullvad_il_all.conf
>>   extracting: mullvad_config_linux/mullvad_it_all.conf
>>   extracting: mullvad_config_linux/mullvad_jp_all.conf
>>   extracting: mullvad_config_linux/mullvad_lu_all.conf
>>   extracting: mullvad_config_linux/mullvad_lv_all.conf
>>   extracting: mullvad_config_linux/mullvad_md_all.conf
>>   extracting: mullvad_config_linux/mullvad_nl_all.conf
>>   extracting: mullvad_config_linux/mu

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-20 Thread taran1s


Chris Laprise:
> On 4/20/20 8:12 AM, taran1s wrote:
>>
>>
>> Chris Laprise:
>>> On 4/17/20 7:12 AM, taran1s wrote:
>>>>
>>>>
>>>> Chris Laprise:
>>>>> On 4/15/20 6:35 AM, taran1s wrote:
>>>>>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
>>>>>> there is the cd Qubes-vpn-support command as the first one. This
>>>>>> assumes
>>>>>> that the file is unzipped already, right? So I unzip it in the
>>>>>> /home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3
>>>>>> and
>>>>>> execute sudo bash ./install. Then proceed to the restart. Is this
>>>>>> how it
>>>>>> was meant?
>>>>>
>>>>> Yes, if you're installing it in the Proxy VM (VPN VM) itself.
>>>>> Otherwise,
>>>>> installing it in a template means you have to do step 4 also.
>>>>
>>>> Yes, I install it in the ProxyVM. Is my procedure right? The
>>>>
>>>>>
>>>>> Hmmm. It's not showing the full "Options error" lines. Try redirecting
>>>>> the output to a text file instead:
>>>>>
>>>>> sudo journalctl -u qubes-vpn-handler >log.txt
>>>>>
>>>>
>>>> See the log attached please.
>>>>
>>>
>>> It doesn't look like the same error as before. This one says the config
>>> has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf'
>>> to see if it has a line like "dev tun"?
>>>
>>
>> If I go to the /rw/config/vpn/ there is no vpn-client.conf file but
>> vpn-client.conf-example only. This is content of the
>> vpn-client.conf-example:
> 
> OK, it looks like you skipped the part of Step 2 where you copy or link
> your config file so that "vpn-client.conf" exists. For example:
> 
> sudo cp US_East.ovpn vpn-client.conf
> 
I created another ProxyVM ovpn and did it from scratch. Can you
please check if this is the right procedure?

[user@ovpn ~]$ sudo mkdir -p /rw/config/vpn
[user@ovpn ~]$ cd /rw/config/vpn
[user@ovpn vpn]$ ls
[user@ovpn vpn]$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip
Archive:  /home/user/mullvad_openvpn_linux_all_all.zip
   creating: mullvad_config_linux/
 extracting: mullvad_config_linux/mullvad_ae_all.conf
 extracting: mullvad_config_linux/mullvad_al_all.conf
 extracting: mullvad_config_linux/mullvad_at_all.conf
 extracting: mullvad_config_linux/mullvad_au_all.conf
 extracting: mullvad_config_linux/mullvad_be_all.conf
 extracting: mullvad_config_linux/mullvad_bg_all.conf
 extracting: mullvad_config_linux/mullvad_br_all.conf
 extracting: mullvad_config_linux/mullvad_ca_all.conf
 extracting: mullvad_config_linux/mullvad_ch_all.conf
 extracting: mullvad_config_linux/mullvad_cz_all.conf
 extracting: mullvad_config_linux/mullvad_de_all.conf
 extracting: mullvad_config_linux/mullvad_dk_all.conf
 extracting: mullvad_config_linux/mullvad_es_all.conf
 extracting: mullvad_config_linux/mullvad_fi_all.conf
 extracting: mullvad_config_linux/mullvad_fr_all.conf
 extracting: mullvad_config_linux/mullvad_gb_all.conf
 extracting: mullvad_config_linux/mullvad_gr_all.conf
 extracting: mullvad_config_linux/mullvad_hk_all.conf
 extracting: mullvad_config_linux/mullvad_hu_all.conf
 extracting: mullvad_config_linux/mullvad_ie_all.conf
 extracting: mullvad_config_linux/mullvad_il_all.conf
 extracting: mullvad_config_linux/mullvad_it_all.conf
 extracting: mullvad_config_linux/mullvad_jp_all.conf
 extracting: mullvad_config_linux/mullvad_lu_all.conf
 extracting: mullvad_config_linux/mullvad_lv_all.conf
 extracting: mullvad_config_linux/mullvad_md_all.conf
 extracting: mullvad_config_linux/mullvad_nl_all.conf
 extracting: mullvad_config_linux/mullvad_no_all.conf
 extracting: mullvad_config_linux/mullvad_nz_all.conf
 extracting: mullvad_config_linux/mullvad_pl_all.conf
 extracting: mullvad_config_linux/mullvad_pt_all.conf
 extracting: mullvad_config_linux/mullvad_ro_all.conf
 extracting: mullvad_config_linux/mullvad_rs_all.conf
 extracting: mullvad_config_linux/mullvad_se_all.conf
 extracting: mullvad_config_linux/mullvad_sg_all.conf
 extracting: mullvad_config_linux/mullvad_us_all.conf
 extracting: mullvad_config_linux/mullvad_userpass.txt
 extracting: mullvad_config_linux/mullvad_ca.crt
 extracting: mullvad_config_linux/update-resolv-conf
[user@ovpn vpn]$ sudo cp mullvad_config_linux/mullvad_ch_all.conf
vpn-client.conf
[user@ovpn vpn]$ sudo openvpn --cd /rw/config/vpn --config
vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt
Mon Apr 20 15:27:43 2020 Note: option tun-ipv6 is ignored because modern
operating system

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-17 Thread taran1s


Chris Laprise:
> On 4/15/20 6:35 AM, taran1s wrote:
>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
>> there is the cd Qubes-vpn-support command as the first one. This assumes
>> that the file is unzipped already, right? So I unzip it in the
>> /home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
>> execute sudo bash ./install. Then proceed to the restart. Is this how it
>> was meant?
> 
> Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
> installing it in a template means you have to do step 4 also.

Yes, I install it in the ProxyVM. Is my procedure right? The

> 
> Hmmm. It's not showing the full "Options error" lines. Try redirecting
> the output to a text file instead:
> 
> sudo journalctl -u qubes-vpn-handler >log.txt
> 

See the log attached please.

-- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Fri 2020-04-17 13:08:07 
CEST. --
Apr 17 13:07:49 openvpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 17 13:07:49 openvpn qubes-vpn-setup[753]: grep: 
/rw/config/vpn/vpn-client.conf: No such file or directory
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: EXEC /usr/sbin/openvpn --cd 
/rw/config/vpn/ --config /tmp/vpn-client.conf --verb 3 --mlock --ping 10 
--ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 
--group qvpn --script-security 2 --up "/usr/lib/qubes/qubes-vpn-ns up" --down 
"/usr/lib/qubes/qubes-vpn-ns down" --auth-user-pass /tmp/userpassword.txt
Apr 17 13:07:49 openvpn qubes-vpn-setup[806]: STARTED network forwarding!
Apr 17 13:07:49 openvpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: Fri Apr 17 13:07:49 2020 
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: Options error: You must define 
TUN/TAP device (--dev)
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: Use --help for more information.
Apr 17 13:07:49 openvpn systemd[1]: qubes-vpn-handler.service: Main process 
exited, code=exited, status=1/FAILURE
Apr 17 13:07:49 openvpn qubes-vpn-setup[822]: STOPPED network forwarding!
Apr 17 13:07:49 openvpn systemd[1]: qubes-vpn-handler.service: Failed with 
result 'exit-code'.
Apr 17 13:08:00 openvpn systemd[1]: qubes-vpn-handler.service: Scheduled 
restart job, restart counter is at 1.
Apr 17 13:08:00 openvpn systemd[1]: Stopped VPN Client for Qubes proxyVM.
Apr 17 13:08:00 openvpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 17 13:08:00 openvpn qubes-vpn-setup[1167]: grep: 
/rw/config/vpn/vpn-client.conf: No such file or directory
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: EXEC /usr/sbin/openvpn --cd 
/rw/config/vpn/ --config /tmp/vpn-client.conf --verb 3 --mlock --ping 10 
--ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 
--group qvpn --script-security 2 --up "/usr/lib/qubes/qubes-vpn-ns up" --down 
"/usr/lib/qubes/qubes-vpn-ns down" --auth-user-pass /tmp/userpassword.txt
Apr 17 13:08:00 openvpn qubes-vpn-setup[1173]: STARTED network forwarding!
Apr 17 13:08:00 openvpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: Fri Apr 17 13:08:00 2020 
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: Options error: You must define 
TUN/TAP device (--dev)
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: Use --help for more information.
Apr 17 13:08:00 openvpn systemd[1]: qubes-vpn-handler.service: Main process 
exited, code=exited, status=1/FAILURE
Apr 17 13:08:00 openvpn qubes-vpn-setup[1179]: STOPPED network forwarding!
Apr 17 13:08:00 openvpn systemd[1]: qubes-vpn-handler.service: Failed with 
result 'exit-code'.




Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-15 Thread taran1s


Chris Laprise:
> On 4/9/20 3:34 AM, taran1s wrote:
>>
>>
>> Chris Laprise:
>>> On 4/8/20 6:25 AM, taran1s wrote:
>>>> I try to set the VPN in my latest qubes with your guide on
>>>> https://github.com/tasket/Qubes-vpn-support. I use the version
>>>> 1.4.3. and followed the guide.
>>>>
>>>> My setting from mullvad is UDP (default) for Linux. No IPs.
>>>>
>>>> When asked, I entered correct login. The link but doesn't go up,
>>>> no popup notification LINK IS UP when restarting the proxy VM.
>>>>
>>>> I also added vpn-handler-openvpn to the proxy VM services as required.
>>>>
>>>> Executing systemctl status returns this:
>>>>
>>>> [user@ovpn ~]$ systemctl status qubes-vpn-handler
>>>> ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
>>>>  Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service;
>>>> enabled; vendor preset: disabled)
>>>>     Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
>>>>  └─00_example.conf
>>>>  Active: activating (auto-restart) (Result: exit-code) since Tue
>>>> 2020-04-07 15:30:15 CEST; 4s ago
>>>>     Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
>>>> --check-firewall (code=exited, status=0/SUCCESS)
>>>>     Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
>>>> --pre-start (code=exited, status=0/SUCCESS)
>>>>     Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec
>>>> (code=exited, status=1/FAILURE)
>>>>     Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup
>>>> --post-start (code=exited, status=0/SUCCESS)
>>>>     Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup
>>>> --post-stop (code=exited, status=0/SUCCESS)
>>>>    Main PID: 3110 (code=exited, status=1/FAILURE)
>>>>
>>>> Any idea how to set this up properly?
>>>>
>>>
>>> The one exception I can think of for setting up with a Mullvad account
>>> is that they use a single-character "m" password for everyone. So if you
>>> typed something into the password prompt other than "m" or left it
>>> blank, then it won't connect.
>>>
>>> To see a more detailed log you should use 'journalctl -u
>>> qubes-vpn-handler'.
>>>
>>
>> Yes Chris, mullvad uses the "m" for password and I put this in when
>> asked. I checked this in the pass file from mullvad.
>>
>> I did the following. I downloaded the default UDP settings for "All
>> countries" from mullvad as advised, without ticking the IPs. Then I took
>> one of the countries from the downloaded list and copied this particular
>> country to the vpn-client.conf with sudo cp whatver-country.ovpn
>> vpn-client.conf. But it doesn't connect.
> 
> Did you do the link testing suggested in Step 2?
> 
>>
>> Is this setup ok for me-tor-vpn situation?
> 
> These network representations can easily get reversed in people's heads.
> Best thing to do is look at your 'Networking' setting for your VPN VM.
> If it's set to 'sys-whonix' then UDP won't work.
> 
>>
>> I executed the command in the proxyVM (fedora-30 based) with following
>> results:
>>
>> [user@ovpn ~]$ journalctl -u qubes-vpn-handler
>> Hint: You are currently not seeing messages from other users and the
>> system.
>>    Users in groups 'adm', 'systemd-journal', 'wheel' can see all
>> messages.
>>    Pass -q to turn off this notice.
>> -- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09
>> 09:21:21 CE>
>> -- No entries --
>> lines 1-2/2 (END)
>>
>> I tried also the micahflee guide and it connects so the settings should
>> be ok.
>>
> 
> Sorry, you need to put 'sudo' in front of the 'journalctl' command.
> 

In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
there is the cd Qubes-vpn-support command as the first one. This assumes
that the file is unzipped already, right? So I unzip it in the
/home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
execute sudo bash ./install. Then proceed to the restart. Is this how it
was meant?

This is the output from the sudo journalctl -u qubes-vpn-handler in the
openvpn VM.

[user@ovpn ~]$ sudo journalctl -u qubes-vpn-handler
-- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Wed 2020-04-15
12:22:55 CE>
Apr 15 12:22:12 ovpn systemd[1]: Starting VPN Client for Qubes proxyVM...

Re: [qubes-users] Nyx in sys-whonix - Tor 0.4.2.6 unrecommended

2020-04-09 Thread taran1s


taran1s:
> In the Nyx in sys-whonix I spotted on the first page, top right the
> Tor 0.4.2.6 unrecommended (the "unrecommended" is in red) line. I
> run latest qubes, all templates fully updated.
>
> Is the Tor 0.4.2.6 really not recommended or is it whonix/qubes
> specific?
>
> Thank you!
>

Sorry to add now, the version of Tor in my sys-whonix is already
the newest version (0.4.2.6-1~d10.buster+1). Most probably, the
"unrecommended" notice is just something in the Nyx monitor which
prefers some other versions?




[qubes-users] Nyx in sys-whonix - Tor 0.4.2.6 unrecommended

2020-04-09 Thread taran1s
In the Nyx in sys-whonix I spotted on the first page, top right the Tor
0.4.2.6 unrecommended (the "unrecommended" is in red) line. I run latest
qubes, all templates fully updated.

Is the Tor 0.4.2.6 really not recommended or is it whonix/qubes specific?

Thank you!

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-09 Thread taran1s


Chris Laprise:
> On 4/8/20 6:25 AM, taran1s wrote:
>> I try to set the VPN in my latest qubes with your guide on
>> https://github.com/tasket/Qubes-vpn-support. I use the version
>> 1.4.3. and followed the guide.
>>
>> My setting from mullvad is UDP (default) for Linux. No IPs.
>>
>> When asked, I entered correct login. The link but doesn't go up,
>> no popup notification LINK IS UP when restarting the proxy VM.
>>
>> I also added vpn-handler-openvpn to the proxy VM services as required.
>>
>> Executing systemctl status returns this:
>>
>> [user@ovpn ~]$ systemctl status qubes-vpn-handler
>> ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
>>     Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service;
>> enabled; vendor preset: disabled)
>>    Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
>>     └─00_example.conf
>>     Active: activating (auto-restart) (Result: exit-code) since Tue
>> 2020-04-07 15:30:15 CEST; 4s ago
>>    Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
>> --check-firewall (code=exited, status=0/SUCCESS)
>>    Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
>> --pre-start (code=exited, status=0/SUCCESS)
>>    Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec
>> (code=exited, status=1/FAILURE)
>>    Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup
>> --post-start (code=exited, status=0/SUCCESS)
>>    Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup
>> --post-stop (code=exited, status=0/SUCCESS)
>>   Main PID: 3110 (code=exited, status=1/FAILURE)
>>
>> Any idea how to set this up properly?
>>
> 
> The one exception I can think of for setting up with a Mullvad account
> is that they use a single-character "m" password for everyone. So if you
> typed something into the password prompt other than "m" or left it
> blank, then it won't connect.
> 
> To see a more detailed log you should use 'journalctl -u
> qubes-vpn-handler'.
> 

Yes Chris, mullvad uses the "m" for password and I put this in when
asked. I checked this in the pass file from mullvad.

I did the following. I downloaded the default UDP settings for "All
countries" from mullvad as advised, without ticking the IPs. Then I took
one of the countries from the downloaded list and copied this particular
country to the vpn-client.conf with sudo cp whatver-country.ovpn
vpn-client.conf. But it doesn't connect.

Is this setup ok for me-tor-vpn situation?

I executed the command in the proxyVM (fedora-30 based) with following
results:

[user@ovpn ~]$ journalctl -u qubes-vpn-handler
Hint: You are currently not seeing messages from other users and the system.
  Users in groups 'adm', 'systemd-journal', 'wheel' can see all
messages.
  Pass -q to turn off this notice.
-- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09
09:21:21 CE>
-- No entries --
lines 1-2/2 (END)

I tried also the micahflee guide and it connects so the settings should
be ok.


Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-08 Thread taran1s


scurge1tl:
> 
> 
> Chris Laprise:
>> On 3/29/20 5:16 AM, scurge1tl wrote:
>>>
>>>
>>> Chris Laprise:
>>>> On 3/27/20 5:02 AM, scurge1tl wrote:
>>>
>>>>>
>>>>> Hello all,
>>>>>
>>>>> I would like to ask about proper setting of AppVM flow if using
>>>>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>>>>> -> Tor -> VPN -> clearnet.
>>>>>
>>>>> When setting up mullvad in their web page, I set the parameters for
>>>>> download here https://mullvad.net/en/download/openvpn-config/ in a
>>>>> following way:
>>>>> - All countries (so that I can change my exit country as needed)
>>>>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>>>>> - tick Use IP addresses
>>>>
>>>> Using TCP 443 for the connection helps only if you are running the VPN
>>>> on top of Tor. With Tor on top of VPN, you're probably better off
>>>> with UDP.
>>>
>>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
>>> with UDP mullvad settings? Just to clear the "on top of".
>>
>> To make it less ambiguous:
>>
>> AppVM -> sys-whonix -> sys-vpn -> sys-net
>>
>> The above connection is Tor on top of (or inside of) VPN, so UDP can be
>> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
>> VPN should switch to TCP mode.
>>
>> An easy way to remember this is that the sys-* VM attached to the AppVM
>> is the one the service sees on the other end.
>>
>>>
>>>>
>>>>>
>>>>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>>>>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>>>>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>>>>
>>>>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>>>>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>>>>> vpn-mullvad -> sys-firewall, or I should use different setup?
>>>>
>>>> Whonix has a guide that examines the issues of combining Tor and a VPN.
>>>> However, I think it's better as a 'what-if/why' guide than a Howto...
>>>>
>>>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>>
>>> Thank you I will check it.
>>>
>>>>
>>>>>
>>>>> Are there any other steps to follow to prevent leaks?
>>>>
>>>> Yes.
>>>>
>>>> The Qubes-vpn-support project is much easier to setup and should work
>>>> more smoothly, in addition to providing better protection against leaks:
>>>>
>>>> https://github.com/tasket/Qubes-vpn-support
>>>>
>>>> There is also a VPN setup guide on the Qubes doc page (this is the one
>>>> the Whonix page links to). FWIW, I wrote the scripts for both but the
>>>> idea for Qubes-vpn-support was to automate the setup and improve the
>>>> connection handling of Openvpn so re-connection doesn't take 5 minutes.
>>>> It also checks the firewall to make sure leak prevention is in place
>>>> before initiating connections.
>>>
>>> I will try to set the additional AppVM for this and try this guide. What
>>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>>> -> sys-firewall ?
>>>
>>> Also I would like to use different exit countries of choice, so I
>>> downloaded all countries from mullvad. Is there any simple way to switch
>>> countries with this VPN settings?
>>
>> There is no GUI way to do it when using the Qubes scripts. However, if
>> you use the Network Manager method on the Qubes vpn howto, then you can
>> import multiple configs (and cross your fingers that they can make
>> connections :) ).
>>
>> For a non-GUI solution, you could create a small script that lets you
>> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
>> config filename that the scripts use (then restart the vpn). Some people
>> have used simple random selection without a prompt, like 'ln -s $( ls
>> *ovpn | shuf | head -n1 ) vpn-client.conf'.
>>
>>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>>> till now, but I need to use tor-unfriendly services from time to time
>>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>>> work in qubes-whonix and I therefore can't select exit country easily if
>>> I need to. So I need to have the VPN country as a strict exit.
>>
>> To use Tor-unfriendly services, the service has to see the VPN IP not
>> Tor exit node IP. Therefore...
>>
>> AppVM -> sys-vpn -> sys-whonix -> sys-net
>>
>> If you add sys-firewall (or similar proxyVM, as you probably don't want
>> to change sys-firewall netvm setting) in the mix, it just depends on
>> which VM you wish to add 'Qubes firewall' rules to; it always goes
>> 'to the right of' whichever VM you added rules. In my experience,
>> however, such rules are not required for securing a VPN link; The
>> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
>> handle VPN security rather well. IOW, it's better to forget placing
>> sys-firewall in the loop, at least until you're more used to Qubes
>> networking.
>>
>>>
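
The two suggestions quoted in the message above (link the chosen .ovpn file to vpn-client.conf, and use TCP when the VPN itself runs through Tor) combined into one script. This is an added example, not part of the thread or of Qubes-vpn-support; the directory argument, the script name and the over_tor/direct mode names are assumptions.

```shell
#!/bin/sh
# Added example. The directory argument and mode names are assumptions.

# ovpn_transport FILE: print "tcp" only if every remote in FILE connects over
# TCP. OpenVPN uses UDP when no "proto" line or per-remote protocol is given.
ovpn_transport() {
    awk '
        $1 == "proto"  { global = $2 }
        $1 == "remote" { n++; rp[n] = $4 }   # remote HOST [PORT] [PROTO]
        END {
            if (global == "") global = "udp"
            if (n == 0) { n = 1; rp[1] = "" }
            for (i = 1; i <= n; i++) {
                p = (rp[i] == "" ? global : rp[i])
                if (p !~ /^tcp/) { print "udp"; exit }
            }
            print "tcp"
        }' "$1"
}

# select_config DIR NAME over_tor|direct
# Point DIR/vpn-client.conf at DIR/NAME. In over_tor mode (the VPN tunnel is
# itself carried through Tor) a config that could use UDP is refused.
select_config() {
    dir=$1; name=$2; mode=$3
    case $mode in
        over_tor|direct) ;;
        *) echo "mode must be over_tor or direct" >&2; return 2 ;;
    esac
    case $name in
        */*|''|vpn-client.conf)
            echo "config must be a plain .ovpn file name" >&2; return 2 ;;
    esac
    [ -f "$dir/$name" ] || { echo "no such config: $dir/$name" >&2; return 2; }
    if [ "$mode" = over_tor ] && [ "$(ovpn_transport "$dir/$name")" != tcp ]; then
        echo "$name may use UDP, which Tor cannot carry" >&2
        return 3
    fi
    ln -sfn "$name" "$dir/vpn-client.conf"
}

# Stand-alone use: sh switch-vpn.sh DIR NAME over_tor|direct
if [ "$#" -eq 3 ]; then
    select_config "$1" "$2" "$3" && sudo systemctl restart qubes-vpn-handler
fi
```

A refused selection leaves the existing vpn-client.conf link untouched, so the service is never restarted onto a config that cannot connect.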

Re: [qubes-users] Re: Whonix TB Downloader doesn't see the new emergency release of TB, version 9.0.7

2020-03-25 Thread taran1s



Lorenzo Lamas:
> Same thing happens here when TB Downloader is automatically run
> after it is updated. However, if I manually run TB updater, I can
> select version 9.0.7. In addition to this, the security update to
> Tor itself, version 4.2.7, is not yet available in Whonix.
>

-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3


Lorenzo, just to be clear, you meant you CAN'T select version 9.0.7 in
the TB updater, right?



[qubes-users] Whonix TB Downloader doesn't see the new emergency release of TB, version 9.0.7

2020-03-24 Thread taran1s secure

*Desired behavior*

After launching whonix-ws-15: Tor Browser Downloader directly in the
whonix-ws-15 template, the downloader will find the newest version of
TB, which is now 9.0.7. After confirmation, the updater will update
the TB to the selected version 9.0.7


*Current behavior*

After launching whonix-ws-15: Tor Browser Downloader directly in the
whonix-ws-15 template, the downloader DOESN'T find the newest version
of TB, which is now 9.0.7 at all.


*Other AppVMs*

After launching the TB in any AppVM, the AppVM TB immediately
downloads the 9.0.7 version and installs it.


-- 
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3



Re: [qubes-users] Update issue of whonix-15 and debian-10 templates

2020-03-18 Thread taran1s



donov...@unseen.is:
> 
> 
> - On Mar 13, 2020, at 8:19 AM, taran1s tara...@mailbox.org wrote:
> 
>> Hi, all,
>>
>> I am trying to update whonix-ws-15 and whonix-gw-15, but it fails to do
>> anything. All fedora-30 templates, and dom0, are updating just fine.
>>
>> In my Qubes Manager I see an update arrow for both whonix templates gw
>> and ws.
>>
>> Using Qubes Updater it starts disp-mgmt-dvm and then starts the
>> whonix-xx-15 just fine. But in my Nyx I don't see any traffic running.
>> The update seems to finish with a green tick but the green update arrow
>> in the Qubes Manager remains and requires an update.
>> In the Details tab of the Qubes Updater I get only this, I don't see any
>> details as before (or as when updating Fedora-30 template):
>>
>> Updating whonix-gw-15
>>
>> whonix-gw-15:
>>
>>
>> Once I try to update the whonix templates directly with sudo apt update,
>> I get "14 packages can be upgraded. Run 'apt list --upgradable' to see
>> them."
>>
>> I get a bit similar results for my debian-10 template. After I execute
>> the sudo apt update in debian-10 template, it doesn't show any traffic
>> in the Nyx, it ends with the green tick in the Qubes Updater and it
>> tells me that "1 package can be upgraded. Run 'apt list --upgradable' to
>> see it."
>>
>>
>> The issue started after the latest dom0 update. I tried to even onionize
>> the templates update process but it remains the same.
>>
>> How should I proceed? Is the qubes updater broken for Debian based
>> templates?
>>
>> Should I run sudo apt update && sudo apt dist-upgrade in the related
>> qubes templates?
>>
>> Thank you for help!
> 
> I have this same issue with whonix-xx-15.
> 

I solved this by executing sudo apt update && sudo apt dist-upgrade
directly in the respective whonix templates.

My question is if this is a normal procedure that needs to be done on
top of normal qubes updater, or it is a bug in the qubes updater or it
was just this time exception.



Re: [qubes-users] Whonix: configure Torbrowser for use in DispVM

2020-03-18 Thread taran1s


Sven Semmler:
> I used to make some minor preference changes in torbrowser in the dvm
> template ... but that no longer works. 
> 
> template:  tpl-who-15-ws
> dvm-template:  dvm-anon based on tpl-who-15-ws
> 
> dom0# qvm-run -a dvm-anon xfce4-terminal
> dvm-anon# torbrowser
> 
> ... here I make my changes:
> 
>   - remove all search engines except DuckDuckGoOnion
>   - set security to 'safest'
> 
> These changes survive in dvm-anon, but if I start a dispvm based on
> dvm-anon the slider is on standard and all the search engines are
> present.
> 
> I think torbrowser is a whonix-specific script that somehow detects that
> it's running in a dispvm and then nukes the profile and replaces it with
> a default. Is that true?
> 
> In that case, I would like to copy my profile from dvm-anon into the
> actual template to the path from where the script copies. I get that
> doing other changes to the preferences might harm. I want only the
> default search engine to change and the security to be 'safest' (no
> scripts at all)
> 
> What's the best way to do this?
> 
> /Sven
> 

As far as I understand it, you should not touch the dvm template with
any changes at all, but make any needed changes in the whonix-ws
template instead. Like for example using Tor Browser Downloader - you
run it directly in the whonix-ws-xx template instead of whonix-ws-xx-dvm.



[qubes-users] Update issue of whonix-15 and debian-10 templates

2020-03-13 Thread taran1s
Hi, all,

I am trying to update whonix-ws-15 and whonix-gw-15, but it fails to do
anything. All fedora-30 templates, and dom0, are updating just fine.

In my Qubes Manager I see an update arrow for both whonix templates gw
and ws.

Using Qubes Updater it starts disp-mgmt-dvm and then starts the
whonix-xx-15 just fine. But in my Nyx I don't see any traffic running.
The update seems to finish with a green tick but the green update arrow
in the Qubes Manager remains and requires an update.
In the Details tab of the Qubes Updater I get only this, I don't see any
details as before (or as when updating Fedora-30 template):

Updating whonix-gw-15

whonix-gw-15:


Once I try to update the whonix templates directly with sudo apt update,
I get "14 packages can be upgraded. Run 'apt list --upgradable' to see
them."

I get a bit similar results for my debian-10 template. After I execute
the sudo apt update in debian-10 template, it doesn't show any traffic
in the Nyx, it ends with the green tick in the Qubes Updater and it
tells me that "1 package can be upgraded. Run 'apt list --upgradable' to
see it."


The issue started after the latest dom0 update. I tried to even onionize
the templates update process but it remains the same.

How should I proceed? Is the qubes updater broken for Debian based
templates?

Should I run sudo apt update && sudo apt dist-upgrade in the related
qubes templates?

Thank you for help!
