Re: [qubes-users] Windows 10 on Qubes (freeRDP)

2017-12-01 Thread entr0py
alvaro.ran...@hotmail.com:
> Hi!
> 
> Thanks so much for writing this down. 
> 
> On step 2, these instructions to establish inter VM networking [1] seem to be 
> aimed at linux vms. It says we should use iptables and edit the rc.local 
> file on both vms. Any tip on how we could do that on the windows 10 qube?
> 
> [1] 
> https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
> 

In case you haven't gotten past this hurdle yet, the general idea is that the 
following rules need to be in place:

1. windows vm needs to allow input (port 3389)
2. proxy vm needs to allow forwarding of port 3389 from linux vm to windows vm
3. linux vm needs to allow output (port 3389)

Nearly every OS has the same defaults when it comes to firewalls. Allow output, 
block input, block forwarding.

That's the reason the documentation you referred to only specifies rules for #1 
& #2.

You have several options for allowing port 3389 input on the windows vm:

1. Simply enabling Remote Desktop in the System control panel will usually 
prompt you with the "Allow program through firewall" dialog

2. Start menu -> Firewall, advanced settings -> create a rule to allow port 
3389 input.

3. Start menu -> Firewall. Disable the entire firewall in Windows and let your 
proxy vm handle it.

(Obviously there is no rc.local on Windows. It isn't needed, since Windows will 
remember changes to the firewall.)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0f0036e3-2c1c-0354-38ad-97ccabc20d19%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
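A proxyVM firewall script that puts the three rules above into practice, and also implements the "Offline Windows" drop rules from the original post further down the thread. It is added here as an example and is not code from any message in this thread or from the Qubes project. It assumes Qubes 3.2-style iptables in the proxyVM, the constructed addresses 10.137.2.10 (Linux workVM, xfreerdp client) and 10.137.2.20 (Windows HVM, RDP server), and a hypothetical chain name `rdp-win10`. The jump into that chain is inserted at the head of FORWARD rather than appended, because Qubes' own default inter-vif DROP would otherwise match first and the appended rules would never be reached; the `-d` drop is stricter than the thread's rules and keeps other qubes from reaching the Windows VM on anything but 3389.

```shell
#!/bin/sh
# Added example (not from the thread): RDP-only path through a Qubes proxyVM.
# Assumes Qubes 3.2-style iptables and the constructed addresses below.

WORK_IP="${WORK_IP:-10.137.2.10}"   # constructed: Linux workVM (xfreerdp client)
WIN_IP="${WIN_IP:-10.137.2.20}"     # constructed: Windows HVM (RDP server)
RDP_PORT=3389
CHAIN=rdp-win10                      # hypothetical chain name

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255,
# so a typo or a stray shell token cannot turn into an over-broad rule.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# rdp_rules WORK_IP WIN_IP: print the iptables commands, one per line.
# Everything lives in its own chain so re-running is idempotent, and the
# jump goes to position 1 of FORWARD: Qubes' default
# "-i vif+ -o vif+ -j DROP" would otherwise match before an appended rule.
rdp_rules() {
  work="$1"; win="$2"
  is_ipv4 "$work" && is_ipv4 "$win" || { echo "rdp_rules: bad address" >&2; return 1; }
  cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A $CHAIN -i vif+ -o vif+ -s $work -d $win -p tcp --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A $CHAIN -i vif+ -s $win -j DROP
iptables -A $CHAIN -i vif+ -d $win -j DROP
iptables -A $CHAIN -j RETURN
iptables -C FORWARD -j $CHAIN 2>/dev/null || iptables -I FORWARD 1 -j $CHAIN
iptables -C INPUT -i vif+ -s $win -j DROP 2>/dev/null || iptables -I INPUT 1 -i vif+ -s $win -j DROP
EOF
}

# apply_rdp_rules WORK_IP WIN_IP: run the generated commands (root in the proxyVM).
apply_rdp_rules() {
  rdp_rules "$1" "$2" | sh -e
}

# With no argument the script only prints the rules for review.
case "${1:-print}" in
  apply) apply_rdp_rules "$WORK_IP" "$WIN_IP" ;;
  *)     rdp_rules "$WORK_IP" "$WIN_IP" ;;
esac
```

Run it without arguments first and read the output, then run it with `apply` as root from the proxyVM's firewall hook (the Qubes firewall doc linked above names the file for the proxyVM; `/rw/config/rc.local` is the fallback) so the rules survive a restart. The INPUT drop also silences the Windows VM's DNS and update traffic aimed at the proxyVM itself, which is the "offline Windows" behaviour the original post is after; the only thing left through is a new TCP connection from the workVM to the Windows VM on 3389 and its return traffic.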


[qubes-users] Windows 10 on Qubes (freeRDP)

2017-11-13 Thread alvaro . rannon
Hi!

Thanks so much for writing this down. 

On step 2, these instructions to establish inter VM networking [1] seem to be 
aimed at linux vms. It says we should use iptables and edit the rc.local 
file on both vms. Any tip on how we could do that on the windows 10 qube?

[1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes



[qubes-users] Windows 10 on Qubes (freeRDP)

2017-11-09 Thread 3n7r0py1
I noticed several folks looking for a way to use Windows 10 on Qubes. Since 
there is currently no ETA for Windows 10 support via `qubes-windows-tools`[1], 
I thought I'd share an alternative method. I don't have time for a full writeup 
at the moment but importantly, nothing in this post is really Qubes-specific, 
meaning you can find plenty of relevant resources elsewhere. 

Windows 10 / Server 2016 installs and runs without any issues as an HVM on 
Qubes 3.2 (4.0 not tested). Inter-VM functionality can be achieved using any 
remote desktop protocol, including X11, VNC and RDP. This post is about using 
the freeRDP client with Windows' built-in RDP server functionality.

The RDP protocol enables the following major features: seamless windows, shared 
clipboard, shared folders, and audio & usb redirection. GPU-accelerated VMs are 
possible if they are hosted on a separate Hyper-V machine. Keep in mind that 
all of these features are provided by the RDP protocol over standard networking 
interfaces. This is in contrast to `qubes-windows-tools` which provides similar 
functionality using Qubes' back-end. Determine if that risk is appropriate for 
you. QWT also provides access to qrexec and persistent profiles (that enable 
immutable root filesystems and simplified offline HVMs).

1. Install Windows 10 as a Standalone HVM or HVM Template (if you have the 
appropriate licenses). The template will have limited usage unless you can 
offload data you want to persist onto a separate volume (or you can use as a 
disposable vm). Also, make sure you set up a password. Enable Remote Desktop in 
Settings > System. Leave NLA enabled.

2. InterVM Communication: This will be the hardest step for those of you new to 
this. You'll need to allow one of your LinuxVMs (freeRDP client) to communicate 
with one of your Windows VMs (RDP server). Create or use a proxyVM to act as a 
router. 

Example of basic setup:

 win10   
   | 
   | 
 sys-net --- sys-firewall
   | 
   | 
 workVM  
 
Instructions are here: 
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
Don't proceed until you succeed with this step.
 
3. Install `freerdp` in workVM. Fedora-25 has v2.0.0 as does Debian 
stretch-backports.

4. Test with `xfreerdp /v::3389`. If server responds and you can log 
in, then you can pile on the options.

5. There are MANY options. See `man xfreerdp` and docs[2]. I haven't used a GUI 
but some exist, like Remmina. You may want to add the following:
```
  /v::3389
  /u:[domain\]
  /p:
  /w:
  /h:
  /network:lan # network speed
  /drive:myShare,/home/user/myShare   # share name, location
  /rfx # remote-fx works with all vm's; only hyperv for gpu
  /rfx-mode:
  /multimedia  # for sync'd audio/video, see docs
  /sound   # sound redirection
  /sound:latency:
  /microphone
  /usb:id,dev  # usb redirection, see docs
  /clipboard
  /fonts   # cleartype
  /app:"C:\Windows\explorer.exe"  # remote-apps (see below)
```

** Remote Apps **

For seamless windows, in RDP host > Group Policy:
`Computer Configuration/Administrative Templates/Windows Components/Remote 
Desktop Services/Remote Desktop Session Host/Connections/Allow remote start of 
unlisted programs`: Set to "Enabled"
The easiest way to use it is to launch File Explorer (C:\Windows\explorer.exe) or 
Console (C:\Windows\System32\cmd.exe). Set up shortcuts and launch from these 
programs; applications will then open in their own seamless windows.


** Offline Windows **

The best feature of `qubes-windows-tools` is that you can use Windows offline 
with networking completely disabled. Without QWT, the best you can do is have 
strict firewalls everywhere but especially on your proxyVM.

The only traffic that is necessary for this setup (in proxyVM):
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vif+ -s  -o vif+ -d  \
  -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Drop all other windows outbound traffic entering proxyVM: 
iptables -A FORWARD -i vif+ -s  -j DROP
iptables -A INPUT -i vif+ -s  -j DROP

Some other ports that you may require:
WSUS: tcp 8530-8531
KMS: tcp 1688
Samba is a mess: tighten with -s and -d


** Torrified Windows ** 

Of questionable benefit since win10 is a leaky sieve, but for fun you can route 
traffic through `sys-whonix`.

# Redirect DNS to Whonix-Gateway
iptables -t nat -A PREROUTING -i