Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Chris Laprise]

On 07/16/2017 09:23 PM, Gaiko Kyofusho wrote:


Sun Jul 16 21:16:22 2017 us=614593 RESOLVE: Cannot resolve host address:
vpnprovidermod'dname.com : No address associated with
hostname


Hmmm, looks like a malformed address to me.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39e0c64f-55e7-3fcc-6132-a2a4d46e11a2%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Gaiko Kyofusho]

Thanks again.

I did it according to the docs.

It shows me a bunch of info, not totally sure what I am looking for, the
most obvious error is:

Sun Jul 16 21:16:22 2017 us=614593 RESOLVE: Cannot resolve host address:
vpnprovidermod'dname.com: No address associated with hostname

I changed the vpn host part but the "can't resolve the host address" seems
to be pretty important no?

Problem is, I have no idea why? I would think maybe the firewallVM is
blocking something (as I have AppVM->VpnVM->firewallVM->net-sys) but if I
point my appvms directly to firewallvm they are able to connect no problem
so that would indicate the firewallvm is ok... right?

On Sun, Jul 16, 2017 at 9:01 PM, Chris Laprise 
wrote:

> On 07/16/2017 07:56 PM, Gaiko Kyofusho wrote:
>
>> Thanks for the response.
>>
>> I didn't look at the openvpn log, sorry but where would that be (in my
>> VpnVM I know but where there I am less sure).
>>
>> I def do not get the usual VPN connected popup
>>
>> I am not able to ping any ip addresses from a appvm using the vpnvm
>>
>
> If your setup is from the VPN doc (iptables/CLI), the best way to look at
> log output is to run openvpn manually:
>
> sudo pkill openvpn
> sudo openvpn --cd /rw/config/vpn/ --config openvpn-client.ovpn --verb 4
>
> If you used a different method for setup, your best bet is 'journalctl'.
>
>
> --
>
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGpWZxPB%2BvKy2pccnPbHALrvCMSi%3DkWNvdjMPJw-pS%2Bs1X8T0A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Chris Laprise]

On 07/16/2017 07:56 PM, Gaiko Kyofusho wrote:

Thanks for the response.

I didn't look at the openvpn log, sorry but where would that be (in my
VpnVM I know but where there I am less sure).

I def do not get the usual VPN connected popup

I am not able to ping any ip addresses from a appvm using the vpnvm


If your setup is from the VPN doc (iptables/CLI), the best way to look 
at log output is to run openvpn manually:


sudo pkill openvpn
sudo openvpn --cd /rw/config/vpn/ --config openvpn-client.ovpn --verb 4

If you used a different method for setup, your best bet is 'journalctl'.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0ec8eccb-ead0-1679-ddda-39bc23451ace%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Gaiko Kyofusho]

I should totally know what the "address space" is but I am afraid I don't.

Is that the gateway address or modem's ip address?



On Sun, Jul 16, 2017 at 7:54 PM, Unman  wrote:

> On Sun, Jul 16, 2017 at 02:53:14PM -0400, Gaiko Kyofusho wrote:
> > I can't figure this one out. two things are indeed different, I am on a
> new
> > ISP using a new modem and when I try to use my VpnVM I can't access the
> > Internet (or local LAN for that matter) _however_ I am able to access the
> > Internet on the same computer if I connect only using the firewallVM.
> > Strangely enough, I am able to connect to the net using the same VPN
> > provider installed on an iphone with the VPN provider software, and on an
> > android using OpenVPN... I am stumped because on other networks I am able
> > to connect to the Internet through my VpnVM no problem?!
> >
> > I had originally contacted my ISP but of course they said it was the VPN
> > providers fault, I was then going to try to contact the modem/router
> > manufacturer but while waiting (forever) I figured out vpn access was
> > working on my phones.
> >
> > Any help/thoughts would _*really*_ be appreciated.
>
> Is there an IP conflict with the new ISP? What's the address space
> there?
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGpWZxMfU9zH0Patdxm2SefnXRB65%3DdmXFiw_jr%2BWoUB%3D6GGXQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Gaiko Kyofusho]

Thanks for the response.

I didn't look at the openvpn log, sorry but where would that be (in my
VpnVM I know but where there I am less sure).

I def do not get the usual VPN connected popup

I am not able to ping any ip addresses from a appvm using the vpnvm

On Sun, Jul 16, 2017 at 7:11 PM, Chris Laprise 
wrote:

> On 07/16/2017 02:53 PM, Gaiko Kyofusho wrote:
>
>> I can't figure this one out. two things are indeed different, I am on a
>> new ISP using a new modem and when I try to use my VpnVM I can't access
>> the Internet (or local LAN for that matter) _however_ I am able to
>> access the Internet on the same computer if I connect only using the
>> firewallVM. Strangely enough, I am able to connect to the net using the
>> same VPN provider installed on an iphone with the VPN provider software,
>> and on an android using OpenVPN... I am stumped because on other
>> networks I am able to connect to the Internet through my VpnVM no
>> problem?!
>>
>> I had originally contacted my ISP but of course they said it was the VPN
>> providers fault, I was then going to try to contact the modem/router
>> manufacturer but while waiting (forever) I figured out vpn access was
>> working on my phones.
>>
>> Any help/thoughts would _*really*_ be appreciated.
>>
>>
> Have you looked at the openvpn log messages?
>
> Do you see a popup saying the link is up?
>
> Can you ping IP addresses from an appVM?
>
> --
>
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGpWZxNHav0oCgYubh8XMZ2Ehbuf2UYQJg5QCwDki08GTrZWbw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Unman]

On Sun, Jul 16, 2017 at 02:53:14PM -0400, Gaiko Kyofusho wrote:
> I can't figure this one out. two things are indeed different, I am on a new
> ISP using a new modem and when I try to use my VpnVM I can't access the
> Internet (or local LAN for that matter) _however_ I am able to access the
> Internet on the same computer if I connect only using the firewallVM.
> Strangely enough, I am able to connect to the net using the same VPN
> provider installed on an iphone with the VPN provider software, and on an
> android using OpenVPN... I am stumped because on other networks I am able
> to connect to the Internet through my VpnVM no problem?!
> 
> I had originally contacted my ISP but of course they said it was the VPN
> providers fault, I was then going to try to contact the modem/router
> manufacturer but while waiting (forever) I figured out vpn access was
> working on my phones.
> 
> Any help/thoughts would _*really*_ be appreciated.

Is there an IP conflict with the new ISP? What's the address space
there?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170716235441.f5lhtsjujxkslofa%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Chris Laprise]

On 07/16/2017 02:53 PM, Gaiko Kyofusho wrote:

I can't figure this one out. two things are indeed different, I am on a
new ISP using a new modem and when I try to use my VpnVM I can't access
the Internet (or local LAN for that matter) _however_ I am able to
access the Internet on the same computer if I connect only using the
firewallVM. Strangely enough, I am able to connect to the net using the
same VPN provider installed on an iphone with the VPN provider software,
and on an android using OpenVPN... I am stumped because on other
networks I am able to connect to the Internet through my VpnVM no problem?!

I had originally contacted my ISP but of course they said it was the VPN
providers fault, I was then going to try to contact the modem/router
manufacturer but while waiting (forever) I figured out vpn access was
working on my phones.

Any help/thoughts would _*really*_ be appreciated.



Have you looked at the openvpn log messages?

Do you see a popup saying the link is up?

Can you ping IP addresses from an appVM?

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a97fc0e-a809-108a-e7dd-39c512b61748%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Can't access the net via my VpnVM now? (could before)

[Gaiko Kyofusho]

I can't figure this one out. two things are indeed different, I am on a new
ISP using a new modem and when I try to use my VpnVM I can't access the
Internet (or local LAN for that matter) _however_ I am able to access the
Internet on the same computer if I connect only using the firewallVM.
Strangely enough, I am able to connect to the net using the same VPN
provider installed on an iphone with the VPN provider software, and on an
android using OpenVPN... I am stumped because on other networks I am able
to connect to the Internet through my VpnVM no problem?!

I had originally contacted my ISP but of course they said it was the VPN
providers fault, I was then going to try to contact the modem/router
manufacturer but while waiting (forever) I figured out vpn access was
working on my phones.

Any help/thoughts would _*really*_ be appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGpWZxMw8o-qOdfzpcetB9A4JXAOYhB94ZCgsSaJtrE%3DvRiPhw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Workaround for building Ubuntu xenial+desktop with qubes-builder

[Foppe de Haan]

On Sunday, July 16, 2017 at 4:15:35 PM UTC+2, Unman wrote:
> On Sun, Jul 16, 2017 at 12:41:43AM -0700, Foppe de Haan wrote:
> > Bit OT, but Would anyone be willing to (briefly) indicate the difference 
> > between xenial and xenial+desktop? I tried googling, but I can't really 
> > find any info on it.
> > 
> 
> Xenial template provides a basic system, not minimal but quite
> small.
> Xenial-desktop installs the ubuntu-desktop package, which gives you
> pretty much everything you would expect in a standard "desktop"
> installation - graphics tool and viewers , office suite, music player,
> etc.
> For full details look at the package contents here:
> https://packages.ubuntu.com/xenial/ubuntu-desktop
> 
> unman

Thanks :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8fd022bf-a9d5-4a3e-9eba-389fa00e07eb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: heads up, qubes 3.2 still vuln to cve-2016-4484 (minor severity)

[yreb-qusw]

On 07/16/2017 01:27 AM, pixel fairy wrote:

---
In Dom0 install anti-evil-maid:

sudo qubes-dom0-update anti-evil-maid
---
Doesn't sound like 'more work' just doing the above, perhaps there is 
more to it, I thought, it mentioned it's better to install via a USB Drive?



What would be the "trade off"  and/or  How would I disable it , if it 
somehow messes up my Qubes install?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/47a17193-5591-d170-a3bf-453dc80db9f0%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Proxy for packages

[Rusty Bird]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Salmiakki:
> Has anybody managed to set up a proxy or mirror of sorts in the
> net-vm or firewall-vm or something similar to avoid downloading all
> the packages several times for updating all the templates?

https://github.com/rustybird/qubes-updates-cache

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZa4bTXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf81gP/jzqTkT6Yw+2kwDaLmNr/Pg1
srRoPL2s/gTt/0MVapJ2XjsrxyoSX1FSjiVjtZ4yA1QQJUa+8TyzJsxeXd8TMqeL
YbNaA+/vkzZT6eAxnniZfm2tZsCKZj72Q8jftQNz7ppQqwkMPOmI4U4r5o/pjzoL
Ra50TMssSr1lf2rAJzjjduX7gN1en1bg4ycukuDTKxiNP06rO12E7ed3g75LnEo4
MrtcWi4u0/R6fX9sO8DHlu2gJx3NDo4mdqGyxVsLb2ampInegiSAv5MluqLZPMFr
YNVNaiarvPw4IISZT3FB+KUPC2lN1XUmziYByFdYOEE5OIEYrMmAQ6B+W2oFGJ5k
M0h74z3uM4B2csq/m2meW3yINgh7e8anECE/Z+73UTNMpgvYrJYsgmPfiSQ/B/Fw
f+SMUHvoxFWdc+T/qMRn4znd5nyoLFOlE/ps+HWVdDGDSjBhqTZoFmOnSMRob8J7
Y2lowhS0MztGz1Ngoyt2lIkguD+tIRT/pdr7Z5W5VDSoFEhu8vq6LXxPgufM/z6V
zqAFaZU1XhnAhBT8fe558P//nyRq3OV0Uni4B9fc6kvAIM/9A92snrrbE4LOKZhj
b+xMZDOaBz844qP5G2udu3fLL+pQk16KRXDjHY9wkz/ZwZ89vgxhZxt/cZQquHrb
Ycw6KKeTSeiGNslB1Tjx
=j5YK
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170716153131.GA1069%40mutt.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Workaround for building Ubuntu xenial+desktop with qubes-builder

[Unman]

On Sun, Jul 16, 2017 at 12:41:43AM -0700, Foppe de Haan wrote:
> Bit OT, but Would anyone be willing to (briefly) indicate the difference 
> between xenial and xenial+desktop? I tried googling, but I can't really find 
> any info on it.
> 

Xenial template provides a basic system, not minimal but quite
small.
Xenial-desktop installs the ubuntu-desktop package, which gives you
pretty much everything you would expect in a standard "desktop"
installation - graphics tool and viewers , office suite, music player,
etc.
For full details look at the package contents here:
https://packages.ubuntu.com/xenial/ubuntu-desktop

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170716141531.uhcgy7bzks2xtlnb%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: heads up, qubes 3.2 still vuln to cve-2016-4484 (minor severity)

[pixel fairy]

On Saturday, July 15, 2017 at 10:11:47 PM UTC-7, yreb-qusw wrote:
> On 07/14/2017 05:40 PM, pixel fairy wrote:
> > any network available OOB
> 
> sorry what would be an example of this ?  "out of band" ?

yes. ipmi, idrac etc. these usually have a vnc interface to the "console" you'd 
normally have from the attached keyboard, mouse, and monitor. so this exploit 
would work on those. usually these interfaces exist on bussiness class 
hardware, like vpro on some laptops. you may be able to disable it in bios.

this is not the intel M.E. (management engine), though its functionally 
related. 

> 
> I'm not clear what SED is , :)

self encrypting drive 

https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption

> I don't really see  any docs on ?initializing  AEM  , I do see that it 
> says  to :
> 
> ---
> In Dom0 install anti-evil-maid:
> 
> sudo qubes-dom0-update anti-evil-maid
> ---
> 
> I personally  have no USB-VM  ,  would my Bios need to be configured 
> some particular way, beyond what it already is with 3.2  booting and stable

yes, you would need the iommu enabled. for intel, this is called vt-d

> I have about zero concern on  malware  from  USB drives,  maybe I 
> shouldn't , but seems far -fetched in my case.  So,   maybe I don't need 

sometimes its the firmware, sometimes its the devices themselves. for example, 
you wouldn't want a web cam, gps, or microscope available to just any appvm. 

for block devices qubes already filters usb to use those those safely, but i 
suspect sys-usb is safer than dom0 doing it. dont know exactly how that works.

then theres the malicious hub devices like rubber ducky, bash bunny etc. dont 
know the likelyhood of you running into that.

> AEM  depending  on  what  "network OOB"   would mean .

sys-usb is easy enough that anyone with an iommu should use it, unless you only 
have like 4 gigs of ram. 

AEM is more work, and has its trade offs.

> regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8bcdb8d-9b79-4609-b6fc-64d11db7b704%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Workaround for building Ubuntu xenial+desktop with qubes-builder

[Foppe de Haan]

Bit OT, but Would anyone be willing to (briefly) indicate the difference 
between xenial and xenial+desktop? I tried googling, but I can't really find 
any info on it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3e2e85c6-e4ce-4503-b1ce-89f55623023a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.