Re: [qubes-users] Configuration of selective, optional network interface in ProxyVM

2017-11-09 Thread kasi
Sorry for poor description. Let's just go with 2 ProxyVMs for illustration. I 
have 2 network adapters, eth0 and enp0s0. Here's a diagram:

  eth0 --- proxyvm1 --- enp0s0
   |
  proxyvm2

proxyvm1 & 2 are both based on same fedora template.

template vm: /etc/sysconfig/network-scripts/ has
    ifcfg-enp0s0 --> /rw/config/ifcfg-enp0s0

proxy vm1 has /rw/config/ifcfg-enp0s0
    and rc.local: ifup enp0s0

proxy vm2 has no file

When proxy vm1 boots, it brings up enp0s0 using the config in /rw/config and 
everything is fine.

When proxy vm2 boots, it expects interface enp0s0 but has no config file (and 
no device passed-through) and times out waiting for interface. I don't want to 
wait for this.

IIUC, the prerequisite for binding files is that it must exist on the template 
already, so I can not bind /etc/sysconfig/network-scripts/ifcfg-enp0s0 on proxy 
vm1 but not on proxy vm 2. Even if that's incorrect, it says in docs that files 
that exist on Template can not be deleted in proxy vm using bind-dirs. So I'm 
not sure how to put on one VM but not the other. 

Alternatively, is there a way to write the config file to say "ignore me"?


9. Nov 2017 23:49 by un...@thirdeyesecurity.org:


> On Mon, Nov 06, 2017 at 05:27:45AM +0100, k...@tuta.io wrote:
>> On Qubes 3.2:
>>
>> * I have a network interface that I would like to expose to some ProxyVMs 
>> but not to others. 
>> * I would like all of these AppVMs to share the same Fedora-25 TemplateVM.
>>
>> * In TemplateVM, I created a symbolic link to interface configuration file:
>>     ln -s /rw/config/ifcfg-enp0s0 /etc/sysconfig/network-scripts/ifcfg-enp0s0
>> * In device-enabled ProxyVM, I added device via VM Settings, and manually 
>> added ifcfg-enp0s0 to /rw/config.
>> * In device-disabled ProxyVM, I removed device via VM Settings, and left no 
>> configuration file in /rw/config.
>>
>> This setup works - but every device-disabled VM has a very long startup time 
>> because of the timeout caused by waiting for device response. Is there a 
>> better way to do this? Thanks.
>
> I'm trying (and failing) to get a clear idea of what you are trying to
> achieve.
> Are you trying to have some configuration done in the Template which you
> want inherited by only some of the qubes that use that template? (You
> don't say how many proxyVMs are involved.)
> If that IS the case then you might find it easier to NOT configure the
> template but to use bind-dirs to set the configuration in some of the
> qubes. In fact you could do this in one qube and then clone it to create
> all the proxyVMs you wish. That seems a somewhat cleaner solution to
> (what I think is) your problem.
> Apologies if I've missed the point.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/KyZ2g08--3-0%40tuta.io.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] installing a clean template

2017-11-09 Thread Ted Brenner
Thanks Chris and Unman! Yes, I'm on 3.2.

On Thu, Nov 9, 2017 at 6:40 PM, Chris Laprise  wrote:

> On 11/09/2017 06:36 PM, Unman wrote:
>
>> On Tue, Oct 24, 2017 at 09:31:21PM -0500, Ted Brenner wrote:
>>
>>> Hi all,
>>>
>>> I'd like to install a clean version of my debian-8 template. I tried
>>> following the instructions on this page
>>>  but the command didn't
>>> work. I see a message that "No Match for argument
>>> qubes-template-debian-8".
>>> Perhaps out of date or only works if you don't already have a debian-8
>>> template? Is there a way to create a new fresh version of the standard
>>> templates?
>>>
>>> The reason I ask is that I installed some non supported binaries in my
>>> debian 8 template to support playing DVDs. I'd like to use my debian 8
>>> template to also do email but am nervous about using the same template for
>>> something I'd like to be secure alongside something I don't expect to be
>>> secure. Namely multimedia. Obviously I should have cloned my debian 8
>>> template before installing the multimedia packages. Oh well.
>>>
>>> Thanks!
>>>
>> Hi Ted
>>
>> Which Qubes version are you using?
>>
>> There's no reason why you can't reinstall a standard template.
>> If you want to keep your existing template, I suggest you clone it, and
>> then delete the template before reinstalling from the ITL repository.
>> You can also download the template from yum.qubes-os.org, copy it to
>> dom0 and install it there.
>>
>>
> If you're on Qubes 3.2, you can reinstall a template in one step:
>
> https://www.qubes-os.org/doc/reinstall-template/
>
> This function doesn't work yet in R4.0.
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>
>


-- 
Sent from my Desktop



Re: [qubes-users] 4.0-rc2 install error

2017-11-09 Thread Sergio Matta
I have this problem with my unsupported iommu motherboard. My solution was to 
change my VMs to pv in a dom0 terminal with qvm-prefs vm-name 
(sys-net,sys-firewall,personal,work) virt_mode pv
and insert ip commands in rw-config-rc.local (sorry but this mac has no slash)
 
In sys-net edit rw-config-rc.local
ip link set vif2.0 up
ip addr add 10.137.0.4/255.255.255.255 dev vif2.0
ip route add 10.137.0.6/255.255.255.255 dev vif2.0

then save it and change it with chmod +x

do the same in sys-firewall too and change the vif# to the one created to 
connect to work or personal - run ifconfig -a

change the ip. the first is the vm you are editing and the other is the vm that 
will connect through it.

Most of the time it runs ok, but if you have no network, you should manually run 
rc.local with sudo



Re: [qubes-users] Recommendations for VPN on the debian8 template ?

2017-11-09 Thread Chris Laprise

On 11/09/2017 07:36 PM, Alexandre Brutelle wrote:
> Hmm... I think I found out why. I must have played with the wrong 
> files previously on the debian template, through hours of random 
> tests, so I must have changed some essential settings. Though you might 
> be right also. The only way to find out would be for me to reinstall a 
> new debian template.
>
> I decided to stick with Fedora to create this second proxy meanwhile.
>
> Thank you for your help !



Ah... I forgot to ask if you were using the script method in the VPN 
doc[1]. That doesn't modify templates beyond installing openvpn. BTW the 
doc method comes with leak prevention so you might consider it if you're 
not already using it.


1. https://www.qubes-os.org/doc/vpn/

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] installing a clean template

2017-11-09 Thread Chris Laprise

On 11/09/2017 06:36 PM, Unman wrote:
> On Tue, Oct 24, 2017 at 09:31:21PM -0500, Ted Brenner wrote:
>> Hi all,
>>
>> I'd like to install a clean version of my debian-8 template. I tried
>> following the instructions on this page
>>  but the command didn't
>> work. I see a message that "No Match for argument qubes-template-debian-8".
>> Perhaps out of date or only works if you don't already have a debian-8
>> template? Is there a way to create a new fresh version of the standard
>> templates?
>>
>> The reason I ask is that I installed some non supported binaries in my
>> debian 8 template to support playing DVDs. I'd like to use my debian 8
>> template to also do email but am nervous about using the same template for
>> something I'd like to be secure alongside something I don't expect to be
>> secure. Namely multimedia. Obviously I should have cloned my debian 8
>> template before installing the multimedia packages. Oh well.
>>
>> Thanks!
>
> Hi Ted
>
> Which Qubes version are you using?
>
> There's no reason why you can't reinstall a standard template.
> If you want to keep your existing template, I suggest you clone it, and
> then delete the template before reinstalling from the ITL repository.
> You can also download the template from yum.qubes-os.org, copy it to
> dom0 and install it there.

If you're on Qubes 3.2, you can reinstall a template in one step:

https://www.qubes-os.org/doc/reinstall-template/

This function doesn't work yet in R4.0.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Recommendations for VPN on the debian8 template ?

2017-11-09 Thread Alexandre Brutelle
Hmm... I think I found out why. I must have played with the wrong files
previously on the debian template, through hours of random tests, so I
must have changed some essential settings. Though you might be right also.
The only way to find out would be for me to reinstall a new debian template.

 I decided to stick with Fedora to create this second proxy meanwhile.

Thank you for your help !

On 10 November 2017 at 01:32, Chris Laprise  wrote:

> On 11/09/2017 06:57 PM, brutellealexan...@gmail.com wrote:
>
>> On Friday, 10 November 2017 00:39:32 UTC+1, Chris Laprise  wrote:
>>
>>> On 11/09/2017 05:51 PM,wrote:
>>>
>>>> I've successfully installed a VPN Tunnel as a proxy-VM (on a Fedora 23
>>>> template) in my set up.
>>>>
>>>> However I don't seem to be able to reproduce the same template and make
>>>> another one using the Debian8 template. Is the process any different ? When
>>>> trying I get a TLS Error.
>>>>
>>>> Hope someone can help !
>>>>
>>> Setup is the same on the different templates (only variation is in Qubes
>>> R4.0 which isn't in the doc yet).
>>>
>>> How does the connection go when you start it manually from the terminal?
>>>
>> I just get this message : SSL3_CLIENT_HELLO:no ciphers available + these
>> two error messages : TLS Error, incoming plain text read error, TLS
>> handshake failed.
>>
>> This is something I got several times before being actually able to set
>> up my first VPN, but I don't remember how I solved this...
>>
>
> Check that the configuration files in /rw/config/vpn are the same. Also,
> compare the version of openvpn in fedora-23 with the one in debian-8...
> IIRC they had an upgrade that introduced an incompatibility with older
> services. That could mean you need to get an updated config file from your
> VPN provider.
>
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>
>


-- 
*Alexandre Brutelle*


*http://linfinigeste.com/ *



Re: [qubes-users] Recommendations for VPN on the debian8 template ?

2017-11-09 Thread Chris Laprise

On 11/09/2017 06:57 PM, brutellealexan...@gmail.com wrote:
> On Friday, 10 November 2017 00:39:32 UTC+1, Chris Laprise  wrote:
>> On 11/09/2017 05:51 PM,wrote:
>>> I've successfully installed a VPN Tunnel as a proxy-VM (on a Fedora 23 
>>> template) in my set up.
>>>
>>> However I don't seem to be able to reproduce the same template and make 
>>> another one using the Debian8 template. Is the process any different ? When 
>>> trying I get a TLS Error.
>>>
>>> Hope someone can help !
>>
>> Setup is the same on the different templates (only variation is in Qubes
>> R4.0 which isn't in the doc yet).
>>
>> How does the connection go when you start it manually from the terminal?
>
> I just get this message : SSL3_CLIENT_HELLO:no ciphers available + these two 
> error messages : TLS Error, incoming plain text read error, TLS handshake 
> failed.
>
> This is something I got several times before being actually able to set up my 
> first VPN, but I don't remember how I solved this...

Check that the configuration files in /rw/config/vpn are the same. Also, 
compare the version of openvpn in fedora-23 with the one in debian-8... 
IIRC they had an upgrade that introduced an incompatibility with older 
services. That could mean you need to get an updated config file from 
your VPN provider.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Recommendations for VPN on the debian8 template ?

2017-11-09 Thread brutellealexandre
On Friday, 10 November 2017 00:39:32 UTC+1, Chris Laprise  wrote:
> On 11/09/2017 05:51 PM,wrote:
> > I've successfully installed a VPN Tunnel as a proxy-VM (on a Fedora 23 
> > template) in my set up.
> >
> > However I don't seem to be able to reproduce the same template and make 
> > another one using the Debian8 template. Is the process any different ? When 
> > trying I get a TLS Error.
> >
> > Hope someone can help !
> 
> Setup is the same on the different templates (only variation is in Qubes 
> R4.0 which isn't in the doc yet).
> 
> How does the connection go when you start it manually from the terminal?
> 

I just get this message : SSL3_CLIENT_HELLO:no ciphers available + these two 
error messages : TLS Error, incoming plain text read error, TLS handshake 
failed.

This is something I got several times before being actually able to set up my 
first VPN, but I don't remember how I solved this...



Re: [qubes-users] Recommendations for VPN on the debian8 template ?

2017-11-09 Thread Chris Laprise

On 11/09/2017 05:51 PM, brutellealexan...@gmail.com wrote:
> I've successfully installed a VPN Tunnel as a proxy-VM (on a Fedora 23 
> template) in my set up.
>
> However I don't seem to be able to reproduce the same template and make another 
> one using the Debian8 template. Is the process any different ? When trying I 
> get a TLS Error.
>
> Hope someone can help !

Setup is the same on the different templates (only variation is in Qubes 
R4.0 which isn't in the doc yet).

How does the connection go when you start it manually from the terminal?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] installing a clean template

2017-11-09 Thread Unman
On Tue, Oct 24, 2017 at 09:31:21PM -0500, Ted Brenner wrote:
> Hi all,
> 
> I'd like to install a clean version of my debian-8 template. I tried
> following the instructions on this page
>  but the command didn't
> work. I see a message that "No Match for argument qubes-template-debian-8".
> Perhaps out of date or only works if you don't already have a debian-8
> template? Is there a way to create a new fresh version of the standard
> templates?
> 
> The reason I ask is that I installed some non supported binaries in my
> debian 8 template to support playing DVDs. I'd like to use my debian 8
> template to also do email but am nervous about using the same template for
> something I'd like to be secure along side something I don't expect to be
> secure. Namely multimedia. Obviously I should have cloned my debian 8
> template before installing the multimedia packages. Oh well.
> 
> Thanks!
> 

Hi Ted

Which Qubes version are you using?

There's no reason why you can't reinstall a standard template.
If you want to keep your existing template, I suggest you clone it, and
then delete the template before reinstalling from the ITL repository.
You can also download the template from yum.qubes-os.org, copy it to
dom0 and install it there.



[qubes-users] Trouble installing Qubes 3.2-stable and 4.0rc2

2017-11-09 Thread dmrq70
I tried installing 3.2.  X starts and before I can select any option in 
anaconda an error window pops up saying something like 'missing disklabel', in 
the logs it looks like the error refers to one of the partitions in the usb 
stick (/dev/sdb1).
Tried booting with the same stick on another computer, and I got the same 
error.  The only two options are to report the bug and to quit.
Now I'm trying with 4.0rc2.  The installation moves forward, but after 
selecting the target disk I get "An unkown error has ocurred", anaconda 
exception "ValueError: Device 'sdb1' not in tree".  Didn't try to export the 
logs (don't know how to do it).
I found a similar bug report on Fedora 
(https://bugzilla.redhat.com/show_bug.cgi?id=1462063 don't know what to do with 
it), but can't find anything Qubes related. 
Am I doing something wrong?



[qubes-users] Please specify which Qubes version you are using when you post

2017-11-09 Thread Unman
Now there are increasing numbers of people using 4rc2, it would be
really helpful if you specify WHICH version you are using when you post
to the list, particularly if you have a problem.
Sometimes it's obvious from the context, sometimes not, and the
differences between 3.2 and 4 make it difficult to help if you don't say.



[qubes-users] Re: Is there a way to use secure boot with qubes?

2017-11-09 Thread Guerlan
On Thursday, November 9, 2017 at 9:27:01 AM UTC-2, blacklight wrote:
> On Wednesday, 8 November 2017 20:52:14 UTC, Guerlan  wrote:
> > My computer complains about bad signature when I try to install qubes. Is 
> > there a way to install it without disabling secure boot? Does qubes support 
> > secure boot? Is there a way to install qubes keys on the BIOS? Why did it 
> > reject the keys?
> 
> the question is more whether secureboot supports qubes, rather than the 
> other way around.  to be supported by secureboot, one would need to buy a very 
> expensive license from microsoft, something qubes is not able to afford atm.

thanks, now I understand. I thought qubes had a signature but it was failing in 
my computer. I'm gonna try to install without secure boot then :)



[qubes-users] Re: HCL - HP envy 13-ab003nf

2017-11-09 Thread eliott . teissonniere
Quick update: discovered a TPM in the bios, that's a simple option to enable. 
Also no luck on sleep, wondering if someone has a workaround.



[qubes-users] Windows 10 on Qubes (freeRDP)

2017-11-09 Thread 3n7r0py1
I noticed several folks looking for a way to use Windows 10 on Qubes. Since 
there is currently no ETA for Windows 10 support via `qubes-windows-tools`[1], 
I thought I'd share an alternative method. I don't have time for a full writeup 
at the moment but importantly, nothing in this post is really Qubes-specific, 
meaning you can find plenty of relevant resources elsewhere. 

Windows 10 / Server 2016 installs and runs without any issues as an HVM on 
Qubes 3.2 (4.0 not tested). Inter-VM functionality can be achieved using any 
remote desktop protocol, including X11, VNC and RDP. This post is about using 
the freeRDP client with Windows' built-in RDP server functionality.

The RDP protocol enables the following major features: seamless windows, shared 
clipboard, shared folders, and audio & usb redirection. GPU-accelerated VMs are 
possible if they are hosted on a separate Hyper-V machine. Keep in mind that 
all of these features are provided by the RDP protocol over standard networking 
interfaces. This is in contrast to `qubes-windows-tools` which provides similar 
functionality using Qubes' back-end. Determine if that risk is appropriate for 
you. QWT also provides access to qrexec and persistent profiles (that enable 
immutable root filesystems and simplified offline HVMs).

1. Install Windows 10 as a Standalone HVM or HVM Template (if you have the 
appropriate licenses). The template will have limited usage unless you can 
offload data you want to persist onto a separate volume (or you can use it as a 
disposable vm). Also, make sure you set up a password. Enable Remote Desktop in 
Settings > System. Leave NLA enabled.

2. InterVM Communication: This will be the hardest step for those of you new to 
this. You'll need to allow one of your LinuxVMs (freeRDP client) to communicate 
with one of your Windows VMs (RDP server). Create or use a proxyVM to act as a 
router. 

Example of basic setup:

 win10   
   | 
   | 
 sys-net --- sys-firewall
   | 
   | 
 workVM  
 
Instructions are here: 
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
Don't proceed until you succeed with this step.
 
3. Install `freerdp` in workVM. Fedora-25 has v2.0.0 as does Debian 
stretch-backports.

4. Test with `xfreerdp /v::3389`. If server responds and you can log 
in, then you can pile on the options.

5. There are MANY options. See `man xfreerdp` and docs[2]. I haven't used a GUI 
but some exist, like Remmina. You may want to add the following:
```
  /v::3389
  /u:[domain\]
  /p:
  /w:
  /h:
  /network:lan # network speed
  /drive:myShare,/home/user/myShare   # share name, location
  /rfx # remote-fx works with all vm's; only hyperv for gpu
  /rfx-mode:
  /multimedia  # for sync'd audio/video, see docs
  /sound   # sound redirection
  /sound:latency:
  /microphone
  /usb:id,dev  # usb redirection, see docs
  /clipboard
  /fonts   # cleartype
  /app:"C:\Windows\explorer.exe"  # remote-apps (see below)
```

** Remote Apps **

For seamless windows, in RDP host > Group Policy:
`Computer Configuration/Administrative Templates/Windows Components/Remote 
Desktop Services/Remote Desktop Session Host/Connections/Allow remote start of 
unlisted programs`: Set to "Enabled"
Easiest way to use is to launch File Explorer (C:\Windows\explorer.exe) or 
Console (C:\Windows\System32\cmd.exe). Set up shortcuts and launch from these 
programs - then applications will open in their own seamless windows.


** Offline Windows **

The best feature of `qubes-windows-tools` is that you can use Windows offline 
with networking completely disabled. Without QWT, the best you can do is have 
strict firewalls everywhere but especially on your proxyVM.

The only traffic that is necessary for this setup (in proxyVM):
```
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vif+ -s  -o vif+ -d  \
  -p tcp --dport 3389 -m state --state NEW -j ACCEPT
```

Drop all other windows outbound traffic entering proxyVM: 
```
iptables -A FORWARD -i vif+ -s  -j DROP
iptables -A INPUT -i vif+ -s  -j DROP
```

Some other ports that you may require:
WSUS: tcp 8530-8531
KMS: tcp 1688
Samba is a mess: tighten with -s and -d


** Torified Windows ** 

Of questionable benefit since win10 is a leaky sieve, but for fun you can route 
traffic through `sys-whonix`.

# Redirect DNS to Whonix-Gateway
iptables -t nat -A PREROUTING -i 
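
An added example (not part of the original post, and not Qubes project code): a first-match audit of a proxyVM FORWARD chain, as printed by `iptables -S FORWARD`, that checks whether only new RDP connections from workVM to win10 pass and whether Windows-originated traffic is dropped. The IP addresses, interface names and both sample chains are constructed, and it assumes the stripped `-s`/`-d` values in the allow rule were the workVM and win10 addresses.

```python
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
WORK_IP, WIN_IP = "10.137.2.10", "10.137.2.20"   # constructed addresses

# Constructed chain that follows the order of the rules in the post.
CHAIN_AS_POSTED = """
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.137.2.10/32 -d 10.137.2.20/32 -i vif+ -o vif+ -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.137.2.20/32 -i vif+ -j DROP
"""

# Constructed chain where broader rules already sit ahead of the appended ones.
CHAIN_SHADOWED = """
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -s 10.137.2.10/32 -d 10.137.2.20/32 -i vif+ -o vif+ -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.137.2.20/32 -i vif+ -j DROP
"""

def parse_rule(tok):
    """Parse the tokens of one '-A FORWARD ...' line; raise on anything not modelled."""
    rule, i = {}, 2
    while i < len(tok):
        if i + 1 >= len(tok):
            raise ValueError("option without value: " + tok[i])
        opt, val = tok[i], tok[i + 1]
        if opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(val, strict=False)
        elif opt in ("-i", "-o", "-p", "-j"):
            rule[opt] = val
        elif opt == "--dport":
            lo, _, hi = val.partition(":")          # "3389" or "8530:8531"
            rule[opt] = (int(lo), int(hi or lo))
        elif opt in ("--state", "--ctstate"):
            rule["state"] = set(val.split(","))
        elif opt != "-m":                           # "-m <module>" only names the match module
            raise ValueError("unmodelled option: " + opt)
        i += 2
    if rule.get("-j") not in TERMINAL:
        raise ValueError("missing or unmodelled target")  # fail closed: cannot judge jumps
    return rule

def iface_ok(pattern, name):
    # A trailing "+" is a prefix wildcard in iptables: vif+ matches vif5.0.
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern

def matches(rule, pkt):
    return all((
        "-s" not in rule or ipaddress.ip_address(pkt["src"]) in rule["-s"],
        "-d" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["-d"],
        "-i" not in rule or iface_ok(rule["-i"], pkt["in"]),
        "-o" not in rule or iface_ok(rule["-o"], pkt["out"]),
        "-p" not in rule or rule["-p"] == pkt["proto"],
        "--dport" not in rule or rule["--dport"][0] <= pkt["dport"] <= rule["--dport"][1],
        "state" not in rule or pkt["state"] in rule["state"],
    ))

def first_verdict(chain_text, pkt):
    """Return (verdict, deciding line): the first matching rule wins, else the chain policy."""
    policy = "ACCEPT"                               # built-in default until a -P line is seen
    for line in chain_text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[:2] == ["-P", "FORWARD"] and len(tok) == 3:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "FORWARD"]:
            raise ValueError("not a FORWARD rule: " + line)
        rule = parse_rule(tok)
        if matches(rule, pkt):
            return rule["-j"], line.strip()
    return policy, "chain policy"

def audit(chain_text, work_ip, win_ip):
    """Probe the chain with three constructed packets; return (name, verdict, rule, ok) tuples."""
    new = {"proto": "tcp", "state": "NEW"}
    probes = [
        ("RDP workVM -> win10", dict(new, src=work_ip, dst=win_ip, dport=3389,
                                     **{"in": "vif5.0", "out": "vif6.0"}), "ACCEPT"),
        ("SMB win10 -> workVM", dict(new, src=win_ip, dst=work_ip, dport=445,
                                     **{"in": "vif6.0", "out": "vif5.0"}), "DROP"),
        ("HTTPS win10 -> uplink", dict(new, src=win_ip, dst="203.0.113.10", dport=443,
                                       **{"in": "vif6.0", "out": "eth0"}), "DROP"),
    ]
    results = []
    for name, pkt, expected in probes:
        verdict, decided_by = first_verdict(chain_text, pkt)
        results.append((name, verdict, decided_by, verdict == expected))
    return results

if __name__ == "__main__":
    for label, chain in (("as posted", CHAIN_AS_POSTED), ("shadowed", CHAIN_SHADOWED)):
        for name, verdict, decided_by, ok in audit(chain, WORK_IP, WIN_IP):
            print(f"[{label}] {'ok  ' if ok else 'FAIL'} {name}: {verdict} by {decided_by}")
```

To audit a real proxyVM, replace the constructed chain with the output of `iptables -S FORWARD` and the constants with your own addresses; any rule the parser does not model raises an error rather than being guessed at.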

Re: [qubes-users] work: volume qubes dom0/vm-work-private missing

2017-11-09 Thread Chris Laprise

On 11/09/2017 04:44 PM, Jon Solworth wrote:
> I'm unable to start up work qubes, with the above error message.
> The problem might be related to attempts to remove the debian 8
> templates after problems with it.
>
> Jon



Do you see that volume (or one with a similar name) when you list them 
with 'sudo lvs'?


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] work: volume qubes dom0/vm-work-private missing

2017-11-09 Thread Jon Solworth
I'm unable to start up work qubes, with the above error message.
The problem might be related to attempts to remove the debian 8
templates after problems with it.

Jon



[qubes-users] template vm netvm

2017-11-09 Thread Roy Bernat
Hi 

at first installation i enabled sys-whonix, and then all templates and dom0 
used the sys-whonix to go out. i wanted to disable it with no success, using 
the gui and using:

qvm-prefs -s someVM netvm sys-firewall

This procedure also didn't help me to change the gateway. 

Please advise.

Roy 



Re: [qubes-users] reboot and shutdown qubes 4 rc2

2017-11-09 Thread Roy Bernat
On Wednesday, 8 November 2017 14:45:53 UTC-5, Roy Bernat  wrote:
> On Wednesday, 8 November 2017 14:39:22 UTC-5, Chris Laprise  wrote:
> > On 11/08/2017 12:54 PM, Roy Bernat wrote:
> > > Hi all
> > >
> > > until now i am not able to have shutdown or reboot without press the 
> > > physical.
> > >
> > > some one has some idea ?   seems that it is stuck on
> > >
> > > failed to read reboot  parameter : no such file or directory .
> > >
> > > on shutdown it stuck on watchdog .
> > >
> > > any idea ?
> > >
> > > Roy
> > 
> > I think it's a common problem. What I use is this:
> > 
> > qvm-shutdown --all --wait --timeout=20
> > sudo poweroff -f
> > 
> > -- 
> > 
> > Chris Laprise, tas...@posteo.net
> > https://github.com/tasket
> > https://twitter.com/ttaskett
> > PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> Hi, thanks for your answer.
> 
> what about reboot ?


The same procedure with reboot.

10x 



[qubes-users] Re: Connected to wifi but no ping

2017-11-09 Thread brutellealexandre
On Thursday, 9 November 2017 16:05:14 UTC+1, brutelle...@gmail.com  wrote:
> On Thursday, 9 November 2017 12:28:34 UTC+1, blacklight  wrote:
> > On Thursday, 9 November 2017 04:26:27 UTC, Quewbie_Newbie  wrote:
> > > Hello, 
> > > 
> > > I'm despaired about ever re-opening a web page again on this system ! I 
> > > must have changed something by mistake in the settings and screwed up my 
> > > network configuration. 
> > > 
> > > I think I have re-established the global settings alright :
> > > 
> > > UpdateVM = Firewall
> > > ClockVM = Sys-net
> > > Default net = Firewall
> > > 
> > > Can't ping on sys-net even though my wifi connection established 
> > > successfully...
> > > 
> > > Firmware on the template Fedora a/o sys-net aren't (and can't) be 
> > > installed. 
> > > 
> > > Did the basic troubleshooting methods to reload automatically the wifi 
> > > drivers...
> > > 
> > > Also saw the possibility of permissive PCI but I have the feeling this is 
> > > not the thing to do in my situation (wifi was working fine after several 
> > > reboots) and I honestly think I must have changed some basic setting by 
> > > mistake or something...
> > > 
> > > Template for sys-net is Fedora23 and my machine is a Lenovo x220.
> > > 
> > > Any help welcome !
> > 
> > did you check if the block icmp requests are unchecked in the firewall 
> > settings of your vms?
> 
> I did and the "allow ICMP" criteria was unchecked for every single VM. So I 
> went now and checked it in order to allow for each of them... Will see how it 
> turns out !

Thank you Blacklight. This actually allowed me to do the Fedora update and install 
the update (including firmwares). I hope this network set up will stay stable ! 
I know this is perhaps irrelevant to this topic, but is it not recommended to 
not update to higher versions of Fedora (the template is running 23) ? Could I 
have other problems if I don't upgrade ?



[qubes-users] Re: Connected to wifi but no ping

2017-11-09 Thread brutellealexandre
On Thursday, 9 November 2017 12:28:34 UTC+1, blacklight  wrote:
> On Thursday, 9 November 2017 04:26:27 UTC, Quewbie_Newbie  wrote:
> > Hello, 
> > 
> > I'm despaired about ever re-opening a web page again on this system ! I 
> > must have changed something by mistake in the settings and screwed up my 
> > network configuration. 
> > 
> > I think I have re-established the global settings alright :
> > 
> > UpdateVM = Firewall
> > ClockVM = Sys-net
> > Default net = Firewall
> > 
> > Can't ping on sys-net even though my wifi connection established 
> > successfully...
> > 
> > Firmware on the template Fedora a/o sys-net aren't (and can't) be 
> > installed. 
> > 
> > Did the basic troubleshooting methods to reload automatically the wifi 
> > drivers...
> > 
> > Also saw the possibility of permissive PCI but I have the feeling this is 
> > not the thing to do in my situation (wifi was working fine after several 
> > reboots) and I honestly think I must have changed some basic setting by 
> > mistake or something...
> > 
> > Template for sys-net is Fedora23 and my machine is a Lenovo x220.
> > 
> > Any help welcome !
> 
> did you check if the block icmp requests are unchecked in the firewall 
> settings of your vms?

I did and the "allow ICMP" criteria was unchecked for every single VM. So I went 
now and checked it in order to allow for each of them... Will see how it turns 
out !



Re: [qubes-users] Anti Evil Maid (AEM) - possible to use text and picture at the same time?

2017-11-09 Thread Rusty Bird
Hi Patrick,

> Got secret.txt as well as secret.png - now it's only showing the image
> at plymouth but no text. Looks like both cannot be combined?

Yes. Image support is intended to be dropped in AEM4 anyway:

https://groups.google.com/forum/#!msg/qubes-devel/PsTA-3m0xA0/0N0c3dFaAgAJ

Rusty



[qubes-users] Re: About Qubes 4

2017-11-09 Thread blacklight
On Wednesday, 8 November 2017 16:14:23 UTC, fer...@openmailbox.org  wrote:
> Hi,
> In Qubes website you said that is best to use Qubes 3.2 for daily use.
> This is just because there are probably data loss due to bug? Or is for 
> security reason?
> 
> Since I always backup and mostly I surf the web I just don't care about data 
> loss.
> But I like to have more secure due to better virtualization. 
> So, I'm asking.. This advice is related also to security or only production 
> data?
> 
> For a security point of view is safe to use Qubes 4?
> 
> Thanks you a lot.

from my experience, i can say that stability is a lot of times more effective 
than having the bleeding edge.



Re: [qubes-users] build usb-vm and net-vm using openbsd?

2017-11-09 Thread blacklight
On Thursday, 9 November 2017 04:30:23 UTC, Jean-Philippe Ouellet  wrote:
> On Wed, Nov 8, 2017 at 3:37 PM, ludwig jaffe  wrote:
> > Hi, I saw that the linux kernel has some flaws 
> > (http://www.openwall.com/lists/oss-security/2017/11/06/8) in the usb stack, 
> > so I am
> > thinking about security against common errors, I would suggest to use
> > OpenBSD as USB-VM. Maybe, as Net-VM one could use open-bsd.
> > But how to integrate open-bsd with qubes and the virtual network inside 
> > qubes?
> >
> > Has anyone tried such?
> 
> Yes, I looked into this some time last year and plan to return to work
> on it one day. I was an OpenBSD person before I came to Qubes.
> 
> Several things need to happen first before any meaningful Qubes
> integration can be done though. First would be a vchan driver.
> 
> Don't expect anything soon... unless perhaps you're willing to fund such work?

would a specialised unikernel for usb operations make sense for this?



[qubes-users] Re: Connected to wifi but no ping

2017-11-09 Thread blacklight
On Thursday, 9 November 2017 04:26:27 UTC, Quewbie_Newbie  wrote:
> Hello, 
> 
> I'm despaired about ever re-opening a web page again on this system ! I must 
> have changed something by mistake in the settings and screwed up my network 
> configuration. 
> 
> I think I have re-established the global settings alright :
> 
> UpdateVM = Firewall
> ClockVM = Sys-net
> Default net = Firewall
> 
> Can't ping on sys-net even though my wifi connection established 
> successfully...
> 
> Firmware on the template Fedora a/o sys-net aren't (and can't) be installed. 
> 
> Did the basic troubleshooting methods to reload automatically the wifi 
> drivers...
> 
> Also saw the possibility of permissive PCI but I have the feeling this is not 
> the thing to do in my situation (wifi was working fine after several reboots) 
> and I honestly think I must have changed some basic setting by mistake or 
> something...
> 
> Template for sys-net is Fedora23 and my machine is a Lenovo x220.
> 
> Any help welcome !

did you check if the block icmp requests are unchecked in the firewall settings 
of your vms?



[qubes-users] Re: Is there a way to use secure boot with qubes?

2017-11-09 Thread blacklight
On Wednesday, 8 November 2017 20:52:14 UTC, Guerlan  wrote:
> My computer complains about bad signature when I try to install qubes. Is 
> there a way to install it without disabling secure boot? Does qubes support 
> secure boot? Is there a way to install qubes keys on the BIOS? Why did it 
> reject the keys?

the question is more that if secureboot supports qubes, rather than the 
other way around. to be supported by secureboot, one would need to buy a very 
expensive license from microsoft, something qubes is not able to afford atm.
