[qubes-users] Forwarding a port to a VM behind a VPN ProxyVM

2019-10-25 Thread Verifiable List

Hello All,

I use Mullvad as my VPN provider. They allow you to forward a port 
through the VPN. However, I'm having a hard time wrapping my head around 
how to get this to work with Qubes OS. This is what the network chain in 
question looks like:


AppVM > ProxyVM (VPN Client Here) > sys-firewall > sys-net > Internet

Because the port is being forwarded through the VPN tunnel, I expected 
it to be accessible from the ProxyVM without altering the configurations 
on sys-net or sys-firewall. However, after enabling the port forward on 
Mullvad and testing as described in their documentation:


- In a terminal window, run netcat -l -p 
- In another terminal window, run curl 
https://ipv4.am.i.mullvad.net/port/
- If everything is working properly, the result will show 
"reachable:true".


the result is always "reachable:false". (Note: I'm running this test on 
the ProxyVM itself.)


Any assistance would be appreciated.

Thank you.



[qubes-users] equivalent of grub kernel parameters on qubes?

2019-10-25 Thread Guerlan
There's a quirk for laptop suspend problem that I want to try on Qubes that 
is the following on Ubuntu:

sudo nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="button.lid_init_state=open"

However, dom0 does not have such a file. How do I pass kernel parameters to Qubes?



Re: [qubes-users] Re: Qube R4: Portforwarding (for torrent)

2019-10-25 Thread 'anarcomnor' via qubes-users
Thanks. I'm trying to use it, but I get permission denied for some reason when 
trying to copy it to dom0 even though I use the appropriate qvm-run --pass-io 
command... sudo doesn't help.



‐‐‐ Original Message ‐‐‐
On Thursday, October 24, 2019 10:07 PM,  wrote:

> On 2019-10-24 16:49, 'anarcomnor' via qubes-users wrote:
>
> > Hello dear qubers!
> > I've been following this https://qubes-os.org/doc/firewall guide on how to 
> > open a port to the outside world with the intention of allowing 
> > Transmission to connect, but I'm struggling. Transmission does not find any 
> > peers and testing the port says it's closed. I've been following the guide 
> > very carefully and done the commands with both tcp and udp protocols. The 
> > port has been opened in the router.
> > One thing I've been somewhat confused about is which interface I should use 
> > when entering the commands. The examples always use eth0, but in my case 
> > the physical NIC is called wls7 (even though it actually sometimes changes 
> > to wls6, which doesn't make it easier, but let's just say it's wls7).
> > As far as I understand wls7 is only used when applying rules in sys-net 
> > since it is only VM that can actually connect to it, so I'm hoping that's 
> > correct.
> > I've tried switching things around, hoping to more or less stumble on a 
> > configuration that works, but nothing seems to. Now I'm somewhat worried 
> > that there are rules in place that might be conflicting and that this might 
> > actually be the cause of my issue now.
> > The way it's set up is I have a qube called Transmission connecting to 
> > sys-firewall which again connects to sys-net.
> > Can anyone help me out here?
>
> I found this script very useful:
> https://gist.github.com/Joeviocoe/6c4dc0c283f6d6c5b1a3f5af8793292b


Re: [qubes-users] Re: Qube R4: Portforwarding (for torrent)

2019-10-25 Thread 'anarcomnor' via qubes-users
I eventually managed to copy the script over to dom0 and run it, but it still 
doesn't work. The tracker gives the error message "Connection failed" or that 
"the requested download is not authorized" which doesn't make any sense. All 
I'm trying to do is download an iso from their official page on their own 
tracker.

Maybe this means I hadn't done it wrong myself after all and that there may be 
some other problem - or - it could be that all my previous attempts have caused 
an issue.

I would greatly appreciate any help on this!

‐‐‐ Original Message ‐‐‐
On Friday, October 25, 2019 4:29 PM, 'anarcomnor' via qubes-users 
 wrote:

> Thanks. I'm trying to use it, but I get permission denied for some reason 
> when trying to copy it to dom0 even though I use the appropriate qvm-run 
> --pass-io command... sudo doesn't help.
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, October 24, 2019 10:07 PM, lik...@gmx.de wrote:
>
> > On 2019-10-24 16:49, 'anarcomnor' via qubes-users wrote:
> >
> > > Hello dear qubers!
> > > I've been following this https://qubes-os.org/doc/firewall guide on how 
> > > to open a port to the outside world with the intention of allowing 
> > > Transmission to connect, but I'm struggling. Transmission does not find 
> > > any peers and testing the port says it's closed. I've been following the 
> > > guide very carefully and done the commands with both tcp and udp 
> > > protocols. The port has been opened in the router.
> > > One thing I've been somewhat confused about is which interface I should 
> > > use when entering the commands. The examples always use eth0, but in my 
> > > case the physical NIC is called wls7 (even though it actually sometimes 
> > > changes to wls6, which doesn't make it easier, but let's just say it's 
> > > wls7).
> > > As far as I understand wls7 is only used when applying rules in sys-net 
> > > since it is only VM that can actually connect to it, so I'm hoping that's 
> > > correct.
> > > I've tried switching things around, hoping to more or less stumble on a 
> > > configuration that works, but nothing seems to. Now I'm somewhat worried 
> > > that there are rules in place that might be conflicting and that this 
> > > might actually be the cause of my issue now.
> > > The way it's set up is I have a qube called Transmission connecting to 
> > > sys-firewall which again connects to sys-net.
> > > Can anyone help me out here?
> >
> > I found this script very useful:
> > https://gist.github.com/Joeviocoe/6c4dc0c283f6d6c5b1a3f5af8793292b


[qubes-users] Re: Why is there no option to save VM state?

2019-10-25 Thread qtpie
Guerlan:
> In KVM with Qemu I used a lot of VM state saving, where I could save the 
> entire VM to disk and restore that. Since my SSD is very fast that only 
> took 5 seconds on average, so it was very useful. Especially, since I cannot 
> put my laptop to sleep and hibernate won't work either, my only option was 
> to be able to save VM state, but I don't see any way of doing it.
> 
> Is it possible or is it a feature to be implemented?
> 


The feature of Qubes concerning state is that the state is *not* saved,
apart from the files in the home directory, since state can include
malware. On every start of a vm, you get a clean machine, since it
copies its state from a template-vm, which is kept secure.

This is a core feature of Qubes so I don't think saving state will be
considered, but I'm curious to hear what others have to say?

You can create a 'standalone' qube which doesn't use templates and so
preserves more of its state, but this is not the same as saving full
state obviously.



Re: [qubes-users] Qubes 4 and VPN, client VMs cannot access Internet

2019-10-25 Thread Chris Laprise

On 10/24/19 10:00 PM, Eric S wrote:
> I have successfully created new netVM named 'sys-vpn' based on 
> fedora-30, installed VPN functionality using qubes-vpn-support 
> script, and have 
> successfully connected to Internet with VPN's IP address, verified using 
> browser in sys-vpn. My network connections look like this:
>
>       sys-vpn --> sys-firewall --> sys-net --> Internet
>
> However, when I try to use another client VM with sys-vpn as netVM, the 
> client is not able to connect to the Internet. Example network connection:
>       fedora-30 --> sys-vpn --> sys-firewall --> sys-net --> Internet 
> (fedora-30 cannot access Internet).
>
> I suspect this might be firewall rules, but am pretty noobish on how to 
> troubleshoot and configure (all rules are default or configured as per 
> qubes-vpn-support script). I have read the Firewall and VPN docs on 
> qubes.org (firewall docs are a bit over my head), and scoured firewall 
> and VPN threads on a number of discussion sites (reddit, qubes-users, 
> stack overflow, etc.) to understand how to troubleshoot, I am simply at 
> a loss for figuring out how to resolve.
>
> I have attached graphic to illustrate problem. Any guidance and support 
> greatly appreciated, thanks for assistance.


'fedora-30' would be the name of a template VM, not a regular app VM. 
Templates are blocked from regular Internet access in Qubes.


If all you want fedora-30 to do is update or install software, it can be 
done if an update proxy is added to the system (the existing update 
proxy in sys-net can no longer see the template's requests bc its 
traffic is encrypted by sys-vpn). This could be done by enabling the 
Qubes service 'qubes-updates-proxy' for your sys-firewall-vpn VM. 
Alternately, you could make the templates update directly by adding 
'updates-proxy-setup' to their Qubes services tab and then un-checking 
it (this has the effect of disabling the updates-proxy client).


A note about the firewall in qubes-vpn-support: If it's configured 
correctly with the example settings (using the 'vpn-handler-openvpn' 
Qubes service) then you should not be able to browse Internet sites from 
inside sys-vpn. Also, you should see a popup notification stating that 
the VPN link is 'UP' when sys-vpn starts.


You can check on the VPN status in sys-vpn with 'sudo journalctl -u 
qubes-vpn-handler'. You can also check firewall settings with 'sudo 
iptables -L -v -t nat' and the 'Chain PR-QBS' should have ip addresses 
pointing to your VPN provider's DNS server in the rightmost column 
(traffic can appear to be blocked if this doesn't get set).


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
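
The PR-QBS check described in the reply above, as an added example (not part of Chris's message or of qubes-vpn-support): it reads 'iptables -L -v -t nat' output and reports where the PR-QBS chain redirects DNS. The sample outputs and every address in them, including the 10.8.0.1 VPN resolver, are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify where PR-QBS sends DNS. All addresses are constructed.

# Constructed `iptables -L -v -n -t nat` excerpt (whitespace compressed):
# DNS is DNAT'd to a VPN resolver.
SAMPLE_OK='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source     destination
   12   720 PR-QBS  all  --  *   *    0.0.0.0/0  0.0.0.0/0

Chain PR-QBS (1 references)
 pkts bytes target  prot opt in  out  source     destination
    8   512 DNAT    udp  --  *   *    0.0.0.0/0  10.139.1.1  udp dpt:53 to:10.8.0.1
    0     0 DNAT    tcp  --  *   *    0.0.0.0/0  10.139.1.1  tcp dpt:53 to:10.8.0.1'

# Constructed excerpt without -n (port shown as "domain"); the targets here
# are not the VPN resolver, i.e. the VPN DNS was never applied.
SAMPLE_UNSET='Chain PR-QBS (1 references)
 pkts bytes target  prot opt in  out  source    destination
    3   180 DNAT    udp  --  any any  anywhere  10.139.1.1  udp dpt:domain to:10.139.1.1
    0     0 DNAT    tcp  --  any any  anywhere  10.139.1.2  tcp dpt:domain to:10.139.1.2'

# Read iptables output on stdin; print the unique DNAT targets (the "to:"
# field in the rightmost column) of DNS rules inside the PR-QBS chain only.
pr_qbs_dns_targets() {
    awk '
        /^Chain / { in_chain = ($2 == "PR-QBS"); next }
        in_chain && /(^|[ \t])DNAT[ \t]/ && /dpt:(53|domain)([ \t]|$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^to:/) { sub(/^to:/, "", $i); print $i }
        }' | sort -u
}

# $1 = iptables output, remaining args = DNS servers the VPN should use.
# Returns 0 if every target is expected, 1 on a mismatch, 2 if no DNS rules.
check_vpn_dns() {
    out=$1; shift
    targets=$(printf '%s\n' "$out" | pr_qbs_dns_targets)
    [ -n "$targets" ] || { echo "FAIL: no DNS DNAT rules in PR-QBS"; return 2; }
    for t in $targets; do
        case " $* " in
            *" $t "*) ;;
            *) echo "FAIL: DNS goes to unexpected server $t"; return 1 ;;
        esac
    done
    echo "OK: DNS is redirected to:" $targets
}

check_vpn_dns "$SAMPLE_OK" 10.8.0.1             # expected resolver
check_vpn_dns "$SAMPLE_UNSET" 10.8.0.1 || true  # mismatch is reported
```

Inside sys-vpn, the live output can be passed instead of a sample: check_vpn_dns "$(sudo iptables -L -v -n -t nat)" followed by the provider's DNS address.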


