[qubes-users] Re: Cant format private Win10 disk as NTFS, only FAT and FAT32 works

2020-04-08 Thread Tech Chris 
Broken and abandoned, yeah thats a complicated problem

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f5f034a-0a89-4567-b442-bccf1a03b967%40googlegroups.com.

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-08 Thread Catacombs 
Sorry memory better now. That was three years ago. Windscribe was the VPN that 
was easy to install, in a Debian based distro.  Are you installing in the 
Template or a stand alone VM?  

I obviously do not have the experience - knowledge you would want. But my 
experience with a VPN under Linux was different than where you were trying.  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/30e3b385-f4a6-432f-bf1e-47bc07e3a3b7%40googlegroups.com.

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-08 Thread Catacombs 
I have never used Mullvad or a VPN under Qubes.  However,  I seem to recall 
having problems with udp,  I think you want tls and tcp.  If you DuckDuckGo the 
differences.  You might see udp is not so great.  

Also.  Usually to get a VPN to work in Linux you must turn off IPv6.  That is 
the one that goes to printers.  IPv4 is for most all the internet.  


Consider doing this to see if the whole concept of VPN is working.  I think it 
is CyberGhost which offers a few free GBs every month.  But I think that is the 
one I once used under another linux distro. And it was easy to set up and 
worked.  Then you might see what settings need to be what. 

Best wishes 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/972e7a0d-520a-42a8-a502-b0fe762bae3b%40googlegroups.com.

Re: [qubes-users] Is a StandaloneVM equally secure as a AppVM that is created on it's own TemplateVM, and what is the difference between a StandaloneVM and a AppVM ?

2020-04-08 Thread Chris Laprise 

On 4/5/20 3:03 PM, 'M' via qubes-users wrote:
Is a StandaloneVM equally secure as a AppVM that is created on it's own 
TemplateVM ?


What is the "practical" difference between a StandaloneVM and a AppVM, 
and when is it recommended to use a StandaloneVM instead of a AppVM ?


I have read this page: https://www.qubes-os.org/doc/standalone-and-hvm/


Standalone VMs are good in rare cases when you need to experiment with 
an app or configuration that might conflict with a template.


Overall, they are less secure than a regular (template-based) appVM 
because if an attack succeeds with a privilege escalation, then the 
whole OS in the standalone may be compromised permanently. OTOH, an 
appVM's OS would bounce back to a good state when restarting it.


Also, after some time standalone VMs will use more disk space when you 
have multiple instances.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5961de1a-bcb9-67f6-23ca-57c9bea8%40posteo.net.

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-08 Thread Chris Laprise 

On 4/8/20 6:25 AM, taran1s wrote:

I try to set the VPN in my laest qubes with your guide on
https://github.com/tasket/Qubes-vpn-support. I use the version
1.4.3. and followed the guide.

My setting from mullvad is UDP (default) for Linux. No IPs.

When asked, I entered correct login. The link but doesn't go up,
no popup notification LINK IS UP when restarting the proxy VM.

I also added vpn-handler-openvpn to the proxy VM services as required.

Executing systemctl status returns this:

[user@ovpn ~]$ systemctl status qubes-vpn-handler
● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service;
enabled; vendor preset: disabled)
   Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
└─00_example.conf
Active: activating (auto-restart) (Result: exit-code) since Tue
2020-04-07 15:30:15 CEST; 4s ago
   Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
--check-firewall (code=exited, status=0/SUCCESS)
   Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
--pre-start (code=exited, status=0/SUCCESS)
   Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec
(code=exited, status=1/FAILURE)
   Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup
--post-start (code=exited, status=0/SUCCESS)
   Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup
--post-stop (code=exited, status=0/SUCCESS)
  Main PID: 3110 (code=exited, status=1/FAILURE)

Any idea how to set this up properly?



The one exception I can think of for setting up with a Mullvad account 
is that they use a single-character "m" password for everyone. So if you 
typed something into the password prompt other than "m" or left it 
blank, then it won't connect.


To see a more detailed log you should use 'journalctl -u qubes-vpn-handler'.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cf0cf304-e995-c4aa-0b5a-e152db48c659%40posteo.net.

Re: [qubes-users] Building a new pc for running Qubes OS

2020-04-08 Thread Stumpy 

On 2020-04-08 13:30, 'awokd' via qubes-users wrote:

Mark Fernandes:


But surely it would be better just to buy it brand new in a shrink-wrapped
condition over the counter at a physical store, where you randomly select
the hardware from many alternatives? In the UK, we have a store called PC
World that seems set-up for such buying strategies in mind.

Any thoughts?


Good point, that could work too. There is yet another perspective where
everything new that contains ME or PSP is already compromised out of the
box, whereas older hardware lets you disable more thoroughly or avoid.
On the other hand, could just be a cost issue with new hardware. No real
"right" answer, all depends on how you weight probabilities and your
monetary units.



My threat model is tempered by my income, and I think its fairly safe to 
say I am not being specifically targeted.


The open source, or semi-open source options like Novena or  Libreum 
would be great but I am not sure the Novena would be much faster than 
what i have now (assuming Qubes works on Arm) and Libreum while really 
cool and an effort i would love to support i am afraid they are likely 
out of my price range.


I am looking for a bit of a work horse (not nessisarily bleeding edge) 
but is not going to bankrupt me which, as i see it, leaves me getting 
used hardware. I can put something together but at the moment have a 
pretty full plate in terms of work so getting something that is 
pre-assmembled (or mostly, I have bunches of drives around so that 
wouldnt be an issue) and highly likely to play nice with Qubes is pretty 
much at the top of my priority list.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/13e8c98c-d93a-177c-88d0-362c0a396ca1%40posteo.net.

Re: [qubes-users] Building a new pc for running Qubes OS

2020-04-08 Thread 'awokd' via qubes-users 
Mark Fernandes:

> But surely it would be better just to buy it brand new in a shrink-wrapped 
> condition over the counter at a physical store, where you randomly select 
> the hardware from many alternatives? In the UK, we have a store called PC 
> World that seems set-up for such buying strategies in mind.
> 
> Any thoughts?

Good point, that could work too. There is yet another perspective where
everything new that contains ME or PSP is already compromised out of the
box, whereas older hardware lets you disable more thoroughly or avoid.
On the other hand, could just be a cost issue with new hardware. No real
"right" answer, all depends on how you weight probabilities and your
monetary units.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a139e660-92f1-f41a-ca02-157f27e094e0%40danwin1210.me.

Re: [qubes-users] Building a new pc for running Qubes OS

2020-04-08 Thread Mark Fernandes 


>
> > Forgive my ignorance, but I would have thought that if you were planning 
> on 
> > using Qubes OS , you would be looking at 
> > obtaining hardware least likely to have been compromised, and so would 
> > probably exclude from consideration such second-hand items. 
> > 
> 
> ... Depends on if and how someone might be targeted. 

For example, shipments with your name on 
> them can be reliably and surreptitiously intercepted and modified, 
> whereas the possibility of second hand hardware bought in person with no 
> advance notice being compromised at the hardware level (i.e. a drive 
> format won't fix it) is relatively slim. 
>
>  
Thanks Awokd for your take on this.

But surely it would be better just to buy it brand new in a shrink-wrapped 
condition over the counter at a physical store, where you randomly select 
the hardware from many alternatives? In the UK, we have a store called PC 
World that seems set-up for such buying strategies in mind.

Any thoughts?


Thanks,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9792deb2-dc15-4475-aa0c-978f2f078b06%40googlegroups.com.

Re: [qubes-users] Building a new pc for running Qubes OS

2020-04-08 Thread 'awokd' via qubes-users 
Mark Fernandes:

> Forgive my ignorance, but I would have thought that if you were planning on 
> using Qubes OS , you would be looking at 
> obtaining hardware least likely to have been compromised, and so would 
> probably exclude from consideration such second-hand items.
> 
> If anyone has any contrary insights regarding this, would be very happy to 
> be corrected concerning this. Maybe I'm just mistaken?

Not really a contrary insight, but viewpoint perhaps: Depends on if and
how someone might be targeted. For example, shipments with your name on
them can be reliably and surreptitiously intercepted and modified,
whereas the possibility of second hand hardware bought in person with no
advance notice being compromised at the hardware level (i.e. a drive
format won't fix it) is relatively slim.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d235f013-93d0-33fe-e3a0-29ecc2ac94fe%40danwin1210.me.

Re: [qubes-users] Building a new pc for running Qubes OS

2020-04-08 Thread Mark Fernandes 
On Wednesday, 8 April 2020 15:43:43 UTC+1, Catacombs wrote:
>
> Six weeks ago I saw workstations at Salvation Army thrift store.  From 
> some company who did video editing.  Windows 7 era.   Xeon, 32 GB RAM.  No 
> keyboard mouse or monitor.   
>
> Usually these have had hard drives removed.  No warranty.  No return. 
>  They have zip ties to keep people from feeling around inside.  So I don’t 
> know if video cards have been removed.   
>
> ...


Forgive my ignorance, but I would have thought that if you were planning on 
using Qubes OS , you would be looking at 
obtaining hardware least likely to have been compromised, and so would 
probably exclude from consideration such second-hand items.

If anyone has any contrary insights regarding this, would be very happy to 
be corrected concerning this. Maybe I'm just mistaken?


Thanks,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/389b26a9-aeae-4674-9d75-4679ecf49f34%40googlegroups.com.

Re: [qubes-users] Building a new pc for running Qubes OS

2020-04-08 Thread Catacombs 
Six weeks ago I saw workstations at Salvation Army thrift store.  From some 
company who did video editing.  Windows 7 era.   Xeon, 32 GB RAM.  No keyboard 
mouse or monitor.  

Usually these have had hard drives removed.  No warranty.  No return.  They 
have zip ties to keep people from feeling around inside.  So I don’t know if 
video cards have been removed.  

Puri Librem is offering for pre-sale a mini.  This is very likely sure to work 
with Qubes.  They are also selling their stock of Librem Laptops, likely about 
to offer a higher specification CPU.   Or they are financially desperate.  ??   
Anything from Puri- Librem is sure to work with Qubes.  

Yeah.  Not a workstation with a Xeon. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/43b6c7d3-4166-448a-9fc8-6a4c51287e39%40googlegroups.com.

Re: [qubes-users] Building a new pc for running Qubes OS

2020-04-08 Thread Stumpy 

On 2020-03-31 14:37, Stumpy wrote:

On 2019-11-01 14:57, M wrote:
I’m thinking about building a new pc for running Qubes OS with the 
following specifications:


1)  Motherboard:  ASRock X570 Pro4
2)  CPU:  AMD Ryzen 3 3200G with onboard graphic (until they release 
one for PCIe 4.0 with onboard graphic)

3)  SSD:  AORUS

Does anyone know about if this will result in any problems in relation 
to running Qubes OS besides “the ordinary challenges”, and if so which 
problems ?


Did you happen to get any responses to this? Or if you already built it 
how is it working? (I am starting to think about putting a box together 
so am trying to take notes from others posts)





Thanks for the replies.
Perhaps to change the conversation slightly, I was thinking about 
getting a used system off somewhere like ebay.


I currently have a limited budget so that might be a bit more realistic 
for me at the moment... and a I have a limited computer (bought new in 
2012-2013 a sys with Intel H87 express chipset and socket 1150 i5-4570 
CPU @ 3.20GHz) so have a 32gb mem max which i am feeling occasionally 
and a proc which i really feel when spinning up new VMs (I have a 
relatively speedy samsung 860 SSD).


I started by just looking at searching for "Xenon Desktops" that were 
upgradable to 128gb mem; my only reason for starting there was I assumed 
that Xenon/Server/workstation setups were more likey to be Qubes 
friendly? Any thoughts?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b6a97574-dec4-1c4e-4c68-29e160be5aa0%40posteo.net.

Re: [qubes-users] Privacy Beast vs Nitropad comparison?

2020-04-08 Thread Maillist 
Hello,

the Privacy Beast is more secure. As they write, it meets and exceeds
the Qubes os certification, the Nitropad only meets them.They differ in
the OEM reownership process.


cheers.

On 4/8/20 1:03 AM, 'dcon' via qubes-users wrote:
> Are there any significant differences between the two? It seems that Nitropad 
> has more hardware configuration options. With ME inactivation, is there any 
> reason to swap out the WiFi module? 
>
> I’d like to thank both vendors for bringing these to the market!  
>
> Noobs need Qubes!  
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e6d8ec1a-19a3-fe4a-a63c-ca87f796f613%40cryptogs.de.

[qubes-users] Re: Install Qubes in Odroid H2,

2020-04-08 Thread Eloy Beltran 


Qubes cannot be started without a virtual machine, and the virtual machine 
cannot be installed if there is not previously an Operating System, I have 
installed it in a QEMU based KVM. If I had loaded the .iso image to USB, the 
message would have been as follows.


Dom0 mode: Relaxed

Interrupt remapping enabled

Enabled directed EOI with ioapic_ack_old on!

ENABLING IO-APIC IRQs

-> Using old ACK method
*..MP-BIOS bug:8254 timer not conected to IO-APIC*

CPU0: No irq handler for vector e7 (IRQ -8)

IRQ7 a=0001[0001,000] v=60[..

You can see all in 

https://forum.odroid.com/viewtopic.php?f=168=37933 
https://forum.odroid.com/viewtopic.php?f=168=38036



El miércoles, 8 de abril de 2020, 12:27:59 (UTC+2), Eloy Beltran escribió:
>
> I've tried, it's all here
>
> https://forum.odroid.com/viewtopic.php?f=168=38036=5d8803576236ab981175dab28b5c9791
>
> https://forum.odroid.com/viewtopic.php?f=168=37933=5d8803576236ab981175dab28b5c9791
>
>
> *Infinite loop in this bootable usb OS video.*
>
> https://mega.nz/#!xMd1FAKI!2UcCrHnQO492_bvYN2SiOkIM9ov3HL9VSmIKCaqaUsc
>
>
> El viernes, 3 de abril de 2020, 7:48:28 (UTC+2), Foppe de Haan escribió:
>>
>> what he means is install Qubes the same way you installed Ubuntu Mate, on 
>> its own drive.
>> That said, did you check in the bios if IOMMU and VT-X and VT-D support 
>> were all enabled?
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/00e49203-a9f3-4eea-be02-96972d093be1%40googlegroups.com.

[qubes-users] Re: Install Qubes in Odroid H2,

2020-04-08 Thread eloybb 


I've tried, it's all here

https://forum.odroid.com/viewtopic.php?f=168=38036=5d8803576236ab981175dab28b5c9791

https://forum.odroid.com/viewtopic.php?f=168=37933=5d8803576236ab981175dab28b5c9791


*Infinite loop in this bootable usb OS video.*

https://mega.nz/#!xMd1FAKI!2UcCrHnQO492_bvYN2SiOkIM9ov3HL9VSmIKCaqaUsc


El viernes, 3 de abril de 2020, 7:48:28 (UTC+2), Foppe de Haan escribió:
>
> what he means is install Qubes the same way you installed Ubuntu Mate, on 
> its own drive.
> That said, did you check in the bios if IOMMU and VT-X and VT-D support 
> were all enabled?
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bf8a660b-2719-4df8-b2e0-30b6c6e0f11c%40googlegroups.com.

Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-04-08 Thread taran1s 


scurge1tl:
> 
> 
> Chris Laprise:
>> On 3/29/20 5:16 AM, scurge1tl wrote:
>>>
>>>
>>> Chris Laprise:
 On 3/27/20 5:02 AM, scurge1tl wrote:
>>>
>
> Hello all,
>
> I would like to ask about proper setting of AppVM flow if using
> Mullvad VPN. I would like to connect to the clearnet following way: Me
> - -> Tor -> VPN -> clearnet.
>
> When setting up mullvad in their web page, I set the parameters for
> download here https://mullvad.net/en/download/openvpn-config/ in a
> following way:
> - - All countries (so that I can change my exit country as needed)
> - - Port -> TCP 443 (Tor doesn't use UDP, right?)
> - - tick Use IP addresses

 Using TCP 443 for the connection helps only if you are running the VPN
 on top of Tor. With Tor on top of VPN, you're probably better off
 with UDP.
>>>
>>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clarnet, to go
>>> with UDP mullvad settings? Just to clear the "on top of".
>>
>> To make it less ambiguous:
>>
>> AppVM -> sys-whonix -> sys-vpn -> sys-net
>>
>> The above connection is Tor on top of (or inside of) VPN, so UDP can be
>> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
>> VPN should switch to TCP mode.
>>
>> An easy way to remember this is that the sys-* VM attached to the AppVM
>> is the one the service sees on the other end.
>>
>>>

>
> To set the Mullvad VPN AppVM, I followed this guide from micahflee
> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
> mullvad is vpn-mullvad. All works fine and connects to the network.
>
> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
> vpn-mullvad -> sys-firewall, or I should use different setup?

 Whonix has a guide that examines the issues of combining Tor and a VPN.
 However, I think its better as a 'what-if/why' guide than a Howto...

 https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>>
>>> Thank you I will check it.
>>>

>
> Are there any other steps to follow to prevent leaks?

 Yes.

 The Qubes-vpn-support project is much easier to setup and should work
 more smoothly, in addition to providing better protection against leaks:

 https://github.com/tasket/Qubes-vpn-support

 There is also a VPN setup guide on the Qubes doc page (this is the one
 the Whonix page links to). FWIW, I wrote the scripts for both but the
 idea for Qubes-vpn-support was to automate the setup and improve the
 connection handling of Openvpn so re-connection doesn't take 5 minutes.
 It also checks the firewall to make sure leak prevention is in place
 before initiating connections.
>>>
>>> I will try to set the additional AppVM for this and try this guide. What
>>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>>> -> sys-firewall ?
>>>
>>> Also I would like to use different exit countries of choice, so I
>>> downloaded all countries from mullvad. Is there any simple way to switch
>>> countries with this VPN settings?
>>
>> There is no GUI way to do it when using the Qubes scripts. However, if
>> you use the Network Manager method on the Qubes vpn howto, then you can
>> import multiple configs (and cross your fingers that they can make
>> connections :) ).
>>
>> For a non-GUI solution, you could create a small script that lets you
>> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
>> config filename that the scripts use (then restart the vpn). Some people
>> have used simple random selection without a prompt, like 'ln -s $( ls
>> *ovpn | shuf | head -n1 ) vpn-client.conf'.
>>
>>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>>> till now, but I need to use tor-unfriendly services from time to time
>>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>>> work in qubes-whonix and I therefore can't select exit country easily if
>>> I need to. So I need to have the VPN country as a strict exit.
>>
>> To use Tor-unfriendly services, the service has to see the VPN IP not
>> Tor exit node IP. Therefore...
>>
>> AppVM -> sys-vpn -> sys-whonix -> sys-net
>>
>> If you add sys-firewall (or similar proxyVM, as you probably don't want
>> to change sys-firewall netvm setting) in the mix, it just depends on
>> which VM you wish to add 'Qubes firewall' rules to it always goes
>> 'to the right of' whichever VM you added rules. In my experience,
>> however, such rules are not required for securing a VPN link; The
>> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
>> handle VPN security rather well. IOW, its better to forget placing
>> sys-firewall in the loop, at least until you're more used to Qubes
>> networking.
>>
>>>