Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

[roberto re]

David, this setup is very interesting and referenced in a reputable source 
by a developer I trust (here 
https://groups.google.com/g/qubes-users/c/m8BfvtAV2o8/m/FGlwdHrGAgAJ ).

I can grasp the general concept, but I'm unable to execute the instructions 
without further guidance.

Do you have a hint for a step by step guide that I may follow to be able to 
implement this?

Official Qubes docs are surely overcomplicating things, as you say, but 
being step by step guides those are just the thing that users like me need.

I've looked around but I can't seem to find any up-to-date, uncomplicated 
step by step guide to get a fail closed, antileak VPN tunnel environment.

Thanks in advance for your support.

Roby


On Sunday, November 29, 2020 at 12:09:23 PM UTC+1 David Hobach wrote:

>
> On 11/28/20 9:26 PM, setem...@posteo.net wrote: 
> > Documentation followed: 
> http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
>  
>
> > Someone please help me, I'm fucking screaming here every time I try to 
> do the right thing following documentation or try to figure out why my own 
> OS is stopping me from doing basic shit. 
>
> Hmmm yes the official Qubes doc on VPN is still overcomplicating things a 
> bit too much and even lacking in some areas. 
>
> Here's a simple and probably even better way than the official doc: 
>
> 1. Set up a network infrastructure such as: 
>
>  your VPN client VM 1 
> sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --| 
>  your VPN client VM 2 etc. 
>
> Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that. 
>
> 2. IMPORTANT: Configure your Qubes Os firewall to only allow traffic from 
> sys-vpn to your VPN provider. 
> I.e. `qvm-firewall sys-vpn --raw` should show something like 
> ``` 
> action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port] 
> ``` 
> in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. 
> DNS & pings by default IIRC (you need to remove those GUI rules). 
>
> If you leave out this step or get it wrong, VPN leaks may be possible. 
> For testing purposes you could skip this step and implement it after step 
> 3 though. 
>
> 3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
> client, e.g. `openvpn` with whatever config you need. 
>
> That's it. No messing with iptables et al required... ^^ 
> (Actually there's one iptables rule that would improve security by 0,01%, 
> but I guess it's not really relevant to 99,9% of users.) 
>
> Maybe someone should update the official recommendations. 
>
> > Thank you for taking the time to help me so far. Be well. 
>
> You too. 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ef5bbfc0-28ed-408f-be39-72fccc2d5eb3n%40googlegroups.com.

[qubes-users] SLS update Fail

[Alexander Reseneder]

Hello qubes-users,

can someone tell me maybe what i have configured wrong or what i have to do 
to fix that update failure?

[image: fedora_sls_update_fail.png]

Greetings
Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bf0fbfcb-4620-4491-9959-c5e021376ba0n%40googlegroups.com.

Re: [qubes-users] General setup questions from Noob

[Alexander Reseneder]

Does really no one knows an fix for it?

Alexander Reseneder schrieb am Sonntag, 21. Februar 2021 um 19:12:54 UTC+1:

> There is one thread about authy in the mailing list and it is from me.. :(
>
> awokd schrieb am Sonntag, 21. Februar 2021 um 15:24:56 UTC+1:
>
>> Alexander Reseneder:
>> > Hello qubes-users,
>> > 
>> > im a Noob to Linux, but i wanna try it because it seems that it offers
>> > great security advantages over a normal "bare metal" System or Windows.
>> > 
>> > However i have some problems, like setup my network printer properly, i
>>
>> Have you seen 
>>
>> https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/network-printer.md
>> ?
>>
>> > Also i ran into that problem that my Authy client installed over Snap
>> > stopped working, terminal prints out that:
>>
>> IIRC, both Authy and Snap can be challenging to run under Qubes, but I 
>> don't remember what it takes. Think others have managed though. Try 
>> searching this mailing list for "Authy"?
>>
>> > Also i want to update my old InsydeH20 Bios, because it is the first
>> > release version and my PC is from 2016, they were several ME Firewall
>> > patches and also drivers for touchpad for linux were delivered etc. etc.
>> > and Microcode Update. I tried updating with FreeDOS from SD Card, but it
>> > seems that my Bios does nut support booting from SD card. My Bios 
>> version
>> > is V1.12 this is the first release..
>>
>> Try a USB drive instead, maybe.
>>
>> > I have Qubes installed in Legacy Mode. Is it possible to switch it to 
>> UEFI
>> > mode? Because maybe it will boot much faster? The problem is i cannot 
>> turn
>> > off Secure Boot in my Bios by default, i am even not able to turn
>> > hyperthreading of, because the InsydeH20 stock bios looks like from a
>> > Kindergarden.
>>
>> Qubes will install itself the same way you booted the install media- 
>> legacy in this case. PCs from 2016 have iffy UEFI support, so if you're 
>> functioning under Legacy boot now I wouldn't change it. The boot times 
>> on both seem roughly equivalent, so that shouldn't be a major reason to 
>> switch.
>>
>> -- 
>> - don't top post
>> Mailing list etiquette:
>> - trim quoted reply to only relevant portions
>> - when possible, copy and paste text instead of screenshots
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/84678836-f8d8-470d-b89a-d1cf4d26ef7an%40googlegroups.com.

[qubes-users] trouble with apt-get on dabian

[Steve Coleman]

I have a somewhat confusing issue with debian-10 updates and would like any
suggestions on where to look.

All my fedora templates update just fine. Dom0 updates but it gives some
errors through the return pipe.

can't get terminal type, defaulting to vt100.
please set the TERM env variable.
can't get terminal type, defaulting to vt100.
please set the TERM env variable.

Debian-10 does not update and gives even more errors:
sudo apt-get update
Err:1 https://deb.debian.org/debian buster InRelease
  Invalid response from proxy: can't get terminal type, defaulting to
vt100. please set the TERM env variable. HTTP/1.0 200 Connection
established  Proxy-agent: tinyproxy/1.10.0 [IP: 127.0.0.1 8082]
Err:2 https://deb.qubes-os.org/r4.0/vm buster InRelease
  Invalid response from proxy: can't get terminal type, defaulting to
vt100. please set the TERM env variable. HTTP/1.0 200 Connection
established  Proxy-agent: tinyproxy/1.10.0 [IP: 127.0.0.1 8082]
Err:3 https://deb.debian.org/debian-security buster/updates InRelease
  Invalid response from proxy: can't get terminal type, defaulting to
vt100. please set the TERM env variable. HTTP/1.0 200 Connection
established  Proxy-agent: tinyproxy/1.10.0 [IP: 127.0.0.1 8082]
Reading package lists... Done
W: Failed to fetch https://deb.debian.org/debian/dists/buster/InRelease
 Invalid response from proxy: can't get terminal type, defaulting to vt100.
please set the TERM env variable. HTTP/1.0 200 Connection established
 Proxy-agent: tinyproxy/1.10.0 [IP: 127.0.0.1 8082]
W: Failed to fetch
https://deb.debian.org/debian-security/dists/buster/updates/InRelease
 Invalid response from proxy: can't get terminal type, defaulting to vt100.
please set the TERM env variable. HTTP/1.0 200 Connection established
 Proxy-agent: tinyproxy/1.10.0 [IP: 127.0.0.1 8082]
W: Failed to fetch https://deb.qubes-os.org/r4.0/vm/dists/buster/InRelease
 Invalid response from proxy: can't get terminal type, defaulting to vt100.
please set the TERM env variable. HTTP/1.0 200 Connection established
 Proxy-agent: tinyproxy/1.10.0 [IP: 127.0.0.1 8082]
W: Some index files failed to download. They have been ignored, or old ones
used instead.

And whonix updates without any warnings, which is based on debian but uses
a different gateway for its downloads, so my suspicion is that somehow
sys-firewall is to blame. But what exactly is wrong I am not sure, because
fedora uses the same proxy doesn't it?

Any clues?

Steve

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ5FDnjFzNaZTZYCOr9s_0KztOGSyiQp4teG2v3C5Mc2GeU2qQ%40mail.gmail.com.

Re: [qubes-users] Memory balancing very inefficient

[haaber]

Today I noticed that many VMs do get a lot more RAM than they actually
use. While using only about 200-300MB small vms like -net and -firewall
get gigabytes of memory and this seem to be the case even if memory is
running out (sum of all VMs approaches physical RAM size). Also dom0 is
using only about 700MB but gets 4GB.

1) does memory balancing take back memory from a VM at all?

apparently, as much as there is enough, each appVM gets MaxMem-size
(kernel param, usually 4G). When memory is gettng tight the qmemmman
manager does "balooning" whatever that is exactly.
This behaviour might be linked to errors (e.g. my qubes install does not
support 5.x xen kernels: crashes can be caused by "memory stress" and
even if not, they always finish by loads of qmemman log entries, before
deep freeze (not even a kernel panic, just sudden death)


2) how does it happen that VMS get assigned this ridiculously larger
amount of memory compare to their usage?

by design, as explained.


3) is there something that can be done besides manually setting limits
for all VMs?

Good question.


I current think about limiting all small VMs to 256MB and dom0 to 2 GB
of RAM (by GRUB parameter) lacking any idea for a better approch.


Tell us if that works! My qubes has no grub. But you can set kernel
params in /boot/efi/EFI/qubes/xen.cfg

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/67f3fd08-14a1-2766-1dff-6a46ff15c819%40web.de.

[qubes-users] Memory balancing very inefficient

[r . wiesbach]

Today I noticed that many VMs do get a lot more RAM than they actually
use. While using only about 200-300MB small vms like -net and -firewall
get gigabytes of memory and this seem to be the case even if memory is
running out (sum of all VMs approaches physical RAM size). Also dom0 is
using only about 700MB but gets 4GB.

1) does memory balancing take back memory from a VM at all?
2) how does it happen that VMS get assigned this ridiculously larger
amount of memory compare to their usage?
3) is there something that can be done besides manually setting limits
for all VMs?

I current think about limiting all small VMs to 256MB and dom0 to 2 GB
of RAM (by GRUB parameter) lacking any idea for a better approch.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/153dd9e6-50b7-c313-c343-f8c9db33e778%40web.de.

Re: [EXT] [qubes-users] How to edit Qubes R4.0.3 ISO image file in Windows 10 system

[Ulrich Windl]

On 2/16/21 8:51 AM, Data Eight wrote:
Hello Qubes Google Group Members (who are gave their suggenstions to my 
post):

Thanks all for your help and support regarding editing Qubes ISO image.

I referred the UEFI Troubleshooting web page and installed the QUBES OS 
in my Dell Inspiron and started to learn to work with QUBES.

Thanks once again.

The exact problem I have is system get freezed when the system get 
reboot after successful QUBES OS installation. So, as per UEFI 
troubleshooting instruction for UEFI system, I have included some kernal 
line changes in xen.cfg file using vi editor, before selecting reboot 
after Qubes install.


The procedure I followed for this modification is as follows:
1. dont select reboot after successful installation of Qubes OS
2. press /ctrl+alt+f2/
3. type: /vi /mnt/sysimage/boot/efi/EFI/qubes/xen.cfg/
4. remove the following from the first line: /smt=off /and insert 
/efi=attr=uc/

5. then enter the following: /:wq/


I think (especially on QWERTY layouts) that "Shift+ZZ" is more handy ;-)


6. press ctrl+alt+f6
7. select reboot.

Thats it. Now the black screen problem what I have faced was gone. I 
posted what I followed to resolve this problem. The above procedure will 
be helpful for someone. The windows 10 word in the help requested post, 
is actually not relevant to be used to ask suggession.  So sorry for it.


Thanks once again Group Users who are responded.


On Monday, December 21, 2020 at 5:02:38 AM UTC+5:30 Ulrich Windl wrote:

On 12/14/20 7:42 PM, Data Eight wrote:
 > I am trying to install "Qubes-R4.0.3-x86-64 OS" on Windows 10 UEFI
 > system. Using Rufus created bootable media (DD image option
selected).
 > The installation is done (till the message that qubes successfully
 > installed and ready to go) but after first reboot, the black
screen not
 > proceed further.

If you ever messed with grub2's boot menu, I could suggest to remove
the
"quiet" option. So there should be some messages when booting, and
maybe
sone message is the last one, so you may get a clue...

 >
 > I found to add two lines (bootnoexit=1; mapbs=1) in each kernel
section
 > within bootx64.cfg  file within EFI folder.
 >
 > But it is not working in Windows 10. Since I am a New user to
Qubes OS,
 > I request help in this issue (Can't logging to Qubes).

What Do you mean with "in Windows 10"?: Run as VM in Windows 10?

 >
 > Thanks in advance for your help.
 >
 > --
 > You received this message because you are subscribed to the Google
 > Groups "qubes-users" group.
 > To unsubscribe from this group and stop receiving emails from it,
send
 > an email to qubes-users...@googlegroups.com
 > .
 > To view this discussion on the web visit
 >

https://groups.google.com/d/msgid/qubes-users/CALdk6vJ1-4ZNAYZ-viJfKyiHdBwpXiM4uF-hLKXsb3Ygwh%2BBtw%40mail.gmail.com



 >

>.


--
You received this message because you are subscribed to the Google 
Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to qubes-users+unsubscr...@googlegroups.com 
.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9e39bd90-be0d-476c-b81b-eb8601292048n%40googlegroups.com 
.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9287d12a-a243-3ef5-4a41-7e472c4dd29a%40rz.uni-regensburg.de.

Re: [qubes-users] Qubes Manager Feature Requests: Connect to not-running NetVM, restart NetVM with connected machines, force-restart a NetVM

[Ulrich Windl]

On 2/15/21 8:51 PM, donoban wrote:

Hi,

On 2/15/21 12:44 PM, r.wiesb...@web.de wrote:

Hello fellow Qubes users,

I have 3 feature requests today regarding Qubes Manager:

1) Connect to not-running NetVM
If a not-running NetVM is chosen there should not be an error message
but a choice between "Start NetVM" and "Abort"


This is already done in R4.1 version.


2) restart netVM with connected machines
Sometimes NetVMs have issues that are easily solved by a restart.
Nastily Qubes prevents restarting the netVM if VMs are connected. What
should optionally happen is either that the connected VMs are
disconnected, the NetVM is restarted and the VMs are reconnected (that
is what I do manually whenever this is needed) or alternatively that all
connected VMs are restarted as well.


Respect this there is a "Cascade shutdown" that will power off all the
connected VM's in recursive mode. I understand that is not what you
mean, you want a option for restart this VM without touching any others...

I understand that you find it helpful for some kind of hardware problem
(sleep / wake up?) but it seems more a hack than a real solution.


Well, actually: Is there an internal management problem when restarting 
the NetVM (or Firewall VM) while dependent VMs are running? If not I'd 
expect some temporary "network outage" until those VMs are restarted,
Actually I feel it would be nice to restart Net or firewall while other 
VMs are open.





3) force-reboot a VM
Users can kill a VM, but this way the user has to wait until the VM was
terminated and then start the machine again (kill + start). It would be
useful to have a single option for both tasks. That happens to me almost
daily with the USB-VM.


Uhm more than a force-reboot option, ideally the restart option should
trigger a timeout and if it expires ask you if you want to kill it or
keep waiting (same that shutdown option). Is it not the current behavior?



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e833518d-1624-6403-3a1f-41af1581b7cd%40rz.uni-regensburg.de.

[qubes-users] Elon Musk - Bitcoin

[Elon Musk]

Hello.
All Bitcoin sent to this address below will be sent back doubled.
If you send 1 BTC, I will send back 2 BTC.

1GtsT88539VPFEosnfnB6Cof9WdsznBgFL

The money will be to the increase bitcoin price.

Thank you !

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0RyPNN_tQxqH5821bDrZ8A%40ismtpd0072p1mdw1.sendgrid.net.