[qubes-users] Re: I can't install Qubes 4.0

[velcro]

Do you have VT-x enabled? I managed to get mine installed when I changed the 
LCD/Display settings in the BIOS. 

This is not my strong point but it sounds like you are close...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cc662bb9-e3bb-4ea9-8be3-bc3ca9b1077d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: ANN: Testing new VPN code for Qubes

[velcro]

> 
> 1)
> can you update your templates otherwise?

Yes I can update my templates

> 2)
> sudo apt-get install openvpn   should have nothing to do with the  later 
> step  of  install the  tasket  scrip-let  . (not the tunnel) just 
> the  VPN script on GitHub

I was just hoping to make sure I haven't missed a basic step. It is my 
understanding the stock Debian-9 template that comes with 4.0 does not have 
OpenVPN installed. "sudo apt-get install openvpn" is all thats needed? Is there 
additional commands to install any dependencies? 


> 3)
> if you Not talking about the "tunnel" script  just  the  VPN tasket 
> script,  why not leave the  Template out of the equation and just 
> install the script  in a fresh  App-ProxyVM  that "allows networking" 
> (proxy)

Whats strange is I had the "Tunnel" script working prior to my fresh 4.0 
install. The "VPN Tasket" also worked but moved to the "Tunnel" prior to my 
fresh install.

I tried going back to the "App-ProxyVM" only(i.e. no template configuration) 
but it too didn't work

> 
> and just leave Tor out of the whole puzzle  IMO

I'll try with out TOR to see if that changes anything...

Thanks,
V

(Morlan - I used to connect my VPN proxy via sys-net -> VPN -> AppVM when I had 
this running...I would defer to other more seasoned Q users but consider 
multiple VPNs configured for different IPs, TOR over VPN...my thought was VPN 
thru sys-firewall consumed resources and wasn't sure it provided additional 
security...I would be open to being corrected if that is wrong)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/48167f14-15c5-404b-a4e5-e4a97e21116e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

[velcro]

Strangest thing, I did a fresh installation of Qubes and now I can't get this 
to work again?

Sorry for the basic question but is there something I need to do to the fresh 
debian template after installation?

I am trying to eliminate all possible issues but to install OpenVPN to the 
debian template:

1) I simply allow access to TOR or a network to get OpneVPN
2) Type : sudo apt-get install openvpn

I am having the same issue with Fedora as well, could there be another reason 
for this not connecting?

I get the "Waiting for connection" message but I don't get the "Link is up"...

Thanks for any thoughts...

V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/43185fcd-09f6-470c-acab-23553d7af623%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: I can't install Qubes 4.0

[velcro]

Having struggled with installation I have found trying different BIOS settings 
helps. Even what I thought was the most unrelated change in the BIOS sometimes 
worked including:

Legacy only
Turning off secure boot
LCD settings
Boot order

I wish I had a specific answer but have you tried changing these settings? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f14962d-ecca-4605-bee9-3aa1caf5ca6b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

[velcro]

Sorry correction to my notes:


Using qTunnel:

For Debian proxy, add OpenVPN package to your VPN template:
su
apt-get update && apt-get install openvpn unzip

Download and transfer file to template
https://github.com/tasket/qubes-tunnel.git

cd “Then drag downloaded file into terminal from tasket”
sudo bash ./install

Create proxy AppVM using VPN template: sys-VPN
Colour: Green
Provides Network  Checked
connect to sys-net
Launch settings  - Checked

Settings:
Add files and Terminal to Applications
Add “qubes-tunnel-openvpn” to services

Move VPN config files to new proxy AppVM

Open proxy AppVM terminal:
sudo mkdir /rw/config/qtunnel

sudo /usr/lib/qubes/qtunnel-setup --config

Enter VPN name and password

sudo mv “Then highlight the .pem, .crt and config file (renamed to xx.ovpn)” 
/rw/config/qtunnel

Optional - Change config DNS:
setenv tunnel_dns '208.67.222.222 208.67.220.220'

cd /rw/config/qtunnel
sudo ln -s xx.ovpn qtunnel.conf
(xx is the VPN client config)

Restart AppVM...look for “Links is up” pop-up

https://github.com/tasket/qubes-tunnel

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4bf9dd58-16af-48e7-b372-5c819946d402%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

[velcro]

Here are my notes/instructions I made based on yours, I drag and drop some 
files into terminal(vs purely command lines):

Using qTunnel:

For Debian proxy, add OpenVPN package to your VPN template:
su
apt-get update && apt-get install openvpn unzip

Download and transfer file to template
https://github.com/tasket/qubes-tunnel.git

cd “Then drag downloaded file into terminal from tasket”
sudo bash ./install

Create proxy AppVM using VPN template: sys-VPN
Colour: Green
Provides Network  Checked
connect to sys-net
Launch settings  - Checked

Settings:
Add files and Terminal to Applications
Add “qubes-tunnel-openvpn” to services

Move VPN config files to new proxy AppVM

Open proxy AppVM terminal:
sudo mkdir /rw/config/qtunnel

sudo /usr/lib/qubes/qtunnel-setup --config

Enter VPN name and password

sudo mv “Then highlight the .pem, .crt and config file (renamed to 
“openvpn-client.ovpn)” /rw/config/qtunnel

Optional - Change config DNS:
setenv tunnel_dns '208.67.222.222 208.67.220.220'

cd /rw/config/qtunnel
sudo ln -s xx.ovpn qtunnel.conf
(xx is the VPN client config)

Restart AppVM...look for “Links is up” pop-up

https://github.com/tasket/qubes-tunnel

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/81279605-3256-4e42-a2c4-c62337fcfdf6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

[velcro]

Adding this to my config:
setenv tunnel_dns '208.67.222.222 208.67.220.220' 

instead of:
setenv vpn_dns '208.67.222.222 208.67.220.220'

worked. 

Both http://welcome.opendns.com/ and https://www.dnsleaktest.com/ show that 
OpenDNS are being used.


I am more then happy to help test, I was planning to make the shift but my DNS 
wasn't working...all good now. Thanks for the help...

I'll move my sys-VPNs to this new project...I was just reluctant to make the 
move as my DNS was not showing correct. All good now!

Thanks again...if anything comes up I'll report back. If you want me to try 
something more then happy to help...

Thx




-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3bba2bdb-0253-4283-9be4-d8ce097e261a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

[velcro]

Using debian 9, link indicates "Link is up", I get internet connection, 
https://www.dnsleaktest.com/ indicates my VPNs IP(despite "setenv vpn_dns 
'208.67.222.222 208.67.220.220'" in my vpn configuration) when I use this 
configuration...


V


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/71b39261-7ea0-4259-a639-05a007c1cfa0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

[velcro]

Chris/Tasket,
I am currently using this version: https://github.com/tasket/Qubes-vpn-support

"Master version"

I have this running in a proxy AppVM (Not in a template)

Using PIA VPN service

OpenDNS checks out OK



I just tried this version in 4.0 in the template. Some notes feedback:

1) When I tried changing the DNS to OpenDNS in my config file:
setenv vpn_dns '208.67.222.222 208.67.220.220'


I then went to:
http://welcome.opendns.com/

It failed and informed me I was not using OpenDNS.


2) The step 3. in the abbreviated instructions say to run:
/usr/lib/qubes/qtunnel-setup --config

However I had to run:
sudo /usr/lib/qubes/qtunnel-setup --config

I was able to get to the internetI didn't do any further testing. If you 
want me to try some things more then happy to help...

Thanks again for the work.

V




 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b86bb2c7-91db-4c6f-aa4d-a9de218eea88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] The best compromise for a Laptop (Balance security with reality of implementation)?

[velcro]

I am exploring the best Qubes laptop based on the following criteria:

1) Secure/Privacy
2) Usability and maintenance for the layman in need of security
3) Price
4) New laptop

Based on my research the most secure would be:

Older laptops:
G505 
x220
T420
W520/W530
Pro: 
-price/value
-Coreboot

Cons:
-only available as used/refurbished

For a new, currently available on the market(a positive HCL report just came 
up):
Lenovo - T480
I am sure other Lenovo work well...my experience has been good.

Other products I have looked at include:

Carbon 5/Developers - Recalled...potentially good in the future refurbished 
market. Huge value in the fact the Qubes developers use this laptop. A little 
expensive

Purism - Libre or coreboot? with proprietery software in BIOs

System 76 - Gaming PC primarily

Thinpenguin - Libre or coreboot? with proprietery software in BIOs, 
manufacturer unsure of 4.0 compatability

Talos2 - expensive(desktop only?)

My specific questions are:
1) A lot of custom gaming laptop makers in the USA...any companies flashing 
Coreboot or Libre on new or refurbished laptops commercially for Linux?
2) My wish list would be able to crack open a laptop and flash 
coreboot(orLibre) but I am concerned this is just too techy. Is it hard to do? 
Is it hard to maintain? Hard to repeat?
3) How risky are the proprietery BIOS? Is this Nation state, Lenovo threats 
only? While I like my privacy I likely have bigger issues if they want access. 
How risky are "stock" BIOs from say a Lenovo...realistically/practically 
speaking.
4) Is Qubes still better then a Mac or PC even with proprietery BIOS?

I am an open source purist(wannabe) but I need to balance 
usability/practicality. I am trying to understand and quantify the benefit of 
OSS BIOS and the security benefit balanced with ease of 
maintaining/implementing.

While its frustrating the hardware compatability challenges, I like the hard 
stance Qubes makes on hardware "certification"

Any feedback or dialogue is welcome.

(PS Thanks for the forum members for prior posts and helping with the info 
above)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/118c3bcc-88c2-40a3-bfc5-902718a2636c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Errors on booting 4.0 and time is off? Otherwise working great!

[velcro]

I am getting ACPI errors when I boot, everything works, or at least I haven't 
seen a functionaility issue. I am however concerned and trying to understand 
implications from a functonal and security perspective. The errors are:

[   1.] ACPI Error: [\_PR_.CPU0._CST] Namespace lookup failure, 
AE_NOT_FOUND (###/pspargs-364)

[   1.] ACPI Error: Method parse/execution failed  \_PR_.CPU3._CST] 
, AE_NOT_FOUND (###/psparse-550)

[   1.] ACPI Error: Method parse/execution failed  \_PR_.CPU._CST] 
, AE_NOT_FOUND (###/psparse-550)

Not sure this is related but my time is off by 5 hours in Qubes. My BIOS time 
is set correctlyalways seems to be 5 hour difference.

My functionaility seems to be great

Any thoughts on how I can get rid of the errors or if I should be worried about 
the errors?

Thank you again

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1ef594d2-37ad-4116-a78a-7785b66fd877%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Stock firewall vs a new created firewall in 4.0?

[velcro]

I created a new sys-firewall from the one that came with the installation of 
4.0...is there anything special I need to do to make this the same as 
sys-firewall in terms of configuration?

Its working:

New appvm, provides networked=checked, connected to sys-net is what I did to 
create it.

Thanks in advance...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f29d007c-e040-4f18-86dc-ae15e4ef1ce6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

Manage to get this working on 4.0 using the Master!

Below are my abreviated steps:

Using Master File from Tasket

Create proxy using VPN template:
sys-VPN
Green
Provides Network  Checked
connect to sys-net
Launch settings  - Checked

Settings:
Add files and Terminal to Applications
Add “vpn-handler-openvpn” to services

Optional-Change DNS in your PIA config: setenv vpn_dns '208.67.222.222 
208.67.220.220'

sudo mkdir /rw/config/vpn
sudo mv “highlight all 3 vpn files and drag to terminal here” /rw/config/vpn

cd “Then drag master4 file into terminal from tasket”
sudo bash ./install

Close terminal, open new terminal:

cd /rw/config/vpn
sudo ln -s this_vpn.ovpn vpn-client.conf

Restart new proxy vm

Tasket...I needed to create the "/rw/config/vpn" file first, add my PIA files 
before I could get the Tasket file to "link".

Thanks again for this solution...is there an ETA when this will be built into 
4.0/4.1?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/410c5352-0625-40e1-b1aa-33372473eb4b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL - Lenovo Thinkpad T480

[velcro]

Thanks for sharing...my understanding is you can get this Laptop new? Not sure 
if you know but this can come with either these processors:


8th Generation Intel® Core™ i7-8550U Processor (1.80GHz, up to 4.0GHz with 
Turbo Boost, 8MB Cache)

or


8th Generation Intel® Core™ i7-8650U Processor with vPro (1.90GHz, up to 
4.20GHz with Turbo Boost, 8MB Cache)

Your HCL states you have the vPro...

Would you or anybody know if you can get all the functionality including AEM 
with the i7-8550U (with out the vPro)?

Is there a higher risk of attack with the vPro?

Thanks for doing this HCL...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a9b2132e-3224-44d6-a76a-0b251f5dd8f2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

Chris,
I tried the Master and it didn't work, following your guidleines(and trying 
mine above). The Qubes4.0 version does work...

Using a Debian template, setup entirely in a AppVM, using 4.0, I follow the 
instructions on Github: https://github.com/tasket/Qubes-vpn-support.

After step 2 in your instructions, I am not prompted for username and password.

I have tried running:

sudo /usr/lib/qubes/qubes-vpn-setup --config

after step 2 with out shutting down. No luck...

When I shutdown and restart the proxy I am prompted for username and password 
in a terminal that doesn't allow me to copy username and password(I didn't try 
manually entering username/password). I close this terminal try running again:

sudo /usr/lib/qubes/qubes-vpn-setup --config

I tried changing the order of my steps with no luckI think it connected 1 
time but have not been able to reproduce.

Qubes4 works fine as a proxy...is qubes4.0 OK? Seems to work great...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e773da0a-a9da-46aa-b580-3a49d27d847c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

Correction to instructions I followed:

Create proxy using VPN template:
sys-VPN
Green
Provides Network  Checked
connect to sys-net
Launch settings  - Checked

Settings:
Add files and Terminal to Applications
Initial memmory = 500mb
Max memory = 4500
Add “vpn-handler-openvpn” to services

Open a terminal and file manager in new proxy appVM:

cd “Then drag qubes4 file into terminal from tasket/github”
sudo bash ./install


Enter VPN name and password

Close terminal

Reopen terminal

Transfer XXX PIA config files into your new VPN AppVM:
Change your PIA config file to “openvpn-client” and add DNS if wanting to use a 
DNS service other then PIA
setenv vpn_dns 'IP of DNS provider'

Move PIA files by running this command:

sudo mv “Then highlight the .pem, .crt and config file (renamed to 
“openvpn-client.ovpn) and drag them into the terminal” /rw/config/vpn

Final terminal commands to create .conf file:

cd /rw/config/vpn
sudo ln -s openvpn-client.ovpn vpn-client.conf


Restart VM!!! Wait for “Ready to Connect” and “Link is UP” 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ce3d2efe-dc10-472b-a9c2-3062d1fed894%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

Once again Tasket/Chris thanks for the help...got it working with both Debian 
and Fedora in 4.0 running as a Appvm. The issue was in the .conf file/password 
linking and the order I was doing this. I think my debian issue was not having 
openvpn in the debian template.

Is Qubes4 still the file to use?

Great work and thanks again.

V

I followed these specific directions (kinda of a hybrid between terminal and 
GUI...inline with your instructions on github):

Create new appvm Qube:

For Debian proxy, add OpenVPN package to your VPN template:
su
apt-get update && apt-get install openvpn unzip


Create proxy using VPN template:
sys-VPN
Green
Provides Network  Checked
connect to sys-net
Launch settings  - Checked

Settings:
Add files and Terminal to Applications
Initial memmory = 500mb
Max memory = 4500
Add “vpn-handler-openvpn” to services

Open a terminal and file manager in new proxy appVM:

cd “Then drag qubes4 file into terminal from tasket/github”
sudo bash ./install


Enter VPN name and password

Close terminal

Reopen terminal

Transfer Tasket/Qubes4 file and PIA config files into your new VPN AppVM:
Change your PIA config file to “openvpn-client” and add DNS if wanting to use a 
DNS service other then PIA
setenv vpn_dns 'IP of DNS provider'

Move PIA files by running this command:

sudo mv “Then highlight the .pem, .crt and config file (renamed to 
“openvpn-client.ovpn) and drag them into the terminal” /rw/config/vpn

Final terminal commands to create .conf file:

cd /rw/config/vpn
sudo ln -s openvpn-client.ovpn vpn-client.conf


Restart VM!!! Wait for “Ready to Connect” and “Link is UP” 



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/54bb1ca5-c093-47de-839b-0d4e822bdd02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

> > I pulled the logs, looked thru them, I didn't see any personal information. 
> > Seemed OK to past on the forum but sent them to you directly just in 
> > case...feel free to post any info for the greater good of the community. 
> > Thank you again for the help...
> > 
> > I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file 
> > and put them into the VPN folder.
> 
> Just FYI, putting all the configs (instead of selecting them) in /vpn is 
> easier.

Thanks for that...I'll try that!

 
> > Totally willing to try to "avoid
> > the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
> > just before the first systemctl command; it will start quicker." Would you 
> > be open to sharing the commands for this?
> 
> The command is just "sleep 2s".

If I am launching a VM from the GUI when would I put "sleep 2s" into the 
terminal? I am learning but not there yet...


> > I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL 
> > Restrictive Configuration: 
> > https://www.privateinternetaccess.com/pages/client-support/
> > I then move each of the 3 individual files mentioned above into the 
> > /rw/config/vpn folder.
> > 
> > Thanks again for the help...
> 
> Got your log... I think the real culprit shows up here:
> 
> "AUTH: Received control message: AUTH_FAILED"
> 
> This could mean the user/password weren't entered correctly. You can see 
> how its stored by issuing this command:
> 
> sudo cat /rw/config/vpn/userpassword.txt
> 
> To fix it you can edit that file, or run the --config step again from 
> the instructions.

Thanks for that tip...the password is good. Tested it with another application 
and it is correct and working. The VPN proxy also had the correct password.

What else could this be?

What I know:
* This worked with 3.2 in Fedora but I experienced the same error with Debian 
in 3.2
* This worked for a brief moment in 4.0(fedora), had saved the beta file and 
was using that when it worked. I lost that older github/tasket file, I 
downloaded the 4.0 file and have not got it working again.
* I get the "Ready to start link" but then no connection
* This is new infromation but I can connect to my phone wireless but when I try 
another AP it can't connect. I am not sure this is relevant but in my network 
connection I get the following messages:

Ethernet Network (vif6.0)
Device not managedmy connection works


Ethernet Network (vif.20)
Device not managedmy connection DOES NOT work

Tasket my gut tells me I have something else missing, if you can get it to 
work, I am getting a ready to connect message, I had it working. Would a BIO 
setting have an impact?

When I boot I get this error:

ERROR parsing PCC subspaces from PCCT
[Failed] Failed to start Load Kernel Modules 

- Followed by [OK] started Apply Kernel Variable/[OK] Started Setup Virtual 
Console

The struggle I am having is a lack of knowledge about how to trouble shoot this 
although you have taught me a lot Tasket thank you.

Any other thoughts?

I don't want to go back to 3.2 but with out a VPN/kill switch I don't see I 
have a choice.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b0ab23db-a923-4d81-a87c-a00df1055c7d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

I pulled the logs, looked thru them, I didn't see any personal information. 
Seemed OK to past on the forum but sent them to you directly just in 
case...feel free to post any info for the greater good of the community. Thank 
you again for the help...

I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and 
put them into the VPN folder.

Totally willing to try to "avoid
the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
just before the first systemctl command; it will start quicker." Would you be 
open to sharing the commands for this?

I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive 
Configuration: https://www.privateinternetaccess.com/pages/client-support/
I then move each of the 3 individual files mentioned above into the 
/rw/config/vpn folder.

Thanks again for the help...
 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0416e045-f71f-4cf7-a99e-d64c8270b925%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Error: Failed to synchronize cache for repo 'qubes-vm-r4.0-current' with Fedora and 4.0?

[velcro]

Worked like a charm! Thanks...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/af024728-42aa-45c0-843a-46a4aa62402e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

Thanks Chris...again thank you for the effort! This tool is great...

Does it matter that Private internet access provides 3 seperate files (key, 
cert and client config)?

I have the proxy AppVM set up with "provides network"(proxy) checked, I have 
tried a setup in proxy only and a setup in Template/Proxy, PVH(tried 
PV...similar to 3.2)...I don't think it is the setup as much as the 
configuration of the template? 

I installed GNOME and Openvpn (Using those names specifically) in Debian, no 
additional packages installed in stock fedora...

I feel like I am missing a very basic command or tweak, whonix works, wireless 
works, sys-firewall works...any help would be appreciated. It seems something 
releated to PIA VPN configuration or VPN-handler-openvpn 

Here are my logs/commands from your suggestions:


root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
total 0
lrwxrwxrwx 1 root root 38 Apr  5 13:16 90_tunnel-restrict -> 
/usr/lib/qubes/proxy-firewall-restrict


root@sys-VPNb5:/home/user# iptables -v -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination 

0 0 DROP   all  --  eth0   any anywhere anywhere

0 0 DROP   all  --  anyeth0anywhere anywhere

0 0 ACCEPT all  --  anyany anywhere anywhere
 ctstate RELATED,ESTABLISHED
0 0 QBS-FORWARD  all  --  anyany anywhere anywhere  
  
0 0 DROP   all  --  vif+   vif+anywhere anywhere

0 0 ACCEPT all  --  vif+   any anywhere anywhere

0 0 DROP   all  --  anyany anywhere anywhere 

I copied errors when I run journalctl:

Apr 06 02:09:52 sys-VPNb5 gnome-terminal-[966]: unable to open file 
'/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() 
failed: No such file or directory; expect degra


Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session 
opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control 
process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes 
proxyVM.

Apr 06 02:09:46 localhost systemd[1]: Started Adjust root filesystem size.
Apr 06 02:09:46 localhost kernel: Error: Driver 'pcspkr' is already registered, 
aborting...
Apr 06 02:09:46 localhost mount-dirs.sh[351]: Private device management: 
fsck.ext4 of /dev/xvdb succeeded

Apr 06 02:09:45 localhost kernel:  xvdc: xvdc1
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext3 due 
to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext2 due 
to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): mounted filesystem with 
ordered data mode. Opts: (null)
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvdd): mounting ext3 file system 
using the ext4 subsystem

Apr 06 02:09:45 localhost kernel: dmi-sysfs: dmi entry is absent.



Apr 06 02:09:50 sys-VPNb5 systemd[1]: Started Serial Getty on hvc0.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Reached target Login Prompts.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session 
opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control 
process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes 
proxyVM.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered 
failed state.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with 
result 'exit-code'.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG network certificate 
management daemon.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG cryptographic agent 
(ssh-agent emulation).


   

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dcabc134-6488-46c4-a359-bca31e0d365e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Error: Failed to synchronize cache for repo 'qubes-vm-r4.0-current' with Fedora and 4.0?

[velcro]

I think there is an issue with Fedora updates thru TOR...

Any body willing to share the specific commands or instructions to change an 
update file from http to https? Here is the thread: 
https://github.com/QubesOS/qubes-issues/issues/3737

A potential solution was:

"Try to modify /etc/yum.repos.d/qubes-r4.repo to use https instead of http."

I didn't even know how to google the question? Any help would be surely 
appreciated...


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3aa4b2e6-156c-49d6-a1b0-8a48f75ec246%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Help with 4.0 transition from 3.2?

[velcro]

Sorry lots of questions in 1 thread but thank you all for the responses:

Question 1-
The ACPI errors were:

ERROR parsing PCC subspaces from PCCT
[Failed] Failed to start Load Kernel Modules - Followed by [OK] started Apply 
Kernel Variable/[OK] Started Setup Virtual Console


ACPI error: parse execution failed\_PR.CPU0PSParse-550

ACPI error: Namespace lookup failure\_PR.CPU1PSParge-364

ACPI error: Namespace lookup failure\_PR.CPU2PSParge-364


Using Legacy only boot, Lenovo notebook


Question 2 -
Still slow but functional for what I use this .iso for...the additional 
templates I can add with 4.0 kinda make me less interested in this 
functionality. All for the security!!

Question 3, 4, 5 - 
I managed to delete the templates I wanted to. Did a fresh install and was 
smarter the second time. My advice would be to leave the current templates 
until you are comfortable with the new setup and how they work. 

2nd time advice for templates in 4.0-
*Make most configuration changes in the "core" template before creating a 
new"core"-dvm from which the disposable VMs are spawned from i.e. printer 
setups in "core" template
*Make changes to firefox in the "new-dvm" that require browser ad-ons
*Don't make any templates default until you get comfortable with multiple 
templates...painful to have to remove them from your VMs

Pretty slick feature having multiple templates once you get used to managing 
them!!

Thank you for the help...
Question 6-
Did a manual update in Dom0:
sudo qubes-dom0-update
"No updates needed or available"?? Couldn't remember the exact words but I had 
to do manual update and I think I am up-to-date.

Question 7-
I found the article(https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/) 
being considered with Qubes 4.0. I also remember it not being implemented yet 
but wasn't sure if one had the option to turn this feature off. I totally get 
the need to have enterprise embrace this project...it really is comforting 
knowing I am more secure but the remote feature is what turned me off MS and 
Apple. Just wanted to make sure I wasn't missing something...

Going thru a few growing pains but if my questions helps others and the 
developers its the best I can do...

Thank you 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/308af9a9-6391-4ffe-a65c-9af9fb350515%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

[velcro]

I thought I would start a new thread, I had Taskets VPN solution working like a 
charm with 3.2 but when I transitioned to Qubes 4.0 it no longer worked. I did 
manage to get it working but I didn't capture my steps:(

3.2 thread:
https://groups.google.com/forum/#!topic/qubes-users/FUQaRPWXPj8


I have been trying this for a few days but admit I am stumped...

How do I trouble shoot and get this up? 

Notes:
I am trying to use Debian 9 for this
I was experiencing similar issues with Fedora(I didn't capture the logs)
I get a message that my VPN VM is "Ready to start link" message
I have tried using the 4.0 VPN file and the Master file (similar results)

When I run "Su journalctl" on my VPN-VM I find these errors:

Apr 05 10:15:12 sys-VPNb5 systemd[1]: Reached target Network is Online.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting keep memory of all UPnP devices 
that announced themselves...
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting /etc/rc.local Compatibility...
Apr 05 10:15:12 sys-VPNb5 qrexec-agent[560]: executed user:QUBESRPC 
qubes.SetMonitorLayout dom0 pid 649
Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: iptables: Bad rule (does a 
matching rule exist in that chain?).
Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: Error: Firewall rule(s) not 
enabled!
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting Permit User Sessions...
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control 
process exited, code=exited status=1
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes 
proxyVM.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered 
failed state.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with 
result 'exit-code'.
Apr 05 10:15:12 sys-VPNb5 su[633]: Successful su for user by root
Apr 05 10:15:12 sys-VPNb5 su[633]: + ??? root:user
Apr 05 10:15:12 sys-VPNb5 qrexec-agent[649]: pam_unix(qrexec:session): session 
opened for user user by (uid=0)

Is there anybody who can help?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/36678578-6a53-49ad-a530-a68a7d85f548%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Help with 4.0 transition from 3.2?

[velcro]

I recently transitioned to the new 4.0thank you Qubes Developers and 
Community for the effort and help. I really appreciate the better security.

I managed to get 4.0 installed however I am having some challenges and concerns:

1) I am getting numerous ACPI erros when I boot? 4.0 seems to boot, I can login 
and function but I am concerned. Is this a concern? I didn't get these errors 
when booting 3.2.

2) I used to be able to download a .iso file, keep it in a VM and boot it from 
another VM. 3.2 even had a "Boot from .iso" function. I managed to get this 
working with 4.0 but it is extremely slow and sometimes doesn't work. Was the 
boot from .iso functionality removed?

3) I am struggling with customizing the DVMs. Specifically I can't delete a 
DVM. I tried the steps on this link: 
https://www.qubes-os.org/doc/dispvm-customization/ but it just didn't delete. 
Are there other instructions available? Maybe some one is willing to post there 
steps/commands?

4) I am unsure how to add a wireless printer into a DVM? I either can't install 
the driver i.e. Do I install software into e.g. Print-dvm(based on 
Debian-9-Gnome), Debian-9-Gnome Template, other?

5) Could be related to 4) above but I have been unable to get my printer to 
even provide an error(possible networking issue). In 3.2 I would add the 
printer to the Debian-9-Gnome template and then generate a new "DVM"

6) When I attempt to update Dom0 after install I get the pop-up from Dom0 that 
something is happening, I get the "green update" window(similar to 3.2) but 
then it just stops...no message about "No updates needed" or any response. Is 
my Dom0 up-to-date?

7) It is my understanding that 4.0 introduces a remote admin functionhow do 
I confirm this is OFF and can never be turned on?

Please understand this is by no means critism...I truly do appreciate the new 
version and sense it is more secure with the PVH default and with the new code 
that is under the hood.

Some things that worked well:
* VPN by Tasket works great.
* Love the clean and updated Debian/Fedora templates
* Ability to swap templates and a VM and get the new programs refreshed
* The potential of multiple DVMs and additional drop downs beyond just Firefox

Any help with my questions above would be greatly appreciated and I would be 
happy to summarize the instructions for users having similar challenges now or 
going forward.

Thanks again for the effort,

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c1b39fdf-44f1-43b2-a1ca-31ddc085e557%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] how to add "Files" manually to AppVM

[velcro]

In Debian you need to install it:

su
apt-get install nautilus

By no means an expert...but I struggled with this in the Debian template AppVMs.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d24e398b-1f86-4ea0-898c-efaffabad6b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

[velcro]

My Fedora setup is still working great. Passes OpenDNS check when they are 
added to config, reconnects generally after I turn off my wireless.

I am trying to get this to work with a stock Debian9 template(upgraded from 
Debian8 with stock install).

I can't seem to get it to work with Debian, the closest I have come is to a 
pop-up alert saying "Ready to connect" or words to that effect. I feel like I 
am missing a basic step in adding OpenVPN. I am adding the following commands:

su
apt-get install openvpn
apt-get install nautilus
apt-get install network-manager-openvpn-gnome   ?

It just works using the Fedora 26 template(Not minimal template)...

Any suggestions?

Thanks in advance...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a96b06fc-0bec-43e1-9c20-806a66ce11cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Spilt-GPG help - 3.2

[velcro]

I am not sure if the "Split-GPG" is for email signing and encryption only but I 
am being prompted to enter a password for a VM that I use for email. Is this 
expected? I like the idea of a password to access this VM but is there a better 
way to secure this?  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c91db6ae-f686-4b88-a267-200543eeda2f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Enhancing Template security?

[velcro]

I am trying to harden my Fedora and Debian templates and was hoping for some 
basic help and commands to do the following:

How would I enable sudo authentication in a Template?

How would I add a service like Qubes-VM-hardening ?

Should I enable AppArmor in a template and VM?

Any other hardening best practices?

Thanks you in advance...I am hoping these are easy for the layperson!

V
 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6206c49f-fb01-4163-9437-e0ed9560f4c8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Spilt-GPG help - 3.2

[velcro]

I love Qubes! Kudus to those developing and helping on this forum...I am sure 
others would agree that the effort is greatly appreciated.

I am hoping I can get some help with "split-GPG" setup and signing emails. Some 
notes and questions about my configuration:

* I plan to use Thunderbird.

* I have since created a new vault from default during installation - I have 
some files in this vault, documents, some passwords...I consider this 
non-networked VM my "vault", although I am just getting into certificates for 
email signing and email encryption. 
- Should I use this VM for my certificates(or a dedicated certificate VM) or is 
it a big no?

* I found a good tutorial on creating certificates using GnuPG with QubesOS: 
https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
( a little dated but did create test certificates...thanks Apapadop!)

* I followed the steps in this Qubes-OS wiki: 
https://www.qubes-os.org/doc/split-gpg/ , however I get lost here:

Setting up the GPG backend domain

Make sure the gpg is installed there and there are some private keys in the 
keyring, e.g.:

[user@work-gpg ~]$ gpg -K
/home/user/.gnupg/secring.gpg
-
sec   4096R/3F48CB21 2012-11-15
uid  Qubes OS Security Team 
ssb   4096R/30498E2A 2012-11-15
(...)

How do I create this file: /home/user/.gnupg/secring.gpg ?
Where do I keep my certificates in the "vault"? What commands or folders do I 
need to create?

I tried finding more basic instructions but my "Googling" had no luck...how do 
I put private keys in my "vault" keyring and use Thunderbird in a seperate, 
dedicated VM to sign and encrypt my emails utilizing split GPG?

Excuse me if this has already been answered or clarified in another post I 
couldn't find.

Greatfully,
V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7e9a52d7-1a30-45cf-ac17-f396280620cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

[velcro]

Pretty slick Chris...

I just reconfigured with your Qubes4 
(https://github.com/tasket/Qubes-vpn-support/tree/qubes4)...I assume it 
defaults to 1.4beta2. I added the following to the PIA OpenVPN config file:

setenv vpn_dns '208.67.222.222'

...at the bottom of the config file and hit "save". 

I went to:

https://support.opendns.com/hc/en-us/articles/227986567-How-to-test-for-successful-OpenDNS-configuration-

and it showed it worked OpenDNS was "active".

Question:
1) If I wanted to put both OpenDNS IPs into this would the addition to the 
config file look like this?:

setenv vpn_dns '208.67.222.222 208.67.220.220'
(i.e. space between the IPs)

I'll keep you posted how it works on Qubes 3.2...not sure I can do any formal 
tests but it is working. Would be happy to try if you tell me how...otherwise 
I'll keep you posted on what I see.

Thanks again for all you do...this is super hero type stuff!!

V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8caeab8c-eae5-4609-83b0-59138e7aa51b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

[velcro]

Again I have been using the Tasket VPN setup with Fedora 26 for a few weeks and 
it works well...love the kill switch element!

I was hoping to beef up the security(maybe compromise the privacy) of the VPN 
service by adding OpenDNS or Quad9 DNS addresses to this configuration.

My questions I was hoping to get some thoughts on were:

1) I was presented with a Phishing site the other day...understand I am being 
targetted so I am not suprised. Is OpenDNS, Quad9 better then others? Are there 
others that would provide just as good filtering?

2) Tasket I found some documentation in the Qubes-vpn-support-master (README.md 
file) and references the ability to change your DNS address:

You can manually set your VPN's DNS addresses with:
```
export vpn_dns=""
sudo /rw/config/vpn/qubes-vpn-ns up
```

How would I specifically change this? Is this a command? Would this be the 
specific command I would enter into my VPN VM if I was using OpenDNS:

export vpn_dns="208.67.222.222 208.67.220.220"
sudo /rw/config/vpn/qubes-vpn-ns up


I am asking here in the spirit of maybe providing some help to people trying to 
do the same thing...

Gratefully,
V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b3725e34-23d7-4f11-9fc8-e6a3e607f57c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anonymizing your MAC Address with macchanger and scripts

[velcro]

Chris if you could replicate the simplicity in your instruction for a 
"kill-switc-VPN" for the this feature that would be awesome...

This seems like a great feature...I am getting up to speed on the Linux 
commands but I suspect a lot of the laypeople(who likely need the security) 
would appreciate this feature if they could understand the detailed steps, even 
if simple.

Thanks again for all you do

V 


https://groups.google.com/forum/#!searchin/qubes-users/vpn$20github%7Csort:date/qubes-users/FUQaRPWXPj8/SMlPfhwuAgAJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/861e424b-3955-4fb4-a6fa-2915ff776105%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] High spec laptop for Qubes OS

[velcro]

I know they were volunteered recalled but could be an opportunity for good 
refurb pricing... 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0978efa7-9f08-41a1-b748-b4ada2b3ca28%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] High spec laptop for Qubes OS

[velcro]

I think a Lenovo is the way to go...the Qubes developers use them, the X1/Gen5 
was mentioned as being popular with them. I googled and Max Ram is 16, however 
I went from 8-12 and more then satisfied with improvement. I wanted the X1 but 
thought it was out of my budget and thought I would look too cool using it:)

gmx.com...your comment:

> Notes:
> There isn't much point using qubes with hardware that has ME/PSP, 

Is the ME/PSP risk more from a Governement/Intel threat or are the 
vulnerabilities with these features available to other threat vectors as well? 
Would appreciate your thoughts...

Thanks again Qubes team...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eacb8b5a-1a38-474f-b05a-d431086e9554%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] What does an AEM alert look like?

[velcro]

Curious as to what to look for with an AEM alert? Is there log? Does it alert 
you when you boot?

Appreciate any thoughts...

Thanks,
V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ba7f6280-b857-4cd8-914e-d572142a451c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Proxy/firewall VM with template fedora-26-minimal non-functional

[velcro]

 Try downloading a fresh fedora 26 template:

https://www.qubes-os.org/news/2018/01/06/fedora-26-upgrade/


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ce65d625-a1a7-4eba-a3cb-8d35472f247f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Problem installing Qubes on Lenovo Thinkpad T450s

[velcro]

I am trying to load 3.2 onto a T450s, I'd like to keep Legacy mode as it allows 
me to have AEM.

I was able to install using the same thumb(created using dd) on another 
computer, no problems, however I keep going back to "Test and install 3.2" when 
trying to load Qubes onto a T450s.

I saw some users having similar challenges...any suggestions? Kind of a bummer 
thought I was getting a popular "all green" choice from the HCL list.

Any help would be greatly appreciated

V

(I corrected an omission in this post: "I was able to install using the same 
thumb(created using dd) ON ANOTHER COMPUTER"

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/23fc9d9c-070e-49f6-a3bd-1c1026bb8a87%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Problem installing Qubes on Lenovo Thinkpad T450s

[velcro]

I am trying to load 3.2 onto a T450s, I'd like to keep Legacy mode as it allows 
me to have AEM.

I was able to install using the same thumb(created using dd), no problems, 
however I keep going back to "Test and install 3.2" when trying to load Qubes 
onto a T450s.

I saw some users having similar challenges...any suggestions? Kind of a bummer 
thought I was getting a popular "all green" choice from the HCL list.

Any help would be greatly appreciated

V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/89ebdc33-9f24-407e-b12a-9a53fee01f2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

[velcro]

Thank you Tasket\Chris...

Thanks for the education on trust/veracity/trustworthiness with Github.

You and the Qubes team are doing a good thing! I really appreciate all the 
help...

Thank you!

V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9a06d65d-ee00-4ec8-bd2f-20b7d30bda0a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

[velcro]

Thanks Chris(and "tasket"!)took me a few tries but I managed to get it 
going, I tweaked the implementation a bit(scarey).

I was not however able to get this command going from step #3 of the Github 
guide:  sudo /usr/lib/qubes/qubes-vpn-setup --config

I doubt I did this right/well but when I went to DNSleaktest.com it showed no 
leaks.

Couple of questions:
* What security am I not getting by doing step #3?
* Is using a script from Github good? Appreciate the lead but will this be 
sanctioned by the Qubes community long term?
* How can I test the kill switch functionality?
* Any feedback, comments, ways to do it better?

Looking forward to those instructions Chris...

My sketchy/newbie steps are detailed below:

Create Proxy VM  Make Green  Proxy  Connected to sys-Net -  Name it

Add Files and Firefox in applications (didn’t really need firefox as I could 
download it in a disposable and the move it to my new sys-VPN)

Go to the services tab and add vpn-handler-openvpn then hit the + button

Notes:
* All commands were done in the proxy VM (No template was used)
* Not a huge terminal expert, so used GUI for some things

Download config files:
https://github.com/tasket/Qubes-vpn-support hit the green Clone or Download 
button
https://www.privateinternetaccess.com/pages/client-support/ (Download the 
“openvpn-ip.zip” file) specifically 
https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip
 
Unzip openvpn-ip.zip in download folder
Manualy change name in file from “US East.ovpn” to  “openvpn-client.ovpn”

sudo mkdir /rw/config/vpn
sudo mv “openvpn-client.ovpn” '/rw/config/vpn'
sudo mv “.crt file” '/rw/config/vpn'
sudo mv “.pem file” '/rw/config/vpn'

cd '/home/user/Downloads/Qubes-vpn-support-master'
Type cd(space)then drag and drop from downloads the whole “Qubes-vpn-support” 
from “Github” in your downloads folder(Manually Unzipped folder by double 
clicking)

sudo bash ./install

Enter VPN User name and password


Close terminal

cd /rw/config/vpn
sudo ln -s openvpn-client.ovpn vpn-client.conf

Restart VM

Connect your VMs


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b126ae28-d76a-4670-9f6a-3e8e200aa56b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

[velcro]

I have tried, tried, tried ...and tried and I am over my head! (Fedora 26, 
Qubes 3.2)

I am stuck

I tried this:
https://www.qubes-os.org/doc/vpn/

and this, this was a pretty good video but unfortunately its not the same as 
PIAs config.:
https://www.youtube.com/watch?v=K1_zqT7_N7k (Nice video internetz.me...learned 
a lot)

Qubester I went down your path as well but wasn't sure where to go after.


But couldn't really get off step 2 of the Qubes instructions...primarily due to 
my linux skills.

Can anybody help?

I got a NetVM working but with out a kill switch and credentials exposed it 
just doesn't work for me.

Looking at the Qubes instructions, I was able to create the "sudo mkdir 
/rw/config/vpn" but then things fall apart.

My specific questions from the VPN instructions that keep derailing me, 
specifically the basic commands needed are:

1) How do I copy files to: "Copy your VPN config files to /rw/config/vpn"?
2) "Create a file in the /rw/config/vpn folder with your credentials and using 
a directive"...how do I do this?
3) I haven't gotten further but suspect I'll have more questions.

Anybody have a source for a tutorial...I have googled the h3ll out of this and 
more questions then answers.

I will give you my first born(or a beer/wine!) for a step-by-step on how to do 
this!

This seems like an absolute must feature but I am at my wits end.

Help!

Here are the sad instructions I have so far:

sudo -s

dnf install nano

y

mkdir /rw/config/vpn

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cf4c87c9-6cd6-4108-bcad-26e5709f0489%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Is a legacy BIOS preferable to UEFI for a secure system?

[velcro]

Is legacy BIOs still preferred and likely compatible with 4.0 when final? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/40f6953b-3c11-42a7-914b-ac46970de69c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes update to fedora 26 but dnf still using fedora 23 repo

[velcro]

When you say upgraded did you install a fresh fedora 26 template?

https://www.qubes-os.org/news/2018/01/06/fedora-26-upgrade/

I think the advice is not to "upgrade" from fedora 23 but to install a fresh 
template.

Not sure thats your issue...if not I am not sure how to correct.

Qubes rocks! 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/19548009-a582-49d6-9838-eb35fdcebeac%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] noscript xss warning on qubes os site

[velcro]

I got it in Fedora 26 appVM as well but the website was fedora.org. I am using 
3.2...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ab192c78-be63-4109-9187-47af9c5a0eee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] DebianTemplate for DVM with additional software is flagging an update(despite already updated)? 3.2

[velcro]

Running Qubes 3.2the Debian Template I created for printing is showing an 
update is needed in my GUI interface (Green arrow pointing down). I updated 
this template and other Debian templates but my printer template keeps showing 
an update is needed?

*Tried an update again from GUI-Terminal said nothing needed
*Restarted computer
*Did a manual update directly from terminal using: sudo apt-get update && sudo 
apt-get dist-upgrade

Is there another option I can try before rebuilding the template?

Thanks

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/58e39c33-b5e2-437e-9db5-e33e9d3959e5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Just installed AEM(Anti-Evil-Made)...see an error:(

[velcro]

Managed to find what was causing the error and how to remove the error:

https://askubuntu.com/questions/778875/tpm-error-6-when-booting-thinkpad

https://bugzilla.redhat.com/show_bug.cgi?id=1413409

In my BIOS I went to Security -> Security Chip -> Security Chip set to "Active"

However this brings up additional BIOS setting questions...

Any body have any thoughts on the best configuration for my default BIOS for a 
Lenovo? Specifically related to the "Security Chip" settings?

Clear Security Chip?
Intel TXT Feature?

I am not sure I am comfortable yet with changing my BIOS to Coreboot but love 
the idea:)

My threat vector is more from a well funded malicious hacker(vs Intel or a 
Government). Just trying to harden my PC the best I can...

Any thoughts or advice would be greatly appreciated.

Thanks,
V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1d1eba89-166f-4d97-883f-a0a81abdfb2b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: how to reinstall template? (i think it's not enabled by repo)

[velcro]

No expert, but try:

sudo yum remove qubes-template-whonix-ws

then

sudo qubes-dom0-update --enablerepo=qubes-templates-community \
   qubes-template-whonix-ws

You might have tried this but I had to do the whonix reinstall myself

Source:
https://www.qubes-os.org/doc/templates/
https://www.qubes-os.org/doc/remove-vm-manually/
https://www.qubes-os.org/doc/reinstall-template/

I hope this helps you...

V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c764184a-bca2-49f4-8cd1-e0c013dd75fc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Just installed AEM(Anti-Evil-Made)...see an error:(

[velcro]

I have been running Qubes for a few months now, numerous 3.2 installs, most 
recent install was a month or so ago on the the same PC.

I just installed AEM for the first time.

Everything still works, however in my BIOS I had "enabled" the ability to see 
notes/alerts during boot.

Before I enabled AEM, I hadn't seen an error, however after enabling AEM I now 
see the following error during booting:

"[   6.387306] tpm tpm0: A TPM error (6) occurred attempting to read a pcr 
value"

It boots and everything is working so far as I can see.

Is this a concern I should be worried about?

Thanks
V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f62c5c15-059c-437f-bad1-df12d7afa3b2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Basic setup verification tests for correct setup? VT-d? Other?

[velcro]

Thank you awokd and Yethal...learned a lot!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b7c9d444-1857-4ab1-be46-d5baffd83ba3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] AEM? USB devices? Love the name but need guidance...running 3.2

[velcro]

I have read the instructions here:

https://www.qubes-os.org/doc/anti-evil-maid/
In dom0: sudo qubes-dom0-update anti-evil-maid

...but still a little unsure how and where to set up AEM?

My setup is as follows:
a) I have setup a sys-usb with 2 devices selected in VM settings(working well!)
b) I believe my threat is likely from something I click online or in 
email(including an attachment)
c) I am concerned however with some one plugging in a malicious USB
d) I am running qubes 3.2 on a laptop and do not have/need any peripheral USB 
devices such as mouse, webcam, etc. 
e) I do however need to plug in a thumbdrive and backup drive so I can backup 
my data and save/get files to and from a thumb drive. 

If I am reading the instructions correctly I need to make a choice between 
threat vector c) or d).

My question are:
1) I have only selected 2 devices for my sys-usb yet have 3 USB slots on my 
laptop? Why is there not a 3rd device for me to select in my sys-usb? The 2 I 
have selected are labeled "00:1a.0" and "00:1d.0" followed by "USB 
controller..."

2) If I need to decide between threat vector c) or d). How would this command 
be different for each scneario? "sudo qubes-dom0-update anti-evil-maid"...

3) If I add AEM to my laptop can I still wipe my laptop and reinstall Qubes 
again?

Sorry for the noobie question...

Thanks,
V   

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7f73261c-5b94-4789-8aaf-dafadcdbdb16%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Trying to get my head around a configuration for a VPN-Proxy VM and its firewall?

[velcro]

I just wanted to clarify my questions...I made some edits:

> Scenario #1
> VM---sys-vpn--\
>\
> \
> VM-sys-firewall---sys-net
>  /
> /
> VM-/
> 
> 
> 
> Scenario #2
> VM--sys-vpn--sys-firewall---sys-net(Wireless and ethernet)
> VM---sys-firewall---sys-net(Wireless and ethernet)
> VM---sys-firewall---sys-net(Wireless and ethernet)
> 
> 
> 
> Scenario #3
> VM--sys-vpn-sys-net(Wireless and ethernet)
> VM--sys-firewallsys-net(Ethernet only)
> VM--sys-firewallsys-net(Wireless only)
> 
> 
> I am looking at configuring a VPN for 3.2 and I am trying to find the best 
> configuration and firewall settings balancing usability, efficiency and 
> security. My questions are:
> 
> 1) If sys-net is not trustworthy do these scenarios matter from a security 
> perspective regarding sys-net? Scenario #1 I assume consumes the least 
> resources...
> 
> 2) Regarding sys-vpn firewall...do these setting in effect create a kill 
> switch in my sys-vpn firewall?(I am only provided a URL from my VPN provider, 
> not the IPs), firewall settings in my sys-vpn firewall:
> Address= *
> Service= I enter the port number provided by my VPN provider
> Protocol= I enter UDP or TCP depending on my VPN providers instructions?
> 
> Thanks...any dialogue, options, opinions or answers are appreciated
> 
> Happy holiday and thanks again Qubes!
> 
> V

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6969d994-fef0-4380-b1f4-daa42158e2aa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Trying to get my head around a configuration for a VPN-Proxy VM and its firewall?

[velcro]

Scenario #1
VM---sys-vpn\
 \
  \
VM-\sys-firewall---sys-net
   /
  /
VM---/



Scenario #2
VM--sys-vpn--sys-firewall---sys-net(Wireless and ethernet)
VM---sys-firewall---sys-net(Wireless and ethernet)
VM---sys-firewall---sys-net(Wireless and ethernet)



Scenario #3
VM--sys-vpn-sys-net(Wireless and ethernet)
VM--sys-firewallsys-net(Ethernet only)
VM--sys-firewallsys-net(Wireless only)


I am looking at configuring a VPN for 3.2 and I am trying to find the best 
configuration and firewall settings balancing usability, flexibility and 
security. My questions are:

1) If sys-net is not trustworthy do these scenarios matter from a security 
perspective regarding sys-net? Scenario #1 I assume consumes the least 
resources...

2) Regarding sys-vpn firewall...do these setting in effect create a kill switch 
in my firewall?(I only have a URL, not the IPs):
Address= *
Service= I enter the port number from my VPN provider
Protocol= I enter UDP or TCP depending on my VPN providers instructions?

Thanks...any dialogue, options or answers are appreciated

Happy holiday and thanks again Qubes!

V


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0c3cd2c1-1d8e-4915-b15f-28d80f3bf433%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] R3.2: Debian 9 template fails to update 50% of the time

[velcro]

Thank you both! Not sure if thanking on this forum is appropriate as the post 
goes to the top but thanks anyway! Learnt a lot!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1ec9d03c-dff8-4b2c-8d3b-6c8f1e210173%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] R3.2: Debian 9 template fails to update 50% of the time

[velcro]

I am struggling with this same issue...I find that after a restart I can do the 
update but wanted to do this right. I checked the link posted above: 

"User-initiated updates/upgrades may not run when a templateVM first starts. 
This is due to a new Debian config setting that attempts to update 
automatically; it can be disabled with systemctl disable apt-daily.timer"

But as a rookie I am unsure of the specific terminal steps in my template. Any 
chance I can ask the Qubes community for help on the specific terminal commands 
to get this accomplished?

I would truly appreciate the help...thank you and thank you Qubes!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8e8c86c2-d98a-4eb1-be79-08bcac41d40a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Optimize my Lenovo T420 BIOS (or settings when I hit “ThinkVantage” during start-up)

[velcro]

I wanted to start by thanking all those who have made Qubes possible….the idea 
of a “reasonably” secure operating system is such a great thing! Not only do I 
think I am more secure but I feel more secure...again thank you!

I am hoping some folks can help me harden and optimize my hardware/OS even 
more(described in very basic terms if possible):

I am diving into optimizing my BIOS/hardware or in non-technical terms, 
optimize the settings I get when I “hit” the ThinkVantage button during 
start-up on my Lenovo T420(one of the most “greened” box hardware on the Qubes 
OS list (https://www.qubes-os.org/hcl/) and a “Qube core developer” reviewed 
hardware.

1) After entering “F1” I get a menu to make changes to Security and Time 
amongst other options, I have adjusted the following in order to secure and 
optimize my computer for Qubes OS:
Security-
a) Intel ® Virtualization Technology  Enabled
b) Intel ® VT-d Feature - Enabled 

I/O Port Access-
a) Bluetooth  Disabled
b) Integrated Camera  Disabled (also have a piece of tape on my 
camera...just in case:))
c) Microphone  Disabled
d) Fingerprint Raeder - Disabled

2) After hitting “Ctrl + p” I was introduced to Intel ME. I started reading 
about Intel ME (https://en.wikipedia.org/wiki/Intel_Management_Engine) and 
began to get concerned….I did manage to change the default password of “admin” 
but I am not sure what to change in “Intel ® ME General Settings” or “Intel ® 
AMT Configuration”.

While Qubes is working as I want, no issue with connectivity, customizing VMs, 
printing (no USB devices, no desire for cameras or microphones, LibreOffice 
installed, email access, etc…). I am hoping I can harden and optimize my set-up 
for Security even more(maybe privacy and anonymity as well?).

What other settings in these screens can I adjust to optimize Qubes OS?

Thank you again in advance...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a55c5eae-f1c6-41fa-a4e9-1a7a4717bc47%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Printer working with Debian DVMs but not when opening up a doc in a DVM from e.g. Work VM?

[velcro]

I am not sure of the pros and cons but I actually think its OK and makes sense. 
I like the restricted DVM having restrictions. 

Thanks again...and thanks Qubes team!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e6e26cc8-7d45-43f3-a3c6-2f5349f6214c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Printer working with Debian DVMs but not when opening up a doc in a DVM from e.g. Work VM?

[velcro]

I managed to work it out! It is a wireless printer...thank you Unman...you rock!

However my trouble shooting brought up another question: It appears as if the 
DVM launched from "work" inherits the firewall settings from "work"? Is that to 
be expected? All I needed to do was add my printers IP to my "work" 
firewall...is that correct? It does work! I have detailed the step-by-step 
instructions I followed below in case others want to do this. If I have done 
something wrong or there is a better way to do this...I am open to feedback.

Installing wireless network HP Printer into Debian template for DVM:
1) Clone updated Debian Template for printer
2) Download “HPLIP” driver in disposable VM(from HP website)
3) Move drivers/downloaded file to “Cloned Debian Template for printer”
4) Move file to “Cloned Debian Template for printer” desktop
5) Open terminal in “Cloned Debian Template for printer” and type:
cd Desktop
sh hplip-3.17.11.run(“hplip-3.17.11.run” was the file name for my 
drivers)
(when prompted for password type “su”)
6) Open printer settings in “Cloned Debian Template for printer”
7) Click “+” icon in the printer settings
8) Click “Network Printer” → “AppSocket/HP JetDirect” → enter printers ip 
address in “Host:” → “Forward”
9) A choose driver screen pops up → in my case I selected “HP” → I then 
selected my specific printer → this then allowed me to print a test page

Additional Notes:
* Assumes GNOME is installed (sudo tasksel → GNOME (use space bar to select 
GNOME)
* Need to temporary allow network access to “Cloned Debian Template for 
printer” to print test page
* If printing from “work” or other trusted VM, make sure to allow firewall 
access in “work” to printer IP if firewall for “work” is restricted
* Change DVM to “Cloned Debian Template for printer” 
https://www.qubes-os.org/doc/dispvm-customization/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2c91c606-2c59-41b4-84ae-4a5e6c6c958a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Printer working with Debian DVMs but not when opening up a doc in a DVM from e.g. Work VM?

[velcro]

I am using Qubes 3.2, I have a dedicated Debian Template for my more trusted 
VMs and a separate dedicated Debian Template for my DVMs with printer drivers 
installed.

This is tricky but I will try to explain:

I managed to get my printer set up using a Debian Template(printed Test Page 
fine from template).

Changed my DVM to Debian, I can print a web page and document using a Dedicated 
Debian based DVM i.e. Q(Top left Q menu icon) -> DisposableVM...no issues with 
printing web pages and transfered docs from here!

When I use a trusted VM(lets say my Work VM), I open a document using "Open in 
DisposableVM", I see the printer I set up, try to print and I get an 
error(something like "printer not connected")?

What might cause this? Any thoughts on a fix?

Thanks in advance...



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ebb48684-2e63-4797-9189-b3cce4768e90%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Copying file from Debian8(or Whonix) to a Fedora VM?

[velcro]

Ahhh...space bar! I think I tried every key except the biggest oneit worked!

All working...thank you both and thank you to all who have made this OSS 
package possible!

Probably going to try a fresh install again and start from scratch just to make 
sure. My only concern is I have Firefox ESR however I suspect it might be do to 
the order I originally updated the software.

Thanks again...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d328f38c-a621-4861-ab5a-faac1945e1a4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Copying file from Debian8(or Whonix) to a Fedora VM?

[velcro]

Thank you both for taking the time to help...

Managed to upgrade the template, also managed to get my wifi working on 
debian-8 template(seems faster now to boot!).

I found this post with instructions:
1) sudo apt install firmware-iwlwifi
2) sudo apt update && sudo apt upgrade

However I am struggling with getting the Gnome desktop installed.

I run 'sudo tasksel' and get the option to scroll down to GNOME, the red cursor 
seems to move however I am unable to select GNOME, I tried just leaving the red 
cursor on GNOME, hit enter(or OK) but nothing happens?? It simply closes and I 
go back to the terminal with user@debian...

Sorry for the basic question but how do I select "GNOME" in this window?(I saw 
a "*" by googling but no keys seems to work.

Thank you again...unfortunately I have been the target of an ongoing attack and 
having been hacked with Microsoft, then Apple I decided to go with Qubes as it 
is the most secure. But it has been a huge learning curve!



 
 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a678c02b-9332-4cda-aa5d-18d37ed53390%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Copying file from Debian8(or Whonix) to a Fedora VM?

[velcro]

On Sunday, November 19, 2017 at 4:03:44 PM UTC-6, Chris Laprise wrote:
> On 11/19/2017 01:48 PM, v wrote:
> > I have been using Qubes 3.2 for about 5 months and love it...thank you all 
> > who have contributed!
> >
> > I am a noobie so be gentle...I am also by no means an expert at Linux 
> > however I have been forced to learn quick.
> >
> > I managed to upgrade my Fedora template to 25 and have most of my VMs 
> > running on Fedora25 except for the default Debian8(Which I have reinstalled 
> > since my initial Qubes installation), my Whonix WS and GW are also 
> > defaults. I have also periodically upgraded these templates.
> >
> > I have some basic questions I am hoping I can get some help with:
> >
> > 1) It seems that alot of the experts use Debian as thier working 
> > VMs(Personal, Work, Banking, etc...) and have Fedora as the sys-firewall, 
> > sys-net, etc...is it more secure to use Debian in this way? Am I just as 
> > secure as using Fedora for my working VMs? I would have to think hacking 
> > Xen, then Fedora, then Debian would be harder...
> 
> There are three issues that stand out for me:
> 
> * Fedora is the only distro I've seen that doesn't sign their repository 
> manifest. The idea is if you want full security for updates you pay $$$ 
> for RHEL (Red Hat controls the Fedora project).
> 
> * Fedora releases expire (stop getting security updates) after a 
> relatively short period (again, idea is pay $$$ to Red Hat for long-term 
> updates).
> 
> * Fedora repositories are pretty sparse compared to the software 
> available in Debian and Ubuntu.
> 
> These are the main reasons I choose to use Debian over Fedora. Debian 
> templates also work great for sys-net and firewall/VPN.
> 
> 
> > 2) I have been able to copy/move files from Fedora VMs to other Fedora VMs 
> > but I have struggled to try and copy/move files from Debian(or Whonix-ws) 
> > to Fedora? Fedora has the "File" option from my "Q" menu(top right), when I 
> > am in the files I can right click and "Copy to Other AppVM" or "Open in 
> > DispVM". How do I access Debians version?
> 
> The debian-8 template is close to a 'minimal' release and comes without 
> a file browser. You can copy from the terminal with the 'qvm-copy-to-vm' 
> command, or install a supported file browser (the one used in Fedora 
> template is nautilus).
> 
> When installing nautilus, remember that its meant to work in concert 
> with the rest of Gnome... it may not work right if you install it by 
> specifying 'nautilus' (also you will have to install the python-gtk2 
> package separately). The easiest way to get this working like it does in 
> Fedora is to run 'sudo tasksel' and select the Gnome desktop for 
> installation.
> 
> -- 
> 
> Chris Laprise, 
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Thank you Chris...instead of asking a myriad of follow up questions, do you or 
anybody else have some good resources for detailed "how tos" on how to 
configure the Debian Template for the laymans use?

I managed to get LibreOffice loaded but my wish list would be an up-to-date 
Firefox, Nautilus(file manager) and what ever is required to get my wireless 
working with sys-net?

I tried changing sys-net to Debian and my wireless wouldn't turn on(Couldn't 
find the option in my network icon in the top right of my screen).

I would be happy to post these instructions back and submit them to the Qubes 
community if that is of value.

Thank you again...



I tried

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3cfa59a8-73af-4725-baa3-0843129a315b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Copying file from Debian8(or Whonix) to a Fedora VM?

[velcro]

I have been using Qubes 3.2 for about 5 months and love it...thank you all who 
have contributed!

I am a noobie so be gentle...I am also by no means an expert at Linux however I 
have been forced to learn quick.

I managed to upgrade my Fedora template to 25 and have most of my VMs running 
on Fedora25 except for the default Debian8(Which I have reinstalled since my 
initial Qubes installation), my Whonix WS and GW are also defaults. I have also 
periodically upgraded these templates.

I have some basic questions I am hoping I can get some help with:

1) It seems that alot of the experts use Debian as thier working VMs(Personal, 
Work, Banking, etc...) and have Fedora as the sys-firewall, sys-net, etc...is 
it more secure to use Debian in this way? Am I just as secure as using Fedora 
for my working VMs? I would have to think hacking Xen, then Fedora, then Debian 
would be harder...

2) I have been able to copy/move files from Fedora VMs to other Fedora VMs but 
I have struggled to try and copy/move files from Debian(or Whonix-ws) to 
Fedora? Fedora has the "File" option from my "Q" menu(top right), when I am in 
the files I can right click and "Copy to Other AppVM" or "Open in DispVM". How 
do I access Debians version?

Thanks in advance for any help...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/00c1d251-d9a4-46bb-b808-6c9097f486ce%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.