Verified Commit 3f4218a2 authored by Clark's avatar Clark
Browse files

sys-vpn working, documentation updated

parent 0eefe656
......@@ -11,7 +11,7 @@ Qubes OS features strong isolation using the Xen Project hypervisor to deploy vi
A gentle introduction is provided [[][here]], with a lot of detailed docs [[][here]]. Follow is how /I/ bootstrapped my Lenovo P51 laptop with Qubes OS.
* TODO Digital signatures and key verification
* Digital signatures and key verification
I'll use a USB drive to flash the Qubes OS ISO image to my UEFI. This requires exposing my laptop to: 1) the Qubes OS ISO, and 2) the USB drive. I do not trust the [SanDisk] USB drive, since I did not write the firmware. Thus, I am accepting this risk.
......@@ -61,6 +61,16 @@ Then flash the ISO to the USB.
sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/sda status=progress
* TODO Qubes installation
Use the USB to install.
Need virtualization technology enabled in BIOS.
Set up encryption.
Additional steps?
* TODO Qubes VM architecture
#+begin_src plantuml :file img/Qubes-VM-architecture.svg
......@@ -149,8 +159,9 @@ entity "sys-firewall" as sys_firewall {
entity "sys-vpn" as sys_vpn {
{static} TemplateVM < ??? >
{static} TemplateVM <fedora-30>
{static} NetVM <sys-firewall>
{field} vpn proxy scripts
entity "sys-whonix" as sys_whonix {
......@@ -435,14 +446,14 @@ fedora <.. fedora_gpg_vault
ubuntu <.. ubuntu_ws
* TODO Custom VMs
* Custom VMs
Creating custom virtual machines for QubesOS for Ubuntu and Windows.
** TODO Ubuntu
** Ubuntu
Going to use qubes-builder package to build a "official" Ubuntu template. Start by creating a template (later to be deleted) that is used to build the Ubuntu template from =dom0=, then launch a terminal.
......@@ -453,13 +464,13 @@ qvm-clone fedora-30 ubuntu-builder && \
qvm-run -a ubuntu-builder gnome-terminal
Then on the =ubuntu-builder= terminal, build the Ubuntu template...
Then on the =ubuntu-builder= terminal, build the Ubuntu template.
gpg2 --import /usr/share/qubes/qubes-master-key.asc
Trust the master key just imported above...
Trust the master key just imported above.
gpg2 --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
......@@ -483,52 +494,30 @@ gpg2 --fetch-keys && \
Once setup begins, provide the following responses to each setup question.
| Question | Setting |
| Download all dependencies? | Y |
| Add Key 0x36879494 | Yes |
| Add Key 0x42CFA724 | Yes |
| Qubes Release To Use To Build Packages | 4.0 (my installed version) |
| Source Repos To Use To Build Packages | QuesOS/qubes- (Stable) |
| Git Clone Faster? | Yes |
| Choose Pre-Built Packages | [none] |
| Build Template Only | Yes |
| Template... | ... |
| Builder Plugins Selection | (focal: builder-deb; fedora-31: builder-rpm, mgmt-salt) |
| Get Sources | Yes |
| Question | Setting |
| Download all dependencies? | Y |
| Add Key 0x36879494 | Yes |
| Add Key 0x42CFA724 | Yes |
| Qubes Release To Use To Build Packages | 4.0 (my installed version) |
| Source Repos To Use To Build Packages | QuesOS/qubes- (Stable) |
| Git Clone Faster? | Yes |
| Choose Pre-Built Packages | [none] |
| Build Template Only | Yes |
| Template | bionic+desktop |
| Builder Plugins Selection | builder-deb, mgmt-salt |
| Get Sources | Yes |
Then make the template.
make install-deps
make get-sources
make qubes-vm
make template
Then on =dom0=.
Copy it to =dom0= and install it.
qvm-run --pass-io ubuntu-builder 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/' > && \
......@@ -536,17 +525,14 @@ qvm-run --pass-io ubuntu-builder 'cat /home/user/qubes-builder/qubes-src/linux-t
Then, add missing =qubes= packages using the repository hosted by =unman= of the Qubes OS project.
Add missing =qubes= packages using the repository hosted by =unman= of the Qubes OS project.
First, import his Qubes OS GPG Signing key from 0x8B3F30F9C8C0C2EF using =sudo apt-key add C8C0C2EF.asc=.
Then append the repository to =/etc/apt/sources.list=.
deb focal main
deb bionic main
Then =sudo apt update= and install some additional qubes packages.
......@@ -595,41 +581,111 @@ qvm-features --unset windows-10-template video-model
qvm-prefs windows-10-template qrexec_timeout 300
* TODO Enforce VPN Routing -> Move this to a NetVM (Qubes)
** VPN ProxyVM
This requires some kind of VPN access. I'm using a low cost VPN provider, PIA. After signing up, the provide authentication credentials, what I'm using below as =vpn_username= and =vpn_password=.
Following this guide:
#+begin_src sh
sudo apt install -y openvpn && \
wget --secure-protocol=pfs --https-only && \
unzip -d openvpn && \
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/ && \
sudo cp openvpn/US\ California.ovpn /etc/openvpn/local_profile.conf && \
sudo rm -rf openvpn && \
sudo bash -c 'cat <<EOT >> /etc/openvpn/login
This step relies on already having a /well-specified/ openvpn config file. I'm using protonvpn for my VPN services.
Create a new qube, providing networking, here named =sys-vpn=.
From your VPN provider of choice, get an =openvpn= config file, and corresponding creds to use for authentication with that config. Prefer UDP protocol. Place the config file at =/rw/config/vpn/openvpn-client.ovpn=.
Replace the =auth-user-pass= line with a reference to a local file and add a DNS handling script.
sudo sed -i '/auth-user-pass/c\auth-user-pass /rw/config/vpn/pass.txt' /rw/config/vpn/openvpn-client.ovpn && \
sudo bash -c 'cat <<EOT >> /rw/config/vpn/
set -e
export PATH="\$PATH:/usr/sbin:/sbin"
case "\$1" in
# To override DHCP DNS, assign DNS addresses to '"'"'vpn_dns'"'"' env variable before calling this script;
# Format is '"'"'X.X.X.X Y.Y.Y.Y [...]'"'"'
if [[ -z "\$vpn_dns" ]] ; then
# Parses DHCP foreign_option_* vars to automatically set DNS address translation:
for optionname in \${!foreign_option_*} ; do
unset fops; fops=(\$option)
if [ \${fops[1]} == "DNS" ] ; then vpn_dns="\$vpn_dns \${fops[2]}" ; fi
iptables -t nat -F PR-QBS
if [[ -n "\$vpn_dns" ]] ; then
# Set DNS address translation in firewall:
for addr in \$vpn_dns; do
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to \$addr
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to \$addr
su - -c '"'"'notify-send "\$(hostname): LINK IS UP." --icon=network-idle'"'"' user
su - -c '"'"'notify-send "\$(hostname): LINK UP, NO DNS!" --icon=dialog-error'"'"' user
su - -c '"'"'notify-send "\$(hostname): LINK IS DOWN !" --icon=dialog-error'"'"' user
EOT' && \
sudo chmod 600 /etc/openvpn/login && \
sudo sed -i '/ca ca.rsa.2048.crt/c\ca /etc/openvpn/ca.rsa.2048.crt' /etc/openvpn/local_profile.conf && \
sudo sed -i '/auth-user-pass/c\auth-user-pass /etc/openvpn/login' /etc/openvpn/local_profile.conf && \
sudo sed -i '/crl-verify crl.rsa.2048.pem/c\crl-verify /etc/openvpn/crl.rsa.2048.pem' /etc/openvpn/local_profile.conf &&
sudo systemctl enable openvpn@local_profile && \
sudo systemctl start openvpn@local_profile && \
sudo bash -c 'cat <<EOT >> /etc/openvpn/restart-service
if [ "$(ping -c 3 | grep '100% packet loss' )" != "" ]; then
sudo systemctl restart openvpn@local_profile
sudo chmod +x /rw/config/vpn/ && \
sudo sed -i '/up /c\' /rw/config/vpn/openvpn-client.ovpn && \
sudo sed -i '/down /c\' /rw/config/vpn/openvpn-client.ovpn && \
sudo sed -i "/script-security /c\script-security 2 \\
up ' up' \\
down ' down'" /rw/config/vpn/openvpn-client.ovpn && \
sudo rm /rw/config/qubes-firewall-user-script && \
sudo bash -c 'cat <<EOT >> /rw/config/qubes-firewall-user-script
# Block forwarding of connections through upstream network device
# (in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
# Accept traffic to VPN
iptables -F OUTPUT
# Add the qvpn group to system, if it doesn'"'"'t already exist
if ! grep -q "^qvpn:" /etc/group ; then
groupadd -rf qvpn
sleep 2s
# Block non-VPN traffic to clearnet
iptables -I OUTPUT -o eth0 -j DROP
# Allow traffic from the qvpn group to the uplink interface (eth0);
# Our VPN client will run with group qvpn.
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
EOT' && \
sudo chmod +x /etc/openvpn/restart-service && \
sudo crontab -l | { cat; echo "* * * * * /etc/openvpn/restart-service"; } | sudo crontab -
sudo chmod +x /rw/config/qubes-firewall-user-script && \
Test the VPN service initializes using =sudo openvpn --config /etc/openvpn/local_profile.conf= (and exit with =Ctrl-c=).
sudo rm /rw/config/rc.local && \
sudo bash -c 'cat <<EOT >> /rw/config/rc.local
VPN_OPTIONS='"'"'--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'"'"'
groupadd -rf qvpn ; sleep 2s
sg qvpn -c "\$VPN_CLIENT \$VPN_OPTIONS"
sed -i d /etc/resolv.conf
echo "nameserver" > /etc/resolv.conf
echo "nameserver" >> /etc/resolv.conf
EOT' && \
sudo chmod +x /rw/config/rc.local
Verify the service status using =sudo systemctl status openvpn@local_profile= and checking one's public IP using =wget --secure-protocol=PFS --https-only -qO-
Start it manually with: =sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn=
* Split SSH
......@@ -700,7 +756,7 @@ EOT'
Then restart =bytecache-ssh-vault= and =bytecache-dev=. I repeat these steps for each set of SSH keys, and AppVM users (e.g., for work).
* TODO Split GPG
* Split GPG
Split GPG is /officially/ supported by Qubes OS, so the implementation is more automated. Again, I setup separate domains for each set of GPG key.
......@@ -772,7 +828,9 @@ After restarting, test the split GPG vault by exporting the public key, which ca
qubes-gpg-client --armor --export FCC7CFB2
* TODO Install software
* Install software
These are installed on various qubes per the architecture provided above.
** TODO Wazuh Agent - Endpoint Security
......@@ -787,7 +845,7 @@ sudo apt install curl apt-transport-https lsb-release gnupg2 -y && \
For addition steps registering agents to the Wazuh manager, see [[][the Wazuh guide]].
** TODO Harden Firefox
** Harden Firefox
Go through all the about:preferences particularly the /search/ and /privacy & security/ settings.
......@@ -808,7 +866,7 @@ wget --secure-protocol=pfs --https-only
sudo apt install -y ./protonmail-bridge_1.5.2-1_amd64.deb
** TODO Git
** Git
Live and die by Git. I'm using the handle =sentry=.
......@@ -993,7 +1051,13 @@ cd /tmp && \
sudo dnf localinstall -y slack-4.11.3-0.1.fc21.x86_64.rpm
** TODO Cell Phone Utilities
** Discord
Just download the file over a browser at
Then install with =sudo dpkg -i discord-0.0.13.deb= (or substitute your version here).
** Cell Phone Utilities
I have a Pixel 3 running the [[][GrapheneOS]]. To flash the OS to my cell phone, it requires =abd= and =fastboot=, which are not part of Debian. To add these utilities, I'll download and install the [[][Android SDK Platform-Tools]], as follows.
......@@ -1003,3 +1067,19 @@ cd ~/ && \
sudo unzip -d /etc/ && rm && \
export PATH="/etc/platform-tools:$PATH"
** Wine
For playing Windows games on Ubuntu.
sudo dpkg --add-architecture i386 && \
wget -nc && \
sudo apt-key add winehq.key && \
sudo apt-add-repository 'deb xenial main' && \
sudo apt update && \
sudo apt upgrade -y && \
sudo apt install -y winehq-stable && \
sudo apt --fix-broken install && \
sudo apt install -y winehq-stable
This source diff could not be displayed because it is too large. You can view the blob instead.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment