Asking the community about VPN guides upgrades

Hello, I’m thinking about updating all my guides related to VPN for 4.3, with some overall but I’d like your opinion about some decisions.

Should it use a minimal template? It’s not too much extra work, but is it worth it? Some users may have a hard time to debug issues.

Debian or fedora? I’d be tempted to switch all the guides to Debian because you don’t have to upgrade every 6 months… It loses selinux protection though.

Should it be explained to use it as a disposable qube? This adds a lot of explanations and complexity to the guide, many people are lost with named disposables.

Should we cover openvpn as well?

The current approach is to use a fedora standalone with apps, and a fedora appvm for plain wireguard, but it’s not great although I made it as simple as possible.

12 Likes

Considering the popularity of your really well explained guides, I’d say base them on the same format as before. When I go through the posts on them, they fit well with a wide range of uses, but of course, not everyone.

The minimal template will be useful to the minority, but still useful. I find the majority of members are already dealing with a whole range of complexities they’re really unfamiliar with. Agree on your point on debug issues.

Stick with fedora, even with the periodic upgrades.

Agreed.

Not necessary in my case since I use mullvad.

And I’d like to add a whole heap of gratitude for all that you do for the community here.

5 Likes

Why fedora over debian in your opinion?

1 Like

I prefer debian because of easier-to-maintain updates and smaller template size. You also don’t have to bother with restorecon.

Once you have a script to quickly launch root shells, minimal templates should be the go-to. Maybe make a separate guide for more advanced users with it.

3 Likes

I’d be happy with whichever you decide, tbh. I usually lean to fedora, but I’m basing that more on habit than any technical reason.

1 Like

Thank you for your work Solene.

Instead of fedora-xx template I would specify fedora-xx-xfce as it’s already available from scratch. (It might have been implicit but other noobs like me might not know).

Again, thanks for your work!

2 Likes

> Hello, I’m thinking about updating all my guides related to VPN for
> 4.3, with some overall but I’d like your opinion about some decisions.

> Should it use a minimal template? It’s not too much extra work, but is
> it worth it? Some users may have a hard time to debug issues.

Minimal template.

> Debian or fedora? I’d be tempted to switch all the guides to Debian
> because you don’t have to upgrade every 6 months… It loses selinux
> protection though.

Debian 13.

> Should it be explained to use it as a disposable qube? This adds a lot
> of explanations and complexity to the guide, many people are lost with
> named disposables.

I am indecisive on it. Currently I am using debian 13 minimal template
based qube for my own sys-vpn qube. And my sys-vpn qube is not
disposable, so, my wireguard vpn config survives. However, I would be
tempted to switch to a disposable sys-vpn setup if setting it up was
reasonably simple.

> Should we cover openvpn as well?

I would say, “nah”. Wireguard seems to be all we need nowadays.

2 Likes

The idea would be to make a disposable qube of your sys-vpn and use that one, so it’s already configured and always start clean.

2 Likes

I used a disposable vpn setup for a couple years. In my opinion it just adds an unnecessary layer. If somebody gets access to your VPN configs it does not matter if they are clean afterwards if they have your private key.

1 Like

I used a Fedora 43 minimal template and I don’t think it’s too much extra work and worth the extra time & effort.

I had to reference the Qubes OS Minimal Template documentation and was good to go.

The only extra steps to take with using minimal templates would be:

  1. Launch xterm via dom0:
    qvm-run -u root fedora-43-minimal-mullvad xterm

  2. Install the following packages (sudo dnf install ____)

  • qubes-core-agent-networking (required)
  • qubes-core-agent-network-manager (required)
  • notification-daemon (for fancy notifications)
  • qubes-core-agent-passwordless-root (preference)
  • xfce4-terminal (preference)
  • thunar (preference)
  • qubes-core-agent-thunar (preference)

And then you can start a normal xfce4 terminal from the template instead of using xterm via dom0 to set up Mullvad.

I’m partial to Fedora but just a preference… no technical reasons.

I think Wireguard should be the default/standard and if you feel like adding on, that’s up to you.

3 Likes

It would be great to see the update!

  • minimal templates yes
  • fedora is great
  • keep in mind that fedora minimal does not have selinux
  • openvpn yes

2 Likes

I’m ok with @Mirai and @tanky0u for the same reasons.

1 Like

What is the work? Isn’t that just the qubes networking agent and tun/tap support packages? They are dependencies regardless, and will make the guide more complete.

Debugging is hard to predict but my guess is that network debugging is equally hard on all templates. Minimal templates just make you amend -u root to qvm-run qubes-run-terminal

Both! People can chew through a mildly outdated guide. Last time I checked some of our official documentation mentions fedora versions with “2” in the second digit.

Maybe structuring it like an extension could help? I’m thinking of a self-sufficient guide for appvm vpn qube with a dispvm chapter that builds on top of it (with higher user knowledge expectation, for true nerds completionists). Not sure how possible is that though.

Jokes aside, disposables are the way to go for any storage-less service. If anything they make management easier because I am incapable of littering in them.

Only if time allows. It is valuable though, openvpn might be less minimal but I believe it can work in tcp-only? Maybe something even more modern and powerful than wireguard would be a good addition as well.

2 Likes

I think we need a simple guide explaining how to create a disposable named qube, this could be in the official documentation, with step-by-step instructions, and refer to it for the disposable part.

My point is more that it is less maintenance over a year to use Debian than fedora.

Yes, openvpn can work in TCP, it’s the only one. I’m not aware of any serious VPN technology outside TLS based, IPsec or wireguard VPN.

2 Likes

Wine the windows compatibility suite? I don’t get it. Besides, we already have this

Then let people pick their poison

I think I’ve seen some emerging open-source vpn project by google somewhere but I can no longer find it. Probably has been cancelled, as they do in google. Definitely not serious kind, more of a fun exploration.

1 Like

Sorry, it’s my smartphone spell check replacing Qube word by Wine (interesting substitution), and I didn’t catch it.

1 Like

Thank you for your great work for Q4.2.xx and now in advance for Q4.3.
Yes, it would be great to see the update!

  • minimal templates yes
  • Debian, because of longer upgrade periods, we have a long time stable VPN working without issues as in my case now.
  • Should it be explained to use it as a disposable qube: as I’m not an advanced user I leave this item to the advanced qubers.
  • in my case using proton-vpn YES, Wireguard : YES

1 Like

Well, I still don’t entirely get it. Creation of a named disposable is literally one step. There may be more to it due to specifics of a given topic, but that wouldn’t be generic

Even in the case of “Dispoify my service” it would be three steps:

  1. Set appvm to be disposable template
  2. Create named disposable
  3. Set whatever uses your service to use name of the named disposable (situational)

2 Likes
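
The three steps listed above, written as dom0 commands; this is an added example and not part of any post in the thread. The qube names (sys-vpn, disp-sys-vpn, work) and the helper function names are placeholders, and the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/bash
# Added example: "dispoify" a VPN qube from dom0.
# Dry run by default: each command is printed. Set APPLY=1 to execute.

run() {
    # Print the command; execute it too when APPLY=1.
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

dispoify_vpn() {
    base=$1; disp=$2; client=$3
    if [ -z "$base" ] || [ -z "$disp" ] || [ -z "$client" ]; then
        echo "usage: dispoify_vpn BASE_APPVM NAMED_DISPOSABLE CLIENT_QUBE" >&2
        return 2
    fi
    # The named disposable is a separate qube; refuse a name clash that
    # would leave clients routed through the template itself.
    if [ "$base" = "$disp" ]; then
        echo "named disposable must differ from its template" >&2
        return 2
    fi
    # 1. Let the already configured VPN AppVM act as a disposable template.
    run qvm-prefs "$base" template_for_dispvms True
    # 2. Create the named disposable and allow it to provide network.
    run qvm-create --class DispVM --template "$base" --label orange "$disp"
    run qvm-prefs "$disp" provides_network True
    # 3. Point the client qube at the disposable, not at its template.
    run qvm-prefs "$client" netvm "$disp"
}

# Run directly with three arguments, e.g.:
#   ./dispoify.sh sys-vpn disp-sys-vpn work
if [ "$#" -eq 3 ]; then dispoify_vpn "$@"; fi
```

VPN configuration changes still go into the base AppVM (sys-vpn here), since anything changed inside the named disposable is discarded when it shuts down.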

From a quick thinking, these 3 steps also involve:

  • explain how to achieve the 3 steps (it’s more than 3 clicks unfortunately)
  • explain where to change the VPN configuration
  • explain how to make sure to use the disposable qube and not its template

There are people reading the guides that barely understand what appvm and templates are.

I think I’ll make a separate guide explaining how and why to make a named disposable of a VPN qube, so I can just link from the various VPN guides without duplicating the text, this also eases maintenance to keep it up to date.

2 Likes

One more question while here!

Should the guides use the GUI or CLI commands? It’s easier to tell the user to type instructions, or even provide a script, rather than “click here, and click there, then in that window, click there”. But in my mind, leading users through the GUI helps them understand a bit what’s going on, even if they don’t fully understand what they do, they can guess with the context and the GUI, whereas blindly following CLI commands (although names are explicit enough for most commands?) is not really helpful for these users.

2 Likes