Ah. I see what the problem might be. Did you perhaps forget to type the .d? It was supposed to be /policy.d/ and not /policy/. And it’s not just this but also /etc/qubes/policy.d/ and not /etc/qubes-rpc/policy/.
Notice the command:
I did not forget it and executed exactly your provided command.
I have deleted the files /etc/qubes/policy.d/30-remote-admin.policy and /etc/qubes-rpc/policy/qubes.ConnectTCP so I don’t know why there is still a reference to remote-admin.
Also this command
grep -r 'remote-admin' /etc/qubes/
yields no result.
And now I noticed another issue with the guide. It should have been 5900 and not 5901
Try
grep -r 'remote-admin' /etc/qubes-rpc/
Ahh I did find a difference:
# your command
echo "qubes.ConnectTCP +5901 remote-admin @default allow target=dom0" | sudo tee - /etc/qubes/policy.d/30-remote-admin.policy
# my command
echo "qubes.ConnectTCP +5901 remote-admin @default allow target dom0" | sudo tee - /etc/qubes/policy.d/30-remote-admin.policy
Ah. That was it, then! But don’t forget to change +5901 to +5900 in this and the following command.
Ahh yes
grep -r 'remote-admin' /etc/qubes-rpc/
/etc/qubes-rpc/policy/-:qubes.ConnectTCP +5901 remote-admin @default allow target dom0
OK. That’s my fault. The tee command shouldn’t have the - dash. I have fixed it in the guide now.
I get
[user@dom0 policy] ll
-rw-r--r-- 1 root root 63 Sep 28 22:58 -
...
So can I safely delete this file?
Yes. You were the one creating it with my wrong tee command. And I don’t have it on my Qubes system. So you’re good to go.
It has those permissions because you created it with sudo.
That did it. So the correct command is
echo "qubes.ConnectTCP +5900 remote-admin @default allow target=dom0" | sudo tee /etc/qubes/policy.d/30-remote-admin.policy
?
Yes!
All right. In your guide, step 1 has a double space between tee and /etc/... Is this important?
No that shouldn’t matter. I’ve just fixed it now.
Thanks! It’s working now:)
One last question: Is this guide outdated: (Firewall | Qubes OS)?
It is stated there to create a file in /etc/qubes-rpc/policy/qubes.ConnectTCP rather than /etc/qubes/policy.d/30-remote-admin.policy.
Fantastic!
My overall goal is to access dom0 via vnc from the outside world. (I’m aware of the security risks.)
I have configured a wireguard gateway into my local network and want to expose a port of my qubes desktop computer to the local network for vnc access (so sys-net → sys-firewall → remote-admin).
Are you aware of a good guide?
I have found this (Firewall | Qubes OS) and this ([Contribution] qvm-expose-port · Issue #4028 · QubesOS/qubes-issues · GitHub) but this may be also outdated.
Well, because you’re punching a hole so big in this Qubes system then maybe you could run this in sys-net rather than remote-admin and have a way easier time exposing that qube.