Fortifying sys-net: A Shift to OpenBSD

Hmm, why not? I have used the virtual DNS reported in Qube Manager of sys-net-openbsd inside /etc/resolv.conf and it works. I’ll change it if it’s wrong.

Also I have an unrelated question, since you have this setup too, do you have better firewall rules for packet filtering on OpenBSD? The ones in the guide aren’t strict enough.

Thank you.

Not being sarcastic nor fatalist, BUT if this is so, as you and all the others agree in this great discussion here, why is the default Qubes setting for sys-net not OpenBSD?


A simple answer might be that Qubes is somewhat difficult for some users to
get to grips with, particularly users coming from Windows.
If they had to battle with OpenBSD and one of the Linux distros, that
would add another level of complexity. (Try to explain why users have to
get to grips with nftables and PF.)
Given that dom0 is bound to Fedora for the moment, it’s hard not to see
the argument that system qubes should be based on Linux.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


It has been a while now that I was thinking of sharing my experience with Qubes; I will be short in this post: I jumped from macOS to Qubes in one night. I had never opened a terminal before in my whole life; I suffered to death and had sleepless nights trying to configure debian-mini for sys-net. 4 years later I am more fluid with Linux in and with Qubes, and ended up learning “many” things, among them some JavaScript, now kicking in Rust. I had to play with Raspberries; I can write simple shebangs. Qubes pushed me hard to learn (I am closer to 50 years old).
The “claim” that Qubes is for journalists makes me laugh, or they should have an avatar who will want to keep a spare life for learning IT (it’s possible).
As said, 4 years ago I only knew to turn on the computer and click on Firefox or so, but today, after two days of hard work, I finally succeeded in running OpenBSD on this computer from which I am writing this comment now. I even connected to wifi lol.
All this to say, never mind “some users coming from Windows”.
By the way, some of your posts are religiously saved on my devices and I biblically return to them for tweaks.


Thanks for sharing your experience. It sounds as if you are enjoying
learning and securing your systems in equal measure.
Not every user is as tenacious as you, and many would have given up.

good lord.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

Has someone managed to fix it? I haven’t found a solution yet.

I will try during the coming week, but I have an idea: soldering a Raspberry Pi Zero running OpenBSD to USB and using it as a router; from there, a sys-net OpenBSD following this post and the other unman post. If that works it would be double golden.
But maybe some Qubes ninjas can come up sooner or later with an OpenBSD template?

@unman: Today, after my two-day battle against OpenBSD, I wondered if I was a masochist torturing myself with all this IT suffering.

I had a conversation with a friend, who couldn’t understand my point; I was saying there should be a vanilla Qubes where “journalists” don’t worry about knowing who is what in Qubes. Let me explain. Say the out-of-the-box installation for vanillas runs (without compromise) under the hood all the technicalities (I don’t know how to say it in English) of Apps, Templates, Deb, Fedora… The same “journalist” doesn’t need to be intimidated, because after all it is very overwhelming for the lambda user.
A Qubes-dog for journalists.

Fix what?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

There’s a basic template here. You
can use it to create OpenBSD qubes, and there’s some tooling to allow
permanent IP addresses and use of /home after restart.
What’s lacking is full integration into Qubes, so no copy/paste - this
is quite difficult.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


@unman Is it possible to include it in the official templates in the near future, even without copy/paste functionality?

Copy/paste we could live without but what about qrexec/qvm-copy?

This problem. I gave all the details of my problem in the entire thread. Basically, with tcpdump, OpenBSD sys-net receives all the logs of the sites that I’m trying to access in a qube named personal with NetVM mirage-firewall, but it just doesn’t connect to the site in the end. I don’t have any idea what it could be.

It made me laugh at first too… but then I realised that Qubes does work out of the box and it will protect its users much more than an out-of-the-box Mac or (God forbid!) Windows machine. You only need compatible hardware and realistic expectations.

Many of the headaches with QubesOS are self-inflicted, from trying to tweak or install settings that are not really needed by a journalist. Those headaches appear for tech-savvy users.

I’d like to see Qubes installer offer an “out-of-the-box” VPN installation for the popular VPNs (Mullvad, Proton, Nord) and a decent “browser qube” ditching Firefox (Librewolf? Mullvad? Brave? all of the above?). Then Qubes will legitimately be journalist-friendly.


Yet troubleshooting-wise Qubes is something like Linux from 2001. To make it suitable for non-geeks a lot of work is ahead.


I find that a little difficult to follow, so these are general remarks.
In the sys-net you want DNS set to some external IP address - either
on the network, or 9.9.9.9, or similar. The Qubes IP addresses won’t be
any use.
You must have forwarding enabled, and some pf magic to masq the
incoming packets from sys-firewall.
On the firewall qube you want to have nftables configured to pass
traffic between the qubes and the OpenBSD sys-net: this is well
documented.

From the sound of it you see the traffic arriving at OpenBSD, but
nothing leaving. That sounds like an issue with pf, or no forwarding
set.
Also, I would test first with standard Qubes firewall in the mix, make
sure it is working there, and then swap in the mirage-firewall.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
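A pf ruleset along the lines unman describes (forwarding on, NAT for packets arriving from sys-firewall, default deny) that also answers the earlier request for stricter filtering, as an added example that is not from the guide, this thread, or unman’s template. The interface names, the Qubes address ranges, the Qubes virtual DNS addresses and 9.9.9.9 as the upstream resolver are assumptions to adjust for your own setup.

```pf
# /etc/pf.conf for an OpenBSD sys-net (added example, not from the guide or the thread).
# Assumptions: em0 is the uplink, xnf0 is the Xen netfront interface facing
# sys-firewall, downstream qubes use 10.137.0.0/16 and 10.138.0.0/16, and they send
# DNS to the Qubes virtual resolvers 10.139.1.1 and 10.139.1.2.
# Forwarding must also be on: put net.inet.ip.forwarding=1 in /etc/sysctl.conf.
ext_if     = "em0"
int_if     = "xnf0"
qubes_net  = "{ 10.137.0.0/16, 10.138.0.0/16 }"
qubes_dns  = "{ 10.139.1.1, 10.139.1.2 }"
dns_server = "9.9.9.9"
tcp_ports  = "{ 53, 80, 443 }"
udp_ports  = "{ 53, 67, 123 }"
table <martians> const { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         192.0.2.0/24, 224.0.0.0/3 }

set skip on lo
set block-policy drop
set loginterface $ext_if

# Default deny in both directions, logged so pflog0 shows exactly what was dropped
block log all

# Sanitise fragments, and refuse packets claiming a local source address
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for { lo $int_if }
block in quick on $ext_if from <martians> to any

# Redirect the Qubes virtual DNS addresses to a real resolver, then
# masquerade everything from the Qubes side behind the uplink address
match in on $int_if inet proto { tcp, udp } from $qubes_net to $qubes_dns port 53 \
      rdr-to $dns_server
match out on $ext_if inet from $qubes_net to any nat-to ($ext_if)

# Internal side: accept only the Qubes ranges, and only the protocols we forward
pass in on $int_if inet proto tcp from $qubes_net to any port $tcp_ports
pass in on $int_if inet proto udp from $qubes_net to any port $udp_ports
pass in on $int_if inet proto icmp from $qubes_net icmp-type echoreq

# Uplink: one allow-list governs both forwarded flows and sys-net's own traffic
# (IPv6 is not passed anywhere, so it stays blocked by the default rule)
pass out on $ext_if inet proto tcp to any port $tcp_ports
pass out on $ext_if inet proto udp to any port $udp_ports
pass out on $ext_if inet proto icmp icmp-type echoreq
```

`pfctl -nf /etc/pf.conf` checks the syntax before `pfctl -f /etc/pf.conf` loads it, and `tcpdump -n -e -ttt -i pflog0` shows what the block rule dropped, which is the quickest way to tell whether forwarded traffic is dying in pf rather than for lack of forwarding.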

In my experience, with suitable hardware and set-up the demand for
support is not significantly greater than with Windows/Mac - or indeed,
Linux from 2025.
suitable hardware and set-up is doing quite a lot of heavy lifting.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

YMMV! I had an impression that the NUC, as Intel’s reference platform, is a safe choice, and it worked for years (I had two of them before). Then boom, gen 14 and you get non-accelerated video in dom0. Also, do you remember the VM pool disk allocation issues? You have half of a disk free, but you need to allocate your space manually, otherwise you run out of it! That’s weird even for a “normal” Linux user.


OpenBSD 7.7 released with—
OpenBSD with its updated bootloader can now run as an AMD SEV guest with QEMU using EFI. The OpenBSD kernel itself can now also boot on QEMU with AMD Secure Encrypted Virtualization (SEV).

I have just built an updated HVM template - source
on GitHub here

I’ve passed it out for testing, and if all looks good will upload to
[3isec](https://qubes.3isec.org/Templates) tomorrow.
The same mechanism is used for setting network and private disk in qubes
based on the template.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


Great guide!
I had trouble again and again following this guide, using ping to check the network, and finally figured out that there exists ISP-level censorship blocking my internet connection via the default router. I have managed to connect via the OpenBSD netvm using my GrapheneOS smartphone’s cellular data.