Kicksecure17 as default-dvm

I have for a long time wanted to use kicksecure17 as my sys-net, sys-firewall and VPN qubes.

I will start with asking for help regarding changing the template of default-dvm which is the template for sys-net, sys-firewall and sys-usb to kicksecure17, from currently fedora41.

How I have done it and what issues have come up:

In Qube Manager, I simply right clicked the default-dvm qube and selected kicksecure17 in the template list.

sys-usb worked out of the box, for sys-net I installed macchanger inside the kicksecure17 profile, and in order for macchanger to work, although I enabled auto mac randomize for any network cable inserted, it did not work. I had to manually use the following commands:

sudo ip link set ens6 down

sudo macchanger -m 00:11:22:33:44:55 ens6

sudo ip link set ens6 up

sudo systemctl restart networking

After these commands, the mac did change, and my connection was up, however nothing in the browser from sys-net or sys-firewall was loading. But my router local ip 192.168.0.1 was working. Eventually my VPN qube connected as well and everything was working fine.

The issue appeared when I tried to restart or shutdown, or even kill the sys-net qube, which was working fine until recently, it started lagging and not responding to my commands and this error would appear

cannot connect to qrexec agent for 60 seconds

Eventually I managed to kill it and changed the template back to fedora41, everything working the same, but my question is:

  1. What can be causing the qrexec to not work in kicksecure after making all the mac/networking restart changes
  2. Any way I could automate the macchanger random mac/every qube restart, or at least have it display the little computer icon in the taskbar like fedora is doing and right click and set the mac from there, without having to go through dom0 xterm for sys-net qube every time it gets restarted
  3. Is it normal to now allow anything to load in browsers outside internal IP’s? I don’t mind it, I just want to double check that it is expected behavior.

That is all I would need from sys-net, sys-firewall and sys-usb. They should work easy with no issues with kicksecure17 and thus hardening against any external attacks.

After this is figured out, my next goal is to migrate my mullvad vpn qube to kicksecure as well, would this be very challenging to have a state of the art mullvad qube over kicksecure with everything blocked and only allowing traffic over vpn without any leaks?

Thank you

Hi. I morphed Debian 12 into Kicksecure and I’m using Kicksecure and Kicksecure-dvm for sys‑usb, sys‑net, sys‑firewall and sys‑vpn without any problems

Why are you installing macchanger in kicksecure-17?

If you are trying mac randomization for outbound traffic, AFAIK, it is handled by dom0, not sys-net or templates like Kicksecure-17. Installing macchanger in Kicksecure won’t affect it.

linuxuser1

Hi. I morphed Debian 12 into Kicksecure and I’m using Kicksecure and Kicksecure-dvm for sys‑usb, sys‑net, sys‑firewall and sys‑vpn without any problems

I would prefer to resolve these issues in kicksecure directly, not sure how to morph debian 12 into kicksecure.

marcos-morar

Why are you installing macchanger in kicksecure-17?

If you are trying mac randomization for outbound traffic, AFAIK, it is handled by dom0, not sys-net or templates like Kicksecure-17. Installing macchanger in Kicksecure won’t affect it.

From my experience, the change has to be made in sys-net. I have confirmed in the router logs that the mac change happens using the macchanger, which in fedora 41 I just right click the little computer icon and set it to random from there, but in kicksecure17 there is no computer icon, so I had to do it using the macchanger.

I reinstalled kicksecure17 template and my qrexec issues disappeared. The mac randomization issue remains.

Randomize all Ethernet and Wi-Fi connections

These steps should be done inside the template of the NetVM to change as it relies on creating a config file that would otherwise be deleted after a reboot due to the nature of AppVMs.

Write the settings to a new file in the /etc/NetworkManager/conf.d/ directory, such as 50-macrandomize.conf. The following example enables Wi-Fi and Ethernet MAC address randomization while scanning (not connected), and uses a randomly generated but persistent MAC address for each individual Wi-Fi and Ethernet connection profile. It was inspired by the official NetworkManager example.

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
ipv6.dhcp-duid=stable-uuid

# the setting below is optional (see the explanations below)
ipv6.ip6-privacy=2

I made these changes in /etc/NetworkManager/conf.d/50-macrandomize.conf in kicksecure17 template that I used for default dvm using the qvm-run -u root kicksecure-17 xterm command. Then this text was not found in /etc/NetworkManager/conf.d/50-macrandomize.conf in sys-net, although the template was the kicksecure-17 that I had set that in. I then tried to set the same code in sys-net using the qvm-run -u root sys-net xterm command. This did not persist after restart either.

How do I make these settings be persistent in my sys-net and allow auto randomized mac to work? I do not use Wifi, but ethernet plugged cable.

Thank you
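
A way to check, from inside sys-net after a restart, whether the drop-in above actually reached the qube and whether the kernel reports the interface MAC as overridden. This is an added example, not part of the thread or of the quoted documentation; the function names and the optional path arguments are assumptions for illustration, and ens6 is the interface name from the first post.

```shell
#!/bin/sh
# Added example. Default path is the drop-in named in the post.

# Print "section|key|value" for each setting in an INI-style file.
nm_conf_settings() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
        /^[ \t]*\[.*\][ \t]*$/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            sect = s; next
        }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print sect "|" k "|" v
        }' "$1"
}

# Return 0 only if each expected setting is present in the expected section;
# 1 if a setting is missing or misplaced, 2 if the file itself is absent.
check_macrandomize_conf() {
    conf=${1:-/etc/NetworkManager/conf.d/50-macrandomize.conf}
    [ -r "$conf" ] || { echo "MISSING file: $conf"; return 2; }
    rc=0
    for want in \
        "device|wifi.scan-rand-mac-address|yes" \
        "connection|wifi.cloned-mac-address|stable" \
        "connection|ethernet.cloned-mac-address|stable"
    do
        if nm_conf_settings "$conf" | grep -qxF "$want"; then
            echo "OK      $want"
        else
            echo "MISSING $want"; rc=1
        fi
    done
    return "$rc"
}

# Report how the kernel says the MAC of interface $1 was assigned
# (addr_assign_type: 0 permanent, 1 random, 2 stolen, 3 set by software).
# $2 is an optional sysfs root, used here only for offline testing.
mac_assign_type() {
    f=${2:-/sys/class/net}/$1/addr_assign_type
    [ -r "$f" ] || { echo unknown; return 2; }
    case $(cat "$f") in
        0) echo permanent ;; 1) echo random ;; 2) echo stolen ;; 3) echo set ;;
        *) echo unknown ;;
    esac
}
```

Run `check_macrandomize_conf` and `mac_assign_type ens6` as root in sys-net; `permanent` means the hardware address is still in use, `set` means software (NetworkManager or macchanger) replaced it.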

Hello. Please write a beginner’s guide on how you set up the sys‑net, sys‑firewall, and VPN qubes on kicksecure‑17 template

That’s pretty much out of the box, you change the template of default-dvm from debian or fedora, whatever you are currently using, to kicksecure17. If you don’t have the kicksecure template installed, you can do so in the Qubes Template Manager. It is available for download.

Complications arise when you want to change your mac like I am trying, that’s when things get confusing for beginners. But maybe a good samaritan will lend a hand to us noobs.

I think I found a more secure and easier way:

  1. Clone the Kicksecure-17 template for Qubes
  2. Run from dom0: qvm-run -u root Kicksecure-17-clone-1 xterm
  3. Within the cloned Kicksecure terminal:
     apt remove -y kicksecure-qubes-gui
     apt -y autoremove

We have Kicksecure-cli for Qubes, and avoid the limitation of morphing debian-minimal.
Am I right, or is there any hidden detail?

yes