Monero Wallet/Daemon Isolation with Qubes + Whonix

Solomon1732 · January 4, 2023, 8:22pm

I got an update suggestion. On ArchWiki it is stated that this is the usual place to host user systemd unit files:

~/.config/systemd/user/ where the user puts their own units.

Therefore I decided to put mine there. It avoids the need for root (or sudo?) to own it. In such a setup, systemd already “knows” that the file is to be run as user. Therefore, the User and Group parameters become superfluous. In fact, I discovered the hard way they just confuse it. Of course, it means that the cp command in rc.local should be modified to this:

cp /home/user/.config/systemd/user/monerod.service /lib/systemd/user

Also, it looks like the service should be enabled. Maybe even restarted.

systemctl --user enable monerod
systemctl --user restart monerod

At the very least it helped me. The following two commands, and searching the errors on the web, helped me discover issues (including the one I mentioned):

systemctl -- user status monerod
journalctl --boot --user -f -u monerod

Furoshima · January 14, 2023, 4:54pm

i would also like to know the commands because i was following this tutorial: How-to: Use Monero with Wallet Isolation in Qubes-Whonix ™ like @Mdogg was and now i will try to follow your guide, also thank you for the effort of writing this for all of us

Solomon1732 · June 6, 2023, 10:19am

I have trouble mining with this setup. I launch the mining daemon through the wallet with this command: start_mining 1 true true. It launches one mining thread, tells it to background-mine, and tells it to not query battery statues (which it can’t do anyway). After an hour, the log shows this message:

…[P2P9] WARNING global src/p2p/net_node.inl:2093 No incoming connections - check firewalls/routers allow port 18080

How do I solve it? Do I need to forward the port in some way?

Edit: Also, when I installed qubes 4.1 I set sys-net as a static disposable VM. I thought it may be worth mentioning.

scallyob · February 2, 2024, 5:20am

This needs to be updated for Whonix 17 on Qubes 4.2

I had this setup working on whonix 15-16, but it is not working on Whonix 17. I want to try your solution here of using qvm-connect-tcp, however Whonix 17 no longer uses /etc/qubes-rpc/policy, so where would you setup the qubes.ConnectTCP info? In /etc/qubes/policy.d/ somewhere? It seems 30-user.policy is the only place you are supposed to edit there.

DVM · February 2, 2024, 9:46am

Qubes 4.2 is based on the new policy system. Now you must explicitly write the qrexec policy name you want to use in a policy file. For example, you could have a file here /etc/qubes/policy.d/30-user.policy with:

qubes.ConnectTCP +18081 monero-wallet @default allow target=monerod

scallyob · February 2, 2024, 4:50pm

Thanks! I added that and my connection worked immediately. To summarize, with Qubes 4.2 and Whonix 17 @MrA’s post should work, with the following changes @DVM gives above.

OLD Step 4 (in dom0)

NEW Step 4 (in dom0)

Edit the policy file:
sudo nano /etc/qubes/policy.d/30-user.policy

Add the following line:
qubes.ConnectTCP +18081 monero-wallet @default allow target=monerod

MrA · February 25, 2024, 7:00pm

I had hopes I’d be saving myself some time, so I got around to upgrading a box to 4.2 using backups of monerod and wallet VMs moved to Whonix 17 on restore. However, despite the policy edit in dom0, monerod doesn’t want to fly. Did you use a backup for yours? @scallyob

journalctl tells me it doesn’t have /usr/bin/monerod to play with. (Guessing …) Does the edit also require a change to /qubes-rpc/user.monerod?

Mirai · February 25, 2024, 9:45pm

I reinstalled from 4.1 to 4.2 (and whonix 17) restored with qubes backup and just set the exact same policies from 4.1.

Everything works fine.

My policy is in

/etc/qubes-rpc/policy/qubes.ConnectTCP

monero-wallet-ws @default allow, target=monerod-ws

Mirai · February 25, 2024, 9:49pm

Is my current policy fine or insecure? (and future proof?)

DVM · February 25, 2024, 9:57pm

That’s fine. It works for backward compatibility reasons, but you should use the new policy format as much as possible.

scallyob · February 26, 2024, 4:57pm

I did an install in place from 4.1 to 4.2, then installed Whonix 17 template, made a modified one to work with my monero AppVMs and then switched that to be the template for them.

Whonix does not come with monerod installed so you do need to install it. The Whonix docs have you use flatpak, but I just manually download it from the monero project and copy the executables I need to /usr/bin/

tanky0u · June 11, 2024, 6:40pm

I was checking this out as well. Is the policy stuff on the whonix wiki correct for QubesOS 4.2? Here: How-to: Use Monero with Wallet Isolation in Qubes-Whonix

It only mentions /etc/qubes-rpc/policy/user.monerod file and uses:

monero-wallet-ws monerod-ws allow

Which looks different from that of

apparatus · June 12, 2024, 4:03am

The Whonix guide is using custom service with qrexec + socat and other is using Qubes OS service qubes.ConnectTCP:

Both are using old policy format so it’s better to change policy to the new format e.g.:

tanky0u · June 12, 2024, 5:29am

Can someone write a new guide on doing the Monero wallet, Monero daemon isolation with the new QubesOS qrexec policy architecture?

apparatus · June 12, 2024, 6:07am

Create file in dom0 using terminal:

sudo nano /etc/qubes/policy.d/30-monerod.policy

Or using Qubes Policy Editor GUI tool.
Add this inside:

user.monerod * monero-wallet-ws monerod-ws allow

tanky0u · June 12, 2024, 9:47am

can you explain followings:

user.monerod : what is this?
* : what is this?

Other posters in this thread (a few posts above) have different directives in their policy files, including, qubes.ConnectTCP and @default directives. While your example doesn’t have those? Why? What’s the difference?

apparatus · June 12, 2024, 9:59am

user.monerod - service name
* - argument
It’s described in the qrexec doc:

Policies are defined in lines with the following format:
service-name|* +argument|* source destination action  [options]

user.monerod is custom qrexec service that you define, qubes.ConnectTCP is already existing Qubes OS service that you can use like this:

You can read qrexec doc to know about specifics.

tanky0u · July 1, 2024, 7:49pm

Isn’t using the existing qubes.ConnectTCP better (“more secure”) in this case? It seems like qubes.ConnectTCP limit the capability to sharing just a single tcp port, while defining user.monerod seems like allowing “everything” between the target and source qubes.

apparatus · July 1, 2024, 9:08pm

Not sure if it’s more secure, but it should be less error-prone during configuration.

Yes.

tanky0u · July 3, 2024, 11:25am

Okay so I am trying to understand this whole thing. I have been reading the qubes os documentation as well as whonix guide and the protonmail-bridge guide you’ve linked. It seems like main the cause for complexity is that I need to setup policy files, startup command files, in dom0 AND the AppVM’s.

The policy file in the dom0 will be stored in /etc/qubes/policy.d/30-user.policy file and will contain, what? – I guess something about qubes.ConnectTCP?
there will be another qubes-rpc stuff inside monerod-ws qube, which will be stored in /rw/usrlocal/etc/qubes-rpc/user.monerod file and will contain some socat command.
there will be a command line command defined in monero-wallet-ws qube inside the /rw/config/rc.local/ file which will contain socat TCP-LISTEN[...] command
another cause for confusion is, the terms “service name” and “policy”. What is “service name” in this context?

Policies are defined in lines with the following format:
service-name|* +argument|* source destination action  [options]

Is service-name a systemd service (is it a --user service, or a root account service)? Or do we name stuff like qubes.ConnectTCP as “services” ?