Mullvad VPN setup guide

TommyTran732 · May 27, 2024, 4:01am

Doesn’t matter, the templates are Linux and so is dom0. Services are run by Linux qubes, not the hypervisor. This statement is completely useless and doesn’t even apply to the discussion at hand.
Doesn’t matter, most of the anti systemd people don’t know what they are talking about. Just because there are a group of angry people saying ridiculous stuff like the Suckless group or Devuan doesn’t mean that you bastardize your own system design to appeal to them.
Doesn’t mean it is the proper way to do things, as demonstrated above.

And no, this is not how a system should be designed. If you care so much about being inclusive and providing freedom, the proper solution is to engineer the guest agent to cater to each operating system’s way of handling services. If Qubes were to be treated like a Hypervisor, it should work with everything, Windows, macOS, the BSDs, etc… not just those anti-systemd-for-no-sensible-reason distros.

qubist · May 27, 2024, 6:06pm

If Qubes were to be treated like a Hypervisor, it should work with everything

Can you do it?

TommyTran732 · May 27, 2024, 6:29pm

What are you even talking about at this point? That is just to show how the whole “hurr hurr Qubes is not a Linux distro” argument is ridiculous when you are trying to schedule a service inside of a systemd Linux system.

At this point I think we should just stop talking, because you clearly are insisting on not scheduling services properly cuz “hurr hurr Qubes has not decprecated rc.local yet its a fact!!!” and “systemd is controversial cuz the Suckess people say so!!!” regardless of how it is in reality. I have given you a concrete example of why it’s not proper, I don’t even know what else I can possibly give you at this point.

qubist · May 28, 2024, 4:54pm

When I asked:

That said, if you have arguments against it, have you reported it to GitHub?

you bombarded me with counter-questions:

It makes a mess out of managing services. How are you gonna run 2 concurrent services? How are you gonna manage logging for them? How are you going to their status? What about timers? Path? Runtime hardening?

which is not an answer.

Now you say:

What are you even talking about at this point?

I asked if you can do what you suggest. You are “answering” with a counter-question.

That is just to show how the whole “hurr hurr Qubes is not a Linux distro” argument is ridiculous when you are trying to schedule a service inside of a systemd Linux system.

I have never used the words “hurr hurr”. That is your way of discussing.

Qubes OS is not a Linux distro - that is a fact. It is a valid argument because you speak of “other distros”, implying that Qubes (not being one) should follow:

Just because qubes hasn’t deprecated it doesn’t mean that other distros have not done it.

In that sense, your argument is not valid (and note: I am not saying ridiculous, I am explaining why it is invalid).

Considering Qubes OS’s specifics, long-term, it may be improper to have it depend on systemd. Currently dom0 is too big and will hopefully be minimized one day. A minimal dom0 may use a different distro which will not use systemd, and that may be more appropriate from security perspective. I am not saying this will be so - that is up to devs to decide. I am just explaining there may exist valid reasons for other considerations, different from the desires of a single user, of multiple users, or of “most major” distros. In any case, templates are something different from the core and one should be able to use various OSs.

At this point I think we should just stop talking, because you clearly are insisting on not scheduling services properly cuz “hurr hurr Qubes has not decprecated rc.local yet its a fact!!!”

Where exactly did you see me insist on that?

and “systemd is controversial cuz the Suckess people say so!!!”.

This “cuz…” is another thing I have never said. Yes, systemd is controversial - that is a fact, regardless of the source and regardless of the labels you slap on those who don’t like it. That doesn’t mean I am against systemd (or for it), or “hurr hurr”. I am just saying it is controversial and that’s all. The “cuz…” is entirely your invention. I really don’t understand your desire to turn this into a fight.

I have given you a concrete example of why it’s not proper, I don’t even know what else I can possibly give you at this point.

A link to the GitHub issue, so we can all know what devs think about your suggestion. No need to get worked up.

TommyTran732 · May 28, 2024, 7:38pm

This is literally just me talking about the general design of a hypervisor.

In that sense, your argument is not valid (and note: I am not saying ridiculous , I am explaining why it is invalid).

How is it invalid? The services are being scheduled on Linux, not Xen. If you were going to schedule service for Windows on Qubes, you have to cater to Windows’s way of doing things.

Considering Qubes OS’s specifics, long-term, it may be improper to have it depend on systemd.

No it’s not. It is proper for it to depend on how the guest OS expects to schedule services inside of the guest OS. It’s a fact.

Currently dom0 is too big and will hopefully be minimized one day. A minimal dom0 may use a different distro which will not use systemd, and that may be more appropriate from security perspective.

It absolutely does not matter what dom0 uses. You are scheduling services inside of Linux guest with systemd, therefore inside of those guests you should be using systemd. The init system for dom0 has no baring on how service scheduling is done in a guest. This is a fact.

Removing systemd to use a bunch of half-baked tools which can’t do the job properly like Suckless are not reducing the attack surface. If you care about security, you should be keep systemd and add runtime hardening for the services. That is a much better way to do attack surface reduction. Which other init systems support that? Are they actually doing the job more properly than systemd?

Yes, systemd is controversial - that is a fact, regardless of the source and regardless of the labels you slap on those who don’t like it. That doesn’t mean I am against systemd (or for it), or “hurr hurr”. I am just saying it is controversial and that’s all. The “cuz…” is entirely your invention. I really don’t understand your desire to turn this into a fight.

They cannot back it up with real technical arguments and their systems are terrible. You linked a completely incoherent post which just craps on systemd for no reason and advocates for a terrible init system which doesn’t even understand basic dependency management, let alone more advanced stuff like runtime hardening.

Anyone can make up any amount of ridiculous things about a product and make it “controversial”. It doesn’t mean anything.

qubist · May 29, 2024, 5:19pm

How is it invalid?

Because it is comparing oranges (“other distros”) to an apple (not a Linux distro). In that sense, your:

Just because qubes hasn’t deprecated it doesn’t mean that other distros have not done it.

can be answered with the opposite, similarly invalid:

“Just because other distros have done X, doesn’t mean Qubes OS should do the same”.

The services are being scheduled on Linux, not Xen.

As discussed, there are non-systemd distros and those can be used as templates. If you mean that Qubes OS’s official templates that are systemd-based should implement a better scheduling of systemd units (with which, FWIW, I agree) - that is something entirely different from Qubes deprecating /rw/config/rc.local.

Considering Qubes OS’s specifics, long-term, it may be improper to have it depend on systemd.

No it’s not. It is proper for it to depend on how the guest OS expects to schedule services inside of the guest OS.

What I said was about dom0.

It absolutely does not matter what dom0 uses. You are scheduling services inside of Linux guest with systemd, therefore inside of those guests you should be using systemd.

Yes, for the templates, it does not matter what dom0 uses. My note was in regards to systemd and Qubes OS design in general.

Yes, systemd is controversial - that is a fact, regardless of the source and regardless of the labels you slap on those who don’t like it.

They cannot back it up with real technical arguments and their systems are terrible.

You continue with slapping labels - OK, that is your way. I am nobody’s advocate. Facts are facts - there are such systems, there are technical experts developing them:

The only thing that matters for Qubes OS is what you can suggest and what the devs will say about it.

TommyTran732 · May 29, 2024, 5:50pm

I do not think you are posting in good faith at this point. It looks more like you are just trying to derail the thread.

Because it is comparing oranges (“other distros”) to an apple (not a Linux distro).

No, I am comparing the behavior of normal distributions and their counterpart inside of a Qubes template. This is Linux to Linux comparison.

“Just because other distros have done X, doesn’t mean Qubes OS should do the same”.

Sure, except using rc.local on systemd systems is bad practice.

As discussed, there are non-systemd distros and those can be used as templates. If you mean that Qubes OS’s official templates that are systemd-based should implement a better scheduling of systemd units (with which, FWIW, I agree) - that is something entirely different from Qubes deprecating /rw/config/rc.local.

No. They should be using what those distros expect. You can’t just make a blanket designation that oh it should be rc.local. It doesn’t even work the same way with different init systems.

You continue with slapping labels - OK, that is your way. I am nobody’s advocate. Facts are facts - there are such systems, there are technical experts developing them:

Once again, you have linked something that says absolutely nothing in relation to the topic at hand. You just listed some Linux systems that do not use systemd for various technical reasons, then use it to make it a “fact” that systemd is somehow controversial.

GrapheneOS, DivestOS, etc are Android variants. They are using a whole different system design based on AOSP, so of course they aren’t using systemd. This is not because systemd is controversial or so bad that they avoid it at all cost. These are not your traditional Linux desktop stack. Oh, and what do you think the developers of these OSes use on their servers/workstations? systemd. I know this for a fact.
OpenWRT and DD-WRT are meant for extremely underpowered consumer routers, so they need to strip them down as much as possible. It has nothing to do with systemd being controversial.
Alpine is generally meant for OCI containers, so they don’t need systemd by virtue of the fact that the entrypoint of a container is just 1 binary that it’s supposed to run.
etc and etc

The only thing that matters for Qubes OS is what you can suggest and what the devs will say about it.

You keep bringing this up as if it is some kind of “gotcha” talking point. Even if Qubes keep rc.local because of legacy cruff, it doesn’t change the fact that it is legacy stuff and shouldn’t be used on systemd systems, as I have demonstrated above.

No matter how you engineer it (be it through the qubes service or the rc-local service systemd used to provide), it will never work properly. It’s is impossible to guarantee something to “run last” because such concept doesn’t exist in systemd. Also, using something that actually “runs last” to run stuff is not proper service scheduling either.

github.com/systemd/systemd

How to run /etc/rc.d/rc.local as the last Linux bootup task?

opened 05:22AM - 20 Apr 23 UTC

closed 08:07AM - 20 Apr 23 UTC

aki-k

misfiled use-mailing-list-instead version-too-ancient

### systemd version the issue has been seen with 239-68.el8_7.4 ### Used d…istribution Rocky Linux 8.7 ### Linux kernel version used 6.2.10-100.fc36.x86_64 (host kernel, LXC container) ### CPU architectures issue was seen on x86_64 ### Component other ### Expected behaviour you didn't see On Rocky Linux 8.7, the file /etc/rc.d/rc.local contains the following lines: ``` # In contrast to previous versions due to parallel execution during boot # this script will NOT be run after all other services. ``` How to run /etc/rc.d/rc.local as the last Linux bootup task? On Rocky Linux 8.7 it fails to do the task that it has always served. If it can't be made to run as the last task in Linux bootup, please remove rc-local.service from systemd to avoid confusion. ### Unexpected behaviour you saw ``` # cat /etc/rc.d/rc.local ``` ### Steps to reproduce the problem ``` # cat /etc/rc.d/rc.local ``` ``` # rpm -qf /etc/rc.d/rc.local systemd-239-68.el8_7.4.x86_64 ``` ### Additional program output to the terminal or log subsystem illustrating the issue _No response_

qn00r3 · June 11, 2024, 6:59am

Hello, thank you for your work.
Could you please tell me how to solve the problems with the broken link in your script?

I run this script on my template to trim it down:

github.com

TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh

#!/bin/bash

# Copyright (C) 2022-2024 Thien Tran
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy of
# the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under
# the License.

unpriv(){
    sudo -u nobody "$@"
}

This file has been truncated. show original

sudo dnf -y install 'https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm'
[MIRROR] divested-release-20231210-2.noarch.rpm: Status code: 404 for https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm

Thanks in advance for your help.

qn00r3 · June 12, 2024, 10:19pm

New setup hardened_malloc:

sudo dnf -y install 'https://gitlab.com/divested/divested-release/-/jobs/7046900191/artifacts/raw/build/noarch/divested-release-20240607-1.noarch.rpm'

TommyTran732 · June 13, 2024, 1:29pm

On second thought, the Divested repo is a bit problematic so I might replace it with the secureblue copr

Mirai · June 15, 2024, 10:16pm

How about opening an issue about this on GitHub? Not sure what qubes devs opinion on this is…

behemothwerecat · June 30, 2024, 3:08pm

I’d like to get your guide working with a debian-12-xfce TemplateVM. I followed everything apart from the trim down script, and the Mullvad app is connecting as anticipated, but there is unfortunately no network connection from the AppVM which has it’s net qube set to the ProxyVM. Any idea why this might be the case?

TommyTran732 · July 5, 2024, 12:51pm

Did you follow this step?

behemothwerecat · July 17, 2024, 4:58pm

Yes, Local Network Sharing and Lockdown Mode are both enabled as per the guide.

I’m able to ping 8.8.8.8 successfully, but not curl anything, so seems to be DNS-related.

TommyTran732 · July 25, 2024, 10:42pm

Strange, it works just fine for me on GNOME. Did you try switching DNS servers and switching back? Did you make sure that the systemd service is enabled?

behemothwerecat · July 26, 2024, 5:21pm

Ah, the issue seems to be that systemd-resolved is not present on default bookworm installations. So indeed, dnat-to-ns.service failed to start because “Unit systemd-resolved.service not found”.

From the above Debian release notes:

" Note that systemd-resolved was not, and still is not, the default DNS resolver in Debian. "

How could /etc/systemd/system/dnat-to-ns.service be modified to use the default DNS resolver? Thanks for the help!

TommyTran732 · July 26, 2024, 5:33pm

Seems like a problem with qubes templating. Can’t you just install systemd-resolved though?