OpenBSD Template sys-net

bcz · August 8, 2022, 1:29am

I want to know how can i use OpenBSD Template on sys-net to have a more hardened sys-net. I already searched for this, found unman’s notes and etc, but none of them helped me unfortunately. I don’t know if i misunderstanding or something. Can anyone help me? Thanks.

renehoj · August 8, 2022, 8:38am

This should have the information you need.

github.com/QubesOS/qubes-issues

Use OpenBSD as NetVM

opened 12:29PM - 04 Sep 19 UTC

tetrahedras

T: enhancement C: other security P: default

**The problem you're addressing (if any)** The NetVM is exposed to a wide varie…ty of attacks, and it's the first line of defense in hostile local network environments. (e.g there is evidence certain Middle Eastern countries have been building infrastructure to automatically attempt exploiting every device connected to public WLAN networks) There is demand (see #4551) for running OpenBSD as a VM but efforts are stalled due to OpenBSD's lack of PV support. Since the NetVM is run in HVM mode, PV support is not necessary in this application. **Describe the solution you'd like** OpenBSD offers well-reviewed driver code, high code quality, innovative exploit mitigations, excellent hardware support, low resource consumption, and a much smaller attack surface than Linux. OpenBSD also offers a [much simpler](https://www.openbsd.org/faq/faq6.html#Wireless) approach to connecting to wireless networks than does Linux. **Where is the value to a user, and who might that user be?** Adding it as a NetVM would likely increase resistance to attackers on the local network, and increase the diversity of the system (from the current-best MirageFW+Linux to OpenBSD+MirageFW+Linux). **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** https://github.com/QubesOS/qubes-issues/issues/4551

tanky0u · August 8, 2022, 10:37am

I would appreciate if someone could distill and simplify the instructions in there for getting an OpenBSD sys-net qube up and running.

unman · August 8, 2022, 11:00am

I think the only working solution currently is in my notes:

Look at openBSD_as_netvm

These are old notes, not instructions.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

tanky0u · August 8, 2022, 11:02am

Appreciate it.

Yep, I noticed that, too. I would like to see a guide on setting this up similar in kind to @Sven 's minimal template setup guide.

unman · August 8, 2022, 12:08pm

If you need help ping back

bcz · August 8, 2022, 11:58pm

Hello! I don’t understand the step to create NetVM Fw. I need to create this NetVM based on Debian? OpenBSD? I don’t know. If it is based on Debian or smth, so the NetVM will not have the OpenBSD hardening right?

unman · August 9, 2022, 10:57am

Create the FW using whatever template you like.
It’s just providing the link between the other qubes and the openBSD
qube.
The openBSD qube will have the NIC attached, and will function like
sys-net.

Instead of :
qube → FW → sys-net–NIC

You will have:
qube → FW ← openBSD–NIC

The FW here has no netvm set.

bcz · August 9, 2022, 1:52pm

Got it! But unfortunately i don’t get access to internet. I did all the steps but i still don’t have access to the internet. When i set a Qube to use Fw as NetVM, all pages that i try to access stay loading for 1 minute and after bring the error: “We’re having trouble finding that site.” The Qube that i used use kicksecure-16 as template. And the only error i got with the steps on notes was in “bring up em0” with dhclient em0 on OpenFW. I got the error "fatal in dhclient: if_nametoindex(em0) == 0.

unman · August 11, 2022, 1:17am

Check the interface names in the OpenBSD qube

thewanderer · August 20, 2022, 12:33am

@jcholsap has also put together a guide based on the work of @unman https://github.com/jcholsap/freemod/issues/1#issue-1016495279