Subject: Practical experience with multiple USB-WiFi adapters for per-qube physical network isolation (no VPN/Tor)?
Body:
Hello everyone,
I want to set up Qubes OS so that different groups of qubes (e.g., work, personal, banking) appear to websites and ISPs with different public IP addresses, without using any VPN or Tor. I’m considering the following approach:
Plug several USB-WiFi adapters directly into the Qubes machine, then:
· Pass each adapter to a dedicated sys-net (e.g., sys-wifi1, sys-wifi2).
· Have each sys-net connect to a different wireless network (mobile hotspot, public Wi-Fi, etc.).
· Attach different app qubes to different sys-net gateways.
My questions for the community:
- Has anyone run such a multi-USB-WiFi setup on Qubes for an extended period? How stable/reliable is it for daily use?
- Are there known issues with running 2–4 Wi-Fi adapters simultaneously on the same host (RF interference, driver conflicts, USB bus contention)?
- Which specific chipsets (e.g., Mediatek MT7612U, Atheros AR9271, etc.) are proven to work “out of the box” in a Fedora/Debian template for this purpose, without needing external drivers or dkms?
- Any security caveats I should consider (e.g., passing individual USB devices vs. whole controllers, or the attack surface of a sys-net that directly manages a Wi-Fi interface)?
- Are there better hardware alternatives I’m overlooking that achieve per-qube public IP diversity without external routers?
Thank you very much for your experience and advice.
I did. Still use it to this day. Had to set up dkms for a specific wifi dongle, because I specifically chose the dongle. Can’t say more for privacy reasons. It works great. Separate network chain for each setup. The only caveat I am aware of is wifi per se, so I’m using it for non-sensitive purposes. For sensitive purposes, ethernet of course. If I were you, I wouldn’t use a portable hotspot, but a USB connection to the phone if possible. Whatever happens, at least stays in its dedicated sys-usb. No sensitive traffic over it too, of course.
I’ve tried separating WiFi and Ethernet before, and it works. The problem with Ethernet, though, is that it’s not available everywhere, and it’s tied to you personally – it points back to your identity.
As for the phone (USB tethering), I’ve also tried it. It works well and behaves similarly to Ethernet, but it’s still personally identifiable.
What pushed me toward WiFi is that, in my country, Ethernet is only available in cities. WiFi, on the other hand, is everywhere. Anyone can set up a network and sell subscriptions, which makes it much easier to blend in and avoid being personally tied to the connection.
One more question about how you actually connect the dongles. When I go to the Qubes Devices tab, I see the whole USB controller as a PCI device. If I assign that PCI controller to a single sys-net, wouldn’t that force all the USB WiFi dongles into the same sys-net and therefore the same network? That defeats the purpose of having separate IPs.
So which method are you using exactly? Passing the entire USB controller via PCI to one qube, or attaching individual USB dongles to different sys-nets via the per-qube Devices tab (or qvm-usb)? If you’re using the second method, do you still keep a sys-usb in the loop, or do you attach the dongles directly from dom0 to each sys-net? Just trying to figure out the right way to keep them truly separate.
It’s old, but still relevant. I believe you may still get a lot out of this op
I will not go into details, as I said. I can give you a general tip:
- carefully develop your threat model, to the tiniest detail possible.
- develop maximum compartmentalization according to your TM.
- Find the hardware that would support such a TM, including laptop/PC
- Get informed if it works with Qubes well, and if it does, don’t spare money on it.
- Deploy your TM
What people are usually doing is vice versa. First buying hardware, then thinking “let’s see how to achieve what I want”. No help with such an approach, I am almost sure.
So, if I’d answer your dilemmas in a short sentence, it would be: Compartmentalize as much as possible; it’s better than not doing it for any reason.
Thank you, that’s really well said.
What I learned about you from your OP is that "Now You're Thinking with Qubes", definitely.
Thank you! The core idea I’m trying to pursue is maximum compartmentalization. I want each group of qubes to have its own physically separate network path (dedicated sys-net, dedicated NIC or WiFi dongle, dedicated firewall VM) so that they appear with different public IPs and cannot see each other at all. It’s like running several isolated computers on one machine, each with its own internet connection. Your feedback tells me I’m on the right track. Really appreciate it.
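As an added illustration of the per-dongle chain the OP asks about (individual dongle attached from sys-usb to its own sys-net, rather than handing a whole USB controller to one qube), here is a dom0 shell script that builds one isolated sys-net + firewall chain per Wi-Fi dongle with the standard qvm-* tools. It is example code, not from anyone in this thread or from the Qubes project; the template name, the chain names and the device ID `sys-usb:2-1` are assumptions, and `DRY_RUN=1` only prints the commands.

```shell
#!/bin/bash
# Added example (not from the thread): one isolated network chain per USB Wi-Fi
# dongle in Qubes dom0. Assumes sys-usb owns the USB controller and that the
# dongle's ID (e.g. sys-usb:2-1, as listed by `qvm-usb list`) is known.
# The dongle is proxied from sys-usb to the chain's sys-net over qrexec (USB/IP),
# so sys-usb stays in the loop but never routes traffic for the chain.
set -eu

DRY_RUN="${DRY_RUN:-0}"                   # 1 = print commands instead of running them
TEMPLATE="${TEMPLATE:-fedora-40-xfce}"    # assumed template name; change to yours

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_chain NAME BACKEND:DEVICE APPQUBE...
# Creates sys-net-NAME (holds only this dongle, no upstream netvm) and
# sys-fw-NAME (firewall behind it), then points each listed app qube at the
# firewall. App qubes on different chains share no NetVM, so they neither see
# each other nor share a public IP.
make_chain() {
  local name="$1" dev="$2"; shift 2
  local net="sys-net-$name" fw="sys-fw-$name"

  run qvm-create --class AppVM --template "$TEMPLATE" --label red "$net"
  run qvm-prefs "$net" provides_network True
  run qvm-prefs "$net" netvm ''            # no uplink except the dongle itself
  run qvm-prefs "$net" autostart True
  # Attach this one dongle, not the controller, so other dongles can go elsewhere.
  run qvm-usb attach --persistent "$net" "$dev"

  run qvm-create --class AppVM --template "$TEMPLATE" --label green "$fw"
  run qvm-prefs "$fw" provides_network True
  run qvm-prefs "$fw" netvm "$net"

  local q
  for q in "$@"; do
    run qvm-prefs "$q" netvm "$fw"
  done
}

# Usage (dom0): DRY_RUN=1 ./chains.sh to preview, then without DRY_RUN to apply.
# Example chains; device IDs and qube names are placeholders:
#   make_chain wifi1 sys-usb:2-1 work mail
#   make_chain wifi2 sys-usb:2-2 personal
```

Because each chain's sys-net terminates the dongle's USB and Wi-Fi stacks, treat those sys-nets as untrusted and keep sensitive qubes on a separate chain, as the replies above suggest.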