Remote desktop questions of a newbie

Dear all,
I am quite a new user of QubesOS and still learning about the design philosophy and the principles. I understand that Dom0 is isolated for security purposes. However, this has to be weakened if you want to have remote access to your machine. My old workflow used to be that I have a main machine running at home with e.g. Windows RDP or NoMachine remote access. To keep this access reasonably secure, all my machines have a second network card which is connected to a separate LAN that provides a closed VPN network. This VPN network I maintain myself between all the places where I want to work from (my parent’s place, my girlfriend’s place and so on). Incoming connections are only answered from this separate network interface. At those places, I usually have an old computer which I then use to remote into my main machine. This is very convenient because it allows me to continue my work and at the same time leave my machine working while I am on the move (mainly simulation stuff).

How would I translate such a usage concept to the Qubes world? I saw that there are quite some efforts to modernize the graphics system; however, this is not yet available. Therefore, I think I have to connect Dom0 to the separate network. Furthermore, are there recommendations for a good remote desktop solution? NoMachine? ThinLinc? X2Go? Or even something fancy and hardware-based, e.g. like Teradici? Ideally, even video playback should be possible. The connection between the sites is not the problem; I have at least 40 MBit/s symmetrically between all sites. My main location has an even higher upload.

I already apologize for those simple questions.

Peter

By default:

- Most “security” OS’s do not have remote access built into them. They work strictly by isolation. You also have to be physically in front of it to use the system.

- Remote ssh is not available for root accounts.

- Only 1 user account per OS.

- Security operating systems are not designed, per se, so that an end user can pick up and go. They take a fair amount of understanding and practice. The software and applications an end user is used to and uses are not built in, let alone actively developed, because this software, these applications and features in and of themselves present big risks and vulnerabilities.

I would recommend that you search the community with catchwords like…
Remote desktop, RDP Qubes or remoting in to Qubes OS.

After your research, you will have to ask yourself whether Qubes is going to fit into your workflow and lifestyle.

Then there tend to be specific hardware requirements. The normal everyday computer usually doesn’t have all the features to support the parameters this OS would need.

First research Qubes features. If it fits what you need and want, then…
Second research your hardware. See if Qubes will run on your system…

Hi @peterle, welcome to the Community!

This is exactly right. Here is the info about the dedicated remote access tool for Qubes:

I am far, far from being an expert, and exactly that would be the reason I wouldn’t allow myself to try to access dom0 (and templates) remotely.
Now, since mostly any online AppVM is considered by default to be compromised, the worst I’d allow myself would be to remotely access an online AppVM, the one I intentionally left up for this purpose. And that AppVM wouldn’t contain any sensitive or valuable data.

More about this could be found here

To utilize most of the advantages of qubes, your qubes system would be the one rdping into the other machines.

Reason being, that if your main machine with connection to all workers gets hacked, all your workers would be compromised too. Minimizing damage in case of pwnage through compartmentalization is the main goal of qubes.

Qubes offers very fitting features like disposable qubes, vaults (virtually air gapped qubes), split-ssh, and vpn qubes to make sure that you only keep the state you really intend between your remote control sessions and if set up correctly, to allow your rdp clients to only connect to the one specific server they are intended to.

To put it simply: Look at your qubes machine as the worker machines but in one physical machine + a secure platform to access all remote workers in a reasonably secure way.

It can be used as a worker as your search result after the mentioned keywords on this forum will show, but it really shines in the described usage as a “main machine”.
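
The restriction mentioned in the last reply (an RDP client qube that may reach only its one intended server), written out with Qubes' `qvm-firewall` as an added example that is not from any poster in this thread. The qube name `rdp-client` and the address `10.8.0.5` are constructed placeholders, and the plan assumes the qube still has only its default accept rule at index 0.

```shell
#!/bin/sh
# Added example (not from the thread): build the dom0 firewall commands that
# leave an RDP client qube with exactly one permitted destination.
# Assumption: the qube still has only its default "accept" rule at index 0.

# Qube names: letters, digits, "_" and "-", and never a leading "-" (option).
valid_qube() {
    case "$1" in ''|-*|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Dotted-quad IPv4 only: four octets, each 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the commands; nothing is changed until the output is run in dom0.
# Usage: rdp_firewall_plan QUBE SERVER_IPV4 [PORT]   (PORT defaults to 3389)
rdp_firewall_plan() {
    qube=$1 server=$2 port=${3:-3389}
    valid_qube "$qube" || { echo "bad qube name" >&2; return 1; }
    valid_ipv4 "$server" || { echo "bad server address" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port" >&2; return 1; }

    # 1. Remove the default accept-everything rule.
    echo "qvm-firewall $qube del --rule-no 0"
    # 2. Allow TCP to the one server and port only.
    echo "qvm-firewall $qube add accept dsthost=$server/32 proto=tcp dstports=$port-$port"
    # 3. Drop everything else explicitly.
    echo "qvm-firewall $qube add drop"
}

# Review the plan first, then apply it in dom0, for example:
#   rdp_firewall_plan rdp-client 10.8.0.5          # inspect
#   rdp_firewall_plan rdp-client 10.8.0.5 | sh     # apply
#   qvm-firewall rdp-client list                   # verify the result
```

Rules are matched by address, so a server reached by hostname needs its address pinned; the final `list` call is the check that only the accept rule and the drop rule remain.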