Sys-net Networking: Caution!

Melly21 · February 10, 2022, 4:47pm

I just viewed my sys-net settings and noticed a yellow sign saying

"Caution: default DispVM template has a different networking than this qube. Unexpected network access may occur!

what does the last sentence mean? Is it bad? I have recently checked the Global Settings and tried setting Default template and Default DisposableVM template to whonix-ws-16. It’s probably because of that.
What would you do?

tech3599 · February 10, 2022, 6:29pm

The part about “Unexpected network access may occur!” is saying that if you were to open a DisposableVM from sys-net, the DisposableVM would have a different network route than sys-net. This is important if, for example, you have a Qube that always needs to go through tor and it receives networking from sys-whonix, but the DisposableVM is set to receive networking from sys-firewall. In this case, if you were to open a DisposableVM from that Qube, it could de-anonymize you. However, this caution note doesn’t really apply to sys-net because 1. I don’t think there’s a need to open DisposableVMs from sys-net anyway and 2. sys-net is already the highest level networking VM and the DisposableVM having different networking wouldn’t really matter. You can safely ignore that caution note for sys-net.

adw · February 11, 2022, 3:16am

This text has been updated in 4.1 to be more explanatory and descriptive. (You must be on 4.0.)

Here’s a previous issue for it:

github.com/QubesOS/qubes-issues

UX problem with warning icon next to "Networking" field

opened 09:56PM - 23 Jun 19 UTC

closed 03:56AM - 24 Oct 19 UTC

TNTBOMBOM

T: bug C: manager/widget ux r4.1-dom0-cur-test P: default

**Qubes OS version** 4.0.1 **Affected component(s) or functionality** Q…ubes Manager **Brief summary** Installing Debian Buster 10 from testing then open Basic settings page from Qubes manager it will show up a yellow mark (look at the screenshot). **Expected behavior** Doesnt show any error mark/sign **Actual behavior** Showing error mark/sign **Screenshots** ![busterqubesmanager](https://user-images.githubusercontent.com/11895339/59982413-932f6000-9601-11e9-9f7c-68c683ba6398.png)

Here’s the commit where the text was updated:

Melly21 · February 11, 2022, 10:38am

Yeah, it’s a bit misleading then. I cannot even set ‘Default DisposableVM’ to sys-net in the global settings, only whonix and fedora.
for that reason, I cannot do anything wrong here, right? I’m asking to fully understand the backgrounds.

PS: the only default setting which uses sys-net is ClockVM. does that matter for my privacy?
the others are firewall (netVM) and the rest is all whonix (Dom0 UpdateVM, Default template, Default DisposableVM template).

tech3599 · February 11, 2022, 2:52pm

You can choose one of the templates to use as a DisposableVM, but sys-net isn’t a template. Also, just as a note, you shouldn’t do any actual work inside of sys-net; the only things you need to do in sys-net are connect to wifi networks or set up a VPN if you need to.

The clock qube should be set to sys-net, even if you use sys-whonix for everything else. Everything there looks good.