Using a template VM for everyday use?

There may be some very obvious reason why I should not use a template VM for everyday use like browsing but I’m asking anyway.

The reason I ask is because I have posted elsewhere that I have successfully set up a template VM based on Fedora where it works via Mullvad as a VPN. I don’t think that I can get this VM to work as hoped because I can’t get other VMs to successfully connect to it and access the internet. And there don’t appear to be solutions forthcoming. So, is there any reason why I shouldn’t just use this template which connects via Mullvad to browse the net and use as I would some other app VM? That would suit my purposes which are not huge anyway.

If this is obviously a no-no I’m happy to hear about it. And I’m keen to hear what people say to this idea.

Possible, but actually not really comfortable. All your own files (downloads, videos, music, docs, etc.) will disappear on every shutdown/restart, if you don’t move them to an attached drive (connected drive/server) before shutting down the template.
If you don’t have any files and just browse every now and then - it’s a way…

Templates are not supposed to be used like that, that’s why they have no internet connection.

What’s your issue with the VPN and the client not working? It’s possible to make a VPN qube and link other qubes to it, I’ve done it for years without issues.


Technically, it would mean that you would use StandaloneVM instead of a normal App qube for your tasks. It’s not recommended, because you will not benefit from the advantages of the template system.

It also seems that in your case, the VPN would be configured in the same VM as the browser, so you won’t have security by compartmentalization, i.e., by compromising the browser, an attacker might deanonymize you.

Having said that, nothing prevents you from doing this if you know what you are doing and decide which risks you are taking yourself.

This is the reason this forum has been created: Start a new topic and ask for help.

What are the advantages when you have an appVM with a 1:1 relation to the template?

No, they won’t disappear.
Any files or configuration you make as a user in a template will persist
in that template.


@fslover is absolutely right.
You can do this if you want.
I would recommend solving your issue with using the VPN instead, and use
templates as they are meant to be used. But if it works for you, and you
are aware of the downsides, then it will work as a quick and dirty
solution.

What do you mean with that? Every time you reboot your AppVM, its root partition is reset. You don’t have to update it separately (updates come from its template). In this sense, you can’t make a 1:1 relation.

A Standalone is just like a regular Linux installation, with all its (dis)advantages. Nothing is compartmentalized inside it.

E.g. the template I use for my VPN sys isn’t shared with any other VMs, and I don’t think that will ever change, it’s one specialized template used by one appVM.

Anyone with access to the appVM would be able to backdoor /rw or /home. With one template used by one VM, does it really matter if the root fs resets?

If I added netvm to the template, wouldn’t I still get the updates for the template?

I’m not trying to say that this is good or better, and it’s not something I’m doing, I just feel the advantages of templates become a lot less clear once the templates are specialized to the point they are no longer shared between multiple VMs.

Just because you don’t want another VPN qube now doesn’t mean you won’t want
one in the future.
You always have the advantage with templates that it’s trivial to blow
away a qube and recreate, even if you only have one qube using that
template.


In such a case, at least one advantage is that you can back up your AppVM independently and not waste space to store the root partition in the backup – saving disk space. And you can upgrade or replace the template from, e.g., Debian-10 to Debian-11 with a few mouse clicks – flexibility. You are also protected from at least some malware which assumes that root partition is saved.


I have posted about my problem not being able to get a template VM with Mullvad working in the manner that Micah Lee describes. I tried doing it months ago on the iteration of Qubes before this one (4.1.0?). I can get the template working without an issue, but I can’t get any app VM to network through it to the internet. I have not had anyone be able to come up with a solution, and it is not just me who encounters this.

BUT.

The last time I couldn’t get it going I had the same thought that just making a standalone VM would do me. But at that time the ‘Network Manager’ wouldn’t let me load an ‘open vpn’ configuration. Whereas I can load it with the template, with the standalone VM the drop-down box in the ‘network manager’ icon that could have allowed me to load the config was, I think, greyed out. But yesterday I set up an app VM and that option is now there. So I set up an app VM and it works. This fulfills my requirements beautifully. I have no idea if there was a change in Qubes but I couldn’t do it before, but now I have a specific browsing VM with Mullvad.

I note people suggesting a standalone vm. Is that a better way to go rather than the app vm?

So, I hear all of the reservations about using a template but it appears that I don’t need to. Thank you for your replies very much.

I’d still like to know why I couldn’t get it working as per Micah’s instructions.

I just feel the advantages of templates become a lot less clear once the templates are specialized to the point they are no longer shared between multiple VMs.

On one level, I certainly understand this. I have almost exactly the same number of templates as I do VMs. In fact I probably have more templates, because my script that generates them operates by cloning one template into the next and there are a couple of steps in the process where template A needs software packages 1 and 2 added to create template B, and software packages 1 and 3 to create template C. I create an intermediate template D with package 1 on it, then the two “real” templates, B and C, from it. No AppVM is based on template D, but B and C are “descendants” of [edit: or, better yet, “derived from”] it. (I could delete D, but I’ll just end up having to recreate it next time. And since I never could get the cacher to work, that can be a penalty.)

If you’re trying, somehow, to minimize the total number of VMs on your system, then of course you’ll see no advantage here.

But there are good reasons to keep template and AppVM separate, many mentioned above, but I’ll repeat some of them: 1) Backups of your data can copy the AppVM and leave the whole system area (which runs about 2GB for me) behind [though I would do an occasional full backup…but since my templates are generated by script, even that, strictly speaking, isn’t necessary]. 2) you can get an instant “clean install” of your system by shutting down your AppVM and restarting–your data will persist. (This sounds trivial but most Windows installations aren’t set up like this and upgrading or reinstalling involves blowing your data away. Bill Gates is a putz.) 3) If your system area is compromised, see #2…shut your VM down and it isn’t, any more.

You lose all of that if you simply do normal work in your template.

To me it’s well worth having a ridiculously long list of VMs in a menu as a price. (And there are ways to mitigate THAT, too–KDE or, possibly, the newer menu coming out in the next version. KDE is much more flexible in this regard. But that’s a different topic. I only mention it just in case “get rid of the ridiculously long menu list” is part of your motivation for wanting to use a template for regular work.)

Try out my suggestion in the Mullvad VPN topic and I promise, you’ll get your VPN qube finally working.
Had the very same problems with the Micah solution and never got net through that VPN qube. Never found out what was wrong. But the new VPN step-by-step I’ve posted, works perfectly now - especially for the use of Mullvad VPN.

Yes, I will try that for completeness as your method achieves having a template for the vpn. I’ll give it a go, and thanks again for the post.

Drives me mad sometimes!