What is stopping you from using QubesOS?

I’m in a similar boat. Files on a NAS.

It was easy enough to set up a qube to mount the NAS. I could even install the encryption program ON that qube. But then as you noted, the files aren’t where they need to be.

I have managed, with a LOT of work over the last two weeks, to figure out how to pass a mount of one of the encrypted files to another qube, which decrypts it and passes on a link to that to yet a third qube–who can mount it into their file system.
I’ve even managed to automate the process…somewhat. But it’s very “fragile,” there are five steps involved (two of them must be done by dom0) and if any one of them goes wrong all hell breaks loose, and I have to manually undo the steps that did happen, to be able to try again. I’d certainly not recommend what I have done for a general user.

Hi @aquser. I would like to reply to two points you mentioned with some thoughts. They may not solve your problems, but I will share just in case.

Do you use it with a Debian or a Fedora template? I switched sys-vpn to a Debian template when Fedora 33 or 34 update broke the VPN, and it’s been working well for me.

Again, since I switched some work VMs to Debian, minimal templates are working well.

I’m using NM, it’s not been unreliable for me.

I use a shell script to enable the VPN and the Qubes firewall settings to reject all traffic not going to the VPN gateway.

This does allow any host using the VPN to access 3 or 4 ports on the VPN gateway even if the VPN tunnel is down, but I was too lazy to change the iptables forward rules to only allow the use of the VPN interface.

oops wrong place to ask question

I have a custom built PC with a Ryzen 5900x and RTX 3090, one of which is unsupported with Xen and another of which is untested :smiling_face_with_tear:

It’s not a deal-breaker, but for me, not having S3 suspend working properly on some laptops is “mildly inconvenient”. It’s one of those “it would be nice to have” things…

Yes, I know that it’s because of reasons that are way beyond the control of Qubes OS, but still, “it would be nice to have”…

Patience, young grasshopper. Qubes will be unleashed on your beast of a machine as soon as we figure out how…

…and with what nVIDIA and AMD have been doing with the Linux kernel, I remain optimistic that it’s only a matter of time before your frown turns upside-down :slight_smile:

Neither Debian nor Fedora based templates work for me anymore. I believe it was Debian 10 (not available to me now that I’m on 4.1) and Fedora 33 (EoL) that last worked.

I use a mix of both depending on which is easier to customize for the problem at hand. When updating my Debian 11 templates for 4.1, they became unbootable. I rebuilt one I couldn’t easily switch to Fedora and deleted the rest. I’m now much more selective when deciding to make minimal templates.

Qubes using the internet connection provided by their net qube before it can bring up the VPN will access the internet in the clear. The VPN can also go down or fail in a couple of ways that result in the same. The purpose of a VPN qube for me is that everything goes through the VPN or goes nowhere. NO EXCEPTIONS!

Yes, you remove the forward rules from eth0 in sys-net, and set the firewall to only allow access to the VPN gateway. Then sys-net can’t forward any traffic while the tunnel is down, and you can only access the VPN gateway through the internet connection.

I’m pretty sure you have the tools to do what you ask.
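Added example, not part of any post in this thread: a conservative check of the "everything goes through the VPN or goes nowhere" requirement discussed above, done by walking an iptables FORWARD chain for a new connection from a client qube. The rulesets are constructed samples, and the interface names (eth0, tun0, vif*) and function names are assumptions.

```python
import shlex
# Constructed iptables-save excerpts for a VPN qube. Interface names are
# assumptions: eth0 = uplink to the net qube, tun0 = tunnel, vif* = client qubes.
LEAKY = """:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o eth0 -j ACCEPT
-A FORWARD -i vif+ -o tun0 -j ACCEPT"""
FAIL_CLOSED = """:FORWARD DROP [0:0]
-A FORWARD -i vif+ -o eth0 -j DROP
-A FORWARD -i vif+ -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o vif+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"""

def _if_match(pattern, iface):
    # iptables interface syntax: a trailing "+" is a prefix wildcard.
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def forward_verdict(ruleset, in_if, out_if, state="NEW"):
    """First-match walk of FORWARD for one symbolic packet. Conservative: matches
    not modelled here are assumed to hit on ACCEPT rules and to miss on blocking
    rules. LOG and jumps to user-defined chains are not followed."""
    policy = "ACCEPT"  # kernel default when no policy line is present
    for line in ruleset.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        if not line.startswith("-A FORWARD "):
            continue
        tok, opts, unmodelled, i = shlex.split(line)[2:], {}, False, 0
        while i < len(tok):
            if tok[i] == "!":                  # negated match: skip option and value
                unmodelled, i = True, i + 3
            elif tok[i] in ("-i", "-o", "-j", "--ctstate"):
                opts[tok[i]] = tok[i + 1]
                if tok[i] == "-j":
                    break                      # what follows are target options
                i += 2
            elif tok[i] == "-m":               # module name carries no condition itself
                i += 2
            else:                              # -p, -d, --dport, ...
                unmodelled, i = True, i + 1
        hit = (("-i" not in opts or _if_match(opts["-i"], in_if))
               and ("-o" not in opts or _if_match(opts["-o"], out_if))
               and ("--ctstate" not in opts or state in opts["--ctstate"].split(",")))
        if hit and opts.get("-j") == "ACCEPT":
            return "ACCEPT"
        if hit and not unmodelled and opts.get("-j") in ("DROP", "REJECT"):
            return opts["-j"]
    return policy

def leaks_when_tunnel_down(ruleset, client_if="vif1.0", uplink_if="eth0"):
    # True if a new connection from a client qube can be forwarded to the uplink.
    return forward_verdict(ruleset, client_if, uplink_if) == "ACCEPT"
```

A ruleset that permits only a few ports on the VPN gateway via eth0 is still reported as a leak, because the check treats destination and port matches as unmodelled; review such rules by hand.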

Currently?

A piercing headache and an aural temperature of 101.7F.

:frowning:
B

I just confirm the Qubes OS VPN issue. The only how-to which worked for me was Using Mullvad VPN in Qubes.

I am pretty sure no VPN description is wrong but some aren’t simply written for newbies. On some “how to setup your VPN” I miss (for coder obvious) …enter this here and there, download you VPN file here, move to… or this is your *crt or *conf…

Now that I have improved my Qubes OS :blush: and I am working on my automated minimal template setup, I need to deal with my VPN setup again. Let’s see if I can set up this https://github.com/tasket/Qubes-vpn-support#wireguard-vpn .

Sorry to hear that brendanhoar, I hope you get well fast … and that you practice proper compartmentalization :wink:


IMHO that’s the issue right there: “reasonably” is not good enough.

I want security. Maybe I shouldn’t have answered since I am using Qubes, but I am thinking of moving back to Tails at least for some tasks. I prefer Qubes to Tails because Tails is unusable for many tasks (e.g. development, in my experience).

In my non-expert opinion sys-net seems to be the main issue with Qubes security. Though something like the Purism system at least seems to have provable protection from BIOS malware, but that still wouldn’t prevent transient attacks on sys-net.

I would like to see more info/tools on Qubes on how to detect and try to mitigate sys-net attacks.

I am assuming that Tails is more secure with regards to network attacks (at the expense of usability) but I could be mistaken.

This is a pun and also a reminder that you can’t make a perfectly secure OS.

See also: QubesOS vs OpenBSD Security.


The thing is, “reasonable” security is all you can realistically hope to achieve as a regular individual right now. Anyone promising you more is probably selling you a bill of goods.


True. Some people are in a position where a false perception of security could get them killed.

Nothing. I even got to the phase that I’m lazy to fire up my Windows qube to do some tasks I can’t in Linux world, not to mention to revert to some other OS.

Until cloudification of Qubes.

What HAS prevented me in the past?

RAM and HCL compatibility.

I purchased a rather pricey but wonderful laptop that handles QubesOS just fine. But I think the HCL and RAM requirements may impede some. I’ve heard of folks getting away with 16GB but I cannot imagine such a life myself.


I am unable to get it to install. That is my main problem. Here is my linked post