Kushal Das4

FOSS and life. Kushal Das talks here.

Network isolation using NetVMs and VPN in Qubes

In this post, I am going to talk about the isolation of network for different domains using VPN on Qubes. The following shows the default network configuration in Qubes.

The network hardware is attached to a special domain called sys-net. This is the only domain which directly talks to the outside network. Then a domain named sys-firewall connects to sys-net and all other VMs use sys-firewall to access the outside network. These kinds of special domains are also known as NetVM as they can provide network access to other VMs.

Creating new NetVMs for VPN

The easiest way is to clone the existing sys-net domain to a new domain. In my case, I have created two different domains, mynetwork and vpn2 as new NetVMs in dom0.

$ qvm-clone sys-net mynetwork
$ qvm-clone sys-net vpn2

As the next step, I have opened the settings for these VMs and marked sys-net as the NetVM for these. I have also install openvpn package in the templateVM so that both the new NetVM can find that package.

Setting up openvpn

I am not running openvpn as proper service as I want to switch to different VPN services I have access to. That also means a bit of manual work to setup the right /etc/resolv.conf file in the NetVMs and any corresponding VMs which access the network through these.

$ sudo /usr/sbin/openvpn --config connection_service_name.ovpn

So, the final network right now looks like the following diagram. The domains (where I am doing actual work) are connected into different VPN services.

Updating Qubes OS

Using updated software is a normal thing, also a few of us get more excited and use latest (not so stable) packages from the testing branch. This helps to detect bugs in the software before they go out the general availability.

As I was already using the RC1 release of Qubes, I thought of upgrading to the latest testing packages.

$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

As we already know that dom0 does not connect to the network, it actually uses an UpdateVM to download the packages first, and then the packages are sent to dom0. DNF takes care of the actual install/update of the package.

I rebooted the box after the update was done. One of the major change I can see is with copy/pasting text. It is not asking to confirm the extra dialog box while pasting. I can simply copy text, press Ctrl+shift+c and then go to another domain and press Ctrl+shift+v, and then right click and paste (or press Ctrl+v).

I have also updated the Fedora25 templateVM to the latest from my local Fedora mirror. While trying to attach a local image file using loop device (in dom0) to a VM I got into this issue.

I could not find any Fedora 26 repo for Qubes yet, Fedora 25 is the latest there. Fedora 27 release date is in less than 2 months. And then in another month Fedora 25 will be EOL. I hope developers will release packages to upgrade to F26 at least by then.

Qubes OS part 2

In this post, I am going to talk about sharing data between domains. You can read part one here.

Update: Read part 3 about network isolation.

One of the most common operation while working on many domains is copy/pasting text or files. Though it is something very much necessary, at the same time this can be a security risk. Randomly copy pasting data or file into a trusted domain, can be dangerous. We also have to make sure that random scripts can not copy paste without proper authorization. Qubes uses Xen shared memory for copying files instead of any block device.

Copy pasting text

One can copy text to the clipboard of the VM as usual, and then one can press Ctrl+Shift+c, then if one press Ctrl+Shift+v in any VM, it will ask for a menu like below screenshot to confirm if you want to paste to that VM’s clipboard. After that, you can normally paste with Ctrl+v or from the GUI.

Copying file to another VM

We can copy a file to another VM using the file browser. Just right click on any file, and click copy to the right VM. The following screenshots shows this way.

The other way to copy paste is using the command line. For example, the following command copies hello.txt file to the personal VM.

$ qvm-copy-to-vm personal hello.txt
sent 0/1 KB

Executing any command on a given VM

dom0 is the privileged domain in the system. From that, you can actually execute any command to another domain. In the following example, I am running the date command in the personal domain. With the --pass-io command line flag, we are saying to pass across the STDOUT and STDIN from the remote VM to dom0.

$ qvm-run --pass-io personal date
Tue Sep  5 17:42:11 IST 2017

Introduction to Qubes

I heard the name Qubes OS as an Operating System which was built while keeping security in mind, and also they used Fedora as the base Operating System. A reasonably secure operating system is the tagline and they also have a few testimonials in the site, I guess the most famous one is the following tweet.

The name again came up this week. This time I thought of trying it out, but, this is something I had to do on a bare-metal box, than on a VM. Luckily I bought extra drives in the last PyCon trip. I downloaded the stable 3.2 release, but the installer was failing into a Dracut shell saying /dev/mapper/live-rw is write protected. So, I moved on to the 4.0RC1 image. The installer is a modified Anaconda, means something very familiar to any Fedora/CentOS/Red Hat user. 4.0RC1 is based on Fedora 25, means more known points there.

Qubes uses Xen to manage VMs (for the rest of the post, I will keep using both VM, and domain interchangeably). The dom0 is the initial domain which comes up on boot. It is a short form of Domain 0. This is a privileged domain which manages all the other domains (domU). The default desktop for 4.0rc1 is XFCE. The dom0 does not have standard networking enabled. Actually, to have a working network to connect to outside world, the OS creates two special VMs.

sys-firewall

This special VM is the firewall for every other application VMs. You can actually create more than one firewall VMs and have a different set of rules.

sys-net

This VM has access to the network hardware and can create a connection with your local Wi-Fi or LAN/cable network. In my case, Fedora was failing to create internal interfaces which are being used by sys-firewall, so I rebooted the VM with a Debian-8 template. It solved my networking issue.

Regular Application VMs

When you first install the system, the installer will create a few domains for you, personal, work, untrusted, vault. It will create proper application shortcuts in the menu. This means when you click on the application menu for the Terminal for personal domain, it will first start the domain, and then open up the gnome-terminal for you. Each domain also gets a /rw partition which gets mounted as home. For every reboot, they start from a clean template, with only home consistent between boots.

This also means there is no easy way for applications/malware to talk between different VMs. If you open up a wrong website (with malware) on the untrusted domain, it will not have access to the filesystem under your work domain. There are special ways to copy/paste text between domains.

You can see in the above screenshot, the applications from each domain have different colors, that helps for quick recognition of each application for different domains. You can also see details about the running VMs by clicking on the Qubes icon on the tray in the menubar.

Disposable domains

There are times when you want to open a downloaded file (say PDF or a spreadsheet) on a VM which is only for single use. As soon as you close the application, the VM gets destroyed. For more details, read this document.

VMs without network access

The Vault is a special domain which does not connect to any network. You can also create new VMs in the same way, which does not connect to any firewall VM. The isolation from the network means nothing will go out in case of a malware in the file.

The following screenshot is showing the output of the qvm-ls command in dom0.

I will write more posts in future as I figure out things. Running F26 on the VMs is one them, because Python3.6 :) #qubes channel on Freenode is not that very active, but you will be able to find help in the channel if you wait.