Qubes as server

[chrisro...@gmail.com]

Hello,

I am considering the feasibility of using Qubes as the OS for a home server.

I am aware it is primarily a desktop OS at this time (although I hope with Qubes Air on the horizon that may change to accommodate the server space better), and can live with configuring the system locally via a GUI; but I would like to run at least two or three VMs which each offer a service (a web server, a media streaming service, etc) to external connections.

I previously did something like this with VirtualBox on Linux, and was able to assign a couple of VMs with their own IPs and SSH instances, etc.

Is this something I can realistically achieve with Qubes?

Thanks in advance for any advice.

[Unman]

Yes, it is.
Qubes isn't designed with this in mind, but it can easily be used in
this way.
You'll need an understanding of Qubes networking and be able to push
traffic from sys-net down to the target qubes. This is quite well
documented.

If you hit any problems just post here.

unman

[Who Cares]

I did the same and you just should keep in mind that the sys-firewall would block any communication between VM's or between Clients and Qubes VM´s.

Someone posted this Link:
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
it helped a lot.

Just make sure that you either update iptable rules for each of your Service VM´s (for example Web-server-VM) or connect the Service VM's directly to sys-net without sys-firewall but this is, I think, not recommended.

[Unman]

Definitely not recommended and unnecessary.
The Qubes networking structure is flexible enough to let you do pretty
much whatever you like without unduly compromising security.

If you have 2 NICS, you could allocate one to a new sys-net and get even
greater isolation between your standard qubes and those offering
external services: DMZ on the cheap.

unman

[chrisro...@gmail.com]

Great, thank you both for your responses. I'll check into inter-qube networking and see what makes sense for me. Mostly I am concerned with just making a given qube accessible to outside, I don't think I care about inter-qube networking too much beyond that.

One other thing I am wondering about is how feasible it is to selectively allow a given qube/VM to access a given directory (and only that directory) of my server's media drives. In particular, I am also wondering how well Qubes works with ZFS in practice (I have taken a quick look at the Qubes ZFS info page and see it does support it), as currently all my data is in a zpool. Should I expect trouble with either of those aspects?

[awokd]

On Sat, August 25, 2018 2:50 pm, Unman wrote:

> The Qubes networking structure is flexible enough to let you do pretty
> much whatever you like without unduly compromising security.

Say someone would like to set up an internal vswitch with multiple VMs on
it with one acting as a gateway, or set up multiple portgroups each on its
own VLAN trunked outside. This can be relatively easily accomplished with
some virtualization products, but Qubes isn't really designed to
accommodate lab/server setups like that.

[Unman]

But Xen is, and you *can* implement this should you wish. But as you say
Qubes isn't designed for this purpose.

I wasn't clear enough though. VLANs are just a tool, not an end in
themselves. It's almost always possible to build a Qubes infrastructure
that provides the isolation that VLANs provide.
In the time I've been working with Qubes I haven't found a real world
implementation that cant be accommodated with some careful thought.