Hello, folks!
After a long hiatus because of reasons, I'm happy to announce
Qubes network server -- an add-on to Qubes OS that allows you to
expose selected AppVMs to other VMs and to other machines in your
LAN as well. The latest tagged release is compatible with Qubes
4.0.
The URL to check is:
https://github.com/Rudd-O/qubes-network-server
An excerpt from the README.md file follows here. I hope this helps you understand what possibilities Qubes network server opens up for you.
I'm happy to report that, with a minor readjustment (attaching my
networked AppVMs to NetVMs instead of ProxyVMs), this functions as
an adequate replacement for Qubes network server from release 3.2.
--------------------------------------------------------------
This software lets you turn your [Qubes OS 4.0](https://www.qubes-os.org/)
machine into a network server, enjoying all the benefits of Qubes OS
(isolation, secure inter-VM process communication, ease of use) with
none of the drawbacks of setting up your own Xen server.
Qubes OS is a magnificent operating system, but there are so many
use cases that its networking model cannot crack:
The traditional Qubes OS networking model contemplates a client-only use case. User VMs (AppVMs or StandaloneVMs) are attached to ProxyVMs, which give the user control over outbound connections taking place from user VMs. ProxyVMs in turn attach to NetVMs, which provide outbound connectivity for ProxyVMs and other user VMs alike.
No provision is made for running a server in a virtualized
environment, such that the server's ports are accessible by (a)
other VMs (b) machines beyond the perimeter of the NetVM. To the
extent that such a thing is possible, it is only possible by
painstakingly maintaining firewall rules for multiple VMs, which
need to carefully override the existing firewall rules, and
require careful thought not to open the system to unexpected
attack vectors. The Qubes OS user interface provides no help
either.
Qubes network server changes all that.
With the Qubes network server software, it becomes possible to
make network servers in user VMs available to other machines, be
they peer VMs in the same Qubes OS system or machines connected to
a physical link shared by a NetVM. Those network server VMs also
obey the Qubes OS outbound firewall rule controls, letting you
run services with outbound connections restricted.
This is all, of course, opt-in, so the standard Qubes OS network
security model remains in effect until you decide to enable the
feature on any particular VM.
The only drawback of this method is that it requires you to attach
VMs meant to be exposed to the network directly to a NetVM, rather
than through a ProxyVM. VMs exposed through a ProxyVM will not be
visible to machines on the same network as the NetVM.
Once installed (see the full README.md at the URL posted above),
usage of the software is straightforward.
These sample instructions assume you already have an AppVM set up,
named testvm, and that your sys-net VM is attached to a LAN with
subnet 192.168.16.0/24.
First, attach the VM you want to expose to the network to a NetVM
that has an active network connection:
    qvm-prefs -s testvm netvm sys-net
Then, set an IP address on the VM:
    qvm-prefs -s testvm ip 192.168.16.25
(The step above requires you to restart the testvm VM if it
was running.)
Then, to enable the network server feature for your testvm
VM, all you have to do in your AdminVM (dom0) is run the
following command:
    qvm-features testvm routing-method forward
Now testvm is exposed to the network with address 192.168.16.25,
as well as to other VMs attached to its sys-net NetVM.
Do note that testvm will have the standard Qubes OS firewall rules
stopping inbound traffic. To solve that issue, you can
[use the standard rc.local Qubes OS mechanism to alter the firewall rules](https://www.qubes-os.org/doc/firewall/#where-to-put-firewall-rules)
in your testvm AppVM.
--
Rudd-O
http://rudd-o.com/
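
An added example, not part of the post or the project's README: an rc.local fragment for testvm that admits inbound connections to one service from the LAN subnet used above and nothing wider. It assumes testvm filters inbound traffic with iptables (as stock Qubes 4.0 VMs do) and that the service listens on TCP 443; the port, the helper functions and the APPLY_RULES variable are all introduced here for illustration.

```shell
#!/bin/sh
# Added example for /rw/config/rc.local inside testvm (not the project's code).
# Assumptions: inbound filtering is done by iptables in the VM; 443/tcp is a
# hypothetical service port; the source subnet is the LAN from the post.

ALLOW_FROM="192.168.16.0/24"   # LAN subnet from the instructions above
ALLOW_TCP_PORTS="443"          # hypothetical service port(s), space-separated

# Return 0 only for a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 only for dotted-quad/prefix with a prefix length of 1..32.
# Rejecting /0 keeps a typo from exposing the port to every source.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

# Print one iptables argument line per port.
# Validates everything first, so bad input yields no rules at all.
build_rules() {
    src=$1; shift
    valid_cidr "$src" || return 1
    for p in "$@"; do valid_port "$p" || return 1; done
    for p in "$@"; do
        echo "-I INPUT -s $src -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Rules are applied only when APPLY_RULES=1, so the file can be sourced or
# dry-run without touching the firewall.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    rules=$(build_rules "$ALLOW_FROM" $ALLOW_TCP_PORTS) || exit 1
    echo "$rules" | while read -r rule; do
        iptables $rule    # intentionally unquoted: split into arguments
    done
fi
```

Inserting at the top of INPUT places the accept ahead of the default inbound block, and limiting the source to the LAN subnet keeps the exposure no wider than the network sys-net is attached to.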