Windows 10 / Server 2016 installs and runs without any issues as an HVM on Qubes 3.2 (4.0 not tested). Inter-VM functionality can be achieved using any remote desktop protocol, including X11, VNC and RDP. This post is about using the freeRDP client with Windows' built-in RDP server functionality.
The RDP protocol enables the following major features: seamless windows, shared clipboard, shared folders, and audio & usb redirection. GPU-accelerated VMs are possible if they are hosted on a separate Hyper-V machine. Keep in mind that all of these features are provided by the RDP protocol over standard networking interfaces. This is in contrast to `qubes-windows-tools` which provides similar functionality using Qubes' back-end. Determine if that risk is appropriate for you. QWT also provides access to qrexec and persistent profiles (that enable immutable root filesystems and simplified offline HVMs).
1. Install Windows 10 as a Standalone HVM or HVM Template (if you have the appropriate licenses). The template will have limited usage unless you can offload data you want to persist onto a separate volume (or you can use it as a disposable VM). Also, make sure you set up a password. Enable Remote Desktop in Settings > System. Leave NLA enabled.
2. Inter-VM communication: This will be the hardest step for those of you new to this. You'll need to allow one of your Linux VMs (freeRDP client) to communicate with one of your Windows VMs (RDP server). Create or use a proxyVM to act as a router.
Example of basic setup:
```
          win10
            |
            |
sys-net --- sys-firewall
            |
            |
          workVM
```
Instructions are here: https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
Don't proceed until you succeed with this step.
3. Install `freerdp` in workVM. Fedora-25 has v2.0.0, as does Debian stretch-backports.
4. Test with `xfreerdp /v:<server IP>:3389`. If server responds and you can log in, then you can pile on the options.
5. There are MANY options. See `man xfreerdp` and docs[2]. I haven't used a GUI but some exist, like Remmina. You may want to add the following:
```
/v:<serverIP>:3389
/u:[domain\]<user>
/p:<password>
/w:<pixel width>
/h:<pixel height>
/network:lan # network speed
/drive:myShare,/home/user/myShare # share name, location
/rfx # remote-fx works with all VMs; only hyperv for gpu
/rfx-mode:<video|image>
/multimedia # for sync'd audio/video, see docs
/sound # sound redirection
/sound:latency:<in ms>
/microphone
/usb:id,dev # usb redirection, see docs
/clipboard
/fonts # cleartype
/app:"C:\Windows\explorer.exe" # remote-apps (see below)
```
** Remote Apps **
For seamless windows, in RDP host > Group Policy:
`Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections/Allow remote start of unlisted programs`: Set to "Enabled"
The easiest way to use this is to launch File Explorer (C:\Windows\explorer.exe) or Console (C:\Windows\System32\cmd.exe). Set up shortcuts and launch from these programs; applications will then open in their own seamless windows.
** Offline Windows **
The best feature of `qubes-windows-tools` is that you can use Windows offline with networking completely disabled. Without QWT, the best you can do is have strict firewalls everywhere but especially on your proxyVM.
The only traffic that is necessary for this setup (in proxyVM):
```
# Let replies to already-accepted connections through (both directions)
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New RDP connections, but only from workVM (client) to win10 (server)
iptables -A FORWARD -i vif+ -s <workVM IP> -o vif+ -d <win10 IP> \
    -p tcp --dport 3389 -m state --state NEW -j ACCEPT
```
Drop all other windows outbound traffic entering proxyVM:
```
# Anything else win10 originates, whether forwarded or aimed at proxyVM itself
iptables -A FORWARD -i vif+ -s <win10 IP> -j DROP
iptables -A INPUT -i vif+ -s <win10 IP> -j DROP
# First match wins: -A is only effective if no earlier rule already ACCEPTs vif+
# traffic (the doc in step 2 uses -I FORWARD 2); check with iptables -L FORWARD -n --line-numbers
```
Some other ports that you may require:
WSUS: tcp 8530-8531
KMS: tcp 1688
Samba is a mess: tighten with -s and -d
** Torrified Windows **
Of questionable benefit since win10 is a leaky sieve, but for fun you can route traffic through `sys-whonix`.
```
# Redirect win10's DNS queries (sent to proxyVM's own address) to Whonix-Gateway
iptables -t nat -A PREROUTING -i vif+ -s <win10 IP> -d <proxyVM IP> \
    -p udp --dport 53 -j DNAT --to-destination <sys-whonix IP>
# Allow new TCP connections from win10 upstream, and only to 80/443
iptables -A FORWARD -i vif+ -s <win10 IP> -o eth0 -p tcp \
    -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Qubes already rewrites DNS in nat PREROUTING; confirm this rule is hit first
# with: iptables -t nat -L PREROUTING -n --line-numbers
```
** Hyper-V GPU Passthrough **
Remote-FX allows Win VMs running on Hyper-V to access GPUs. There is some expected overhead but otherwise works well. Potential option if you need accelerated Photoshop on your Qubes desktop. Or if you need to play 3D games on a reasonably secure OS. ;)
Hope that helps! Let me know if you have better methods...
[1] From https://github.com/QubesOS/qubes-issues/issues/1861
[2] https://github.com/FreeRDP/FreeRDP/wiki
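The following is an added example, not code from the original post and not from the Qubes or FreeRDP projects. It replays the "Offline Windows" FORWARD rules with iptables first-match semantics over an assumed, simplified model of the default chain a Qubes 3.2 proxyVM starts with; the IPs, packets and that default chain are all constructed. Under that assumption it shows why rule order decides whether the lockdown works: appended with `-A` as written in the post, the rules land below the default rule that accepts vif+ traffic, so the RDP rule never fires and win10 still reaches the internet, whereas inserted with `-I FORWARD 2` (as the firewall doc linked in step 2 does) they sit right after the conntrack rule and behave as intended. Confirm the real chain with `iptables -L FORWARD -n -v --line-numbers` in your proxyVM before trusting either result.

```python
"""Added example (not the original post's code): replay proxyVM FORWARD rules
with iptables first-match semantics. IPs, packets and the Qubes 3.2 default
chain are constructed; the defaults are an assumed simplification."""
import ipaddress
import shlex
WORK_IP = "10.137.2.10"  # constructed: workVM, the xfreerdp client
WIN_IP = "10.137.2.20"   # constructed: win10 HVM, the RDP server
# Assumed approximation of the FORWARD chain a Qubes 3.2 proxyVM starts with;
# compare with `iptables-save` inside your own proxyVM.
QUBES_DEFAULTS = """\
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP
"""
# The post's two FORWARD rule bodies, verbatim apart from the sample IPs.
RDP_OK = (f"-i vif+ -s {WORK_IP} -o vif+ -d {WIN_IP}"
          " -p tcp --dport 3389 -m state --state NEW -j ACCEPT")
WIN_DROP = f"-i vif+ -s {WIN_IP} -j DROP"
APPENDED = [f"iptables -A FORWARD {RDP_OK}", f"iptables -A FORWARD {WIN_DROP}"]
# Same rules inserted at position 2 (right after the conntrack rule), as the Qubes
# doc linked in step 2 does; DROP first so the ACCEPT inserted next lands above it.
INSERTED = [f"iptables -I FORWARD 2 {WIN_DROP}", f"iptables -I FORWARD 2 {RDP_OK}"]

def parse_rule(line):
    """Parse `iptables -A CHAIN ...` / `-I CHAIN [n] ...` into a dict."""
    toks = shlex.split(line)
    toks = toks[1:] if toks[:1] == ["iptables"] else toks
    rule = {"chain": None, "pos": None, "match": {}, "target": None}
    m, i = rule["match"], 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1]
        i += 2
        if t in ("-A", "-I"):
            rule["chain"], rule["pos"] = arg, (1 if t == "-I" else None)
            if t == "-I" and i < len(toks) and toks[i].isdigit():  # -I CHAIN n
                rule["pos"], i = int(toks[i]), i + 1
        elif t in ("-i", "-o", "-p", "-m"):    # -m is the module name, unused below
            m[t] = arg
        elif t in ("-s", "-d"):
            m[t] = ipaddress.ip_network(arg, strict=False)
        elif t in ("--dport", "--dports"):
            m["dports"] = {int(p) for p in arg.split(",")}
        elif t in ("--state", "--ctstate"):
            m["states"] = set(arg.split(","))
        elif t == "-j":
            rule["target"] = arg
        else:
            raise ValueError(f"unsupported option {t!r} in: {line}")
    return rule

def parse_dump(text):
    # (policies, rules) from iptables-save style lines: ":CHAIN POLICY [..]" and "-A ...".
    policies = {l.split()[0][1:]: l.split()[1] for l in text.splitlines() if l[:1] == ":"}
    return policies, [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]

def install(rules, command):
    # Apply `iptables -A ...` or `iptables -I CHAIN [n] ...`; n is 1-based within the chain.
    rule = parse_rule(command)
    idx = [k for k, r in enumerate(rules) if r["chain"] == rule["chain"]]
    at = idx[rule["pos"] - 1] if rule["pos"] else (idx[-1] + 1 if idx else len(rules))
    rules.insert(at, rule)

def rule_matches(rule, pkt):
    m = rule["match"]
    for opt, field in (("-i", "in"), ("-o", "out")):  # trailing '+' is a prefix wildcard
        pat = m.get(opt)
        if pat and not (pkt[field].startswith(pat[:-1]) if pat.endswith("+") else pkt[field] == pat):
            return False
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in m and ipaddress.ip_address(pkt[field]) not in m[opt]:
            return False
    if m.get("-p", pkt["proto"]) != pkt["proto"] or pkt["dport"] not in m.get("dports", {pkt["dport"]}):
        return False
    return "states" not in m or pkt["state"] in m["states"]

def verdict(policies, rules, chain, pkt):
    # First match wins, else the chain policy; only terminating targets are modelled.
    return next((r["target"] for r in rules if r["chain"] == chain and rule_matches(r, pkt)), policies[chain])

def audit(commands):
    """Install `commands` over the assumed defaults; return FORWARD verdicts."""
    policies, rules = parse_dump(QUBES_DEFAULTS)
    for cmd in commands:
        install(rules, cmd)
    pkt = lambda src, dst, dport, out="vif2.0", state="NEW": {  # constructed TCP packet
        "in": "vif1.0", "out": out, "src": src, "dst": dst, "proto": "tcp", "dport": dport, "state": state}
    cases = {
        "rdp_work_to_win": pkt(WORK_IP, WIN_IP, 3389),
        "smb_work_to_win": pkt(WORK_IP, WIN_IP, 445),
        "rdp_win_to_work": pkt(WIN_IP, WORK_IP, 3389),
        "https_win_to_internet": pkt(WIN_IP, "198.51.100.7", 443, out="eth0"),  # constructed host
        "rdp_reply_win_to_work": pkt(WIN_IP, WORK_IP, 51000, state="ESTABLISHED"),
    }
    return {name: verdict(policies, rules, "FORWARD", p) for name, p in cases.items()}

if __name__ == "__main__":
    print({label: audit(cmds) for label, cmds in (("appended", APPENDED), ("inserted", INSERTED))})
```

Running it prints one verdict map per installation style. With the assumed defaults, `appended` reports the RDP connection as DROP (the default vif-to-vif DROP matches first) and win10's outbound HTTPS as ACCEPT (the default vif+ ACCEPT matches first), which is the opposite of an offline Windows; `inserted` reports RDP ACCEPT, everything win10 originates DROP, and established replies ACCEPT. The model only understands the options the post uses (`-i/-o/-s/-d/-p`, `--dport(s)`, `--state/--ctstate`) and terminating targets; anything else raises rather than silently passing, so extend it before feeding it a rule set with user-defined chains.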
Thanks so much for writing this down.
On step 2, these instructions to establish inter-VM networking [1] seem to be aimed at Linux VMs. It says we should use iptables and edit the rc.local file on both VMs. Any tip on how we could do that on the Windows 10 qube?
[1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes