diff --git a/docs/configuration/screen-share.md b/docs/configuration/screen-share.md new file mode 100644 index 0000000..f2b8d17 --- /dev/null +++ b/docs/configuration/screen-share.md 
@@ -0,0 +1,105 @@ + +How to Share A Screen Across Qubes +================================== + +> Warning: +> This guide involves opening up a TCP port between qubes. This is discouraged from the security standpoint and should only be used as a last resort, use sparingly. + +## Terminology +PRESENTATION-QUBE is the Qube you want to view the screen from + +CONTENT-QUBE is the Qube that has the window you want to share + +## Setup The Shared Screen Server + +Choose one of these sub-sections depending on whether you want to open a new screen (increased isolation), or use an existing monitor or screen. + +### If You Want To Share a New Screen + +In the Content Qube: + +1. Install packages `sudo apt install xfwm4 tigervnc-standalone-server tigervnc-viewer` or `sudo dnf install xfwm4 tigervnc-server tigervnc` + +2. Enter the password by executing `vncpasswd` + + 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` + + 2. Enter one password for read/write (first password and verify prompt) + + 3. Enter a different password for the view only password (second password and verify prompt) + +3. Start the server `vncserver :1 -xstartup /usr/bin/xfwm4 -geometry 1920x1080 -localhost no` + +4. View the shared screen `vncviewer -passwd ~/.vnc/passwd :1` + +5. Open applications `DISPLAY=:1 xterm` where xterm can be any binary on your system + +## If You Want To Share an Existing Monitor or Window + +In the Content Qube: + +1. Install packages `sudo apt install xfwm4 x11vnc x11-utils` or `sudo dnf install xfwm4 x11vnc xwininfo` + +2. Enter the password by executing `x11vnc -storepasswd` + + 1. You can generate secure enough passwords for this purpose using `openssl rand -base64 16 | tr -d '+/=' | head -c 8;echo` + +3. Start the server + + 1. If you want to share a window `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901 -clip 1920x1080+0+0` + + - Replace `1920x1080+0+0` with the resolution (e.g. 
`1920x1080`) and offset (e.g. `+0+0`) of the screen area you want to share. The coordinates 0,0 are in the top left, increasing down and to the right. + + - Use `xrandr --listactivemonitors` in Dom0 to get a list of all monitors and their offsets. That command returns in the form `W/_xH/_+X+Y`. For example to share DP-1, with xrandr output of ` 0: +DP-1 1920/510x1080/287+1280+0 DP-1`, 1920x1080+1280+0 would share just that screen. + + - `arandr` is a useful graphical tool to show where all the monitors are in relation to each other. + + 2. If you want to share a monitor `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901 -id pick` + + - This retrieves the numerical id of the next window you click on. + + 3. If you want to share all the monitors use `x11vnc -viewonly -rfbauth ~/.vnc/passwd -rfbport 5901` + +4. View the shared screen as specified in "View The Shared Screen" + +5. Open applications like normal + +## Qubes Connect TCP Service + +These steps are a simpler version of [The Qubes Firewall](https://www.qubes-os.org/doc/firewall/#opening-a-single-tcp-port-to-other-network-isolated-qube). In dom0 execute these steps: + +1. Edit /etc/qubes-rpc/policy/qubes.ConnectTCP + +2. Add the line: ` @default ask,target=` + + - (recommended) By specifying `ask`, dom0 will ask each time a connection is attempted on that port + + - (not recommended) Rather than specifying `ask` you can use `allow` to allow all connections without a prompt, this leaves you unaware of new attempted connections. + +3. After you are done sharing you screen, remove this line to prevent further unwanted connections + +## View The Shared Screen + +In the Presentation Qube: + +1. Install package `sudo apt install -y tigervnc-viewer` + +2. Bind TCP port using Qubes Connect TCP service `qvm-connect-tcp ::5901` + +3. Start the VNC Viewer `vncviewer -Shared -ViewOnly -RemoteResize=0 -SendPrimary=0 -SendClipboard=0 -SetPrimary=0 127.0.0.1:5901` + +4. 
Confirm that you want to connect to the Presentation Qube in the dom0 prompt + +5. Enter password for the VNC server you created above + +6. In your presentation software share the VNC viewer + +## Present + +In the Content Qube interact with the shared screen, the changes will be mirrored back to your Presentation Qube. + +## Notes + +- To reset the VNC password delete `~/.vnc/passwd` in the Content Qube + +- The Content Qube does not need to have access to the internet \ No newline at end of file
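Review bot: In step 3 of "If You Want To Share an Existing Monitor or Window" the two labels are swapped: `-clip 1920x1080+0+0` limits the share to a screen region (a monitor), while `-id pick` shares the window you click on, as the bullet under it already says. Swap "share a window" and "share a monitor". Further points in the same hunk:

- Step 4 of "View The Shared Screen" should name the Content Qube as the connection target, since the Presentation Qube is the side that connects.
- The two "If You Want To Share ..." headings are siblings but sit at different levels (`###` and `##`).
- "sharing you screen" should read "sharing your screen".
- The policy step edits `/etc/qubes-rpc/policy/qubes.ConnectTCP`, which applies to every port. Naming the file `qubes.ConnectTCP+5901` would limit the rule to the VNC port.
- In the "New Screen" path the server also accepts a read/write password, and the viewer's `-ViewOnly` is only a client-side setting. Step 5 of the viewing section should tell the reader to enter the view-only password.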