mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 14:52:54 -04:00
qubes vpn update
parent
61a9fdb3e8
commit
d6c72fd6b9
2 changed files with 69 additions and 30 deletions
|
@ -118,7 +118,7 @@ To reiterate, the user profiles and their purposes are:
|
||||||
|
|
||||||
The GrapheneOS app store contains the standalone applications developed by the GrapheneOS project, such as Vanadium, Auditor, Camera, and PDF Viewer. These are automatically updated.
|
The GrapheneOS app store contains the standalone applications developed by the GrapheneOS project, such as Vanadium, Auditor, Camera, and PDF Viewer. These are automatically updated.
|
||||||
|
|
||||||
To install additional software, a [Sandboxed](/glossary/#sandboxing) Google Play can be installed through the GrapheneOS app store: ["Google Play receives absolutely no special access or privileges on GrapheneOS."](https://grapheneos.org/features#sandboxed-google-play)
|
To install additional software, [Sandboxed](/glossary/#sandboxing) Google Play can be installed through the GrapheneOS app store: ["Google Play receives absolutely no special access or privileges on GrapheneOS."](https://grapheneos.org/features#sandboxed-google-play)
|
||||||
|
|
||||||
Avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/en/android/#f-droid). The [Aurora Store](https://www.privacyguides.org/en/android/#aurora-store) has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
|
Avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/en/android/#f-droid). The [Aurora Store](https://www.privacyguides.org/en/android/#aurora-store) has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
|
||||||
|
|
||||||
|
@ -134,6 +134,8 @@ To install and configure Sandboxed Google Play:
|
||||||
* Automatic updates are enabled by default on the Google Play Store: **Google Play Store Settings → Network Preferences → Auto-update apps**.
|
* Automatic updates are enabled by default on the Google Play Store: **Google Play Store Settings → Network Preferences → Auto-update apps**.
|
||||||
* Notifications for Google Play Store and Google Play Services must be enabled for auto-updates to work: **Settings → Apps → Google Play Store / Google Play Services → Notifications**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18).
|
* Notifications for Google Play Store and Google Play Services must be enabled for auto-updates to work: **Settings → Apps → Google Play Store / Google Play Services → Notifications**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18).
|
||||||
|
|
||||||
|
### Installing a VPN
|
||||||
|
|
||||||
You are now ready to install applications from the Google Play Store. The first application we are going to install is a [VPN](/glossary/#vpn-virtual-private-network). If you can afford to pay for a VPN, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). Otherwise, we recommend RiseupVPN. A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without cryptocurrency.
|
You are now ready to install applications from the Google Play Store. The first application we are going to install is a [VPN](/glossary/#vpn-virtual-private-network). If you can afford to pay for a VPN, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). Otherwise, we recommend RiseupVPN. A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without cryptocurrency.
|
||||||
|
|
||||||
VPNs must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
VPNs must be installed in each user profile separately. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). We recommended using a VPN in every profile, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
||||||
|
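Review bot: The context paragraph directly under the new "### Installing a VPN" heading still reads "We recommended using a VPN in every profile"; since this commit already touches the section, change it to "We recommend". The paragraph above it also keeps "Otherwise, we recommend RiseupVPN" as the fallback, while the Qubes file in this same commit drops that fallback from its VPN section, so confirm the two guides are meant to differ on this.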
@ -142,6 +144,8 @@ VPNs must be installed in each user profile separately. All standard GrapheneOS
|
||||||
|
|
||||||
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Note that **Always-on VPN** and **Block connections without VPN** are enabled by default on GrapheneOS. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps — see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
Using the example of RiseupVPN, once installed, accept the 'Connection request' prompt. A green display means that the VPN has been successfully connected. Note that **Always-on VPN** and **Block connections without VPN** are enabled by default on GrapheneOS. From now on, the VPN will connect automatically when you turn on your phone. Continue installing other apps — see [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||||
|
|
||||||
|
### Delegating apps
|
||||||
|
|
||||||
Now we will delegate apps to the profiles they are needed in:
|
Now we will delegate apps to the profiles they are needed in:
|
||||||
|
|
||||||
* In the Owner profile, disable all applications downloaded from the Play Store except for the VPN: **Settings → Apps → [Example] → Disable**.
|
* In the Owner profile, disable all applications downloaded from the Play Store except for the VPN: **Settings → Apps → [Example] → Disable**.
|
||||||
|
@ -159,7 +163,7 @@ As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signa
|
||||||
|
|
||||||
If there is an app you want to use that requires Google Play services, create another secondary user profile for it. This is also a good way to isolate any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. You will need to install and configure Sandboxed Google Play in this "Google" user profile.
|
If there is an app you want to use that requires Google Play services, create another secondary user profile for it. This is also a good way to isolate any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. You will need to install and configure Sandboxed Google Play in this "Google" user profile.
|
||||||
|
|
||||||
Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid the need for this Google user profile.
|
Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid the need for this "Google" user profile.
|
||||||
|
|
||||||
# VoIP
|
# VoIP
|
||||||
|
|
||||||
|
|
|
@ -116,7 +116,7 @@ The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is
|
||||||
|
|
||||||
# How to Update
|
# How to Update
|
||||||
|
|
||||||
On Qubes OS, you should NOT use the `apt update` or `apt upgrade` commands, which you may be used to from other Linux experiences. As the [documentation](https://www.qubes-os.org/doc/how-to-update/) states, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing you'll want to do after connecting to the Internet is run Qubes Update. From the docs:
|
On Qubes OS, you should **not** use the `apt update` or `apt upgrade` commands, which you may be used to from other Linux experiences. As the [documentation](https://www.qubes-os.org/doc/how-to-update/) states, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing you'll want to do after connecting to the Internet is run Qubes Update. From the docs:
|
||||||
|
|
||||||
> you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”
|
> you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”
|
||||||
|
|
||||||
|
@ -254,16 +254,6 @@ The cloned Template we will need is already configured: `debian-12-documents`. G
|
||||||
|
|
||||||
Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
|
Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
|
||||||
|
|
||||||
## A VPN Qube
|
|
||||||
|
|
||||||
You should configure your non-Tor qubes to be forced through a reputable [VPN](/glossary/#vpn-virtual-private-network), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
|
||||||
|
|
||||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
|
||||||
|
|
||||||
If you can afford to pay for a VPN, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). Otherwise, we recommend RiseupVPN. A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without cryptocurrency.
|
|
||||||
|
|
||||||
There are guides for [the Mullvad app](https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/), [Mullvad without the app](https://forum.qubes-os.org/t/tutorial-4-2-4-1-mullvad-wireguard-with-qubes/21172), and [the IVPN app](https://forum.qubes-os.org/t/ivpn-app-4-2-setup-guide/23804).
|
|
||||||
|
|
||||||
## Additional Settings
|
## Additional Settings
|
||||||
|
|
||||||
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly — when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly — when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
||||||
|
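Review bot: The removed "## A VPN Qube" section carried two things that the replacement "# Create a VPN Qube" section added later in this file does not: the "Mullvad without the app" guide link and the "Otherwise, we recommend RiseupVPN" fallback for readers who cannot pay. If dropping them is intentional, the commit message ("qubes vpn update") should say so; otherwise carry the link and the fallback sentence over to the new section.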
@ -292,6 +282,67 @@ If your file opens in an application other than the one you want, you'll need to
|
||||||
|
|
||||||
You can also use disposables to "sanitize" an untrusted file, which means making it trusted. It does this by converting it to images in a disposable and wiping the metadata. For PDF files, right-click and select **Convert To Trusted PDF**, and for image files, right-click and select **Convert To Trusted Img**. See [the guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) to open all file types in a disposable by default.
|
You can also use disposables to "sanitize" an untrusted file, which means making it trusted. It does this by converting it to images in a disposable and wiping the metadata. For PDF files, right-click and select **Convert To Trusted PDF**, and for image files, right-click and select **Convert To Trusted Img**. See [the guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) to open all file types in a disposable by default.
|
||||||
|
|
||||||
|
# Whonix and Tor
|
||||||
|
|
||||||
|
The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), on which Whonix is based. When Whonix is used in Qubes OS, it is referred to as Qubes-Whonix. Whonix can be used on other operating systems, but it's preferable to use it on Qubes OS because of the superior isolation it provides.
|
||||||
|
|
||||||
|
Multiple default applications on a Whonix-Workstation App qube are [configured to use unique circuits](https://www.whonix.org/wiki/Stream_Isolation#List) of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated — this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation).
|
||||||
|
|
||||||
|
To take advantage of compartmentalization, create separate Whonix-Workstation App qubes for distinct activities/identities, as we did [above](/posts/qubes/#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice not to use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) at the same time:
|
||||||
|
|
||||||
|
> While multiple Whonix-Workstation are recommended, this is not an endorsement for using them simultaneously! It is safest to only use one Whonix-Workstation at a time and for a single activity. New risks are introduced by running multiple Whonix-Workstation at the same time. For instance, if a single Whonix-Workstation was compromised, it could potentially perform various side channel attacks to learn about running processes in other VMs, and not all of these can be defeated. Depending on user activities, a skilled adversary might be able to correlate multiple Whonix-Workstations to the same pseudonym.
|
||||||
|
|
||||||
|
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
|
||||||
|
|
||||||
|
Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Whonix up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||||
|
|
||||||
|
Occasionally, Tor Browser will notify you that a new version is available before it can be updated by using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do **not** run this tool from a disposable Template — the disposable Template will be updated automatically.
|
||||||
|
|
||||||
|
# Create a VPN Qube
|
||||||
|
|
||||||
|
You should create a [VPN](/glossary/#vpn-virtual-private-network) qube, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
||||||
|
|
||||||
|
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
||||||
|
|
||||||
|
We recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without cryptocurrency.
|
||||||
|
|
||||||
|
We're going to name the new VPN qube `sys-vpn`. Follow the guide for [the Mullvad app](https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/) or the [the IVPN app](https://forum.qubes-os.org/t/ivpn-app-4-2-setup-guide/23804). Now `sys-vpn` will force all network traffic through the VPN before it reaches `sys-firewall`.
|
||||||
|
|
||||||
|
## Change the default net qube
|
||||||
|
|
||||||
|
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Switch the default net qube from `sys-firewall` to `sys-vpn`.
|
||||||
|
* Then, go to debian-12-dvm's **Settings → Basic** tab and change the net qube to `sys-vpn`.
|
||||||
|
* Do the same for any other disposables or App qubes that were already created which used `sys-firewall` for their net qube.
|
||||||
|
|
||||||
|
To understand this configuration, it may help to visualize the qubes involved in networking for debian-12-dvm:
|
||||||
|
|
||||||
|
| Qube name | Qube description | Net qube |
|
||||||
|
| ------ | ----------- | -- |
|
||||||
|
| sys-net | *Your default network qube (pre-installed)* | *n/a* |
|
||||||
|
| sys-firewall | *Your default firewall qube (pre-installed)* | sys-net |
|
||||||
|
| `sys-vpn` | The VPN qube you created | sys-firewall |
|
||||||
|
| debian-12-dvm | Your disposable Debian qube | `sys-vpn` |
|
||||||
|
|
||||||
|
## Configure connecting to the VPN before Tor
|
||||||
|
|
||||||
|
Unless you are intentionally using [Internet not tied to your identity](/posts/tails-best#internet-not-tied-to-your-identity), we recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)).
|
||||||
|
|
||||||
|
* To configure connecting to a VPN *before* connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube to `sys-vpn`.
|
||||||
|
* When using Internet from home, its best to use a VPN for all network traffic. But if you are intentionally using Internet not tied to your identity, such as Wi-Fi at a random cafe, the VPN ties you to any other computer activity you've used it for (via your subscription). In this scenario, you can change sys-whonix's net qube back to `sys-firewall` (connect to Tor directly), or change sys-whonix's net qube to another VPN qube (`sys-vpn-2`) that uses a compartmentalized VPN subscription.
|
||||||
|
* As a last step, we will verify that only `sys-vpn` has its net qube set to `sys-firewall`. Go to **Applications menu → Qubes Tools → Qube Manager** and sort the entries by "Net qube" to make this easier.
|
||||||
|
|
||||||
|
For more information on the rationale of this configuration, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor). Note that you should not connect to a VPN *after* Tor because this [breaks Stream Isolation](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-tor-x).
|
||||||
|
|
||||||
|
To understand this configuration, it may help to visualize the qubes involved in networking for whonix-workstation-17-dvm:
|
||||||
|
|
||||||
|
| Qube name | Qube description | Net qube |
|
||||||
|
| ------ | ----------- | -- |
|
||||||
|
| sys-net | *Your default network qube (pre-installed)* | *n/a* |
|
||||||
|
| sys-firewall | *Your default firewall qube (pre-installed)* | sys-net |
|
||||||
|
| `sys-vpn` | The VPN qube you created | sys-firewall |
|
||||||
|
| sys-whonix | The Whonix-Gateway qube | `sys-vpn` |
|
||||||
|
| whonix-workstation-17-dvm | A disposable Whonix-Workstation qube | sys-whonix |
|
||||||
|
|
||||||
# How to Use Devices (like USBs)
|
# How to Use Devices (like USBs)
|
||||||
|
|
||||||
To learn how to attach devices, let's format the empty USB or hard drive that will be used for backups. Attaching the USB to an offline disposable mitigates against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
|
To learn how to attach devices, let's format the empty USB or hard drive that will be used for backups. Attaching the USB to an offline disposable mitigates against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
|
||||||
|
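Review bot: The last bullet under "## Configure connecting to the VPN before Tor" asks the reader to verify that only `sys-vpn` has its net qube set to `sys-firewall`, but the bullet just before it tells readers using Internet not tied to their identity to change sys-whonix's net qube back to `sys-firewall`, which would fail that check. Word the verification so it names this exception, or readers will take a deliberate configuration for a mistake. In "# Create a VPN Qube", the sentence "Now `sys-vpn` will force all network traffic through the VPN" comes before the steps that switch the default net qube and the existing qubes, so at that point it only holds for qubes already using `sys-vpn`; move it after "## Change the default net qube" or scope it. Smaller points: "or the [the IVPN app]" has a doubled "the", "its best to use a VPN" should be "it's best", and both tables put only `sys-vpn` in backticks while the other qube names are plain.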
@ -327,23 +378,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
|
||||||
>* **Backup directory**: click **...** to select the newly created folder `backups`.
|
>* **Backup directory**: click **...** to select the newly created folder `backups`.
|
||||||
>5. Enter an encryption passphrase, which can be the same as your Qubes OS user passphrase, because you will need to memorize it to restore from backup, and it will contain the same data. This is dom0, so you won't be able to paste it from a password manager.
|
>5. Enter an encryption passphrase, which can be the same as your Qubes OS user passphrase, because you will need to memorize it to restore from backup, and it will contain the same data. This is dom0, so you won't be able to paste it from a password manager.
|
||||||
>6. Untick "Save settings as default backup profile", and press **Next**.
|
>6. Untick "Save settings as default backup profile", and press **Next**.
|
||||||
>7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you can’t restore your data from it. You can also verify that a backup is not [silently corrupted](https://github.com/QubesOS/qubes-issues/issues/6386) by actually restoring it — first rename the App qube you will restore to avoid confusion.
|
>7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. Do not forget to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you can’t restore your data from it. You can also verify that a backup is not [silently corrupted](https://github.com/QubesOS/qubes-issues/issues/6386) by actually restoring it — first rename the App qube you will restore to avoid confusion.
|
||||||
|
|
||||||
# Whonix and Tor
|
|
||||||
|
|
||||||
The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), on which Whonix is based. When Whonix is used in Qubes OS, it is referred to as Qubes-Whonix. Whonix can be used on other operating systems, but it's preferable to use it on Qubes OS because of the superior isolation it provides.
|
|
||||||
|
|
||||||
Multiple default applications on a Whonix-Workstation App qube are [configured to use unique circuits](https://www.whonix.org/wiki/Stream_Isolation#List) of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated — this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation).
|
|
||||||
|
|
||||||
To take advantage of compartmentalization, create separate Whonix-Workstation App qubes for distinct activities/identities, as we did [above](/posts/qubes/#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice not to use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) at the same time:
|
|
||||||
|
|
||||||
> While multiple Whonix-Workstation are recommended, this is not an endorsement for using them simultaneously! It is safest to only use one Whonix-Workstation at a time and for a single activity. New risks are introduced by running multiple Whonix-Workstation at the same time. For instance, if a single Whonix-Workstation was compromised, it could potentially perform various side channel attacks to learn about running processes in other VMs, and not all of these can be defeated. Depending on user activities, a skilled adversary might be able to correlate multiple Whonix-Workstations to the same pseudonym.
|
|
||||||
|
|
||||||
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
|
|
||||||
|
|
||||||
Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Whonix up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
|
||||||
|
|
||||||
Occasionally, Tor Browser will notify you that a new version is available before it can be updated by using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template — the disposable Template will be updated automatically.
|
|
||||||
|
|
||||||
# Password Management
|
# Password Management
|
||||||
|
|
||||||
|
|