qusal/salt/sys-gui-vnc/README.md

2.7 KiB

sys-gui

VNC GUI domain in Qubes OS.

Table of Contents

Description

Setup a VNC GUI domain named "sys-gui-vnc". The qube spawns a VNC server and you can connect from other qubes to it. It is primarily intended for remote administration.

Installation

WARNING: unfinished formula.

  • Top:
sudo qubesctl top.enable qvm.sys-gui pillar=True
sudo qubesctl top.enable sys-gui-vnc
sudo qubesctl --targets=tpl-sys-gui,sys-gui-vnc state.apply
sudo qubesctl top.disable sys-gui-vnc
sudo qubesctl state.apply sys-gui-vnc.prefs
  • State:
sudo qubesctl top.enable qvm.sys-gui pillar=True
sudo qubesctl state.apply sys-gui-vnc.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui-vnc.install
sudo qubesctl --skip-dom0 --targets=sys-gui-vnc state.apply sys-gui-vnc.configure
sudo qubesctl state.apply sys-gui-vnc.prefs

Shutdown all your running qubes as the global property default_guivm has changed to sys-gui-vnc.

Access control

Default policy: any qube is denied to connected to any other qube.

Allow qube sys-remote to connect sys-gui-vnc on port 5900:

qubes.ConnectTCP +5900 sys-remote @default allow target=sys-gui-vnc
qubes.ConnectTCP *     sys-remote @anyvm   deny

Usage

Qubes that have their guivm preference set to sys-gui-vnc, will use it as the GUI domain.

It unnecessary to have a netvm set for the VNC client qube for testing, but it is necessary to make the VNC server accessible from remote computers. If you plan to expose sys-gui-vnc to the network, it must have another authenticated transport such as a VPN or VNC over SSH.

From a trusted qube that has a VNC client installed, such as remmina, bind the port 6000 to the port 5900 listening on sys-gui-vnc:

qvm-connnect-tcp 6000::5900

On the VNC client application, set connection protocol to VNC and host to 127.0.0.1:6000.

The login credentials are the same used in dom0, the first user in the qubes group and the corresponding password.

Uninstallation

Set Global preference default_guivm to dom0 and disable autostart of sys-gui-vnc:

sudo qubesctl state.apply sys-gui-vnc.cancel

You must also revert exposing the VNC server to other qubes and remote hosts:

  • Delete or deny calls to Qrexec policy rules allowing qubes to connect with qubes.ConnectTCP to sys-gui-vnc; and
  • Close firewall ports and disable services that expose the VNC client qube to external hosts.