2.7 KiB
sys-gui
VNC GUI domain in Qubes OS.
Table of Contents
Description
Setup a VNC GUI domain named "sys-gui-vnc". The qube spawns a VNC server and you can connect from other qubes to it. It is primarily intended for remote administration.
Installation
WARNING: unfinished formula.
- Top:
sudo qubesctl top.enable qvm.sys-gui pillar=True
sudo qubesctl top.enable sys-gui-vnc
sudo qubesctl --targets=tpl-sys-gui,sys-gui-vnc state.apply
sudo qubesctl top.disable sys-gui-vnc
sudo qubesctl state.apply sys-gui-vnc.prefs
- State:
sudo qubesctl top.enable qvm.sys-gui pillar=True
sudo qubesctl state.apply sys-gui-vnc.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui-vnc.install
sudo qubesctl --skip-dom0 --targets=sys-gui-vnc state.apply sys-gui-vnc.configure
sudo qubesctl state.apply sys-gui-vnc.prefs
Shutdown all your running qubes as the global property default_guivm
has
changed to sys-gui-vnc
.
Access control
Default policy: any qube
is denied
to connected to any other qube.
Allow qube sys-remote
to connect sys-gui-vnc
on port 5900
:
qubes.ConnectTCP +5900 sys-remote @default allow target=sys-gui-vnc
qubes.ConnectTCP * sys-remote @anyvm deny
Usage
Qubes that have their guivm
preference set to sys-gui-vnc
, will use it as
the GUI domain.
It unnecessary to have a netvm
set for the VNC client qube for testing, but
it is necessary to make the VNC server accessible from remote computers. If
you plan to expose sys-gui-vnc
to the network, it must have another
authenticated transport such as a VPN
or VNC over SSH
.
From a trusted qube that has a VNC client installed, such as
remmina, bind the port 6000
to the port 5900
listening on sys-gui-vnc
:
qvm-connnect-tcp 6000::5900
On the VNC client application, set connection protocol to VNC
and host to
127.0.0.1:6000
.
The login credentials are the same used in dom0
, the first user in the
qubes
group and the corresponding password.
Uninstallation
Set Global preference default_guivm
to dom0
and disable autostart
of
sys-gui-vnc
:
sudo qubesctl state.apply sys-gui-vnc.cancel
You must also revert exposing the VNC server to other qubes and remote hosts:
- Delete or deny calls to Qrexec policy rules allowing qubes to connect with
qubes.ConnectTCP
tosys-gui-vnc
; and - Close firewall ports and disable services that expose the VNC client qube to external hosts.