qubes Guide to installing Qbuntu (Ubuntu 16.04 - Xenial) TemplateVM in Qubes 4.0.2-rc1

[buzzkillb]

Guide to installing Qbuntu (Ubuntu 16.04 - Xenial) TemplateVM in Qubes 4.0.2-rc1
fedora-30 as of this writing, I did this on a fresh Qubes install on a Lenovo t450 i7, 8gb ram, 256gb samsung ssd ($280 - ebay)

https://www.qubes-os.org/

Some of the initial setup below doesn't work for me as of this writing.

• Import the Qubes master key

  gpg --import /usr/share/qubes/qubes-master-key.asc

   

• Verify its fingerprint, set as ‘trusted’. This is described here.
• Download the Qubes developers’ keys.

  wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc
  gpg --import qubes-developers-keys.asc

   

• Download the latest stable qubes-builder repository:

  git clone https://github.com/QubesOS/qubes-builder.git /home/user/qubes-builder/

   

• Verify the integrity of the downloaded repository. The last line should read gpg: Good signature from…

  cd /home/user/qubes-builder/
  git tag -v $(git describe)

   

• Install the remaining dependencies

  make install-deps

   

Run the ‘setup’ script located in ‘/home/user/qubes-builder/’ Make sure you are in directory ‘qubes-builder’

cd /home/user/qubes-builder/
./setup

Basic Idea (but does not work, don't even bother trying to decipher their ubuntu guide as its for someone who somehow knows how to do this already)
https://www.qubes-os.org/doc/building-archlinux-template/

Reddit Guide (copying some of the steps from this old guide with some edits to work on Qubes 4.0 as this was written for Qubes 3.2)

https://www.reddit.com/r/Qubes/comments/5vzg04/idiots_guide_to_installing_qbuntu_ubuntu_1604/

#gpg stuff from qubes themselves
reference: https://wiki.qubes.rocks/Security/VerifyingSignatures

Lets Begin

Clone your fedora-30 vanilla template into a temporary 'builder' we will use to create Ubuntu templates.
[[email protected] ~]$ qvm-clone fedora-30 ubuntu-builder
Edit the VM Settings for the newly created template 'ubuntu-builder' (via Qubes Manager GUI), enable 'Allow network access' & increase 'Private storage max size' to 30GB, then start a terminal in ubuntu-builder and initialize GPG
[[email protected] ~]$ gpg
Break out of "type your message..." with CTRL+C, import Qubes master key
[[email protected] ~]$ gpg --recv-keys 0x36879494
Set trust level for qubes master key
[[email protected] ~]$ gpg --edit-key 36879494
gpg> trust
>Your decision? 5
>Do you really want to set this key to ultimate trust? Y
gpg> quit
Now retrieve and import Qubes developer keys
[[email protected] ~]$ wget http://keys.qubes-os.org/keys/qubes-developers-keys.asc
[[email protected] ~]$ gpg --import qubes-developers-keys.asc

#install nano
[[email protected] ~]$ sudo dnf install nano

Install the packages we need to retrieve and run qubes-builder
[[email protected] ~]$ sudo dnf install git createrepo rpm-build rpm-sign make python-sh rpmdevtools rpm-sign dialog
Retrieve the qubes-builder from GIT repository
[[email protected] ~]$ git clone https://github.com/QubesOS/qubes-builder
[[email protected] ~]$ cd qubes-builder
Edit default config to enable debian_builder only in setup script (example used VI but you can use text editor of your choice, like nano installed above)
[[email protected] qubes-builder]$ vi example-configs/qubes-os-r4.0.conf
(to check our current version installed, go to Qube Manager -> About -> Qubes OS)
Change these lines to look like this

DIST_DOM0 ?= fc30
DISTS_VM ?=

hint: DOM0 distro being fc30 in this Qubes install, & remove "fc30 buster" from above
save and exit (shift-z-z if using vi)

Setup qubes-builder and compile the template

Run the qubes-builder setup script
[[email protected] qubes-builder]$ ./setup
Y to add whats missing
then yes to add missing keys
this failed on me the first time, I ctrl+c and reran ./setup again, did Y again, and it found the keys that were missing after selecting YES, had to even shutdown the qube and try again as it kept glitching out trying to retrieve keys
select 4.0

stable

dont select current or current-testing (wtf? is this madness)

yes (to only build the template)

select xenial+desktop with spacebar and push enter

select Builder-rpm builder-debian only, nothing else. (I was using the guide to test installing Bionic 18.04 for screenshots)

#now you are back at the command prompt and type these in, one by one. The last 2 will take some time so go to Denarius discord and chat with us while waiting. https://discord.gg/7zcwXJN

make install-deps
make get-sources
make qubes-vm
make template

We have our Ubuntu 16.04 template, now to install it!

Qubes-builder should have created an install script, let's make sure it exists:
[[email protected] qubes-builder]$ ls -altr qubes-src/linux-template-builder/rpm
You should see an 'install-template.sh' file there. Now switch back to your dom0 terminal, and install the template:
[[email protected] ~]$ qvm-run --pass-io ubuntu-builder 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh
Make the copied script executable and run it
[[email protected] ~]$ chmod +x install-templates.sh
[[email protected] ~]$ ./install-templates.sh

#make template (clone) just for denarius, why not
in dom0 terminal emulator

qvm-clone xenial-desktop denarius-crypto

goto qubes-settings for denarius-crypto qube and add your network (I used sys-whonix running tor), run terminal and start to compile the wallet
I am choosing color purple background to break out any crypto stuff so I know be careful
ignore any errors (pulse audio)

#compile denarius QT in template: denarius-crypto

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install -y git unzip build-essential libssl-dev libdb++-dev libboost-all-dev libqrencode-dev libminiupnpc-dev libevent-dev autogen automake  libtool libqt5gui5 libqt5core5a libqt5dbus5 qttools5-dev qttools5-dev-tools qt5-default
git clone https://github.com/carsenk/denarius
cd denarius
git checkout master
git pull
qmake "USE_QRCODE=1" "USE_UPNP=1" denarius-qt.pro
make -j2
sudo cp Denarius /usr/local/bin

#setup appvm with name
reference: https://www.qubes-os.org/doc/managing-appvm-shortcuts/

sudo nano /usr/share/applications/denarius.desktop

[Desktop Entry]
Version=3.3.9.2
Type=Application
Terminal=false
Icon=/home/user/denarius/src/qt/res/icons/denarius-256.png
Name=Denarius
GenericName=wallet
Comment=Denarius
Categories=crypto;cryptocurrency;
Exec=Denarius

in dom0 run qvm-sync-appmenus denarius-crypto
now you can add Denarius to your app selection list in the template

select denarius from your template: denarius-crypto and start syncing eet

 

[buzzkillb]

Create AppVM (This is where you run your app, store the blockchain and wallet.dat)

Go to Qube Manager -> Qube -> Create new qube

Name: Denarius-QT
Type: Qube based on a template (AppVM)
Template:  denarius-crypto
networking: default (sys-firewall) or sys-whonix
checkmark: launch settings after creation
Give this a color

After creation in settings, go to Applications and bring Denarius into this Qube so you can run the QT from here, I also gave this 6gb of private storage space as the blockchain is currently over 2gb.

Then I ran a new terminal from this Qube and recloned and compiled the QT again to run from here.

The idea is to keep breaking everything down to separate out right? Lets see how much more I can separate out the wallet and wallet.dat from the internet.

[buzzkillb]

Thought Process Area so I don't clog chat

I compile the denariusd wallet daemon into the denarius-crypto template. I then can run denariusd using sys-whonix and give this the network service tag AppVM. Then I run the QT and use that denarius service as the network and basically block everything except port 33369 and 9999 and in denarius.conf have connect=The denariusd Qube IP so the QT only see the daemon which has internet access.

[buzzkillb]

adding images where I think it matters

[buzzkillb]

To connect to tor nodes.

Look at the IP address of your sys-whonix in Qube Manager. Go into denarius.conf and put tor=10.137.0.x:9050 and now you might be connecting to any onion nodes. Replace that IP obviously with the correct one.

[buzzkillb]

How I added an Appimage wallet from another coin (VRSC)

 

[buzzkillb]

Setup VPN AppVM Specifically for PIA VPN.

Based on https://github.com/tasket/Qubes-vpn-support

#go into Debian 10 template and install openvpn
#open debian 10 terminal

sudo apt update
sudo apt install openvpn

#shutdown debian 10 template
reference: https://www.qubes-os.org/doc/software-update-vm/

#create new Qube AppVM
Name and Label: VPN
Type: Qubes Based on a template (AppVM)
Template: Debian 10
Networking: sys-net
checkmark: provides network
checkmark: launch settings after creation

Next, add vpn-handler-openvpn to the ProxyVM's Settings / Services tab by typing it into the top line and clicking the plus icon. Do not add other network services such as Network Manager.

open up a terminal in this AppVM

sudo mkdir -p /rw/config/vpn
cd /rw/config/vpn
sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo unzip openvpn.zip
sudo cp 'US West.ovpn' vpn-client.conf

cd ~
git clone https://github.com/tasket/Qubes-vpn-support
cd Qubes-vpn-support
#can either use the master branch or
(git checkout 1.4.3)
(git pull)
sudo bash ./install

Enter PIA username/password when prompted

this is saved to /rw/config/vpn/userpassword.txt

restart the AppVM and it should show the link is up in top right corner. Then connect an AppVM to this new VPN AppVM

[buzzkillb]

If you get this error

RAN: /usr/bin/gpg --keyserver pgp.mit.edu --recv-keys 0064428F455451B3EBE78A7F063938BA42CFA724
STDOUT:

Change the server in the setup file.

nano setup

GPG_KEY_SERVER = 'ha.pool.sks-keyservers.net '

[buzzkillb]

Install Denarius snap in an appVM

clone debian-10 to debian-10-crypto
go to debarian-10-crypto terminal
sudo apt update
sudo apt install snapd qubes-snapd-helper
sudo shutdown -h now

close the terminal and shutdown the qube
go to qube settings->applications
click refresh applications and Denarius will pop up, click apply and ok

Create AppVM (This is where you run your app, store the blockchain and wallet.dat)

Go to Qube Manager -> Qube -> Create new qube

Name: Denarius-QT
Type: Qube based on a template (AppVM)
Template:  debian-10-crypto
networking: default (sys-firewall) or sys-whonix
checkmark: launch settings after creation
Give this a color

After creation in settings, go to terminal and

sudo snap install denarius

then go to Applications and bring Denarius into this Qube so you can run the QT from here, I also gave this 10gb of private storage space as the blockchain is currently over 4gb.

If you want to run the daemon just go into the Denarius appVM and run denarius.daemon, otherwith the QT is now on the menu.

NOTE: If up sudo apt upgrade debian, the snap list of apps goes away, do the refresh applications and re-add Denarius again like above to debian-10-crypto and then Denarius appVM. Nothing gets lost, it just loses the easy click menu button.

NOTE2: If you use sys-whonix, its gonna take a long time to find peers and start syncing. Download chaindata.zip which has the peers.dat in there and the whole process is a lot faster.

[buzzkillb]

To use sudo https://www.qubes-os.org/doc/templates/minimal/

example in dom0

qvm-run -u root <vm-name> xterm

like

qvm-run -u root denarius-crypto xterm

 

[buzzkillb]

To make the user passwordless like typical, not sure when this changed. Use this https://www.reddit.com/r/Qubes/comments/e39r8l/ubuntu_1804_lts_template_password/

dom0 terminal (change xenial desktop and newpassword)

qvm-run -a --user root xenial-desktop "echo \"user:newpassword\"|chpasswd"

dom0 terminal

qvm-run -a --user root xenial-desktop "sudo usermod -a -G sudo user"

shutdown your xenial-desktop and now try

sudo apt update

 

[buzzkillb]

Setup VPN AppVM Specifically for Proton VPN.

Based on https://github.com/tasket/Qubes-vpn-support

#go into Debian 10 template and install openvpn
#open debian 10 terminal

sudo apt update
sudo apt install openvpn

#shutdown debian 10 template
reference: https://www.qubes-os.org/doc/software-update-vm/

#create new Qube AppVM

• Name and Label: VPN
• Type: Qubes Based on a template (AppVM)
• Template: Debian 10
• Networking: sys-net
• checkmark: provides network
• checkmark: launch settings after creation

Next, add vpn-handler-openvpn to the ProxyVM's Settings / Services tab by typing it into the top line and clicking the plus icon. Do not add other network services such as Network Manager.

We need the Proton VPN openvpn file, we can't wget the file like PIA

open up a Qube like personal to Download the openvpn file we will use for ProtonVPN
login to protonvpn and on the left side click Downloads
Select Platform GNU/Linux, UDP, Secure Core configs and a Country
click Download to get the file
Once that's done go to your Qube you used to download the file and send to the VPN qube, right click copy to other AppVM

open up a terminal in the VPN AppVM

sudo mkdir -p /rw/config/vpn
cd /rw/config/vpn

go to QubesIncoming folder and find the file you moved in and rename to vpn-client.conf and copy this into /rw/config/vpn (hint: use terminal), then

cd ~
git clone https://github.com/tasket/Qubes-vpn-support
cd Qubes-vpn-support
#can either use the master branch or
(git checkout 1.4.3)
(git pull)
sudo bash ./install

Enter ProtonVPN username/password when prompted

this is saved to /rw/config/vpn/userpassword.txt

restart the AppVM and it should show the link is up in top right corner. Then connect an AppVM to this new VPN AppVM. After connecting a Qube to the new protonvpn VPN AppVM, check ipleak.net using Firefox.