How to navigate qubes OS and segment your internet uses

Some glossary

For Qubes OS there are something you need to know, otherwise you will be really confused when using the OS

0.Xen: Everything that Qubes OS built on this, a type 2 hyervisor

1.qube: That is basically a vm, each qube is intended to do a single task for isolation. But it is not quite like the common vm you used to see on vmware or virtualbox

2.dom0: This is the admin vm, it is still a vm, but it is very special vm with all the tools to control the entire machine. It never connects to the network and no files from other qubes should touch it, once it gets compromised you are done

3.Template VM: Template VM is like the concept of "class" in programming language, you will install all the applications you like in template vm, and appvm will simply share the root partition with the template vm, so appvm only needs to keep its own /home directory, this greatly saves disk space and time you spent on software update.

Template VM do not connect to network by default for safety, since if they are compromised all the app vm spawned by them are also done. Updates are conducted through a special proxy so attack surface is minimized

4.App VM: Lightweight VM spawned from template VM, any changes done to root partition will not persist across boot, it is meant to only use software installed from template VM and save your work in /home

5.PVH: a para virtualization mode, which means some costly actions are not performed in the vm, instead they are done in the host through a special interface to make vm runs faster

Most qubes will run under PVH mode

6.HVM: Full virtualization, no host assistance. Only used in situation where PCI passthrough is required, or you installed your own special qube like windows

7.Disposable VM: This is a special App VM, it is spawned from a disposable VM template every time when needed, but is destroyed immediately after the task without anything being saved. Ideal for performing some known dangerous activities

8.PCI passthrough: By default qubes OS qube do not touch any peripheral devices for example usb or network card, if you want some qube to do something with the hardware, you need to do a PCI passthrough. For example if you want to setup a network qube you need to pass through the network adapter

9.Standalone qube: These are the qubes that do not depend on template vm, you either copied it from a template or installed it yourself

This is all the basic concepts you need to know, now we start our exploration

Network blueprint

Qubes already comes with many default qubes, you can find them inside the qubes manager

On the desktop, right click and choose "Open terminal here", you will get a terminal in dom0

Input "qubes-qube-manager", and click enter you will get the qubes manager

Now we are going to explain these default qubes

0.Template qubes

Qubes with the name "debian-12-xfce", "fedora-40-xfce", "whonix*" are template vms, you can install software in these template qubes, and use them in the app qubes

1.sys-usb

A qube that did not connect to network, and is responsible for providing usb service only, if you have usb keyboard or mouse it might also proxy the input for you. In some circumstances when you have an usb wifi dongle it also becomes the factual network qube

This is installed by default and is a disposable vm

1.sys-net

This is where everything starts, you need to passthrough your Ethernet adapter(wired or wireless) to a qube, and that qube will be used to as a first part in the network chain

Since it is directly in contact with network adapter and the routers, it should be considered as untrusted because it is exposed to a lot of uncertain stuff

It is installed by default and only intended to be used as a basic router and nothing else

2.sys-firewall

The qube that separate the rest of your network chain from the sys-net for better security, and it is also the qube that enforces firewall rules if you have vpn qube directly behind it.

If you have any public identity it is best to directly connect it to sys-firewall, for example online banking

Each qube can select its own network qube, if none is selected it will not have internet at all. sys-firewall here set sys-net as its network qube

And any qube provides network service need to enable provides network in advanced tab below "Run in debug mode"

Any qube directly connect to sys-firewall will have your home isp ip address, best suited for public activity, for example online banking

3.vpn qube

A qube setup with vpn profile, redirect all the traffic to your designated vpn server. Ideal for providing a pseudonymous identity. If applied with firewall rules it can be guaranteed leakproof

Qubes OS works fine with wireguard and openvpn cli programs, but for vpn vendor's own gui there might be problems, sometimes those apps break the dns setup in qubes

Mullvad has a very detailed tutorial on how to setup a vpn qube https://mullvad.net/en/help/wireguard-on-qubes-os. However, iptables mentioned in it is already deprecated by Qubes, but it still works without DNS hijack config.

If you have any pseudonymous activities it is best to connect behind vpn qube, for example torrenting

4.whonix qubes

Whonix is the best part of qubes, it makes tor very easy to use. Whonix qubes consists of two parts, first is whonix gateway, which onionize all the network traffic behind it. Whonix workstation is a workstation specifically tuned for anonymity, and is usually disposable for increased security

You can also hook up other non workstation qubes behind whonix gateway in rare circumstances, for example a windows qube, but you should be careful and should have a specialized gateway qube only for this.

This is the ideal place for all the high risk activities like all the darknet stuff

You might choose to whether or not to put whonix gateway behind a vpn

Setup the vm according to network blueprint

Now we are about to setup the qubes according to the previous network blueprint, we are about to setup a banking vm, torrent vm, and darknet vm

And they fit in different places of our network identity threat model obviously

Public Use: Banking VM

In a public use setup, you can run closed source software, or access service that is directly tied to your real life identity.

Let's go back to our qubes manager, click "New qube" in the top left corner

First name it as "banking", and we assign it with Yellow tag, since it is for banking identities, so yellow is a medium trust score for me. Color tag is a very important feature of qubes, every qube has its own color tag for avoiding you accidentally type something sensitive in a insecure vm. Dom0 always has the special White tag

For Type and Template I just leave it as AppVM and fedora-40-xfce, since this is exactly what I want

For networking, I choose "sys-firewall", since I want my bank to see my home ip address instead of my vpn ip and get my account banned

Now click ok and the qube will be created, you can find your qube app menu on the top left Q icon, then we can open firefox and start banking

Private use: Torrent VM

In a private use setup, you should only use FOSS software, and use a vpn service for hiding your home ip

First we start a template vm, for example debian in this case, and install transmission

After installation enter "sudo poweroff" to shut down the qube, make sure it is shutdown, since your changes in template qube only get reflected when it is shutdown at least once!

Next go back to qubes manager, and create a new qube called torrent, I assume you already set up a vpn qube according to the mullvad tutorial mentioned above

First give it a name called "torrent", and I personally think this qube has a medium trust score, so it is given a yellow tag.

We still leave it as appvm, and choose template as debian, since this is the template we just installed transmission

Most importantly set the networking to vpn qube you just setup, if you do not want DMCA notice get sent to your home. Then click ok, and the qube will be created

For accessing transmission app easily, we will add the transmission app into our "Q" menu which is in the top left corner

Right click the torrent qube in the manager, choose "settings", and choose "application"

Find "Transmission" on the left, click it, and click the ">" icon in the middle, then click ok. Now transmission will be visible in the app menu

Now happy torrenting

Anonymous use: Darknet VM

Same as private setup, but you should use tor instead of vpn

Here we use whonix workstation to access dread for exploring the darknet

If you follow the default setting during the installation config, you should have disposable whonix workstation installed by default, which means we do not need to create anything

Try to find something named "whonix-workstation-17-dvm" in the qubes Q menu, click "Tor Browser(AnonDist)", and you will get a disposable vm running tor browser. This is great since anything happen inside this vm get destroyed after you shut down the browser

If you see something as disp on the vm windows title, then you are on a disposable vm, congrats!

Tips

There are some tricky problems about qube, like how to copy and paste text between qubes, and how to transfer files, or how to use usb.

For copy text, there is a master pasteboard in dom0, once you copy some text normally inside a qube, click shift+ctrl+c, then the text get transferred to the master pasteboard, and go to the vm you want to paste, click shift+ctrl+v, then the text is inside the clipboard of your destination vm