In this tutorial we will set up a Qubes OS environment for public, private and anonymous online identities, and learn how to use Qubes OS along the way.
If you are still not familiar with the identity model, please check this link first: Theories about building up your online identities
Sidenote: Help us improve this tutorial by letting us know if there's anything missing or incorrect, directly in this git issue!
There are a few things you need to know about Qubes OS first, otherwise you will be really confused when using it.
0. Xen: the hypervisor everything in Qubes OS is built on. It is a type 1 (bare-metal) hypervisor, not a type 2 hypervisor that runs on top of another operating system.
1. qube: basically a VM. Each qube is intended to do a single task, so that tasks are isolated from each other. It is not quite like the VMs you are used to seeing in VMware or VirtualBox.
2. dom0: the admin VM. It is still a VM, but a very special one, with all the tools to control the entire machine. It never connects to the network, and no files from other qubes should touch it; once it gets compromised you are done.
3. Template VM: a template VM is like the concept of a "class" in a programming language. You install all the applications you like in the template VM, and the app VMs based on it share its root partition, so an app VM only needs to keep its own /home. This greatly saves disk space and the time you spend on software updates.
Template VMs are not connected to the network by default, for safety: if a template is compromised, every app VM spawned from it is also done. Updates are fetched through a special update proxy (over Qubes' qrexec channel, not a normal network connection), so the attack surface is minimized.
4. App VM: a lightweight VM spawned from a template VM. Any change to its root partition does not persist across reboots; only /home and /usr/local (the qube's private volume) are kept. It is meant to run only the software installed in the template VM and to save your work in /home.
5. PVH: the virtualization mode most qubes run under. CPU and memory are virtualized by the hardware (VT-x/AMD-V), while disk and network I/O go through paravirtualized drivers to backends in other qubes, and there is no emulated device model (no QEMU) at all. That makes the VM faster and leaves much less to attack than a fully emulated machine.
6. HVM: full virtualization with an emulated hardware model (QEMU, running in a separate stub domain). Only used where PCI passthrough is required, or for guests that cannot run under PVH, such as your own Windows qube.
7. Disposable VM: a special kind of app VM. It is spawned from a disposable template every time it is needed and destroyed as soon as the task is done, with nothing saved. Ideal for known dangerous activities.
8. PCI passthrough: by default a qube does not touch any peripheral device, for example a USB controller or a network card. If you want a qube to work with a piece of hardware, you need to pass the PCI device through to it. For example, to set up a network qube you need to pass through the network adapter.
9. Standalone qube: a qube that does not depend on a template VM; you either cloned it from a template or installed it yourself.
Those are all the basic concepts you need to know; now we start our exploration.
Qubes already comes with many default qubes; you can find them in the Qube Manager.
On the desktop, right click and choose "Open terminal here"; you will get a terminal in dom0.
Type "qubes-qube-manager" and press Enter, and you will get the Qube Manager.
Now we are going to explain these default qubes.
0. Template qubes
Qubes named "debian-12-xfce", "fedora-40-xfce" and "whonix-*" are template VMs. You install software in these template qubes and use it from the app qubes based on them.
1. sys-usb
A qube that is not connected to the network and is only responsible for providing USB service; the USB controllers are passed through to it. If you have a USB keyboard or mouse it also proxies that input for you. If your only network adapter is a USB Wi-Fi dongle, sys-usb effectively becomes the network qube as well.
It is installed by default and is a disposable VM.
2. sys-net
This is where everything starts: you pass your Ethernet adapter (wired or wireless) through to this qube, and it becomes the first hop of the network chain.
Since it is in direct contact with the network adapter and the router, it must be treated as untrusted; it is exposed to a lot of uncertain stuff (device drivers and firmware, and whatever else is on the LAN).
It is installed by default and only intended to be used as a basic router and nothing else.
3. sys-firewall
The qube that separates the rest of your network chain from sys-net for better security. It is also the qube that enforces the firewall rules of the qubes directly behind it, for example a VPN qube (a qube's firewall rules are always enforced by its upstream network qube, never by the qube itself).
Each qube selects its own network qube; if none is selected it has no internet at all. sys-firewall has sys-net as its network qube.
Any qube that provides network service to others needs "Provides network" enabled in the Advanced tab of its settings, just below "Run in debug mode".
Any qube connected directly to sys-firewall goes out with your home ISP's IP address, so it is best suited to public identities, for example online banking.
4. VPN qube
A qube set up with a VPN profile; it redirects all the traffic of the qubes behind it to your chosen VPN server. Ideal for providing a pseudonymous identity. With firewall rules that only allow traffic to the VPN endpoint, it can be made leak-proof.
Qubes OS works fine with the WireGuard and OpenVPN command-line programs, but VPN vendors' own GUI apps may cause problems; they sometimes break the DNS setup in Qubes.
Mullvad has a very detailed tutorial on how to set up a VPN qube: https://mullvad.net/en/help/wireguard-on-qubes-os. The iptables commands it mentions are deprecated in Qubes (4.2 moved to nftables), but the setup still works if you leave out the DNS hijack part.
If you have any pseudonymous activities, connect them behind the VPN qube, for example torrenting.
5. Whonix qubes
Whonix is the best part of Qubes; it makes Tor very easy to use. Whonix consists of two parts: the Whonix Gateway (sys-whonix), which routes all traffic of the qubes behind it through Tor, and the Whonix Workstation, which is specifically tuned for anonymity and is usually run as a disposable for extra security.
You can also hook up non-Workstation qubes behind a Whonix Gateway in rare circumstances, for example a Windows qube, but be careful and use a separate gateway qube dedicated to that.
This is the ideal place for all high-risk activities, like anything on the darknet.
You may choose whether or not to put the Whonix Gateway behind the VPN qube.
Now we set up the qubes according to the network blueprint above: a banking VM, a torrent VM and a darknet VM.
Each of them obviously fits a different place in our network identity threat model.
Public use: Banking VM
In a public-use setup you can run closed-source software and access services that are directly tied to your real-life identity.
Let's go back to the Qube Manager and click "New qube" in the top left corner.
First name it "banking" and give it the yellow label, since it is for a banking identity and yellow is a medium trust level for me. The color label is a very important feature of Qubes: every qube has one, and it is drawn on the qube's window borders, so you don't accidentally type something sensitive into an insecure VM. Dom0 always has the special white label.
For Type and Template I just leave AppVM and fedora-40-xfce, since this is exactly what I want.
For networking I choose "sys-firewall", since I want my bank to see my home IP address rather than a VPN IP that could get my account banned.
Now click OK and the qube is created. You can find its app menu under the Q icon in the top left; open Firefox and start banking.
Private use: Torrent VM
In a private-use setup you should only use FOSS software, and use a VPN service to hide your home IP.
First start a template VM, Debian in this case, and install Transmission in it.
After installation type "sudo poweroff" to shut the template down, and make sure it is actually shut down: changes in a template only reach its app qubes after the template has been shut down at least once, and app qubes that are already running must be restarted to see them!
Next go back to the Qube Manager and create a new qube. I assume you already set up a VPN qube following the Mullvad tutorial mentioned above.
Name it "torrent"; I personally consider this qube medium trust, so it also gets the yellow label.
We still leave the type as AppVM, and choose the Debian template, since that is the template we just installed Transmission in.
Most importantly, set networking to the VPN qube you just set up, unless you want DMCA notices sent to your home. Then click OK, and the qube is created.
To launch Transmission easily, we add it to the "Q" menu in the top left corner.
Right click the torrent qube in the manager, choose "Settings", then the "Applications" tab.
Find "Transmission" in the list on the left, click it, click the ">" button in the middle, then click OK. Transmission is now visible in the app menu.
Now happy torrenting.
Anonymous use: Darknet VM
Same as the private setup, but you should use Tor instead of a VPN.
Here we use the Whonix Workstation to access Dread and explore the darknet.
If you kept the default settings during installation, the disposable Whonix Workstation is already installed, which means there is nothing to create.
Look for something named "whonix-workstation-17-dvm" in the Q menu and click "Tor Browser (AnonDist)"; you get a disposable VM running Tor Browser. This is great, since anything that happens inside this VM is destroyed when you close the browser.
If the window title starts with "disp", you are in a disposable VM, congrats!
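The three setups above, plus the network-chain rules from the sys-firewall, VPN and Whonix sections, as dom0 commands. This is an added example, not part of the original tutorial and not code shipped by Qubes. It assumes the template names fedora-40-xfce and debian-12-xfce, that the VPN qube from the Mullvad guide was named "vpn", and that Whonix was installed with its default sys-whonix and whonix-workstation-17-dvm; the helper identity_for_chain is a hypothetical mapping onto this tutorial's three identity classes. Run it from a dom0 terminal; outside dom0, or with DRY_RUN=1, it only prints the commands it would run so you can review the plan first.

```shell
#!/bin/sh
# Added example for this tutorial, not code from the original page or from
# the Qubes project. Run in a dom0 terminal. Assumed names: templates
# fedora-40-xfce / debian-12-xfce, an existing VPN qube called "vpn",
# and Whonix's default sys-whonix and whonix-workstation-17-dvm.
set -eu

# Every qvm-* call goes through run(). With DRY_RUN=1, or when the qvm
# tools are absent (you are not in dom0), the command is printed instead
# of executed, so the plan can be reviewed before dom0 is touched.
run() {
  if [ "${DRY_RUN:-0}" = 1 ] || ! command -v qvm-prefs >/dev/null 2>&1; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_app_qube NAME TEMPLATE LABEL NETVM
# LABEL is the colour tag; NETVM is the next hop in the network chain.
create_app_qube() {
  run qvm-create --class AppVM --template "$2" --label "$3" "$1"
  run qvm-prefs "$1" netvm "$4"
}

# install_in_template TEMPLATE PKG...
# apt goes through the updates proxy (templates have no netvm). The change
# only reaches app qubes once the template has shut down, hence --wait,
# and app qubes that are already running must be restarted to see it.
install_in_template() {
  tpl="$1"; shift
  run qvm-run -p -u root "$tpl" "apt-get update && apt-get install -y $*"
  run qvm-shutdown --wait "$tpl"
}

# netvm_chain QUBE -> "qube > netvm > ... > sys-net" (dom0 only):
# follows the netvm property hop by hop until a qube with none is reached.
netvm_chain() {
  q="$1"; chain="$1"
  while next=$(qvm-prefs "$q" netvm 2>/dev/null) && [ -n "$next" ] && [ "$next" != "None" ]; do
    chain="$chain > $next"; q="$next"
  done
  printf '%s\n' "$chain"
}

# identity_for_chain CHAIN -> the identity class of this tutorial that the
# egress path gives you. Hypothetical helper. sys-whonix wins over vpn
# because a gateway placed behind a VPN still exits through Tor.
identity_for_chain() {
  case " $1 " in
    *" sys-whonix "*) echo anonymous ;;
    *" vpn "*)        echo pseudonymous ;;
    *" sys-net "*)    echo public ;;
    *)                echo none ;;
  esac
}

main() {
  install_in_template debian-12-xfce transmission-gtk
  create_app_qube banking fedora-40-xfce yellow sys-firewall
  create_app_qube torrent debian-12-xfce yellow vpn
  # Darknet: nothing to create; the disposable whonix-workstation-17-dvm
  # already sits behind sys-whonix. Verify all three egress paths.
  if [ "${DRY_RUN:-0}" != 1 ] && command -v qvm-prefs >/dev/null 2>&1; then
    for pair in banking:public torrent:pseudonymous \
                whonix-workstation-17-dvm:anonymous; do
      q=${pair%%:*}; want=${pair##*:}
      chain=$(netvm_chain "$q"); got=$(identity_for_chain "$chain")
      printf '%-26s %-12s %s\n' "$q" "$got" "$chain"
      [ "$got" = "$want" ] || { echo "!! $q exits as $got, expected $want" >&2; exit 1; }
    done
  fi
}
main "$@"
```

The check at the end is the part worth keeping around: whenever you change a qube's netvm, rerun netvm_chain on it and make sure the class it lands in is the one you intended, because a single wrong netvm setting silently turns a pseudonymous qube into a public one. The VPN qube's own kill-switch firewall rules are whatever the Mullvad guide set up; this script only wires qubes behind it.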
There are a few tricky things about qubes: how to copy and paste text between them, how to transfer files, and how to use USB.
For text there is a global clipboard in dom0. Copy some text normally inside a qube, then press Ctrl+Shift+C: the text is moved to the global clipboard. Go to the qube you want to paste into and press Ctrl+Shift+V, and the text lands in that qube's own clipboard.
For example, you first copy some text inside a VM, then press Ctrl+Shift+C.
You will see a notification about the Global Clipboard.
Go to your destination VM and press Ctrl+Shift+V; you will see a notification saying the Global Clipboard was wiped. It is cleared after a single paste on purpose, so a secret cannot be pasted into a second qube by accident.
Then just paste as normal.
To copy a file between VMs you use the qvm-copy command inside the source VM.
First we create a test file called "new_file".
Then we run the "qvm-copy" command and choose the "banking" VM in the dom0 prompt:
qvm-copy new_file
Then you can see new_file in the banking VM.
Files from other VMs all end up under ~/QubesIncoming/<source qube>/ in the destination. qvm-move works the same way but deletes the original.
Everything else is in the official documentation; no need to reinvent the wheel.
Shatter the big brother.
Creative Commons Zero: No Rights Reserved
Donate XMR: 87iB34vdFvNULrAjyfVAZ7jMXc8vbq9tLGMLjo6WC8N9Xo2JFaa8Vkp6dwXBt8rK12Xpz5z1rTa9jSfgyRbNNjswHKTzFVh
Contact: prismbreaker@waifu.club (PGP)