LoserNakahara, all about Linux, Qubes OS and Touhou.
The idea: I have sys-opensnitch, which acts as the main GUI server. The nodes are the personal and gatherbox qubes; they run opensnitchd as a service without the GUI. sys-opensnitch runs the GUI server, which can configure every node connected to it.
Step 1: Install the debian-12-xfce templateVM in Qubes Template Manager if you don't have it (I prefer Debian).
Step 2: Start and update the debian-12-xfce templateVM in Qube Manager.
Step 3: Start the debian-12-xfce templateVM and install these packages with apt-get via Xfce Terminal:
opensnitch
python3-opensnitch-ui
Step 4: After installing the two packages, run the commands below to stop opensnitchd and keep it disabled by default (the daemon is started per-qube from rc.local later, not from the template):
sudo systemctl stop opensnitch
sudo systemctl disable opensnitch
Step 5: Shut down the templateVM, then go to Qube Manager > Create a new qube:
Basic Tab
Name and Label: sys-opensnitch
Color: any you want (I choose orange)
Type: AppVM
Template: debian-12-xfce
Networking: sys-firewall
Launch settings after creation: Checked
Advanced Tab
Provides network access to other qubes: checked
Leave the other settings on the Advanced tab at their defaults, then press OK.
Step 6: Wait until the settings window appears, then apply the configuration below:
Basic Tab
Private storage max size: 2.0 GB
Advanced Tab
Initial memory: 600 MB
VCPUs: 2
Include in memory balancing: Unchecked
Applications Tab
Add these applications to the right side:
OpenSnitch
Xfce Terminal
Click Apply and OK to close the settings window.
Step 7: Start sys-opensnitch and launch Xfce Terminal.
Step 8: Open /rw/config/rc.local as root, add the line below (it lets the GUI server accept node connections on port 50051), then save:
nft add rule qubes custom-input tcp dport "50051" accept
Step 9: Make the OpenSnitch GUI launch on startup by symlinking its .desktop file into /home/user/.config/autostart with the commands below:
mkdir -p /home/user/.config/autostart
ln -s /usr/share/applications/opensnitch_ui.desktop /home/user/.config/autostart/opensnitch_ui.desktop
Step 10: Note the IP address of the sys-opensnitch qube; it will be used in rc.local and in the opensnitchd config file.
Step 11: Shut down sys-opensnitch.
Step 12: Start your personal qube, or any qube you want to connect to OpenSnitch.
Step 13: Launch Xfce Terminal, open /rw/config/rc.local as root, add the lines below, then save:
systemctl start opensnitch
OS_PORT=50051
OS_DESTINATION=REPLACE THIS WITH SYS-OPENSNITCH QUBE IP
if ! nft -nn list table ip qubes | grep "chain nat {" ; then
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
fi
nft add rule qubes custom-input tcp dport "${OS_PORT}" accept
nft add rule qubes custom-forward tcp dport "${OS_PORT}" accept
nft add rule qubes nat iifname != "vif*" tcp dport "${OS_PORT}" dnat "${OS_DESTINATION}"
Step 14: Bind-dir /etc/opensnitchd/rules so the saved rules survive reboots, using the commands below:
sudo mkdir -p /rw/config/qubes-bind-dirs.d/
sudo touch /rw/config/qubes-bind-dirs.d/50_user.conf
# "sudo echo ... > file" would run the redirect as the unprivileged user and fail on the root-owned directory, so write the file through tee instead
echo "binds+=( '/etc/opensnitchd/rules' )" | sudo tee /rw/config/qubes-bind-dirs.d/50_user.conf
sudo mkdir -p /rw/bind-dirs/etc/opensnitchd/rules
Step 15: Shut down your personal qube.
Step 16: Change the netVM of your personal qube to sys-opensnitch.
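Steps 13 and 14 are easy to get half-done (a placeholder IP left in rc.local, or duplicate nft rules stacked up after re-running). The script below is an added example, not part of the original post: it writes the same rc.local block and bind-dirs entry in one idempotent pass and refuses to run until the sys-opensnitch IP is a real address. configure_node and valid_ipv4 are names I chose, and 10.137.0.20 is a constructed sample address.

```shell
#!/bin/sh
# Added example, not part of the original post: writes the node-side
# rc.local block from Step 13 and the bind-dirs entry from Step 14 in one
# idempotent pass, and refuses to run while the sys-opensnitch IP is still
# the placeholder. Run as root inside the node qube:
#   configure_node "" 10.137.0.20 50051
# $1 is a root prefix ("" for the live filesystem, a temp dir for dry runs);
# 10.137.0.20 is a constructed sample address.

# Accept only a dotted quad with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

configure_node() {
    root=$1; gui_ip=$2; port=${3:-50051}
    valid_ipv4 "$gui_ip" || {
        echo "'$gui_ip' is not a valid sys-opensnitch IPv4 address" >&2; return 1; }
    rc="$root/rw/config/rc.local"
    bind_conf="$root/rw/config/qubes-bind-dirs.d/50_user.conf"
    mkdir -p "$root/rw/config/qubes-bind-dirs.d" "$root/rw/bind-dirs/etc/opensnitchd/rules"
    [ -f "$rc" ] || printf '#!/bin/sh\n' > "$rc"
    # Append the block only once, so re-running does not stack duplicate rules.
    if grep -q '^OS_DESTINATION=' "$rc"; then
        echo "rc.local already carries the OpenSnitch block, leaving it alone" >&2
    else
        cat >> "$rc" <<EOF
systemctl start opensnitch
OS_PORT=$port
OS_DESTINATION=$gui_ip
if ! nft -nn list table ip qubes | grep "chain nat {" ; then
    nft add chain qubes nat { type nat hook prerouting priority dstnat\\; }
fi
nft add rule qubes custom-input tcp dport "\${OS_PORT}" accept
nft add rule qubes custom-forward tcp dport "\${OS_PORT}" accept
nft add rule qubes nat iifname != "vif*" tcp dport "\${OS_PORT}" dnat "\${OS_DESTINATION}"
EOF
    fi
    chmod 755 "$rc"
    # Written by the script itself, so there is no root-vs-user redirect problem
    # as with "sudo echo ... > file"; the path stays single-quoted as bind-dirs expects.
    grep -qs "/etc/opensnitchd/rules" "$bind_conf" ||
        echo "binds+=( '/etc/opensnitchd/rules' )" >> "$bind_conf"
}
```

Point the first argument at an empty temp directory to preview the generated files before touching /rw.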
Step 17: Start the debian-12-xfce templateVM again.
Step 18: Launch Xfce Terminal, open /usr/share/applications/opensnitch_ui.desktop as root, change the Exec line to the one below (so the GUI listens on port 50051 for the nodes), then save:
Exec=/bin/sh -c 'pkill -15 opensnitch-ui; opensnitch-ui --socket "[::]:50051"'
Step 19: Open /etc/opensnitchd/default-config.json as root, use the configuration below, then save:
{
    "Server":
    {
        "Address":"REPLACE WITH SYS-OPENSNITCH QUBE IP:50051",
        "LogFile":"/var/log/opensnitchd.log"
    },
    "DefaultAction": "deny",
    "DefaultDuration": "once",
    "InterceptUnknown": false,
    "ProcMonitorMethod": "proc",
    "LogLevel": 2,
    "Firewall": "nftables"
}
Step 20: Shut down the debian-12-xfce templateVM.
Step 21: To add a new node (qube) to the OpenSnitch GUI server, repeat steps 12 to 16 for that qube.
That's all.