Update vpn.md doc

[tasket]

Qubes OS version:

R3.2 R4.0

General notes:

A simple checklist for updating the VPN configuration doc with necessary changes:

• [x] R4.0 compatibility. If tunnel support* is added to R4.0 this can be a small separate section.
• [x] R3.2 scripts: change startup to use systemd-run
• [x] R3.2 override openvpn group option
• [x] R3.2 override openvpn script options to eliminate unnecessary step (4)
• [ ] Apply user input for readability
• [x] Some level of anti-leak protection for Network Manager section
• [ ] Inclusion of qubes-tunnel code, issue #3503

---

Related issues:

ship Qubes VPN scripts by default #3503

[tasket]

Started work... https://github.com/tasket/qubes-doc/tree/tasket03

[tasket]

@adrelanos

[tasket]

Posted a 'tunnel' branch for a draft that assumes #3503 is included in both 3.2 and 4.0. It needs a bit of formatting and notes-tweaking, but should be 100% functional now:

https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md

There is still the other draft (also works) that contains revised cut-and-paste scripts.

[awokd]

@tasket Can we say the bulk of this work is done, apart from ongoing fine-tuning? Would like to check it off the list of 4.0 docs.

[tasket]

@awokd I think its >98pct done. Its in a testing phase now.

I submitted a doc PR adding only a notice pointing to tasket/qubes-tunnel project, but there's a question how/if such a notice will be added: https://github.com/QubesOS/qubes-doc/pull/637

[erikw]

Hey,

please take a look at an issue about the VPN docs I just posted @ https://github.com/QubesOS/qubes-issues/issues/3888

[awokd]

Bumping- what's needed to wrap up, a decision on whether this will be included as "official" Qubes code? I could just delete it from my list of 4.0 documents needing updates so I can close, but that would be cheating!

[tasket]

@awokd I'm not 100% sure. Its dependent on completing issue #3503, and we've had users testing the code per @adrelanos request. As far as I can tell, it needs review from Patrick or other Qubes dev before it can be added to Qubes. Once that's done, the new instructions will be usable.

[andrewdavidwong]

If this is going to be a package contribution, then this is the procedure:

https://www.qubes-os.org/doc/package-contributions/#contribution-procedure

[tasket]

@andrewdavidwong I think I've met most (all?) of the criteria, although issue 3503 isn't titled with '[Contribution]' which I cannot change myself. Alternative would be to create another issue to satisfy the subject requirement, but that seems excessive to have 3 issues to update the VPN procedures. Otherwise I've created the github repo and the commits are signed.

FWIW, although the docs mention "package" from time to time, they don't state a requirement to supply rpm/deb packages, for example. If that's what's needed then the documentation should be clarified. Even without Qubes factored-in, package building can be rather confusing... most guides for Debian assume you wish to start with an existing tar.gz C/C++ source "package" and transform it, and there is scant documentation hinting at what a tar "package" even consists of. I've been able to create a working Makefile (a bit absurd for .service and sh files) only to discover that dh_make and debuild ignore it.

Also, what bits of workflow can be gleaned from the "workflow" document appear to be for modifying existing Qubes repositories where QubesOS/* is upstream and the rest appear to be a collection of tips about modifying Linux kernels.

[andrewdavidwong]

although issue 3503 isn't titled with '[Contribution]' which I cannot change myself

I skimmed #3503, and it looked like the relevant package name was qubes-tunnel, so I changed the title of #3503 to [Contribution] qubes-tunnel. But then I skimmed it some more, and it looked like Qubes-vpn-support was actually the main package for that issue, so I renamed it to [Contribution] Qubes-vpn-support. Still not sure which one you intended.

FWIW, although the docs mention "package" from time to time, they don't state a requirement to supply rpm/deb packages, for example. If that's what's needed then the documentation should be clarified. Even without Qubes factored-in, package building can be rather confusing... most guides for Debian assume you wish to start with an existing tar.gz C/C++ source "package" and transform it, and there is scant documentation hinting at what a tar "package" even consists of. I've been able to create a working Makefile (a bit absurd for .service and sh files) only to discover that dh_make and debuild ignore it.

Also, what bits of workflow can be gleaned from the "workflow" document appear to be for modifying existing Qubes repositories where QubesOS/* is upstream and the rest appear to be a collection of tips about modifying Linux kernels.

@marmarek, can you help to clarify any of this?

[tasket]

See comment in 3503 (title should be "qubes-tunnel").

[marmarek]

FWIW, although the docs mention "package" from time to time, they don't state a requirement to supply rpm/deb packages, for example.

To upload anything to the repository, it needs to be packaged. But don't worry, I can add it. It would be helpful if install script allow to specify target directory instead of /. In makefiles it's common to use $DESTDIR variable if present, so for example cp -a $tunfiles -t /usr/lib/qubes becomes cp -a $tunfiles -t $DESTDIR/usr/lib/qubes.

BTW, super-short introduction to packaging:

• Fedora - open new PACKAGE_NAME.spec file, vim comes with helpful template, fill fields; important part is %install to place files in $RPM_BUILD_ROOT, and %files where you list them
• Debian - run dh_make in source directory and check created files - all are heavily commented After that, create Makefile.builder with:

  RPM_SPEC_FILES = PACKAGE_NAME.spec
  DEBIAN_BUILD_DIRS = debian

  And point qubes-builder at it using COMPONENTS setting, it will handle the rest (including creating a tarball).

[tasket]

I've added the requested debian/ and rpm spec files. I'm going to test them in builder now (cross fingers).

[tasket]

@marmarek I think I'm missing some detail... I've put the folder for qubes-tunnel inside './qubes-builder/qubes-src' and run make qubes-vm but it did not create packages that I can see (no pkgs subfolder).

[marmarek]

Have you added qubes-tunnel to COMPONENTS in builder.conf?

[tasket]

Yes. I didn't see where COMPONENTS was defined (seems to come from 'someplace') in builder.conf, so I added it like this (last line):

# Put all the enabled plugins into components to download them. But avoid
# duplicates
_temp_components := $(COMPONENTS)
COMPONENTS += $(filter-out $(_temp_components), $(BUILDER_PLUGINS))
COMPONENTS += qubes-tunnel

[tasket]

Current attempt at Makefile and rpm .spec is located in the packaging branch: https://github.com/tasket/qubes-tunnel/tree/packaging

[marmarek]

Rename .spec to .spec.in (but keep Makefile.builder unchanged) - then builder-rpm plugin will automatically create the tarball. In .spec.in you can also use @VERSION@ instead of actual version, to be filled based on version file.

744 mode for files? Shouldn't that be 755? Also unit files should be 644 (add -m 644 to install command).

[marmarek]

After that change, rpm builds fine for me.

[tasket]

Re 754 I was thinking "who runs this?" not about the convention. I removed this from the spec and added -m flags to the Makefile... I think that's more correct?

[tasket]

Currently I can't get builder to build fc26, it only does stretch (and skips qubes-tunnel). I tried deleting builder.conf and using setup to select fedora + debian but it doesn't change. There are no fedora-related errors, but when I try to select fedora-only I get debian errors.

The trial and error involved with builder is also VERY time consuming given the long delays between tries, having to remember to check back an hour later, and my train of thought disappearing each cycle.

[marmarek]

Don't worry, I'm on it.

[tasket]

FWIW... I got make qubes-vm to work with fedora only, but it still didn't pick up qubes-tunnel which I had placed in qubes-src and added to COMPONENTS var as mentioned above.