Jump to content
Sign in to follow this  

Guide to installing Qbuntu (Ubuntu 16.04 - Xenial) TemplateVM in Qubes 4.0.2-rc1

Recommended Posts

Guide to installing Qbuntu (Ubuntu 16.04 - Xenial) TemplateVM in Qubes 4.0.2-rc1
fedora-30 as of this writing, I did this on a fresh Qubes install on a Lenovo t450 i7, 8gb ram, 256gb samsung ssd ($280 - ebay)


Basic Idea (but does not work, don't even bother trying to decipher their ubuntu guide as its for someone who somehow knows how to do this already)

Reddit Guide (copying some of the steps from this old guide with some edits to work on Qubes 4.0 as this was written for Qubes 3.2)


#gpg stuff from qubes themselves
reference: https://wiki.qubes.rocks/Security/VerifyingSignatures

Lets Begin

Clone your fedora-30 vanilla template into a temporary 'builder' we will use to create Ubuntu templates.
[[email protected] ~]$ qvm-clone fedora-30 ubuntu-builder
Edit the VM Settings for the newly created template 'ubuntu-builder' (via Qubes Manager GUI), enable 'Allow network access' & increase 'Private storage max size' to 30GB, then start a terminal in ubuntu-builder and initialize GPG
[[email protected] ~]$ gpg
Break out of "type your message..." with CTRL+C, import Qubes master key
[[email protected] ~]$ gpg --recv-keys 0x36879494
Set trust level for qubes master key
[[email protected] ~]$ gpg --edit-key 36879494
gpg> trust
>Your decision? 5
>Do you really want to set this key to ultimate trust? Y
gpg> quit
Now retrieve and import Qubes developer keys
[[email protected] ~]$ wget http://keys.qubes-os.org/keys/qubes-developers-keys.asc
[[email protected] ~]$ gpg --import qubes-developers-keys.asc

#install nano
[[email protected] ~]$ sudo dnf install nano

Install the packages we need to retrieve and run qubes-builder
[[email protected] ~]$ sudo dnf install git createrepo rpm-build rpm-sign make python-sh rpmdevtools rpm-sign dialog
Retrieve the qubes-builder from GIT repository
[[email protected] ~]$ git clone https://github.com/QubesOS/qubes-builder
[[email protected] ~]$ cd qubes-builder
Edit default config to enable debian_builder only in setup script (example used VI but you can use text editor of your choice, like nano installed above)
[[email protected] qubes-builder]$ vi example-configs/qubes-os-r4.0.conf
(to check our current version installed, go to Qube Manager -> About -> Qubes OS)
Change these lines to look like this

DIST_DOM0 ?= fc30

hint: DOM0 distro being fc30 in this Qubes install, & remove "fc30 buster" from above
save and exit (shift-z-z if using vi)

Setup qubes-builder and compile the template

Run the qubes-builder setup script
[[email protected] qubes-builder]$ ./setup
Y to add whats missing
then yes to add missing keys
this failed on me the first time, I ctrl+c and reran ./setup again, did Y again, and it found the keys that were missing after selecting YES, had to even shutdown the qube and try again as it kept glitching out trying to retrieve keys
select 4.0




dont select current or current-testing (wtf? is this madness)


yes (to only build the template)


select xenial+desktop with spacebar and push enter


select Builder-rpm builder-debian only, nothing else. (I was using the guide to test installing Bionic 18.04 for screenshots)


#now you are back at the command prompt and type these in, one by one. The last 2 will take some time so go to Denarius discord and chat with us while waiting. https://discord.gg/7zcwXJN


make install-deps
make get-sources
make qubes-vm
make template

We have our Ubuntu 16.04 template, now to install it!

Qubes-builder should have created an install script, let's make sure it exists:
[[email protected] qubes-builder]$ ls -altr qubes-src/linux-template-builder/rpm
You should see an 'install-template.sh' file there. Now switch back to your dom0 terminal, and install the template:
[[email protected] ~]$ qvm-run --pass-io ubuntu-builder 'cat /home/user/qubes-builder/qubes-src/linux-template-builder/rpm/install-templates.sh' > install-templates.sh
Make the copied script executable and run it
[[email protected] ~]$ chmod +x install-templates.sh
[[email protected] ~]$ ./install-templates.sh

#make template (clone) just for denarius, why not
in dom0 terminal emulator

qvm-clone xenial-desktop denarius-crypto

goto qubes-settings for denarius-crypto qube and add your network (I used sys-whonix running tor), run terminal and start to compile the wallet
I am choosing color purple background to break out any crypto stuff so I know be careful
ignore any errors (pulse audio)

#compile denarius QT in template: denarius-crypto

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install -y git unzip build-essential libssl-dev libdb++-dev libboost-all-dev libqrencode-dev libminiupnpc-dev libevent-dev autogen automake  libtool libqt5gui5 libqt5core5a libqt5dbus5 qttools5-dev qttools5-dev-tools qt5-default
git clone https://github.com/carsenk/denarius
cd denarius
git checkout master
git pull
qmake "USE_QRCODE=1" "USE_UPNP=1" denarius-qt.pro
make -j2
sudo cp Denarius /usr/local/bin

#setup appvm with name
reference: https://www.qubes-os.org/doc/managing-appvm-shortcuts/

sudo nano /usr/share/applications/denarius.desktop
[Desktop Entry]

in dom0 run qvm-sync-appmenus denarius-crypto
now you can add Denarius to your app selection list in the template

select denarius from your template: denarius-crypto and start syncing eet



  • Like 2

Join Denarius Discord - https://discord.gg/JQEmXwb

Share this post

Link to post
Share on other sites

Create AppVM (This is where you run your app, store the blockchain and wallet.dat)

Go to Qube Manager -> Qube -> Create new qube

Name: Denarius-QT
Type: Qube based on a template (AppVM)
Template:  denarius-crypto
networking: default (sys-firewall) or sys-whonix
checkmark: launch settings after creation
Give this a color

After creation in settings, go to Applications and bring Denarius into this Qube so you can run the QT from here, I also gave this 6gb of private storage space as the blockchain is currently over 2gb.

Then I ran a new terminal from this Qube and recloned and compiled the QT again to run from here.

The idea is to keep breaking everything down to separate out right? Lets see how much more I can separate out the wallet and wallet.dat from the internet.

  • Like 1

Join Denarius Discord - https://discord.gg/JQEmXwb

Share this post

Link to post
Share on other sites

Thought Process Area so I don't clog chat

I compile the denariusd wallet daemon into the denarius-crypto template. I then can run denariusd using sys-whonix and give this the network service tag AppVM. Then I run the QT and use that denarius service as the network and basically block everything except port 33369 and 9999 and in denarius.conf have connect=The denariusd Qube IP so the QT only see the daemon which has internet access.

  • Like 1

Join Denarius Discord - https://discord.gg/JQEmXwb

Share this post

Link to post
Share on other sites

Setup VPN AppVM Specifically for PIA VPN.

Based on https://github.com/tasket/Qubes-vpn-support

#go into Debian 10 template and install openvpn
#open debian 10 terminal

sudo apt update
sudo apt install openvpn

#shutdown debian 10 template
reference: https://www.qubes-os.org/doc/software-update-vm/

#create new Qube AppVM
Name and Label: VPN
Type: Qubes Based on a template (AppVM)
Template: Debian 10
Networking: sys-net
checkmark: provides network
checkmark: launch settings after creation

Next, add vpn-handler-openvpn to the ProxyVM's Settings / Services tab by typing it into the top line and clicking the plus icon. Do not add other network services such as Network Manager.

open up a terminal in this AppVM

sudo mkdir -p /rw/config/vpn
cd /rw/config/vpn
sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo unzip openvpn.zip
sudo cp 'US West.ovpn' vpn-client.conf
cd ~
git clone https://github.com/tasket/Qubes-vpn-support
cd Qubes-vpn-support
#can either use the master branch or
(git checkout 1.4.3)
(git pull)
sudo bash ./install

Enter PIA username/password when prompted

this is saved to /rw/config/vpn/userpassword.txt

restart the AppVM and it should show the link is up in top right corner. Then connect an AppVM to this new VPN AppVM

  • Like 1

Join Denarius Discord - https://discord.gg/JQEmXwb

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Create New...