Kicksecure Network Configuration

Please update me on what you decided so I can apply the changes and put out a new release that works.

Still same as Kicksecure Network Configuration - #6 by Patrick

Patches welcome.

That would require a working implementation which doesn’t exist and which don’t look will be existing soonish.

Alright so I will add dhcpcanon here:

comment out staitc settings and comment in dynamic address support here:

https://github.com/Whonix/kicksecure-network-conf/blob/master/etc/network/interfaces.d/30_kicksecure

Does that sound good?

I didn’t quite understand how VBox could be affected though since they have a DHCP server. Can you please test if having a dhcp client and enabling interface dhcp support doesn’t break?

Is that all that is required to make dhcpcanon work?

This might even work since we had that in Whonix 9 (not sure when we stopped DHCP for Whonix).

https://github.com/Whonix/whonix-gw-network-conf/blob/Whonix9/etc/network/interfaces.whonix

Yes.

• I guess could make Kicksecure KVM work and if we’re lucky doesn’t break Kicksecure VirtualBox.
• And I guess that also doesn’t block a later complete Kicksecure host network configuration (network manager…).

Works? Doesn’t break DNS either? Tested?

I hope this is going to be easy and not require any changes in https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm because then could take time until this is figured out.

Pretty much

Connections work normally.

11 posts were split to a new topic: Selecting Secure Packages from packages.debian.org

Split the discussion on the security of dhcpcanon and the more general question of which packages from packages.debian.org are suitable and if it would be possible to have a better policy to a separate forum thread, see:

Merged. Not yet tested.

Is this project dead? · Issue #32 · juga0/dhcpcanon · GitHub

Anyone up to implement host / network manager / WiFi support too?

I will take a crack at it though I have no means to test the end result on baremetal so I’ll enlist our onion in shining armor @onion_knight to help us out here. Maybe all we’ll need is a USB WIfi stick to test this in a VM.

I believe all that’s needed is network-manager-gnome for it to work? (I assume we’ll be shipping a kernel with the required wifi modules and firmware included) Just checked and it pulls in wifi related stuff like wpasupplicant.

Yes, for now standard Debian kernel.

Dunno. But one thing… Please always assume --no-install-recommends.

sudo apt install --no-install-recommends network-manager-gnome

with no-install-recommends:

The following NEW packages will be installed:
  libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
  libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
  libgcr-base-3-1 libjansson4 libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
  libnl-route-3-200 libnm0 libnma0 libpcsclite1 libteamdctl0 network-manager
  network-manager-gnome wpasupplicant

Without:
The following NEW packages will be installed:
crda dns-root-data dnsmasq-base gcr gnome-keyring gnome-keyring-pkcs11 iw
libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
libgcr-base-3-1 libgcr-ui-3-1 libjansson4 libjim0.77 libmbim-glib4
libmbim-proxy libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
libnl-route-3-200 libnm0 libnma0 libpam-gnome-keyring libpcap0.8
libpcsclite1 libqmi-glib5 libqmi-proxy libteamdctl0
mobile-broadband-provider-info modemmanager network-manager
network-manager-gnome p11-kit p11-kit-modules pinentry-gnome3 ppp
usb-modeswitch usb-modeswitch-data wireless-regdb wpasupplicant

I think we should be OK. The main wifi barebones stuff is included either way. I don’t if dhcpcanon will run into problems without support from the GUI, though it is started automatically anyway and I’ve never seen any simple users playing with DHCP settings let alone know what it is.

Btw… Generally…

apt-cache show network-manager-gnome

Look for:

Recommends: notification-daemon, gnome-keyring, mobile-broadband-provider-info, iso-codes

and/or Debian -- Details of package network-manager-gnome in buster rec:

I learn something new everyday

Does this belong in the kicksecure-network-conf package too?

For now, yes.

(I will later create a kicksecure-network-conf-gui package to refactor that out but that has time.)

Let me know when you have a buildable branch with these changes. New releases are overdue with Tor’s new DoS fixes

Maybe this could help you; this is a list of required dependencies and recommendations from this exact package on an Ubuntu system I maintain:

network-manager-gnome (requirements and recommendations)

Required Dependencies:
libappindicator3-1
libatk1.0-0
libc6
libcairo2
libgdk-pixbuf2.0-0
libglib2.0-0
libgtk-3-0
libjansson4 (various versions depending on distro)
libmm-glib0 (various versions depending on distro)
libnm0
linnma0
libnotify4
libpango-1.0-0
libpangocairo1.0-0
libsecret
libselinux
dconf-settings-backend, gsettings-backend
network-manager
policykit-1-gnome
dbus-session-bus

recommends:
notification-daemon
gnome-keyring
mobile-broadband-provider-info
iso-codes

dhcpcanon systemd unit fails at boot due to missing debhelper apparmor integration
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956626