Creating ProxyVM should auto-add network-manager service by default

[mfc]

Qubes OS version (e.g., R3.1):

R3.1

Affected TemplateVMs (e.g., fedora-23, if applicable):

Qubes VM Manager / ProxyVM creation

---

When a user is creating a ProxyVM, they are doing so to do something related to the network (like proxy network traffic...).

They should not have to read the Documentation (e.g. VPN) to realize that they also need to add the network-manager service in order to be able to use the network-manager for their new proxyvm.

If there is some reason for someone to create a proxyvm without the network-manager service, then that can be documented as an opt-out option.

[marmarek]

There are many more possible use cases for additional ProxyVM than just VPN, for example:

• firewall traffic before whonix-gw (because currently whonix-gw doesn't support it)
• log/analyze traffic

And having Network Manger enabled by default, means additional NM icon, which may be confusing, especially because it will only differ in 1-pixel frame (or in case of the same label - not even this).

On the other hand, it may be useful to add "network-manager" entry to services tab by default. But have it disabled. It will be much easier to find it.

[marmarek]

There are many more possible use cases for additional ProxyVM than just VPN, for example:

• firewall traffic before whonix-gw (because currently whonix-gw doesn't support it)
• log/analyze traffic

And having Network Manger enabled by default, means additional NM icon, which may be confusing, especially because it will only differ in 1-pixel frame (or in case of the same label - not even this).

On the other hand, it may be useful to add "network-manager" entry to services tab by default. But have it disabled. It will be much easier to find it.

[mfc]

given that the network manager is installed already by default but not functional without the added service, users are not going to realize they need to add the network-manager service without looking at documentation. they will see the Network Connections app and not understand why it doesn't work (see this recent example).

For both of those alternative usecases, those are power-users usecases and they can go to the Services section and uncheck network-manager as they desire.

[mfc]

given that the network manager is installed already by default but not functional without the added service, users are not going to realize they need to add the network-manager service without looking at documentation. they will see the Network Connections app and not understand why it doesn't work (see this recent example).

For both of those alternative usecases, those are power-users usecases and they can go to the Services section and uncheck network-manager as they desire.

[marmarek]

The example you've given is exactly why it is not a good idea to enable it by default. Enabling NetworkManager in Whonix gateway will most likely break Whonix network/firewall settings, maybe even causing leaks (for example DNS).

[marmarek]

The example you've given is exactly why it is not a good idea to enable it by default. Enabling NetworkManager in Whonix gateway will most likely break Whonix network/firewall settings, maybe even causing leaks (for example DNS).

[mfc]

the use-case where I encountered this UX issue was Fedora-23 and Debian-8 templates. I guess the linked thread was a bad example, I agree folks should not be creating VPNs etc using whonix-gw since that is built for a separate purpose.

so let us say the proposed logic would autocreate for Fedora and Debian-based proxyvms only.

[mfc]

the use-case where I encountered this UX issue was Fedora-23 and Debian-8 templates. I guess the linked thread was a bad example, I agree folks should not be creating VPNs etc using whonix-gw since that is built for a separate purpose.

so let us say the proposed logic would autocreate for Fedora and Debian-based proxyvms only.

[andrewdavidwong]

given that the network manager is installed already by default but not functional without the added service, users are not going to realize they need to add the network-manager service without looking at documentation.

One thing to keep in mind here is that some users base ProxyVMs on minimal templates in which NetworkManager is not installed.

[andrewdavidwong]

given that the network manager is installed already by default but not functional without the added service, users are not going to realize they need to add the network-manager service without looking at documentation.

One thing to keep in mind here is that some users base ProxyVMs on minimal templates in which NetworkManager is not installed.