💾 Archived View for perso.pw › blog › articles › qubes-os-network-scanner.gmi captured on 2023-07-22 at 16:17:23. Gemini links have been rewritten to link to archived content

View Raw

More Information

➡️ Next capture (2023-11-04)

-=-=-=-=-=-=-

Easily use your remote scanner on Linux (Qubes OS guide)

on Mastodon

Introduction

Hi, this is a quick guide explaining how to use a network scanner on Qubes OS (or Linux/BSD in general).

I'll be using a network printer / scanner Brother MFC-1910W in the example.

Setup

Specific Qubes OS

For Qubes OS, the simplest way to proceed is to use the qube sys-net (which is UNTRUSTED) to proceed with the scanner operations. Scanning in it isn't less secure than having a dedicated qube as the network traffic isn't encrypted toward the scanner, this also ease a lot the network setup.

All the instructions below will be done in sys-net, with the root user.

Note that sys-net should be either an AppVM with persistent /home or a fully disposable system, so you will have to do all the commands every time you need your scanner. If you need it really often (I use mine once in a while), you may want to automate this in the template used by sys-net.

Instructions

We need to install the program `sane-airscan` used to discover network scanners, and also all the backends/drivers for devices. On Fedora, this can be done using the following command, the package list may differ for other systems.

# dnf install sane-airscan sane-backends sane-backends-drivers-cameras sane-backends-drivers-scanners

Make sure the service `avahi-daemon` is installed and running, the default Qubes OS templates have it, but not running. It is required for network devices discovery.

# systemctl start avahi-daemon

An extra step is required, avahi requires the port UDP/5353 to be opened on the system to receive discovery replies, if you don't do that, you won't find your network scanner (this is also required for printers).

You need to figure the network interface name of your network, open a console and type `ip -4 -br a | grep UP`, the first column is the interface name, the lines starting by vif can be discarded. Run the following command, and make sure to replace INTERFACE_NAME by the real name you just found.

# iptables -I INPUT 1 -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT

Now, we should be able to discover the scanner, the following command should output a line with a device name and network address:

# airscan-discover

For me, the output looks like this:

[devices]
  Brother MFC-1910W series = http://10.42.42.133:80/WebServices/ScannerService, WSD

If you have a similar output, this mean it's working, then you can use airscan-discover output to configure the detected scanner:

# airscan-discover | tee /etc/sane.d/home.conf

Now, your scanner should be usable!

Using the scanner

You can run the command `scanimage` as a regular user to use your remote scanner, by default, it selects the first device available, so if you have a single scanner, you don't need to specify its long and complicated name/address.

You can scan and save as a PDF file using this command:

$ scanimage --format pdf > my_document.pdf

On Qubes OS, you can open a file manager in sys-net and right-click on the file to move it to the qube where you want to keep the document.

Disabling avahi

If you are done with your scanner, you can remove the firewall rule allowing device discovery.

iptables -D INPUT -i INTERFACE_NAME -p udp --dport 5353 -j ACCEPT

Conclusion

Using a network scanner is quite easy when it's supported by SANE, but you need direct access to the network because of the avahi discovery requirement, which is not practical when you have a firewall or use virtual machines in sub networks.