Qubes-Whonix UpdatesProxy Settings

From Whonix
Jump to navigation Jump to search

Qubes dom0 Qubes-Whonix UpdatesProxy Settings.

Introduction[edit]

The following wiki pages have been updated in August 2023 for Qubes R4.1 and R4.2 and contain documentation on how to configure Qubes UpdatesProxy:

By following above wiki pages, there is no need to follow any steps on this wiki page. This wiki page is only needed for troubleshooting or when looking for additional information.

Qubes UpdatesProxy Setting[edit]

Qubes R4.1[edit]

Note: In Qubes dom0.

1. Locating the settings file.

In dom0 check file /etc/qubes-rpc/policy/qubes.UpdatesProxy settings.

2. View its contents.

cat /etc/qubes-rpc/policy/qubes.UpdatesProxy

3. Verify its default entry.

At the very top of that file, the following text should appear.

$tag:whonix-updatevm $default allow,target=sys-whonix

If that line is not there, add it.

4. Example.

To view the Qubes R4.1 default /etc/qubes-rpc/policy/qubes.UpdatesProxyarchive.org file (rawarchive.org).

## Note that policy parsing stops at the first match, ## so adding anything below "$anyvm $anyvm action" line will have no effect ## Please use a single # to start your custom comments # Upgrade all Templates through sys-whonix. #$type:Template $default allow,target=sys-whonix # Upgrade Whonix Templates through sys-whonix. $tag:whonix-updatevm $default allow,target=sys-whonix # Deny Whonix Templates using UpdatesProxy of any other VM. $tag:whonix-updatevm $anyvm deny # Default rule for all Templates - direct the connection to sys-net $type:Template $default allow,target=sys-net $anyvm $anyvm deny

If Multiple Qubes-Whonix Templates are configured, like when the Whonix Template is cloned, follow instructions below.

1. Syntax.

Have a look at the syntax. Looks only. No editing.

Name-Of-Whonix-Template $default allow,target=Whonix-Gateway-TemplateBased-ProxyVM

2. Examples.

  • Example line entry for the Whonix-Gateway Template.
    • whonix-gateway-17 $default allow,target=sys-whonix
  • Example line entry for the Whonix-Workstation Template.
    • whonix-workstation-17 $default allow,target=sys-whonix

Qubes R4.2[edit]

Note: In Qubes dom0.

1. Locating the settings file.

In dom0 check file /etc/qubes/policy.d/50-config-updates.policy settings.

2. View its contents.

cat /etc/qubes/policy.d/50-config-updates.policy

3. Verify its default entries.

At the very top of that file, the following text should appear.

qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny

If these lines are not there, add it.

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

Qubes dom0 UpdateVM Setting[edit]

Qubes dom0 does not use Qubes UpdatesProxy.

Therefore file /etc/qubes-rpc/policy/qubes.UpdatesProxy does not influence which VM will be used by dom0 for fetching updates.

For completeness sake, see below on how to configure the Qubes dom0 UpdateVM setting.

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [1]

  • Qube ManagerSystemGlobal SettingsDom0 UpdateVM: sys-whonixOK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [2]

  • Qubes ManagerSystemGlobal SettingsDom0 UpdateVM: sys-firewallOK

no torified Qubes updates proxy found warning[edit]

How to fix WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.?

If the following warning appears.

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.

If the warning message is transient, it can be safely ignored. Otherwise, try the following fix.

Works for both, Qubes R4.1 and Qubes R4.2.

In dom0.

1. Open a terminal.

2. Use qubesctl (Qubes salt) to setup dom0 settings. [3]

sudo qubesctl state.sls qvm.anon-whonix

In Whonix Template.

3. Next, check if the problem has been corrected.

Run the following command in Whonix Template.

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

4. Then try to update / use apt again.

sudo apt update

5. If there are still problems, try re-installation of Qubes-Whonix.

Additional Information for Advanced Users[edit]

Generally[edit]

The following Qubes-Whonix and Whonix GitHub development resources are recommended for interested readers:

Qubes R4.1[edit]

Qubes R4.2[edit]

  • Qubes R4.2 qrexec policy is configuration can be found in folder /etc/qubes/policy.d/.
  • Qubes defaults are configured in file /etc/qubes/policy.d/90-default.policyarchive.org.
    • Search this file for lines starting with: qubes.UpdatesProxy
    • The following comment on the top of this file explains the general principle. ## Do not modify this file, create a new policy file with a lower number in the ## filename instead. For example `30-user.policy`.
  • Check file /etc/qubes/policy.d/50-config-updates.policy
  • As per Qubes default, file /etc/qubes/policy.d/50-config-updates.policy is parsed before /etc/qubes/policy.d/90-default.policy.
  • In case of issues, see also qvm-tags verification.

Simulate torified UpdatesProxy check failed[edit]

Developers only.

In Template.

1. Simulate Qubes-Whonix UpdatesProxy check failed.

sudo rm /run/updatesproxycheck/whonix-secure-proxy

2. Run APT.

sudo apt update

3. Result.

WARNING: Execution of /usr/bin/apt prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.
Please make sure Whonix-Gateway (commonly called sys-whonix) is running.

Check your _dom0_ settings in the /etc/qubes/policy.d/ folder.

To see if it is fixed, try running in Whonix Template:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt-get again.

For more help on this subject see:
[https://www.whonix.org/wiki/Qubes/UpdatesProxy https://www.whonix.org/wiki/Qubes/UpdatesProxy]

If this warning message is transient, it can be safely ignored.

Thanks to /etc/uwt.d/40_qubes.confarchive.org which checks if /run/updatesproxycheck/whonix-secure-proxy exists which only exist does if Qubes UpdatesProxy was reachable and the output of the test included tor proxy.

Simulate Broken Connectivity[edit]

1. Break networking.

Unplug the network cable, disable WiFi or power of the modem or router.

2. View qubes-updates-proxy.service logs.

In sys-whonix.

sudo journalctl --boot -u qubes-updates-proxy.service

3. Result.

Sep 05 13:24:22 host tinyproxy[33224]: opensock: Could not retrieve address info for deb.debian.org:443: Temporary failure in name resolution

Invalid response from proxy: HTTP/1.1 500 Unable to connect Server: tinyproxy[edit]

Understanding Tinyproxy Error Messages

The objective of this documentation is to understand and interpret error messages from Tinyproxy seen in APT output.

The APT error message:

HTTP/1.0 500 Unable to connect Server: tinyproxy/1.10.0 Content-Type: text/html Connection: close

is not necessarily indicative of a Tor connectivity issue or issue caused by Whonix.

reproduce that tinyproxy error by stopping Tor or unplug Network Cable[edit]

Developers only. For demonstration purposes.

Either stop Tor. Or unplug the network cable from the router or disable WiFi or similar.

To reproduce and test the origin of this error message:

1. Stop Tor.

In sys-whonix, execute:

sudo systemctl stop tor@default

2. Confirm in the journal log that the Tor service has indeed stopped.

3. Attempt an update.

Run the update command in `whonix-gateway-17` Template:

sudo apt update

4. Result.

Now Tor is stopped while attempting to run an apt update in the Template.

The expected result is:

Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

5. Restart Tor.

Optional.

6. Done.

reproduce the tinyproxy error by adding a Blocked Repository[edit]

Developers only. For demonstration purposes.

This example uses blocked.com and that website seems to block Tor traffic, which is useful for testing.

1. Mess up APT sources on purpose.

Add a blocked APT source to /etc/apt/sources.list.d/blocked.list.

deb tor+https://deb.blocked.com bookworm main

2. Update.

sudo apt update

3. Result.

When running an update, all APT sources will function except for `blocked.com`. The output will be:

Ign:1 tor+https://deb.blocked.com bookworm InRelease                                                                                                         
Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]
Reading package lists... Done
E: Failed to fetch tor+https://deb.blocked.com/dists/bookworm/InRelease  Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

tinyproxy Error interpretation[edit]

From the output provided by `apt` in the Template, based on the message from Tinyproxy, it is challenging to differentiate between:

  • A) Local connectivity issue: Tinyproxy's inability to connect to the destination domain name.
  • B) Blocked by remote server issue: A connection being blocked by a remote APT server.

The symptoms and output from both scenarios are identical.

Error Messages[edit]

Proxying refused on filtered domain "127.0.0.1"[edit]

In sys-whonix.

Oct 15 15:34:29 host tinyproxy[846]: Proxying refused on filtered domain "127.0.0.1"

This is a non-issue.

File /etc/tinyproxy/updates-blacklist (owned by package qubes-core-agent-networking) contains:

https://github.com/QubesOS/qubes-issues/issues/8606archive.org

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)[edit]

This issue applies to at least Debian and Qubes-Whonix Templates. It happens if the UpdatesProxy (in case of Qubes-Whonix most likely: sys-whonix) used by the Template has not been started yet.

To reproduce, in Template:

sudo systemctl stop qubes-updates-proxy-forwarder.socket

sudo apt update

Expected output:

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082][edit]

In sys-whonix:

sudo systemctl stop qubes-updates-proxy.service

In Template:

sudo apt update

Expected output:

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082]

Qubes UpdatesProxy running test[edit]

sudo systemctl --no-pager --full -l status qubes-updates-proxy-forwarder.socket

Qubes UpdatesProxy reachability test[edit]

In Template, use curl to check if Qubes Updates Proxy is running on IP 127.0.0.1, port 8082.

curl 127.0.0.1:8082

Expected output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<title>403 Filtered</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="application-name" content="tor proxy"/>
</head>

<body>

<h1>tor proxy</h1>

This customized file /usr/share/tinyproxy/default.html is stored on on a Tor proxy.

<h1>Filtered</h1>

<p>The request you made has been filtered</p>

<hr />

<p><em>Generated by <a href="https://tinyproxy.github.io/">tinyproxy</a> version 1.11.1.</em></p>

</body>

</html>

Footnotes[edit]

  1. Or manually set the torified UpdateVM in dom0 terminal. qubes-prefs updatevm sys-whonix
  2. To revert this change in dom0 terminal, run. qubes-prefs updatevm sys-firewall
  3. Dev/Qubes#salt

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!