Fixing dom0 Qubes-Whonix UpdatesProxy Settings

< Qubes

If you see the following warning...

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.

If this warning message is transient, it can be safely ignored. Otherwise try the fix below.

Update dom0[edit]

To launch a dom0 terminal, click the Qubes App Launcher (blue/grey "Q") and then open the Terminal Emulator (Xfce Terminal).


Upgrade Qubes dom0. [1]

sudo qubes-dom0-update

Salt Fix[edit]

Use salt for dom0 settings setup. [2]

sudo qubesctl state.sls qvm.anon-whonix

Try if it works now.

To see if it is fixed, try running in Whonix TemplateVM:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt-get again.

If not fixed, try manual fix below.

Manual Fix[edit]

Please make sure Whonix-Gateway (commonly called sys-whonix) is running.

  • If you are using Qubes R3.2: The NetVM of this TemplateVM should be set to Whonix-Gateway (commonly called sys-whonix).
  • If you are using Qubes R4 or higher: Check your dom0 /etc/qubes-rpc/policy/qubes.UpdatesProxy settings.

At the very top of that file you should see the following.

$tag:whonix-updatevm $default allow,target=sys-whonix

If it is not there, add it.

If you like to see an example /etc/qubes-rpc/policy/qubes.UpdatesProxy please press on expand on the right.

/etc/qubes-rpc/policy/qubes.UpdatesProxy (raw):

## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

# Upgrade all TemplateVMs through sys-whonix.
#$type:TemplateVM $default allow,target=sys-whonix

# Upgrade Whonix TemplateVMs through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix

# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
$tag:whonix-updatevm $anyvm deny

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

$anyvm $anyvm deny

If you are using Multiple Qubes-Whonix TemplateVMs (such as if you made a clone of a Whonix TemplateVM), please press on expand on the right site.

Should have the following syntax:

Name-Of-Whonix-TemplateVM $default allow,target=Whonix-Gateway-TemplateBased-ProxyVM

Example entry for Whonix-Gateway TemplateVM:

whonix-gw-14 $default allow,target=sys-whonix

Example entry for Whonix-Workstation TemplateVM:

whonix-ws-14 $default allow,target=sys-whonix

To see if it is fixed, try running in Whonix TemplateVM:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt-get again.

Reinstall Fix[edit]

If it still does not work try to Qubes/Reinstall.

If still not fixed, ask for support in



  1. This is required to make sure a recent version of Qubes repository definition files, Qubes salt as well as qubes-core-admin-addon-whonix gets installed.
  2. Dev/Qubes#salt

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.

Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.

Random News:

Have you contributed to Whonix? If so, feel free to add your name and highlight what you did on the Whonix authorship page.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)

Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.