Qubes-Whonix ™ UpdatesProxy Settings

From Whonix


Qubes UpdatesProxy Setting

Note: In Qubes dom0.

1. Locating the settings file.

In dom0, check the settings in the file /etc/qubes-rpc/policy/qubes.UpdatesProxy.

2. View its contents.

cat /etc/qubes-rpc/policy/qubes.UpdatesProxy

3. Verify its default entry.

At the very top of that file, the following text should appear.

$tag:whonix-updatevm $default allow,target=sys-whonix

If that line is not there, add it.

4. Example.

The Qubes default /etc/qubes-rpc/policy/qubes.UpdatesProxy file (raw) looks as follows.

## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
# Upgrade all Templates through sys-whonix.
#$type:Template $default allow,target=sys-whonix
# Upgrade Whonix ™ Templates through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix
# Deny Whonix ™ Templates using UpdatesProxy of any other VM.
$tag:whonix-updatevm $anyvm deny
# Default rule for all Templates - direct the connection to sys-net
$type:Template $default allow,target=sys-net
$anyvm $anyvm deny
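Because policy parsing stops at the first match, the position of the Whonix entry decides which proxy VM a Template's update traffic reaches. The following is an added example, not part of the Whonix documentation or of Qubes itself: a simplified Python model of first-match evaluation for the token kinds in the file above. The VM names, types and tags passed to `resolve` and the misordered `BAD` policy are constructed, and treating an unspecified target as matching both `$default` and `$anyvm` is an assumption of the model.

```python
# Simplified first-match model of the policy format shown above (added example).
# Handles only the token kinds in that file: $anyvm, $default, $tag:, $type:, names.
GOOD = """\
# Upgrade Whonix Templates through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
$type:Template $default allow,target=sys-net
$anyvm $anyvm deny
"""

# Constructed misordering: the generic Template rule now matches first.
BAD = """\
$type:Template $default allow,target=sys-net
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
$anyvm $anyvm deny
"""

def parse(text):
    """Return [(lineno, source, dest, action, options)] for non-comment lines."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank, comment, or incomplete line
        src, dst, rest = parts
        action, _, params = rest.partition(",")
        opts = dict(p.strip().split("=", 1) for p in params.split(",") if "=" in p)
        rules.append((n, src, dst, action.strip(), opts))
    return rules

def src_matches(token, name, vmtype, tags):
    if token == "$anyvm":
        return True
    if token.startswith("$tag:"):
        return token[5:] in tags
    if token.startswith("$type:"):
        return token[6:] == vmtype
    return token == name  # plain VM name, as in the per-Template entries

def resolve(text, name, vmtype, tags):
    """Return (line, action, target) of the first rule matching an update request."""
    for n, src, dst, action, opts in parse(text):
        # Model assumption: an unspecified target matches $default and $anyvm.
        if src_matches(src, name, vmtype, tags) and dst in ("$default", "$anyvm"):
            return n, action, opts.get("target")
    return None, "deny", None
```

With `GOOD`, a Template tagged `whonix-updatevm` resolves to `sys-whonix`; with `BAD`, the same Template resolves to `sys-net` because the generic Template rule is reached first.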

Multiple Qubes-Whonix ™ Templates

If multiple Qubes-Whonix ™ Templates are configured, for example when the Whonix ™ Template has been cloned, follow the instructions below.

1. Syntax.

Have a look at the syntax. Look only, no editing.

Name-Of-Whonix-Template $default allow,target=Whonix-Gateway-TemplateBased-ProxyVM

2. Examples.

  • Example line entry for the Whonix-Gateway ™ Template.
    • whonix-gw-16 $default allow,target=sys-whonix
  • Example line entry for the Whonix-Workstation ™ Template.
    • whonix-ws-16 $default allow,target=sys-whonix

Qubes dom0 UpdateVM Setting

Qubes dom0 does not use Qubes UpdatesProxy.

Therefore, the file /etc/qubes-rpc/policy/qubes.UpdatesProxy does not influence which VM dom0 uses for fetching updates.

For completeness' sake, see below for how to configure the Qubes dom0 UpdateVM setting.

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [1]

  • Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [2]

  • Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-firewall → OK

Issues

no torified Qubes updates proxy found warning

How to fix "WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found."

This applies if the following warning appears.

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.

If the warning message is transient, it can be safely ignored. Otherwise, try one of the fixes below.

Error Resolution Methods

The following fixes are listed in order of preference.

Salt Fix

In dom0.

Use qubesctl to set up dom0 settings. [3]

sudo qubesctl state.sls qvm.anon-whonix

Next, check whether the problem has been corrected. Run the following command in the Whonix ™ Template.

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt again.

If there are still problems, try the manual fix below.

Manual Fix

TODO

4. To test whether it is fixed, run the following command in the Whonix ™ Template.

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

5. Then try to update / use apt again.

Reinstallation Fix

If the salt and manual fix attempts both fail, then follow the steps to Reinstall Qubes-Whonix ™ Templates. If reinstallation also fails, then ask for support in the Whonix ™ forums.

Development

The following Qubes-Whonix ™ and Whonix ™ GitHub development resources are recommended for interested readers:

Footnotes

  1. Or manually set the torified UpdateVM in a dom0 terminal.
    qubes-prefs updatevm sys-whonix
  2. To revert this change in a dom0 terminal, run.
    qubes-prefs updatevm sys-firewall
  3. Dev/Qubes#salt