Qubes/Tor Browser Documentation Multiple Qubes-Whonix Templates Previous page: Qubes/Tor Browser Index page: Documentation Next page: Multiple Qubes-Whonix Templates Qubes-Whonix^™ UpdatesProxy Settings

Qubes dom0 Qubes-Whonix UpdatesProxy Settings.

Introduction[edit]

The following wiki pages have been updated in August 2023 for R4.2 and contain documentation on how to configure Qubes UpdatesProxy:

By following above wiki pages, there is no need to follow any steps on this wiki page. This wiki page is only needed for troubleshooting or when looking for additional information.

Qubes UpdatesProxy Setting[edit]

Note: In Qubes dom0.

1. Locating the settings file.

In dom0 check file /etc/qubes/policy.d/50-config-updates.policy settings.

2. View its contents.

cat /etc/qubes/policy.d/50-config-updates.policy

3. Verify its default entries.

At the very top of that file, the following text should appear.

qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny

If these lines are not there, add it.

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

Qubes dom0 UpdateVM Setting[edit]

Qubes dom0 does not use Qubes UpdatesProxy.

Therefore file /etc/qubes-rpc/policy/qubes.UpdatesProxy does not influence which VM will be used by dom0 for fetching updates.

For completeness sake, see below on how to configure the Qubes dom0 UpdateVM setting.

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. ^[1]

Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. ^[2]

Qubes Manager → System → Global Settings → Dom0 UpdateVM: sys-firewall → OK

no torified Qubes updates proxy found warning[edit]

How to fix WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.?

If the following warning appears.

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.

If the warning message is transient, it can be safely ignored. Otherwise, try the following fix.

In dom0.

1. Open a terminal.

2. Use qubesctl (Qubes salt) to setup dom0 settings. ^[3]

sudo qubesctl state.sls qvm.anon-whonix

In Whonix Template.

3. Next, check if the problem has been corrected.

Run the following command in Whonix Template.

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

4. Then try to update / use apt again.

sudo apt update

5. If there are still problems, try re-installation of Qubes-Whonix.

Reinstall Qubes-Whonix Templates.
If re-installation also fails, then ask for support in the Whonix forums.

Additional Information for Advanced Users[edit]

Generally[edit]

The following Qubes-Whonix and Whonix GitHub development resources are recommended for interested readers:

Qubes[edit]

Qubes qrexec policy is configuration can be found in folder /etc/qubes/policy.d/.
Qubes defaults are configured in file /etc/qubes/policy.d/90-default.policy.
- Search this file for lines starting with: qubes.UpdatesProxy
- The following comment on the top of this file explains the general principle. ## Do not modify this file, create a new policy file with a lower number in the ## filename instead. For example `30-user.policy`.
Check file /etc/qubes/policy.d/50-config-updates.policy
As per Qubes default, file /etc/qubes/policy.d/50-config-updates.policy is parsed before /etc/qubes/policy.d/90-default.policy.
In case of issues, see also qvm-tags verification.
- See if you can make head or tail of qvm-tags developer notes. If not, skip this step.

Simulate torified UpdatesProxy check failed[edit]

Developers only.

In Template.

1. Simulate Qubes-Whonix UpdatesProxy check failed.

sudo rm /run/updatesproxycheck/whonix-secure-proxy

2. Run APT.

sudo apt update

3. Result.

WARNING: Execution of /usr/bin/apt prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.
Please make sure Whonix-Gateway (commonly called sys-whonix) is running.

Check your _dom0_ settings in the /etc/qubes/policy.d/ folder.

To see if it is fixed, try running in Whonix Template:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt-get again.

For more help on this subject see:
[https://www.whonix.org/wiki/Qubes/UpdatesProxy https://www.whonix.org/wiki/Qubes/UpdatesProxy]

If this warning message is transient, it can be safely ignored.

Thanks to /etc/uwt.d/40_qubes.conf which checks if /run/updatesproxycheck/whonix-secure-proxy exists which only exist does if Qubes UpdatesProxy was reachable and the output of the test included tor proxy.

Simulate Broken Connectivity[edit]

1. Break networking.

Unplug the network cable, disable WiFi or power of the modem or router.

2. View qubes-updates-proxy.service logs.

In sys-whonix.

sudo journalctl --boot -u qubes-updates-proxy.service

3. Result.

Sep 05 13:24:22 host tinyproxy[33224]: opensock: Could not retrieve address info for deb.debian.org:443: Temporary failure in name resolution

Invalid response from proxy: HTTP/1.1 500 Unable to connect Server: tinyproxy[edit]

Understanding Tinyproxy Error Messages

The objective of this documentation is to understand and interpret error messages from Tinyproxy seen in APT output.

The APT error message:

HTTP/1.0 500 Unable to connect Server: tinyproxy/1.10.0 Content-Type: text/html Connection: close

is not necessarily indicative of a Tor connectivity issue or issue caused by Whonix.

reproduce that tinyproxy error by stopping Tor or unplug Network Cable[edit]

Developers only. For demonstration purposes.

Either stop Tor. Or unplug the network cable from the router or disable WiFi or similar.

To reproduce and test the origin of this error message:

1. Stop Tor.

In sys-whonix, execute:

sudo systemctl stop tor@default

2. Confirm in the journal log that the Tor service has indeed stopped.

3. Attempt an update.

Run the update command in `whonix-gateway-17` Template:

sudo apt update

4. Result.

Now Tor is stopped while attempting to run an apt update in the Template.

The expected result is:

Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

5. Restart Tor.

Optional.

6. Done.

reproduce the tinyproxy error by adding a Blocked Repository[edit]

Developers only. For demonstration purposes.

This example uses blocked.com and that website seems to block Tor traffic, which is useful for testing.

1. Mess up APT sources on purpose.

Add a blocked APT source to /etc/apt/sources.list.d/blocked.list.

deb tor+https://deb.blocked.com bookworm main

2. Update.

sudo apt update

3. Result.

When running an update, all APT sources will function except for `blocked.com`. The output will be:

Ign:1 tor+https://deb.blocked.com bookworm InRelease                                                                                                         
Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]
Reading package lists... Done
E: Failed to fetch tor+https://deb.blocked.com/dists/bookworm/InRelease  Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

tinyproxy Error interpretation[edit]

From the output provided by `apt` in the Template, based on the message from Tinyproxy, it is challenging to differentiate between:

A) Local connectivity issue: Tinyproxy's inability to connect to the destination domain name.
B) Blocked by remote server issue: A connection being blocked by a remote APT server.

The symptoms and output from both scenarios are identical.

Error Messages[edit]

Proxying refused on filtered domain "127.0.0.1"[edit]

In sys-whonix.

Oct 15 15:34:29 host tinyproxy[846]: Proxying refused on filtered domain "127.0.0.1"

This is a non-issue.

File /etc/tinyproxy/updates-blacklist (owned by package qubes-core-agent-networking) contains:

https://github.com/QubesOS/qubes-core-agent-linux/blob/main/network/updates-blacklist

https://github.com/QubesOS/qubes-issues/issues/8606

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)[edit]

This issue applies to at least Debian and Qubes-Whonix Templates. It happens if the UpdatesProxy (in case of Qubes-Whonix most likely: sys-whonix) used by the Template has not been started yet.

To reproduce, in Template:

sudo systemctl stop qubes-updates-proxy-forwarder.socket

sudo apt update

Expected output:

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082][edit]

In sys-whonix:

sudo systemctl stop qubes-updates-proxy.service

In Template:

sudo apt update

Expected output:

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082]

Qubes UpdatesProxy running test[edit]

sudo systemctl --no-pager --full -l status qubes-updates-proxy-forwarder.socket

Qubes UpdatesProxy reachability test[edit]

In Template, use curl to check if Qubes Updates Proxy is running on IP 127.0.0.1, port 8082.

curl 127.0.0.1:8082

Expected output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<title>403 Filtered</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="application-name" content="tor proxy"/>
</head>

<body>

<h1>tor proxy</h1>

This customized file /usr/share/tinyproxy/default.html is stored on on a Tor proxy.

<h1>Filtered</h1>

<p>The request you made has been filtered</p>

<hr />

<p><em>Generated by <a href="https://tinyproxy.github.io/">tinyproxy</a> version 1.11.1.</em></p>

</body>

</html>

Qubes UpdatesProxy Stream Isolation[edit]

See Qubes UpdatesProxy Stream Isolation.

Footnotes[edit]

↑ Or manually set the torified UpdateVM in dom0 terminal. qubes-prefs updatevm sys-whonix
↑ To revert this change in dom0 terminal, run. qubes-prefs updatevm sys-firewall
↑ Dev/Qubes#salt

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] Or manually set the torified UpdateVM in dom0 terminal. qubes-prefs updatevm sys-whonix

[2] To revert this change in dom0 terminal, run. qubes-prefs updatevm sys-firewall

[3] Dev/Qubes#salt

[1]

[2]

[3]

Qubes-Whonix^™ UpdatesProxy Settings

Contents

Introduction[edit]

Qubes UpdatesProxy Setting[edit]

Qubes dom0 UpdateVM Setting[edit]

no torified Qubes updates proxy found warning[edit]

Additional Information for Advanced Users[edit]

Generally[edit]

Qubes[edit]

Simulate torified UpdatesProxy check failed[edit]

Simulate Broken Connectivity[edit]

Invalid response from proxy: HTTP/1.1 500 Unable to connect Server: tinyproxy[edit]

reproduce that tinyproxy error by stopping Tor or unplug Network Cable[edit]

reproduce the tinyproxy error by adding a Blocked Repository[edit]

tinyproxy Error interpretation[edit]

Error Messages[edit]

Proxying refused on filtered domain "127.0.0.1"[edit]

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)[edit]

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082][edit]

Qubes UpdatesProxy running test[edit]

Qubes UpdatesProxy reachability test[edit]

Qubes UpdatesProxy Stream Isolation[edit]

Footnotes[edit]

Navigation menu

Qubes-Whonix™ UpdatesProxy Settings

Introduction[edit]

Qubes UpdatesProxy Setting[edit]

Qubes dom0 UpdateVM Setting[edit]

no torified Qubes updates proxy found warning[edit]

Additional Information for Advanced Users[edit]

Generally[edit]

Qubes[edit]

Simulate torified UpdatesProxy check failed[edit]

Simulate Broken Connectivity[edit]

Invalid response from proxy: HTTP/1.1 500 Unable to connect Server: tinyproxy[edit]

reproduce that tinyproxy error by stopping Tor or unplug Network Cable[edit]

reproduce the tinyproxy error by adding a Blocked Repository[edit]

tinyproxy Error interpretation[edit]

Error Messages[edit]

Proxying refused on filtered domain "127.0.0.1"[edit]

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)[edit]

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082][edit]

Qubes UpdatesProxy running test[edit]

Qubes UpdatesProxy reachability test[edit]

Qubes UpdatesProxy Stream Isolation[edit]

Footnotes[edit]

Navigation menu

Search

Qubes-Whonix^™ UpdatesProxy Settings