^™

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Qubes dom0 Qubes-Whonix UpdatesProxy Settings.

Introduction[edit]

Qubes UpdatesProxy Setting[edit]

Qubes R4.1[edit]

If Multiple Qubes-Whonix Templates are configured, like when the Whonix Template is cloned, follow instructions below.

Qubes R4.2[edit]

Qubes dom0 UpdateVM Setting[edit]

Qubes dom0 does not use Qubes UpdatesProxy.

Therefore file /etc/qubes-rpc/policy/qubes.UpdatesProxy does not influence which VM will be used by dom0 for fetching updates.

For completeness sake, see below on how to configure the Qubes dom0 UpdateVM setting.

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. ^[1]

• Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. ^[2]

• Qubes Manager → System → Global Settings → Dom0 UpdateVM: sys-firewall → OK

no torified Qubes updates proxy found warning[edit]

How to fix WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.?

If the following warning appears.

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.

If the warning message is transient, it can be safely ignored. Otherwise, try the following fix.

Works for both, Qubes R4.1 and Qubes R4.2.

Additional Information for Advanced Users[edit]

Generally[edit]

The following Qubes-Whonix and Whonix GitHub development resources are recommended for interested readers:

• /etc/uwt.d/40_qubes.conf
• /lib/systemd/system/qubes-whonix-torified-updates-proxy-check.service
• /usr/lib/qubes-whonix/init/torified-updates-proxy-check
• uwt

Qubes R4.1[edit]

• Qubes R4.1 /etc/qubes-rpc/policy/qubes.UpdatesProxy file (raw)

Qubes R4.2[edit]

• Qubes R4.2 qrexec policy is configuration can be found in folder /etc/qubes/policy.d/.
• Qubes defaults are configured in file /etc/qubes/policy.d/90-default.policy.
  • Search this file for lines starting with: qubes.UpdatesProxy
  • The following comment on the top of this file explains the general principle. ## Do not modify this file, create a new policy file with a lower number in the ## filename instead. For example `30-user.policy`.
• Check file /etc/qubes/policy.d/50-config-updates.policy
• As per Qubes default, file /etc/qubes/policy.d/50-config-updates.policy is parsed before /etc/qubes/policy.d/90-default.policy.
• In case of issues, see also qvm-tags verification.
  • See if you can make head or tail of qvm-tags developer notes. If not, skip this step.

Simulate torified UpdatesProxy check failed[edit]

Developers only.

In Template.

1. Simulate Qubes-Whonix UpdatesProxy check failed.

sudo rm /run/updatesproxycheck/whonix-secure-proxy

2. Run APT.

sudo apt update

3. Result.

WARNING: Execution of /usr/bin/apt prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.
Please make sure Whonix-Gateway (commonly called sys-whonix) is running.

Check your _dom0_ settings in the /etc/qubes/policy.d/ folder.

To see if it is fixed, try running in Whonix Template:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt-get again.

For more help on this subject see:
[https://www.whonix.org/wiki/Qubes/UpdatesProxy https://www.whonix.org/wiki/Qubes/UpdatesProxy]

If this warning message is transient, it can be safely ignored.

Thanks to /etc/uwt.d/40_qubes.conf which checks if /run/updatesproxycheck/whonix-secure-proxy exists which only exist does if Qubes UpdatesProxy was reachable and the output of the test included tor proxy.

Simulate Broken Connectivity[edit]

1. Break networking.

Unplug the network cable, disable WiFi or power of the modem or router.

2. View qubes-updates-proxy.service logs.

In sys-whonix.

sudo journalctl --boot -u qubes-updates-proxy.service

3. Result.

Sep 05 13:24:22 host tinyproxy[33224]: opensock: Could not retrieve address info for deb.debian.org:443: Temporary failure in name resolution

Invalid response from proxy: HTTP/1.1 500 Unable to connect Server: tinyproxy[edit]

Understanding Tinyproxy Error Messages

The objective of this documentation is to understand and interpret error messages from Tinyproxy seen in APT output.

The APT error message:

HTTP/1.0 500 Unable to connect Server: tinyproxy/1.10.0 Content-Type: text/html Connection: close

is not necessarily indicative of a Tor connectivity issue or issue caused by Whonix.

reproduce that tinyproxy error by stopping Tor[edit]

Developers only. For demonstration purposes.

To reproduce and test the origin of this error message:

1. Stop Tor.

In sys-whonix, execute:

sudo systemctl stop tor@default

2. Confirm in the journal log that the Tor service has indeed stopped.

3. Attempt an update.

Run the update command in `whonix-gateway-17` Template:

sudo apt update

4. Result.

Now Tor is stopped while attempting to run an apt update in the Template.

The expected result is:

Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

5. Restart Tor.

Optional.

6. Done.

reproduce the tinyproxy error by adding a Blocked Repository[edit]

Developers only. For demonstration purposes.

1. Mess up APT sources on purpose.

Add a blocked APT source to /etc/apt/sources.list.d/blocked.list.

deb tor+https://deb.blocked.com bookworm main

2. Update.

sudo apt update

3. Result.

When running an update, all APT sources will function except for `blocked.com`. The output will be:

Ign:1 tor+https://deb.blocked.com bookworm InRelease                                                                                                         
Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]
Reading package lists... Done
E: Failed to fetch tor+https://deb.blocked.com/dists/bookworm/InRelease  Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

tinyproxy Error interpretation[edit]

From the output provided by `apt` in the Template, based on the message from Tinyproxy, it is challenging to differentiate between:

• A) Local connectivity issue: Tinyproxy's inability to connect to the destination domain name.
• B) Blocked by remote server issue: A connection being blocked by a remote APT server.

The symptoms and output from both scenarios are identical.

Footnotes[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint Whonix ENCRYPTED SUPPORT LP, 2023

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!