Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes Intel / AMD64 ARM64 PPC64 USB ISO Raspberry Pi More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Qubes dom0 Qubes-Whonix UpdatesProxy Settings.

Introduction[edit]

Qubes UpdatesProxy Setting[edit]

qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny

Qubes dom0 UpdateVM Setting[edit]

Qubes dom0 does not use Qubes UpdatesProxy.

Therefore file /etc/qubes-rpc/policy/qubes.UpdatesProxy does not influence which VM will be used by dom0 for fetching updates.

For completeness sake, see below on how to configure the Qubes dom0 UpdateVM setting.

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. ^[1]

• Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. ^[2]

• Qubes Manager → System → Global Settings → Dom0 UpdateVM: sys-firewall → OK

no torified Qubes updates proxy found warning[edit]

How to fix WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.?

If the following warning appears.

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.

If the warning message is transient, it can be safely ignored. Otherwise, try the following fix.

Additional Information for Advanced Users[edit]

Generally[edit]

The following Qubes-Whonix and Whonix GitHub development resources are recommended for interested readers:

• /etc/uwt.d/40_qubes.conf
• /lib/systemd/system/qubes-whonix-torified-updates-proxy-check.service
• /usr/lib/qubes-whonix/init/torified-updates-proxy-check
• uwt

Qubes[edit]

• Qubes qrexec policy is configuration can be found in folder /etc/qubes/policy.d/.
• Qubes defaults are configured in file /etc/qubes/policy.d/90-default.policy.
  • Search this file for lines starting with: qubes.UpdatesProxy
  • The following comment on the top of this file explains the general principle. ## Do not modify this file, create a new policy file with a lower number in the ## filename instead. For example `30-user.policy`.
• Check file /etc/qubes/policy.d/50-config-updates.policy
• As per Qubes default, file /etc/qubes/policy.d/50-config-updates.policy is parsed before /etc/qubes/policy.d/90-default.policy.
• In case of issues, see also qvm-tags verification.
  • See if you can make head or tail of qvm-tags developer notes. If not, skip this step.

Simulate torified UpdatesProxy check failed[edit]

Developers only.

In Template.

1. Simulate Qubes-Whonix UpdatesProxy check failed.

sudo rm /run/updatesproxycheck/whonix-secure-proxy

2. Run APT.

sudo apt update

3. Result.

WARNING: Execution of /usr/bin/apt prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.
Please make sure Whonix-Gateway (commonly called sys-whonix) is running.

Check your _dom0_ settings in the /etc/qubes/policy.d/ folder.

To see if it is fixed, try running in Whonix Template:

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt-get again.

For more help on this subject see:
[https://www.whonix.org/wiki/Qubes/UpdatesProxy https://www.whonix.org/wiki/Qubes/UpdatesProxy]

If this warning message is transient, it can be safely ignored.

Thanks to /etc/uwt.d/40_qubes.conf which checks if /run/updatesproxycheck/whonix-secure-proxy exists which only exist does if Qubes UpdatesProxy was reachable and the output of the test included tor proxy.

Simulate Broken Connectivity[edit]

1. Break networking.

Unplug the network cable, disable WiFi or power of the modem or router.

2. View qubes-updates-proxy.service logs.

In sys-whonix.

sudo journalctl --boot -u qubes-updates-proxy.service

3. Result.

Sep 05 13:24:22 host tinyproxy[33224]: opensock: Could not retrieve address info for deb.debian.org:443: Temporary failure in name resolution

Invalid response from proxy: HTTP/1.1 500 Unable to connect Server: tinyproxy[edit]

Understanding Tinyproxy Error Messages

The objective of this documentation is to understand and interpret error messages from Tinyproxy seen in APT output.

The APT error message:

HTTP/1.0 500 Unable to connect Server: tinyproxy/1.10.0 Content-Type: text/html Connection: close

is not necessarily indicative of a Tor connectivity issue or issue caused by Whonix.

reproduce that tinyproxy error by stopping Tor or unplug Network Cable[edit]

Developers only. For demonstration purposes.

Either stop Tor. Or unplug the network cable from the router or disable WiFi or similar.

To reproduce and test the origin of this error message:

1. Stop Tor.

In sys-whonix, execute:

sudo systemctl stop tor@default

2. Confirm in the journal log that the Tor service has indeed stopped.

3. Attempt an update.

Run the update command in `whonix-gateway-17` Template:

sudo apt update

4. Result.

Now Tor is stopped while attempting to run an apt update in the Template.

The expected result is:

Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

5. Restart Tor.

Optional.

6. Done.

reproduce the tinyproxy error by adding a Blocked Repository[edit]

Developers only. For demonstration purposes.

This example uses blocked.com and that website seems to block Tor traffic, which is useful for testing.

1. Mess up APT sources on purpose.

Add a blocked APT source to /etc/apt/sources.list.d/blocked.list.

deb tor+https://deb.blocked.com bookworm main

2. Update.

sudo apt update

3. Result.

When running an update, all APT sources will function except for `blocked.com`. The output will be:

Ign:1 tor+https://deb.blocked.com bookworm InRelease                                                                                                         
Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]
Reading package lists... Done
E: Failed to fetch tor+https://deb.blocked.com/dists/bookworm/InRelease  Invalid response from proxy: HTTP/1.1 500 Unable to connect  Server: tinyproxy/1.11.1  Content-Type: text/html  Connection: close [IP: 127.0.0.1 8082]

tinyproxy Error interpretation[edit]

From the output provided by `apt` in the Template, based on the message from Tinyproxy, it is challenging to differentiate between:

• A) Local connectivity issue: Tinyproxy's inability to connect to the destination domain name.
• B) Blocked by remote server issue: A connection being blocked by a remote APT server.

The symptoms and output from both scenarios are identical.

Error Messages[edit]

Proxying refused on filtered domain "127.0.0.1"[edit]

In sys-whonix.

Oct 15 15:34:29 host tinyproxy[846]: Proxying refused on filtered domain "127.0.0.1"

This is a non-issue.

File /etc/tinyproxy/updates-blacklist (owned by package qubes-core-agent-networking) contains:

• https://github.com/QubesOS/qubes-core-agent-linux/blob/main/network/updates-blacklist

https://github.com/QubesOS/qubes-issues/issues/8606

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)[edit]

This issue applies to at least Debian and Qubes-Whonix Templates. It happens if the UpdatesProxy (in case of Qubes-Whonix most likely: sys-whonix) used by the Template has not been started yet.

To reproduce, in Template:

sudo systemctl stop qubes-updates-proxy-forwarder.socket

sudo apt update

Expected output:

Could not connect to 127.0.0.1:8082 (127.0.0.1). - connect (113: No route to host)

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082][edit]

In sys-whonix:

sudo systemctl stop qubes-updates-proxy.service

In Template:

sudo apt update

Expected output:

Reading from proxy failed - read (11: Resource temporarily unavailable) [IP: 127.0.0.1 8082]

Qubes UpdatesProxy running test[edit]

sudo systemctl --no-pager --full -l status qubes-updates-proxy-forwarder.socket

Qubes UpdatesProxy reachability test[edit]

In Template, use curl to check if Qubes Updates Proxy is running on IP 127.0.0.1, port 8082.

curl 127.0.0.1:8082

Expected output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<title>403 Filtered</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="application-name" content="tor proxy"/>
</head>

<body>

<h1>tor proxy</h1>

This customized file /usr/share/tinyproxy/default.html is stored on on a Tor proxy.

<h1>Filtered</h1>

<p>The request you made has been filtered</p>

<hr />

<p><em>Generated by <a href="https://tinyproxy.github.io/">tinyproxy</a> version 1.11.1.</em></p>

</body>

</html>

Qubes UpdatesProxy Stream Isolation[edit]

See Qubes UpdatesProxy Stream Isolation.

Footnotes[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!