How-to: Fix dom0 Qubes-Whonix ™ UpdatesProxy Settings

From Whonix

< Qubes



If the following warning appears.

WARNING: Execution of /usr/bin/apt-get prevented by /etc/uwt.d/40_qubes.conf because no torified Qubes updates proxy found.

If the warning message is transient, it can be safely ignored. Otherwise, try one of the fixes below.

Update dom0[edit]

Launch a dom0 terminal.
Click the Qubes App Launcher (blue/grey "Q")Open the Terminal Emulator (Xfce Terminal)


Upgrade Qubes dom0. This step is mandatory. [1]

sudo qubes-dom0-update


Error Resolution Methods[edit]

The following fixes are listed in order of preference.

Salt Fix[edit]

Use salt to setup dom0 settings. [2]

sudo qubesctl state.sls qvm.anon-whonix

Next, check if the problem has been corrected. Run the following command in Whonix ™ Template.

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

Then try to update / use apt-get again.

If there are still problems, try the manual fix below.

Manual Fix[edit]

1. Make sure Whonix-Gateway ™ (sys-whonix) is running.

Check the dom0 /etc/qubes-rpc/policy/qubes.UpdatesProxy settings.

2. At the very top of that file, the following text should appear.

$tag:whonix-updatevm $default allow,target=sys-whonix

If it is not there, add it.

To view a complete example of the /etc/qubes-rpc/policy/qubes.UpdatesProxy file, please press on expand on the right.

/etc/qubes-rpc/policy/qubes.UpdatesProxy [archive] (raw [archive]):

## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect

## Please use a single # to start your custom comments

# Upgrade all TemplateVMs through sys-whonix.
#$type:TemplateVM $default allow,target=sys-whonix

# Upgrade {{project_name}} templateVMs through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix

# Deny {{project_name}} templateVMs using UpdatesProxy of any other VM.
$tag:whonix-updatevm $anyvm deny

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

$anyvm $anyvm deny

3. If Multiple Qubes-Whonix ™ Templates are configured -- like when the Whonix ™ Template is cloned -- please press on expand on the right.

The following syntax should apply.

Name-Of-Whonix-TemplateVM $default allow,target=Whonix-Gateway-TemplateBased-ProxyVM

Example entry for Whonix-Gateway ™ Template.

whonix-gw-16 $default allow,target=sys-whonix

Example entry for Whonix-Workstation ™ Template.

whonix-ws-16 $default allow,target=sys-whonix

4. To test if it is fixed, run the following command in Whonix ™ Template.

sudo systemctl restart qubes-whonix-torified-updates-proxy-check

5. Then try to update / use apt-get again.

Reinstallation Fix[edit]

If the salt and manual fix attempts both fail, then follow the steps to Reinstall Qubes-Whonix ™ Templates. If reinstallation also fails, then ask for support in the Whonix ™ forums [archive].


Qubes dom0 does not use Qubes UpdatesProxy. [3] Therefore file /etc/qubes-rpc/policy/qubes.UpdatesProxy does not influence which VM will be used by dom0 for fetching updates.

For completeness sake, see below on how to configure the Qubes dom0 UpdateVM setting.

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [4]

  • Qube ManagerSystemGlobal SettingsDom0 UpdateVM: sys-whonixOK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [5]

  • Qubes ManagerSystemGlobal SettingsDom0 UpdateVM: sys-firewallOK


The following Qubes-Whonix ™ and Whonix ™ GitHub development resources are recommended for interested readers:


  1. This is required to make sure Older, similar references:
  2. Dev/Qubes#salt
  3. Qubes generally, not Whonix ™ specific implementation.
  4. Or manually set the torified UpdateVM in dom0 terminal.
    qubes-prefs updatevm sys-whonix

  5. To revert this change in dom0 terminal, run.
    qubes-prefs updatevm sys-firewall

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Interested in becoming an author for the Whonix ™ News Blog or writing about anonymity, privacy and security? Please get in touch!

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.