Can someone explain networking

Good morning,

So I have “templates” that update over TOR and a few appVM’s that use TOR as well and some other appVM’s that go out over Clearnet and of course Dom0/qubes updates over TOR.
When looking at the templates or appVM’s network in their qubes settings some of them have a “yellow triangle” and state that some data leak may happen as there is another network choosen for this appVM. Well I need this appVM to access Clearnet but yet the template updates over TOR. So my questions are…

-Is this OK that appVM has different network access then template. I need some appVM’s to access clearnet and others to access tor

-Should I really be concerned about it

-How could I fix this so that there is no “yellow triangle” with that warning

So my thinking is this or break down for qubes networking…
dom0/qubes >sys-whonix>sys-firewall>internet(tor)
template >sys-whonix>sys-firewall>internet(tor)
appVM>sys-net>internet (clearnet)

So I am trying to figure this out (template/appVM) networking layouts so I don’t run into any issues, data leaks. As state in one of my post… “this qubes was my test/learning build” and of late I have noticed that I may have broke networking as I keep getting the same tor exit node no matter what I do.

Any help or instructions would be greatly appreciated

Your templates should not be attached to any network.
Templates update using a proxy, and they connect to that proxy over
qrexec. There is never a need to attach a template to a netvm.

The proxy you use is set in this file:

dom0 has no network access at all.
dom0 updates using a proxy - that is controlled by the global setting
dom0 updateVM -either from Manager - System->Global Settings, or
qubes-prefs, where entry is called updatevm.

Does this help?

Seeing the same exit node all the time would be a Whonix issue. I cant
help there.

1 Like

How’s this with the software application in those templateVMs? Would this also download new applications through that proxy, so the apps will be available on the application list(s)?

All transactions in the template should take place through the proxy:
installing, updating, etc.

Any applications installed in the templates should be available to
qubes that use those templates.
To make them available in the Menu you will have to set this under
“Applications” in the Settings for that qube.

Very occasionally you may install an application that does not
generate a menu listing. This is a fault in the application, and not in
Take a look at for
how to deal with this case.

OK so, templates no network and appVM’s have network and that’s where in messed up I gave templates network…

sys-net is clearnet access???
sys-whomix is tor, I understand this

sys-firewall, what is it’s role in network access if both sys-net and sys-whonix go down two different paths to get internet. and they both use sys-firewall

sys-net is people outside home,
sys-firewall is a front door of your home,
sys-whonix is one of door inside your home,

you can build many door / room (we can call it a qube) .

take a look at this Partitioning my digital life into security domains | The Invisible Things

she build a good world, and that’s inspire me.

I’ve watched a presentation by Micah Lee on youtube, titled “Qubes OS: The Operating System That Can Protect You Even If You Get Hacked”. I think he mentioned that he made a route to a qube where the qube went to tor then to the internet by VPN (VPN over TOR?), so he didn’t get a torified address, but an address by his VPN provider. How can someone make something like this?

Okay, back to your questions:

OK so, templates no network and appVM’s have network and that’s where in
messed up I gave templates network…

Yes (for the first part) and for the second - have you tried to check, if the templates get updates (by doing this via right click of the template and “Update qube” or even by right click on the orange star in the taskbar and running the salted update function) when those templates don’t have sys-net as netVM ? It should work via proxy, unman mentioned…
And thats it! You don’t need more for running those templates.

sys-net is clearnet access???


sys-whomix is tor, I understand this


sys-firewall, what is it’s role in network access if both sys-net and
sys-whonix go down two different paths to get internet. and they both use sys-firewall

you more should understand it that way:
sys-net is clearnet/for all VMs which connects “clear” and sys-whonix is for the path to tor/for all VMs which needs to connect “tor”
AND sys-firewall is the shield for ALL VMs (the clearnet’s and the tor’s),

so the way out should be for all tor connections:
Your Tor cube (whonix-ws/anon-whonix) → sys-whonix → sys-firewall → sys-net → internet

and for all clearnet connections:
Your clearnet cube (work/personal/untrust) → sys-firewall → sys-net → internet

But you even can run a WORK cube → sys-whonix → sys-firewall → sys-net → internet
It depends on you and what you want to do.

thank you “The gardener”, yes I understand what you are saying… I understand this but in a template or appvm qube setting I can only chose 1 option (sys-net, sys-firewall, sys-whonix). That’s were I get confused. So if I need tor I would chose sys-whonix. if I want clearnet I would chose sys-net. So then or why would I chose sys-firewall? Or would I chose sys-firewall if the template or appvm needed no network/internet.

This the last thing I am trying to understand with qubes. And the “yellow triangle” next to networking drop down in qubes settings where I chose (sys-bet, sys-whonix, sys-firewall) that I have with some of these appvms where I changed networking. And what is the importance of these “yellow triangles” with that message.

Make sure you keep “none” for templates.


Unless you know what you are doing, don’t choose sys-net. Just use sys-firewall for clearnet. sys-firewall provides additional filtering capabilities if you want to limit services and IP addresses a qube can connect to. Though if you don’t use them, then maybe this doesn’t make any difference.

See this thread: Qube Settings Caution Bang: What's this mean?

as @ 427F11FD0FAA4B080123 said.

Template Vm never ever any kind of network access. Choose “none” in the qubes manager.

AppVM only to sys-firewall or sys-whonix but be careful here. If you set up an AppVM with a cloud account like Nextcloud,Seafile whatever or Email account or you’re normal browser with bookmarks and no hardening like disabling webrtc… you’re whole tor routing setup is useless. even worse it lets you stand out like a oiltank in the ocean. ^^ (unless your accounts where setup over tor than the other way around never ever connect to these accounts over clearnet )

So to make clear.

Sys-net is like your router

sys-firewall is like a firewall behind your router

firewall settings in the AppVM Qubes Manager is like your normal desktop firewall.

If sys-net gets compromised, you have your firewall as a second layer of protection and sys-firewall helps you to make firewall rules setup easier. Block everything outgoing you don’t need.

sys-whonix gateway. is like a router behind your firewall behind your router , that routes every connection throught tor.

choose wisely

thank all of you for such a detailed explanation on qubes networking… it really helps me out.

@dispuser5132…i fully understand what you are saying. I only access email via a disposable appVM. I don’t do ANY cloud services, “I fully control my data and don’t need anyone managing it”. But I do have bookmarks in my “anon-whonix” tor browserappVM… so this is a bad thing?

I’m not an expert but that tor vpn thing sounds not really useful. At the end its all in the same network which means he connects to the vpn provider from his ISP IP. I dont know what he tries to acomplish with that but from what i understand he tries to be clever and want to hide his IP from VPN Provider. As tor and vpn connection come from the same computer in the same network it will not work. Because everything is routet through sys-net. Sounds like a cool h4ck3r tutorial…

no I don’t have any VPN yet. I have read and heard they are not all what they are cracked up to be. But I am doing my own "vsp"build in qubes . Have to chose a template and build out , to a openvpn but that’s a few weeks away yet I think that is a better plan.
But going to install faster new ssd’s reimahe and build out from their for qubes now that I am fully understanding this OS better

bookmarks in “anon-whonix” is not really a problem. But remember every change you do to the tor browser could let you stand out. Browserfingerprinting…

Email through disp Vm… hm you can do that. I would prefer a standalone VM only for emailing with firewall rules setup for ports and domain and again, never switch them between tor and clearnet. That would rise a red flag on providers site. But of course it depends on the provider…

will not really email with disposable vm. LOL none of the settings stay and configs as well as email address. I have to keep re-entering everything… LOL
But hell it was worth a shot

What openvpn vsp in qubes os ?

So you want to build an appvm as your own vpn server ?

I hope i did not understand that right

well I am still researching it and it appears ot can be done…
You have to pick a OS “template” like Ubuntu and install config files and set it up somehow to link to the services. Like I said I am still researching it be looks very good to do. everything hosted on you own system and linked together

as for “fingerprinting”,i know so I need to come up with a way around this. Maybe ise disposal anon-whonix" appvm, something like that. Don’t know yet

ok i dont know if i misunderstood your project… but if i understand you right. that is a really bad idea. You want to host your own vpn server inside your qubes os and then connect to that “vpn” with your AppVMs?

1 Like