Cannot Update Template Through VPN Proxy

Hello,

I am new to Qubes and am trying to get my system set up so that I can start using it. I am having trouble updating my Debian 10 template through the Qubes Manager. I am using a VPN service; my setup is sys-net->sys-firewall->vpn->vpn-firewall. My qubes.UpdatesProxy file looks precisely like this for template VMs, spaces and all:

#Default rule for all TemplateVMs- direct the connection to sys-net
$type:TemplateVM $default allow,target=vpn-firewall

I deleted all my Whonix VMs and templates and commented out the rules for these. I do not trust the Tor network for security.

I searched through a lot of previous posts on this matter and tried to enable tinyproxy and qubes-updates-proxy in the services tab of vpn-firewall. I also tried this on the vpn qube itself, thinking maybe vpn-firewall was blocking it, with no luck. Internet works fine through vpn-firewall.

I am using all Debian machines. I screwed up and connected my Fedora 32 template to the internet by accident, and saw the symbol in the Qubes Manager that changes were made to the template. I had no idea what was changed since I did nothing, so I treated it as compromised and switched everything to Debian. I proceeded to screw up again, forgetting that a proxy is used for updates, and connected my Debian template to the internet, and saw this "changes made" symbol again even though I did not update. Once I fix this I will delete and reinstall my templates, since having had out-of-date templates connected to the internet makes me feel uneasy.

Thank you!

More detail on the error message: I get a "Reading from proxy failed: 115 : Operation now in progress" and a "cannot connect to tinyproxy".

When you start a template you'll already have changed files like logs etc., so the "changes made" symbol should be treated as meaning that you started and stopped the template of a running qube, and you need to restart this qube if you made some changes in the template and want to have them in your running qube.


That would make sense, I will probably install newer version templates anyway. Great, I got that part figured out. I still need my updates proxy working to do this.

What error do you get if you run this command in your template? You can try to fetch any other link.
curl --proxy http://127.0.0.1:8082 https://zx2c4.com/ip
Did you change any settings in /etc/tinyproxy/ configs?
Is tinyproxy running in your vpn-firewall?
ps aux | grep tinyproxy

I ran it in vpn-firewall, got error: command curl not found.

Tried to install curl with apt in vpn-firewall. Got a bunch of errors like this:
Err1:Index of /debian buster/main amd64 libcurl4 amd64 7.64 0-4+deb10u1
404 Not Found [IP: 127.0.0.1 8082]

I did not change anything in /etc/tinyproxy/. Only changed qubes.UpdatesProxy.

Running the grep command showed many instances of tinyproxy.

Check with wget then in vpn-firewall:
wget -qO- -e use_proxy=yes -e http_proxy=127.0.0.1:8082 https://zx2c4.com/ip
And also without proxy:
wget -qO- https://zx2c4.com/ip

wget appeared to work both with and without the proxy.

Now open your TemplateVM and check if wget works there:
wget -qO- -e use_proxy=yes -e http_proxy=127.0.0.1:8082 https://zx2c4.com/ip

Nothing happens in the template VM

Try it like this:

wget -qO- -e use_proxy=yes -e http_proxy=127.0.0.1:8082 -e https_proxy=127.0.0.1:8082 https://zx2c4.com/ip

Still nothing.

Then run this command without the quiet flag and paste the output here:

wget -O- -e use_proxy=yes -e http_proxy=127.0.0.1:8082 -e https_proxy=127.0.0.1:8082 https://zx2c4.com/ip

Connecting to 127.0.0.1… connected
Proxy Tunneling failed: Unable to connect Unable to establish SSL connection

What wget version do you have?
wget --version

UPD:
There was a problem with older versions of wget that didn’t support TLS1.2+:

But it’s not the case here as zx2c4.com does have TLS1 support so it should work and the problem is somewhere else.

I’ve tried it myself and it also didn’t work for me with sys-firewall based on the Debian template. I’ll install a Fedora template and will try with it.


Ok, I’ve found the culprit.
Add the qubes-updates-proxy service in the Qubes Settings for your vpn-firewall.
It should be enabled for all VMs as stated here:

qubes-updates-proxy (and its deprecated name: qubes-yum-proxy) - a service providing a proxy for templates - by default enabled in NetVMs (especially: sys-net)

But it’s actually not for some case.

UPD:
But since you said that you enabled qubes-updates-proxy service for your vpn-firewall then there should be another issue for you.

What does your 90-default.policy look like?

As for wget I was using it with the official debian repository address. Maybe they don’t support TLS1, I read you should only use the proxy to contact official repositories, I don’t know what that website is.

I have qubes-updates-proxy enabled, tinyproxy enabled and updates-proxy-setup enabled in vpn-firewall.

For 90-default.policy I cannot find this file. I checked here:
/etc/qubes/policy.d/90-default.policy
There is no policy.d file, only guid.conf and qmemman.conf when using ls -a

Debian / Fedora don’t support TLS1. You can check it with:
openssl s_client -connect deb.debian.org:443 -tls1

If you want to use only repos for a test then you can try with http:
wget -O- -e use_proxy=yes -e http_proxy=127.0.0.1:8082 -e https_proxy=127.0.0.1:8082 http://deb.debian.org

That’s just a WireGuard developer website and it’s handy for me to test my IP address from the terminal. You can use any other site.

This is a config file for Qubes 4.1, so since you’re on Qubes 4.0 there are no policy files for you there.
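Since the thread turns on which qube the qubes.UpdatesProxy rule actually sends a template's update traffic to (and therefore which qube needs the qubes-updates-proxy service and a running tinyproxy), here is a small added helper for reading that file. It is not code from the thread or from Qubes OS. It assumes the Qubes 4.0 policy format quoted in the first post (dom0 file /etc/qubes-rpc/policy/qubes.UpdatesProxy, one rule per line as "<source> <destination> <action>[,target=<qube>]", "#" comments, first matching rule wins) and uses a constructed sample policy; the "pinned-template" rule and the final "$anyvm $anyvm deny" line are additions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the forum thread or Qubes OS): resolve which qube a
# Qubes 4.0 qubes.UpdatesProxy policy routes a given template's updates to.
# That is the qube where the thread's checks (qubes-updates-proxy service
# enabled, "ps aux | grep tinyproxy", wget through 127.0.0.1:8082) belong.

# Constructed sample policy: the rule from the first post plus two extra rules
# (pinned-template and the trailing deny) that are assumptions for this demo.
SAMPLE_POLICY='#Default rule for all TemplateVMs- direct the connection to sys-net
pinned-template $default allow,target=sys-net
$type:TemplateVM $default allow,target=vpn-firewall
$anyvm $anyvm deny'

# updates_proxy_target NAME   (policy text on stdin)
# Prints the qube that serves NAME, "ask" if dom0 would prompt, or "deny" if
# the first matching rule denies or no rule matches at all.
updates_proxy_target() {
    awk -v tpl="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            src = $1; dst = $2; act = $3
            # Assumption: NAME is a template, so a $type:TemplateVM source applies.
            if (src != tpl && src != "$type:TemplateVM" && src != "$anyvm") next
            matched = 1
            if (act ~ /^deny/)  { print "deny"; exit }
            if (act ~ /^ask/)   { print "ask";  exit }
            if (act ~ /^allow/) {
                # "target=" is 7 characters; strip it from the matched option
                if (match(act, /target=[^,]+/)) {
                    print substr(act, RSTART + 7, RLENGTH - 7)
                } else {
                    print dst   # no target override: the requested destination is used
                }
                exit
            }
        }
        END { if (!matched) print "deny" }   # no rule matched: Qubes denies by default
    '
}

# Usage with the constructed sample policy:
printf '%s\n' "$SAMPLE_POLICY" | updates_proxy_target debian-10        # prints: vpn-firewall
printf '%s\n' "$SAMPLE_POLICY" | updates_proxy_target pinned-template  # prints: sys-net
```

On a real 4.0 system the policy would be piped in from dom0 with `updates_proxy_target debian-10 < /etc/qubes-rpc/policy/qubes.UpdatesProxy`; the qube it prints is the one whose Services tab must list qubes-updates-proxy, otherwise apt in the template gets the "cannot connect to tinyproxy" error seen in the first post even though the policy line itself is correct.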