Difficulties setting up apt-cacher-ng

Trying to set up apt-cacher-ng, followed the instructions at both https://github.com/unman/notes/blob/master/apt-cacher-ng and https://github.com/behemothwerecat/deb-min/blob/main/instructions.md.
However, attempting to use apt in any template fails:
sudo apt update
Err:1 http://HTTPS///deb.debian.org/debian bullseye InRelease
  Connection failed [IP: 127.0.0.1 8082]
...
W: Failed to fetch http://HTTPS///deb.debian.org/debian/dists/bullseye/InRelease Connection failed [IP: 127.0.0.1 8082]
I’m using R4.1, I can’t think of any reason that would be a problem. Does anyone have any advice for this?

Let’s start with the basics…

  • is apt-cacher-ng running? (sudo systemctl status apt-cacher-ng)
  • is the correct qube set in your qubes.UpdatesProxy?

Yup, it’s running. (in the appvm named “cache-test”)
My testing 30-user.policy file in /etc/qubes/policy.d/ reads:

# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy  *   @tag:whonix-updatevm    @default    allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
qubes.UpdatesProxy  *   @tag:whonix-updatevm    @anyvm      deny
# Default rule for all TemplateVMs
qubes.UpdatesProxy	*   @type:TemplateVM        @default    allow target=cache-test
qubes.UpdatesProxy	*   @anyvm                  @anyvm      deny

Forgive me for asking, but just to make sure: cache-test is connected to a netvm?

Have you added the iptables rule in cache-test to allow port 8082?

Have you edited the port number in acng.conf to be 8082?

Yes, connected to sys-net.
Current iptables:

user@cache-test:~$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N QBS-FORWARD
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vif+ -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP

Yes, port is set.

What happens if you do telnet 127.0.0.1 8082 in the template? Do you get Connected to 127.0.0.1?

Yes, and then immediately after, the templates started being able to connect. Confusing…