Protecting Updatable Windows (11) template with a proxy

To set Windows 11 up properly you need some internet connection, and to update it you need a bit more.

Can anyone point me to the best way of setting up such a template? What I’ve tried so far is creating a VM running tinyproxy, and telling my Windows Template VM that it should use the proxy 10.0.137.21:8888. I didn’t get very far with that as I couldn’t seem to connect from windows (I’ve got it working from a Debian test qube). I’ll go back to troubleshooting it if this is an option but I wanted to check with those who know stuff before doing that.

The other possibility I entertained was making a new NetVM, (using Sys-FireWall as its NetVM) and providing network to just the Win 11 template. Presumably I could then configure this additional intervening VM as a transparent proxy using something like Redsocks?

Any pointers gratefully received, thanks.

Can you be more clear about exactly what it is that you want?
What do you think the use of tinyproxy will achieve?

Have you correctly allocated the network settings from Qube Manager in
your Windows template, using a netmask of 255.0.0.0 ?

You could do this. Again, what is your aim?
When you set up a qube to provide networking, you do not need to take
extra steps to have it run as a transparent proxy.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

Sorry, very unclear post.

I want my Windows 11 template to be connected to the net but only to the WSUS whitelist domains, a list of about 10 domains including:

windowsupdate.microsoft.com;
*.windowsupdate.microsoft.com;
*.delivery.mp.microsoft.com

– basically just the minimum to be able to log into my microsoft account and run windows updates. I just want my template to be up-to-date so that AppVMs spawned off it are ready to go.

When I create an AppVM off this template, I’d like it to have fewer network restrictions.

Thanks - that is very clear.

This is a useful guide to what might be considered for a windows 11 system.

I do not think you need to use tinyproxy or redsocks. Neither seems to
fit with your requirement.
You could try setting qubes firewall rules for the Windows template -
one issue is that many of those domains represent multiple IP addresses,
so that administration will be difficult (but not impossible).
Perhaps better would be to use the firewall on the netvm of the
Windows template, and configure that directly to restrict access - i.e., your
redsocks idea but not using redsocks.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.
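As an added illustration of the "qubes firewall rules for the Windows template" route suggested above (this is my own example, not code from either poster or from the Qubes project), the script below generates the dom0 `qvm-firewall` commands for the allow-list in the question. Assumptions: the template qube is named `win11-template`; the rule options spelled `dsthost=`, `proto=`, `dstports=`, `specialtarget=dns` and `del --rule-no N` match the `qvm-firewall --help` of the installed Qubes release; update traffic is allowed on TCP 80 and 443 only. Wildcards such as `*.windowsupdate.microsoft.com` cannot be expressed, because `dsthost=` takes one hostname or CIDR that the NetVM resolves when the rules are applied, which is exactly the "many IP addresses" administration problem mentioned in the reply.

```shell
#!/bin/sh
# Added example: build a qvm-firewall allow-list for a Windows template qube.
# Run in dom0. Nothing here is Qubes project code; rule syntax is assumed to
# match `qvm-firewall --help` on the installed release.

# Assumed qube name (override with QUBE=... in the environment).
QUBE="${QUBE:-win11-template}"

# strip_wildcard: qvm-firewall has no wildcard matching, so "*.example.com"
# is reduced to the bare domain; concrete hostnames seen in the update
# traffic would have to be listed individually.
strip_wildcard() {
    printf '%s\n' "$1" | sed 's/^\*\.//'
}

# gen_rules prints the dom0 commands, one per line, for qube "$1" and the
# domains that follow. Order matters: after `reset` rule 0 is the default
# accept-everything rule, so allow rules are appended, a final drop is added,
# and rule 0 is deleted last so only the allow-list remains.
gen_rules() {
    qube="$1"
    shift
    printf 'qvm-firewall %s reset\n' "$qube"
    # DNS must stay open or the NetVM cannot resolve the dsthost= names.
    printf 'qvm-firewall %s add accept specialtarget=dns\n' "$qube"
    for raw in "$@"; do
        host=$(strip_wildcard "$raw")
        for port in 80 443; do
            printf 'qvm-firewall %s add accept dsthost=%s proto=tcp dstports=%s\n' \
                "$qube" "$host" "$port"
        done
    done
    printf 'qvm-firewall %s add drop\n' "$qube"
    printf 'qvm-firewall %s del --rule-no 0\n' "$qube"
}

# apply_rules executes the generated commands when qvm-firewall is present
# (i.e. in dom0) and shows the resulting table; elsewhere it only prints them.
apply_rules() {
    if command -v qvm-firewall >/dev/null 2>&1; then
        gen_rules "$@" | sh -e
        qvm-firewall "$1" list
    else
        gen_rules "$@"
    fi
}

# Domains from the question; the "*." entries collapse to their base domain.
# Uncomment to apply: apply_rules "$QUBE" windowsupdate.microsoft.com \
#     '*.windowsupdate.microsoft.com' '*.delivery.mp.microsoft.com'
```

After applying, `qvm-firewall win11-template list` should show the DNS rule, one pair of accept rules per domain, and a trailing drop. Because the NetVM resolves each `dsthost=` name once at rule-application time, a domain whose records rotate can fall outside the allowed set until the rules are reapplied; that is the trade-off the reply describes, and it is the reason a firewall placed in a dedicated NetVM for the template may be easier to keep current.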