Qubes OS default network connections?

AnarSec · April 25, 2024, 3:06pm

I’m trying to understand what default connections Qubes OS makes (comparable to this list for GrapheneOS), to know whether all default network connections are forced through a VPN with the sys-vpn configuration specified in the AnarSec guide.

From what I understand, downloading repository metadata should be forced through the VPN because “It is the qubes that perform update checks and then notify dom0
accordingly.” (https://www.mail-archive.com/qubes-users@googlegroups.com/msg27567.html)

Any insight would be very appreciated

unman · April 25, 2024, 3:28pm

Default services - clock, update, (both for templates and dom0).
You need to actively intervene to have default ClockVM behind Tor/VPN
Likewise for dom0 update checks.
Template update checks are indeed performed by qubes

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

AnarSec · April 25, 2024, 3:38pm

Thanks! Is the following configuration what would be needed to force all network connections through a VPN or Tor, or am I missing something?

Qubes Global Settings:
- Clock qube: sys-vpn
- Dom0 update qube: sys-whonix (set by installation decision to do updates over Tor)
- net qube: sys-vpn
Template update checks: only sys-vpn has its net qube set to sys-firewall as described in the guide linked above.

apparatus · April 25, 2024, 4:00pm

There is also “Default update proxy” used for TemplateVM updates that you need to set.

You need to set the “Disable checking for updates for all existing qubes” and in “Except the following qubes, for which checking for updates will be enabled” you can set the qubes that will be used to check the updates.