The default is for updates to run in sys-net.
You need to change this by changing the policy - look in `/etc/qubes/policy.d/90-default.policy`
for the `qubes.UpdatesProxy` lines, and then create a new policy in
`/etc/qubes/policy.d/30-user.policy` like this:
`qubes.UpdatesProxy * @type:TemplateVM @default allow target=QUBE`
where QUBE is the name of the qube you want to use.
If you use Whonix you will need to copy the relevant Whonix lines also.
Set the netvm for QUBE to be your wireguard qube.