[qubes-users] Updating via a wireguard connection

I would like to configure Qubes to do its updates via a connection to a wireguard service I have set up.

I understand how to set up a wireguard-enabled template and a qube based on that template following this:


which works great, but I would like to force package updates to also use a wireguard connection. I’m not quite sure what to alter to do this. Any help would be much appreciated.


The default is for updates to run in sys-net.
You need to change this by changing the policy - look in `/etc/qubes/policy.d/90-default.policy`
for the `qubes.UpdatesProxy` lines, and then create a new policy in
`/etc/qubes/policy.d/30-user.policy` like this:
`qubes.UpdatesProxy * @type:TemplateVM @default allow target=QUBE`
where QUBE is the name of the qube you want to use.

If you use Whonix you will need to copy the relevant Whonix lines also.

Set the netvm for QUBE to be your wireguard qube.
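
An added example, not part of the thread and not Qubes code: a simplified first-match lookup over a policy directory, showing why the line placed in `30-user.policy` wins over the one in `90-default.policy` and what that does to a Whonix-tagged template. The sample files are constructed, `sys-wg-updates` is a hypothetical name for QUBE, and the model assumes lexical file order with first match winning, ignoring `!include` and per-qube names.

```shell
#!/bin/sh
# Added example. Simplified model of qrexec policy lookup for qubes.UpdatesProxy:
# *.policy files are read in lexical order and the first matching rule wins.
# Not modelled: !include directives, per-qube names, destinations other than @default.

# updates_proxy_rule POLICY_DIR "TOKENS"  ->  prints "file action target"
# TOKENS = source tokens the calling template matches, e.g. "@type:TemplateVM @anyvm"
updates_proxy_rule() {
    for f in "$1"/*.policy; do            # glob expands in sorted order
        [ -f "$f" ] || continue
        awk -v toks="$2" -v file="${f##*/}" '
            BEGIN { n = split(toks, t, " "); for (i = 1; i <= n; i++) src[t[i]] = 1 }
            /^[ \t]*#/ || NF < 5 { next }          # comments, blank or short lines
            $1 != "qubes.UpdatesProxy" || !($3 in src) || $4 != "@default" { next }
            {
                target = "-"
                for (i = 6; i <= NF; i++) if ($i ~ /^target=/) target = substr($i, 8)
                print file, $5, target; found = 1; exit
            }
            END { exit !found }
        ' "$f" && return 0
    done
    echo "none deny -"; return 1
}

# Constructed sample policy directory (not copied from a real system).
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# constructed stand-in for the default policy file' \
        'qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix' \
        'qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-net' \
        > "$d/90-default.policy"
    printf '%s\n' \
        'qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-wg-updates' \
        > "$d/30-user.policy"
    echo "$d"
}

d=$(make_sample)
updates_proxy_rule "$d" "@type:TemplateVM @anyvm"                        # ordinary template
updates_proxy_rule "$d" "@tag:whonix-updatevm @type:TemplateVM @anyvm"   # Whonix-tagged template
rm -rf "$d"
```

In this model both calls resolve to the `30-user.policy` rule, so a Whonix-tagged template is also sent to the WireGuard-backed qube unless its own lines are placed ahead of the generic one in the user file.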