Make sure to include -r when removing /etc/tinyproxy, as /etc/tinyproxy in the template root file system is a directory.
Otherwise the symlink command will create /etc/tinyproxy/tinyproxy and the tinyproxy daemon will not be looking at /rw/config/tinyproxy/tinyproxy.conf, but the default one, which doesn’t have any filtering.
rm -rf /etc/tinyproxy
@Rooftop, nice guide. Here are some further suggestions/tips:
You can add a service named “tinyproxy” to the Services tab of my-proxy so that /var/run/qubes-service/[input] is created automatically at qube boot.
You can further limit the ports my-qube will have access to on my-proxy over RPC by placing the dom0 RPC rule in the file /etc/qubes-rpc/qubes.ConnectTCP+8888.
Usage of bind-dirs will allow more seamless configuration for tinyproxy to avoid the rm -rf /etc/tinyproxy in rc.local. Configure /etc/tinyproxy as a bind dir, reboot, make all tinyproxy config / filtering changes in /etc/tinyproxy, and further reboots will keep the config.
@icequbes1, thanks for the tips. I’ve updated the instructions for missing -r in the rm in /rw/config/rc.local. This is almost certainly what is causing @oijawyuh’s problems!
I noticed that, but was a bit surprised that it didn’t actually start the service?
Did not know about this. I’ll add this when I update the first post.
You are right - this is probably a better way to do it. I’ll add this when when I update the first post.
@oijawyuh, as pointed out by @icequbes1, there is a mistake in my instructions (which is effectively causing tinyproxy to ignore your configuration files and just use it’s default settings).
Note the first line has changed!
Once you make that change to your proxy VM and reboot it, you should see something like the following in the tinyproxy log file:
CONNECT Jan 31 20:51:09 [636]: Request (file descriptor 7): CONNECT location.services.mozilla.com:443 HTTP/1.1
NOTICE Jan 31 20:51:09 [636]: Proxying refused on filtered domain "location.services.mozilla.com"
CONNECT Jan 31 20:51:09 [628]: Request (file descriptor 7): GET http://detectportal.firefox.com/success.txt?ipv4 HTTP/1.1
INFO Jan 31 20:51:09 [636]: no entity
NOTICE Jan 31 20:51:09 [628]: Proxying refused on filtered domain "detectportal.firefox.com"
I’m really sorry that such a stupid typo caused you so much trouble
Correct. Unfortunately it’s not as intuitive as it could be, but the “Services” job is to only signal if certain files should be created when the qube boots - it doesn’t actually start a service. Services such as tinyproxy are then configured to only start if the respective qubes-service file exists.
The other things I pointed out were mentioned only if you or others wanted to take further advantage of Qubes’ capabilities; what you have works and is a great solution.
I glanced over your post hoping to find something less cumbersome than using the qubes firewall GUI or qvm-firewall to individually whitelist websites and the resources they depend on, so this was kind of disappointing.
I’m not technical, so maybe I’m missing something–can someone explain to me what the difference between using tinyproxy and qubes firewall is in this context?
The main difference is that with tinyproxy you whitelist sites by hostname/domain name, whereas qubes firewall whitelists by IP address (you can enter a hostname, but it is converted to an IP address when the configuration is saved). This means that if the hostname can resolve to multiple IP addresses (which is the case for websites behind CDN’s or load balancers) then tinyproxy will work, whereas the qubes firewall may work, but may also fail intermittently.
Depending on the type of site you are whitelisting, it may not be that hard to work out the list of required domains. The tinyproxy log file will list every site which it blocks access to, so you can work out which ones need to be whitelisted.
Also, the tinyproxy whitelisting uses regular expressions, so you can easily whitelist entire domains.
Thank you @Rooftop and others for this very useful post. I’m currently testing the my-proxy VM and it’s mostly working. 10% of the times, it fails and I reboot both my-proxy and my-qube. Then it works.
How does one places the dom0 RPC rule in the file /etc/qubes-rpc/qubes.ConnectTCP+8888 ? I am not an IT guy. I’ve edited Dom0 files before, but I never encountered the ConnectTCP+8888 before. If dom0 RPC rule is edited, does this mean my-qube Firefox proxy edit is no longer requires?
Would you consider submitting the instruction for my-proxy AppVM be added to Qubes Documentation?
It’s just a change of the filename used in this step:
So you would create the file /etc/qubes-rpc/policy/qubes.ConnectTCP+8888 instead of editing etc/qubes-rpc/policy/qubes.ConnectTCP. I believe that all this change does is make the configuration a bit more secure by preventing my-qube from connecting to any ports on my-proxy other than 8888. You will still need the Firefox proxy edit.
It don’t see why it wouldn’t work - but I don’t have much experience with VPN’s (in general or in Qubes OS). Let me know if you get it working!
Thank you @Rooftop for your answers. I have one more question. Would you know how to setup Thunderbird in my-qube running, for example, Gmail IMAP (Ports 993 and 465, I believe)
You need to enable networking in my-qube (ie. set Networking to sys-firewall in Qube Settings) and then select Limit outgoing internet connections and add firewall rules to allow access the required addresses/hostnames for ports 993 and 465 (or whatever ports are required).
For a service like GMail that uses multiple IP addresses, you may need to set the address to * (if allowing connections on ports 993 and 465 to any host is acceptable to you).
Web browsing will still be forced to go via the proxy as you haven’t allowed ports 80/443 through the firewall.
Thank you for the reply. I tried the following and failed to get Thunderbird with a Gmail account to work. It failed to connect to the Internet. Would you know what I did wrong?
It just occurred to me that for Gmail, Thunderbird might need you to login in to your Google account via the web - try changing the connection settings in Thunderbird (under Preferences, scroll down to Network & Disk Space) to use localhost port 8888 as the HTTP/HTTPS proxy.
Thunderbird acts as if there’s no internet. That’s it. It cannot reach gmail.
I had tried that before asking you about Thunderbird. While the calendar provider did work via port 8888 and my-proxy (calendar is not google), the IMAP email failed to sync. It behave as if it was not connected to the internet.
).
can I simply do: