Set a sys-vpn as the update proxy

Hello Qubes Community !

I am trying to set up a ‘sys-vpn’ qube which works correctly as the update proxy instead of ‘sys-net’ to hide my IP when I update my Templates. I have activated the ‘qubes-updates-proxy’ service in sys-vpn, but it doesn’t seems to work.

When I tap the command

qubes-prefs updatevm

I have sys-vpn.
When I tap the commands

qvm-service -l sys-net
qvm-service -l sys-vpn

only sys-vpn has ‘qubes-update-proxy’ service on.

But when I close sys-vpn, I am still able to update my Templates. And if i close all my VM and I try to update a Template, it will only starts sys-net.

What I am missing ?

I am using wireguard as VPN, maybe it could help, but i don’t think so. I am on Qubes 4.1.

qvm-prefs is taking a qube name as an argument, do you mean you have a qube named update-vm? I can’t find a qvm-prefs attribute named update-vm either.

I didn’t try, but it seems the update proxy is defined in /etc/qubes/policy.d/90-default.policy in dom0, it defaults to sys-whonix for qubes tagged whonix, otherwise it’s sys-net.

The README file in this directory says that any change should be made in a custom file, like /etc/qubes/policy.d/30-user.policy to override the settings.

Something like this to use sys-vpn-wg:

qubes.UpdatesProxy      *   @type:TemplateVM        @default    allow target=sys-vpn-wg

And in sys-vpn-wg qube settings, in Services tab: enable the services qubes-updates-proxy, restart the qube, done!

I just made a guide as the knowledge is still fresh in my mind :smiley: : Use a custom qube proxy update