Update all Templates over Tor

How can I update all templates and dom0 over Tor?

For dom0:
In global settings, change UpdateVM from sys-firewall to sys-whonix.

For templates:
The updates proxy uses RPC/qrexec. The proxy is configured in qrexec policy in dom0: /etc/qubes-rpc/policy/qubes.UpdatesProxy. By default this is set to sys-net and/or sys-whonix, depending on firstboot choices. This new design allows for templates to be updated even when they are not connected to any NetVM.

Example policy file in R4.0 (with Whonix installed, but not set as default UpdateVM for all templates):

# any VM with tag `whonix-updatevm` should use `sys-whonix`; this tag is added to `whonix-gw` and `whonix-ws` during installation and is preserved during template clone
@tag:whonix-updatevm @default allow,target=sys-whonix
@tag:whonix-updatevm @anyvm deny

# other templates use sys-net
@type:template @default allow,target=sys-net
@anyvm @anyvm deny

Simply changing sys-net above to sys-whonix would update templates over Tor.

Just a hint regarding update checks:

On my system, by default, every VM has the service ‘qubes-update-check’ enabled in settings. I don’t know, but I would guess this may be the reason.

I think this could be a problem if you rename sys-net like I did. I have sys-01-net-wired and sys-01-net-wireless. I’m now hesitant to rename anything else.


I have all templates set up to update over Tor, but when you do a terminal update, it doesn’t show Hit:1 tor+https://… It’s the usual Hit:1 https://. Also the speed doesn’t seem as slow as a Tor update.

It’s not renaming a qube, it’s telling the Qubes updates proxy to use sys-whonix instead of sys-net.

There really is a difference. Using Tor doesn’t mean you can’t access clearnet; it means you are still updating over the Tor network with an https repository, whereas tor+http would access an onion repository. Using tor+http is preferable, as it indicates the Tor network is running.

But in Qubes OS, even if your Tor network is not running, i.e. when using sys-whonix, there’ll be a notification.
Even when your sys-whonix is running but Tor isn’t, your packets wouldn’t be transmitted.

But if I rename sys-net, it seems like the instructions from the UpdatesProxy file won’t find it. I found if I rename sys-whonix, it cuts off all network connection.

Good to know. Thanks.

I understand what you are trying to say, but I think it should be a different topic. But yes, renaming a qube will lead to some problems.

Actually it only breaks the qrexec policy, and cutting off the network connection is not right, because a template VM does not have network at all. If you give network to a template VM, even if you break the qrexec policy, you can update your VM / browse.

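The renaming problem discussed above can be checked mechanically: every `target=` in the policy has to name a qube that still exists. The following is an added example, not part of the thread or of Qubes itself; the function names `write_sample_policy` and `check_policy_targets` are hypothetical, the policy text is the R4.0 example quoted earlier, and the qube list is constructed.

```shell
# Added example: sanity check for an R4.0-style qubes.UpdatesProxy policy.
# Columns are: source  destination  action[,option...]

# Sample policy from the thread, written to the path given as $1.
write_sample_policy() {
    cat > "$1" <<'EOF'
# templates tagged whonix-updatevm use sys-whonix
@tag:whonix-updatevm @default allow,target=sys-whonix
@tag:whonix-updatevm @anyvm deny

# other templates use sys-net
@type:template @default allow,target=sys-net
@anyvm @anyvm deny
EOF
}

# Usage: check_policy_targets POLICY_FILE QUBE_NAME...
# Prints one line per allow rule with a target= option and returns 1
# if any target is not among the qube names given.
check_policy_targets() {
    policy=$1; shift
    awk -v qubes=" $* " '
        NF < 3 || $1 ~ /^#/ { next }        # blank, short or comment line
        $3 ~ /^allow/ {
            n = split($3, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] !~ /^target=/) continue
                target = substr(opts[i], 8)  # text after "target="
                if (index(qubes, " " target " "))
                    print "ok      " $1 " -> " target
                else { print "missing " $1 " -> " target; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$policy"
}

# Constructed qube list in which sys-net was renamed to sys-01-net-wired.
demo_policy=$(mktemp)
write_sample_policy "$demo_policy"
check_policy_targets "$demo_policy" sys-01-net-wired sys-firewall sys-whonix ||
    echo "at least one rule targets a qube that does not exist"
rm -f "$demo_policy"
# In dom0 (assumption: qvm-ls --raw-list prints one qube name per line):
#   check_policy_targets /etc/qubes-rpc/policy/qubes.UpdatesProxy $(qvm-ls --raw-list)
```

A `missing` line for the `@type:template` rule means template updates are being sent to a proxy qube that is no longer there, so they will fail rather than go out over sys-whonix.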

How do I get to the qrexec policy in dom0? I don’t know how, because dom0 doesn’t have a file manager…

Dom0 has a terminal, in which you can do anything. For example with

nano path/to/file

you can edit any file.

It has one, just type nautilus / thunar in the terminal.

sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy


And how can I edit it?

sudo = allows you to run with security privileges, for important things.
nano = is a text editor.
/etc/qubes-rpc/policy/qubes.UpdatesProxy = is the path where you need to change which service / network VM is used to update the template VM.

It’s better for you to learn Linux first before configuring privacy / security.


The file is completely empty…

Do I have to set something in global settings so that it works?

Okay, back to the start.
Are you using 4.1 / 4.0.4?

It will only work for dom0. For a template VM it needs to be configured first: fresh install of Qubes / edit the policy.

Where can I see which version I have?

In Qube Manager, you can click About / Qubes OS.