Let me see if I can try to help clarify.
If I understand correctly, you are asking about setting the NetVM of a template to sys-whonix. That is not what @unman was saying, and you should not do that. Templates should remain on default (n/a) as their NetVMs (which I understand to be the same as none).
Rather, when @unman says:
He’s referring to setting the UpdatesProxy to route template updates over sys-whonix rather than sys-net. In other words, in /etc/qubes-rpc/policy/qubes.UpdatesProxy in dom0, this line (or the functional equivalent, if your version uses different syntax) would be at the top (or at least not below any template sys-net line):
# Upgrade all TemplateVMs through sys-whonix.
@type:TemplateVM @default allow,target=sys-whonix
Notice that the second line is uncommented. Again, this line should be above any sys-net rule in qubes.UpdatesProxy if you wish to route template updates over Tor (using sys-whonix).
With this setup, you will be routing all template updates over Tor. However, if you have not changed any other defaults, you will probably still be using the normal clearnet repos over Tor, which is fine.
This is the further change that results in both routing template updates over Tor and using the onion repos.
To summarize, there are three possibilities:
- Route template updates over clearnet and use clearnet repos.
- Route template updates over Tor and use clearnet repos.
- Route template updates over Tor and use onion repos.
(Note 1: It’s not possible to route template updates over clearnet and use the onion repos, because the onion repos can be accessed only within the Tor network.)
(Note 2: I’m speaking only about template updates here – and not any other types of updates – to avoid muddying the waters.)
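
The rule-ordering point in the post above can be checked mechanically. The following is an added example, not part of the original post and not Qubes project code: a hypothetical helper, `updates_proxy_target`, that reports the target of the first uncommented rule that would apply to a template. It assumes the policy syntax shown in the post and, as a simplification, ignores rules that name an individual template.

```shell
#!/bin/sh
# Added example: which proxy does the first matching qubes.UpdatesProxy rule
# select for templates? Assumption: only rules with source @type:TemplateVM
# or @anyvm and destination @default or @anyvm are considered.

updates_proxy_target() {
    # $1: path to a policy file in the syntax shown in the post
    awk '
        /^[ \t]*(#|$)/ { next }      # commented-out and blank lines do not count
        ($1 == "@type:TemplateVM" || $1 == "@anyvm") &&
        ($2 == "@default" || $2 == "@anyvm") {
            found = 1
            n = split($3, opts, ",")
            if (opts[1] != "allow") { print opts[1]; exit }   # e.g. deny
            for (i = 2; i <= n; i++)
                if (opts[i] ~ /^target=/) { print substr(opts[i], 8); exit }
            print "allow-without-target"
            exit
        }
        END { if (!found) print "no-match" }
    ' "$1"
}

# Constructed sample policies (not copied from a real dom0).
demo_dir=$(mktemp -d)
printf '%s\n' '# Upgrade all TemplateVMs through sys-whonix.' \
    '@type:TemplateVM @default allow,target=sys-whonix' \
    '@type:TemplateVM @default allow,target=sys-net' \
    '@anyvm @anyvm deny' > "$demo_dir/tor-first"
printf '%s\n' '#@type:TemplateVM @default allow,target=sys-whonix' \
    '@type:TemplateVM @default allow,target=sys-net' \
    '@anyvm @anyvm deny' > "$demo_dir/still-commented"

for f in tor-first still-commented; do
    echo "$f: $(updates_proxy_target "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

In dom0, the function would be pointed at /etc/qubes-rpc/policy/qubes.UpdatesProxy; a result of sys-net means a sys-net rule is still taking precedence.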