I'm having a hard time trying to figure this out. When I installed Qubes OS I think I chose Whonix as the default to update VMs, but eventually I ended up changing it after a couple of days and set the UpdateVM to "sys-firewall".
Now, everything seems to be fine, except for when I try to upgrade the Debian 8 template to Debian 9. No matter what I try, I keep getting this sort of error after running apt-get update && apt-get upgrade:
***************
E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
***************
If you notice, it says it can't connect to that IP, which after debugging I've found out corresponds to the Whonix Gateway VM! So for some reason, when I clone the current Debian 8 template and try to update it, it tries to do it through Whonix, and not through the sys-firewall VM as I have it configured.
I've found something similar being described here: https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258 . But in that case it is a Whonix VM suffering the issue, which makes more sense...
So, in short, any ideas or tips on how to properly (re)configure a VM so the updates go through the sys-firewall VM and not through Whonix?!
Cheers
Hi Chris,
Thanks for your response!
I do have a VPN set up, but I have that configured as per the docs (ProxyVM as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I didn't (purposely) modify anything in sys-firewall or sys-net.
I have tried to enable full internet access, but it didn't work either. The strange thing is that when I do that, I can ping let's say 8.8.8.8, or resolve any domain, i.e. Debian repos...
Cheers,
Hi guys,
Thanks for the tips, I will give it a go either tonight or over the weekend and see if I can figure it out.
I think the reason I may not have the qubes-updates-proxy service on sys-firewall is because when I first installed Qubes I chose the option of updating through Whonix, not enabling this service at all in the sys-firewall VM.
Off the top of my head, I remember going to the services tab in the sys-fw VM and not seeing such a service, then adding it, trying to start it through the console and the VM complaining that such a service didn't exist at all.
I finally had some time for testing, and still not working, although I got some more info.
So I checked and the 01qubes-proxy is in there in the template I'm trying to create for Kali. After that, I checked the sys-firewall VM and yeah, update proxy didn't seem to be enabled, so I tried to follow what the docs you pointed me to say:
(2) Firewall tab -> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)
I rebooted and... it didn't work, the service (qubes-yum-proxy) had disappeared from the services tab! One thing that may help clarify this is that every time I switch to the "Firewall" tab in sys-firewall, I keep getting the same error: "The sys-firewall AppVM is not network connected to a FirewallVM! You may edit the VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM"... I also verified on a terminal that there are no NAT rules associated with the update proxy!!
So that error states something that is true, as the sys-firewall VM is network connected to sys-net, as it was after the initial installation, I haven't changed that! I'm guessing it is not the right configuration, but not sure how to set it up now... any ideas?
Thanks!
I have also tried using sys-net as the update proxy, but I still get the same error... I've checked and in sys-net there are NAT rules for "you should see a redirect to local port 8028 for all traffic addressed to 10.137.255.254.", so no clue of what the issue may be now!
Cheers
I just tried, and same error.. this is driving me nuts!
This is the latest conf:
Kali2-Template NetVM: sys-firewall
UpdateVM: sys-net
Kali2-Template has "allow connections to Updates Proxy" ticked, and the "01qubes-proxy" file present.
sys-net has the qubes-update-proxy up and running, updating other templates works!
Still not working, but I have some more info based on your suggestions.
Current config:
System Update VM: sys-net
Kali2-Template NetVM: sys-firewall
Kali2-Template FW Rules: Allow connections to Update Proxy
Sys-firewall FW Rules: Allow connections to Update Proxy
Kali2-Template IP: 10.137.2.22
Sys-firewall IPtables:
-----------------------------
[user@sys-firewall ~]$ sudo iptables -L -nv
[...]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[...]
0 0 ACCEPT tcp -- * * 10.137.2.22 10.137.255.254 tcp dpt:8082
0 0 REJECT all -- * * 10.137.2.22 0.0.0.0/0 reject-with icmp-host-prohibited
[user@sys-firewall ~]$ sudo iptables -L -nv -t nat
[...]
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
26 1835 DNAT udp -- * * 0.0.0.0/0 10.137.2.1 udp dpt:53 to:10.137.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.137.2.1 tcp dpt:53 to:10.137.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.137.2.254 udp dpt:53 to:10.137.1.254
0 0 DNAT tcp -- * * 0.0.0.0/0 10.137.2.254 tcp dpt:53 to:10.137.1.254
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082
------------------------------------
So, I zeroed all the counters, then ran apt-get update from the Kali2 template and it failed with the same error:
W: Failed to fetch http://http.debian.net/debian/dists/stretch/non-free/binary-amd64/Packages Unable to connect to 10.137.255.254:8082:
From what I see after running apt-get update, the PR-QBS-SERVICES counter goes up to 3 packets, that's it. The FORWARD chain counter doesn't increment at all.
So the 2 problems I see:
- When using sys-firewall, sys-firewall is not properly forwarding traffic to sys-net
- When using sys-net, I don't have a clue what the issue is, it just doesn't work!
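
Added example, not part of the original posts: a shell example that reads the per-rule packet counters for the update-proxy port out of `iptables -L -nv` output and says which path the packets took. The listing is constructed from the one in the post, using the 3-packet count the text reports (the byte count is made up), and the function names are hypothetical. A REDIRECT rule rewrites the destination to the local machine, so packets it matches are delivered through INPUT and never reach FORWARD.

```shell
#!/bin/sh
# Constructed sample in `iptables -L -nv` format (filter + nat excerpts).
sample_listing() {
cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 10.137.2.22 10.137.255.254 tcp dpt:8082
    0     0 REJECT all -- * * 10.137.2.22 0.0.0.0/0 reject-with icmp-host-prohibited
Chain PR-QBS-SERVICES (1 references)
 pkts bytes target prot opt in out source destination
    3   180 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082
EOF
}

# Print "<chain> <target> <pkts>" for every rule that matches the given
# destination port. Reads the listing on stdin.
proxy_rule_counters() {
    port="$1"
    awk -v port="$port" '
        $1 == "Chain" { chain = $2; next }   # remember the current chain
        $1 == "pkts"  { next }               # skip the column header
        $0 ~ ("dpt:" port "([^0-9]|$)") { print chain, $3, $1 }
    '
}

# Decide where traffic to the port went, based on the counters:
#   redirected-locally  REDIRECT matched, FORWARD saw nothing: the packets
#                       were handed to this VM itself (INPUT chain), so a
#                       listener on that port must exist in this VM
#   forwarded           a FORWARD rule for the port counted packets
#   no-match            no rule for the port counted anything
classify_path() {
    port="$1"
    proxy_rule_counters "$port" | awk '
        $2 == "REDIRECT" { redir += $3 }
        $1 == "FORWARD"  { fwd   += $3 }
        END {
            if (redir > 0 && fwd == 0) print "redirected-locally"
            else if (fwd > 0)          print "forwarded"
            else                       print "no-match"
        }'
}

sample_listing | proxy_rule_counters 8082
sample_listing | classify_path 8082
```

When the result is `redirected-locally`, the next thing to check in that VM is whether anything is listening on the port, for example with `ss -ltn`.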