Default UpdateVM and Issues while updating VM


adoni...@gmail.com

Jan 18, 2017, 9:32:10 PM
to qubes-users
Hi guys,

I'm having a hard time trying to figure this out. When I installed Qubes OS I think I chose Whonix as the default to update VMs, but eventually I ended up changing it after a couple of days and set the UpdateVM to "sys-firewall".

Now, everything seems to be fine, except for when I try to upgrade the Debian 8 template to Debian 9. No matter what I try, I keep getting this sort of error after running apt-get update && apt-get upgrade:

***************
E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
***************

If you notice, it says it can't connect to that IP, which after debugging I've found out corresponds to the Whonix Gateway VM! So for some reason when I clone the current Debian 8 template and try to update it it tries to do it through Whonix, and not through the sys-firewall VM as I have it configured.

I've found something similar being described here: https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258 . But in that case it is a Whonix VM suffering the issue, which makes more sense...

So, in short, any idea or tips on how to properly (re)configure a VM so the updates go through the sys-firewall VM and not through Whonix?!

Cheers

Chris Laprise

Jan 19, 2017, 12:22:35 PM
to adoni...@gmail.com, qubes-users
What it sounds like is the new debian template VM is not making any
connection at all, and the IP you're seeing is coming from a cache. It
should resolve itself and go away if you manage to correct the
connection issue.

Sometimes when people configure VMs they inadvertently end up with
firewall settings that block everything. For a template VM, having "Deny
network access except" and "Allow connections to update proxy" are
normal. This works IF the sys-firewall and sys-net are basically default
and not configured with extra options like VPNs. You can also try
setting the debian VM to allow full access for 5 min. to see if that
allows it to connect during an update.

Chris

adoni...@gmail.com

Jan 19, 2017, 1:02:38 PM
to qubes-users, adoni...@gmail.com, tas...@openmailbox.org
On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:

Hi Chris,

Thanks for your response!

I do have a VPN set up, but I have that configured as per the docs (ProxyVM as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I didn't (purposely) modify anything in sys-firewall or sys-net.

I have tried to enable full internet access, but it didn't work either. The strange thing is that when I do that, I can ping let's say 8.8.8.8, or resolve any domain, i.e. Debian repos...

Cheers,

Unman

Jan 19, 2017, 5:46:31 PM
to adoni...@gmail.com, qubes-users, tas...@openmailbox.org
The IP that you are seeing is NOT the IP of the Whonix Gateway - at least
not just the address of the Whonix gateway. It is also the address set for
the qubes update proxy.

Look in /etc/apt/apt.conf.d/01qubes-proxy, and you may find the standard
Qubes proxy set-up.

If this is the case, then the problem you have would seem to be that
you do not have the update proxy enabled on sys-firewall.
You can check this by looking at the nat table: you should see a
redirect to local port 8028 for all traffic addressed to 10.137.255.254.

If that redirect is there then check that you have tinyproxy running.
If it isn't look at the page below and check your configuration on
sys-firewall, in particular that you have the qubes-updates-proxy
service enabled.

You should be able to watch the traffic on sys-firewall using iptables
('iptables -L -nv' for the normal and nat tables) and seeing the counters
increment as you attempt to update.
If you don't see the counters going up then try resetting the debian-8
netvm again.

The relevant page is:
www.qubes-os.org/doc/software-update-vm/ in the Updates proxy section.

Chris Laprise

Jan 19, 2017, 7:02:05 PM
to Unman, adoni...@gmail.com, qubes-users
IIRC the update proxy normally runs in sys-net, not proxy/firewall VMs.

If the VPN is between the template and sys-net, then the updates will be
blocked as described. The way around this is to setup a proxy VM
downstream from the VPN and have it run the update proxy.

But if it's only template->sys-firewall->sys-net then it should be able
to connect.

Chris

Unman

Jan 19, 2017, 7:27:23 PM
to Chris Laprise, adoni...@gmail.com, qubes-users
Yes, but as adonis28850 said he configured this as per the instructions
he will have to have the service running on the firewall below the VPN,
and this is explicitly in the instructions, so it seems natural to look
there.

adoni...@gmail.com

Jan 20, 2017, 8:31:16 AM
to qubes-users, tas...@openmailbox.org, adoni...@gmail.com, un...@thirdeyesecurity.org
On Thursday, January 19, 2017 at 7:27:23 PM UTC-5, Unman wrote:
> On Thu, Jan 19, 2017 at 07:01:56PM -0500, Chris Laprise wrote:
> > On 01/19/2017 05:46 PM, Unman wrote:

Hi guys,

Thanks for the tips, I will give it a go either tonight or over the weekend and see if I can figure it out.

I think the reason I may not have the qubes-updates-proxy service on sys-firewall is because when I first installed Qubes I chose the option of updating through Whonix, not enabling this service at all in the sys-firewall VM.

Off the top of my head, I remember going to the services tab in the sys-fw VM and not seeing such a service, then adding it, trying to start it through the console and the VM complaining that such a service didn't exist at all.

adoni...@gmail.com

Jan 22, 2017, 12:13:06 AM
to qubes-users, adoni...@gmail.com, tas...@openmailbox.org, un...@thirdeyesecurity.org
Hi mate,

I finally had some time for testing, and it's still not working, although I got some more info.

So I checked and the 01qubes-proxy is in there in the template I'm trying to create for Kali. After that, I checked the sys-firewall VM and yeah, update proxy didn't seem to be enabled, so I tried to follow what the docs you pointed me to say:


(2) Firewall tab -> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)

I rebooted and.. it didn't work, the service (qubes-yum-proxy) had disappeared from the services tab! One thing that may help clarify this is that every time I switch to the "Firewall" tab in sys-firewall, I keep getting the same error: "The sys-firewall AppVM is not network connected to a FirewallVM! You may edit the VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM"... I also verified on a terminal that there are no NAT rules associated to the update proxy!!

So that error states something that is true, as the sys-firewall VM is network connected to sys-net, as it was after the initial installation, I haven't changed that! I'm guessing it is not the right configuration, but not sure how to set it up now... any ideas?

Thanks!

Chris Laprise

Jan 23, 2017, 2:46:43 PM
to adoni...@gmail.com, qubes-users, un...@thirdeyesecurity.org
On 01/22/2017 12:13 AM, adoni...@gmail.com wrote:
> Hi mate,
>
> I finally had some time for testing, and still not working, although I got some more info.
>
> So I checked and the 01qubes-proxy is in there in the template I'm trying to create for Kali. After that, I checked the sys-firewall VM and yeah, update proxy didn't seem to be enabled, so I tried to follow what the docs you pointed me to say:
>
>
> (2) Firewall tab -> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)
>
> I rebooted and.. it didn't work, the service (qubes-yum-proxy) had disappeared from the services tab! One thing that may help clarify this is that every time I switch to the "Firewall" tab in sys-firewall, I keep getting the same error: "The sys-firewall AppVM is not network connected to a FirewallVM! You may edit the VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM"... I also verified on a terminal that there are no NAT rules associated to the update proxy!!

That fw tab error is normal, since sys-net (netVMs in general) don't
provide Qubes firewall services. You specify firewall rules on VMs that
are connected to proxyVMs such as sys-firewall.

>
> So that error states something that is true, as the sys-firewall VM is network connected to sys-net, as it was after the initial installation, I haven't changed that! I'm guessing it is not the right configuration, but not sure how to set it up now... any ideas?
>
> Thanks!

Is there a reason why you don't want the update proxy to work in
sys-net? That is the Qubes default.

Chris

adoni...@gmail.com

Jan 23, 2017, 2:53:41 PM
to qubes-users, adoni...@gmail.com, un...@thirdeyesecurity.org, tas...@openmailbox.org
Hi Chris,

I have also tried using sys-net as the update proxy, but I still get the same error... I've checked and in sys-net there are NAT rules for "you should see a
redirect to local port 8028 for all traffic addressed to 10.137.255.254.", so no clue of what the issue may be now!

Cheers

adoni...@gmail.com

Jan 23, 2017, 8:35:52 PM
to qubes-users, adoni...@gmail.com, un...@thirdeyesecurity.org, tas...@openmailbox.org
Hi Chris,

I just tried, and same error.. this is driving me nuts!

This is the latest conf:

Kali2-Template NetVM: sys-firewall
UpdateVM: sys-net

Kali2-Template has "allow connections to Updated Proxy" ticked, and the "01qubes-proxy" file present.

sys-net has the qubes-update-proxy up and running, updating other templates works!

Unman

Jan 26, 2017, 7:18:39 PM
to adoni...@gmail.com, qubes-users, tas...@openmailbox.org
So this sounds somewhat different from the setup I thought you described
before.
I'm assuming you have kali -- sys-firewall -- sys-net

Look at sys-firewall iptables.
You should see in the FORWARD chain a rule that allows traffic from the
Kali2 IP to port 8082 upstream.
This should be generated by the tickbox.

So, run 'iptables -L -nv' and 'iptables -L -nv -t nat' on sys-firewall
and see what you are doing there.

You can zero the counters by appending -Z. Then if you try an update you
should be able to quickly identify what is going wrong, by seeing where
the counters increment.
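
The counter-watching check Unman describes in both of his replies (zero the counters with -Z, attempt the update, then see which rules' counters increment), as an added Python example that is not part of this thread and not a Qubes tool: it parses two 'iptables -L -nv' snapshots taken on the proxy/firewall VM, lists the rules whose packet counters moved, and says where the template's traffic to the update-proxy address went. If the nat REDIRECT rule moved, that VM intercepted the traffic for a local update proxy, which must then actually be running there (the tinyproxy check Unman mentions); if the FORWARD ACCEPT rule moved, the traffic was passed upstream. The sample snapshots are constructed, modelled on the output posted later in the thread; the client IP 10.137.2.22, the proxy address 10.137.255.254 and port 8082 are taken from the thread.

```python
import re
from typing import Dict, List, Tuple

# A rule line in `iptables -L -nv` output starts with the pkts and bytes counters,
# then the target, then the rest of the rule.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*?)\s*$")

Counters = Dict[Tuple[str, str], int]  # (chain, normalised rule text) -> pkts


def parse_counters(output: str) -> Counters:
    """Map (chain, rule text) -> packet counter from `iptables -L -nv` text.

    The chain name comes from the preceding 'Chain X (...)' header; column
    headers, prompts and '[...]' elisions do not match RULE_RE and are skipped.
    Whitespace inside the rule text is normalised so the same rule matches
    across two snapshots even if the column widths differ.
    """
    counters: Counters = {}
    chain = None
    for line in output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if chain is None or not m:
            continue
        rule = re.sub(r"\s+", " ", f"{m.group(3)} {m.group(4)}")
        counters[(chain, rule)] = int(m.group(1))
    return counters


def counter_deltas(before: Counters, after: Counters) -> List[Tuple[str, str, int]]:
    """Rules whose packet counter grew between the two snapshots."""
    grown = []
    for (chain, rule), pkts in after.items():
        delta = pkts - before.get((chain, rule), 0)
        if delta > 0:
            grown.append((chain, rule, delta))
    return grown


def diagnose_proxy_path(filter_before: Counters, filter_after: Counters,
                        nat_before: Counters, nat_after: Counters,
                        client_ip: str, proxy_ip: str = "10.137.255.254",
                        proxy_port: int = 8082) -> str:
    """Say where the client's traffic to proxy_ip:proxy_port went on this VM.

    'redirected' - a nat REDIRECT rule for the proxy address moved: this VM
                   intercepts the traffic for a local update proxy, so the
                   proxy service (tinyproxy) must be running on this VM;
    'forwarded'  - the FORWARD ACCEPT rule client -> proxy moved: traffic is
                   passed upstream to the next VM;
    'rejected'   - the client's FORWARD REJECT rule moved: firewall rules block it;
    'no-traffic' - nothing relevant moved: the template never reached this VM.
    """
    dport = f"dpt:{proxy_port}"
    fwd = counter_deltas(filter_before, filter_after)
    nat = counter_deltas(nat_before, nat_after)
    for _chain, rule, _ in nat:
        if rule.startswith("REDIRECT") and proxy_ip in rule and dport in rule:
            return "redirected"
    for chain, rule, _ in fwd:
        if chain == "FORWARD" and rule.startswith("ACCEPT") and client_ip in rule \
                and proxy_ip in rule and dport in rule:
            return "forwarded"
    for chain, rule, _ in fwd:
        if chain == "FORWARD" and rule.startswith("REJECT") and client_ip in rule:
            return "rejected"
    return "no-traffic"


# Constructed sample snapshots (not real captures), modelled on the output the
# original poster later shows: counters zeroed, then `apt-get update` run in the
# template. Only the chains of interest are included.
FILTER_BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.137.2.22          10.137.255.254       tcp dpt:8082
    0     0 REJECT     all  --  *      *       10.137.2.22          0.0.0.0/0            reject-with icmp-host-prohibited
"""
FILTER_AFTER = FILTER_BEFORE  # nothing in FORWARD moved

NAT_BEFORE = """\
Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082
"""
NAT_AFTER = NAT_BEFORE.replace("    0     0 REDIRECT", "    3   180 REDIRECT")


def demo() -> str:
    """Run the diagnosis over the constructed snapshots."""
    return diagnose_proxy_path(
        parse_counters(FILTER_BEFORE), parse_counters(FILTER_AFTER),
        parse_counters(NAT_BEFORE), parse_counters(NAT_AFTER),
        client_ip="10.137.2.22")


if __name__ == "__main__":
    print(demo())  # redirected
```

On a real system the four strings would be the saved output of 'sudo iptables -L -nv' and 'sudo iptables -L -nv -t nat' before and after the update attempt; the function deliberately checks the nat REDIRECT first because PREROUTING is consulted before FORWARD, so a redirected connection is handled locally and never shows up in the FORWARD counters at all.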

adoni...@gmail.com

Jan 29, 2017, 7:21:37 PM
to qubes-users, adoni...@gmail.com, tas...@openmailbox.org, un...@thirdeyesecurity.org
Hi Unman,

Still not working, but I have some more info based on your suggestions.

Current config:

System Update VM: sys-net
Kali2-Template NetVM: sys-firewall
Kali2-Template FW Rules: Allow connections to Update Proxy
Sys-firewall FW Rules: Allow connections to Update Proxy

Kali2-Template IP: 10.137.2.22

Sys-firewall IPtables:

-----------------------------
[user@sys-firewall ~]$ sudo iptables -L -nv
[...]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[...]
0 0 ACCEPT tcp -- * * 10.137.2.22 10.137.255.254 tcp dpt:8082
0 0 REJECT all -- * * 10.137.2.22 0.0.0.0/0 reject-with icmp-host-prohibited


[user@sys-firewall ~]$ sudo iptables -L -nv -t nat
[...]
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
26 1835 DNAT udp -- * * 0.0.0.0/0 10.137.2.1 udp dpt:53 to:10.137.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.137.2.1 tcp dpt:53 to:10.137.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.137.2.254 udp dpt:53 to:10.137.1.254
0 0 DNAT tcp -- * * 0.0.0.0/0 10.137.2.254 tcp dpt:53 to:10.137.1.254

Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082

------------------------------------

So, I zeroed all the counters, then ran apt-get update from Kali2 template and failed with the same error:

W: Failed to fetch http://http.debian.net/debian/dists/stretch/non-free/binary-amd64/Packages Unable to connect to 10.137.255.254:8082:


From what I see after running apt-get update, the PR-QBS-SERVICES counter goes up to 3 packets, that's it. The FORWARD chain counter doesn't increment at all.

adoni...@gmail.com

Jan 29, 2017, 8:20:10 PM
to qubes-users, adoni...@gmail.com, tas...@openmailbox.org, un...@thirdeyesecurity.org
Additionally, when I change Kali2-Template NetVM to sys-net, and run apt-get update, it works, however I get the error after running apt-get upgrade.

So the 2 problems I see:

- When using sys-firewall, sys-firewall is not properly forwarding traffic to sys-net

- When using sys-net, I don't have a clue what the issue is, it just doesn't work!
