System and Template updates over Tor


duc...@disroot.org

Sep 16, 2019, 5:16:16 AM
to qubes...@googlegroups.com
During the first-boot setup of R4.0.1, I chose to "Enable system and
template updates over the Tor anonymity network using Whonix". I left
all other settings at their defaults.

I rebooted, obtained an Internet connection and followed the prompts to
Configure Tor, which completed successfully.

Afterwards, I followed the advice on the Installation Guide page and
upgraded all the Debian and Whonix templateVMs using the supplied
commands in a Dom0 console.

During the download process, I noticed two things: first, the updates
were performed using sys-firewall as a template for an UpdateVM (as
described in the documentation); and the download speeds were much
quicker than I normally expect from a Tor connection (over 1.5Mbps).

This gave me some concern because sys-firewall is the last step before
sys-net, and from there to the Internet - where was the Whonix/Tor
stage? The download speeds also suggested I wasn't using Tor at all for
these updates.

Based on the settings I chose, should I have expected the
qubes-dom0-update commands to leverage a Tor connection? Does it seem
likely that they did in this case? In future, what steps can I take to
verify that performing similar updates will use Tor?


awokd

Sep 16, 2019, 6:26:06 AM
to qubes...@googlegroups.com
duc...@disroot.org:

> Based on the settings I chose, should I have expected the
> qubes-dom0-update commands to leverage a Tor connection?

Yes.

> Does it seem
> likely that they did in this case?

No; agree it doesn't sound like it. Did you "sudo qubesctl state.sls
qvm.updates-via-whonix" as part of upgrading the Whonix templates? Seems
like it should have been unnecessary, though.

> In future, what steps can I take to
> verify that performing similar updates will use Tor?

Check Qubes Global Settings to make sure Dom0's UpdateVM is set to
sys-whonix. Also, double-check /etc/qubes-rpc/policy/qubes.UpdatesProxy
and make sure the first line says "$type:TemplateVM $default
allow,target=sys-whonix". You might want to
https://www.whonix.org/wiki/Onionizing_Repositories while you are at it.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

duc...@disroot.org

Sep 16, 2019, 4:48:03 PM
to qubes...@googlegroups.com
'awokd' via qubes-users:
> duc...@disroot.org:
>
>> Based on the settings I chose, should I have expected the
>> qubes-dom0-update commands to leverage a Tor connection?
>
> Yes.
>
>> Does it seem
>> likely that they did in this case?
>
> No; agree it doesn't sound like it. Did you "sudo qubesctl state.sls
> qvm.updates-via-whonix" as part of upgrading the Whonix templates? Seems
> like it should have been unnecessary, though.
>

The only CLI tool I used was qubes-dom0-update, once for each template.

>> In future, what steps can I take to
>> verify that performing similar updates will use Tor?
>
> Check Qubes Global Settings to make sure Dom0's UpdateVM is set to
> sys-whonix. Also, double-check /etc/qubes-rpc/policy/qubes.UpdatesProxy
> and make sure the first line says "$type:TemplateVM $default
> allow,target=sys-whonix".

I'll check this and post back.

> You might want to
> https://www.whonix.org/wiki/Onionizing_Repositories while you are at it.
>

Thanks. I'll pull all the Whonix docs for reference; seems like a good idea.

Jackie

Sep 16, 2019, 6:58:54 PM
to qubes...@googlegroups.com
duc...@disroot.org:
> 'awokd' via qubes-users:
>> You might want to
>> https://www.whonix.org/wiki/Onionizing_Repositories while you are at it.
>>
>
> Thanks. I'll pull all the Whonix docs for reference, seems like a good idea.

Using onion repos also provides a good visual confirmation that updates
really are going over Tor (in addition to being more secure), since
it won't even be able to connect to the .onion repos if it's not using Tor.

duc...@disroot.org

Sep 19, 2019, 4:46:28 AM
to qubes...@googlegroups.com
duc...@disroot.org:
> 'awokd' via qubes-users:
>> duc...@disroot.org:
>>
>>> Based on the settings I chose, should I have expected the
>>> qubes-dom0-update commands to leverage a Tor connection?
>>
>> Yes.
>>
>>> Does it seem
>>> likely that they did in this case?
>>
>> No; agree it doesn't sound like it. Did you "sudo qubesctl state.sls
>> qvm.updates-via-whonix" as part of upgrading the Whonix templates? Seems
>> like it should have been unnecessary, though.
>>
>
> The only CLI tool I used was qubes-dom0-update, once for each template.
>
>>> In future, what steps can I take to
>>> verify that performing similar updates will use Tor?
>>
>> Check Qubes Global Settings to make sure Dom0's UpdateVM is set to
>> sys-whonix. Also, double-check /etc/qubes-rpc/policy/qubes.UpdatesProxy
>> and make sure the first line says "$type:TemplateVM $default
>> allow,target=sys-whonix".
>
> I'll check this and post back.
>

You were right, these were incorrectly set. I had to manually change
the Dom0 UpdateVM to Sys-Whonix, and uncomment the $type:TemplateVM
$default allow,target=sys-whonix line. I'll be performing a fresh
install of Qubes R4.0.1 on a friend's device with the same settings, if
this happens with hers too I'll report a bug.

>> You might want to
>> https://www.whonix.org/wiki/Onionizing_Repositories while you are at it.
>>
>
> Thanks. I'll pull all the Whonix docs for reference, seems like a good idea.
>

I followed the Onionizing Repos guide, commented out the metalinks and
uncommented the onion lines. On first test (sudo qubes-dom0-update) I
got a 404 error:

> HTTP Error 404 - Not Found

> http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/current/dom0/fc25/repodata/repomd.xml
> "Error: Cannot retrieve repository metadata for (repomd.xml) for repository: qubes-dom0-current"

The following text was in white instead of red, so it's possible the
other repos were successfully updated, but I'm not sure.

> Qubes OS Repository for Dom0 12 MB/s | 26kB 00:00

That was the end of the text echoed to the Console. Has that particular
file been moved and the yum.repos.d/qubes-dom0.repo file not been updated?


awokd

Sep 19, 2019, 8:52:12 AM
to qubes...@googlegroups.com
duc...@disroot.org:

> I followed the Onionizing Repos guide, commented out the metalinks and
> uncommented the onion lines. On first test (sudo qubes-dom0-update) I
> got a 404 error:
>
>> HTTP Error 404 - Not Found
>
>> http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/current/dom0/fc25/repodata/repomd.xml
>> "Error: Cannot retrieve repository metadata for (repomd.xml) for repository: qubes-dom0-current"

I think that's the old onion. If you hadn't run dom0 updates since
installing, it might not have been corrected. Should now be showing this
one in your qubes-dom0.repo & qubes-templates.repo:

http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
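As an added example (written for this page, not code from the thread, from Qubes OS or from Whonix), here is a small POSIX shell audit covering the three things raised above: that dom0's UpdateVM is sys-whonix, that the first active rule in /etc/qubes-rpc/policy/qubes.UpdatesProxy sends TemplateVM updates to sys-whonix, and that an onionized yum repo file uses the current onion hostname rather than the old one that returned 404. The file paths and the two onion hostnames are taken from the thread; the sample policy and repo file contents are constructed for the demo, so it runs on any Linux box without a Qubes install. Use of `qubes-prefs updatevm` to read the UpdateVM name is an assumption about the dom0 CLI, noted in a comment.

```bash
#!/bin/sh
# Added example, not code from the thread or from the Qubes project: audit the
# three settings discussed above so a dom0/template update cannot quietly go
# out through sys-firewall/sys-net instead of sys-whonix.
#
# Real paths (from the thread): /etc/qubes-rpc/policy/qubes.UpdatesProxy and
# /etc/yum.repos.d/qubes-dom0.repo. The sample file contents below are
# constructed for this demo; the two onion hostnames are the ones quoted in
# the thread (the first 404'd, the second is the current one awokd posted).

EXPECTED_POLICY='$type:TemplateVM $default allow,target=sys-whonix'
OLD_ONION='yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion'
NEW_ONION='yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion'

# First rule qrexec would actually evaluate: skip blank lines and '#' lines.
first_policy_rule() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# Exit 0 only if the first active rule routes every TemplateVM via sys-whonix.
check_updates_proxy_policy() {
    [ "$(first_policy_rule "$1")" = "$EXPECTED_POLICY" ]
}

# Exit 0 only if the dom0 UpdateVM name is sys-whonix.
# On a Qubes box (assumed CLI): check_updatevm "$(qubes-prefs updatevm)"
check_updatevm() {
    [ "$1" = "sys-whonix" ]
}

# Exit 0 only if an active (uncommented) baseurl/metalink line points at the
# current onion and none still points at the stale one.
check_onion_repo() {
    active_urls=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -E '^[[:space:]]*(baseurl|metalink)[[:space:]]*=' || true)
    printf '%s\n' "$active_urls" | grep -qF "$OLD_ONION" && return 1
    printf '%s\n' "$active_urls" | grep -qF "$NEW_ONION"
}

# --- constructed samples ---------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Policy as the original poster found it: the sys-whonix rule commented out,
# so non-Whonix templates fall through to the sys-net rule.
cat > "$SAMPLE_DIR/policy.broken" <<'EOF'
## Policy parsing stops at the first match.
#$type:TemplateVM $default allow,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
EOF

# Policy after the fix described in the thread (line uncommented).
cat > "$SAMPLE_DIR/policy.fixed" <<'EOF'
## Policy parsing stops at the first match.
$type:TemplateVM $default allow,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
EOF

# Repo file onionized against the old hostname (the 404 case in the thread).
cat > "$SAMPLE_DIR/repo.stale" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/fc25/repodata/repomd.xml.metalink
gpgcheck = 1
EOF

# Repo file onionized against the current hostname.
cat > "$SAMPLE_DIR/repo.current" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/fc25/repodata/repomd.xml.metalink
gpgcheck = 1
EOF

# Stand-alone demo over the samples; on a real system substitute the real paths.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report check_updates_proxy_policy "$SAMPLE_DIR/policy.broken"
report check_updates_proxy_policy "$SAMPLE_DIR/policy.fixed"
report check_updatevm sys-firewall
report check_updatevm sys-whonix
report check_onion_repo "$SAMPLE_DIR/repo.stale"
report check_onion_repo "$SAMPLE_DIR/repo.current"
```

The policy check deliberately looks only at the first active line, because (as the policy file's own comment says) qrexec stops at the first match: a correct sys-whonix rule further down does nothing if a sys-net rule precedes it. The repo check treats a stale onion in any active line as a failure even when the current one is also present, since yum would still try the stale mirror.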

duc...@disroot.org

Sep 22, 2019, 7:18:23 AM
to qubes...@googlegroups.com
'awokd' via qubes-users:
> duc...@disroot.org:
>
>> I followed the Onionizing Repos guide, commented out the metalinks and
>> uncommented the onion lines. On first test (sudo qubes-dom0-update) I
>> got a 404 error:
>>
>>> HTTP Error 404 - Not Found
>>
>>> http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/current/dom0/fc25/repodata/repomd.xml
>>> "Error: Cannot retrieve repository metadata for (repomd.xml) for repository: qubes-dom0-current"
>
> I think that's the old onion. If you hadn't run dom0 updates since
> installing, it might not have been corrected. Should now be showing this
> one in your qubes-dom0.repo & qubes-templates.repo:
>
> http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
>

Fixed it now. Thanks.
