On 10/15/2016 08:07 AM, 4lef7a+2cmotzqtxu8g8 via qubes-users wrote:

I've followed this tutorial in order to force all traffic to go through the VPN 
- https://www.qubes-os.org/doc/vpn/ .
While this was successful I'm no longer able to do any updates on the 
templateVMs (except the whonix which are working fine), it seems that the 
traffic somehow is now blocked.
Does anyone know what rule should be added to iptables in order to have this 
working through the VPN?
I've dropped all forward traffic (either upstream or downstream) from the 
sys-fw as suggested:

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP

Do I need to allow the forwarding traffic to and from the subnet in order to have the updates working again?


The Qubes update proxy runs in sys-net by default. Since it intercepts requests, it has to be able to understand what the downstream VMs are requesting. Encrypting traffic with a VPN client means the proxy in sys-net can't update.


1. Have the templates use sys-firewall instead

If privacy during updates is an issue for you...

2. Turn on the update proxy in the VPN VM (or a downstream proxyVM)...


3. If you have sys-whonix set up, it will already have a running update proxy

4. Reconfigure the templates to not use the update proxy

