On Thu, Jan 19, 2017 at 07:01:56PM -0500, Chris Laprise wrote:
> On 01/19/2017 05:46 PM, Unman wrote:
> >On Thu, Jan 19, 2017 at 10:02:38AM -0800, adonis28...@gmail.com wrote:
> >>On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:
> >>>On 01/18/2017 09:32 PM, wrote:
> >>>>Hi guys,
> >>>>
> >>>>I'm having a hard time trying to figure out this. When I installed Qubes 
> >>>>OS I think I chose Whonix as the default to update VMs, but eventually I 
> >>>>ended up changing it after a couple of days and set the UpdateVM to 
> >>>>"sys-firewall".
> >>>>
> >>>>Now, everything seems to be fine, except for when I try to upgrade the 
> >>>>Debian 8 template to Debian 9. No matter what I try, I keep getting this 
> >>>>sort of error after running apt-get update && apt-get upgrade:
> >>>>
> >>>>***************
> >>>>E: Failed to fetch [...]  Unable to connect to 10.137.255.254:8082:
> >>>>E: Failed to fetch [...]  Unable to connect to 10.137.255.254:8082:
> >>>>***************
> >>>>
> >>>>If you notice, it says it can't connect to that IP, which after debugging 
> >>>>I've found out corresponds to the Whonix Gateway VM! So for some reason 
> >>>>when I clone the current Debian 8 template and try to update it it tries 
> >>>>to do it through Whonix, and not through the sys-firewall VM as I have it 
> >>>>configured.
> >>>>
> >>>>I've found something similar being described here: 
> >>>>https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258
> >>>> . But in that case it is a Whonix VM suffering the issue, which makes 
> >>>>more sense...
> >>>>
> >>>>So, in short, any idea or tips on how to properly (re)configure a VM so 
> >>>>the updates go through the sys-firewall VM and not through Whonix?!
> >>>>
> >>>>Cheers
> >>>>
> >>>What it sounds like is the new debian template VM is not making any
> >>>connection at all, and the IP you're seeing is coming from a cache. It
> >>>should resolve itself and go away if you manage to correct the
> >>>connection issue.
> >>>
> >>>Sometimes when people configure VMs they inadvertently end up with
> >>>firewall settings that block everything. For a template VM, having "Deny
> >>>network access except" and "Allow connections to update proxy" are
> >>>normal. This works IF the sys-firewall and sys-net are basically default
> >>>and not configured with extra options like VPNs. You can also try
> >>>setting the debian VM to allow full access for 5 min. to see if that
> >>>allows it to connect during an update.
> >>>
> >>>Chris
> >>Hi Chris,
> >>
> >>Thanks for your response!
> >>
> >>I do have a VPN set up, but I have that configured as per the docs (ProxyVM 
> >>as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I didn't 
> >>(purposely) modify anything in sys-firewall or sys-net.
> >>
> >>I have tried to enable full internet access, but it didn't work either. The 
> >>strange thing is that when I do that, I can ping let's say 8.8.8.8, or 
> >>resolve any domain, i.e. Debian repos...
> >>
> >>Cheers,
> >>
> >The IP that you are seeing is NOT the IP of the Whonix Gateway - at least
> >not just the address of the Whonix gateway. It is also the address set for
> >the qubes update proxy.
> >
> >Look in /etc/apt/apt.conf.d/01qubes-proxy, and you may find  the standard
> >Qubes proxy set-up.
> >
> >If this is the case, then the problem you have would seem to be that
> >you do not have the update proxy enabled on sys-firewall.
> >You can check this by looking at the nat table: you should see a
> >redirect to local port 8028 for all traffic addressed to 10.137.255.254.
> >
> >If that redirect is there then check that you have tinyproxy running.
> >If it isn't, look at the page below and check your configuration on
> >sys-firewall, in particular that you have the qubes-updates-proxy
> >service enabled.
> >
> >You should be able to watch the traffic on sys-firewall using IP tables
> >iptables -L -nv  for normal and nat tables and seeing the counters
> >increment as you attempt to update.
> >If you don't see the counters going up then try resetting the debian-8
> >netvm again.
> >
> >The relevant page is:
> >www.qubes-os.org/doc/software-update-vm/  in the Updates proxy section.
> 
> IIRC the update proxy normally runs in sys-net, not proxy/firewall VMs.
> 
> If the VPN is between the template and sys-net, then the updates will be
> blocked as described. The way around this is to setup a proxy VM downstream
> from the VPN and have it run the update proxy.
> 
> But if it's only template->sys-firewall->sys-net then it should be able to
> connect.
> 
> Chris

Yes, but as adonis28850 said he configured this as per the instructions,
he will have to have the service running on the firewall below the VPN,
and this is explicitly in the instructions, so it seems natural to look
there.
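
An added example, not part of the original thread or of Qubes itself: the counter check suggested above (watch the nat-table redirect for 10.137.255.254 while the template attempts an update), written as a shell helper that compares two `iptables -t nat -L -nv -x` snapshots. The sample snapshots are constructed, and the chain and interface names in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Run in the VM that should host the
# updates proxy. The proxy address comes from the apt error quoted above.
PROXY_IP="10.137.255.254"

# Read `iptables -t nat -L -nv -x` text on stdin and print the packet counter
# of the first REDIRECT rule whose destination is PROXY_IP.
# Exit status 1 means no such rule exists. -x prints exact counters.
redirect_pkts() {
    awk -v ip="$PROXY_IP" '
        $3 == "REDIRECT" && $9 == ip { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Compare two snapshots taken before and after an `apt-get update` attempt
# in the template. Prints one of:
#   no-redirect-rule  redirect missing, check the qubes-updates-proxy service
#   counter-static    template traffic is not arriving, reset its netvm
#   redirect-hit      redirect is used, next check that tinyproxy is running
diagnose() {
    before=$(printf '%s\n' "$1" | redirect_pkts) || { echo no-redirect-rule; return 0; }
    after=$(printf '%s\n' "$2" | redirect_pkts) || { echo no-redirect-rule; return 0; }
    if [ "$after" -gt "$before" ]; then
        echo redirect-hit
    else
        echo counter-static
    fi
}

# Constructed sample snapshots; chain and interface names are assumptions.
HEADER='Chain PR-QBS-SERVICES (1 references)
    pkts      bytes target     prot opt in     out     source               destination'
RULE='REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082'
SAMPLE_BEFORE="$HEADER
       3      180 $RULE"
SAMPLE_AFTER="$HEADER
       7      420 $RULE"
SAMPLE_NO_RULE="$HEADER"

# Live use: s1=$(iptables -t nat -L -nv -x), run the update in the template,
# s2=$(iptables -t nat -L -nv -x), then: diagnose "$s1" "$s2"
diagnose "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```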
