On Thursday, January 19, 2017 at 7:27:23 PM UTC-5, Unman wrote:
> On Thu, Jan 19, 2017 at 07:01:56PM -0500, Chris Laprise wrote:
> > On 01/19/2017 05:46 PM, Unman wrote:
> > >On Thu, Jan 19, 2017 at 10:02:38AM -0800,  wrote:
> > >>On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:
> > >>>On 01/18/2017 09:32 PM, wrote:
> > >>>>Hi guys,
> > >>>>
> > >>>>I'm having a hard time trying to figure out this. When I installed 
> > >>>>Qubes OS I think I chose Whonix as the default to update VMs, but 
> > >>>>eventually I ended up changing it after a couple of days and set the 
> > >>>>UpdateVM to "sys-firewall".
> > >>>>
> > >>>>Now, everything seems to be fine, except for when I try to upgrade the 
> > >>>>Debian 8 template to Debian 9. No matter what I try, I keep getting 
> > >>>>this sort of error after running apt-get update && apt-get upgrade:
> > >>>>
> > >>>>***************
> > >>>>E: Failed to fetch [...]  Unable to connect to 10.137.255.254:8082:
> > >>>>E: Failed to fetch [...]  Unable to connect to 10.137.255.254:8082:
> > >>>>***************
> > >>>>
> > >>>>If you notice, it says it can't connect to that IP, which after 
> > >>>>debugging I've found out corresponds to the Whonix Gateway VM! So for 
> > >>>>some reason when I clone the current Debian 8 template and try to 
> > >>>>update it it tries to do it through Whonix, and not through the 
> > >>>>sys-firewall VM as I have it configured.
> > >>>>
> > >>>>I've found something similar being described here: 
> > >>>>https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258
> > >>>> . But in that case it is a Whonix VM suffering the issue, which makes 
> > >>>>more sense...
> > >>>>
> > >>>>So, in short, any idea or tips on how to properly (re)configure a VM so 
> > >>>>the updates go through the sys-firewall VM and not through Whonix?!
> > >>>>
> > >>>>Cheers
> > >>>>
> > >>>What it sounds like is the new debian template VM is not making any
> > >>>connection at all, and the IP you're seeing is coming from a cache. It
> > >>>should resolve itself and go away if you manage to correct the
> > >>>connection issue.
> > >>>
> > >>>Sometimes when people configure VMs they inadvertently end up with
> > >>>firewall settings that block everything. For a template VM, having "Deny
> > >>>network access except" and "Allow connections to update proxy" are
> > >>>normal. This works IF the sys-firewall and sys-net are basically default
> > >>>and not configured with extra options like VPNs. You can also try
> > >>>setting the debian VM to allow full access for 5 min. to see if that
> > >>>allows it to connect during an update.
> > >>>
> > >>>Chris
> > >>Hi Chris,
> > >>
> > >>Thanks for your response!
> > >>
> > >>I do have a VPN set up, but I have that configured as per the docs 
> > >>(ProxyVM as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I 
> > >>didn't (purposely) modify anything in sys-firewall or sys-net.
> > >>
> > >>I have tried to enable full internet access, but it didn't work either. 
> > >>The strange thing is that when I do that, I can ping let's say 8.8.8.8, 
> > >>or resolve any domain, i.e. Debian repos...
> > >>
> > >>Cheers,
> > >>
> > >The IP that you are seeing is NOT the IP of the Whonix Gateway - at least
> > >not just the address of the Whonix gateway. It is also the address set for
> > >the qubes update proxy.
> > >
> > >Look in /etc/apt/apt.conf.d/01qubes-proxy, and you may find the standard
> > >Qubes proxy set-up.
> > >
> > >If this is the case, then the problem you have would seem to be that
> > >you do not have the update proxy enabled on sys-firewall.
> > >You can check this by looking at the nat table: you should see a
> > >redirect to local port 8028 for all traffic addressed to 10.137.255.254.
> > >
> > >If that redirect is there then check that you have tinyproxy running.
> > >If it isn't, look at the page below and check your configuration on
> > >sys-firewall, in particular that you have the qubes-updates-proxy
> > >service enabled.
> > >
> > >You should be able to watch the traffic on sys-firewall using IP tables
> > >iptables -L -nv  for normal and nat tables and seeing the counters
> > >increment as you attempt to update.
> > >If you don't see the counters going up then try resetting the debian-8
> > >netvm again.
> > >
> > >The relevant page is:
> > >www.qubes-os.org/doc/software-update-vm/  in the Updates proxy section.
> > 
> > IIRC the update proxy normally runs in sys-net, not proxy/firewall VMs.
> > 
> > If the VPN is between the template and sys-net, then the updates will be
> > blocked as described. The way around this is to set up a proxy VM downstream
> > from the VPN and have it run the update proxy.
> > 
> > But if it's only template->sys-firewall->sys-net then it should be able to
> > connect.
> > 
> > Chris
> 
> Yes, but as adonis28850 said he configured this as per the instructions
> he will have to have the service running on the firewall below the VPN,
> and this is explicitly in the instructions, so it seems natural to look
> there.

Hi guys,

Thanks for the tips, I will give it a go either tonight or over the weekend and 
see if I can figure it out.

I think the reason I may not have the qubes-updates-proxy service on 
sys-firewall is because when I first installed Qubes I chose the option of 
updating through Whonix, not enabling this service at all in the sys-firewall 
VM.

Off the top of my head, I remember going to the services tab in the sys-fw VM 
and not seeing such a service, then adding it, trying to start it through the 
console and the VM complaining that such service didn't exist at all.
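
The checks suggested earlier in the thread (the apt proxy setting in the template, the nat redirect on the VM providing the update proxy, and whether its packet counter moves), as an added example that is not part of the original messages. The function names and both sample inputs are constructed for illustration; on a live system the inputs would be the contents of /etc/apt/apt.conf.d/01qubes-proxy and the output of `iptables -t nat -L -nv`.

```shell
#!/bin/sh
# Added example; sample inputs are constructed, not captured from a real system.

# Constructed sample of an apt proxy drop-in (template side).
SAMPLE_APT_CONF='Acquire::http::Proxy "http://10.137.255.254:8082/";'

# Constructed sample of `iptables -t nat -L -nv` output (proxy VM side).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   420 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082'

# Print "host port" of the HTTP proxy apt is told to use; fail if none is set.
# Commented-out lines are ignored because the match is anchored at line start.
apt_proxy_endpoint() {
  found_ep=$(printf '%s\n' "$1" | sed -n \
    's|^[[:space:]]*Acquire::http::Proxy[[:space:]]*"http://\([0-9.]*\):\([0-9]*\)/\{0,1\}";.*|\1 \2|p' \
    | head -n 1)
  [ -n "$found_ep" ] && printf '%s\n' "$found_ep"
}

# Print the packet counter of a REDIRECT rule for host:port; fail if no rule.
# Fields in -nv output: pkts bytes target prot opt in out source destination ...
nat_redirect_packets() {
  printf '%s\n' "$1" | awk -v host="$2" -v port="$3" '
    $3 == "REDIRECT" && $9 == host {
      for (i = 10; i <= NF; i++)
        if ($i == "dpt:" port) { print $1; found = 1; exit }
    }
    END { exit !found }'
}

# Combine both checks into one verdict.
#   no-apt-proxy   template is not configured to use an update proxy
#   no-redirect    this VM does not intercept the proxy address (service off)
#   redirect-idle  rule exists but no packets hit it (template routed elsewhere)
#   redirect-hit   packets arrive; next thing to check is the proxy daemon itself
diagnose() {
  ep=$(apt_proxy_endpoint "$1") || { echo "no-apt-proxy"; return 0; }
  host=${ep% *}; port=${ep#* }
  if pkts=$(nat_redirect_packets "$2" "$host" "$port"); then
    case "$pkts" in
      0) echo "redirect-idle $host:$port" ;;
      *) echo "redirect-hit $host:$port" ;;
    esac
  else
    echo "no-redirect $host:$port"
  fi
}

diagnose "$SAMPLE_APT_CONF" "$SAMPLE_NAT"
```

The port is taken from the apt configuration rather than hard-coded, so the verdict reflects whatever endpoint the template is actually pointed at.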
