On 2018-01-12 11:27, awokd wrote:
> On Fri, January 12, 2018 8:03 am, pr0xy wrote:
>>
>> SUCCESS!
>>
>> Changing the /etc/apt/apt.conf.d in Debian and the /etc/dnf/dnf.conf in
>> Fedora, AND allowing the proxy IP on the firewall of EACH TemplateVM
>> finally allows me to update them via the sys-firewall. That's a huge speed
>> improvement over sys-whonix.
>>
>> Now I'm wondering if my failure to set firewall rules was the reason I
>> couldn't use your earlier IPtables examples. I might revisit that, but for
>> now this solution allows me to use Qubes somewhat normally behind this
>> corporate proxy.
>
> Glad to hear it! Sorry I couldn't help more. Would you mind providing a
> detailed list of steps you had to do to get this set up behind a corporate
> proxy? I know I'm a bit lost and it might help others in the future.

Thanks for jumping in with some ideas anyway awokd.

The company is using a Squid transparent proxy for HTTP/HTTPS and another
proxy for FTP (which I haven't completely figured out yet). The proxies are:

    HTTP PROXY   http://proxy.example.com:8080
    HTTPS PROXY  http://proxy.example.com:8080
    FTP PROXY    http://proxy.example.com:10021

Step 1: Whonix

Set the torrc so that Whonix can connect thru the proxy. Go to
sys-whonix | Tor User Config and edit the torrc file to add these lines:

    DisableNetwork 0
    HTTPproxy 10.0.0.1:8080
    HTTPSproxy 10.0.0.1:8080
    FascistFirewall 1

It's important here to use the IP address instead of the proxy name. I've
confirmed this on the Whonix forums.

Step 2: Set TemplateVM apps to use proxy

As Marek stated above, you can set http_proxy and https_proxy variables in
your template(s) and all app VMs based on them automatically will pick it
up. Just create /etc/profile.d/proxy.sh and export appropriate variables
from there.

I added the following to /etc/profile.d/proxy.sh in Fedora and
/etc/environment in Debian templates:

    export http_proxy=http://proxy.example.com:8080
    export https_proxy=http://proxy.example.com:8080
    export ftp_proxy=http://proxy.example.com:10021
    export HTTP_PROXY=http://proxy.example.com:8080
    export HTTPS_PROXY=http://proxy.example.com:8080
    export FTP_PROXY=http://proxy.example.com:10021

Here I used the fully qualified domain names instead of the proxy IP.

Step 3: Allow Qubes TemplateVMs to update via sys-firewall

Don't do this on the Whonix templates. They update thru sys-whonix.

Add the following to the bottom of /etc/apt/apt.conf.d in Debian, and
/etc/dnf/dnf.conf in Fedora after ### QUBES END ###:

(ex.)

    [user@fedora-26 ~]$ sudo gedit /etc/dnf/dnf.conf
    .
    .
    ### QUBES END ###
    proxy=http://10.0.0.1:8080

Again, here I had to use the IP of the proxy. I tested with the fully
qualified name, and it didn't work.

Finally, allow the proxy IP on the firewall of EACH TemplateVM.

From the Qubes Manager (R3.2) | Firewall rules

    Address 10.0.0.1
    Protocol "Any"

That's working for me. I will try further experimentation with IPtables and
a ProxyVM, as those seem like better solutions. However, in the meantime I
have a working Qubes system and can actually do some work with it instead of
messing around with settings...for now.
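
A check for the Step 3 layout, as an added example that is not part of the original post: it reads a dnf.conf, takes the proxy= line that follows the ### QUBES END ### marker, and confirms the host is an IP literal equal to the address allowed in the TemplateVM firewall. The function names, return codes and the sample file are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: verify the dnf.conf proxy line described in Step 3.
# Function names and return codes are illustrative, not part of Qubes.

# Print the last proxy= value that appears after the "### QUBES END ###" marker.
proxy_after_marker() {
    awk '
        /^### QUBES END ###/ { seen = 1; next }
        seen && /^[[:space:]]*proxy[[:space:]]*=/ {
            sub(/^[[:space:]]*proxy[[:space:]]*=[[:space:]]*/, "")
            url = $0
        }
        END { if (url != "") print url }
    ' "$1"
}

# Reduce scheme://host:port/path to the bare host.
proxy_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##'
}

# True when the argument has dotted-quad shape (octet range is not checked).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_dnf_proxy FILE FIREWALL_IP
# 0 = ok, 1 = no proxy= after the marker, 2 = proxy given by name,
# 3 = proxy IP is not the address allowed in the TemplateVM firewall.
check_dnf_proxy() {
    url=$(proxy_after_marker "$1")
    [ -n "$url" ] || { echo "no proxy= line after ### QUBES END ###"; return 1; }
    host=$(proxy_host "$url")
    is_ipv4 "$host" || { echo "proxy host '$host' is a name, not an IP"; return 2; }
    [ "$host" = "$2" ] || { echo "proxy $host is not firewall address $2"; return 3; }
    echo "ok: $url"
}

# Constructed sample file mirroring the Step 3 excerpt.
sample=$(mktemp)
printf '%s\n' '[main]' 'gpgcheck=1' '### QUBES END ###' \
    'proxy=http://10.0.0.1:8080' > "$sample"
check_dnf_proxy "$sample" 10.0.0.1
rm -f "$sample"
```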
