Re: [qubes-users] Default UpdateVM and Issues while updating VM
Additionally, when I change Kali2-Template NetVM to sys-net, and run apt-get update, it works, however I get the error after running apt-get upgrade.

So the 2 problems I see:

- When using sys-firewall, sys-firewall is not properly forwarding traffic to sys-net
- When using sys-net, I don't have a clue what the issue is, it just doesn't work!

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/74dc6f17-f0c3-4869-b834-2bd2b774a966%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Default UpdateVM and Issues while updating VM
Hi Unman,

Still not working, but I have some more info based on your suggestions.

Current config:

System Update VM: sys-net
Kali2-Template NetVM: sys-firewall
Kali2-Template FW Rules: Allow connections to Update Proxy
Sys-firewall FW Rules: Allow connections to Update Proxy
Kali2-Template IP: 10.137.2.22

Sys-firewall IPtables:

[user@sys-firewall ~]$ sudo iptables -L -nv
[...]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[...]
0 0 ACCEPT tcp -- * * 10.137.2.22 10.137.255.254 tcp dpt:8082
0 0 REJECT all -- * * 10.137.2.22 0.0.0.0/0 reject-with icmp-host-prohibited

[user@sys-firewall ~]$ sudo iptables -L -nv -t nat
[...]
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
26 1835 DNAT udp -- * * 0.0.0.0/0 10.137.2.1 udp dpt:53 to:10.137.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.137.2.1 tcp dpt:53 to:10.137.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.137.2.254 udp dpt:53 to:10.137.1.254
0 0 DNAT tcp -- * * 0.0.0.0/0 10.137.2.254 tcp dpt:53 to:10.137.1.254

Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082

So, I zeroed all the counters, then ran apt-get update from Kali2 template and failed with the same error:

W: Failed to fetch http://http.debian.net/debian/dists/stretch/non-free/binary-amd64/Packages Unable to connect to 10.137.255.254:8082:

From what I see after running apt-get update, the PR-QBS-SERVICES counter goes up to 3 packets, that's it. The FORWARD chain counter doesn't increment at all.
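Added example, not part of the thread: the counter check discussed in these messages, run over saved `iptables -L -nv` output. The sample text is constructed from the rules posted above (the byte count is made up) and `chain_hits` and `diagnose` are hypothetical helper names; the interpretation relies on the REDIRECT target delivering matched packets to the VM itself, so they are counted in the nat rule and never traverse FORWARD.

```bash
#!/bin/sh
# Added example: interpret saved `iptables -L -nv` output for the update proxy port.

# Constructed sample: filter table on sys-firewall, rules as posted in the
# thread, counters still at zero after the failed apt-get update.
FILTER_SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 10.137.2.22 10.137.255.254 tcp dpt:8082
    0     0 REJECT all -- * * 10.137.2.22 0.0.0.0/0 reject-with icmp-host-prohibited'

# Constructed sample: nat table after the same attempt. The 3-packet count is
# the one reported in the thread; the byte count is made up.
NAT_SAMPLE='Chain PR-QBS-SERVICES (1 references)
 pkts bytes target prot opt in out source destination
    3   180 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082'

# chain_hits TEXT CHAIN TARGET PORT
# Prints 1 if any rule in CHAIN with that target and a "dpt:PORT" match has a
# non-zero packet counter, otherwise 0. Only zero versus non-zero matters, so
# abbreviated counters such as "12K" are handled as well.
chain_hits() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" -v dpt="dpt:$4" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        !in_chain || NF < 3 || $1 == "pkts" { next }
        $3 == target && $1 != "0" {
            for (i = 4; i <= NF; i++) if ($i == dpt) hit = 1
        }
        END { print hit + 0 }'
}

# diagnose FILTER_TEXT NAT_TEXT [PORT]
# Classifies where the update traffic went on the VM the output came from.
diagnose() {
    dg_port="${3:-8082}"
    dg_redirected=$(chain_hits "$2" PR-QBS-SERVICES REDIRECT "$dg_port")
    dg_forwarded=$(chain_hits "$1" FORWARD ACCEPT "$dg_port")
    if [ "$dg_redirected" = 1 ] && [ "$dg_forwarded" = 0 ]; then
        # Packets were rewritten to this VM's own port: a proxy has to be
        # listening here, or the client sees "Unable to connect".
        echo "redirected-locally"
    elif [ "$dg_forwarded" = 1 ]; then
        # Packets were passed on: the proxy has to be reachable upstream.
        echo "forwarded-upstream"
    else
        # Nothing arrived: look at the template's NetVM and firewall settings.
        echo "no-traffic"
    fi
}

diagnose "$FILTER_SAMPLE" "$NAT_SAMPLE"
```

On a live system the two inputs would come from `sudo iptables -L -nv` and `sudo iptables -L -nv -t nat`, captured after zeroing the counters with `-Z` and retrying the update.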
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On Mon, Jan 23, 2017 at 05:35:52PM -0800, adonis28...@gmail.com wrote:
> Hi Chris,
>
> I just tried, and same error.. this is driving me nuts!
>
> This is the latest conf:
>
> Kali2-Template NetVM: sys-firewall
> UpdateVM: sys-net
>
> Kali2-Template has "allow connections to Updated Proxy" ticked, and the
> "01qubes-proxy" file present.
>
> sys-net has the qubes-update-proxy up and running, updating other templates
> works!
>

So this sounds somewhat different from the setup I thought you described before.
I'm assuming you have kali -- sys-firewall -- sys-net

Look at sys-firewall iptables. You should see in the FORWARD chain a rule that allows traffic from the Kali2 IP to port 8082 upstream. This should be generated by the tickbox.

So, run 'iptables -L -nv' and 'iptables -L -nv -t nat' on sys-firewall and see what you are doing there. You can zero the counters by appending -Z.
Then if you try an update you should be able to quickly identify what is going wrong, by seeing where the counters increment.
Re: [qubes-users] Default UpdateVM and Issues while updating VM
Hi Chris,

I just tried, and same error.. this is driving me nuts!

This is the latest conf:

Kali2-Template NetVM: sys-firewall
UpdateVM: sys-net

Kali2-Template has "allow connections to Updated Proxy" ticked, and the "01qubes-proxy" file present.

sys-net has the qubes-update-proxy up and running, updating other templates works!
Re: [qubes-users] Default UpdateVM and Issues while updating VM
Hi Chris,

I have also tried using sys-net as the update proxy, but I still get the same error...

I've checked and in sys-net there are NAT rules for "you should see a redirect to local port 8028 for all traffic addressed to 10.137.255.254.", so no clue of what the issue may be now!

Cheers
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On 01/22/2017 12:13 AM, adonis28...@gmail.com wrote:
> Hi mate,
>
> I finally had some time for testing, and still not working, although I got some more info.
>
> So I checked and the 01qubes-proxy is in there in the template I'm trying to create for Kali. After that, I checked the sys-firewall VM and yeah, update proxy didn't seem to be enabled, so I tried to follow what the docs you pointed me to say:
>
> (2) Firewall tab -> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)
>
> I rebooted and.. didn't work, the service (qubes-yum-proxy) had disappeared from the services tab!
>
> One thing that may help clarify this is that every time I switch to the "Firewall" tab in sys-firewall, I keep getting the same error: "The sys-firewall AppVM is not network connected to a FirewallVM! You may edit the VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM"... I also verified on a terminal that there are no NAT rules associated to the updated proxy!!

That fw tab error is normal, since sys-net (netVMs in general) don't provide Qubes firewall services. You specify firewall rules on VMs that are connected to proxyVMs such as sys-firewall.

> So that error states something that is true, as the sys-firewall VM is network connected to sys-net, as it was after the initial installation, I haven't changed that! I'm guessing it is not the right configuration, but not sure how to set it up now... any ideas?
>
> Thanks!

Is there a reason why you don't want the update proxy to work in sys-net? That is the Qubes default.

Chris
Re: [qubes-users] Default UpdateVM and Issues while updating VM
Hi mate,

I finally had some time for testing, and still not working, although I got some more info.

So I checked and the 01qubes-proxy is in there in the template I'm trying to create for Kali. After that, I checked the sys-firewall VM and yeah, update proxy didn't seem to be enabled, so I tried to follow what the docs you pointed me to say:

(2) Firewall tab -> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)

I rebooted and.. didn't work, the service (qubes-yum-proxy) had disappeared from the services tab!

One thing that may help clarify this is that every time I switch to the "Firewall" tab in sys-firewall, I keep getting the same error: "The sys-firewall AppVM is not network connected to a FirewallVM! You may edit the VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM"... I also verified on a terminal that there are no NAT rules associated to the updated proxy!!

So that error states something that is true, as the sys-firewall VM is network connected to sys-net, as it was after the initial installation, I haven't changed that! I'm guessing it is not the right configuration, but not sure how to set it up now... any ideas?

Thanks!
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On Thursday, January 19, 2017 at 7:27:23 PM UTC-5, Unman wrote:
> On Thu, Jan 19, 2017 at 07:01:56PM -0500, Chris Laprise wrote:
> > On 01/19/2017 05:46 PM, Unman wrote:
> > >On Thu, Jan 19, 2017 at 10:02:38AM -0800, wrote:
> > >>On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:
> > >>>On 01/18/2017 09:32 PM, wrote:
> > >>>> Hi guys,
> > >>>>
> > >>>> I'm having a hard time trying to figure out this. When I installed
> > >>>> Qubes OS I think I chose Whonix as the default to update VMs, but
> > >>>> eventually I ended up changing it after a couple of days and set the
> > >>>> UpdateVM to "sys-firewall".
> > >>>>
> > >>>> Now, everything seems to be fine, except for when I try to upgrade the
> > >>>> Debian 8 template to Debian 9. No matter what I try, I keep getting
> > >>>> this sort of error after running apt-get update && apt-get upgrade:
> > >>>>
> > >>>> ***
> > >>>> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> > >>>> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> > >>>> ***
> > >>>>
> > >>>> If you notice, it says it can't connect to that IP, which after
> > >>>> debugging I've found out corresponds to the Whonix Gateway VM! So for
> > >>>> some reason when I clone the current Debian 8 template and try to
> > >>>> update it it tries to do it through Whonix, and not through the
> > >>>> sys-firewall VM as I have it configured.
> > >>>>
> > >>>> I've found something similar being described here:
> > >>>> https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258
> > >>>> . But in that case it is a Whonix VM suffering the issue, which makes
> > >>>> more sense...
> > >>>>
> > >>>> So, in short, any idea or tips on how to properly (re)configure a VM so
> > >>>> the updates go through the sys-firewall VM and not through Whonix?!.
> > >>>>
> > >>>> Cheers
> > >>>>
> > >>>What it sounds like is the new debian template VM is not making any
> > >>>connection at all, and the IP you're seeing is coming from a cache. It
> > >>>should resolve itself and go away if you manage to correct the
> > >>>connection issue.
> > >>>
> > >>>Sometimes when people configure VMs they inadvertently end up with
> > >>>firewall settings that block everything. For a template VM, having "Deny
> > >>>network access except" and "Allow connections to update proxy" are
> > >>>normal. This works IF the sys-firewall and sys-net are basically default
> > >>>and not configured with extra options like VPNs. You can also try
> > >>>setting the debian VM to allow full access for 5 min. to see if that
> > >>>allows it to connect during an update.
> > >>>
> > >>>Chris
> > >>Hi Chris,
> > >>
> > >>Thanks for your response!.
> > >>
> > >>I do have a VPN set up, but I have that configured as per the docs
> > >>(ProxyVM as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I
> > >>didn't (purposely) modify anything in sys-firewall or sys-net.
> > >>
> > >>I have tried to enable full internet access, but it didn't work either.
> > >>The strange thing is that when I do that, I can ping let's say 8.8.8.8,
> > >>or resolve any domain, i.e. Debian repos...
> > >>
> > >>Cheers,
> > >>
> > >The IP that you are seeing is NOT the IP of the Whonix Gateway - at least
> > >not just the address of the Whonix gateway. It is also the address set for
> > >the qubes update proxy.
> > >
> > >Look in /etc/apt/apt.conf.d/01qubes-proxy, and you may find the standard
> > >Qubes proxy set-up.
> > >
> > >If this is the case, then the problem you have would seem to be that
> > >you do not have the update proxy enabled on sys-firewall.
> > >You can check this by looking at the nat table: you should see a
> > >redirect to local port 8028 for all traffic addressed to 10.137.255.254.
> > >
> > >If that redirect is there then check that you have tinyproxy running.
> > >If it isn't look at the page below and check your configuration on
> > >sys-firewall, in particular that you have the qubes-updates-proxy
> > >service enabled.
> > >
> > >You should be able to watch the traffic on sys-firewall using IP tables
> > >iptables -L -nv for normal and nat tables and seeing the counters
> > >increment as you attempt to update.
> > >If you don't see the counters going up then try resetting the debian-8
> > >netvm again.
> > >
> > >The relevant page is:
> > >www.qubes-os.org/doc/software-update-vm/ in the Updates proxy section.
> >
> > IIRC the update proxy normally runs in sys-net, not proxy/firewall VMs.
> >
> > If the VPN is between the template and sys-net, then the updates will be
> > blocked as described. The way around this is to setup a proxy VM downstream
> > from the VPN and have it run the update proxy.
> >
> > But if it's only template->sys-firewall->sys-net then it should be able to
> > connect.
> >
> > Chris
>
> Yes, but as adonis28850 said he configured this as per the instructions
> he will have to have the service running on the fir
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On Thu, Jan 19, 2017 at 07:01:56PM -0500, Chris Laprise wrote:
> On 01/19/2017 05:46 PM, Unman wrote:
> >On Thu, Jan 19, 2017 at 10:02:38AM -0800, adonis28...@gmail.com wrote:
> >>On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:
> >>>On 01/18/2017 09:32 PM, wrote:
> >>>> Hi guys,
> >>>>
> >>>> I'm having a hard time trying to figure out this. When I installed Qubes
> >>>> OS I think I chose Whonix as the default to update VMs, but eventually I
> >>>> ended up changing it after a couple of days and set the UpdateVM to
> >>>> "sys-firewall".
> >>>>
> >>>> Now, everything seems to be fine, except for when I try to upgrade the
> >>>> Debian 8 template to Debian 9. No matter what I try, I keep getting this
> >>>> sort of error after running apt-get update && apt-get upgrade:
> >>>>
> >>>> ***
> >>>> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> >>>> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> >>>> ***
> >>>>
> >>>> If you notice, it says it can't connect to that IP, which after debugging
> >>>> I've found out corresponds to the Whonix Gateway VM! So for some reason
> >>>> when I clone the current Debian 8 template and try to update it it tries
> >>>> to do it through Whonix, and not through the sys-firewall VM as I have it
> >>>> configured.
> >>>>
> >>>> I've found something similar being described here:
> >>>> https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258
> >>>> . But in that case it is a Whonix VM suffering the issue, which makes
> >>>> more sense...
> >>>>
> >>>> So, in short, any idea or tips on how to properly (re)configure a VM so
> >>>> the updates go through the sys-firewall VM and not through Whonix?!.
> >>>>
> >>>> Cheers
> >>>>
> >>>What it sounds like is the new debian template VM is not making any
> >>>connection at all, and the IP you're seeing is coming from a cache. It
> >>>should resolve itself and go away if you manage to correct the
> >>>connection issue.
> >>>
> >>>Sometimes when people configure VMs they inadvertently end up with
> >>>firewall settings that block everything. For a template VM, having "Deny
> >>>network access except" and "Allow connections to update proxy" are
> >>>normal. This works IF the sys-firewall and sys-net are basically default
> >>>and not configured with extra options like VPNs. You can also try
> >>>setting the debian VM to allow full access for 5 min. to see if that
> >>>allows it to connect during an update.
> >>>
> >>>Chris
> >>Hi Chris,
> >>
> >>Thanks for your response!.
> >>
> >>I do have a VPN set up, but I have that configured as per the docs (ProxyVM
> >>as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I didn't
> >>(purposely) modify anything in sys-firewall or sys-net.
> >>
> >>I have tried to enable full internet access, but it didn't work either. The
> >>strange thing is that when I do that, I can ping let's say 8.8.8.8, or
> >>resolve any domain, i.e. Debian repos...
> >>
> >>Cheers,
> >>
> >The IP that you are seeing is NOT the IP of the Whonix Gateway - at least
> >not just the address of the Whonix gateway. It is also the address set for
> >the qubes update proxy.
> >
> >Look in /etc/apt/apt.conf.d/01qubes-proxy, and you may find the standard
> >Qubes proxy set-up.
> >
> >If this is the case, then the problem you have would seem to be that
> >you do not have the update proxy enabled on sys-firewall.
> >You can check this by looking at the nat table: you should see a
> >redirect to local port 8028 for all traffic addressed to 10.137.255.254.
> >
> >If that redirect is there then check that you have tinyproxy running.
> >If it isn't look at the page below and check your configuration on
> >sys-firewall, in particular that you have the qubes-updates-proxy
> >service enabled.
> >
> >You should be able to watch the traffic on sys-firewall using IP tables
> >iptables -L -nv for normal and nat tables and seeing the counters
> >increment as you attempt to update.
> >If you don't see the counters going up then try resetting the debian-8
> >netvm again.
> >
> >The relevant page is:
> >www.qubes-os.org/doc/software-update-vm/ in the Updates proxy section.
>
> IIRC the update proxy normally runs in sys-net, not proxy/firewall VMs.
>
> If the VPN is between the template and sys-net, then the updates will be
> blocked as described. The way around this is to setup a proxy VM downstream
> from the VPN and have it run the update proxy.
>
> But if it's only template->sys-firewall->sys-net then it should be able to
> connect.
>
> Chris

Yes, but as adonis28850 said he configured this as per the instructions he will have to have the service running on the firewall below the VPN, and this is explicitly in the instructions, so it seems natural to look there.
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On 01/19/2017 05:46 PM, Unman wrote:
> On Thu, Jan 19, 2017 at 10:02:38AM -0800, adonis28...@gmail.com wrote:
>> On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:
>>> On 01/18/2017 09:32 PM, wrote:
>>>> Hi guys,
>>>>
>>>> I'm having a hard time trying to figure out this. When I installed Qubes OS I think I chose Whonix as the default to update VMs, but eventually I ended up changing it after a couple of days and set the UpdateVM to "sys-firewall".
>>>>
>>>> Now, everything seems to be fine, except for when I try to upgrade the Debian 8 template to Debian 9. No matter what I try, I keep getting this sort of error after running apt-get update && apt-get upgrade:
>>>>
>>>> ***
>>>> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
>>>> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
>>>> ***
>>>>
>>>> If you notice, it says it can't connect to that IP, which after debugging I've found out corresponds to the Whonix Gateway VM! So for some reason when I clone the current Debian 8 template and try to update it it tries to do it through Whonix, and not through the sys-firewall VM as I have it configured.
>>>>
>>>> I've found something similar being described here: https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258 . But in that case it is a Whonix VM suffering the issue, which makes more sense...
>>>>
>>>> So, in short, any idea or tips on how to properly (re)configure a VM so the updates go through the sys-firewall VM and not through Whonix?!.
>>>>
>>>> Cheers
>>>
>>> What it sounds like is the new debian template VM is not making any connection at all, and the IP you're seeing is coming from a cache. It should resolve itself and go away if you manage to correct the connection issue.
>>>
>>> Sometimes when people configure VMs they inadvertently end up with firewall settings that block everything. For a template VM, having "Deny network access except" and "Allow connections to update proxy" are normal. This works IF the sys-firewall and sys-net are basically default and not configured with extra options like VPNs. You can also try setting the debian VM to allow full access for 5 min. to see if that allows it to connect during an update.
>>>
>>> Chris
>>
>> Hi Chris,
>>
>> Thanks for your response!.
>>
>> I do have a VPN set up, but I have that configured as per the docs (ProxyVM as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I didn't (purposely) modify anything in sys-firewall or sys-net.
>>
>> I have tried to enable full internet access, but it didn't work either. The strange thing is that when I do that, I can ping let's say 8.8.8.8, or resolve any domain, i.e. Debian repos...
>>
>> Cheers,
>
> The IP that you are seeing is NOT the IP of the Whonix Gateway - at least not just the address of the Whonix gateway. It is also the address set for the qubes update proxy.
>
> Look in /etc/apt/apt.conf.d/01qubes-proxy, and you may find the standard Qubes proxy set-up.
>
> If this is the case, then the problem you have would seem to be that you do not have the update proxy enabled on sys-firewall. You can check this by looking at the nat table: you should see a redirect to local port 8028 for all traffic addressed to 10.137.255.254.
>
> If that redirect is there then check that you have tinyproxy running. If it isn't look at the page below and check your configuration on sys-firewall, in particular that you have the qubes-updates-proxy service enabled.
>
> You should be able to watch the traffic on sys-firewall using IP tables iptables -L -nv for normal and nat tables and seeing the counters increment as you attempt to update. If you don't see the counters going up then try resetting the debian-8 netvm again.
>
> The relevant page is: www.qubes-os.org/doc/software-update-vm/ in the Updates proxy section.

IIRC the update proxy normally runs in sys-net, not proxy/firewall VMs.

If the VPN is between the template and sys-net, then the updates will be blocked as described. The way around this is to setup a proxy VM downstream from the VPN and have it run the update proxy.

But if it's only template->sys-firewall->sys-net then it should be able to connect.

Chris
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On Thu, Jan 19, 2017 at 10:02:38AM -0800, adonis28...@gmail.com wrote:
> On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:
> > On 01/18/2017 09:32 PM, wrote:
> > > Hi guys,
> > >
> > > I'm having a hard time trying to figure out this. When I installed Qubes
> > > OS I think I chose Whonix as the default to update VMs, but eventually I
> > > ended up changing it after a couple of days and set the UpdateVM to
> > > "sys-firewall".
> > >
> > > Now, everything seems to be fine, except for when I try to upgrade the
> > > Debian 8 template to Debian 9. No matter what I try, I keep getting this
> > > sort of error after running apt-get update && apt-get upgrade:
> > >
> > > ***
> > > E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> > > E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> > > ***
> > >
> > > If you notice, it says it can't connect to that IP, which after debugging
> > > I've found out corresponds to the Whonix Gateway VM! So for some reason
> > > when I clone the current Debian 8 template and try to update it it tries
> > > to do it through Whonix, and not through the sys-firewall VM as I have it
> > > configured.
> > >
> > > I've found something similar being described here:
> > > https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258
> > > . But in that case it is a Whonix VM suffering the issue, which makes
> > > more sense...
> > >
> > > So, in short, any idea or tips on how to properly (re)configure a VM so
> > > the updates go through the sys-firewall VM and not through Whonix?!.
> > >
> > > Cheers
> > >
> >
> > What it sounds like is the new debian template VM is not making any
> > connection at all, and the IP you're seeing is coming from a cache. It
> > should resolve itself and go away if you manage to correct the
> > connection issue.
> >
> > Sometimes when people configure VMs they inadvertently end up with
> > firewall settings that block everything. For a template VM, having "Deny
> > network access except" and "Allow connections to update proxy" are
> > normal. This works IF the sys-firewall and sys-net are basically default
> > and not configured with extra options like VPNs. You can also try
> > setting the debian VM to allow full access for 5 min. to see if that
> > allows it to connect during an update.
> >
> > Chris
>
> Hi Chris,
>
> Thanks for your response!.
>
> I do have a VPN set up, but I have that configured as per the docs (ProxyVM
> as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I didn't (purposely)
> modify anything in sys-firewall or sys-net.
>
> I have tried to enable full internet access, but it didn't work either. The
> strange thing is that when I do that, I can ping let's say 8.8.8.8, or
> resolve any domain, i.e. Debian repos...
>
> Cheers,
>

The IP that you are seeing is NOT the IP of the Whonix Gateway - at least not just the address of the Whonix gateway. It is also the address set for the qubes update proxy.

Look in /etc/apt/apt.conf.d/01qubes-proxy, and you may find the standard Qubes proxy set-up.

If this is the case, then the problem you have would seem to be that you do not have the update proxy enabled on sys-firewall.
You can check this by looking at the nat table: you should see a redirect to local port 8028 for all traffic addressed to 10.137.255.254.

If that redirect is there then check that you have tinyproxy running.
If it isn't look at the page below and check your configuration on sys-firewall, in particular that you have the qubes-updates-proxy service enabled.

You should be able to watch the traffic on sys-firewall using IP tables iptables -L -nv for normal and nat tables and seeing the counters increment as you attempt to update.
If you don't see the counters going up then try resetting the debian-8 netvm again.

The relevant page is:
www.qubes-os.org/doc/software-update-vm/ in the Updates proxy section.
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On Thursday, January 19, 2017 at 12:22:35 PM UTC-5, Chris Laprise wrote:
> On 01/18/2017 09:32 PM, wrote:
> > Hi guys,
> >
> > I'm having a hard time trying to figure out this. When I installed Qubes OS
> > I think I chose Whonix as the default to update VMs, but eventually I ended
> > up changing it after a couple of days and set the UpdateVM to
> > "sys-firewall".
> >
> > Now, everything seems to be fine, except for when I try to upgrade the
> > Debian 8 template to Debian 9. No matter what I try, I keep getting this
> > sort of error after running apt-get update && apt-get upgrade:
> >
> > ***
> > E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> > E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> > ***
> >
> > If you notice, it says it can't connect to that IP, which after debugging
> > I've found out corresponds to the Whonix Gateway VM! So for some reason
> > when I clone the current Debian 8 template and try to update it it tries to
> > do it through Whonix, and not through the sys-firewall VM as I have it
> > configured.
> >
> > I've found something similar being described here:
> > https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258
> > . But in that case it is a Whonix VM suffering the issue, which makes more
> > sense...
> >
> > So, in short, any idea or tips on how to properly (re)configure a VM so the
> > updates go through the sys-firewall VM and not through Whonix?!.
> >
> > Cheers
> >
>
> What it sounds like is the new debian template VM is not making any
> connection at all, and the IP you're seeing is coming from a cache. It
> should resolve itself and go away if you manage to correct the
> connection issue.
>
> Sometimes when people configure VMs they inadvertently end up with
> firewall settings that block everything. For a template VM, having "Deny
> network access except" and "Allow connections to update proxy" are
> normal. This works IF the sys-firewall and sys-net are basically default
> and not configured with extra options like VPNs. You can also try
> setting the debian VM to allow full access for 5 min. to see if that
> allows it to connect during an update.
>
> Chris

Hi Chris,

Thanks for your response!.

I do have a VPN set up, but I have that configured as per the docs (ProxyVM as a VPN gateway): https://www.qubes-os.org/doc/vpn/. So I didn't (purposely) modify anything in sys-firewall or sys-net.

I have tried to enable full internet access, but it didn't work either. The strange thing is that when I do that, I can ping let's say 8.8.8.8, or resolve any domain, i.e. Debian repos...

Cheers,
Re: [qubes-users] Default UpdateVM and Issues while updating VM
On 01/18/2017 09:32 PM, adonis28...@gmail.com wrote:
> Hi guys,
>
> I'm having a hard time trying to figure this out. When I installed Qubes OS
> I think I chose Whonix as the default to update VMs, but eventually I ended
> up changing it after a couple of days and set the UpdateVM to
> "sys-firewall".
>
> Now, everything seems to be fine, except for when I try to upgrade the
> Debian 8 template to Debian 9. No matter what I try, I keep getting this
> sort of error after running apt-get update && apt-get upgrade:
>
> ***
> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
> ***
>
> If you notice, it says it can't connect to that IP, which after debugging
> I've found out corresponds to the Whonix Gateway VM! So for some reason
> when I clone the current Debian 8 template and try to update it, it tries to
> do it through Whonix, and not through the sys-firewall VM as I have it
> configured.
>
> I've found something similar being described here:
> https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258
> . But in that case it is a Whonix VM suffering the issue, which makes more
> sense...
>
> So, in short, any idea or tips on how to properly (re)configure a VM so the
> updates go through the sys-firewall VM and not through Whonix?!
>
> Cheers

What it sounds like is the new Debian template VM is not making any connection at all, and the IP you're seeing is coming from a cache. It should resolve itself and go away if you manage to correct the connection issue.

Sometimes when people configure VMs they inadvertently end up with firewall settings that block everything. For a template VM, having "Deny network access except" and "Allow connections to update proxy" are normal. This works IF the sys-firewall and sys-net are basically default and not configured with extra options like VPNs. You can also try setting the Debian VM to allow full access for 5 min. to see if that allows it to connect during an update.

Chris
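
One way to check which firewall rule, if any, is seeing the template's traffic to 10.137.255.254:8082. This is an added example, not part of any poster's message. It reads `iptables -L -nv` output for the filter and nat tables and reports the packet counters of the rules for that address. A REDIRECT rule in the nat table hands matching packets to the VM's own INPUT path, so a non-zero REDIRECT counter next to a zero FORWARD counter means the traffic did arrive and the next check is whether a proxy is listening locally on that port. The function names and the sample listing are constructed for illustration, modelled on the listing format posted elsewhere in this thread.

```shell
#!/bin/sh
# Added illustration, not from the thread. Reads `iptables -L -nv` style
# listings (filter and nat tables concatenated) on stdin.

# Print "chain target pkts" for each rule whose destination is $1 and which
# matches "dpt:$2". Columns: pkts bytes target prot opt in out source destination
proxy_rule_hits() {
    awk -v ip="$1" -v port="$2" '
        $1 == "Chain" { chain = $2; next }   # remember the current chain name
        $1 == "pkts"  { next }               # skip the column header
        $9 == ip {
            for (i = 10; i <= NF; i++)
                if ($i == "dpt:" port) { print chain, $3, $1; break }
        }'
}

# Classify where traffic to the proxy address is being handled in this VM.
diagnose_proxy_path() {
    proxy_rule_hits "$1" "$2" | awk '
        $2 == "REDIRECT" && $3 != "0" { redirected = 1 }
        $2 == "ACCEPT"   && $3 != "0" { forwarded = 1 }
        END {
            if (redirected)     print "redirected-to-local"
            else if (forwarded) print "forwarded"
            else                print "not-seen"
        }'
}

# Constructed sample, modelled on the listing format quoted in this thread.
SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 10.137.2.22 10.137.255.254 tcp dpt:8082
    0     0 REJECT all -- * * 10.137.2.22 0.0.0.0/0 reject-with icmp-host-prohibited
Chain PR-QBS-SERVICES (1 references)
 pkts bytes target prot opt in out source destination
    3   180 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082'

printf '%s\n' "$SAMPLE" | diagnose_proxy_path 10.137.255.254 8082
```

On a live system the input would be `sudo iptables -L -nv; sudo iptables -L -nv -t nat` run in the NetVM after zeroing the counters and retrying the update.
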
[qubes-users] Default UpdateVM and Issues while updating VM
Hi guys,

I'm having a hard time trying to figure this out. When I installed Qubes OS I think I chose Whonix as the default to update VMs, but eventually I ended up changing it after a couple of days and set the UpdateVM to "sys-firewall".

Now, everything seems to be fine, except for when I try to upgrade the Debian 8 template to Debian 9. No matter what I try, I keep getting this sort of error after running apt-get update && apt-get upgrade:

***
E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082:
***

If you notice, it says it can't connect to that IP, which after debugging I've found out corresponds to the Whonix Gateway VM! So for some reason when I clone the current Debian 8 template and try to update it, it tries to do it through Whonix, and not through the sys-firewall VM as I have it configured.

I've found something similar being described here: https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258 . But in that case it is a Whonix VM suffering the issue, which makes more sense...

So, in short, any idea or tips on how to properly (re)configure a VM so the updates go through the sys-firewall VM and not through Whonix?!

Cheers