On 10/15/2016 08:07 AM, 4lef7a+2cmotzqtxu8g8 via qubes-users wrote:
> Hi,
> I've followed this tutorial in order to force all traffic to go through the VPN
> - https://www.qubes-os.org/doc/vpn/ .
> While this was successful, I'm no longer able to do any updates on the
> templateVMs (except the whonix which are working fine); it seems that the
> traffic somehow is now blocked.
> Does anyone know what rule should be added to iptables in order to have this
> working through the VPN?
> I've dropped all forward traffic (either upstream or downstream) from the
> sys-fw as suggested:
> iptables -I FORWARD -o eth0 -j DROP
> iptables -I FORWARD -i eth0 -j DROP
> Do I need to allow the forwarding traffic to and from the subnet
> 10.137.1.0/24 in order to have the updates working again?
> Thanks

The Qubes update proxy runs in sys-net by default. Since it intercepts
requests, it has to be able to understand what the downstream VMs are
requesting. Encrypting traffic with a VPN client means the proxy in
sys-net can't update.
Workarounds:
1. Have the templates use sys-firewall instead
If privacy during updates is an issue for you...
2. Turn on the update proxy in the VPN VM (or a downstream proxyVM)...
https://www.qubes-os.org/doc/software-update-vm/#updates-proxy
3. If you have sys-whonix set up, it will already have a running update proxy
4. Reconfigure the templates to not use the update proxy
Chris