Templates incorrectly think they're not connected to a Whonix gateway.

Sometimes my Whonix templates think they are not connected to a Whonix gateway when they are. Some Whonix templates (both gateway and workstation) will connect to the update VM just fine, but others will complain.

On the complaining template I am not able to use apt-get at all, but whonixcheck gives no errors up until checking for updates. Changing the NetVM to another Whonix gateway sometimes fixes it, simply restarting sometimes fixes it, sometimes nothing seems to fix it.


System info:

  • Qubes 3.1 updated from qubes-dom0-current-testing

  • whonix-gateway-packages-dependencies 2.9-1

  • Whonix Build Version: 12.0.0.3.2 testers


Here is the error given:

Whonix-Gateway NetVM required for updates!

Please ensure that this TemplateVM has a Whonix-Gateway as its NetVM.

No updates are possible without an active (running) Whonix-Gateway VM.


Ran on Whonix-Gateway template:

[code]user@host:~$ sudo apt-get update
Ign http://security.debian.org jessie/updates InRelease
Ign http://ftp.us.debian.org jessie InRelease
Ign http://deb.qubes-os.org jessie InRelease
Ign http://mirror.whonix.de testers InRelease
Err http://security.debian.org jessie/updates Release.gpg
  Cannot initiate the connection to 10.137.255.254:8082 (10.137.255.254). - connect (111: Connection refused)
Ign http://deb.torproject.org jessie InRelease
Err http://deb.qubes-os.org jessie Release.gpg
  Cannot initiate the connection to 10.137.255.254:8082 (10.137.255.254). - connect (111: Connection refused)
Err http://mirror.whonix.de testers Release.gpg
  Cannot initiate the connection to 10.137.255.254:8082 (10.137.255.254). - connect (111: Connection refused)
Err http://ftp.us.debian.org jessie Release.gpg
  Cannot initiate the connection to 10.137.255.254:8082 (10.137.255.254). - connect (111: Connection refused)
Err http://deb.torproject.org jessie Release.gpg
  Cannot initiate the connection to 10.137.255.254:8082 (10.137.255.254). - connect (111: Connection refused)[/code]


Ran on NetVM for Whonix-Gateway template, which is a Whonix-Gateway:

[code]user@host:~$ sudo ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:5e:6c:20
inet addr:10.137.3.34 Bcast:10.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27838 errors:0 dropped:0 overruns:0 frame:0
TX packets:14421 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34461845 (32.8 MiB) TX bytes:1973510 (1.8 MiB)

eth1 Link encap:Ethernet HWaddr 5e:b5:c0:4f:ad:d6
inet addr:10.137.12.1 Bcast:10.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:13226 errors:0 dropped:0 overruns:0 frame:0
TX packets:13226 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:31350942 (29.8 MiB) TX bytes:31350942 (29.8 MiB)

vif20.0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet addr:10.137.12.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1972 errors:0 dropped:0 overruns:0 frame:0
TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:88501 (86.4 KiB) TX bytes:128300 (125.2 KiB)[/code]

Please let me know anything else needed for debugging. I’m getting this error almost every time I do updates on at least one template.

Here is the output of whonixcheck on a Whonix-Workstation template that is connected to a Whonix-Gateway, but thinks it is not.

[code]user@host:~$ whonixcheck
[INFO] [whonixcheck] w12-WS | Whonix-Workstation | TemplateVM | Fri Mar 25 00:51:00 UTC 2016
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] SocksPort Test: Testing Tor’s SocksPort…
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: 91.219.236.218
[INFO] [whonixcheck] TransPort Test: Testing Tor’s TransPort…
[INFO] [whonixcheck] TransPort Test Result: Connected to Tor. IP: 158.130.0.242
[INFO] [whonixcheck] Stream Isolation Test Result: Functional.
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updates…
[INFO] [whonixcheck] Whonix News Result:
√ Up to date: whonix-workstation-packages-dependencies 2.9-1
√ Up to date: Whonix Build Version: 12.0.0.3.2
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get… ( Documentation: Operating System Software and Updates - Kicksecure )
[WARNING] [whonixcheck] Debian Package Update Check Result: Could not check for software updates! (apt-get code: 100)
Please manually check inside this TemplateVM (‘w12-WS’).
1. Open a terminal. (dom0 → Start Menu → Template: w12-WS → Terminal)
2. Update. sudo apt-get update && sudo apt-get dist-upgrade
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases TESTERS updates,
they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
along with updated packages from the Debian team. Please
read Placing Trust in Whonix ™ to understand the risk.
If you want to change this, use:
sudo whonix_repository[/code]

bash -x whonixcheck: https://gist.githubusercontent.com/anonymous/04c35bc8fb2c50dc686f/raw/b5252d88140da06271ec12b533afcb1bf54e1d68/gistfile1.txt

@Patrick Is there a way to force the template to do apt-get when this error occurs? The problem is persisting to the point that I haven’t been able to check for updates on my gateways for 3 days and my main workstation for 24 hours now.

Confirmed.


Try this.

Workaround:

sudo touch /var/run/qubes-service/whonix-secure-proxy

Or.

sudo apt-get.anondist-orig ...

Both options work. Thank you.

Related:

When this happens again, can you please also check if re-running…

sudo /usr/lib/qubes-whonix/init/enable-firewall

…fixes it?


A note from my todo list that could be related:

In TemplateVM… If Tor is down in sys-whonix, it will show the ensure NetVM is set to sys-whonix popup by qubes-whonix.


Main related files here:


This could be a race condition. qubes-whonix-firewall.service is supposed to start before networking, which makes a lot of sense for sys-whonix / anon-whonix VMs, so the firewall gets loaded before networking is up. This however makes no sense at all to run the curl based test if we are connected to a torified updates proxy.

When this happens again, can you please also check if re-running…

sudo /usr/lib/qubes-whonix/init/enable-firewall

…fixes it?

Confirmed:

[code]user@host:~$ ls /var/run/qubes-service/
cups meminfo-writer updates-proxy-setup whonix-template
user@host:~$ sudo apt-get update
Ign http://security.debian.org jessie/updates InRelease
Ign http://ftp.us.debian.org jessie InRelease
Ign http://deb.qubes-os.org jessie InRelease
Ign http://deb.torproject.org jessie InRelease
Err http://security.debian.org jessie/updates Release.gpg
  Cannot initiate the connection ...
user@host:~$ sudo /usr/lib/qubes-whonix/init/enable-firewall
user@host:~$ ls /var/run/qubes-service/
cups meminfo-writer updates-proxy-setup whonix-secure-proxy whonix-template
user@host:~$ sudo apt-get update
Hit http://security.debian.org jessie/updates InRelease
Hit http://deb.qubes-os.org jessie InRelease
Hit http://mirror.whonix.de testers InRelease
...[/code]

Thanks!

This will be fixed in Whonix 13.

Should anyone still be having issues with this…

Please check you are using Whonix 13 or upgraded to Whonix 13 (using instructions Release Upgrade - Whonix).

Please state your Whonix version.

Please run the following commands and post their output.

sudo service qubes-whonix-torified-updates-proxy-check status

ls -la /var/run/qubes-service/whonix-secure-proxy

sudo rm /var/run/qubes-service/whonix-secure-proxy

sudo bash -x /usr/lib/qubes-whonix/init/torified-updates-proxy-check

Still happening for me sporadically. Here are the outputs you requested from a gateway template:

Whonix 13 (upgraded from your instructions)

Qubes 3.1

[code]user@host:~$ sudo service qubes-whonix-torified-updates-proxy-check status
● qubes-whonix-torified-updates-proxy-check.service - Qubes Whonix Torified Updates Proxy Check
Loaded: loaded (/lib/systemd/system/qubes-whonix-torified-updates-proxy-check.service; enabled)
Active: active (exited) since Sun 2016-06-12 13:42:15 UTC; 52s ago
Process: 514 ExecStart=/usr/lib/qubes-whonix/init/torified-updates-proxy-check (code=exited, status=0/SUCCESS)
Main PID: 514 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/qubes-whonix-torified-updates-proxy-check.service

Jun 12 13:42:15 host systemd[1]: Started Qubes Whonix Torified Updates Proxy Check.
user@host:~$ ls -la /var/run/qubes-service/whonix-secure-proxy
ls: cannot access /var/run/qubes-service/whonix-secure-proxy: No such file or directory
user@host:~$ sudo rm /var/run/qubes-service/whonix-secure-proxy
rm: cannot remove ‘/var/run/qubes-service/whonix-secure-proxy’: No such file or directory
user@host:~$ sudo bash -x /usr/lib/qubes-whonix/init/torified-updates-proxy-check
++ qubesdb-read /qubes-vm-type
+ qubes_vm_type=TemplateVM
+ '[' '!' TemplateVM = TemplateVM ']'
+ '[' -e /var/run/qubes-service/whonix-secure-proxy ']'
+ source /usr/lib/qubes-whonix/utility_functions.sh
++ PROXY_SERVER=http://10.137.255.254:8082/
++ PROXY_META=''
++ UWT_DEV_PASSTHROUGH=1
++ curl --silent --connect-timeout 10 http://10.137.255.254:8082/
+ curl_output='<?xml version="1.0" encoding="UTF-8" ?>
403 Filtered

Filtered

The request you made has been filtered

Generated by tinyproxy version 1.8.3.

'
+ echo '<?xml version="1.0" encoding="UTF-8" ?>
403 Filtered

Filtered

The request you made has been filtered

Generated by tinyproxy version 1.8.3.

'
+ grep -q ''
+ touch /var/run/qubes-service/whonix-secure-proxy
user@host:~$[/code]

In whonix-gw TemplateVM, please edit /usr/lib/qubes-whonix/init/torified-updates-proxy-check with root rights.

kdesudo kwrite /usr/lib/qubes-whonix/init/torified-updates-proxy-check

Below

#!/bin/bash -e

Add.

set -x

Save.

Reboot.

Then when this happens next time, please run.

sudo journalctl -u qubes-whonix-torified-updates-proxy-check | cat

From gateway template:

[code]user@host:~$ sudo journalctl -u qubes-whonix-torified-updates-proxy-check | cat
-- Logs begin at Mon 2016-06-13 01:16:38 UTC, end at Mon 2016-06-13 01:17:47 UTC. --
Jun 13 01:16:27 host systemd[1]: Starting Qubes Whonix Torified Updates Proxy Check...
Jun 13 01:16:27 host torified-updates-proxy-check[525]: ++ qubesdb-read /qubes-vm-type
Jun 13 01:16:27 host torified-updates-proxy-check[525]: + qubes_vm_type=TemplateVM
Jun 13 01:16:27 host torified-updates-proxy-check[525]: + '[' '!' TemplateVM = TemplateVM ']'
Jun 13 01:16:27 host torified-updates-proxy-check[525]: + '[' -e /var/run/qubes-service/whonix-secure-proxy ']'
Jun 13 01:16:27 host torified-updates-proxy-check[525]: + source /usr/lib/qubes-whonix/utility_functions.sh
Jun 13 01:16:27 host torified-updates-proxy-check[525]: ++ PROXY_SERVER=http://10.137.255.254:8082/
Jun 13 01:16:27 host torified-updates-proxy-check[525]: ++ PROXY_META='<meta name="application-name" content="tor proxy"/>'
Jun 13 01:16:27 host torified-updates-proxy-check[525]: ++ UWT_DEV_PASSTHROUGH=1
Jun 13 01:16:27 host torified-updates-proxy-check[525]: ++ curl --silent --connect-timeout 10 http://10.137.255.254:8082/
Jun 13 01:16:28 host torified-updates-proxy-check[525]: + curl_output=
Jun 13 01:16:28 host torified-updates-proxy-check[525]: + true
Jun 13 01:16:28 host torified-updates-proxy-check[525]: + echo ''
Jun 13 01:16:28 host torified-updates-proxy-check[525]: + grep -q '<meta name="application-name" content="tor proxy"/>'
Jun 13 01:16:28 host systemd[1]: Started Qubes Whonix Torified Updates Proxy Check.[/code]
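
The journal above shows the check running once at boot, getting an empty reply from curl, and finishing without creating /var/run/qubes-service/whonix-secure-proxy. The sketch below is an added example, not the qubes-whonix script and not code from any poster in this thread: it retries only while the proxy gives no reply, and still refuses a proxy that answers without the Tor marker. Function names, retry counts and exit codes are assumptions; the URL, curl options and meta tag are taken from the traces in this thread.

```shell
#!/bin/sh
# Added illustration; all function names here are hypothetical.
PROXY_SERVER='http://10.137.255.254:8082/'
PROXY_META='<meta name="application-name" content="tor proxy"/>'

# Classify a proxy response body:
#   torified      body carries the Tor proxy marker
#   not-torified  something answered, but without the marker
#   no-response   empty body (proxy not reachable yet, e.g. early in boot)
classify_proxy_response() {
    body=$1
    if [ -z "$body" ]; then
        echo no-response
    elif printf '%s\n' "$body" | grep -qF -- "$PROXY_META"; then
        echo torified
    else
        echo not-torified
    fi
}

# Default fetcher: the same curl call that appears in the traces.
fetch_proxy_page() {
    curl --silent --connect-timeout 10 "$PROXY_SERVER" || true
}

# Poll until the proxy answers. Only an empty reply is retried; a proxy
# that answers without the marker is rejected at once (fail closed).
# $1 = fetch command, $2 = max attempts, $3 = seconds between attempts
wait_for_torified_proxy() {
    fetch=${1:-fetch_proxy_page}; attempts=${2:-5}; delay=${3:-2}
    i=1
    while [ "$i" -le "$attempts" ]; do
        result=$(classify_proxy_response "$("$fetch")")
        case $result in
            torified) echo "torified after $i attempt(s)"; return 0 ;;
            not-torified) echo "not-torified"; return 1 ;;
        esac
        i=$((i + 1))
        if [ "$i" -le "$attempts" ]; then sleep "$delay"; fi
    done
    echo "no-response after $attempts attempt(s)"
    return 2
}
```

A caller would create the marker file only when `wait_for_torified_proxy` returns 0, so the empty-reply case from the journal is retried while a non-Tor proxy never unlocks apt.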

Can you try in such situations if whonixcheck outputs any warnings or
errors please?

Gateway template (Whonix13/Qubes3.1).

Worth mentioning: I upgraded whonixcheck via apt-get to version 3:4.6.3-1 a few hours ago.

[code]user@host:~$ whonixcheck
[INFO] [whonixcheck] w13-gw | Whonix-Gateway | TemplateVM | Mon Jun 13 09:15:12 UTC 2016
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] SocksPort Test: Testing Tor’s SocksPort…
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: 65.19.167.132
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updates…
[INFO] [whonixcheck] Whonix News Result:
√ Up to date: whonix-gateway-packages-dependencies 3.4-1
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get… ( Documentation: Operating System Software and Updates - Kicksecure )
[WARNING] [whonixcheck] Debian Package Update Check Result: Could not check for software updates! (apt-get code: 100)
Please manually check inside this TemplateVM (‘w13-gw’).
1. Open a terminal. (dom0 → Start Menu → Template: w13-gw → Terminal)
2. Update. sudo apt-get update && sudo apt-get dist-upgrade
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases TESTERS updates,
they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
along with updated packages from the Debian team. Please
read Placing Trust in Whonix ™ to understand the risk.
If you want to change this, use:
sudo whonix_repository[/code]

Output of bash -x whonixcheck: https://gist.githubusercontent.com/anonymous/df289788c9392b9e3285d663040b0cf1/raw/847a7c98e366e5cfd14ca03800492c3baf4c0d54/gistfile1.txt

Related:
https://github.com/Whonix/qubes-whonix/pull/2

I am off-and-on having this issue, and keep this thread around to remember how to resolve it.

However sudo /usr/lib/qubes-whonix/init/enable-firewall does not fix my issue. sudo touch /var/run/qubes-service/whonix-secure-proxy does, however.

Using Qubes R3.2 / Whonix 13?

Yes … Qubes R3.2 . Not sure how to check whonix release number.

I haven’t had this problem in a long time, but I always make sure to start sys-whonix separately and wait for the “Connected to Tor” message before starting a template.