Hello, I ran into a problem updating my Qubes AppVM via Tor. My task is to hide the use of Qubes.
I have configured updates of all TemplateVMs and dom0 to go through Tor.
- Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK
- Replaced the standard repositories with the onion service for all TemplateVMs. All lines with (deb) yum.qubes-os.org are commented out. Uncommented all the lines with yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion.
I also made sure that in /etc/qubes-rpc/policy/qubes.UpdatesProxy the first line is uncommented. ($type:TemplateVM $default allow,target=sys-whonix)
The problem is that when I try to update the AppVM or Standalone template, I get an error, since the AppVM is connected via clearnet and the DNS server cannot recognize the DNS request. It also creates a DNS leak when trying to update or install a program: a DNS call for (deb) yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad. I analyzed this with Wireshark. Therefore, the update itself cannot work, since the home AppVM is not connected to sys-whonix.
Yes, the TemplateVM is updated normally, and there are no errors or DNS leaks. As I understand it, this is because the TemplateVM does not have a network, and updates go through Tor using qubes-rpc-policy.
I would be happy with any help, as well as instructions on how to get a regular AppVM to update and install applications through Tor, and also on how to avoid DNS leaks, so that only the update and installation traffic passes completely through Tor.
There is a question on a similar topic.
- Does the Qubes update check request pass through Tor? If not, how can I check for updates via Tor? My problem here is mainly that when I uncheck (check for updates) in the Qubes global settings and set (disable checking for updates of all qubes), after a certain time I still get a notification about an update for a specific qube.