Update (TemplateVM, dom0) over Tor / torify all of Qubes traffic

Hello, I ran into the problem of updating my Qube AppVm via Tor. My task is to hide the use of Qubes.

I have configured updates of all TemplateVM and dom0 through Tor.
My actions:

  1. Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK
  2. Replaced the standard repositories with the onion service for all TemplateVM. All lines from (deb) yum.qubes-os.org are commented out. Uncommented all the lines yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
    I was also convinced that in /etc/qubes-rpc/policy/qubes.UpdatesProxy the first construct is without comment. ($ type: TemplateVM $ default permission, target = sys-whonix)

The problem is that when I try to update the AppVm or Standalone template, since Appvm is connected via clearnet, and the DNS server cannot recognize the Dns request, I get an error. It also creates a DNS leak when trying to update or install a program; DNS call for (deb) yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad. Analyzed through Wireshark. And therefore, the update itself can no longer work, since the home AppVm is not connected to Sys-whonix.

Yes, TemplateVm is updated normally, there are no errors or leaks in DNS, as I understand it, this is because TemplateVm does not have a network, and updates go through Tor using qubes-rpc-policy.

I will be happy with any help, as well as instructions on how to get the regular AppVM for updating and installing applications through Tor. And also, to avoid DNS leaks, so that only the update and installation traffic completely passes through Tor.

There is a question on a similar topic.

  1. Does Qube update request verification pass through Tor? If not, how can I check for updates via Tor. My problem here is mainly that when I uncheck (check for updates) in the settings of global qubes and install (disable checking for updates of all qubes) after a certain time, I still get a notification about the update of a specific qube.

Maybe I need to configure updates through a proxy.
Acquire :: http :: Proxy “http://127.0.0.1:8082/”;
Acquire :: tor :: proxy “http://127.0.0.1:8082/”;

But I did not find good documentation.

says closed but when you read the ticket it’s not actually fixed.

I am not trying to hide the use of Tor, but only the use of Qubes.

This ticket does not apply to my problem. I know Fedora is trying to call home.
I need to receive updates and installation of applications in AppVM and TemplateVM through Tor.
In TemplateVM, this is easy by setting UpdateVM to Sys-whonix. But AppVM will not be updated via Tor. I will be glad of any help.

kelman via Whonix Forum:

The problem is that when I try to update the AppVm or Standalone template, since Appvm is connected via clearnet, and the DNS server cannot recognize the Dns request, I get an error. It also creates a DNS leak when trying to update or install a program; DNS call for (deb) yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad. Analyzed through Wireshark. And therefore, the update itself can no longer work, since the home AppVm is not connected to Sys-whonix.

Not using sys-whonix… Doesn’t sound alike an issue caused by Whonix
then. This isn’t a general Qubes support forum. See:

kelman via Whonix Forum:

I am not trying to hide the use of Tor, but only the use of Qubes.

Good luck. I guess unless you don’t contribute to Qubes towards that
goal, it won’t e happening. While my above reference isn’t on topic
indeed it shows how difficult similar endeavors are.

Other issues for hiding Qubes from the top of my head:

  • Fedora phone home issue already mentioned
  • Qubes time sync (which likely differs from NTP on plain (non-Qubes)
    Debian host operating systems perhaps at least wrt when how/often it is
    being run)
  • Qubes update check as you already mentioned - even if torified, the
    timing mint hint at Qubes.
  • Not sure what else. Best to ask on Qubes mailing list and/or traffic
    analysis.