I use sys-whonix as the update proxy for all templates in Qubes. In the Kicksecure 18 template, the APT source files under /etc/apt/sources.list.d/ are configured with tor+https by default.
Does this create a Tor over Tor scenario?
No. Qubes Templates are non-networked by default. Tor doesn’t run inside Qubes Templates.
Technical information:
sudo systemctl status tor
â—‹ tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/usr/lib/systemd/system/tor.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/tor.service.d
└─30_qubes.conf
Active: inactive (dead)
Condition: start condition unmet
└─ ConditionPathExists=!/var/run/qubes/this-is-templatevm was not met
Similar for.
sudo systemctl status tor@default
1 Like
Thanks! That’s what I was looking for.
Is there a reason for using tor+https instead of just httpsfor the default APT sources in the Qubes template? Is it specifically to allow automatic qube updates (“Check for qube updates” in Qubes Global Config) to route over Tor?
Related background knowledge: Kicksecure torified updates
It’s just a “technical convenience”.
- Non-Qubes-Kicksecure uses the same
/etc/apt/sources.list.d/debian.sourcesfile. - Useful if
apt updateis run in App Qube (for example for testing), Standalone VM. Having the Template usehttpsbut App Qubes / Standalone VMs usetor+httpswould be technically complex, hence avoided.
No.
Although Whonix is a different project, there is a similar situation for Qubes-Whonix templates, see: Qubes UpdatesProxy Stream Isolation