This guide will explain how to change the update proxy qube that is used when updating templates, this may be useful if you want to download your updates through a VPN or a qube with some caching.
The default update proxy is defined in /etc/qubes/policy.d/90-default.policy in dom0, it defaults to sys-whonix for qubes tagged whonix (which are tor qubes), otherwise it's sys-net for all other templates.
It's became easy to change the update proxy settings thanks to the new GUI. You can choose the default update proxy and also add exceptions, and you make sure you won't break anything 👍
In this example, we will use a qube named sys-vpn as a proxy for the templates VMs:
In dom0, edit the file /etc/qubes/policy.d/30-user.policy (it shouldn't exist by default), it will override the default settings, add the following content to the file. Note that the Whonix lines are required if you plan to use whonix (qubes with tor).
# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
# Your custom UpdateProxy
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-vpn
In the settings of sys-vpn qube, go to the Services tab, in the drop down list select qubes-updates-proxy and then click on the [+ Add] button.
Restart the qube, done!