Use socks5 proxy on Whonix Gateway to fix onion urls resolution

marmarek · marmarek · commit 2e68781a195f · 2025-10-23T10:41:36.000+02:00
When sys-whonix is used as updatevm, with repositories set to onion addresses, DNF (or rather curl) refuse to resolve the addresses, even though it is talking to Tor. See curl/curl#11125 Fix this by setting socks proxy explicitly. Use socks5h:// protocol to really delegate hostname resolution to the server. Do the same in qvm-template-repo-query (qubes.TemplateSearch and qubes.TemplateDownload services), as they also use dnf. QubesOS/qubes-issues#10253
diff --git a/package-managers/qubes-download-dom0-updates.sh b/package-managers/qubes-download-dom0-updates.sh
@@ -64,6 +64,14 @@ while [ -n "$1" ]; do
     shift
 done
 
+if [ -e /run/qubes-service/whonix-gateway ]; then
+    # DNF (or rather curl) refuses to resolve onion addresses directly, use
+    # socks proxy to avoid the issue
+    OPTS+=( --setopt=proxy=socks5h://127.0.0.1:9050/ )
+    # for stream isolation
+    OPTS+=( --setopt=proxy_username=dom0updates --setopt=proxy_password=dom0updates )
+fi
+
 if [ -z "$UPDATE_ACTION" ]; then
     UPDATE_ACTION=upgrade
 fi
diff --git a/qubes-rpc/qvm-template-repo-query b/qubes-rpc/qvm-template-repo-query
@@ -57,6 +57,14 @@ fi
 
 OPTS+=(-y "--setopt=reposdir=${repodir}" --quiet)
 
+if [ -e /run/qubes-service/whonix-gateway ]; then
+    # DNF (or rather curl) refuses to resolve onion addresses directly, use
+    # socks proxy to avoid the issue
+    OPTS+=( --setopt=proxy=socks5h://127.0.0.1:9050/ )
+    # for stream isolation
+    OPTS+=( --setopt=proxy_username=dom0updates --setopt=proxy_password=dom0updates )
+fi
+
 if ! $DNF5; then
     # use vendored 'downloadurl' dnf-plugin (fork of 'download' plugin), to print
     # all mirrors
