diff --git a/Makefile b/Makefile
index 5e5a8d0..5a4476f 100644
--- a/Makefile
+++ b/Makefile
@@ -119,6 +119,7 @@ install-systemd: install-init
 	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} $(DESTDIR)$(LIBDIR)/qubes/init $(DESTDIR)$(SYSLIBDIR)/modules-load.d
 	install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+	install -m 0644 vm-systemd/qubes-*.socket $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
 	install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
@@ -136,6 +137,7 @@ install-sysvinit: install-init
 	install vm-init.d/qubes-qrexec-agent $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
 	install vm-init.d/qubes-dvm $(DESTDIR)/etc/init.d/
+	install vm-init.d/qubes-updates-proxy-forwarder $(DESTDIR)/etc/init.d/
 	install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
 	install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
 	install network/qubes-iptables $(DESTDIR)/etc/init.d/
@@ -268,6 +270,7 @@ install-common:
 	install -m 0755 qubes-rpc/qubes.InstallUpdatesGUI $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.ResizeDisk $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.StartApp $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc
 
 	install -d $(DESTDIR)/etc/qubes/suspend-pre.d
 	install -m 0644 qubes-rpc/suspend-pre.README $(DESTDIR)/etc/qubes/suspend-pre.d/README
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
index 2f2c07e..7622fc6 100644
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@@ -30,6 +30,7 @@ etc/qubes-rpc/qubes.SuspendPostAll
 etc/qubes-rpc/qubes.SuspendPre
 etc/qubes-rpc/qubes.SuspendPreAll
 etc/qubes-rpc/qubes.SyncNtpClock
+etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes-rpc/qubes.VMShell
 etc/qubes-rpc/qubes.WaitForSession
 etc/qubes-suspend-module-blacklist
@@ -83,6 +84,8 @@ lib/systemd/system/qubes-sysinit.service
 lib/systemd/system/qubes-update-check.service
 lib/systemd/system/qubes-update-check.timer
 lib/systemd/system/qubes-updates-proxy.service
+lib/systemd/system/qubes-updates-proxy-forwarder@.service
+lib/systemd/system/qubes-updates-proxy-forwarder.socket
 lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf
 lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf
 lib/systemd/system/tmp.mount.d/30_qubes.conf
diff --git a/network/update-proxy-configs b/network/update-proxy-configs
index 328b2b0..c5c7e50 100755
--- a/network/update-proxy-configs
+++ b/network/update-proxy-configs
@@ -75,7 +75,7 @@ EOF
 
 # Determine whether the proxy should be used
 if qsvc yum-proxy-setup || qsvc updates-proxy-setup ; then
-    PROXY_ADDR="http://10.137.255.254:8082/"
+    PROXY_ADDR="http://127.0.0.1:8082/"
     PROXY_CONF_ENTRY="proxy=$PROXY_ADDR"
 else
     PROXY_ADDR=""
diff --git a/qubes-rpc/qubes.UpdatesProxy b/qubes-rpc/qubes.UpdatesProxy
new file mode 100755
index 0000000..072eba8
--- /dev/null
+++ b/qubes-rpc/qubes.UpdatesProxy
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec nc localhost 8082
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 8f6d76d..6f97811 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -20,7 +20,7 @@
 #
 #
 
-%define qubes_services qubes-core qubes-core-netvm qubes-core-early qubes-firewall qubes-iptables qubes-updates-proxy qubes-qrexec-agent qubes-dvm
+%define qubes_services qubes-core qubes-core-netvm qubes-core-early qubes-firewall qubes-iptables qubes-updates-proxy qubes-qrexec-agent qubes-dvm qubes-updates-proxy-forwarder
 %define qubes_preset_file 75-qubes-vm.preset
 
 %{!?version: %define version %(cat version)}
@@ -124,6 +124,7 @@ Conflicts:  firewalld
 Requires:	xdg-utils
 Requires:   ethtool
 Requires:   tinyproxy
+Requires:   nmap-ncat
 Requires:   ntpdate
 Requires:   net-tools
 Requires:   qubes-utils >= 3.1.3
@@ -440,6 +441,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes-rpc/qubes.InstallUpdatesGUI
 %config(noreplace) /etc/qubes-rpc/qubes.ResizeDisk
 %config(noreplace) /etc/qubes-rpc/qubes.StartApp
+%config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
 %dir /etc/qubes/autostart
 /etc/qubes/autostart/README.txt
 %config /etc/qubes/autostart/*.desktop.d/30_qubes.conf
@@ -576,6 +578,7 @@ The Qubes core startup configuration for SysV init (or upstart).
 /etc/init.d/qubes-iptables
 /etc/init.d/qubes-updates-proxy
 /etc/init.d/qubes-qrexec-agent
+/etc/init.d/qubes-updates-proxy-forwarder
 /etc/sysconfig/modules/qubes-core.modules
 /etc/sysconfig/modules/qubes-misc.modules
 
@@ -650,6 +653,8 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/qubes-update-check.timer
 /lib/systemd/system/qubes-updates-proxy.service
 /lib/systemd/system/qubes-qrexec-agent.service
+/lib/systemd/system/qubes-updates-proxy-forwarder@.service
+/lib/systemd/system/qubes-updates-proxy-forwarder.socket
 /lib/systemd/system-preset/%qubes_preset_file
 /lib/modules-load.d/qubes-core.conf
 /lib/modules-load.d/qubes-misc.conf
diff --git a/vm-init.d/qubes-updates-proxy-forwarder b/vm-init.d/qubes-updates-proxy-forwarder
new file mode 100755
index 0000000..0c397ab
--- /dev/null
+++ b/vm-init.d/qubes-updates-proxy-forwarder
@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# Updates proxy forwarder     Startup script for the updates proxy forwarder
+#
+# chkconfig: 345 85 15
+# description: forwards connection to updates proxy over Qubes RPC
+#
+# processname: ncat
+# pidfile:     /var/run/qubes-updates-proxy-forwarder.pid
+#
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source Qubes library.
+. /usr/lib/qubes/init/functions
+
+# Source networking configuration.
+.  /etc/sysconfig/network
+
+# Check that networking is up.
+[ "$NETWORKING" = "no" ] && exit 0
+
+exec="/usr/bin/ncat"
+prog=$(basename $exec)
+pidfile="/var/run/qubes-updates-proxy-forwarder.pid"
+
+[ -e /etc/sysconfig/qubes-updates-proxy-forwarder ] && . /etc/sysconfig/qubes-updates-proxy-forwarder
+
+lockfile=/var/lock/subsys/qubes-updates-proxy-forwarder
+
+start() {
+    have_qubesdb || return
+
+    if ! qsvc updates-proxy-setup ; then
+        # updates proxy configuration disabled
+        exit 0
+    fi
+
+    if qsvc qubes-updates-proxy ; then
+        # updates proxy running here too, avoid looping traffic back to itself
+        exit 0
+    fi
+
+    [ -x $exec ] || exit 5
+
+    echo -n $"Starting $prog (as Qubes updates proxy forwarder): "
+    start-stop-daemon \
+        --exec $exec \
+        --pidfile "$pidfile" \
+        --make-pidfile \
+        --background \
+        --start \
+        -- \
+        -k -l -e 'qrexec-client-vm $default qubes.UpdatesProxy'
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && touch $lockfile
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping $prog: "
+    killproc -p $pidfile $prog
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && rm -f $lockfile
+    return $retval
+}
+
+restart() {
+    stop
+    start
+}
+
+force_reload() {
+    restart
+}
+
+rh_status() {
+    status $prog
+}
+
+rh_status_q() {
+    rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+    start)
+        rh_status_q && exit 0
+        $1
+        ;;
+    stop)
+        rh_status_q || exit 0
+        $1
+        ;;
+    restart)
+        $1
+        ;;
+    force-reload)
+        force_reload
+        ;;
+    status)
+        rh_status
+        ;;
+    condrestart|try-restart)
+        rh_status_q || exit 0
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|force-reload}"
+        exit 2
+esac
+exit $?
+
diff --git a/vm-systemd/75-qubes-vm.preset b/vm-systemd/75-qubes-vm.preset
index b411609..b6850bd 100644
--- a/vm-systemd/75-qubes-vm.preset
+++ b/vm-systemd/75-qubes-vm.preset
@@ -90,6 +90,7 @@ enable qubes-mount-dirs.service
 enable qubes-firewall.service
 enable qubes-meminfo-writer.service
 enable qubes-iptables.service
+enable qubes-updates-proxy-forwarder.socket
 enable haveged.service
 enable chronyd.service
 enable xendriverdomain.service
diff --git a/vm-systemd/qubes-updates-proxy-forwarder.socket b/vm-systemd/qubes-updates-proxy-forwarder.socket
new file mode 100644
index 0000000..86f1e2b
--- /dev/null
+++ b/vm-systemd/qubes-updates-proxy-forwarder.socket
@@ -0,0 +1,14 @@
+[Unit]
+Description=Forward connection to updates proxy over Qubes RPC
+ConditionPathExists=/var/run/qubes-service/updates-proxy-setup
+# don't start the forwarder when updates proxy itself is also enabled here,
+# otherwise it would most likely loop back to itself
+ConditionPathExists=!/var/run/qubes-service/qubes-updates-proxy
+
+[Socket]
+ListenStream=127.0.0.1:8082
+BindToDevice=lo
+Accept=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vm-systemd/qubes-updates-proxy-forwarder@.service b/vm-systemd/qubes-updates-proxy-forwarder@.service
new file mode 100644
index 0000000..01d0658
--- /dev/null
+++ b/vm-systemd/qubes-updates-proxy-forwarder@.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Forward connection to updates proxy over Qubes RPC
+
+[Service]
+ExecStart=/usr/bin/qrexec-client-vm '' qubes.UpdatesProxy
+StandardInput=socket
+StandardOutput=inherit