Connecting to Lantern before Tor/Testing
Note: This Page is for Testing Only![edit]
Please use the stable Connecting to Lantern before Tor Wiki page for Lantern configuration.
Advertisement:
Too difficult? Consider purchasing Premium Support.
User
→ Lantern
→ Tor
→ Internet
Introduction[edit]
Combining Tunnels with Tor[edit]
It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity.
The potential positive or negative effects on anonymity are being controversially debated.
The Whonix ™ project remains technologically neutral in the anonymity discussion. The improper combination of Tor and another service may actually degrade a user's security and anonymity. One such case is using a proxy to hide Tor network traffic from your ISP.
While proxies are a type of tunnel-link they should not be thought of as a replacement for a VPN and SSH in this configuration. This is because connections to proxies are unencrypted and therefore should not be used to hide Tor use. Proxies are ok for circumvention of censorship if that has been shown to work from the users location but are unsuitable for hiding Tor due to lack of encryption.
Combinations of tunnels-links with Tor are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix ™ users, using Tor in isolation – without a tunnel-link (VPN, proxy or SSH) – is the correct choice.
Tunnel-link before Tor use cases[edit]
User
→ tunnel-link
→ Tor
→ Internet
In this configuration network traffic will (1) enter the tunnel-link and pass through your ISP → (2) exit your tunnel-link server as encrypted Tor traffic→ (3) enter to the Tor network→ (4) exit the Tor network at a Tor exit node as normal internet traffic (encrypted or unencrypted).
Possible uses:
- You must connect to your tunnel-link to access the internet.
- Your ISP blocks Tor and Tor bridges but doesn’t block the tunnel-link.
- Fear of de-anonymizing attacks against the Tor network; belief that your tunnel-link is able to protect your identity in such case.
Warnings[edit]
Note: The following warnings are not Whonix ™ specific issues. They are general issues associated with combining Tor with tunnel-links.
Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor.
In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. [1]
Trusting Service Providers[edit]
A tunnel service provider that knows your identity and/or location may be more willing and able to compromise your privacy than your ISP.
Failed Closed Configurations[edit]
If your software configuration doesn’t block all traffic when your tunnel-link connection suddenly disconnects, your encrypted Tor traffic will go through your ISP without warning. This is the default nature of most tunnel configurations and not an issue specific to Whonix ™. [2]
Tunnel-links can Affect Anonymity[edit]
Using any extra tunnel, for example a VPN, proxy or SSH can can negatively affect anonymity under some circumstances. [3] [4]
To explain why that is, some background information is required so you can draw conclusions and take actions to avoid this risk. See below.
Using the same Tunnel Provider in Multiple VMs at the same Time[edit]
Don't use the same tunnel provider / configuration in more than one place at the same time.
For example, do not use the same tunnel setup inside Whonix-Gateway ™ as well as inside Whonix-Workstation ™. Also do not use the same tunnel setup on the host and inside a Whonix-Gateway ™ or Whonix-Workstation ™ at the same time.
Reusing Tunnel-links[edit]
Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. Doing so could tie any anonymous identities associated with the tunnel-link to the user's ISP assigned IP address.
Example:
In tunnel-chain 1, the ISP assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the users ISP assigned IP address was previously linked to that same tunnel-link, that anonymous identity can now be linked to the user actual IP address.
- Tunnel-chain 1: (
User
→Tunnel-link
[users IP address is linked] →Tor
→Internet
)
- Tunnel-chain 2: (
User
→Tor
→Tunnel-link
[anonymous activities linked] →Internet
)
The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. If this were done, all anonymous activities conducted with tunnel-chain 2 would then be link with the users ISP assigned IP address.
Qubes-Whonix ™ Templates[edit]
Qubes-Whonix ™ users note:
You probably do not want to run the tunnel software from within a Template. This is because the \{\{project_name_gateway_template\}\}
Template "is more like a workstation". It is behind sys-whonix
. It is not sys-whonix
itself.
(If you are using openvpn
inside Whonix-Gateway ™ (commonly called sys-whonix
) or Whonix-Workstation ™ (commonly called anon-whonix
) while following Whonix ™ documentation, openvpn
will not start inside the \{\{project_name_gateway_template\}\}
or whonix-ws-16
Template.) [5]
In Qubes R4 and above, the Templates's NetVM is purposely set to none
by Qubes default. (They are upgraded through the qrexec based updates proxy that will be running on
sys-whonix
.)
Hiding Tor Usage from ISPs[edit]
If using Tor is dangerous in your area, VPNs or SSH may not provide enough protection (due to software misconfiguration or sophisticated packet inspection).
Introduction to Lantern[edit]
Lantern is a censorship circumvention tool which can provide an alternative to Tor bridges. The design is similar to a VPN and encrypts all of a user's data through their servers and then proxies blocked sites. Note that Lantern in isolation is not an anonymity tool because it is technically possible to spy on user activity under this model. Another downside is that bandwidth limits also exist for non-subscribers: [6]
Lantern is designed to provide you with fast unfettered access to information online. Lantern is secure and encrypts your connection to blocked sites, but it is not an anonymity tool, so if you need or would like to be anonymous online, please use Tor. Otherwise, Lantern will give you faster access to blocked sites. ... To keep our free version running, we implemented a bandwidth limitation of 500 MB/ month. When the bandwidth limit is reached, the connection is slowed down and Free users are prompted to upgrade to Lantern Pro.
After bandwidth limits are reached the connection slows down to approximately 20KB/s, making Lantern virtually unusable. In order to remove this restriction, users must pay for the 'Lantern Pro' service. [7] The available options mean any payment is likely traceable, but this is not necessarily any more 'damaging' to privacy and/or anonymity than connecting to Lantern in the first place. [8] Interested readers can learn more at the Lantern forums and develeopers Q&A
.
Connecting to Lantern before Tor[edit]
Testers only! Qubes-Whonix ™ only! [9]
It is possible to configure Tor to use Lantern as a proxy to establish the following tunnel: User
→ Lantern
→ Tor
→ Internet
Before applying the following instructions, it is recommended to first read:
- Combining Tunnels with Tor
- Current limitations discussed in this blog post / forums discussion
.
1. Create a new standalone ProxyVM called Lantern-Gateway
based on the debian-11
template.
2. Unload all firewall rules in Lantern-Gateway
ProxyVM.
The iptables rules must be unloaded.
If using Qubes, disable qubes-iptables and qubes-firewall systemd services. Non-Qubes users can skip this.
sudo systemctl mask qubes-iptables sudo systemctl stop qubes-iptables sudo systemctl mask qubes-firewall sudo systemctl stop qubes-firewall
Open file ~/fw-unload
in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run. mousepad ~/fw-unload
If you are using a terminal, run. nano ~/fw-unload
Add.
#!/bin/bash ## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@whonix.org> ## See the file COPYING for copying conditions. set -o pipefail error_handler() { echo "ERROR!" >&2 exit 1 } trap "error_handler" ERR [ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait" [ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait" $iptables_cmd -P INPUT ACCEPT $iptables_cmd -P FORWARD ACCEPT $iptables_cmd -P OUTPUT ACCEPT $iptables_cmd -F $iptables_cmd -X $iptables_cmd -t nat -F $iptables_cmd -t nat -X $iptables_cmd -t mangle -F $iptables_cmd -t mangle -X $iptables_cmd -t raw -F $iptables_cmd -t raw -X $ip6tables_cmd -P INPUT ACCEPT $ip6tables_cmd -P OUTPUT ACCEPT $ip6tables_cmd -P FORWARD ACCEPT $ip6tables_cmd -F $ip6tables_cmd -X $ip6tables_cmd -t mangle -F $ip6tables_cmd -t mangle -X $ip6tables_cmd -t raw -F $ip6tables_cmd -t raw -X exit 0
Save.
Make ~/fw-unload executable.
chmod +x ~/fw-unload
Unload all iptables firewall rules.
sudo ~/fw-unload
After firewall unload, run the following command to see if all firewall rules are really unloaded.
sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'
The output should show.
*mangle :PREROUTING ACCEPT [0,0] :INPUT ACCEPT [0,0] :FORWARD ACCEPT [0,0] :OUTPUT ACCEPT [0,0] :POSTROUTING ACCEPT [0,0] COMMIT *raw :PREROUTING ACCEPT [0,0] :OUTPUT ACCEPT [0,0] COMMIT *nat :PREROUTING ACCEPT [0,0] :INPUT ACCEPT [0,0] :OUTPUT ACCEPT [0,0] :POSTROUTING ACCEPT [0,0] COMMIT *filter :INPUT ACCEPT [0,0] :FORWARD ACCEPT [0,0] :OUTPUT ACCEPT [0,0] COMMIT
3. Disable IP Forwarding in the Lantern-Gateway
ProxyVM.
This should be disabled since it is not required.
sudo sysctl -w net.ipv4.ip_forward=0
4. Install a missing Lantern dependency. [10]
sudo apt install libappindicator3-1
5. Download and install Lantern.
Check if the path to the downloadable deb file is still correct. Navigate to https://getlantern.org/ and check for Linux desktop downloads.
curl --tlsv1.3 https://s3.amazonaws.com/lantern/lantern-installer-beta-64-bit.deb --output ~/lantern-installer-beta-64-bit.deb
Install Lantern. [11]
sudo dpkg -i ~/lantern-installer-beta-64-bit.deb
6. Launch Lantern and configure HTTP proxy requests.
Start Lantern while listening on all, not just the internal, network interfaces so it is reachable from sys-whonix
.
Let Lantern listen for HTTP proxy requests.
lantern -addr 0.0.0.0:8787
Or let Lantern listen for SOCKS5 proxy requests which is preferred.
lantern -socksaddr 0.0.0.0:8788
7. Change sys-whonix
NetVM settings.
Shut down sys-whonix
if it is running. Set the sys-whonix
NetVM to Lantern-Gateway
, then restart sys-whonix
.
It is also encouraged to run various Tor tests at this step; see footnote. [13]
8. Edit the Tor configuration file in sys-whonix
.
Open file /usr/local/etc/torrc.d/50_user.conf
in a text editor of your choice with
sudoedit
.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)
→ Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway ™, complete the following steps. sudoedit /usr/local/etc/torrc.d/50_user.conf
Depending on the proxy type configured at step 6, add the relevant setting below. [14] [15]
10.137.11.1
is just an example and it must be replaced with the IP of the Lantern-Gateway
ProxyVM. To discover the Lantern-Gateway
ProxyVM IP, run the following command in sys-whonix
:
qubesdb-read /qubes-gateway
HTTPSProxy 10.137.11.1:8787
Socks5Proxy 10.137.11.1:8788
9. Reload Tor.
Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf
and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')
→ Reload Tor
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ Reload Tor
If you are using a terminal-only Whonix-Gateway ™, click
HERE
for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
The procedure is complete and Tor will now use Lantern as a proxy.
Footnotes[edit]
- ↑ Users in China are unlikely to circumvent government censorship
with vanilla bridges, as they are uniformly blocked. That said, anon-connection-wizard configured with the meek-amazon or meek-azure pluggable transport is reported to bypass Chinese censorship in late 2017.
- ↑ For example, VPNs require a failed closed configuration to prevent DNS leaks.
- ↑
https://lists.torproject.org/pipermail/tor-talk/2016-July/041757.html
- ↑
research / document impact for tunnel users if Tor relays hosted at the same tunnel provider
- ↑
This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf
checks the following condition
ConditionPathExists=!/var/run/qubes-service/whonix-template
Which means, if file
/var/run/qubes-service/whonix-template
exists, which is the case in Whonix ™ templateVMs, the openvpn@openvpn service will not be started. - ↑ https://getlantern.org/en_US/faq.html
- ↑ In early-2019, this costs $32 (USD) for one year, or $48 (USD) for two years.
- ↑ This is because advanced adversaries can discover that a user connected to Lantern (via logs), and pluggable transports are incapable of successfully hiding Tor use in all cases. Therefore, a payment trail simply acts as another confirmation mechanism and is not necessarily 'worse' under the circumstances.
- ↑ Non-Qubes-Whonix ™ is unsupported at present.
- ↑
Lack of a dependency declaration when installing Lantern on Debian
- broken link.
- ↑
- Proper Debian deb package: https://github.com/getlantern/lantern/issues/4837
- Debian APT repository with Lantern: https://github.com/getlantern/lantern/issues/4837
- Add Lantern to official Debian repositories: https://github.com/getlantern/lantern/issues/4837
- Debian Lantern RFP (request for packaging)
: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828932
- Proper Debian deb package: https://github.com/getlantern/lantern/issues/4837
- ↑
In
Lantern-Gateway
, check if Lantern's HTTP port is functional. curl --tlsv1.3 --proxytunnel --proxy 127.0.0.1:8788 https://check.torproject.org InLantern-Gateway
, check if Lantern's SOCKS port is functional. curl --tlsv1.3 --socks5-hostname socks5h://127.0.0.1:8788 https://check.torproject.org - ↑
In
sys-whonix
, test if Tor is able to connect to the HTTP proxy that Lantern is providing. UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proxytunnel --proxy 10.137.11.1:8788 https://check.torproject.org Insys-whonix
, test if Tor is able to connect to the SOCKS proxy that Lantern is providing. UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --socks5-hostname socks5h://10.137.11.1:8788 https://check.torproject.org - ↑ SOCKS is considered to be better. According to this issue
, Lantern already has SOCKS support. Open issues: https://github.com/getlantern/lantern/issues/4838
Socks5Proxy 10.137.11.1:8788
- ↑
Setup should now be easier (less need for IP changes) because Qubes has implemented optional static IP addresses
.