
Corridor


Using corridor, a Tor traffic whitelisting gateway with Whonix


Introduction

corridor is a Tor traffic whitelisting gateway. It is a filtering gateway, not a proxying gateway.

https://github.com/rustybird/corridor

It can also be used as a BridgeFirewall.

Connecting to corridor before Tor

Introduction

It is possible to configure Whonix-Gateway (sys-whonix) to use corridor as a local proxy to establish the following tunnel:
User -> corridor -> Tor -> Internet

This is not necessarily more anonymous. It is an additional fail-safe Tor traffic whitelisting firewall that protects from accidental clearnet leaks (hypothetical clearnet leak bugs in Whonix). As corridor's project description states, "it cannot prevent malware on a client computer from finding out your clearnet IP address". corridor is mostly useful for developers and auditors of Whonix, and perhaps also for advanced users who would like an additional safety net. It cannot protect from hypothetical Qubes ProxyVM leak bugs either; a physically isolated, standalone corridor-Gateway would be better and could cover that.

It does not increase the tunnel length, i.e. it does not add more relays between you and the destination; if you are interested in that, see Tunnels/Introduction.

If you want to do this, apply the following instructions.

Qubes-Whonix only! Non-Qubes-Whonix is unsupported. [1]

Credits: The author of corridor is rustybird. The author of the fork of corridor for Debian, which is used in these instructions, is Patrick Schleizer.

The following instructions should be applied in Qubes, using a Debian template.

Warning

dom0 setup

Create a new standalone ProxyVM called sys-corridor based on the Debian-8 template.

Qubes VM Manager -> Create AppVM -> enable 'Standalone' -> name: sys-corridor -> template: Debian-8 -> OK

Enable the corridor qvm service.

Qubes VM Manager -> click on sys-corridor -> right click -> VM settings -> services -> type in the field -> corridor -> press + -> press OK

sys-corridor setup

Start sys-corridor and open a terminal using Qubes start menu.

Inside sys-corridor...

Optional. If you want to use corridor as a BridgeFirewall, configure Tor to use bridges now. (The Whonix page about Bridges might help, but it does not apply one to one.) If you do so, also create the folder /etc/corridor.d and the configuration file /etc/corridor.d/21-bridges-user.conf now. Otherwise, if you prefer to use Tor entry guards [2], you can skip this.

Note: Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.

Open /etc/corridor.d/21-bridges-user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/corridor.d/21-bridges-user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/corridor.d/21-bridges-user.conf

Add.

BRIDGES=`grep -Ei '^[[:space:]]*Bridge[[:space:]]' /etc/tor/torrc`

Save.

Get Whonix Signing Key.

gpg --keyserver keys.gnupg.net --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

Add Whonix's Signing Key to apt-key.

gpg --export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA | sudo apt-key add -

Add Whonix's APT repository. The default Whonix uses Debian stable (at time of writing: jessie).

echo "deb http://deb.whonix.org/ jessie main"  | sudo tee /etc/apt/sources.list.d/whonix.list

Update your package lists.

sudo apt-get update

Install corridor.

sudo apt-get install corridor

As long as these instructions are experimental, you are advised to run the following systemctl commands to check that everything is alright.

sudo systemctl status corridor-data
sudo systemctl status corridor-init-forwarding
sudo systemctl status corridor-init-logged
sudo systemctl status corridor-init-snat

Reboot sys-corridor.

test corridor

Run the above systemctl commands again.

Create an AppVM called corridor-client (or use an appropriate existing one) and install / run either system Tor (from Debian or Fedora package sources) or the Tor Browser Bundle (TBB). Then set the NetVM of corridor-client to sys-corridor. Tor should still be able to connect.

To test system-tor, start watching Tor's log.

sudo tail -f /var/log/tor/log

See if it initially successfully connected.

Then restart Tor.

sudo service tor restart

See if Tor is still able to connect.

To test TBB, check that it can connect to the internet while its NetVM is still set to sys-firewall. Then set the NetVM to sys-corridor and see if it can still connect. If so, that is a good sign. Finally, you should attempt an un-torified connection using an un-torified application such as the chromium or firefox browser. Un-torified applications should fail to connect to the internet.

test logging

Whenever you try something that corridor blocks, such as the un-torified connection attempt in the test corridor section above, it appears in syslog. Examine /var/log/syslog.

Open /var/log/syslog in an editor.

If you are using a graphical environment, run:

kwrite /var/log/syslog

If you are using a terminal (Konsole), run:

nano /var/log/syslog

To watch it live, run this inside sys-corridor.

tail -f /var/log/syslog

If corridor blocked something, it will look like this.

Jul 19 00:58:27 localhost kernel: [  954.706833] corridor:
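An added example (not from corridor or the Whonix wiki) that summarises such reject lines per blocked flow, so a burst of rejects from one client can be spotted at a glance. The syslog lines inside it are constructed in the standard netfilter LOG format; the field names (SRC, DST, PROTO, DPT) are assumed from that format, not taken from this page. Keep in mind, from the ruleset in the Debugging section, that only sources in the corridor_logged ipset are logged at all.

```shell
#!/bin/sh
# Added example, not from corridor or the Whonix wiki: summarise what corridor
# rejected from syslog. The lines below are constructed in the netfilter LOG
# format the CORRIDOR_FILTER rule emits ("corridor: reject " then KEY=VALUE
# fields); real lines carry more fields, which this parser simply ignores.
SAMPLE_SYSLOG='Jul 19 00:58:27 localhost kernel: [  954.706833] corridor: reject IN=vif3.0 OUT=eth0 SRC=10.137.3.5 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=41234 DPT=443
Jul 19 00:58:29 localhost kernel: [  956.100001] corridor: reject IN=vif3.0 OUT=eth0 SRC=10.137.3.5 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=41236 DPT=443
Jul 19 00:58:31 localhost kernel: [  958.200002] corridor: reject IN=vif3.0 OUT=eth0 SRC=10.137.3.5 DST=8.8.8.8 LEN=56 PROTO=UDP SPT=53211 DPT=53
Jul 19 00:58:32 localhost kernel: [  959.300003] vif3.0: unrelated message that must be ignored'

# corridor_reject_count: number of packets corridor rejected in the syslog
# text read from stdin.
corridor_reject_count() {
    grep -c 'corridor: reject '
}

# corridor_rejects: one line per distinct rejected flow, formatted as
# "COUNT SRC DST PROTO DPT", most frequent first. Reads syslog from stdin.
corridor_rejects() {
    grep 'corridor: reject ' | awk '{
        src = dst = proto = dpt = "?"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        count[src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_SYSLOG" | corridor_rejects
```

On sys-corridor, feed the real file instead: corridor_rejects < /var/log/syslog.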

interpreting the results

It is probably best not to set VMs other than sys-whonix to use sys-corridor as their NetVM, because qubes-update-check.service and other things may try to use the internet without going through Tor. Therefore shut down corridor-client.

configure sys-whonix

Set sys-whonix's NetVM to sys-corridor.

Qubes VM Manager -> one left click on sys-whonix -> right click -> VM-Settings -> NetVM -> sys-corridor -> OK

done

sys-whonix should now be using sys-corridor.

Debugging

In case you are having issues, this section contains snippets on how to gather useful information for debugging. Otherwise you can skip this section.

See if the corridor_relays ipset gets populated.

sudo ipset list corridor_relays

Please also install the usability-misc package from the Whonix repository, since it provides the iptables-save-deterministic command, or get it from elsewhere.

sudo apt-get install usability-misc

Run iptables-save-deterministic.

sudo iptables-save-deterministic

On Qubes, the output should look like this.

*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:CORRIDOR_SNAT - [0,0]
-A POSTROUTING -j CORRIDOR_SNAT
-A CORRIDOR_SNAT -s 10.137.0.0/16 ! -d 10.137.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:CORRIDOR_FILTER - [0,0]
-A FORWARD -j CORRIDOR_FILTER
-A CORRIDOR_FILTER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_relays dst,dst -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG --log-prefix "corridor: reject " --log-macdecode
-A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited
COMMIT
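A sanity check over that ruleset, as an added example that is not part of corridor or the Whonix wiki: it reads an iptables-save dump on stdin and verifies the properties that make the chain fail closed (FORWARD is handed to CORRIDOR_FILTER, only established flows and the corridor_relays ipset may RETURN, no ACCEPT inside the chain, and an unconditional REJECT last). The embedded dump is the *filter table shown above; on sys-corridor you would pipe sudo iptables-save-deterministic into the function instead.

```shell
#!/bin/sh
# Added example, not from corridor or the Whonix wiki: check an iptables-save
# dump for the properties that make corridor fail closed. The dump below is
# the *filter table from this section, embedded so the check runs offline.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:CORRIDOR_FILTER - [0,0]
-A FORWARD -j CORRIDOR_FILTER
-A CORRIDOR_FILTER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_relays dst,dst -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG --log-prefix "corridor: reject " --log-macdecode
-A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# check_corridor_rules: read a dump on stdin; print OK and return 0 when all
# properties hold, otherwise print the first failing one and return 1.
check_corridor_rules() {
    dump=$(cat)
    chain=$(printf '%s\n' "$dump" | grep '^-A CORRIDOR_FILTER ')
    # 1. Every forwarded packet must be handed to CORRIDOR_FILTER.
    if ! printf '%s\n' "$dump" | grep -q '^-A FORWARD -j CORRIDOR_FILTER$'; then
        echo "FAIL: FORWARD does not jump to CORRIDOR_FILTER"; return 1
    fi
    # 2. The chain must end in an unconditional REJECT (default deny).
    last=$(printf '%s\n' "$chain" | tail -n 1)
    if [ "$last" != "-A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited" ]; then
        echo "FAIL: CORRIDOR_FILTER does not end with REJECT"; return 1
    fi
    # 3. Only replies to established flows and the corridor_relays ipset may RETURN.
    n_return=$(printf '%s\n' "$chain" | grep -c -- '-j RETURN')
    n_known=$(printf '%s\n' "$chain" | grep -c \
        -e '--ctstate RELATED,ESTABLISHED -j RETURN' \
        -e '--match-set corridor_relays dst,dst -j RETURN')
    if [ "$n_return" != "$n_known" ]; then
        echo "FAIL: a RETURN rule bypasses the relay whitelist"; return 1
    fi
    # 4. No ACCEPT shortcut inside the chain.
    if printf '%s\n' "$chain" | grep -q -- '-j ACCEPT'; then
        echo "FAIL: ACCEPT rule inside CORRIDOR_FILTER"; return 1
    fi
    echo "OK: CORRIDOR_FILTER only passes established flows and listed relays"
}

printf '%s\n' "$SAMPLE_DUMP" | check_corridor_rules
```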

Footnotes

  1. Corridor for Whonix KVM ticket
  2. https://www.torproject.org/docs/faq.html.en#EntryGuards
