Corridor
Contents
Introduction[edit]
corridor is a Tor traffic whitelisting gateway. It is a filtering gateway. Not a proxying gateway.
https://github.com/rustybird/corridor
It can also be used as a BridgeFirewall.
Connecting to corridor before Tor[edit]
Introduction[edit]
It is possible to configure Whonix-Gateway (sys-whonix) to use corridor as local proxy to establish the following tunnel:
User -> corridor -> Tor > Internet
This is not necessarily more anonymous. It is an additional fail-safe Tor traffic whitelisting firewall that would protect from accidental clearnet leaks (hypothetical clearnet leak bugs in Whonix). As corridor's project description states, quote "it cannot prevent malware on a client computer from finding out your clearnet IP address". corridor is mostly useful for developers and auditors of Whonix, perhaps also for advanced users who would like to have an additional safety net. It cannot protect from hypothetical Qubes ProxyVM leak bugs either, a physically isolated, standalone corridor-Gateway would be better and could cover that.
It does not increase the tunnel length, i.e. it does not add more relays between you and the destination, if you are interested in that, see Tunnels/Introduction.
If you want to do this, apply the following instructions.
Qubes-Whonix only! Non-Qubes-Whonix is unsupported. [1]
Credits: The author of corridor is rustybird. The author of fork of corridor for Debian which will be used in these instructions is Patrick Schleizer.
The following instructions should be applied in a Qubes using a Debian template.
Warning[edit]
 | The following instructions will result by default in:
|
dom0 setup[edit]
Create a new standalone ProxyVM called sys-corridor based on Debian-8 template.
Qubes VM Manager -> Create AppVM -> enable 'Standalone' -> name: sys-corridor -> template: Debian-8 -> OK
Enable the corridor qvm service.
Qubes VM Manager -> click on sys-corridor -> right click -> VM settings -> services -> type in the field -> corridor -> press + -> press OK
sys-corridor setup[edit]
Start sys-corridor and open a terminal using Qubes start menu.
Inside sys-corridor...
Optional. If you want to use corridor as a BridgeFirewall, configure Tor to use bridges now. (The Whonix page about Bridges might help but it does not apply one to one.) Also if you want to do that, create folder /etc/corridor.d and configuration file /etc/corridor.d/21-bridges-user.conf now. Otherwise if you like to use Tor entry guards [2], you can skip that.
Note: Bridges are less reliable and tend to have lower performance than other entry points. If you live in a uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.
Open /etc/corridor.d/21-bridges-user.conf in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run.
If you are using a terminal-only Whonix, run.
Add. TODO: doesn't work
TODO: doesn't work BRIDGES=`grep -Ei '^[[:space:]]*Bridge[[:space:]]' /usr/local/etc/torrc.d/*`
Save.
WARNING: This tells your ISP that you use Whonix. You should set this up with Tor unless you have a reason not to.
Complete the follow steps to obtain the Whonix Signing Key.
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was stretch.
echo "deb http://deb.whonix.org stretch main" | sudo tee /etc/apt/sources.list.d/whonix.list
Update the package lists.
Install corridor.
As long as this instructions are experimental, you are advised to run the following systemctl commands to check if everything is alright.
sudo systemctl --no-pager status corridor-data sudo systemctl --no-pager status corridor-init-forwarding sudo systemctl --no-pager status corridor-init-logged sudo systemctl --no-pager status corridor-init-snat
Reboot sys-corridor.
test corridor[edit]
Run the above systemctl commands again.
Create (or use an appropriate existing one) AppVM called corridor-client or so and install / run either system-tor (from Debian or Fedora package sources) or Tor Browser. Then set the NetVM of corridor-client to sys-corridor. Tor should be still able to connect.
To test system-tor, start watching Tor's log.
See if it initially successfully connected.
Then restart Tor.
See if Tor is still able to connect.
To test Tor Browser, check if it is able to initially connect to the internet while NetVM is still set to sys-firewall. Then set the NetVM to sys-corridor and see if it is still able to connect. If so, that is a good sign. Finally, you could should attempt an un-torified connection by using an un-torified application such as the chromium or firefox browser. Un-torified applications should fail to connect to the internet.
test logging[edit]
Whenever you try something that gets blocked by corridor, such as the above #test corridor, it will appear in syslog. Examine /var/log/syslog.
Open /var/log/syslog in an editor.
If you are using a graphical environment, run.
If you are using a terminal (Konsole), run.
To check that run inside sys-corridor.
If corridor blocked something, it will look like this.
interpreting the results[edit]
It is probably best not to connect set other VMs than sys-whonix to use sys-corridor as NetVM. This is because qubes-update-check.service will and other stuff may try to use the internet without using Tor. Therefore shut down corridor-client.
configure sys-whonix[edit]
Set sys-whonix's NetVM to sys-corridor.
Qubes VM Manager -> one left click on sys-whonix -> right click -> VM-Settings -> NetVM -> sys-corridor -> OK
done[edit]
sys-whonix should now be using sys-corridor.
Debugging[edit]
In case you are having issues, this chapter contains snippets on how to gather useful information for debugging. Otherwise you can skip this chapter.
See if the corridor_relays ipset gets populated.
Please also install the usability-misc package from Whonix repository since it provides the iptables-save-deterministic command or get it from elsewhere.
Run iptables-save-deterministic.
Should look like this for Qubes.
*nat :PREROUTING ACCEPT [0,0] :INPUT ACCEPT [0,0] :OUTPUT ACCEPT [0,0] :POSTROUTING ACCEPT [0,0] :CORRIDOR_SNAT - [0,0] -A POSTROUTING -j CORRIDOR_SNAT -A CORRIDOR_SNAT -s 10.137.0.0/16 ! -d 10.137.0.0/16 -j MASQUERADE COMMIT *filter :INPUT ACCEPT [0,0] :FORWARD ACCEPT [0,0] :OUTPUT ACCEPT [0,0] :CORRIDOR_FILTER - [0,0] -A FORWARD -j CORRIDOR_FILTER -A CORRIDOR_FILTER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -A CORRIDOR_FILTER -m set --match-set corridor_relays dst,dst -j RETURN -A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG --log-prefix "corridor: reject " --log-macdecode -A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited COMMIT
Footnotes[edit]
Please contribute by helping to answer Whonix questions.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)