corridor is a Tor traffic whitelisting gateway. It is a filtering gateway, not a proxying gateway.
It can also be used as a BridgeFirewall.
Connecting to corridor before Tor
It is possible to configure Whonix-Gateway (sys-whonix) to use corridor as a local proxy to establish the following tunnel:
User -> corridor -> Tor -> Internet
This is not necessarily more anonymous. It is an additional fail-safe Tor traffic whitelisting firewall that would protect against accidental clearnet leaks (hypothetical clearnet leak bugs in Whonix). As corridor's project description states, "it cannot prevent malware on a client computer from finding out your clearnet IP address". corridor is mostly useful for developers and auditors of Whonix, and perhaps also for advanced users who would like an additional safety net. It cannot protect against hypothetical Qubes ProxyVM leak bugs either; a physically isolated, standalone corridor-Gateway would be better and could cover that.
It does not increase the tunnel length, i.e. it does not add more relays between you and the destination. If you are interested in that, see Tunnels/Introduction.
If you want to do this, apply the following instructions.
|The following instructions will result by default in:
Create a new standalone ProxyVM called sys-corridor based on the Debian-8 template.
Qubes VM Manager -> Create AppVM -> enable 'Standalone' -> name: sys-corridor -> template: Debian-8 -> OK
Enable the corridor qvm service.
Qubes VM Manager -> click on sys-corridor -> right click -> VM settings -> services -> type in the field -> corridor -> press + -> press OK
Start sys-corridor and open a terminal using Qubes start menu.
Optional. If you want to use corridor as a BridgeFirewall, configure Tor to use bridges now. (The Whonix page about Bridges might help, but it does not apply one to one.) If you want to do that, also create the folder /etc/corridor.d and the configuration file /etc/corridor.d/21-bridges-user.conf now. Otherwise, if you would like to use Tor entry guards, you can skip that.
Note: Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.
Open /etc/corridor.d/21-bridges-user.conf in an editor with root rights.
Add the following. TODO: doesn't work
BRIDGES=`grep -Ei '^[[:space:]]*Bridge[[:space:]]' /usr/local/etc/torrc.d/*`
WARNING: This tells your ISP that you use Whonix. You should set this up with Tor unless you have a reason not to.
Complete the following steps to obtain the Whonix Signing Key.
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was
echo "deb http://deb.whonix.org stretch main" | sudo tee /etc/apt/sources.list.d/whonix.list
Update the package lists.
sudo apt-get update
sudo apt-get install corridor
As long as these instructions are experimental, you are advised to run the following systemctl commands to check that everything is all right.
sudo systemctl --no-pager status corridor-data
sudo systemctl --no-pager status corridor-init-forwarding
sudo systemctl --no-pager status corridor-init-logged
sudo systemctl --no-pager status corridor-init-snat
Run the above systemctl commands again.
Create an AppVM called corridor-client or similar (or use an appropriate existing one) and install and run either system-tor (from Debian or Fedora package sources) or Tor Browser. Then set the NetVM of corridor-client to sys-corridor. Tor should still be able to connect.
To test system-tor, start watching Tor's log.
sudo tail -f /var/log/tor/log
See if it initially successfully connected.
Then restart Tor.
sudo service tor restart
See if Tor is still able to connect.
To test Tor Browser, check if it is able to initially connect to the internet while NetVM is still set to sys-firewall. Then set the NetVM to sys-corridor and see if it is still able to connect. If so, that is a good sign. Finally, you should attempt an un-torified connection by using an un-torified application such as the chromium or firefox browser. Un-torified applications should fail to connect to the internet.
Whenever you try something that gets blocked by corridor, such as the un-torified connection test above, it will appear in syslog. Examine /var/log/syslog.
Open /var/log/syslog in an editor.
To check that, run the following inside sys-corridor.
sudo tail -f /var/log/syslog
If corridor blocked something, it will look like this.
Jul 19 00:58:27 localhost kernel: [ 954.706833] corridor:
interpreting the results
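One way to read those entries in bulk, as an added example that is not part of corridor or the original page: the function below groups rejected packets by source, destination, protocol and port. It assumes the "corridor: reject " log prefix set by corridor's LOG rule and the standard netfilter LOG field names; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of corridor. Summarises packets that corridor
# rejected, reading syslog text on stdin. SRC=/DST=/PROTO=/DPT= are the
# standard netfilter LOG fields; with --log-macdecode the MAC fields are
# MACSRC=/MACDST=/MACPROTO=, which the anchored patterns below ignore.
corridor_rejects() {
    awk '
    /corridor: reject / {
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            # keep the first occurrence only: ICMP errors quote an inner header
            if (src == "-" && $i ~ /^SRC=/)     src = substr($i, 5)
            if (dst == "-" && $i ~ /^DST=/)     dst = substr($i, 5)
            if (proto == "-" && $i ~ /^PROTO=/) proto = substr($i, 7)
            if (dpt == "-" && $i ~ /^DPT=/)     dpt = substr($i, 5)
        }
        count[src " -> " dst " " proto "/" dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (destinations are documentation-range addresses).
sample_syslog() {
    cat <<'EOF'
Jul 19 00:58:27 localhost kernel: [  954.706833] corridor: reject IN=vif5.0 OUT=eth0 MACSRC=00:16:3e:5e:6c:07 MACDST=fe:ff:ff:ff:ff:ff MACPROTO=0800 SRC=10.137.2.15 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 00:58:28 localhost kernel: [  955.710112] corridor: reject IN=vif5.0 OUT=eth0 MACSRC=00:16:3e:5e:6c:07 MACDST=fe:ff:ff:ff:ff:ff MACPROTO=0800 SRC=10.137.2.15 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 00:58:30 localhost kernel: [  957.123456] corridor: reject IN=vif5.0 OUT=eth0 MACSRC=00:16:3e:5e:6c:07 MACDST=fe:ff:ff:ff:ff:ff MACPROTO=0800 SRC=10.137.2.15 DST=198.51.100.7 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=901 DF PROTO=UDP SPT=51515 DPT=53 LEN=48
Jul 19 00:58:31 localhost systemd[1]: Started corridor-data.service.
EOF
}

sample_syslog | corridor_rejects
# On a live system: sudo cat /var/log/syslog | corridor_rejects
```

A client that repeatedly appears here with the same destination and port is running something that tries to reach the internet without Tor.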
It is probably best not to set VMs other than sys-whonix to use sys-corridor as NetVM. This is because qubes-update-check.service will, and other things may, try to use the internet without using Tor. Therefore shut down corridor-client.
Set sys-whonix's NetVM to sys-corridor.
Qubes VM Manager -> one left click on sys-whonix -> right click -> VM-Settings -> NetVM -> sys-corridor -> OK
sys-whonix should now be using sys-corridor.
In case you are having issues, this chapter contains snippets on how to gather useful information for debugging. Otherwise you can skip this chapter.
See if the corridor_relays ipset gets populated.
sudo ipset list corridor_relays
Please also install the usability-misc package from the Whonix repository, since it provides the iptables-save-deterministic command, or get that command from elsewhere.
sudo apt-get install usability-misc
The iptables-save-deterministic output should look like this for Qubes.
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:CORRIDOR_SNAT - [0,0]
-A POSTROUTING -j CORRIDOR_SNAT
-A CORRIDOR_SNAT -s 10.137.0.0/16 ! -d 10.137.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:CORRIDOR_FILTER - [0,0]
-A FORWARD -j CORRIDOR_FILTER
-A CORRIDOR_FILTER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_relays dst,dst -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG --log-prefix "corridor: reject " --log-macdecode
-A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited
COMMIT
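Comparing that listing by eye is error-prone, so the following added example (not part of corridor or usability-misc) checks the filter table for the properties that make it a whitelist. The function names are hypothetical, and the requirement that the jump to CORRIDOR_FILTER be the first FORWARD rule is an assumption taken from the listing above.

```shell
#!/bin/sh
# Added example, not part of corridor. Reads iptables-save style output on
# stdin and returns 0 only if the filter table still acts as a whitelist.
# The FORWARD policy is ACCEPT, so any packet that RETURNs from
# CORRIDOR_FILTER is forwarded; the checks below follow from that.
check_corridor_rules() {
    awk '
    substr($0, 1, 1) == "*" { table = $1 }
    table != "*filter" || $1 != "-A" { next }
    $2 == "FORWARD" && ++fwd == 1 { first_fwd = $0 }
    $2 == "CORRIDOR_FILTER" {
        last = $0
        if ($0 ~ /-j (ACCEPT|RETURN)( |$)/ &&
            $0 !~ /--ctstate RELATED,ESTABLISHED / &&
            $0 !~ /--match-set corridor_relays dst,dst /) {
            print "FAIL: unexpected pass rule: " $0; bad = 1
        }
    }
    END {
        if (first_fwd != "-A FORWARD -j CORRIDOR_FILTER") {
            print "FAIL: first FORWARD rule is not the jump to CORRIDOR_FILTER"; bad = 1
        }
        if (last !~ /^-A CORRIDOR_FILTER -j (REJECT|DROP)( |$)/) {
            print "FAIL: CORRIDOR_FILTER does not end in an unconditional REJECT/DROP"; bad = 1
        }
        if (!bad) print "OK: only established flows and corridor_relays destinations pass"
        exit bad + 0
    }'
}

# Sample input: the filter table from the expected listing above.
expected_filter() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:CORRIDOR_FILTER - [0,0]
-A FORWARD -j CORRIDOR_FILTER
-A CORRIDOR_FILTER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_relays dst,dst -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG --log-prefix "corridor: reject " --log-macdecode
-A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

expected_filter | check_corridor_rules
# On a live system: sudo iptables-save | check_corridor_rules
```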