Introduction[edit]

corridor is a Tor traffic whitelisting gateway. It is a filtering gateway. Not a proxying gateway.

https://github.com/rustybird/corridor

It can also be used as a BridgeFirewall.

Connecting to corridor before Tor[edit]

Introduction[edit]

It is possible to configure Whonix-Gateway (sys-whonix) to use corridor as local proxy to establish the following tunnel:
User -> corridor -> Tor > Internet

This is not necessarily more anonymous. It is an additional fail-safe Tor traffic whitelisting firewall that would protect from accidental clearnet leaks (hypothetical clearnet leak bugs in Whonix). As corridor's project description states, quote "it cannot prevent malware on a client computer from finding out your clearnet IP address". corridor is mostly useful for developers and auditors of Whonix, perhaps also for advanced users who would like to have an additional safety net. It cannot protect from hypothetical Qubes ProxyVM leak bugs either, a physically isolated, standalone corridor-Gateway would be better and could cover that.

It does not increase the tunnel length, i.e. it does not add more relays between you and the destination, if you are interested in that, see Tunnels/Introduction.

If you want to do this, apply the following instructions.

Qubes-Whonix only! Non-Qubes-Whonix is unsupported. ^[1]

Credits: The author of corridor is rustybird. The author of fork of corridor for Debian which will be used in these instructions is Patrick Schleizer.

The following instructions should be applied in a Qubes using a Debian template.

Warning[edit]

The following instructions will result by default in: the Debian tor package being installed and thereby automatically connecting to the Tor public network. Downloading corridor from Whonix-APT-Repository. This may not be what you want if you want to hide Tor and Whonix from your ISP. If you are already using Whonix, which you are most likely doing when reading this page, in running a second instance of Tor which is independent from the one running inside Whonix-Gateway. From the perspective of your ISP you will have a different network Fingerprint. This should be no worse than running Tor Browser, or system-tor and Whonix at the same time.

dom0 setup[edit]

Create a new standalone ProxyVM called sys-corridor based on Debian-8 template.

Qubes VM Manager -> Create AppVM -> enable 'Standalone' -> name: sys-corridor -> template: Debian-8 -> OK

Enable the corridor qvm service.

Qubes VM Manager -> click on sys-corridor -> right click -> VM settings -> services -> type in the field -> corridor -> press + -> press OK

sys-corridor setup[edit]

Start sys-corridor and open a terminal using Qubes start menu.

Inside sys-corridor...

Optional. If you want to use corridor as a BridgeFirewall, configure Tor to use bridges now. (The Whonix page about Bridges might help but it does not apply one to one.) Also if you want to do that, create folder /etc/corridor.d and configuration file /etc/corridor.d/21-bridges-user.conf now. Otherwise if you like to use Tor entry guards ^[2], you can skip that.

Note: Bridges are less reliable and tend to have lower performance than other entry points. If you live in a uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.

Open /etc/corridor.d/21-bridges-user.conf in an editor with root rights.

kdesudo kwrite /etc/corridor.d/21-bridges-user.conf

sudo nano /etc/corridor.d/21-bridges-user.conf

Add.

BRIDGES=`grep -Ei '^[[:space:]]*Bridge[[:space:]]' /etc/tor/torrc`

Save.

Download the Whonix Signing Key.

gpg --keyserver keys.gnupg.net --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

Add Whonix's Signing Key to apt-key.

gpg --export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA | sudo apt-key add -

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was Jessie.

echo "deb http://deb.whonix.org/ jessie main"  | sudo tee /etc/apt/sources.list.d/whonix.list

Update the package lists.

sudo apt-get update

Install corridor.

sudo apt-get install corridor

As long as this instructions are experimental, you are advised to run the following systemctl commands to check if everything is alright.

sudo systemctl status corridor-data
sudo systemctl status corridor-init-forwarding 
sudo systemctl status corridor-init-logged 
sudo systemctl status corridor-init-snat

Reboot sys-corridor.

test corridor[edit]

Run the above systemctl commands again.

Create (or use an appropriate existing one) AppVM called corridor-client or so and install / run either system-tor (from Debian or Fedora package sources) or Tor Browser. Then set the NetVM of corridor-client to sys-corridor. Tor should be still able to connect.

To test system-tor, start watching Tor's log.

sudo tail -f /var/log/tor/log

See if it initially successfully connected.

Then restart Tor.

sudo service tor restart

See if Tor is still able to connect.

To test Tor Browser, check if it is able to initially connect to the internet while NetVM is still set to sys-firewall. Then set the NetVM to sys-corridor and see if it is still able to connect. If so, that is a good sign. Finally, you could should attempt an un-torified connection by using an un-torified application such as the chromium or firefox browser. Un-torified applications should fail to connect to the internet.

test logging[edit]

Whenever you try something that gets blocked by corridor, such as the above #test corridor, it will appear in syslog. Examine /var/log/syslog.

Open /var/log/syslog in an editor.

kwrite /var/log/syslog

nano /var/log/syslog

To check that run inside sys-corridor.

tail -f /var/log/syslog

If corridor blocked something, it will look like this.

Jul 19 00:58:27 localhost kernel: [  954.706833] corridor:

interpreting the results[edit]

It is probably best not to connect set other VMs than sys-whonix to use sys-corridor as NetVM. This is because qubes-update-check.service will and other stuff may try to use the internet without using Tor. Therefore shut down corridor-client.

configure sys-whonix[edit]

Set sys-whonix's NetVM to sys-corridor.

Qubes VM Manager -> one left click on sys-whonix -> right click -> VM-Settings -> NetVM -> sys-corridor -> OK

done[edit]

sys-whonix should now be using sys-corridor.

Debugging[edit]

In case you are having issues, this chapter contains snippets on how to gather useful information for debugging. Otherwise you can skip this chapter.

See if the corridor_relays ipset gets populated.

sudo ipset list corridor_relays

Please also install the usability-misc package from Whonix repository since it provides the iptables-save-deterministic command or get it from elsewhere.

sudo apt-get install usability-misc

Run iptables-save-deterministic.

sudo iptables-save-deterministic

Should look like this for Qubes.

*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:CORRIDOR_SNAT - [0,0]
-A POSTROUTING -j CORRIDOR_SNAT
-A CORRIDOR_SNAT -s 10.137.0.0/16 ! -d 10.137.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:CORRIDOR_FILTER - [0,0]
-A FORWARD -j CORRIDOR_FILTER
-A CORRIDOR_FILTER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_relays dst,dst -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG --log-prefix "corridor: reject " --log-macdecode
-A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited
COMMIT

Footnotes[edit]

1. ↑ Corridor for Whonix KVM ticket
2. ↑ https://www.torproject.org/docs/faq.html.en#EntryGuards

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)