
Deprecated



About this page[edit]

This is outdated documentation which no longer applies. Kept in case it will be required again in future.


TorChat[edit]

HowTo[edit]

Installation[edit]

EXPERIMENTAL
Experimental in that it is difficult to install. Only use it in case you trust TorChat. There shouldn't be any anonymity leaks and it should be as safe as other hidden services in general and in Whonix.

Learn about Hidden Services in Whonix first and learn how to set up the hidden webserver. This will ease following this guide.

On Whonix-Gateway[edit]

Step 1: open /etc/tor/torrc[edit]

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Step 2: edit /etc/tor/torrc[edit]

(all Whonix platforms)

Once inside /etc/tor/torrc, scroll all the way to the bottom, and copy-paste the following text:

Qubes-Whonix:

You need to replace IP-of-Qubes-Whonix-Workstation-AppVM with the actual IP. To find out the IP of the Qubes-Whonix-Workstation AppVM, you could run the following command within the Qubes-Whonix-Workstation AppVM: qubesdb-read /qubes-ip

HiddenServiceDir /var/lib/tor/torchat/
HiddenServicePort 11009 IP-of-Qubes-Whonix-Workstation-AppVM:11009

Non-Qubes-Whonix:

HiddenServiceDir /var/lib/tor/torchat/
HiddenServicePort 11009 10.152.152.11:11009

(all Whonix platforms)

Save.

Step 3: make changes to /etc/tor/torrc take effect[edit]

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid
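
`tor --verify-config` only checks that torrc parses; it accepts a HiddenServicePort that forwards to the wrong VM just as happily as a correct one. As an added example (not from the Whonix wiki and not a Tor or Whonix tool), the following POSIX sh helper reads the HiddenServiceDir block from Step 2 and confirms that the virtual port is forwarded to the Whonix-Workstation. It works the same way for the OnionCat and Linphone entries later on this page. The function names are this example's own; the demo runs against a constructed torrc, not a real gateway's file.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki page or Tor's own tooling.

# hs_target TORRC DIR VIRTPORT
# Prints the "host:port" target configured for VIRTPORT inside the
# HiddenServiceDir block DIR (trailing slash optional). Returns 1 if the block
# or the port line is missing. Tor treats a bare "HiddenServicePort N" as
# 127.0.0.1:N, which is reproduced here.
hs_target() {
    torrc=$1; dir=${2%/}; vport=$3
    awk -v dir="$dir" -v vport="$vport" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }          # drop comments and indentation
        $1 == "HiddenServiceDir" { cur = $2; sub(/\/$/, "", cur); next }
        $1 == "HiddenServicePort" && cur == dir && $2 == vport {
            print ($3 == "" ? "127.0.0.1:" vport : $3)
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$torrc"
}

# hs_check TORRC DIR VIRTPORT WORKSTATION_IP
# Returns 0 when VIRTPORT is forwarded to WORKSTATION_IP:VIRTPORT, the only
# target that makes sense on a Whonix-Gateway: the service runs on the
# Whonix-Workstation, never on the gateway itself.
hs_check() {
    target=$(hs_target "$1" "$2" "$3") || {
        echo "no HiddenServicePort $3 for $2 in $1" >&2; return 1; }
    case "$target" in
        "$4:$3") echo "ok: $2 port $3 -> $target" ;;
        *) echo "unexpected target $target (wanted $4:$3)" >&2; return 1 ;;
    esac
}

# Demo against a constructed torrc, not a real gateway's file. On a gateway:
#   hs_check /etc/tor/torrc /var/lib/tor/torchat/ 11009 10.152.152.11
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample
HiddenServiceDir /var/lib/tor/torchat/
HiddenServicePort 11009 10.152.152.11:11009
HiddenServiceDir /var/lib/tor/onioncat/
HiddenServicePort 8060 10.152.152.11:8060
EOF
    hs_check "$tmp" /var/lib/tor/torchat/ 11009 10.152.152.11
    hs_check "$tmp" /var/lib/tor/onioncat/ 8060 10.152.152.11
    rm -f "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

Run it with `demo` as the first argument to see both checks pass on the constructed file. On Qubes-Whonix, pass the AppVM IP obtained from `qubesdb-read /qubes-ip` instead of 10.152.152.11.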

Step 4: get your onion hostname[edit]

Find out your .onion hostname.

sudo cat /var/lib/tor/torchat/hostname

Step 5: backup your Tor hidden service private key[edit]

Reminder: Backup your hidden service key, in case you want to be able to restore it, on another machine, on a newer Whonix-Gateway, after hdd failure, etc. You can find it here and you require root to access it.

/var/lib/tor/torchat/private_key

Qubes-Whonix:

You can use the usual Qubes tools. The following example shows how to copy /var/lib/tor/torchat/private_key from your sys-whonix VM to your vault VM (should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/torchat/private_key

Using that exact example, you could then find the Tor hidden service private key in your vault VM in file.

/home/user/QubesIncoming/sys-whonix/private_key

Consider moving the file from QubesIncoming folder to a location of your choice.

You can then use the usual Qubes capabilities to backup your vault (and/or other) VMs. Can be conveniently done using QubesManager. Please refer to the Qubes documentation about backups on how to do that.

Non-Qubes-Whonix:

TODO document
See also, File Transfer.

On Whonix-Workstation[edit]

Step 1: Install TorChat[edit]

Update your package lists.

sudo apt-get update

Install TorChat.

sudo apt-get install torchat python-socksipy

Step 2: Configure TorChat[edit]

Open the torchat.ini which is in the hidden folder /home/user/.torchat/torchat.ini. The folder ~/.torchat/Tor can be ignored.

kwrite /home/user/.torchat/torchat.ini

Look for the following line.

own_hostname = <your onion hostname without the .onion ending>

Replace it with your onion hostname. For example, if your onion hostname is idnxcnkne4qt76tg.onion, enter idnxcnkne4qt76tg, so it looks like this:

own_hostname = idnxcnkne4qt76tg

Save.
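
The step above is easy to get wrong by pasting the hostname with its `.onion` suffix or with a stray space. As an added example (not from the Whonix wiki or the TorChat project), the following POSIX sh helper takes the hostname exactly as `sudo cat /var/lib/tor/torchat/hostname` printed it on the gateway, strips the `.onion` suffix, checks that what remains is a 16-character base32 label (the form shown in the example above), and writes it into torchat.ini. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki page or of TorChat.

# normalize_onion NAME
# Accepts "abc...xyz" or "abc...xyz.onion" (any case, surrounding whitespace)
# and prints the bare 16-character onion label TorChat expects. Returns 1 if
# the result is not 16 base32 characters (a-z, 2-7), which catches copy-paste
# slips before they end up in the config file.
normalize_onion() {
    name=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    name=${name%.onion}
    case "$name" in
        ????????????????) ;;                 # exactly 16 characters
        *) echo "not a 16-char onion label: '$name'" >&2; return 1 ;;
    esac
    case "$name" in
        *[!a-z2-7]*) echo "invalid base32 character in '$name'" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
}

# set_own_hostname INI ONION
# Replaces the own_hostname line in INI (in place) with the normalized label
# and prints the resulting line so the change can be eyeballed.
set_own_hostname() {
    ini=$1
    label=$(normalize_onion "$2") || return 1
    # sed -i is GNU sed; Whonix-Workstation is Debian based, so it is available.
    # The label is validated to a-z2-7 above, so it is safe inside the s command.
    sed -i "s/^own_hostname *=.*/own_hostname = $label/" "$ini"
    grep '^own_hostname' "$ini"
}

# Usage on the Whonix-Workstation, pasting the hostname from Step 4 on the gateway:
#   set_own_hostname /home/user/.torchat/torchat.ini idnxcnkne4qt76tg.onion
case "${1:-}" in
    set) set_own_hostname "$2" "$3" ;;
esac
```

Invoke it as `sh thisfile.sh set /home/user/.torchat/torchat.ini <hostname>`; it prints `own_hostname = <label>` on success and refuses anything that is not a plausible onion label.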

Step 3: Qubes users only[edit]

Qubes-Whonix users need an additional firewall exception. (Non-Qubes-Whonix users can skip this.)

Open firewall port access for your app between Whonix-Gateway and Whonix-Workstation.

sudo iptables -I INPUT 5 -p tcp --dport 11009 -m conntrack --ctstate NEW -j ACCEPT

Port 11009 is TorChat's. If you are setting up a different application, change the port number to whatever your app requires.

To make the firewall rule persistent, add the rule to the rc.local file and make it executable.

Open /rw/config/rc.local:

kdesudo kwrite /rw/config/rc.local

Add the following in the rc.local file:

#!/bin/sh
sudo iptables -I INPUT 5 -p tcp --dport 11009 -m conntrack --ctstate NEW -j ACCEPT

Make the rc.local file executable.

sudo chmod +x /rw/config/rc.local
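
`iptables -I` inserts a fresh copy of the rule every time it runs, so running the command above by hand and again from rc.local leaves duplicate rules. As an added example (not from the Whonix wiki and not a Whonix tool), the following POSIX sh helper checks with `iptables -C` before inserting, using the same rule the guide uses. The function name and the script path in the usage note are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki page or of Whonix itself.

# ensure_port_rule PORT
# Inserts the ACCEPT rule for PORT at position 5 of INPUT only if it is not
# already present. Prints "added" or "present" so a log reader can see which.
ensure_port_rule() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) echo "ensure_port_rule: bad port '$port'" >&2; return 1 ;;
    esac
    # -C (check) exits 0 when an identical rule exists, 1 otherwise.
    if iptables -C INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null; then
        echo "present"
    else
        iptables -I INPUT 5 -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT || return 1
        echo "added"
    fi
}

# When invoked with "boot" (as root), open TorChat's port 11009.
case "${1:-}" in
    boot) ensure_port_rule 11009 ;;
esac
```

Save it as, for example, /rw/config/torchat-firewall.sh (a hypothetical name), make it executable, and have /rw/config/rc.local run `/rw/config/torchat-firewall.sh boot` instead of the bare iptables line. Run by hand as root it reports `added` the first time and `present` on every later run.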

Step 4: Final Notes[edit]

Done.

Note that it may take up to 30 minutes (or so) until a fresh .onion domain becomes reachable.

Starting[edit]

Qubes-Whonix:
Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named whonix) -> TorChat Instant Messenger

Non-Qubes-Whonix:
Start menu -> Applications -> Internet -> TorChat Instant Messenger

Uninstall[edit]

If you want to remove it...

On Whonix-Workstation.

sudo apt-get remove torchat

On Whonix-Gateway.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

And undo the changes in /etc/tor/torrc on Whonix-Gateway.

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Debugging[edit]

In case it doesn't work for you.

Test if Tor is reachable on 10.152.152.10:9119.

/usr/bin/wget.anondist-orig 10.152.152.10:9119

If it says.

--2013-02-13 13:49:47--  http://10.152.152.10:9119/
Connecting to 10.152.152.10:9119... connected.
HTTP request sent, awaiting response... 501 Tor is not an HTTP Proxy
2013-02-13 13:49:47 ERROR 501: Tor is not an HTTP Proxy.

That means Tor is fine and the port is reachable.

Run torchat in a Terminal.

torchat

The following output is an example of how it looks when everything is fine.

~ $ torchat
(0) [config,470,main] python version 2.7.3 (default, Jan  2 2013, 16:53:07) [GCC 4.7.2]
(0) [config,477,main] script directory is /usr/share/torchat
(0) [config,478,main] data directory is /home/user/.torchat
./tor.sh: 6: ./tor.sh: tor: not found
(0) [tc_client,2083,startPortableTor] very strange: portable tor started but hostname could not be read
(0) [tc_client,2084,startPortableTor] will use section [tor] and not [tor_portable]

If you are using Multiple Whonix-Workstations, where the Workstation has another IP than 10.152.152.11 you must edit the following line in torchat.ini.

listen_interface = 10.152.152.11

Did the hidden webserver example from the Hidden Services page work for you? Try that first.

You also could try using the TorChat source package, which is still documented on the Deprecated page.

Technical Design[edit]

The Dev/anon-ws-disable-stacked-tor package prevents Tor over Tor.

Credits[edit]

Thanks to scarp for helping with the TorChat instructions!


OnionCat[edit]

Introduction[edit]

  • OnionCat, GarliCat: Tunnel TCP, UDP, ICMP or any other protocol through Tor or I2P; IPv6, VPN-like, TAP/TUN tunneling device


Status[edit]

  • OnionCat (Tor) will work with Whonix. (Tested.)
  • GarliCat (I2P) might partially work with Whonix. (Untested.)

Over Tor[edit]

OnionCat transports any protocol between endpoints inside the Tor network. All involved peers need to run OnionCat. It gives IPv6 addresses to Onion Services, making many applications possible.

IPv6 is currently disabled on Whonix-Gateway, because Tor doesn't support IPv6 yet (except for bridges), and because no one has developed more than rudimentary IPv6 firewall rules for Whonix-Gateway yet. Whonix-Gateway's firewall blocks all IPv6 traffic, including local traffic, by default. That is not an issue here: IPv6 on Whonix-Workstation, where OnionCat will be running, is enabled. Only OnionCat's underlying operating system requires IPv6, not the Tor process. OnionCat on Whonix-Workstation translates the IPv6 traffic into IPv4 connections to the Tor process running on Whonix-Gateway, so no IPv6 on Whonix-Gateway is required.

On your Whonix-Gateway.

If you want to read an introduction about hidden services and to learn about hidden service security, see Hidden Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Hidden Services basics), see Hidden Services.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add. [1]

HiddenServiceDir /var/lib/tor/onioncat/
HiddenServicePort 8060 10.152.152.11:8060

Save.

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Reminder: To get your hidden service url.

sudo cat /var/lib/tor/onioncat/hostname

Reminder: Backup your hidden service key, in case you want to be able to restore it, on another machine, on a newer Whonix-Gateway, after hdd failure, etc. You can find it here and you require root to access it.

/var/lib/tor/onioncat/private_key

Qubes-Whonix:

You can use the usual Qubes tools. The following example shows how to copy /var/lib/tor/onioncat/private_key from your sys-whonix VM to your vault VM (should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/onioncat/private_key

Using that exact example, you could then find the Tor hidden service private key in your vault VM in file.

/home/user/QubesIncoming/sys-whonix/private_key

Consider moving the file from QubesIncoming folder to a location of your choice.

You can then use the usual Qubes capabilities to backup your vault (and/or other) VMs. Can be conveniently done using QubesManager. Please refer to the Qubes documentation about backups on how to do that.

Non-Qubes-Whonix:

TODO document
See also, File Transfer.

On your Whonix-Workstation.

Update your package lists

sudo apt-get update

Install onioncat.

sudo apt-get install onioncat

Start onioncat. Replace address.onion with your actual hidden service url from above.

sudo ocat address.onion -l 10.152.152.11:8060

As of onioncat r555 (only applies to Jessie onwards) onioncat starts in unidirectional 'client' mode by default. To accept incoming connections, -U must be used. Mutual authentication is also available in this newer version, which is needed to ensure that the identities of all endpoints engaged in a transaction are verified. [2]

sudo ocat address.onion -U -l 10.152.152.11:8060

Alternatively, if starting onioncat in 'client' mode run:

sudo ocat -R

At least one node has to run as a 'server' with a hidden service configured for contact to occur.

To enumerate your onioncat IPv6 address run:

sudo ocat -i address.onion

Notes[edit]

Security[edit]

There are two possible ways to authenticate and control who is allowed to connect to your Onioncat instance and the applications running on top of it.

1. The simpler and more robust approach is to setup Tor to perform authentication of clients connecting to your Hidden Service. If they do not possess a certain randomly generated cryptographic secret, they cannot connect to your Hidden Service.

For information on how to do this see Hidden Services#Hidden Service Authentication.

2. The second approach does this process at the higher level through delegating authentication to Onioncat.

For official documentation on security read the reference at the end of this sentence. [3]

Onioncat Authentication Notes and Definitions:

  • Bi-directional mode is what was used for OC since the beginning. That means that one established circuit (TCP session through Tor) is being used to send AND transmit packets. Thus, it is called bi-directional.
  • Uni-directional mode means that there are two separate circuits: one for sending and one for receiving.

So what are the implications:
Circuits are established through Tor and are identified and authenticated by the network through the onion hostname (= OC IPv6 address). But this authentication is just one-ended. That means that the client (the one initiating the circuit) can authenticate the server but the server can't authenticate the client. As a consequence the client could spoof its IP address. In Tor/OnionCat context, IP spoofing means to use any IPv6 address but not the one which is associated to the onion ID (that's actually what -R does). Although this is technically no problem there's a security risk which could be that someone takes over the IPv6 address from someone else and could thereby attract (steal) packets. The risk is still very low.

Uni-directional mode addresses exactly that problem. It forces the server to not reuse an incoming connection but establish a new circuit to the supposed client. Thus spoofing is defeated because it requires for the client to own the private key as well.

Uni-directional mode is on by default since revision 556, but this change may be subject to change in future releases.

Uni-directional mode and -R (i.e. starting onioncat in 'client' mode) are incompatible! That means an OnionCat using -R will not be able to communicate with an OnionCat in uni-directional mode.

OnionCats with -R can only talk to bi-directional OnionCats having -U set as noted above.

Source / Credits of this chapter:
These are Onioncat dev, Bernhard Fischer's words with modifications by the Whonix team. All credit goes to him.

Tunneling IPv4[edit]

Many programs do not support IPv6, so to use IPv4 with Onioncat, IPv4 has to be tunneled over IPv6.[4] This option is preferred to Onioncat's native IPv4 forwarding (the -4 parameter), which is deprecated and cannot guarantee the authenticity of the communicating endpoints the way the tunneling method can.

Most operating systems should support IP-IP6 tunneling. IPv6 supports encapsulation of IPv4 or IPv6, hence tunneling is not a big deal. An IP-IP6 tunnel is a point-to-point tunnel between two IPv6 nodes. The tunnel endpoints are virtual network interfaces. IP addresses are assigned to them and routing has to be set up as usual (as if those interfaces were Ethernet interfaces). Before configuring a tunnel you need to know the two IPv6 addresses of the IPv6 nodes. Those will be the IPv6 OnionCat addresses. There are a few steps necessary on Linux. First insert the IPv6 tunneling kernel module, then set up the tunnel interface by connecting it to the two IPv6 addresses. Next configure the IPv4 addresses on the tunnel endpoints, bring them up and add the necessary routes (... and don't forget to update your firewall rules, but this is not needed with Whonix-Workstation's default settings).

sudo su
modprobe ip6_tunnel
ip -6 tunnel add iptun0 mode ipip6 local fd87:d87e:eb43:1f53:c75:3b27:7adc:c9a5 remote fd87:d87e:eb43:8733:3338:21f6:a2b8:eebf
ifconfig iptun0 192.168.100.1 up
route add -net 192.168.100.0/24 dev iptun0

On the other end do the same thing except that you have to swap the two IPv6 addresses and use another IP address on the tunnel endpoint, e.g. 192.168.100.2. If Tor, OnionCat, and the tunnel is up on both ends you should be able to ping the remote end.
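
As an added example (not from the Whonix wiki or the OnionCat project), here is the same tunnel set up with the iproute2 `ip` commands that replaced ifconfig and route on current Debian, with a check that both endpoints lie in fd87:d87e:eb43::/48, the prefix OnionCat derives every peer address from. The prefix check only catches typos and non-OnionCat addresses; it is not authentication (see Security above). The function names and the iptun0 default are this example's own; the addresses in the usage comment are the ones from the text above.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki page or of OnionCat.

# is_onioncat_addr ADDR -> 0 if ADDR is inside OnionCat's fd87:d87e:eb43::/48
is_onioncat_addr() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        fd87:d87e:eb43:*) return 0 ;;
        *) return 1 ;;
    esac
}

# tunnel_cmds LOCAL6 REMOTE6 LOCAL4 [IFACE]
# Prints the commands for one end of the IP-IP6 tunnel. Run it on the other
# end with LOCAL6/REMOTE6 swapped and a different LOCAL4 (e.g. 192.168.100.2).
# The /24 on the tunnel address gives the same connected route the original
# "route add -net 192.168.100.0/24 dev iptun0" line created.
tunnel_cmds() {
    l6=$1; r6=$2; l4=$3; dev=${4:-iptun0}
    is_onioncat_addr "$l6" || { echo "local $l6 is not an OnionCat address" >&2; return 1; }
    is_onioncat_addr "$r6" || { echo "remote $r6 is not an OnionCat address" >&2; return 1; }
    [ "$l6" != "$r6" ] || { echo "local and remote must differ" >&2; return 1; }
    cat <<EOF
modprobe ip6_tunnel
ip -6 tunnel add $dev mode ipip6 local $l6 remote $r6
ip addr add ${l4}/24 dev $dev
ip link set $dev up
EOF
}

# tunnel_apply: same arguments as tunnel_cmds, but executes them (needs root).
tunnel_apply() {
    tunnel_cmds "$@" | sh -e
}

# Usage, with the two addresses from the text above (first end):
#   sudo sh thisfile.sh apply fd87:d87e:eb43:1f53:c75:3b27:7adc:c9a5 \
#       fd87:d87e:eb43:8733:3338:21f6:a2b8:eebf 192.168.100.1
# Use "show" instead of "apply" to print the commands without running them.
case "${1:-}" in
    show)  shift; tunnel_cmds "$@" ;;
    apply) shift; tunnel_apply "$@" ;;
esac
```

The `show` mode is useful for preparing the other side: feed it the swapped addresses and 192.168.100.2 and hand the printed lines to your partner.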

Useful Commands[edit]
  • Check connectivity between endpoints using ping:

ping6 onioncat-address

  • Replies should come immediately if everything is working.


  • To derive the OnionCat IPv6 address from your Hidden Service address run:

ocat -i onion.address


  • Running ifconfig can show helpful information on active network interfaces:

sudo ifconfig

Debugging[edit]

On your Whonix-Workstation.

To terminate onioncat you could use.

sudo kill -sigint $(pgrep ocat)

Miscellaneous[edit]

To make Onioncat autostart with the system using the parameters listed above, edit its configuration file:

sudo nano /etc/default/onioncat

Enable autostart by removing the '#' in front of the following line:

ENABLED=yes

Add your settings:

DAEMON_OPTS="Parameters go here"

Over I2P[edit]

GarliCat over I2P might only work if you use I2P over Tor.

There was the idea to create an I2PBOX, but it never came to life due to lack of community interest, which means GarliCat directly over I2P will not be supported by Whonix.

As soon as I2P over Tor is working in Whonix-Workstation, you can probably follow the instructions on cryptoanarchy.org (webarchive; webcitation) without modifications.

General Debugging Hints[edit]

  • There are multiple possible sources of issues you might stumble upon.
  • Therefore, before you try using OnionCat with Whonix, and if that doesn't endanger you, it is recommended to first test OnionCat successfully without Whonix.
  • Once you have learnt that, one possible source of issues (OnionCat itself) is eliminated and you can start learning how to use it with Whonix (which might introduce new issues, but enhanced security will be your reward).
  • You also have to learn first how to use hidden services with Whonix; see hosting hidden services for reference.

Footnotes[edit]

  1. Arbitrary choice of port to avoid conflicts with custom onioncat setups.
  2. http://manpages.debian.org/cgi-bin/man.cgi?query=ocat&apropos=0&sektion=0&manpath=Debian+testing+jessie&format=html&locale=en
  3. https://www.cypherpunk.at/onioncat_trac/wiki/Security
  4. https://www.cypherpunk.at/onioncat_trac/wiki/IPv4


Tor Access[edit]

These instructions break sending emails to other domains that are not riseup.

Some email services provide access via Onion Service addresses. This provides better end to end security properties for authenticating to the server and conceals when you check your inbox.

In Icedove go to:

Settings -> Preferences -> Account Settings

Server Settings Tab, set the IMAP address to: imap.<address>.onion


Outgoing Server (SMTP) Tab, Edit: smtp.<address>.onion


The service providers may or may not enable TLS/STARTTLS connection security for their Onion domain since it is redundant. It's best to leave it turned on by default and only disable it if problems arise.

Leave your Default Identity with the clearnet domain to avoid confusing recipients when replying to you.

Pidgin[edit]

For instant messaging in Whonix you can install the Pidgin[1] Instant Messenger. It is a multi-protocol client, so you could run MSN, ICQ, IRC, AIM, XMPP/Jabber and many other protocols at the same time, even with several instances of the same protocol.

All of these chat systems are unsafe if not used together with OTR. Even when used with OTR, expect to be exposing your social graph. Privacy hackers isolate parts of the social graph by running several accounts for groups of people on each popular server, thus avoiding the insecure XMPP federation (adding people on servers that aren't your own).

For more detailed documentation refer to the official Pidgin user guide.

You can install it using Start menu -> Applications -> System -> Terminal.

sudo apt-get update
sudo apt-get install pidgin

There is also a TorChat plugin available for Pidgin, the official libpurple-torchat Pidgin plugin, which could be used to allow p2p encrypted end-to-end communication, although there is no known documentation on getting this done specifically in Whonix. It works seamlessly on standard Pidgin/Linux distros with Tor; the code has gone over a year without any changes/updates, hopefully because it simply works without any need for changes.

Some protocols that are problematic in context of privacy/anonymity are disabled by default. [2]

To get a list of those, you could run.

sudo dpkg-divert --list

To re-enable all of them, you could run.

sudo /var/lib/dpkg/info/pidgin-improved-privacy.prerm remove

After a restart of Pidgin, the protocols will be available.

OTR encryption[edit]

Of course the issue of end-to-end encryption arises again. As we mentioned earlier, we have Off-the-record messaging[3] (commonly called OTR) for instant messaging, and Pidgin and many other instant messengers have support for that. There are several resources on how it works and how to use it on their web site. Basically all you need to do is choose "Start private conversation" in the OTR menu and a key will be generated automatically if you do not have one already. After that OTR will establish a private conversation if the other end's instant messenger supports it.

If you didn't authenticate your partner with something like a shared secret there can be a man in the middle recording your chat, even if you are using the same server (the server or the TLS connection to the server may be corrupted).

OTR and other Pidgin plugins are enabled in the "Tools menu -> Plug-ins" section. Simply check the appropriate box for enabling any plugin you want, and possibly you might also want to configure it by pressing the "Configure Plug-in" button. When this is done for the OTR plugin a window that can be used to manage your keys will open. The use of OTR is recommended as many instant messaging protocols normally send your messages in plaintext. Force your friends to migrate to clients with support for OTR!

NOTE: /me is not encrypted when used in a OTR private conversation! Also /msg in XMPP chatrooms isn't – it goes through the chatroom server!

Read also those various other resources about OTR.

You can install it using Start menu -> Applications -> System -> Terminal.

sudo apt-get update
sudo apt-get install pidgin-otr

Jitsi[edit]

Jacob Appelbaum (Tor researcher) recommends[4] Jitsi[5] (this applies if _not_ using Tor). It supports OTR encryption and ZRTP and is available in Debian Testing.

Jitsi supports push to talk.

Jitsi is the most feature-rich Free Software VoIP client. The team behind it is very innovative, constantly focusing on adding new functionality. It supports many protocols and advanced features like Multi-party video conferencing - in which someone's client will be running into server mode for that purpose because of latency management.[6]

Its stability leaves something to be desired, however. Alpha stage clients are available for Android.

Unfortunately it is not usable with Tor, because the Tor network does not support UDP and because Jitsi does not support TCP for audio/video at time of writing (April 2014).

TODO: write a guide on how to connect to a free public server, having a secure ZRTP encrypted conversation with someone using the same client (note: impossible as of April 2014 without revealing the ip numbers of the corresponding parties to both eavesdroppers and the server).

sflphone[edit]

Nathan Freitas (Tor Orbot developer) likes[7] sflphone[8]. It can be installed from Debian package sources.

It does not support OTR. You would have to keep that in mind and use another way to exchange encrypted text. This isn't a reason, not to use it, if you are aware of that.

TODO: research, does sflphone support push to talk?

TODO: write a guide how to connect to a free public server, having a secure ZRTP encrypted conversation with someone using the same client.

OnionPhone[edit]

OnionPhone [9] is the successor to TOR Fone, improving the ciphers used, among other issues[10]. Repository: [11]

The main improvement is that OnionPhone can now be used as a VoIP plugin that integrates with TorChat, using the Tor network to protect and anonymize your communication in this mode. It is also the only mode that makes sense in terms of usability, because otherwise it's a command line utility.

OnionPhone works on Linux and Windows, with Android support planned.

Other modes of operation include using the Tor network as a decentralized and secure alternative for SIP signalling. The call streams are then initiated directly using either TCP or UDP (for NAT traversal). Note that metadata is not concealed in that mode.

It can be run standalone with direct connections with OnionCat.

TODO: Encourage Debian Packaging TODO: Build, test and document usage instructions with TorChat

linphone[edit]

Introduction[edit]

Linphone is one of the most feature-rich Free Software clients available, second only to Jitsi in that respect, but second to none in stability and performance from testing. It can also support conferencing (audio only as of 2014).[12] Additionally it has fully developed clients for all desktop and mobile operating systems.

Should an Android port of Onioncat ever become a reality by the Guardian Project, Linphone can be used for anonymous VoIP between all combinations of device form factors. There is headway on that front.[13]

Setup with Whonix[edit]

Technically, only one member of the chat party needs to configure a Tor Hidden Service (be a callee). Others can run Onioncat in 'client' only mode (be a caller).

Bidirectional communication can only be established after the client party (caller) connects to the one running a hidden service 'server' mode (callee), because the latter can accept incoming connections while the former cannot.

                                      callee   caller
Can make outgoing calls               Yes      Yes
Can initially receive incoming calls  Yes      No
Needs to host a Tor hidden service    Yes      No
Setup difficulty                      medium   easy

Setup as Both, Callee or Caller[edit]

You only have to read this if you want to use linphone as both callee and caller. As a caller, you can only make outgoing calls. As a callee (which includes the ability to be a caller), you can make outgoing calls and receive incoming calls. Only one of the two calling partners has to follow these instructions; it does not matter if both do.

On your Whonix-Gateway.

If you want to read an introduction about hidden services and to learn about hidden service security, see Hidden Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Hidden Services basics), see Hidden Services.

Open your /etc/tor/torrc.

sudo nano /etc/tor/torrc

Add. [14]

HiddenServiceDir /var/lib/tor/linphone_service/
HiddenServicePort 64739 10.152.152.11:64739

Reload Tor.

sudo service tor reload

Reminder: To get your hidden service url.

sudo cat /var/lib/tor/linphone_service/hostname

Reminder: Backup your hidden service key, in case you want to be able to restore it, on another machine, on a newer Whonix-Gateway, after hdd failure, etc. You can find it here and need sudo to access it.

/var/lib/tor/linphone_service/private_key

On your Whonix-Workstation.

Update your package lists

sudo apt-get update

Install onioncat and linphone.

sudo apt-get install onioncat linphone

Start onioncat. Replace address.onion with your actual hidden service url from above.

sudo ocat address.onion -U -l 10.152.152.11:64739

As of onioncat r555 (only applies to Jessie onwards) onioncat starts in unidirectional 'client' mode by default. To accept incoming connections, -U must be used. Mutual authentication is also available in this newer version, which is needed to ensure that the identities of all endpoints engaged in a transaction are verified. [15]

Find out your onioncat IPv6 address.

ip addr show dev tun0

Open Linphone settings and select IPv6. Apply and restart Linphone.

Setup only as Caller[edit]

You only have to read this if you want to use linphone as caller only. As a caller, you can only make outgoing calls. Only one of the two calling partners can follow these instructions; if both did, they would not be able to call each other.

On your Whonix-Workstation.

Update your package lists

sudo apt-get update

Install onioncat and linphone.

sudo apt-get install onioncat linphone

Start onioncat.

sudo ocat -R

Open Linphone settings and select IPv6. Apply and restart Linphone.

Calling[edit]

On your Whonix-Workstation.

At this point you should have exchanged IPv6 addresses with the callee. To call someone, enter the following in the call box. You can keep 'user' as the user part. The IPv6 address must be enclosed in square brackets. Replace onioncat ipv6 address with the actual IPv6 address of your calling partner.

user@[onioncat ipv6 address]

Debugging[edit]

On your Whonix-Workstation.

To terminate onioncat you could use.

sudo kill -sigint $(pgrep ocat)

Miscellaneous[edit]

To make OnionCat autostart with the system using the parameters listed above, edit its configuration file:

sudo nano /etc/default/onioncat

Enable autostart by removing the '#' in front of:

ENABLED=yes

Add your settings:

DAEMON_OPTS="Parameters go here"

Credits[edit]

Credits go to HulaHoop for researching how to use Linphone with Tor and for sharing the instructions in the Whonix User Forum.

Development Ideas[edit]

OnionCat[edit]

OnionCat could be useful if tunneling UDP and/or ICMP over Tor is required. It should be avoided if possible, because it adds complexity to the setup. Does it introduce more latency because the connection always goes from hidden service to hidden service?

OpenBazaar[edit]

OpenBazaar supports both TCP and UDP. The latter was added to aid those using it on the clearnet that had difficulties connecting from behind their routers. [16] When using Tor you don't have to worry about that.

A community demo for OpenBazaar was done with Tor by hosting seed nodes as Hidden Services.

Hosting ANY Hidden Services[edit]

You can provide any server-side service that relies on TCP, such as web servers, IRC servers, chat servers and so forth. UDP and IPv6 are not supported by the Tor network, but if required you could use OnionCat as a workaround.

OnionCat[edit]

See OnionCat. [17] [18] [19]

Syncthing with OnionCat[edit]

Syncthing is a libre software solution for private file synchronization.

This section will cover file syncing with peers inside the Tor network.

TO-DO: Test Syncthing without OnionCat since SOCKS support was added recently.[20]

1. Set up OnionCat on Whonix Gateway. All parties involved will need to configure a Hidden Service with OnionCat because syncing is bidirectional. Make sure you can successfully ping all OnionCat addresses before proceeding.

2. Before adding the repo[21], fetch the key and verify[22] fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  2048R/0xD26E6ED000654A3E 2014-12-29 Syncthing Release Management <release@syncthing.net>
      Key fingerprint = 37C8 4554 E7E0 A261 E4F7  6E1E D26E 6ED0 0065 4A3E

Download key with scurl to home folder.

scurl -o syncthing-pubkey.asc https://syncthing.net/release-key.txt

Check fingerprints/owners without importing anything.

gpg --with-fingerprint syncthing-pubkey.asc

If it looks good import into trusted.gpg.d.

gpg --no-default-keyring --keyring ./syncthing-pubkey.gpg --import syncthing-pubkey.asc
sudo cp syncthing-pubkey.gpg /etc/apt/trusted.gpg.d/syncthing-pubkey.gpg
sudo sh -c 'echo deb http://apt.syncthing.net/ syncthing release > /etc/apt/sources.list.d/syncthing-release.list'
sudo apt-get update -qq
sudo apt-get install syncthing

3. Launch Syncthing:

syncthing

Do not close the running terminal or Syncthing will shut down. Answer 'No' if asked to 'Allow Anonymous Usage Reporting'.

Install FoxyProxy:

sudo apt-get install xul-ext-foxyproxy-standard

To access the proxy/local WebUI of the desired application, the FoxyProxy add-on and its configuration need to be made available to Tor Browser. Run:

ln -s /usr/share/xul-ext/foxyproxy-standard/ /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/foxyproxy@eric.h.jung

Make the tbb-foxyproxy config file available to Tor Browser. [23]

cp /usr/share/usability-misc/tbb-foxyproxy/foxyproxy.xml /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/

Restart Tor Browser.

To reverse this action and restore Tor Browser's default fingerprint run:

rm /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/foxyproxy@eric.h.jung

Note: Tor Browser will soon ship with sandboxing as opt-in, unfortunately this feature's initial versions are incompatible with such configurations and must not be enabled.[24]

To open the WebGUI, open Tor Browser and paste:

http://127.0.0.1:8384/

4. At this point the Syncthing back-end should have generated your unique Device ID. Go to:

Actions > Show ID

Share the Device ID along with your OnionCat address. As long as one side shares this information the other can add and find them.

5. Once ID information is exchanged, go to Add Device and paste the other endpoint's Device ID. Then under Addresses change dynamic to:

[OnionCat-address]:22000

Note that you MUST write the OnionCat IPv6 address within brackets for it to work.
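Both the Linphone call target above (user@[address]) and this Syncthing address field take the OnionCat IPv6 address in brackets. The following Python, added here as an example and not code from Whonix or OnionCat, derives that address from a hidden service's v2 .onion hostname the way OnionCat does (the 80 bits of the base32-decoded onion name become the low 80 bits of an address in fd87:d87e:eb43::/48), checks a peer's claimed address against its onion name, and builds the bracketed strings; the Mixnym onion name used in the usage line is quoted from elsewhere on this page.

```python
import base64
import binascii
import ipaddress

# OnionCat derives each peer's IPv6 address from its v2 onion name: the 16
# base32 characters decode to 80 bits, which become the low 80 bits of an
# address inside OnionCat's prefix fd87:d87e:eb43::/48.
ONIONCAT_NET = ipaddress.IPv6Network("fd87:d87e:eb43::/48")
_PREFIX_BYTES = ONIONCAT_NET.network_address.packed[:6]


def onion_to_onioncat(onion: str) -> ipaddress.IPv6Address:
    """Map a v2 .onion hostname (contents of the hidden service hostname file)
    to the OnionCat IPv6 address that peers reach it at."""
    name = onion.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 16:
        raise ValueError("a v2 onion name is exactly 16 base32 characters")
    try:
        onion_id = base64.b32decode(name.upper())  # 16 chars -> exactly 10 bytes
    except binascii.Error as exc:
        raise ValueError("onion name is not valid base32") from exc
    return ipaddress.IPv6Address(_PREFIX_BYTES + onion_id)


def is_onioncat_address(addr: str) -> bool:
    """True if addr (optionally bracketed) is an IPv6 address inside OnionCat's prefix."""
    try:
        return ipaddress.IPv6Address(addr.strip().strip("[]")) in ONIONCAT_NET
    except ValueError:
        return False


def onioncat_to_onion(addr: str) -> str:
    """Reverse mapping, so a peer's claimed OnionCat address can be checked
    against the onion name they gave you."""
    if not is_onioncat_address(addr):
        raise ValueError(f"{addr!r} is not inside {ONIONCAT_NET}")
    ip = ipaddress.IPv6Address(addr.strip().strip("[]"))
    return base64.b32encode(ip.packed[6:]).decode("ascii").lower() + ".onion"


def bracketed(addr: str) -> str:
    """Square-bracket an IPv6 literal so that a following ':port' or a
    preceding 'user@' cannot be confused with the address's own colons."""
    if not is_onioncat_address(addr):
        raise ValueError(f"{addr!r} is not an OnionCat IPv6 address")
    return f"[{ipaddress.IPv6Address(addr.strip().strip('[]'))}]"


def sip_target(user: str, addr: str) -> str:
    """What goes into Linphone's call box: user@[onioncat-ipv6]."""
    return f"{user}@{bracketed(addr)}"


def syncthing_address(addr: str, port: int = 22000) -> str:
    """What goes into Syncthing's Addresses field: [onioncat-ipv6]:22000."""
    return f"{bracketed(addr)}:{port}"


if __name__ == "__main__":
    # Constructed usage with the Mixnym onion name quoted elsewhere on this page.
    ip = onion_to_onioncat("gbhpq7eihle4btsn.onion")
    print(ip)
    print(sip_target("user", str(ip)))
    print(syncthing_address(str(ip)))
```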

Select the default directory under Share Folders With Device.

6. Syncing more than two endpoints can quickly become tedious so select at least one node to be an Introducer by selecting the option. The Introducer node will inform the new device about all nodes attached to it.

7. Finally drag and drop any files you want to sync to the 'Sync' folder under your Home directory.

Done.

Note: No one can connect to your swarm without you adding them but you may still want to make your virtual network more private. This is done using HiddenServiceAuthorizeClient - a Tor feature.

Torrenting over OnionCat[edit]

This section will cover torrenting with anonymous peers inside the Tor network. This is a trackerless setup.

Seeding

1. Set up OnionCat on Whonix Gateway. All parties involved will need to configure a Hidden Service with OnionCat because torrenting is bidirectional.

2. Next install qBittorrent:

sudo apt-get install qbittorrent

3. Create your torrent:
Tools > Torrent creator
Add the file/folder you want to share. Leave the Tracker information boxes empty. Insert your OnionCat IPv6 IP into the Comment section.

Check Start seeding after creation then create and save the torrent file.

4. Share the torrent file on your personal Onion Site blog or some other channel as you normally would.

Downloading

1. Add the torrent file in qBittorrent

2. Select the torrent from the list and go to the General tab. Copy the OnionCat IPv6 address from the Comment section.

3. Click the Peers tab and right-click into the empty tab. Click Add a new peer... and paste the IPv6 address. Note that the default listening port for incoming connections is set to 6881 and nothing needs to be done.

Done.

For a private sharing environment you will need to configure Tor to use the HiddenServiceAuthorizeClient option. More on that here.

Tunnel Freenet over OnionCat[edit]

Some Freenet users have successfully experimented with connecting over OnionCat. Note that all communicating parties need to set this up for this to work. Follow this guide to connect to other Darknet peers. No connections to the public datastore are possible with this method.[25]

Whonix-specific caveats to the above instructions:

Adjust OnionCat to connect to the Gateway with socat.

TO-DO: Create and add socat template to all relevant onion service guides

Pond[edit]

Removed because upstream is dead.

Pond is a forward-secure, asynchronous messaging system that uses Tor to conceal metadata. Pond messages are not a permanent record; they expire automatically a week after they are received.

Add Debian Experimental to repos sources lists.

sudo su -c "echo -e 'deb http://httpredir.debian.org/debian experimental main' > /etc/apt/sources.list.d/debian-experimental.list"

Apt pinning provides a safe mechanism to mix and match packages from different Debian repository branches without breaking your base distribution.

A higher pin priority ensures that the stable package version is preferred over any other when installing with apt. Note that these files must have a .pref extension or none at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref

Paste:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save.

Install Pond and its dependencies.

sudo apt-get update
sudo apt-get install golang libgtk-3-dev libgtkspell3-3-dev libtspi-dev
sudo apt-get -t experimental install pond

Run Pond.

cd
mkdir gopkg
export GOPATH=$HOME/gopkg
$GOPATH/usr/bin/pond-client

The server's file path: /usr/bin/pond-server


Optionally set a passphrase and keep the default server selected.

For usage instructions read help --all to understand the options.

HugePages[edit]

Huge memory pages improve performance for some virtualized workloads such as running databases. They are not enabled by default in Linux because the amount of memory to be allocated this way depends on the different needs from one user/admin to another. [26]

On the host you need to activate the nr_hugepages setting in the proc filesystem:

echo 1054 > /proc/sys/vm/nr_hugepages

NOTE: To make the above value persistent across reboots, create a sysctl drop-in file (sysctl only loads files in /etc/sysctl.d/ whose name ends in .conf):

echo "vm.nr_hugepages=1054" > /etc/sysctl.d/50_hugepages.conf

Then, `grep` for the HugePages_Total:

grep -i HugePages_Total /proc/meminfo 

This should show:

HugePages_Total:    1054

The total system RAM allocated as hugepages can be calculated as:

2 MiB * 1054 = 2108 MiB ≈ 2 GiB

Then, boot a libvirt virtual machine with 2 GB memory with appropriate XML setting as noted in the example below:

  <memory unit='KiB'>2000896</memory>
  <currentMemory unit='KiB'>2000000</currentMemory>
  <memoryBacking>
    <hugepages>
      <page size='2048' unit='KiB' nodeset='0'/>
    </hugepages>
  </memoryBacking>
  <vcpu placement='static'>8</vcpu>


Clipboard Sharing[edit]

SPICE allows accelerated graphics and clipboard sharing. The clipboard is disabled by default for security reasons [27] but could be enabled.

When editing the XML, search for:

<clipboard copypaste='no'/>

and change it to:

<clipboard copypaste='yes'/>


KSM[edit]

The security assumption about virtual environments is that each VM is a completely isolated instance that knows nothing about what's happening outside it. KSM (Kernel Samepage Merging) undermines this and poses a privacy problem for an isolated multi-workstation setup.

In a single workstation-to-gateway scenario, KSM isn't problematic because, technically, nothing going on on the gateway would endanger privacy even if it became known. However, should someone run multiple workstation VMs, each with the intent that they are all separated (each with its own internal network for isolation, for example), then with KSM all similar activities or processes running in the other VMs would register to an attacker who has compromised one of them, for example the information that the same website has been visited in another VM too. This would allow cross-VM activity correlation.

It's not really a weakness unique to KSM, but a common problem shared by the equivalent feature on other hypervisors too (Xen's TPS - Transparent Page Sharing). [28]

Quote from Memory Deduplication as a Threat to the Guest OS:

4.3 Detection of Downloaded Files

The memory disclosure attack can also be applied to find an opened file on a victim’s VM. We have tried to detect a logo file when Firefox shows a home page.

We confirmed that the Google logo file was detected if page caching is enabled on Firefox. When the page cache was set to 0, detection failed. If an attacker leads a victim to a malicious home page which includes an identifiable logo file, the attacker can detect the page view from the victim’s VM.

This disclosure attack is dangerous because it detects a page view even if the network is encrypted by TLS/SSL. Especially in a multi-tenant data center, this attack is serious, because it does not violate any SLA statements on cloud computing.


Wiping the storage used by a guest domain[edit]

A volume used by a domain can contain confidential data, hence it is necessary to wipe it before removal. Libvirt offers a helping hand for such cases:

virsh vol-wipe <volume>

which truncates and extends the volume to its original size. This in fact fills the file with zeroes and ensures that data previously stored on the volume is not accessible to reads anymore. After this, you can remove the volume:

virsh vol-delete <volume>

Source [29]

Template:Install Backport[edit]

Upgrade your system as usual. [30]

Create a file /etc/apt/sources.list.d/user.list. Open /etc/apt/sources.list.d/user.list in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/user.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/user.list

Add the following content.

deb http://ftp.us.debian.org/debian jessie-backports main contrib non-free

Save.

Update your package lists.

sudo apt-get update

Install a package from jessie-backports. Example.

sudo apt-get install -t jessie-backports {{{package}}}

Note:

  • Don't forget the -t jessie-backports, which does the trick here.


Mounting Shared Folders in KVM Guests[edit]

Run the following command in terminal (Start Menu -> Applications -> System -> Terminal).

sudo mount -t 9p -o trans=virtio shared /mnt/shared -oversion=9p2000.L

To automatically mount this every time at boot, modify /etc/fstab.

Open /etc/fstab in an editor.

If you are using a graphical environment, run:

kwrite /etc/fstab

If you are using a terminal (Konsole), run:

nano /etc/fstab

Add.

shared /mnt/shared    9p  trans=virtio,version=9p2000.L,rw    0   0

Save.


SELinux[edit]

SELinux is more robust than AppArmor because it is label-based rather than file-path-based. But this comes at the expense of policies being difficult to write. The good news is that if you are a KVM user and want to harden your GNU/Linux host, it's as simple as enabling SELinux: libvirt will automatically take advantage of it without any further effort needed on your part.

These instructions apply to Whonix and could easily be replicated on your Debian host. First disable AppArmor if you are using it. Both MAC systems cannot be run simultaneously; this is not supported by LSM and may also be a source of conflicts.

AppArmor is disabled, and the kernel module unloaded by entering the following[31]:

sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove

To enable SELinux follow these steps.[32] The cited guide also includes steps for writing custom policy for hardening.


    # aptitude install selinux-basics selinux-policy-default
    # selinux-activate
    # reboot

    # sudo nano /etc/default/grub

    Replace all mention of apparmor in the settings for GRUB_CMDLINE_LINUX with selinux=1 and enforcing=1, which are parameters passed to the Linux kernel. The audit=1 parameter enables SELinux logging, which records all denied operations.

    Remove the line under it that starts with: GRUB_CMDLINE_LINUX_DEFAULT

    # update-grub


Updating Tor[edit]

Tor was installed on Whonix according to official instructions for Ubuntu. You can update Tor (and the rest of the system) using apt-get update and apt-get dist-upgrade.

If you run into the following error message when running apt-get update on the Gateway...

W: GPG error: http://deb.torproject.org precise Inrelease: The following signature were invalid: Keyexpired 1346668560

...or into the following error message on the Gateway when running apt-get dist-upgrade:

Warning: The following packages cannot be authenticated!
deb.torproject.org-keyring tor
Install these packages without varification?

...please use the workaround below. Please do not install without verification for your own safety!

Temporary fix. Run these two commands. (Check if they are still current and genuine in official instructions for Ubuntu.)

gpg --keyserver keys.gnupg.net --recv 886DDD89

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

(If they fail the first time, perhaps because you are on a slow network or a slow Tor circuit, run them a few times until they succeed.)

Technical problem: The latest Whonix release was a few days ago and in the meantime the deb.torproject.org-keyring got renewed while the old torproject deb keys expired. Fixing the problem requires a new Whonix release. It will be fixed in 0.3.0.


Nymserver QuickSilver Mail How-To[edit]

This guide is for QuickSilver Lite, a Libre Software GUI for Mixmaster. QuickSilver Lite was written for Windows but is fully compatible with Wine. The paranoici Zax-type Nymserver is used for this example. Credit goes to Whonix user mirimir whose instructions this work is based on.[33][34]



## Generate your GPG keypair using KGpg. Fill in the nym you chose for the Email field. Use something likely not taken:
KGpg -> Keys -> Generate Key Pair... ->

Name: John Doe (or any alias of choice)
Email: yournym@nymphet.paranoici.org
Keysize: 4096 bits
    
OK -> Enter passphrase for key -> OK.


## Import Nymserver key from KGpg.
KGpg -> Open Keyserver Dialog -> Search for 'send@nymphet.paranoici.org' -> Import


## Always check the fingerprint for yourself. The output at the moment is:

pub  4096R/0x5CE8D7B97340F3A7 2013-01-06 Nymserver <send@nymphet.paranoici.org>
      Key fingerprint = B91A FAEE 998D 5134 5AFE  E104 5CE8 D7B9 7340 F3A7


## In KGpg, highlight your key, and set Trust level on Nymserver key to 'Marginal' and sign it with your own key.

Right-click on Nymserver key -> Key Properties

Owner Trust: Marginally

-> Apply -> OK


Right-click on Nymserver key -> Continue -> Select your nym's secret key to use for signing -> OK -> Enter passphrase



## Download QuickSilver's signing keys with scurl to home folder.
scurl -ko quicksilver.asc https://www.quicksilvermail.net/quicksilver.asc

## Check fingerprints/owners without importing anything. 
gpg --with-fingerprint quicksilver.asc

## Always check the fingerprint for yourself. The output at the moment is:

pub  4096R/0x1B04C05145FF11B1 2013-09-08 QuickSilver <admin@quicksilvermail.net>
      Key fingerprint = 6BC3 5E3D 7473 E416 F423  E845 1B04 C051 45FF 11B1
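The fingerprint comparison that this step, the Syncthing key check earlier on this page, and the Tor keyring fix above all rely on is easy to get wrong by matching only a short key ID such as 886DDD89, or by reading a subkey's fingerprint instead of the primary key's. The following Python, added here as an example and not Whonix's or GnuPG's code, parses the machine-readable `gpg --with-colons` listing, takes only the primary key's fingerprint, and accepts the file only if it holds exactly one key whose full 40-digit fingerprint and user ID match what is published; the `list_key_file` wrapper assumes GnuPG 2.1.23 or newer (which has `--show-keys`), and the sample listing is constructed around the Syncthing fingerprint printed on this page.

```python
import re
import subprocess
from typing import List, Tuple


def _strip(value: str) -> str:
    """Remove whitespace and an optional 0x prefix, upper-case the rest."""
    value = re.sub(r"\s+", "", value).upper()
    return value[2:] if value.startswith("0X") else value


def is_full_fingerprint(value: str) -> bool:
    """True only for a complete 40-hex-digit OpenPGP v4 fingerprint.

    Short (8-digit) and long (16-digit) key IDs are not fingerprints: keys with
    a chosen key ID can be generated, so an ID must never be the basis of trust.
    """
    return re.fullmatch(r"[0-9A-F]{40}", _strip(value)) is not None


def primary_keys(colons: str) -> List[Tuple[str, str]]:
    """Return (primary fingerprint, first user ID) for every key in a
    `gpg --with-colons` listing.

    Only the 'fpr' record that directly follows a 'pub' record is the primary
    key's fingerprint; 'fpr' records after 'sub' describe subkeys and are skipped.
    """
    keys: List[Tuple[str, str]] = []
    fpr = uid = None
    expect_primary_fpr = False
    for line in colons.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            if fpr is not None:
                keys.append((fpr, uid or ""))
            fpr = uid = None
            expect_primary_fpr = True
        elif kind == "fpr" and expect_primary_fpr:
            fpr = fields[9].upper()  # field 10 carries the fingerprint
            expect_primary_fpr = False
        elif kind == "uid" and uid is None:
            uid = fields[9]  # field 10 carries the user ID string
        elif kind == "sub":
            expect_primary_fpr = False  # the next fpr belongs to the subkey
    if fpr is not None:
        keys.append((fpr, uid or ""))
    return keys


def key_file_matches(colons: str, expected_fpr: str, expected_uid_part: str = "") -> bool:
    """Accept a downloaded key file only if it contains exactly one key whose
    primary fingerprint equals the published one and whose user ID contains
    expected_uid_part (for example the release e-mail address)."""
    if not is_full_fingerprint(expected_fpr):
        raise ValueError("compare against the full 40-digit fingerprint, never a short key ID")
    keys = primary_keys(colons)
    if len(keys) != 1:
        return False  # an extra key bundled into the .asc would otherwise be imported too
    fpr, uid = keys[0]
    return fpr == _strip(expected_fpr) and expected_uid_part in uid


def list_key_file(path: str) -> str:
    """Colon-format listing of a key file without importing it.

    Assumption: GnuPG 2.1.23 or newer, where --show-keys is equivalent to
    --import --import-options show-only.
    """
    result = subprocess.run(
        ["gpg", "--with-colons", "--show-keys", path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample listing for the Syncthing release key quoted on this page.
# The primary fingerprint is the published one; the uid hash and subkey are made up.
SAMPLE_COLONS = """\
pub:-:2048:1:D26E6ED000654A3E:1419811200::-:::scESC::::::23::0:
fpr:::::::::37C84554E7E0A261E4F76E1ED26E6ED000654A3E:
uid:-::::1419811200::0000000000000000000000000000000000000000::Syncthing Release Management <release@syncthing.net>::::::::::0:
sub:-:2048:1:1111111111111111:1419811200::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
"""

if __name__ == "__main__":
    published = "37C8 4554 E7E0 A261 E4F7  6E1E D26E 6ED0 0065 4A3E"
    print("sample key file matches:", key_file_matches(SAMPLE_COLONS, published, "release@syncthing.net"))
```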

## Import key:
gpg --import quicksilver.asc

## To avoid "unsafe ownership" key warnings
gpg --fingerprint
chmod --recursive 700 ~/.gnupg



## Download archives.
wget -r --no-check-certificate --no-parent -A 'QSLite*.zip' https://www.quicksilvermail.net/qslite/
wget -r --no-check-certificate --no-parent -A 'QSLite*.zip.sig' https://www.quicksilvermail.net/qslite/
wget -r --no-check-certificate --no-parent -A 'QSAam*.zip' https://www.quicksilvermail.net/qsaam/
wget -r --no-check-certificate --no-parent -A 'QSAam*.zip.sig' https://www.quicksilvermail.net/qsaam/


## Move files into Home folder.
mv /home/user/www.quicksilvermail.net/qslite/QSLite*.zip /home/user
mv /home/user/www.quicksilvermail.net/qslite/QSLite*.zip.sig /home/user
mv /home/user/www.quicksilvermail.net/qsaam/QSAam*.zip /home/user
mv /home/user/www.quicksilvermail.net/qsaam/QSAam*.zip.sig /home/user


## Verify archive. Fingerprint should match the key above.
gpg --verify-options show-notations --verify QSLite*.zip.sig QSLite*.zip
gpg --verify-options show-notations --verify QSAam*.zip.sig QSAam*.zip


## Install Wine.
sudo apt-get install wine

## Run Wine to create its directories. Cancel Wine Mono Installer.
wine run

## Create folder for QS components and transfer them.
mkdir /home/user/.wine/drive_c/QS/
unzip QSLite*.zip -d /home/user/.wine/drive_c/QS/
unzip QSAam*.zip -d /home/user/.wine/drive_c/QS/

## Answer A ('All', i.e. replace all) when unzip prompts about duplicate files.
A

## Open Terminal and create links to allow QSL and QSA to use Debian gpg:
mkdir .wine/drive_c/QS/gpg-links
link '/home/user/.gnupg/pubring.gpg' '/home/user/.wine/drive_c/QS/gpg-links/pubring.gpg'
link '/home/user/.gnupg/secring.gpg' '/home/user/.wine/drive_c/QS/gpg-links/secring.gpg'

## Run QSL. Starting it this way is needed only for the initial run (the same applies to QSA); afterwards access QSL from the desktop shortcut.
cd /home/user/.wine/drive_c/QS
wine qsl.exe

## Setup QSL.
Setup -> Draw randomly in window until "OK" appears ... click "OK" -> Check: Create desktop shortcut | Email Address: yournym@nymphet.paranoici.org -> SMTP Server: gbhpq7eihle4btsn.onion -> Leave SMTP Proxy settings unchanged -> Leave HTTP Proxy settings unchanged -> Finish

(Note: Mixnym's SMTP Onion Service used. Tor Transport used - stream isolation unnecessary)


## Configure QSL.
Open Tools | Options.
...In General tab:
......Under "User Mode", check "Expert".
......Under "On Start-up", check "Open Template Dialog".
...In PGP tab:
......Check "PGP Public Key Encryption".
......For "Private Keyring", use "C:\QS\gpg-links\secring.gpg".
......For "Public Keyring", use "C:\QS\gpg-links\pubring.gpg".
......Click "Default key" and select it (will be just your new one).
......If desired, choose to cache private-key passphrases for five minutes or so.
...In Mix tab:
......Select "once a day" for "Update remailer stats".
...Click "Ok" to finish.
Open Tools | Stats manager.
...Click "Update".
...When you see "done!" click "Ok".
...If it stalls, there's something wrong with your Tor setup.
......Check with Firefox, and also check Tor config in Tools | Proxies.
Open Tools | Allpingers manager.
...Click "Update".
...When you see "done!" click "Ok".


Now you'll configure the message that QSL uses to create a Mixnym nym.
In the main compose pane, customize the message to look like the following:

Code:

Fcc: nyms
Host: gbhpq7eihle4btsn.onion
From: nobody@nowhere.net
Chain: *,*,*; copies=2;
To: send@nymphet.paranoici.org
Subject:

hsub: New Mail For Jude!

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFFP2l4BEACXJDUM6SxyjUk8K+MJ4fRJ5VMaE6hSsAD6n8eO04l9HMzSx26X
<snip>
wnOpR4sYYD9MFLura6+YiHWtT8ih
=ndP9
-----END PGP PUBLIC KEY BLOCK-----

~~

In the above:
...Replace "Jude" in "hsub: New Mail For Jude!" with your fake first name.
...Replace the public key block with your public key that you exported above. Get it by exporting it from KGpg then copy-paste the contents.
...Be very careful near line ends ... Unix vs DOS newline can be buggy here.
...The "~~" at the bottom, preceded by two blank lines, is crucial!
Save as "nym create template".
...You can reuse it with edits for creating other nyms.
Click the PGP lock and signing icons.
......The mixnym server will only accept signed configuration requests.
Now click "Send" 
"PGP Encrypt to Recipients..." prompt will appear.
...Choose the Nymserver key from the top pane then click "OK"
Enter your key passphrase when prompted to sign message.
After it finishes, you should see:

Code:

0 in message queue
0 in problem queue
2 sent

All mail sent!

If it worked, the next step is configuring QSA.
If it hangs, cancel out and go back through everything looking for errors.
Close QSL when you're done (and ignore the crash error that you may see).

You can't get a reply from the Nymserver until you configure QSA.


## Run QSA.
cd /home/user/.wine/drive_c/QS
wine qsa.exe

## Setup QSA.
Check: Create desktop shortcut... click "OK" 

If your Nymserver name and type is not listed you must add it first before you can add AAM subject lines encrypted to you.

Open Tools | Nymservers.
...New:
......Nymserver Domain: nymphet.paranoici.org.
......Type: Zax
...Click "OK" then "Done"
Open Tools | AAM Subject Lines.
...New:
...In AAM Subject Line Tab:
......Nym: select your nym's private key.
......Subject (HSUB), use the one you set or "New Mail For Jude!" if you are following the example above.
...Click "OK" then "Done".
Only one AAM Subject Line can be configured to find your hsub. Be sure to enter it exactly as you did before or else QSA won't find it.
Click "Get Mail" from the main interface. Replies take a while.

## Clean-Up
rm -rf /home/user/www.quicksilvermail.net
rm QSLite*.zip
rm QSLite*.zip.sig
rm QSAam*.zip
rm QSAam*.zip.sig
rm /home/user/Desktop/"QuickSilver Lite.lnk"
rm /home/user/Desktop/"QuickSilver Aam.lnk"


From: Header Support[edit]

For a list of remailers that accept From: headers, see:[35]

http://pinger.mixmin.net/from.html


KVM GUI Instructions[edit]

No longer applies as we are now using vm xml templates for a standard configuration. The rest of the instructions for shared folders and spice have been moved into a readme file distributed with the images.

sudo apt-get update
sudo apt-get install virt-manager

Make sure folder /var/lib/libvirt/images/ exists.

sudo mkdir -p /var/lib/libvirt/images/

Do not use unxz! Extract the images using tar to /var/lib/libvirt/images/.

Before starting the new vm wizard we must create an internal isolated network that connects the workstation with the gateway.

Go to the VMM GUI --> Edit --> Connection Details --> Add button. Choose whonix as the network name. Edit the subnet range to 10.0.0.2/24. Uncheck the dhcpv4 option. Ignore anything to do with ipv6. Keep the default option Isolated Virtual Network selected and click Finish.

The next steps may need more work to customize vm devices and clock to safe defaults. Work in this area not final.

Create a Whonix Gateway vm first and choose to edit it before installation. Customize the first NIC that is included to be in default NAT mode. Click to add hardware and choose another NIC. This new NIC must have the newly created isolated virtual network 'whonix' selected as the network device. Finalize and launch. The disk controller must be set to SATA, and qcow2 must be selected as the storage format.

Create the Whonix Workstation vm and make sure you select the isolated internal network for the only NIC this machine has. Launch. The disk controller works only with IDE; qcow2 must be selected as the storage format.

Don't forget to take snapshot.

Done!

SPICE is enabled for graphics by default but needs a vdagent to be installed in the guest vms for accelerated 2D in the vm to happen. It is not included in the workstation install by default, which impacts performance greatly.

http://www.linux-kvm.org/page/SPICE

It should be safe for use unless you, Adrelanos, determine otherwise. 2D and 3D in VBox have an insecure architecture and even the manuals admit to this. 2D in VBox is not even available for anything but Windows guests, which is not recommended and insecure of course. Everything Linux-based is designed from the ground up with security considerations in mind.

Clock disabling for vms on host is recommended. Still haven't done it yet, and it seems to need command line.

Enabling SPICE[edit]

SPICE allows accelerated graphics and clipboard sharing. Its implications for security are an open question that needs a detailed answer rather than a vague clear cut one.

1. Enable SPICE by selecting it from the VMM GUI. (It is the default option if you decide not to select VNC when creating the VM.)

Not enabling SPICE from the beginning will prevent the spice channel device from being added, which impacts performance. To fix this, add a channel device and select SPICE. This step is not necessary if you leave the defaults as they are at the beginning.

2. QXL is the GPU model that should be attached.

3. Install vdagent in guest and reboot.

.qcow file size too big?[edit]

Short:
It won't really take up 101 GB. Just ~ 2.6 GB. This is an issue with file managers, not Whonix.

Long:
[36]

KVM Shared Folders[edit]

To move data between the guest and host follow these steps:

1. Set the following settings for shared folders in virt-manager:

The file sharing mode 'mapped' is just an example, using squash or passthrough is possible by selecting them from the drop down menu.

Driver:Default

Mode: Mapped


Source Path: [This is the path of the folder on the Host you are sharing with the Guest]

Target Path: [A custom tag for the shared directory that is used when running the mounting commands within the guest. for example: /tmpshare]


2. Run terminal as root in Guest then use the following command:

mount -t 9p -o trans=virtio [mount tag] [mount point] -oversion=9p2000.L

Mount tag is: /tmpshare

Mount point is the path of the directory that you will share in the Guest with the Host. If it doesn't exist you must create that folder.

Note: replace the bracketed values in the command; the square brackets are just placeholders in this example and should not be typed.

3. To automatically mount this every time at boot, open your guest's /etc/fstab as root:

sudo nano /etc/fstab

and add the following line:

[mount tag] [mount point] 9p trans=virtio,version=9p2000.L,rw 0 0

Footnotes[edit]

[1] http://wiki.qemu.org/Documentation/9psetup#Starting_the_Guest_using_libvirt

  1. http://pidgin.im/
  2. By the https://github.com/Whonix/pidgin-improved-privacy package.
  3. https://otr.cypherpunks.ca/
  4. https://jitsi.org/Main/News
  5. https://jitsi.org/
  6. https://archive.fosdem.org/2013/schedule/event/hangout_conferences_with_jitsi/
  7. https://lists.torproject.org/pipermail/tor-talk/2013-February/027204.html
  8. http://sflphone.org/
  9. http://www.torfone.org/onionphone
  10. https://lists.torproject.org/pipermail/tor-talk/2013-February/027215.html
  11. https://github.com/gegel/onionphone
  12. http://www.linphone.org/docs/liblinphone/group__conferencing.html
  13. https://github.com/guardianproject/ChatSecureAndroid/issues/495
  14. Arbitrary choice of port to avoid conflicts with custom onioncat setups.
  15. http://manpages.debian.org/cgi-bin/man.cgi?query=ocat&apropos=0&sektion=0&manpath=Debian+testing+jessie&format=html&locale=en
  16. https://github.com/OpenBazaar/OpenBazaar/issues/795
  17. Note: IPv6 is not yet supported by Tor. Limited workaround: OnionCat
  18. Limited workaround: OnionCat
  19. Note: OnionCat
  20. These instructions for a Hidden Service do not mention OnionCat as being needed: https://sin.thecthulhu.com/library/Syncthing_instructions.txt
  21. apt.syncthing.net
  22. https://syncthing.net/security.html
  23. https://github.com/Whonix/usability-misc https://github.com/Whonix/usability-misc/blob/master/usr/share/usability-misc/tbb-foxyproxy/foxyproxy.xml
  24. https://lists.torproject.org/pipermail/tor-dev/2016-December/011733.html
  25. https://emu.freenetproject.org/pipermail/devl/2016-August/039267.html
  26. https://bugzilla.redhat.com/show_bug.cgi?id=1173218#c12
  27. So you don't accidentally copy for example a link to a website you visited anonymously to your non-anonymous host browser or vice versa.
  28. http://docs.openstack.org/security-guide/content/hypervisor-selection.html
  29. http://wiki.libvirt.org/page/VM_lifecycle#Wiping_the_storage_used_by_a_guest_domain
  30. This makes later installation from backports less likely to break the package management.
  31. https://help.ubuntu.com/12.04/serverguide/apparmor.html
  32. http://debian-handbook.info/browse/stable/sect.selinux.html
  33. http://www.wilderssecurity.com/threads/installing-quicksilver-lite-in-whonix-and-creating-a-mixmin-nym.344489/
  34. https://archive.is/bNFah
  35. https://www.quicksilvermail.net/links.html
  36. Don't get fooled by ls or usual GUI file managers. We're using sparse files. When you are using a reasonable modern file system - which you most likely do - it won't use up a lot space. You can check this for yourself.
    du -h --apparent-size Whonix-Gateway-8.2.qcow2
    101G    Whonix-Gateway-8.2.qcow2
    du -h Whonix-Gateway-8.2.qcow2
    2.6G    Whonix-Gateway-8.2.qcow2
    

    This is tested. If you don't have 500 GB of free space, you can still have 10 copies of Whonix-Gateway-8.2.qcow2.

VirtualBox Guest Additions[edit]

Introduction[edit]

Written and tested with Whonix 0.2.1 (Ubuntu precise). Many things can go wrong and none or the very least of them will be caused by Whonix. This has only limited support by the Whonix developers, because 1. it's not recommended for security reasons and 2. the guest additions related bugs and instructions are somewhat out of the scope of the Whonix project.

Installation is somewhat difficult and no packages exist. Just search the internet and you'll see that loads of people have issues installing the VirtualBox guest additions. People have had problems for years. VMware is no alternative; people are also having trouble installing the VMware tools into Linux guests. The issue with the guest additions is ridiculous. For years no solution has been found. With each kernel update, recompilation is required, and quite often, due to some updates, compilation becomes difficult or impossible for a long time.

Also see article, [VirtualBox Kernel Driver Is Tainted Crap].

If you are having trouble, then in most cases it is not because of Whonix. The Whonix setup is a regular Ubuntu Linux and VirtualBox. You can try asking the regular VirtualBox and Ubuntu resources if you have trouble.

TorChat source package[edit]

HowTo[edit]

EXPERIMENTAL Experimental as in it is difficult to install. Only use it in case you trust TorChat. There shouldn't be any anonymity leaks and it should be as safe as other hidden services in general and in Whonix.

Learn about Hidden Services in Whonix first and learn how to set up the hidden webserver. This will ease following this guide.

On Whonix-Gateway.

Open your /etc/tor/torrc.

sudo nano /etc/tor/torrc

Add.

HiddenServiceDir /var/lib/tor/torchat_service/
HiddenServicePort 11009 10.152.152.11:11009

Save. Reload Tor.

sudo service tor reload

On Whonix-Gateway.

Install dependencies.

sudo apt-get install python python-wxgtk2.8

Get your onion address.

nano /var/lib/tor/torchat_service/hostname

Back up your key, if you ever want to restore it on another machine, a newer Whonix-Workstation or after an HDD failure.

/var/lib/tor/torchat_service/private_key

Download the latest Python version of the TorChat source code, for example, at the time of writing, torchat-source-0.9.9.553.zip - Python source code (classic standalone 0.9.9 version) from (https://github.com/prof7bit/TorChat/downloads) and store it in /home/user.

Unpack.

unzip torchat-source-0.9.9.553.zip

Get into the torchat source folder. For example.

cd /home/user/torchat-source-0.9.9.553/

Get into the src folder.

cd src

Get into the Tor folder.

cd Tor

Rename tor.sh.

mv tor.sh backup_tor.sh

Go back to the src folder.

cd ..

Create torchat.ini.

nano torchat.ini

Add the following content.

[client]
listen_interface = 10.152.152.11 
listen_port = 11009
own_hostname = <your onion hostname without .onion>

[tor]
tor_server = 10.152.152.10
tor_server_control_port = 9154
tor_server_socks_port = 9154

[tor_portable]
tor_server = 10.152.152.10
tor_server_control_port = 9154
tor_server_socks_port = 9154

Make torchat executable.

chmod +x torchat.py

Run torchat.

./torchat.py

Alternative[edit]

After installing the dependencies we could also force install the torchat deb package.

sudo dpkg -i --force-depends torchat-0.9.9.553.deb

And then configure the files inside /home/user/.torchat. I don't know if that may be the better way.

Mixmaster[edit]

MX capable DNS resolver[edit]

No longer required.

Mixmaster needs to resolve MX DNS records, while Tor does not support that. We have to install a DNS resolver capable of doing that. It still comes with caveats.

Required knowledge:

The Example with CZ.NIC Labs DNS resolver worked in this case.

Security considerations when replacing the system wide DNS resolver:

  • The third party DNS resolver traffic goes through its own circuit, which is good.
  • All (custom installed) applications not configured to use a SocksPort (see [Stream Isolation]) would resolve their DNS through the system wide DNS resolver, which would be the third party resolver, giving it too much power, because it is always the same single service provider: static, not changing like Tor circuits.

Install Postfix[edit]

    sudo apt-get install postfix ## configure postfix as satellite system, default settings

Technical background: Mixmaster requires either a) an (open) SMTP server as SMTPRELAY in /etc/mixmaster/remailer.conf. Unfortunately, I haven't found any open SMTP server (search term: open relay). A mail server where the user registers first would probably work, but this would defeat the original idea: sending e-mails without depending on registration. Or b) an MTA (mail transfer agent), which speaks to the remailer directly. TODO: Are there enough Tor exit relays which allow the SMTP port, and do their ISPs allow speaking SMTP? If there are too few servers, it could be bad for anonymity.

Open /etc/postfix/main.cf.

kdesudo kwrite /etc/postfix/main.cf

Replace the content with the following.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = host.localdomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = host, host.localdomain, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = 
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all

relayhost = 1.1.1.1
#relayhost = 2.2.2.2

Debugging Postfix[edit]

Looking into the mail log.

tail -f /var/log/mail.info

Should contain something like this.

<date> <time> debian postfix/pickup[id]: id2: uid=1000 from=<user>
<date> <time> debian postfix/cleanup[id]: id2: message-id=<id3.id4@host.localdomain>
<date> <time> debian postfix/qmgr[id]: id2: from=<user@host.localdomain>, size=30000, nrcpt=1 (queue active)
<date> <time> debian postfix/smtp[300]: id2: to=<remailer@breaka.net>, relay=mail.breaka.net[202.75.54.8]:25, delay=30, delays=0.30/0.01/30/3.0, dsn=2.0.0, status=sent (250 OK id=id5-id6-id7)
<date> <time> debian postfix/qmgr[id]: id2: removed
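Reading the log by eye works for one message, but after a batch of remailer sends it helps to pull out the delivery status per queue id. The following is an added example, not part of the original page or of Postfix: it runs awk over constructed log lines in the shape shown above (the host names and addresses are made up) and reports which queue ids were sent, deferred or bounced.

```shell
#!/bin/sh
# Constructed sample of Postfix log lines in the shape shown above (not a real capture).
SAMPLE_MAIL_LOG='Jan 01 12:00:01 debian postfix/pickup[1001]: A1B2C3: uid=1000 from=<user>
Jan 01 12:00:01 debian postfix/cleanup[1002]: A1B2C3: message-id=<x@host.localdomain>
Jan 01 12:00:01 debian postfix/qmgr[1003]: A1B2C3: from=<user@host.localdomain>, size=30000, nrcpt=1 (queue active)
Jan 01 12:00:31 debian postfix/smtp[1004]: A1B2C3: to=<remailer@example.invalid>, relay=mail.example.invalid[192.0.2.10]:25, delay=30, delays=0.30/0.01/30/3.0, dsn=2.0.0, status=sent (250 OK)
Jan 01 12:00:31 debian postfix/qmgr[1003]: A1B2C3: removed
Jan 01 12:05:00 debian postfix/pickup[1001]: D4E5F6: uid=1000 from=<user>
Jan 01 12:05:00 debian postfix/qmgr[1003]: D4E5F6: from=<user@host.localdomain>, size=29000, nrcpt=1 (queue active)
Jan 01 12:05:40 debian postfix/smtp[1005]: D4E5F6: to=<remailer@example.invalid>, relay=none, delay=40, delays=0/0.01/40/0, dsn=4.4.1, status=deferred (connect to mail.example.invalid[192.0.2.10]:25: Connection timed out)'

# Read mail log lines on stdin; print "queue-id status" for every delivery
# attempt logged by the postfix/smtp client (pickup/cleanup/qmgr lines are skipped).
mail_delivery_status() {
  awk '/ postfix\/smtp\[[0-9]+\]: / {
         qid = $6; sub(/:$/, "", qid)              # "A1B2C3:" -> "A1B2C3"
         if (match($0, /status=[a-z]+/))
           print qid, substr($0, RSTART + 7, RLENGTH - 7)   # text after "status="
       }'
}

# Count delivery attempts with a given status (sent, deferred, bounced).
count_status() {
  mail_delivery_status | awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Queue ids that did not reach "sent": the ones worth looking at in the log.
failed_queue_ids() {
  mail_delivery_status | awk '$2 != "sent" { print $1 }'
}

# Demo on the constructed sample; for a live system use: tail /var/log/mail.info | mail_delivery_status
printf '%s\n' "$SAMPLE_MAIL_LOG" | mail_delivery_status
```

Only error messages produce local mail, so a deferred or bounced queue id here is the pointer into the `mail` spool described next.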

Reading local mail.

## Either with cli tool mail.
mail

## Or using gui tool Icedove (Debian version of Mozilla Thunderbird)
## using movemail.

If all went well, there will be no local mail. Only error messages result in local mails.

Bugs[edit]

  • In Whonix 0.4.5, due to a Tor Browser upstream bug (they forgot to update the changelog) and because the keyserver is/was down, the torbrowser and whonixcheck script in Whonix can no longer find out which Tor Browser version is locally installed. (Whonix Bug Report) The Update Tor Browser chapter contains a workaround and a fix is available for testers.

Attack matrix in different order[edit]

attack                                                                        | TBB  | TBB in a VM | Tails | Tails in a VM | Whonix Standard Download version (host+vm+vm) | Whonix Physical Isolation
(1) Protocol IP leak                                                          | fail | fail        | fail  | fail          | safe                                          | safe
(2) exploit + Unsafe Browser                                                  | fail | fail        | fail  | fail          | safe                                          | safe
(3) exploit + root exploit + Unsafe Browser                                   | fail | fail        | fail  | fail          | safe                                          | safe
(4) root exploit + Unsafe Browser                                             | fail | fail        | fail  | fail          | safe                                          | safe
(5) exploit + vm exploit + Unsafe Browser                                     | fail | fail        | fail  | fail          | fail                                          | safe
(6) exploit + vm exploit + exploit against physically isolated Whonix-Gateway | fail | fail        | fail  | fail          | fail                                          | fail
(7) vm exploit                                                                | safe | fail        | safe  | fail          | fail                                          | safe
(8) vm exploit + exploit against physically isolated Whonix-Gateway           | safe | fail        | safe  | fail          | fail                                          | fail
(9) exploit against Tor process                                               | fail | fail        | fail  | fail          | fail                                          | fail
(10) attack against the Tor network                                           | fail | fail        | fail  | fail          | fail                                          | fail

E-Mail Notification[edit]

Users, who have an (anonymous) sourceforge.net account, could go to the Whonix sf.net Project Page, scroll down to Update Notifications and hit the Subscribe to Updates button. They would receive notifications about new releases sent to their (anonymous) [E-Mail] address.

There is currently no way for users to subscribe to sf.net blogs or wiki, but such a feature has been requested.

Sourceforge.net E-Mail Notification[edit]

Didn't work reliably.

E-mail notification: For users having an account on sf.net, there is an E-Mail subscribe button on the sf.net git page.

This is an example how such a mail could look like:

experimental: comment by adrelanos http://sourceforge.net/p/whonix/code/ci/a1740dfcd391cedfa625d72b990b2a587620df30/

experimental: Whonix-Workstation_packages: added gtk3-engines-oxygen by adrelanos http://sourceforge.net/p/whonix/code/ci/7375070a7986230028bf4e82a6ab3ecb420bfd60/

---

Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/whonix/code/

To unsubscribe from further messages, please visit https://sourceforge.net/auth/prefs/

Restrict Flash Settings[edit]

You can skip this chapter. It's no longer of use, because if you use BetterPrivacy as recommended above, you won't need this.

Flash applications can set cookies, so-called Local Shared Objects (LSO), independently of the browser's settings. These cookies are able to save data up to 100 Kb. Usually, they save settings but they may be used to track surfers as well.

In order to manage the settings of your Adobe Flash Player, Macromedia offers a Flash application on its website. There you may e.g. configure the rules concerning the data storage and the rights for using camera and microphone. The settings are spread over several flash applications. Deactivate all functions that allow sharing and saving of data. The storage of LSOs may be deactivated on the Global Storage Settings panel.

Hint: Only in case you previously deactivated JavaScript: You must have JavaScript enabled for adobe.com and macromedia.com temporarily to run the Flash application.

Flash1.png

Furthermore, the cookies already saved have to be deleted. This functionality may be found on the Website Storage Settings panel.

Flash2.png

Personal side note: you see how ridiculous that plugin is, if the usage of the Flash settings manager depends on their website being reachable.

Build Documentation dpkg-source commit[edit]

To dpkg commit changes, run the debian upstream tarball creation script.

./help-steps/make-debian-package-upstream-tarball

Then run.

dpkg-source --commit

When it asks "Enter the desired patch name:" just enter anything you wish, for example "buildconfig". In the following window, you don't have to fill out anything. Just save and close the editor. [1] You only have to do this once and won't be asked again to do this, unless you add another change which needs to be dpkg-source committed.

If you want to undo the dpkg-source committed change, check the contents of the .pc and the debian/patches folders and delete them.

Build Documentation - Override Whonix Version[edit]

Since the Whonix debian package version number is auto derived from git describe and used for Whonix News download, it is recommended to override it. [2] You could add a file to buildconfig.d, for example buildconfig.d/50_version and add for example.

temp="$WHONIX_BUILD_CLOSEST_GIT_TAG"

## Using `export`, so whonix_shared/usr/share/whonix/chroot-scripts-post.d/70_log_build_version can read it.
export WHONIX_BUILD_WHONIX_VERSION_NEW="$(echo "$temp" | sed 's/-/./g')"

echo "WHONIX_BUILD_WHONIX_VERSION_NEW: $WHONIX_BUILD_WHONIX_VERSION_NEW"

WHONIX_BUILD_NEW_CHANGELOG_VERSION="${WHONIX_BUILD_WHONIX_VERSION_NEW}-debpackage${WHONIX_BUILD_NEW_DEB_REVISION_VERSION}"

echo "WHONIX_BUILD_NEW_CHANGELOG_VERSION: $WHONIX_BUILD_NEW_CHANGELOG_VERSION"

While building, check if WHONIX_BUILD_NEW_CHANGELOG_VERSION looks sane. [3]
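"Looks sane" is easier to check mechanically than by eye. The following is an added example, not Whonix build code: it derives the changelog version the same way the snippet above does (hyphens in the closest git tag become dots, then `-debpackage<revision>` is appended) and checks the result against the character set Debian allows in a version string. The tag and revision values are constructed inputs.

```shell
#!/bin/sh
# Turn a git tag or git-describe string into a dotted version, as the sed in the
# buildconfig snippet does: "8.2-5-g1a2b3c" -> "8.2.5.g1a2b3c".
dotted_version() {
  printf '%s' "$1" | sed 's/-/./g'
}

# Build the changelog version from the closest git tag ($1) and the deb
# revision ($2, the page's WHONIX_BUILD_NEW_DEB_REVISION_VERSION).
changelog_version() {
  printf '%s-debpackage%s' "$(dotted_version "$1")" "$2"
}

# Sanity check for the derived version: it must start with a digit, the upstream
# part may contain only alphanumerics and . + ~, and exactly one hyphen separates
# the "debpackageN" revision. An empty tag (detached HEAD, missing tags) fails here.
looks_sane_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9][A-Za-z0-9.+~]*-debpackage[0-9]+$'
}

# Demo on a constructed tag; in a real build the tag comes from $WHONIX_BUILD_CLOSEST_GIT_TAG.
v=$(changelog_version '8.2-5-g1a2b3c' '3')
if looks_sane_version "$v"; then
  echo "WHONIX_BUILD_NEW_CHANGELOG_VERSION: $v"
else
  echo "refusing to build: version '$v' does not look sane" >&2
fi
```

Running the check before the build, rather than reading the echoed value afterwards, is what turns "check if it looks sane" into a step that cannot be skipped by accident.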

If you added a new file to buildconfig.d, for example buildconfig.d/50_target_arch, those have to be dpkg-source committed before building Whonix. Otherwise you'll get an error message. (Which looks like this:[4]).

Whonix 0.5.6 Download Matrix[edit]

Version: 9

Note: You need to download both Gateway and Workstation virtual machine images.

Columns: Whonix-Gateway | Whonix-Workstation | Anonymous Download possible [5] | Download Security without Verification | Download Security with Verification

HTTP
  Whonix-Gateway:     http://sourceforge.net/projects/whonix/files/whonix-9/Whonix-Gateway.ova/download
  Whonix-Workstation: http://sourceforge.net/projects/whonix/files/whonix-9/Whonix-Workstation.ova/download
  Anonymous Download possible: Yes [5] | without Verification: Low [6] | with Verification: High [7]

OpenPGP Signature
  Whonix-Gateway:     /download/9-sig/Whonix-Gateway.ova.sig
  Whonix-Workstation: /download/9-sig/Whonix-Workstation.ova.sig
  Anonymous Download possible: Yes [5] | without Verification: - | with Verification: -

Signing Key
  Verify the images using the Signing Key
  Anonymous Download possible: Yes [5] | without Verification: - | with Verification: -

Torrent [8]
  Whonix-Gateway:     /download/9-torrent/Whonix-Gateway.ova.torrent
  Whonix-Workstation: /download/9-torrent/Whonix-Workstation.ova.torrent
  Anonymous Download possible: No | without Verification: Medium [9] | with Verification: High [7]

Magnet Link [10]
  Whonix-Gateway:     magnet:?xt=urn:btih:fba5ace7a163afae54aa1677cf92540a38d5914c&dn=Whonix-Gateway.ova&tr=http%3A%2F%2Fannounce.torrentsmd.com%3A6969%2Fannounce&as=http%3A%2F%2Fwebseed.whonix.org%3A8008%2FWhonix-Gateway-0.5.6.ova
  Whonix-Workstation: magnet:?xt=urn:btih:7255075def146b6f5d7b6e23121e1e5a5bedf13d&dn=Whonix-Workstation.ova&tr=http%3A%2F%2Fannounce.torrentsmd.com%3A6969%2Fannounce&as=http%3A%2F%2Fwebseed.whonix.org%3A8008%2FWhonix-Workstation-0.5.6.ova
  Anonymous Download possible: No | without Verification: Medium [9] | with Verification: High [7]

Build from source code
  See Build Anonymity
  with Verification: Excellent [11]

XChat[edit]

All XChat plugins have been deactivated (hardening) and moved to /usr/lib/xchat/plugins.disabled. If you really need a plugin, such as perl for SASL, you can use the example below.

sudo mv /usr/lib/xchat/plugins.disabled/perl.so /usr/lib/xchat/plugins/

Manually updating Tor Browser (Whonix 0.5.6)[edit]

(1) Go to https://www.torproject.org/ and/or http://idnxcnkne4qt76tg.onion/ and download the Tor Browser Bundle for Linux 32 bit. Store it in /home/user/.

(2) Read https://www.torproject.org/docs/verifying-signatures.html.en and/or http://idnxcnkne4qt76tg.onion/docs/verifying-signatures.html.en and learn about gpg verification.

(3) Go to https://www.torproject.org/docs/signing-keys.html.en and/or http://idnxcnkne4qt76tg.onion/docs/signing-keys.html.en to get the gpg keys.

(4) Verify the Tor Browser Bundle download.

(5) Go into /home/user/ with the file manager. (Dolphin)

(6) Extract the Tor Browser Bundle. Right click on the downloaded archive -> extract -> extract archive here.

(7) In case you downloaded another version than en-US, rename the tor-browser_lang folder to tor-browser_en-US. This is important, because the paths in the following script are hardcoded.

(8) Go into the /home/user/tor-browser_en-US folder.

(9) Delete start-tor-browser or move it to the /home/user/tor-browser_en-US/Docs folder.

(10) Create a new file within the /home/user/tor-browser_en-US/ folder called start-tor-browser with the following content.

#!/bin/bash
## Whonix Tor Browser start script

export TOR_SKIP_LAUNCH=1

cd ~
~/tor-browser_en-US/App/Firefox/firefox --profile ~/tor-browser_en-US/Data/profile

## End of Whonix Tor Browser start script

(11) Make the start-tor-browser script executable. Right click on start-tor-browser -> Properties -> Permissions -> enable the Is executable box -> ok.

(12) Go to /home/user/tor-browser_en-US/Data/profile/ and create a file user.js with the following content.

## Begin of patched user.js.

## If you edit this file while Firefox is running, your changes will be
## overwritten, when you close Firefox.

## How to create the user.js network settings:
## 1. Make a backup of prefs.js.
## 2. Start Tor Browser with the patched start script.
## 3. Apply proxy settings using the Tor Button settings dialog.
## 4. Make a diff of the old and the new prefs.js.
## 5. Copy the relevant changes to user.js.

## network settings
## (Are now set in /etc/environment - or not...)
## (See /etc/environment.)
user_pref("extensions.torbutton.use_privoxy", false);
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.socks_port", 9100);
user_pref("network.proxy.socks", "10.152.152.10");
user_pref("network.proxy.socks_port", 9100);
user_pref("extensions.torbutton.custom.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.custom.socks_port", 9100);

## End of Whonix user.js.

(13) If you want to make 100% sure you never have Tor over Tor, you must shut down Whonix-Gateway while doing the following.

(14) Delete /home/user/my_tor-browser_en-US/App/tor.

(15) If there is no green Vidalia icon in the task bar, everything is fine.

(16) Start Tor Browser and run

ps aux | grep tor

If you see something like.

109 /usr/sbin/tor

Or.

/home/user/my_tor-browser_en-US/App/tor

Something went wrong and you're running Tor over Tor, which is recommended against.

(17) If the tests results are as expected, everything went fine.

(18) Don't forget to restart Whonix-Gateway, if you shut it down in step (13).

(19) Done.

DummyTor[edit]

Introduction[edit]

Whonix-Workstation has an empty Tor package installed by default, called Dummy Tor package. It contains no files, besides some default files[12], which are required to create a dummy package. Debian packages are standard Unix ar archives, auditors can unpack and check them.

The reason for installing the Dummy Tor package inside Whonix-Workstation is to prevent installing the Tor package from the upstream (Debian or The Tor Project) repository, to prevent running Tor over Tor. This allows installation of packages, which depend on Tor, such as TorChat and parcimonie on Whonix-Workstation.

To prevent the package from upgrading

echo "tor hold" | sudo dpkg --set-selections

has been run while building Whonix from source code.

To check the status an auditor could run.

dpkg --get-selections | grep tor

To undo holding the package a user could run.

echo "tor install" | sudo dpkg --set-selections

Implementation[edit]

  • Everything is inside the whonix_workstation/usr/local/share/whonix/dummytor/ folder in Whonix source code
  • and subsequently in /usr/local/share/whonix/dummytor/ in Whonix-Workstation.
  • .deb package format
  • /usr/local/share/whonix/dummytor/tor is the control file
  • /usr/local/share/whonix/dummytor/tor_1.0_all.deb is the package which was installed using dpkg by whonix_workstation/usr/local/share/whonix_internal_install_script.
  • whonix_workstation/usr/local/share/whonix/dummytor/dummytor is the "build script" for the package, which is actually only a single "equivs-build ./tor" command.

How it would look...[edit]

...if a Tor version higher than 1.0 was released.

sudo apt-get dist-upgrade

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  tor

Tor Browser[edit]

Remove Proxy Settings - Whonix 0.5.6[edit]

It's best to get a fresh copy of Tor Browser, which has never been started before.

Whonix modifies user.js as documented in the Tor Browser chapter.

Open /home/user/tor-browser_en-US_my/Data/profile/user.js.

kwrite /home/user/tor-browser_en-US_my/Data/profile/user.js

Comment out all network settings.[13] [14]

## network settings
#user_pref("extensions.torbutton.use_privoxy", false);
#user_pref("extensions.torbutton.settings_method", "custom");
#user_pref("extensions.torbutton.socks_host", "10.152.152.10");
#user_pref("extensions.torbutton.socks_port", 9100);
#user_pref("network.proxy.socks", "10.152.152.10");
#user_pref("network.proxy.socks_port", 9100);
#user_pref("extensions.torbutton.custom.socks_host", "10.152.152.10");
#user_pref("extensions.torbutton.custom.socks_port", 9100);

You could use Tor Button's settings dialog to set it to any other proxy or transparent torification. The latter means "no proxy", which will result in Tor Browser using whatever the operating system provides and if you don't have a VPN installed inside Whonix-Workstation, it will go through Tor's TransPort.

If you are using the transparent torification option in Tor Button, you could point a socksifier to start-tor-browser and it should work as usual.

If you are having problems, it's most likely a problem with Tor Browser / Tor Button's proxy settings. In Tor Browser open the pseudo url "about:config" and search for "network.proxy" and check if these settings are sane.

Warning[edit]

There are various update mechanisms. Not all are equally secure. Whonix recommends against using Tor Browser's internal updater for security reasons. [15] Using Tor Browser Updater (Whonix) is recommended. To enable you to distinguish them, here are some screenshots of the various updaters.

Forum Help Thread

Warning2[edit]

Language[edit]

Method 4 - Command Line Parameter Method[edit]

Whonix-Workstation ONLY!

Currently broken. Will be fixed in Whonix 10.

Not a good method, because tb-starter would miss this setting.

Please TEST and leave feedback.

Available languages as in May 2014:

ar
de
en-US
es-ES
fa
fr
it
ko
nl
pl
pt-PT
ru
tr
vi
zh-CN

To check if further languages are supported visit https://www.torproject.org/dist/torbrowser/ or http://idnxcnkne4qt76tg.onion/dist/torbrowser/.

Syntax.

update-torbrowser --update --language <language code>

Example.

update-torbrowser --update --language vi

Replace "vi" with "zh-CN" for Chinese and so on.

Whonix 0.5.6 Disable Auto Login[edit]

OPTIONAL. Only in case you want to do that.

If you aren't using Physical Isolation, i.e. if you use the Default-Download-Version (Virtual Machines), it's probably better to use the desktop locking mechanism of your host operating system.

These features are inherited from Debian and its packages.

1. On Whonix-Gateway and Whonix-Workstation

Open /etc/inittab:

sudo nano /etc/inittab

Look for:

## If you do not want this,
## comment in the next line and comment out the second one.

Below you'll see:

#1:2345:respawn:/sbin/getty 38400 tty1
1:2345:respawn:/sbin/getty --autologin user 38400 tty1

Change it to:

1:2345:respawn:/sbin/getty 38400 tty1
#1:2345:respawn:/sbin/getty --autologin user 38400 tty1

2. On Whonix-Workstation

Start Menu -> System Settings -> Login Screen -> Convenience -> Disable "Enable Auto Login"

Tor Browser in Whonix 0.5.6[edit]

Introduction[edit]

The regular Tor Browser Bundle and Tor Browser in Whonix slightly differ. Tor Browser has been slightly modified by Whonix to work behind the Whonix-Gateway. The network and browser fingerprint however, is the same.

Tor Browser's internal update check mechanism is untouched and works fine. Default homepage is untouched and still https://check.torproject.org.

New Identity Button[edit]

Note that, if you are using the Tor Browser which comes with Whonix, the New Identity button of Tor Button is defunct (greyed out). This is because Tor Button can not access Tor's control port. Due to the Whonix Technical Design, Tor Browser and Tor are isolated from each other, which means there is no way to fix this without losing the security added by Whonix.

When using the regular Tor Browser Bundle (not Whonix!), the New Identity button unlinks your old identity, changes your circuit (exit relay IP) and creates a fresh identity.

As a workaround close Tor Browser, change your circuit with Arm and start Tor Browser again.

This isn't a big issue, since the New Identity button isn't perfect yet anyway, there are open bugs.[16]

(New Identity Button will be fixed in Whonix 6 and above.)

Whonix Proxy Settings / user.js[edit]

When running torbrowser -update, the update script creates a user.js file, for example ~/tor-browser_en-US/Data/profile/user.js. User.js is used to override some Tor Button defaults, namely the SocksProxy settings and other minor misc settings. [17] See also the Tor Browser sub chapter on the Stream Isolation page.

More than one Tor Browser in Whonix[edit]

For better isolation of different identities. For advanced users. Moved to the Advanced Security Guide.

Manually updating Tor Browser[edit]

(1) Go to https://www.torproject.org/ and/or http://idnxcnkne4qt76tg.onion/ and download the Tor Browser Bundle for Linux 32 bit. Store it in /home/user/.

(2) Read https://www.torproject.org/docs/verifying-signatures.html.en and/or http://idnxcnkne4qt76tg.onion/docs/verifying-signatures.html.en and learn about gpg verification.

(3) Go to https://www.torproject.org/docs/signing-keys.html.en and/or http://idnxcnkne4qt76tg.onion/docs/signing-keys.html.en to get the gpg keys.

(4) Verify the Tor Browser Bundle download.

(5) Go into /home/user/ with the file manager. (Dolphin)

(6) If you still have the old version of TBB opened (because you are probably reading this from the old TBB), close it. (copy the next steps to Kwrite if necessary)

(7) Rename your old TBB /home/user/tor-browser_en-US to something else.

(8) Extract the Tor Browser Bundle. Right click on the downloaded archive -> extract -> extract archive here.

(9) In case you downloaded another version than en-US, rename the tor-browser_lang folder to tor-browser_en-US. This is important, because the paths in the following script are hardcoded.

(10) Go into the /home/user/tor-browser_en-US folder.

(11) Delete start-tor-browser or move it to the /home/user/tor-browser_en-US/Docs folder.

(12) Create a new file within the /home/user/tor-browser_en-US/ folder called start-tor-browser with the following content.

#!/bin/bash
## Whonix Tor Browser start script

export TOR_SKIP_LAUNCH=1

cd ~
~/tor-browser_en-US/App/Firefox/firefox --profile ~/tor-browser_en-US/Data/profile

## End of Whonix Tor Browser start script

(13) Make the start-tor-browser script executable. Right click on start-tor-browser -> Properties -> Permissions -> enable the Is executable box -> ok.

(14) If you want to make 100% sure you never have Tor over Tor, you must shut down Whonix-Gateway while doing the following.

(15) Delete /home/user/my_tor-browser_en-US/App/tor.

(16) If there is no green Vidalia icon in the task bar, everything is fine.

(17) Start Tor Browser and run

ps aux | grep tor

If you see something like.

109 /usr/sbin/tor

Or.

/home/user/my_tor-browser_en-US/App/tor

Something went wrong and you're running Tor over Tor, which is recommended against.

(18) If the tests results are as expected, everything went fine.

(19) Don't forget to restart Whonix-Gateway, if you shut it down in step (14).

(20) Done.
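The `ps aux | grep tor` check in step (16) of the Whonix 0.5.6 section and step (17) above has a known weakness: `grep tor` also matches the grep command itself, editors, "torbrowser" and anything else containing those three letters, so a Tor-over-Tor situation is easy to misread. The following is an added example, not part of the original page: it matches only processes whose executable is literally named `tor`, run over a constructed process listing that contains both cases the steps describe plus the usual false matches.

```shell
#!/bin/sh
# Constructed `ps -eo pid,args` style listing (not a real capture). It shows the
# system Tor daemon, a bundled TBB tor, the browser itself, an editor whose
# argument contains "tor", and the grep command a naive check would match.
SAMPLE_PS='  109 /usr/sbin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc
 2201 /home/user/my_tor-browser_en-US/App/tor
 2310 /home/user/tor-browser_en-US/App/Firefox/firefox --profile /home/user/tor-browser_en-US/Data/profile
 2400 kate /home/user/tutorial.txt
 2555 grep tor'

# Read a "pid command args..." listing on stdin and print the PID and path of
# every process whose executable (last path component) is exactly "tor".
tor_processes() {
  awk '{ exe = $2; sub(/.*\//, "", exe); if (exe == "tor") print $1, $2 }'
}

# Exit 0 when no Tor daemon is running in this VM, 1 otherwise. Inside
# Whonix-Workstation any hit means Tor over Tor: either the bundled
# App/tor was not deleted, or a system tor package is installed.
no_local_tor() {
  [ -z "$(tor_processes)" ]
}

# Demo on the constructed listing; on a live system: ps -eo pid,args | tor_processes
if printf '%s\n' "$SAMPLE_PS" | no_local_tor; then
  echo "no local tor process: fine"
else
  echo "tor process(es) found, Tor over Tor likely:"
  printf '%s\n' "$SAMPLE_PS" | tor_processes
fi
```

Using `ps -eo pid,args` instead of `ps aux` keeps the command in a fixed column, which is what lets awk test the executable name exactly rather than substring-matching the whole line.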

More than one Tor Browser in Whonix[edit]

WARNING: "More than one Tor Browser in Whonix" instructions have not been updated for TBB 3.x yet!

As the Warning page stated, Whonix doesn't magically separate your different contextual identities and since Tor Browser and Tor Button do not yet solve this, for further separation of identities you could use Multiple Whonix-Workstations, which would be more secure.

Alternatively, less secure than Multiple Whonix-Workstations, you could start multiple instances of Tor Browser and run them through different SocksPorts. The instructions in the Manually Downloading Tor Browser article need minimal changes.

Instead of

#!/bin/bash
## Whonix Tor Browser start script

~/tor-browser_en-US/App/Firefox/firefox --profile ~/tor-browser_en-US/Data/profile

## End of Whonix Tor Browser start script

Use

#!/bin/bash
## Whonix Tor Browser start script

## Adjust the path!
~/tor-browser_2/App/Firefox/firefox --profile ~/tor-browser_2/Data/profile -no-remote

## End of Whonix Tor Browser start script

Only -no-remote was added to the start script. Otherwise Tor Browser would connect to the already running Tor Browser and this isn't what you want. And don't forget to adjust the path to the other Tor Browser.

You also have to use a different SocksPort, see Change/Remove Proxy Settings. (See Stream Isolation page for explanation why you should use different SocksPorts.)

Trusting the key[edit]

Download the key from multiple sources[edit]

A simple technique to increase the trust you can put in the Whonix signing key would be to download it several times, from several locations, several computers, possibly several countries, etc.

You could also use this technique to compare keys downloaded by your friends or other people you trust.

Downloading the key from the same server only lowers the possibility of a man-in-the-middle attack for a part of the route. The following figure illustrates that best:

user <-> user ISP <-> internet <-> sourceforge.net ISP <-> sourceforge.net server
|<------ MITM less likely for this route ------>|<------ no help for this route ------>|

For these reasons adrelanos' homepage, which describes and contains adrelanos' OpenPGP key, is mirrored at six different places. Download adrelanos' key from all those places and store it as adrelanos1.asc, adrelanos2.asc, adrelanos3.asc, etc.

1. adrelanos' homepage on github; (key download)

Github.com is accessible over SSL. [18]

2. adrelanos' key page on sourceforge; (key download)

SSL available for users logged into sourceforge.net. [18]

3. adrelanos' homepage on gitorious; (key download)

Gitorious.org is accessible over SSL. [18]

4. adrelanos' homepage on torproject.org wiki

SSL available. [18] Anyone can edit the torproject.org wiki and exchange content with malicious one. Therefore check the history feature. Obviously, I do trust Tor and torproject.org. My wiki account "proper" should be genuine, therefore changes by "proper" should be legit.

5. adrelanos OpenPGP key mirror on savannah.gnu.org profile page

SSL available. [18] The following command is recommended to enforce downloading the key over SSL:

## Not forced through Tor, unless you are using Whonix, torsocks or similar.
curl --tlsv1.2 --proto =https --output adrelanos.asc.4 https://savannah.gnu.org/people/viewgpg.php?user_id=89289

6. adrelanos' OpenPGP key mirror on OpenPGP keyserver

No SSL. Should really be only used as a mirror.

## Not forced through Tor, unless you are using Whonix, torsocks or similar.
gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-key 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

7. adrelanos' OpenPGP key in Whonix 6 and above

gpg --import /usr/share/whonix/keys/whonix-keys.d/adrelanos.asc

Verify:

gpg --recv-key 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

Should show.

pub   4096R/2EEACCDA 2014-01-16 [expires: 2015-01-16]
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
uid                 [ unknown] Patrick Schleizer <adrelanos@riseup.net>
sub   4096R/0x3B1E6942CE998547 2014-01-16 [expires: 2015-01-16]
sub   4096R/0x10FDAC53119B3FD6 2014-01-16 [expires: 2015-01-16]
sub   4096R/0xCB8D50BB77BB3C48 2014-01-16 [expires: 2015-01-16]

Each time you re-import the key from a different source:

gpg --import adrelanos.asc 
gpg --import adrelanos1.asc 
gpg --import adrelanos2.asc 
...

It should always show:

gpg: key 2EEACCDA: "Patrick Schleizer <adrelanos@riseup.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

And:

gpg --fingerprint

Should always show the same fingerprint and only contain: (Besides keys you imported knowingly earlier, perhaps your friends' keys.)

pub   4096R/0x8D66066A2EEACCDA 2014-01-16 [expires: 2015-01-16]
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
uid                 [ unknown] Patrick Schleizer <adrelanos@riseup.net>
sub   4096R/0x3B1E6942CE998547 2014-01-16 [expires: 2015-01-16]
sub   4096R/0x10FDAC53119B3FD6 2014-01-16 [expires: 2015-01-16]
sub   4096R/0xCB8D50BB77BB3C48 2014-01-16 [expires: 2015-01-16]

Unless the new key is signed with the old key, something fishy is going on.

Whonix 7 Download Table (Deprecated)[edit]

Version: 9

Note: You need to download both the Gateway and the Workstation virtual machine image.

For each download source below: the Whonix-Gateway image (1.2 GiB), the Whonix-Workstation image (1.3 GiB), whether an anonymous download is possible [5], the download security without verification, and the download security with OpenPGP verification.

HTTP mirror (mirror.whonix.org)
  Whonix-Gateway: http://mirror.whonix.org/Whonix-9/Whonix-Gateway-9.ova
  Whonix-Workstation: http://mirror.whonix.org/Whonix-9/Whonix-Workstation-9.ova
  Anonymous download possible: Yes [5]
  Download security without verification: Very Low [19]
  Download security with verification: High [7]

HTTP mirror (sourceforge.net)
  Whonix-Gateway: http://sourceforge.net/projects/whonix/files/current/9/Whonix-Gateway-9.ova/download
  Whonix-Workstation: http://sourceforge.net/projects/whonix/files/current/9/Whonix-Workstation-9.ova/download
  Anonymous download possible: Yes [5]
  Download security without verification: Very Low [20]
  Download security with verification: High [7]

SSL mirror (jhcloos.com)
  Whonix-Gateway: https://jhcloos.com/whonix/7/Whonix-Gateway-7.ova
  Whonix-Workstation: https://jhcloos.com/whonix/7/Whonix-Workstation-7.ova
  Anonymous download possible: Yes [5]
  Download security without verification: Low [21]
  Download security with verification: High [7]

OpenPGP signatures
  Whonix-Gateway: /download/current/9-sig/Whonix-Gateway-9.ova.asc
  Whonix-Workstation: /download/current/9-sig/Whonix-Workstation-9.ova.asc
  Anonymous download possible: Yes [5]

Signing key
  Verify the images using the Signing Key.
  Anonymous download possible: Yes [5]

Torrent [22]
  Whonix-Gateway: /download/9-torrent/Whonix-Gateway-9.ova.torrent
  Whonix-Workstation: /download/9-torrent/Whonix-Workstation-9.ova.torrent
  Anonymous download possible: No
  Download security without verification: Medium [9]
  Download security with verification: High [7]

Magnet link [23]
  Whonix-Gateway: magnet:?xt=urn:btih:405e051b5309fb66fd7ba9a04066936de64ce478&dn=Whonix-Gateway-7.ova&tr=http%3A%2F%2Fannounce.torrentsmd.com%3A6969%2Fannounce&as=http%3A%2F%2Fwebseed.whonix.org%3A8008%2FWhonix-Gateway-7.ova
  Whonix-Workstation: magnet:?xt=urn:btih:13ec8c33dd9b58fe4e5120002dad7b4c683c2b78&dn=Whonix-Workstation-7.ova&tr=http%3A%2F%2Fannounce.torrentsmd.com%3A6969%2Fannounce&as=http%3A%2F%2Fwebseed.whonix.org%3A8008%2FWhonix-Workstation-7.ova
  Anonymous download possible: No
  Download security without verification: Medium [9]
  Download security with verification: High [7]

Build from source code
  See Build.
  Anonymity: Very High [24]
  Download security: Best [24] [25]

Whonix 7 OLD Known Issues[edit]

Connection Issues - Tor stops working after an Upgrade and needs a Workaround[edit]

When upgrading to Tor 0.2.4.19-1~d79.jessie+1 (using sudo apt-get dist-upgrade), your Tor connection may go down. There is a temporary workaround.

Open /etc/default/tor.

## If you are using a graphical Whonix-Gateway, use:
kdesudo kate /etc/default/tor

## Or alternatively, if you are using a terminal-only Whonix-Gateway, use:
sudo nano /etc/default/tor

Scroll down; near the bottom, uncomment the following line (by removing the # in front of it):

USE_AA_EXEC="no"

Then try:

sudo service tor restart

Keep in mind that this setting starts Tor without its AppArmor confinement, so undo the change when Whonix or Tor fixes that bug. We'll keep you posted. (See Download#Stay_tuned and Security_Guide#Recommendation_to_install_latest_security_updates_on_all_systems.)

Forum help thread: Special:AWCforum/st/id287/new_tor_and_debian_updates_today....html

Virtual Box Shared Folder Issues[edit]

Shared Folders aren't working with the latest Linux kernel. (This is a Debian/VirtualBox issue, not caused by Whonix; it has already been reported upstream by a Debian user.)

Possible workarounds, more information, etc. can be found in the Whonix User Help Forum discussion thread: Special:AWCforum/st/id261/VirtualBox_shared_directories_on....html

Tor Browser Starter (Whonix)[edit]

After manually upgrading Tor Browser (see above), start it by going to your /home/user/tor-browser_en-US folder and double-clicking start-tor-browser, or type in a terminal (Konsole):

/home/user/tor-browser_en-US/start-tor-browser

Tor Browser Updater (Whonix)[edit]

Currently broken due to changes by torproject.org. You have to update Tor Browser manually in the meantime.

Forum help thread: Special:AWCforum/st/id262/updating_TOR_browser_error...html

Enigmail Encryption[edit]

When using OpenPGP encryption in Icedove / Enigmail you might get "encryption command failed".

Icedove has been updated in Debian Testing in the meantime. Upgrade it.

sudo apt-get update
sudo apt-get dist-upgrade

You should then install enigmail as usual:

sudo apt-get install enigmail

Defunct Desktop Shortcuts[edit]

The desktop shortcuts Tor Browser, Contribute, Forum, Documentation, Donate won't work until there is an upgrade of Whonix. Please manually visit these pages. How to start Tor Browser has already been explained above.

Whonix-Gateway: Err: http://deb.torproject.org tor-0.2.4.x-jessie/main i386 Packages 404 Not Found[edit]

Short answer:
Update and upgrade your underlying Debian system (Whonix is a derivative of Debian).

sudo apt-get update
sudo apt-get dist-upgrade

See also Security_Guide#Recommendation_to_install_latest_security_updates_on_all_systems. This bug will be fixed with next Whonix upgrade (will take some time). No other action strictly required for now.

Long answer:
This is because torproject.org deprecated that repository, which was to be expected. The repository now in use is already preconfigured in /etc/apt/sources.list.d/torproject.list.

Taking action isn't important at this stage. If you want, comment the stale entry out (by putting a # in front of it) in /etc/apt/sources.list.d/torproject.list, using kdesudo kate /etc/apt/sources.list.d/torproject.list on a graphical Whonix-Gateway or sudo nano /etc/apt/sources.list.d/torproject.list on a terminal-only Whonix-Gateway. If you don't, it will be fixed automatically with the next upgrade of Whonix.


apt-get Hash Sum mismatch[edit]

If you get a hash sum mismatch when updating with sudo apt-get update, deleting the package lists should solve it. A hash sum mismatch can look like:

W: Failed to fetch http://ftp.us.debian.org/debian/dists/testing/contrib/i18n/Translation-enIndex  Hash Sum mismatch

To delete the package lists, run:

sudo rm -fR /var/lib/apt/lists/*

To make sure everything works as it should, update your package lists and upgrade your system. Chances are that your previous update/upgrade attempts failed due to the mismatch. (The second command needs root as well.)

sudo apt-get update && sudo apt-get dist-upgrade

(Source [26])

There is no public key available for the following key IDs[edit]

The message "There is no public key available for the following key IDs" is not necessarily an error. It might be just a warning/information.

sudo apt-get update
...
Reading package lists... Done
...
W: There is no public key available for the following key IDs:
9C131AD3713AAEEF

Check the exit code of apt-get.

echo $?
0

When it's 0, there is no problem. The warning is due to a key transition: Whonix's repository is currently signed with both the old and the new signing key.

Reasons for Staying an Anonymous Developer[edit]

Security and trust shouldn't depend on showing a face:

KVM[edit]

Convert[edit]

Converting is only required if you want to use the stable version of Whonix. No longer required for testers-only versions, see:
https://www.whonix.org/blog/category/testers-wanted/

1. Extract the downloaded Whonix OVA images to obtain the VMDK virtual disk files.

tar -xvf ~/Whonix.ova

At the time of writing the extracted VMDK files could not be used by KVM directly, so this guide converts them to VDI with VBoxManage first and then to qcow2 with qemu-img.

VBoxManage clonehd --format VDI vmdk_file vdi_file

(Adjust the names vmdk_file and vdi_file.)

2. Use qemu-img to convert the VDI to qcow2. Why qcow2? Because it supports snapshotting, which is very useful for reverting Whonix-Workstation to a known clean state. Do not revert snapshots of the Whonix-Gateway VM: that resets Tor's state and changes your guard nodes, which is bad for anonymity, since every fresh set of guards is another chance of ending up with a rogue guard and exit.

qemu-img convert -p -O qcow2 ~/whonix.vdi ~/whonix.qcow2

System Requirements[edit]

      • Lucid has been reported not to work. Since it is only supported until 2013-04, this won't be fixed.

Mirror[edit]

SSL mirror (jhcloos.com)
  Whonix-Gateway: https://jhcloos.com/whonix/Whonix-{{VersionNew}}/Whonix-Gateway-{{VersionNew}}.ova
  Whonix-Workstation: https://jhcloos.com/whonix/Whonix-{{VersionNew}}/Whonix-Workstation-{{VersionNew}}.ova
  Anonymous download possible: Yes [5]
  Download security without verification: Low (man-in-the-middle attacks could poison the download; see Warning#Man-in-the-middle_attacks)
  Download security with verification: High [7] (it does not matter if the bulk download went over an insecure channel, if OpenPGP verification is done at the end)

Magnet Link[edit]

Magnet link clients known to work: gtk-gnutella. Check the clients table at https://en.wikipedia.org/wiki/Magnet_URI_scheme#Clients_table. If nobody is seeding at the time, only clients supporting the "as" (acceptable source, https://en.wikipedia.org/wiki/Magnet_URI_scheme#Normal_.28as.29) feature can be used, because we are providing a webseed (https://en.wikipedia.org/wiki/BitTorrent#Web_seeding).

Magnet link
  Whonix-Gateway: magnet:?xt=urn:btih:b8969f87015c994f2c4dd93b3ed7c62861c27477&dn=Whonix-Gateway-8.ova&tr=http%3A%2F%2Fannounce.torrentsmd.com%3A6969%2Fannounce&as=http%3A%2F%2Fwebseed.whonix.org%3A8008%2FWhonix-Gateway-8.ova
  Whonix-Workstation: magnet:?xt=urn:btih:7a6a5294ebebef5e5edcb05aa2caf66ebaeaf300&dn=Whonix-Workstation-8.ova&tr=http%3A%2F%2Fannounce.torrentsmd.com%3A6969%2Fannounce&as=http%3A%2F%2Fwebseed.whonix.org%3A8008%2FWhonix-Workstation-8.ova
  Anonymous download possible: No
  Download security without verification: Medium [9]
  Download security with verification: High [7]

Download / Snapshot[edit]

  • Take a snapshot for both Whonix-Gateway and Whonix-Workstation on VirtualBox. So you can easily restore the original snapshot whenever you need a clean state.

Mediawiki Install[edit]

Get and install the MediaWiki web app. Note that this fetches the tarball over plain HTTP with no integrity check; verify the release signature or checksum published for that tarball before extracting it.

sudo su
cd /var/www
wget http://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.3.tar.gz
tar -xvzf mediawiki-1.22.3.tar.gz
mv mediawiki-1.22.3 wiki

Start Iceweasel.

Set up MediaWiki: go to http://127.0.0.1/wiki/mw-config/index.php.

Use the following settings, and the defaults for everything else.

Database name: wiki
Database password: the one you noted above
No more questions.
Name of wiki: Whonix

Download LocalSettings.php and save it as /home/user/LocalSettings.php.

Tor Browser Recommended[edit]

When you start Tor Browser Recommended (there is a shortcut on the desktop, see the Tor Browser Recommended icon), it opens both Whonix News blogs in a privacy-friendly way.

I2P[edit]

Clock Skew Issues

Whonix 9:
Should have no issues.

In Whonix 8:
With I2P 0.9.11 this doesn't work: I2P complains about clock skew even after disabling both sdwdate and bootclockrandomization.

sudo service sdwdate stop
sudo chmod -x /etc/init.d/sdwdate

It is still possible to fix the clock manually. For example, if I2P reports a clock skew of 60 seconds, shift the system time by that amount (here: back by 60 seconds; use + instead of - if your clock is behind):

sudo date -s now-60sec

then restart I2P.

However, time sync management in Whonix is a complex issue, so before changing the default way of time management in Whonix, make sure to read Dev/TimeSync and understand the implications.

old known issues[edit]

gpg keyserver unreachable[edit]

Open gpg.conf.

kwrite ~/.gnupg/gpg.conf

Search for all instances of "keyserver". And comment them out, i.e.

#keyserver ...

Add a functional keyserver at the bottom. In Whonix 9 the following one will be used as the default.

keyserver hkp://qdigse2yzvuglcix.onion

libtorsocks Warning[edit]

While running apt-get dist-upgrade, you may see a warning similar to the following one.

15:36:37 libtorsocks(12225): sendmsg: Connection is a UDP or ICMP stream, may be a DNS request or other form of leak: rejecting.
Cannot talk to rtnetlink: No such file or directory
acpid: error talking to the kernel via netlink

Sounds scary, but is of no concern. See footnote for technical explanation. [27]

No Network after Upgrade to Whonix 12[edit]

If whonixcheck fails with "tor.pid does not exist" after the upgrade from Whonix 11 to Whonix 12, do the following on both Whonix-Gateway and Whonix-Workstation.

Make sure /etc/network/interfaces looks like this.

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

(The comments starting with # are actually not important. You can skip them if you wish.)

Open /etc/network/interfaces in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/network/interfaces

If you are using a terminal-only Whonix, run:

sudo nano /etc/network/interfaces

Then make sure /etc/network/interfaces.d/30_non-qubes-whonix looks like this:

Forum discussion:
whonixcheck fail: tor.pid does not exist after upgrade from Whonix 11 to Whonix 12

Upgrade from Testers repository[edit]

Whonix's testers-only repository contains a fix. If you would like to volunteer as a tester, see Whonix-APT-Repository for how to enable it, so that this change can move into Whonix's stable repository soon. After enabling it, upgrade.

VirtualBox spoof the initial virtual hardware clock offset[edit]

Moved back to Advanced_Security_Guide#Spoof_the_Initial_Virtual_Hardware_Clock_Offset.

Physical Isolation[edit]

Install Basic Packages[edit]

This step is only required up to and including Whonix 8. Versions higher than Whonix 8 do not require this manual step anymore.

Make sure you have all packages installed which are listed in the file grml_packages. You can do that using the following command.

sudo apt-get install $(grep -vE "^\s*#" grml_packages | tr "\n" " ")

Why was Whonix 7 based on Debian Testing, not Debian Stable?[edit]

  • Contains python-stem, which is a Tor controller library. It is in use to ask for Tor's bootstrap status. This is required for whonixcheck (diagnosing connection issues) and TimeSync (TimeSync starts as soon as Tor is bootstrapped). See this ticket for more details. The alternative, uploading python-stem to Whonix's APT Repository isn't doable given Whonix's contributor size. (It would require keeping up with the original package and updating when they update. And implementing the feature, allowing builders to build Whonix from source code without touching Whonix's APT repository for Trust reasons would also have been more difficult.)
  • Being based on stable and incorporating a few packages from testing is difficult, see this ticket for details.
  • Contains build dependency config-package-dev with debhelper support. (We could probably build on stable and just get the config-package-dev with debhelper support elsewhere, but it's simpler just to require Debian testing as the build operating system.)
  • Stable (Wheezy) contains only obfs2 (obfsproxy 0.1.4), while Testing (Jessie) contains obfs3 (obfsproxy 0.2.3), and obfsproxy has been recently removed from torproject's apt repository.

Whonix 9 OLD Issues[edit]

KEYEXPIRED Error[edit]

You might see this error when attempting to update existing Whonix versions (build version 9.4 and below.)

W: GPG error: http://sourceforge.net wheezy Release: The following signatures were invalid: KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659

To fix this issue, open a terminal and run the following. The output of gpg --fingerprint must show exactly the fingerprint in $fpr before the key is handed to apt.

## Whonix signing key fingerprint (the same one printed in the key listings above).
fpr="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"
## Fetch the key by its full fingerprint, display it, and only then add it to apt's keyring.
gpg --recv-keys "$fpr"
gpg --fingerprint "$fpr"
gpg --export "$fpr" | sudo apt-key add -

Then update your system as usual.

After that you will be able to update Tor Browser as well.

It will be fixed out of the box in Whonix 9.6 and above.

Forum support thread:
https://forums.whonix.org/t/issue-t100-error-signatures-were-invalid-keyexpired-1421449064/810
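The check that both the multi-mirror import procedure above (the key must be "not changed" and show one single fingerprint whichever source it came from) and this KEYEXPIRED fix rely on can be scripted. The following is an added example, not code from the Whonix wiki or the Whonix project: it imports a downloaded key file into a throwaway GnuPG home directory, parses the machine-readable --with-colons listing, and only passes the file to apt-key add if exactly one primary key with the expected fingerprint is present. The function names and the temporary-keyring approach are this example's own; the fingerprint is the one printed on this page.

```shell
#!/bin/sh
# Added example, not code from the Whonix wiki or the Whonix project:
# accept a copy of the signing key only if it carries the expected fingerprint.
# Function names and the temporary-keyring approach are this example's own.

# Fingerprint printed on this page for the key 0x8D66066A2EEACCDA.
EXPECTED_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# Read "gpg --with-colons --fingerprint" output on stdin and print the
# fingerprint of every primary key.  In that format a "pub" record is
# followed by an "fpr" record holding the fingerprint in field 10; the
# "fpr" records that follow "sub" records belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub"                { want = 1; next }
        $1 == "fpr" && want        { print $10; want = 0; next }
        $1 == "uid" || $1 == "sub" { want = 0 }
    '
}

# Succeed only if the listing on stdin contains exactly one primary key and
# its fingerprint equals $1 (compared case-insensitively).
listing_matches() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    fprs=$(primary_fprs | tr 'a-f' 'A-F')
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] &&
        [ "$fprs" = "$expected" ]
}

# Import a key file (e.g. adrelanos.asc fetched from any of the mirrors above)
# into a throwaway GNUPGHOME, so the user's keyring stays untouched until the
# fingerprint has been checked.  Returns 0 only on an exact match.
check_key_file() {
    keyfile="$1"
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$keyfile" 2>/dev/null &&
        gpg --homedir "$tmp" --batch --with-colons --fingerprint 2>/dev/null |
        listing_matches "$EXPECTED_FPR"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# The KEYEXPIRED fix above, with the check in front of apt-key:
# the key reaches apt only after its fingerprint matched.
add_to_apt_if_verified() {
    if check_key_file "$1"; then
        sudo apt-key add "$1"
    else
        echo "refusing to add $1: fingerprint does not match $EXPECTED_FPR" >&2
        return 1
    fi
}
```

Usage: add_to_apt_if_verified adrelanos.asc. Because the comparison is done on the parsed primary-key fingerprint rather than on gpg's human-readable output, a keyserver or mirror that hands back a different key, or a file that bundles a second key, is rejected before anything touches apt's trusted keyring.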

Tor Browser Startup Issues[edit]

This has been fixed out of the box in Whonix 9.3 and above.

After the upgrade to Tor Browser 4.x, it can be no longer started.

Whonix's stable repository contains a fix. Upgrade. After upgrading, reboot is required. [28]

Forum discussion:
https://forums.whonix.org/t/after-updating-to-tor-browser-4-0-browser-doesnt-start/599

Connection Issues - Tor stops working after an Upgrade and needs a Workaround[edit]

This is fixed in Whonix 9.2 and above.

When upgrading to Tor 0.2.5.8-rc-1~d70.wheezy+1 (using sudo apt-get dist-upgrade) in Whonix 9, your Tor connection may go down. There is a workaround.

Open /etc/apparmor.d/local/system_tor.

## If you are using a graphical Whonix-Gateway, use:
kdesudo kate /etc/apparmor.d/local/system_tor

## Or alternatively, if you are using a terminal-only Whonix-Gateway, use:
sudo nano /etc/apparmor.d/local/system_tor

Scroll down until you see:

/usr/bin/obfsproxy rix,

Comment it out (by adding a # in front of it):

#/usr/bin/obfsproxy rix,

Then reboot.

sudo reboot

You should keep that in mind. When Whonix fixes that bug, you'll get an interactive dpkg conflict resolution dialog. This is explained in Security Guide#Updates. Just choose to install the new /etc/apparmor.d/local/system_tor file then.

Forum discussion:
https://forums.whonix.org/t/after-last-apt-get-upgrade-gateway-doesnt-connect-to-tor-anymore/532

AppArmor Warning during Boot[edit]

If you wonder about the following warning during boot:

Warning /etc/apparmor.d/... network rules not enforced.

Apparmor warning.png

This is not a security issue. Whonix installs AppArmor and the apparmor-profiles package by default, but does not enforce AppArmor by default. We are not there yet, and Debian does not enforce AppArmor by default yet either. The apparmor-profiles package is installed by default for better usability, to make enforcing AppArmor easier. This warning only reflects that the profile is not enforced by default.

Forum discussion dovecot:
https://forums.whonix.org/t/apparmor-errors-functional-/628

Debian bug report:
please provide an option to hide or deactivate all the noisy, scary warnings during boot

VirtualBox Guest Additions[edit]

New Instructions for Debian Wheezy[edit]

Installation from Debian apt repository[edit]

Inside your VirtualBox virtual machine.

Very simple.

Searching [29] for Debian packages containing VirtualBox was worthwhile: in the past it was sometimes a real pain to install the guest additions, and the search revealed that honorable people created a Debian package with the tools.

1. Update your operating system.

2. Install. Easy:

sudo apt-get install virtualbox-guest-x11

Advanced security? See footnote or skip: [30]

3. Reboot.

4. NOTE: Sometimes after reboot the Workstation guest fails to pick up a new resolution. Try to change the screen resolution manually a few times, from KDE settings. Once it succeeds to change to fullscreen, the change will stay persistent across reboots.

Installing using VirtualBox Instructions[edit]

Alternatively, if the above #Installation from Debian apt repository fails (which it should not), you could also refer to the upstream documentation, VirtualBox: Chapter 4. Guest Additions.

Instructions for Debian Jessie[edit]

Whonix 10 is based on Debian Wheezy. So unless you are using a Whonix-Custom-Workstation based on Debian Jessie, you most likely want to use above instructions. Otherwise press expand on the right side.

Not sure if the jessie instructions are still up to date. Maybe the ones for wheezy also work for jessie just fine.

Inside your VirtualBox virtual machine.

This version is difficult to get working with guest additions and VirtualBox shares. Debian Jessie has the issue that Whonix installs with kernel 3.10 while the distro is at 3.12, and the 3.10 headers are not available. Fetching the kernel headers from a different repository is therefore dangerous (and unsafe). Additionally, there are reports that updating the kernel can cause issues (and is also unsafe).

Note: It has been reported that reverting VirtualBox two versions back with kernel 3.10 can also solve issues. Update this wiki with your results.

Build Warnings[edit]

  • Short: Don't install apt-listchanges as a custom package during VM image builds, and don't have it installed during --target root builds.

Long: It will likely turn the build process from a non-interactive one into an interactive one. You're better off purging apt-listchanges.

sudo apt-get purge apt-listchanges

Alternatively, you could use a non-interactive frontend for apt-listchanges such as text. To do so, edit /etc/apt/listchanges.conf (sudo nano /etc/apt/listchanges.conf) and set:

[apt]
frontend=text

After Whonix has been built, you're free to reinstall apt-listchanges.


Tor Browser[edit]

Change/Remove Proxy Settings[edit]

This is an advanced topic. You most likely only need it for advanced tunneling scenarios.

You could either:

  • Use Tor Button -> Preferences to set it to any other proxy or to no proxy. Transparent Torification means "no proxy", in other words "use whatever the system provides".

1) Click on Tor Button. Tor Button.png
2) Click on Preferences.
Tor Button Settings Menu.png
3) Choose Transparent Torification.
Tor Button Settings.png
4) Click OK.

  • For an alternative method, setting Transparent Torification which does not involve Tor Button's graphical user interface, see footnote [31].
  • Forget about Tor Button's -> Open Network Settings. See footnote, if you want to know why.[32]

Grub Fix[edit]

Introduction[edit]

The following instructions differ for 686-pae and 486 kernel users.

Are you a 686-pae kernel user or a 486 kernel user?

686-pae Kernel Users[edit]

Remove the 486 and 586 kernel meta packages. apt-get treats these patterns as regular expressions; quote them so the shell does not expand them against file names in the current directory, and check the list of packages apt-get proposes to remove before confirming, so that the kernel you intend to keep is not among them.

sudo apt-get remove 'linux-image-*-486' 'linux-image-*-586'

Remove the 486 and 586 kernel packages.

sudo apt-get remove 'linux-image-3.*-486' 'linux-image-3.*-586'

Make sure a kernel is installed.

sudo apt-get install linux-image-686-pae

Proceed with #Install Grub chapter!

486 Kernel Users[edit]

Remove the 686-pae kernel meta package.

sudo apt-get remove linux-image-686-pae

Remove the 686-pae kernel packages. (apt-get treats the pattern as a regular expression; quote it so the shell does not expand it, and check the proposed removals before confirming.)

sudo apt-get remove 'linux-image-3.*-686-pae'

Make sure a kernel is installed.

sudo apt-get install linux-image-486

Proceed with #Install Grub chapter!

Stream Isolation[edit]

Limited workarounds for Tor Browser[edit]

Possible[edit]

1. Weakest: On Tor Browser, click on the Torbutton and then click on "New Identity". However your current browser session will be lost.

2. Better: Install a second browser and configure it to use its own SocksPort, see More than one Tor Browser in Whonix.

3. Even better: Use multiple Whonix-Workstations.

IsolateDestAddr and IsolateDestPort for Tor Browser (Recommended against!)[edit]

(Recommended against!) If you are interested anyway, see footnote [33].

Qubes[edit]

Torified dom0 Updates[edit]

Now in Qubes wiki.

Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting. Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix.

Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix

[34] [35]

Qubes-Whonix Gnome Workstation[edit]

Alternatively, to install a Workstation with the complete set of Gnome applications that the Qubes Fedora templates ship (for Gnome, read the security notes on Other Desktop Environments first):

  • Input command:
    sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-ws-gnome

2. Increase Update Size

The Gnome version of the Whonix-Workstation TemplateVM may be too large for the default download limit, so you need to raise the allowed update size to accommodate installing it. Run this in the same Dom0 terminal before the qubes-dom0-update command above; the variable only affects commands run in that shell afterwards.

In Dom0 -> Terminal:

  • Input command:
    export UPDATES_MAX_BYTES=$(( 4 * 1024 ** 3 ))

AppArmor[edit]

At the moment, if you want to use this, you must apply these settings to the TemplateVMs as well as the TemplateBasedVMs. Once Qubes Q3 gets released, TemplateBasedVMs will inherit the kernelopts setting of their TemplateVM.

Edit Firewall Rules[edit]

2. Edit Whonix-Workstation Firewall Rules

In Dom0 » Qubes VM Manager:

  • Select Whonix-Workstation AppVM:
    • Edit VM firewall rules:
      • Select: Deny network access except...
      • Disable: Allow ICMP traffic
      • Disable: Allow DNS queries
      • Disable: Allow connections to Updates Proxy
      • Press: OK

Misc[edit]

This guide will create a new instance of a Whonix-Gateway ProxyVM, which routes all internet traffic through Tor, that you can then connect your Whonix-Workstation AppVMs to.

You can repeat this guide multiple times and create as many Whonix-Gateway ProxyVM instances as you need, for greater Tor isolation. Note that using multiple Whonix-Gateway ProxyVMs simultaneously will reveal a pattern of connecting to multiple sets of Tor guard nodes, which may or may not be a unique usage indicator.

This guide will create a new instance of a Whonix-Workstation AppVM, which serves as an AnonVM application environment, that you connect to Tor through a Whonix-Gateway ProxyVM of yours.

You can repeat this guide multiple times and create as many Whonix-Workstation AppVM instances as you need, for greater Tor and data isolation. You can connect multiple Whonix-Workstation AppVMs to the same or different instances of Whonix-Gateway ProxyVMs.

If connecting this AppVM to the internet, you will need an existing Whonix-Gateway ProxyVM instance to connect to. You may need to create a Whonix-Gateway ProxyVM before proceeding.

If you wish to keep your version of Whonix up-to-date you should also enable the Whonix Repository. You should apply this process to all of your Whonix TemplateVMs. In other words, make sure you follow these directions for both your Whonix-Gateway (commonly called whonix-gw) and Whonix-Workstation (commonly called whonix-ws).

When running the Whonix, Whonixcheck will automatically tell you if Debian package updates are available (Debian is the version of Linux that Whonix is built upon).

3. Enable Whonix repository

When first running a Whonix TemplateVM, a window called "Whonix Setup Wizard" should automatically pop up.

In Whonix Setup Wizard:

* Select "Yes. Automatically install updates from the Whonix team"
* Click <Next>
* Choose which Whonix Repository (recommended: Whonix Stable Repository)
* Click <Next> 
* Click <Finish>

To Manually Restart Whonix Repository Tool

You may also manually start the Whonix Repository Tool to change your settings in the future by doing the following from your respective Whonix TemplateVMs (i.e. Whonix-Workstation, Whonix-Gateway, etc.)

In a terminal:

sudo whonix_repository

Or by running:

Start Menu -> Applications -> System -> Whonix Repository.

You may need to first create a Whonix-Gateway ProxyVM to use, if one does not exist yet.

Note: If you are installing Whonix on top of Qubes OS, you do not need to worry about disabling ICMP timestamps at this stage. You will do that after you install the Whonix-Gateway and Whonix-Workstation TemplateVMs, when you create your Whonix VMs (done through the Qubes VM Manager). For more information on this, refer to the links provided under the Next Steps section (points a and b) in the Install Guide for installing Whonix onto Qubes.

Whonix 10 TemplateVM Update[edit]


With the advent of Whonix 11, the update guide for Whonix 10 is now deprecated. If you are still using Whonix 10, you are advised to install Whonix 11. If you are still interested in updating Whonix 10, click on Expand on the right.

This guide explains how to update your Whonix TemplateVMs using the update repositories.

You should regularly apply this update process to all of your Whonix-Gateway and Whonix-Workstation TemplateVMs.


1. Attach Whonix TemplateVM to a Whonix-Gateway ProxyVM (commonly called sys-whonix)

You may need to first create a Whonix-Gateway ProxyVM to use, if one does not exist yet.

In Dom0 » Qubes VM Manager:

  • Select Whonix TemplateVM » VM Settings » Basic tab » NetVM:
    • Choose an existing Whonix-Gateway ProxyVM from the NetVM list for downloading updates.


2. Start Whonix TemplateVM

In Dom0 » Qubes VM Manager:

  • Select Whonix TemplateVM:
    • Start selected VM


3. Launch TemplateVM Terminal

In Dom0 » Application Launcher Menu:

  • For your Whonix TemplateVM's launcher menu, click on the "Terminal" app to launch it.


4. Enable Whonix Repository

Qubes and Debian updates install by default. If you would also like to install Whonix updates this way, then ensure you have the Whonix repository enabled -- (or disabled if you prefer). This setting will remain in your TemplateVM for later. On first run of template you will be presented with the Whonix repository options, but you may change them at any time.

In Whonix TemplateVM » Terminal:

  • Input command: sudo whonix-setup-wizard repository
    • Choose: Yes. Automatically install updates from the Whonix team.
    • Press: OK
    • Choose: Whonix Stable Repository (unless you are a tester or developer and understand what you are doing).
    • Press: OK


5. Check and Install Updates

In Whonix TemplateVM » Terminal:

  • Input command: sudo apt-get update && sudo apt-get dist-upgrade -y
  • OR, You can right click the Whonix templateVM in Qubes Manager and select Update


6. Clear Terminal History

In Whonix TemplateVM » Terminal:

  • Input command: history -cw


7. Shutdown Whonix TemplateVM

In Dom0 » Qubes VM Manager:

  • Select Whonix TemplateVM:
    • Shutdown selected VM


8. Restart/Update Whonix VMs

If new updates were available and installed, you will need to either simply restart your running Whonix-Gateway ProxyVMs and running Whonix-Workstation AppVMs for them to be updated -- or alternatively apply this same update process again to your running VMs if not wanting to restart them right away.

Before installing[edit]

First you need to have Qubes OS installed on your system. A helpful installation guide for Qubes OS 3.0 is found here.

However, before installing Qubes OS on your system, and after you have downloaded the Qubes ISO, make sure that you follow the Qubes OS security advice for verifying the signature of the Qubes ISO found here.

After you have Qubes OS up and running on your system, and before you install Whonix, you must next read and apply the Pre Installation Security Advice.

Enigmail / gpg / keyserver[edit]

Since Enigmail just calls gpg, everything is torified in Whonix anyway, and gpg is stream isolated (by the uwt wrapper) anyhow, there is no need for this setting in Whonix.

(Minor security notice: [36])

Source Code Verification Wheezy[edit]

git tag -v {{VersionNew}}-stable
git log --show-signature -1 "$(git rev-list --max-count 1 {{VersionNew}}-stable)"
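git tag -v prints "Good signature" for any key that happens to be in your keyring, so on its own it does not tell you that the tag was signed by the Whonix signing key rather than by some other key you imported. The following is an added example, not code from the Whonix wiki or the Whonix project: it reads the machine-readable gpg status that git verify-tag --raw emits and accepts the tag only if the VALIDSIG record names the expected primary-key fingerprint and no BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG or NO_PUBKEY record is present. The function names are this example's own and the tag name is passed as an argument in place of {{VersionNew}}-stable; the fingerprint is the one printed on this page.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki or project: verify a signed git tag
# and pin it to the expected signing key.  Function names are this example's
# own; the fingerprint is the one printed on this page.

EXPECTED_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# Read gpg status lines (as printed by "git verify-tag --raw") on stdin and
# print the primary-key fingerprint from the VALIDSIG record.  That record
# ends with the primary key fingerprint; its third field is the fingerprint
# of the (sub)key that actually signed.  With a gpg too old to append the
# primary fingerprint the last field is the signature class instead, which
# simply fails the comparison below (a safe failure).
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only when the status text on stdin carries a VALIDSIG whose primary
# fingerprint equals $1 and no record that marks the signature or key as bad.
# EXPKEYSIG (good signature, expired key) is rejected deliberately: an expired
# key is exactly the situation the KEYEXPIRED section above describes.
status_pins_to() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 1
    fi
    got=$(printf '%s\n' "$status" | validsig_primary_fpr | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# verify_tag <tag>, e.g. verify_tag 9-stable.  "git verify-tag --raw" writes
# gpg's status lines to stderr, so stderr is routed into the pipe and the
# human-readable stdout is dropped.
verify_tag() {
    tag="$1"
    git verify-tag --raw "$tag" 2>&1 >/dev/null | status_pins_to "$EXPECTED_FPR" ||
        { echo "tag $tag is not signed by $EXPECTED_FPR" >&2; return 1; }
    echo "tag $tag: good signature from $EXPECTED_FPR"
}
```

Run it from a checkout of the Whonix source after importing the signing key as described earlier on this page. The point of parsing the status output rather than grepping for "Good signature" is that the fingerprint, not the user ID or the key's presence in the keyring, is what identifies the signer.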

Using Tor / Pluggable Transports from the Tor Browser Bundle[edit]

Untested!

Unfinished!

TODO:
Figure out and document below here how to use TBB as "system Tor" inside Whonix-Gateway. (ticket)

Install the Tor Browser Updater by Whonix developers (tb-updater). [37] [38] [39]

sudo apt-get install --no-install-recommends tb-updater

Create a new home folder for user debian-tor.

sudo mkdir /home/user/debian-tor

Fix permissions.

sudo chown --recursive debian-tor:debian-tor /home/user/debian-tor

Allow login as user debian-tor by changing its default shell from false to /bin/bash.

sudo usermod debian-tor -s /bin/bash

Login as user debian-tor.

sudo su debian-tor

Change directory into /home/debian-tor. (Do not use ~. [40])

cd /home/debian-tor

Download and install Tor Browser.

update-torbrowser

Security warning: Do not start Tor Browser on Whonix-Gateway for any purpose other than configuring Tor. Use Whonix-Workstation to browse the web using Tor Browser.

Apply Whonix's Tor config to TBB.

cp /usr/share/tor/tor-service-defaults-torrc /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults

TODO for developers:

  • Install tb-updater by default on Whonix-Gateway?
  • Install Tor Browser by default on Whonix-Gateway?

mv /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults /home/user/debian-tor

Possible AppArmor issues? Is copying better?

ln -s /usr/share/tor/tor-service-defaults-torrc /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults

Future work:
Simplify this setup for users by installing this by default. Ticket: make TBB usable as "system Tor", so latest pluggable transports and the tor-launcher graphical user interface can be used in Whonix

Footer[edit]

https | Mirror | Mirror |

Infrastructure[edit]

File Hosting[edit]

Files are still hosted on sourceforge.net.

Negative:

  • No direct download links (hotlinking).
  • No SSL.
  • Advertisements.

Positive:

Bug / Feature Request Tracker[edit]

Now hosted on github: https://github.com/Whonix/Whonix/issues

A bit suboptimal, since people have to create a second account just for github, and it probably won't scale well enough in the long term. Positive points are that it works for many big projects such as Bitcoin and attracts a lot of pull requests (for them). So let's see how that works.

Old Criteria and Plan for Web Hosting[edit]

Requirements for Good Hosting[edit]

Requirements[edit]

  • Some webspace and sufficient traffic.
  • Needs a wiki, a forum, a blog, a mailing list.
  • We can either use free project hosting or our own hosting.
  • Tor friendly.
  • No tracking scripts. (Google Analytics etc.)
  • Permits signing up and using the page exclusively over Tor.
  • A wiki on that site (MediaWiki). (And spoilers.) (And flagged revisions.)
  • A free SSL certificate.
  • All parts of the website reachable over SSL without any warnings.
    • sourceforge.net does not offer that (SSL warnings).
    • startssl.com offers free SSL certificates. You simply have to prove that you have control over the domain, but that's not possible with subdomains.
  • Hosting and domain.
    • Censorship resistant in the sense of "Whonix will not get deleted."
    • Free, if that is possible. No one is willing to pay and in the beginning there are no donations.
  • We allow guest/anonymous postings (bug reports, feedback, etc.) and moderate them very non-restrictively. (Allow any critique. Only delete off-topic talk such as warez.)
    • It's still desired to have the less critical parts of the wiki open for guest edits.
    • Where no random trolls/crackers can modify anything important.
    • A wiki where guest edits are allowed only works when having a feature for Flagged revisions (Sighted versions), where admins review changes and manually make the edited version the default visible page for everyone. To my knowledge, only MediaWiki has such a feature.

Answered Questions[edit]

  • Is there a free project hosting fulfilling all requirements?
    • Last time checked, no.

Links, that may be helpful[edit]

Ideal Hosting offers additionally...[edit]

  • We had better not choose something based in non-free countries, such as the US.
  • Fully accessible by text mode browsers.
  • Fully accessible without JavaScript.
  • Optionally reachable by a hidden service.

Reviewed Hosting Services[edit]

sourceforge.net[edit]

In the past, all components of Whonix were hosted on sourceforge.net. Whonix still uses sourceforge.net as its primary bulk file download service. Unfortunately, sourceforge does not provide direct download links (hotlinking).

The internal wiki, forum, mailing list and download mirrors provided by sf.net have unlimited traffic, which is very good.

The forum provided by sourceforge.net was not very well suited for Whonix. Most users are expected to post to the forums over Tor, and sourceforge.net doesn't handle changing IPs very well. Registered users often had to post twice until their message got stored, and if they hadn't saved their draft beforehand it was lost, which was really annoying. A positive point was that the forum was viewable over SSL, but only for registered users. Even when users managed to successfully post a message, it was still confusing because the message had to be manually moderated due to automatic spam scripts targeting the Whonix forum. Sourceforge's wiki was unfortunately not viewable over SSL, which was very bad.

sf.net generally provides two different categories of hosting: Allura with "some" SSL (i.e. the wiki, forum, mailing list and download mirrors) on the one hand, and project web on the other.

Project web (no SSL) has a somewhat low traffic limit, but according to their support it will be manually increased.

One of the major issues with sf.net is that it does not support SSL everywhere. In the past, the Contribute page contained a Vote chapter, and one of the votes users were encouraged to cast was Idea #721: Allow SSL for SourceForge pages whenever possible. Unfortunately, very few users voted.

A very strong point for sf.net is that big files (virtual machine images) and unlimited traffic are allowed. Another strong one, of course, is that sf.net allows Whonix to be hosted on sf.net.

Sourceforge.net blocks users from "Cuba, Iran, North Korea, Sudan, Syria".

Other severe usability bugs:

Google Code[edit]

  • Google Code blocks users from "Cuba, Iran, North Korea, Sudan, Syria".
  • No file downloads.

wikimedia / wikipedia[edit]

Last time we checked, wikipedia (wikimedia) derivatives and wikia weren't Tor friendly.

savannah[edit]

  • https://savannah.nongnu.org (with SSL) looked promising and they are expected to be gone soon or to do any other stupid stuff (banning countries etc.).
  • They offer homepages, for example http://www.nongnu.org/qwe/ but it seems there are no subdomains (qwe.nongnu.org) with SSL (for nongnu.org). That's the minimum requirement.
  • Support direct download links (hotlinking).
  • Can't provide file hosting for Whonix, because it would cause too much traffic. [41]

github[edit]

  • Already using github as main git repository.
  • github.com offers sub domains, but they are not reachable over SSL.
  • github triggers a scary error message. Until either many pages trigger that error so it doesn't matter any more, or this message gets fixed in Tor Browser, we shouldn't use github as issue tracker or website, to avoid FUD. Once that has somehow become a non-problem, we could think about using github as issue tracker.
  • How to auto-create a table of contents using markdown on github? But...
  • Github also supports mediawiki syntax.
    • Seems it automatically creates a table of contents, good!
    • Bug: Mediawiki pictures not shown in Github Wiki. Once this bug gets fixed, we could think about using the github source code hosting as website, see example.
    • We haven't found out yet how to use [[include ref=WikiHeader]] for github mediawiki pages. It's an important feature for Whonix pages.
    • Looks like mediawiki support is just a gimmick. More advanced formatting like font size, syntax highlighting and so on doesn't work.
  • No file hosting service.

gitorious[edit]

  • Nice as a git mirror. In use as a git mirror.
  • SSL for the whole page including the wiki.
  • The wiki supports fewer features: no html (not that important) and no tables. The side bar takes too much space and leaves too little room for the wiki. The wiki is more suited for smaller documentation, not as a whole website replacement like Whonix needs.
  • No file hosting service.

self hosted hidden service[edit]

  • Adrelanos is not willing to do it.

free onion hosting service[edit]

  • We could host a website on third party (free) hidden service webspace service.
  • Risky, because those services can go away any time without notice. - Looks like a valid risk, two just went down. [42]
  • Can they handle the load when we release a new version? Not talking about bandwidth. Just about page views.
  • Clearnet users could only access them through onion.to and tor2web.

mirror.fsf.org[edit]

  • http://mirror.fsf.org/
  • Providing direct download links (hotlinking).
  • Probably it will not be possible. They have quite a firm policy (Guidelines for Free System Distributions) and if Debian didn't manage to fulfill it, surely Whonix can't either.
  • In theory, an option could be to base Whonix on a distribution which is on their list already, but that might not be doable for technical reasons. (Questions open up, such as: Are they in sync with Debian unstable? Are they in sync with Debian testing? How long does it take until they deploy updates from security.debian.org? How up to date are their packages? How are they different from Debian?)
  • Whonix contacted the FSF to be on their list. They declined, because Whonix is not standalone. (Does not fulfill point "Complete Distros", since physical isolation users have to install Debian first.)

seul.org[edit]

  • Sent a registration request for seul.org. They don't accept new registrations, but Roger Dingledine (surprise, surprise) said in a private mail that he's seeding Tails already and would volunteer to seed Whonix if there was an announcement mailing list or if we mailed him new releases. Doing this.

Conclusion[edit]

In summary, there were no open source hosting sites which offer SSL everywhere and unlimited downloads of big files. An open source hosting facility providing free webspace and SSL everywhere would be very desirable, but doesn't exist.

Hosting Services to be reviewed[edit]

General Questions[edit]

  • Download traffic?
  • Quota?
  • Direct download links (hotlinking) possible?
  • Optional: SSL downloads?

Mirror Providers[edit]

There are a few lists of mirror providers. We could contact them and ask if they were willing to provide direct download links (hotlinking) (+SSL) for Whonix.

If they are able to sponsor sourceforge, then in comparison sponsoring Whonix would be only peanuts to them. The question is whether they provide service for individual requests.

codeplex[edit]

bitbucket[edit]

autistici[edit]

https://vpn.autistici.org could be asked if they were willing to act as webseed.

alioth[edit]

http://alioth.debian.org could be asked if they would accept Whonix as a new project (related enough to Debian); then they might be used as webseed.

Links, that may be helpful[edit]

Asked[edit]

  • http://linux.psu.ru/ linux at psu.ru
    • November 2013: wants to test Whonix for a few months and then decide
  • November 2013: mirror.aarnet.edu.au
    • asked where their sourceforge folder is
    • and if they tell us: asked if we may use them as master mirror for other mirrors
  • November 2013: mirrorservice.org
    • asked if we are allowed to directly download from them
    • asked if we may use them as master mirror for other mirrors

Answer:

We have no problem with you direct linking to us or you suggesting other
sites using us to mirror from (we offer rsync too).

But bear in mind that the data in that mirror is controlled by
SourceForge. They don't ship all files to all mirrors - each mirror
specifies how much data it can take, and they put stuff on up to that
limit based on popularity (presumably). Their delivery mechanism knows
which files are on which mirrors, so end users don't get pointed at a
mirror that doesn't contain the file they're after.

So it's possible that we may not have a complete copy of all your files,
and it may change in the future without any intervention from us.

If you're happy with that situation then go ahead and link to us.

Answer to follow up email:

We don't have any upload facilities I'm afraid. We only offer downloads.

One solution is to run a private rsync server yourselves that only
certain mirrors can access. It doesn't have to be that quick.

You may find other mirrors do offer an upload facility though.
  • November 2013: switch.ch
    • asked for an upload account
    • asked for master rsync capabilities

Answer:

Dear Sir 

Thank you for your e-mail of 25th November 2013 regarding Whonix. 

Sorry, we are not interested in your offer.

Forum Header[edit]

<center><b>Welcome to the new Whonix forums!</b></center>
<center><b>As part of the transition, everyone will have to reset their passwords, as they didn't come over in the transition process. (<a href=https://forums.whonix.org/t/discourse-bug-report-thread/1612>forum thread</a>)</b></center>

Whonix APT Repository URI Sourceforge[edit]

To use the sourceforge location uri rather than mirror.whonix.de uri, use the following command line switch. Example.

sudo whonix_repository --baseuri http://sourceforge.net/projects/whonixdevelopermetafiles/files/internal/ --repository testers --enable

XChat[edit]

All HexChat plugins have been deactivated (hardening) using dpkg-divert. To re-enable them, use one of the following commands depending on which plugin you need.

Open a terminal.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Konsole

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> System -> Konsole

sudo dpkg-divert --rename --remove /usr/lib/xchat/plugins/python.so
sudo dpkg-divert --rename --remove /usr/lib/xchat/plugins/tcl.so
sudo dpkg-divert --rename --remove /usr/lib/xchat/plugins/perl.so

Those commands are reverted when Whonix Debian Packages get updated. TODO: Document how to prevent that.

VPN sysvinit[edit]

sysvinit: (Legacy. Prefer the systemd method below.) [43]

Repository Location URI[edit]

There are two repository location URIs.

  • mirror.whonix.de
    • Default: yes. [44]
    • Download speed: fast.
    • Agility: After uploading new packages, it takes ~1 hour until all mirrors in the mirror.whonix.de mirror system have upgraded.
    • Target audience: most users.
  • sourceforge
    • Default: no. [45]
    • Download speed: slow.
    • Agility: After uploading new packages, packages are available almost instantly.
    • Target audience: developers, perhaps testers.

To use the whonix.org location uri rather than mirror.whonix.de uri, use the following command line switch. Example.

VPN DNS Configuration[edit]

Currently only manual.

Open /etc/resolv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/resolv.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/resolv.conf

Comment out.

#nameserver 10.152.152.10

Add.

## Riseup.net OpenVPN DNS server
nameserver 172.27.100.1

If you are not using riseup, you need to replace 172.27.100.1 with the virtual LAN IP address of your VPN provider's DNS server. You might be able to obtain it from your VPN provider. You can also try to infer it after successfully connecting to the VPN by running "sudo route". The first default gateway listed should function as DNS server as well.

Save.

If you want to be sure that /etc/resolv.conf does not get overwritten by other packages (such as DHCP or resolvconf), make it immutable.

sudo chattr +i /etc/resolv.conf

If you ever want to remove the immutable flag again, use chattr -i.

(A more usable way is TODO research, help welcome. As possible starting point, see footnote. [46])
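The hint above, that the first default gateway in the `route` output usually doubles as the VPN's DNS server, can be automated. The script below is an added example, not code from the Whonix project or from any VPN provider: it parses `route -n` output, prefers a default route (or OpenVPN's redirect-gateway half routes over 0.0.0.0/1 and 128.0.0.0/1) that sits on a tun/tap interface, and then rewrites resolv.conf content the way the steps above describe, commenting out the Whonix-Gateway nameserver and adding the VPN one. The sample routing table is constructed, using RFC 5737 documentation addresses for the VPN server.

```python
"""Pick the VPN-side default gateway from `route -n` output and build the
matching /etc/resolv.conf content.

Added example, not code from the Whonix project. It generalises the "first
default gateway is probably the DNS server" hint above: it prefers a default
(or OpenVPN 0.0.0.0/1 + 128.0.0.0/1 half-default) route on a tun/tap interface
and only falls back to the first default route otherwise.
The sample `route -n` output is constructed, with RFC 5737 test addresses.
"""
import ipaddress
from typing import List, Optional


def parse_route_table(route_output: str) -> List[dict]:
    """Parse the text of `route -n` into a list of row dicts."""
    rows = []
    for line in route_output.splitlines():
        parts = line.split()
        # Data rows start with a dotted-quad destination; skip the header lines.
        if len(parts) < 8 or parts[0].count(".") != 3:
            continue
        rows.append({"dest": parts[0], "gw": parts[1], "mask": parts[2],
                     "flags": parts[3], "metric": int(parts[4]), "iface": parts[7]})
    return rows


def vpn_dns_candidate(route_output: str) -> Optional[str]:
    """Return the gateway IP that most likely doubles as the VPN DNS server.

    Candidates are routes with destination 0.0.0.0: the real default route
    (genmask 0.0.0.0) and OpenVPN's redirect-gateway half route (genmask
    128.0.0.0). A candidate on a tun*/tap* interface wins; otherwise the first
    candidate is returned, as the page suggests.
    """
    defaults = [r for r in parse_route_table(route_output) if r["dest"] == "0.0.0.0"]
    if not defaults:
        return None
    tunnel = [r for r in defaults if r["iface"].startswith(("tun", "tap"))]
    chosen = sorted(tunnel, key=lambda r: r["metric"])[0] if tunnel else defaults[0]
    return chosen["gw"]


def rewrite_resolv_conf(content: str, dns_ip: str, label: str = "VPN DNS server") -> str:
    """Comment out every active nameserver line and append dns_ip as the only one."""
    ipaddress.ip_address(dns_ip)  # raises ValueError on garbage input
    out = []
    for line in content.splitlines():
        if line.strip().startswith("nameserver"):
            out.append("#" + line)  # keep the old entry visible for rollback
        else:
            out.append(line)
    out.append("## " + label)
    out.append("nameserver " + dns_ip)
    return "\n".join(out) + "\n"


# Constructed sample: Whonix-Workstation after an OpenVPN connection that
# pushed redirect-gateway; 198.51.100.7 stands in for the VPN server.
SAMPLE_ROUTE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.100.1    128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.152.152.10   0.0.0.0         UG    0      0        0 eth0
10.152.152.0    0.0.0.0         255.255.192.0   U     0      0        0 eth0
128.0.0.0       172.27.100.1    128.0.0.0       UG    0      0        0 tun0
172.27.100.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
198.51.100.7    10.152.152.10   255.255.255.255 UGH   0      0        0 eth0
"""

SAMPLE_RESOLV = "nameserver 10.152.152.10\n"

if __name__ == "__main__":
    dns = vpn_dns_candidate(SAMPLE_ROUTE)
    print("candidate VPN DNS:", dns)
    print(rewrite_resolv_conf(SAMPLE_RESOLV, dns), end="")
```

On a real system you would feed `subprocess.check_output(["route", "-n"], text=True)` to `vpn_dns_candidate` and write the result of `rewrite_resolv_conf` to /etc/resolv.conf as root before applying `chattr +i`; confirm the candidate actually answers DNS queries before making the file immutable.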

merged chroot-scripts[edit]

anon-shared-build-apt-sources-tpo[edit]

./packages/anon-shared-build-apt-sources-tpo/usr/lib/anon-dist/chroot-scripts-post.d/40_add_torprojects_key
./packages/anon-shared-build-apt-sources-tpo/usr/lib/anon-dist/chroot-scripts-post.d/50_update_tpo_package_list
./packages/anon-shared-build-apt-sources-tpo/usr/lib/anon-dist/chroot-scripts-post.d/60_install_deb.torproject.org-keyring

anon-gw-build-upgrade-tor[edit]

./packages/anon-gw-build-upgrade-tor/usr/lib/anon-dist/chroot-scripts-post.d/70_update_tor_and_obfsproxy

anon-shared-build-upgrade-torsocks[edit]

./packages/anon-shared-build-upgrade-torsocks/usr/lib/anon-dist/chroot-scripts-post.d/70_update_torsocks

anon-shared-build-ban-nonfree[edit]

./packages/anon-shared-build-ban-nonfree/usr/lib/anon-dist/chroot-scripts-post.d/75_vrms

anon-shared-build-inst-tb[edit]

./packages/anon-shared-build-inst-tb/usr/lib/anon-dist/chroot-scripts-post.d/70_torbrowser

anon-shared-build-log-build-version[edit]

./packages/anon-shared-build-log-build-version/usr/lib/anon-dist/chroot-scripts-post.d/70_log_build_version

flashproxy[edit]

Untested!
Might work. In short: just forget about it. [47]

Flash Proxy Bridges. This has NOTHING to do with Adobe Flash.

Should work in Whonix-Gateway as well, but requires some fiddling. See also Forum topic.

1. Set up a Port Forwarding from your Router to your Computer

https://trac.torproject.org/projects/tor/wiki/FlashProxyHowto#Settingupportforwarding

2. Enable port forwarding from your host operating system to Whonix-Gateway. Enter this command in a terminal on the host.

Qubes:

TODO

part of the solution might be:
https://www.qubes-os.org/doc/qubes-firewall/#tocAnchor-1-1-5

KVM:

TODO

VirtualBox:

VBoxManage modifyvm "Whonix-Gateway" --natpf1 "9000",tcp,127.0.0.1,9000,,9000

3. Modify Whonix User Firewall Settings.

Note: Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix User Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> User Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/whonix_firewall.d/50_user.conf

Note: Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains the default settings and explanatory comments on the purpose of these settings. It gets opened read-only by default. You are not supposed to directly edit the file. Below, we recommend opening the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, complete the following steps.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix Global Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Global Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

nano /etc/whonix_firewall.d/30_default.conf

4. Add the following content.

GATEWAY_ALLOW_INCOMING_FLASHPROXY=1
FLASHPROXY_PORT=9000

5. Save.

6. Reload Whonix-Gateway Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run:

sudo whonix_firewall

7. Install flashproxy. [48]

sudo apt-get install flashproxy-client

8. Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

9. Add. [49]

UseBridges 1

# The address and port are ignored by the client transport plugin.
Bridge flashproxy 0.0.1.0:1 4D6C0DF6DEC9398A4DEF07084F3CD395A96DD2AD
Bridge flashproxy 0.0.1.0:2 4D6C0DF6DEC9398A4DEF07084F3CD395A96DD2AD
Bridge flashproxy 0.0.1.0:3 4D6C0DF6DEC9398A4DEF07084F3CD395A96DD2AD
Bridge flashproxy 0.0.1.0:4 4D6C0DF6DEC9398A4DEF07084F3CD395A96DD2AD
Bridge flashproxy 0.0.1.0:5 4D6C0DF6DEC9398A4DEF07084F3CD395A96DD2AD

# Change the second number here (9000) to the number of a port that can
# receive connections from the Internet (the port for which you
# configured port forwarding).
ClientTransportPlugin flashproxy exec /usr/bin/flashproxy-client --register :0 :9000

10. Save.

11. Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

12. Done.

scramblesuit[edit]

Quote intrigeri (Tails developer):

On tor-talk we've been told "You shouldn't prioritise ScrambleSuit because it's superseded by obfs4", and there are now pressing plans in the Tor Project to deprecate obfs2 and obfs3 in favour of obfs4. Hence rejecting this ticket, and focusing on #7980 [obfs4 support] instead.

Also see Tor Announcement under heading "obfs4 and scramblesuit"

ClientTransportPlugin obfs2,obfs3,scramblesuit exec /usr/bin/obfsproxy managed
Bridge scramblesuit 141.201.27.48:420 gliberish password=more-gliberish

AppArmor issue. Probably not reported anywhere yet.

audit: type=1400 audit(1439818522.818:9): apparmor="DENIED" operation="mkdir" profile="/usr/bin/obfsproxy" name="/var/lib/tor/pt_state/scramblesuit/" pid=11163 comm="obfsproxy" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
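Lines like the one above are what you read when a pluggable transport is silently failing under an AppArmor profile, so it helps to turn them into fields and into the rule that would satisfy the request. The script below is an added example, not code from the Whonix project or from AppArmor: it parses the key=value fields of an audit line, tells DENIED (enforce mode) apart from ALLOWED (complain mode, only logged), and derives a file rule from the denied mask. The mask-to-permission mapping is my assumption for the common file-rule case (create and delete are covered by "w"); exec denials need an ix/px/ux decision and therefore get no suggestion. The first sample line is the one quoted above; the other two are constructed.

```python
"""Parse AppArmor audit lines into fields and derive the rule a denial asks for.

Added example, not code from the Whonix project or AppArmor. The
_MASK_TO_PERM mapping is an assumption covering plain file rules; exec
denials return None because the exec mode (ix/px/ux) is a policy choice.
"""
import re
from typing import Dict, Optional

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_AUDIT_ID = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# requested_mask letters -> file-rule permission letters (assumption, see above)
_MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
                 "m": "m", "k": "k", "l": "l"}


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one audit line, plus timestamp and serial."""
    fields = {}
    m = _AUDIT_ID.search(line)
    if m:
        fields["timestamp"] = m.group(1)
        fields["serial"] = m.group(2)
    for key, _, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_denial(fields: Dict[str, str]) -> bool:
    """DENIED means enforce mode blocked it; ALLOWED is complain mode, logged only."""
    return fields.get("apparmor") == "DENIED"


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Build the file rule that would satisfy the denied request, or None."""
    path = fields.get("name")
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    if not path or not mask or not path.startswith("/"):
        return None
    if "x" in mask:
        return None  # exec needs an ix/px/ux decision a script should not make
    perms = "".join(sorted({_MASK_TO_PERM[c] for c in mask if c in _MASK_TO_PERM}))
    if not perms:
        return None
    # A created directory is reported with a trailing slash; keep it as logged.
    return f"{path} {perms},"


# The denial quoted on this page, plus two constructed lines for contrast.
SAMPLE_LINES = [
    'audit: type=1400 audit(1439818522.818:9): apparmor="DENIED" operation="mkdir" '
    'profile="/usr/bin/obfsproxy" name="/var/lib/tor/pt_state/scramblesuit/" '
    'pid=11163 comm="obfsproxy" requested_mask="c" denied_mask="c" fsuid=106 ouid=106',
    'audit: type=1400 audit(1439818600.000:10): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/obfsproxy" name="/etc/hosts" pid=11163 comm="obfsproxy" '
    'requested_mask="r" denied_mask="r" fsuid=106 ouid=0',
    'audit: type=1400 audit(1439818601.000:11): apparmor="DENIED" operation="exec" '
    'profile="/usr/bin/obfsproxy" name="/bin/sh" pid=11164 comm="obfsproxy" '
    'requested_mask="x" denied_mask="x" fsuid=106 ouid=0',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_apparmor_line(line)
        print(f["profile"], f["operation"], f["name"],
              "DENIED" if is_denial(f) else "allowed", "->", suggest_rule(f))
```

For the quoted line this yields `/var/lib/tor/pt_state/scramblesuit/ w,`, which is the shape of rule a local override for the obfsproxy profile would carry; whether to grant it is still a review decision, which is why exec requests are left for a human.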

Bridges[edit]

obfs3[edit]

Example of using obfs3 bridges: You cannot use the example bridge 141.201.27.48:420 below, because it's only an example. You still need to find your own bridges as explained in the section above, titled Finding a bridge and choosing the right protocol.

UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
bridge obfs3 141.201.27.48:420 4352e58420e68f5e40bf7c74faddccd9d1349413

obfs4[edit]

Example using obfs4 bridges.

You cannot use the example bridge 141.201.27.48:420 below, because it's only an example. You still need to find your own bridges as explained in the section above, titled Finding a bridge and choosing the right protocol.

UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
bridge obfs4 161.217.177.95:10703 B3B8009D01BB7E5FDFAEC cert=4RaIqGiOytEXm6Hw iat-mode=0
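The flashproxy, obfs3 and obfs4 torrc fragments above share the same failure modes: Bridge lines without `UseBridges 1` are ignored, so Tor connects directly; a Bridge transport with no matching ClientTransportPlugin cannot be reached; a truncated fingerprint or a missing obfs4 `cert=` makes the bridge unusable. The validator below is an added example, not code from the Whonix project or Tor, that checks a torrc text for those conditions before you reload Tor. The sample configurations are constructed with RFC 5737 addresses and made-up fingerprints; the transport keywords and the `Bridge`/`ClientTransportPlugin` syntax are Tor's own.

```python
"""Sanity-check the bridge-related lines of a torrc before reloading Tor.

Added example, not code from the Whonix project or Tor. Checks: UseBridges 1
whenever Bridge lines exist, a ClientTransportPlugin for every transport a
Bridge line names, 40-hex-digit fingerprints, a sane addr:port, and cert=
(or node-id=/public-key=) on obfs4 bridges. Samples are constructed.
"""
import re
from typing import Dict, List

_HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")
_ADDR = re.compile(r"^\[?[0-9A-Fa-f.:]+\]?:(\d{1,5})$")


def _parse_bridge(tokens: List[str]) -> Dict[str, object]:
    """Bridge [transport] addr:port [fingerprint] [key=value ...]"""
    rest = list(tokens)
    transport = None
    if rest and "=" not in rest[0] and not _ADDR.match(rest[0]):
        transport = rest.pop(0)
    addr = rest.pop(0) if rest else ""
    fingerprint = None
    if rest and "=" not in rest[0]:
        fingerprint = rest.pop(0)
    args = dict(t.split("=", 1) for t in rest if "=" in t)
    return {"transport": transport, "addr": addr, "fingerprint": fingerprint, "args": args}


def check_torrc(text: str) -> List[str]:
    """Return the problems found; an empty list means the bridge lines look sane."""
    problems = []
    use_bridges = None
    bridges = []
    plugins = set()  # transports that have a ClientTransportPlugin

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        key = tokens[0].lower()  # torrc keywords are case-insensitive
        if key == "usebridges":
            use_bridges = tokens[1] if len(tokens) > 1 else ""
        elif key == "bridge":
            b = _parse_bridge(tokens[1:])
            b["lineno"] = lineno
            bridges.append(b)
        elif key == "clienttransportplugin" and len(tokens) >= 3:
            if tokens[2].lower() not in ("exec", "socks4", "socks5"):
                problems.append(f"line {lineno}: ClientTransportPlugin needs exec/socks4/socks5")
            plugins.update(t.lower() for t in tokens[1].split(","))

    if bridges and use_bridges != "1":
        problems.append("Bridge lines present but UseBridges is not 1: Tor would ignore them")
    if use_bridges == "1" and not bridges:
        problems.append("UseBridges 1 but no Bridge lines: Tor cannot build circuits")

    for b in bridges:
        where = f"line {b['lineno']}"
        m = _ADDR.match(str(b["addr"]))
        if not m or not 1 <= int(m.group(1)) <= 65535:
            problems.append(f"{where}: bad bridge address/port {b['addr']!r}")
        if b["fingerprint"] is not None and not _HEX40.match(str(b["fingerprint"])):
            problems.append(f"{where}: fingerprint {b['fingerprint']!r} is not 40 hex digits")
        t = b["transport"]
        if t and t.lower() not in plugins:
            problems.append(f"{where}: no ClientTransportPlugin for transport {t!r}")
        if t and t.lower() == "obfs4":
            args = b["args"]
            if "cert" not in args and not ("node-id" in args and "public-key" in args):
                problems.append(f"{where}: obfs4 bridge needs cert= (or node-id= and public-key=)")
    return problems


# Constructed configs; 192.0.2.0/24 is a documentation range.
GOOD_OBFS4 = """UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=ConstructedCertValue iat-mode=0
"""

# Shaped like the obfs4 example above: the fingerprint is truncated.
BAD_FINGERPRINT = """UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs4 192.0.2.10:443 B3B8009D01BB7E5FDFAEC cert=ConstructedCertValue iat-mode=0
"""

# obfs3 bridge but only an obfs4 plugin, and UseBridges forgotten.
MISMATCH = """ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs3 192.0.2.11:8443 4352e58420e68f5e40bf7c74faddccd9d1349413
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_OBFS4), ("bad fingerprint", BAD_FINGERPRINT), ("mismatch", MISMATCH)):
        print(name, "->", check_torrc(cfg) or ["ok"])
```

Run `check_torrc(open("/etc/tor/torrc").read())` on Whonix-Gateway before the Reload Tor step; it complements `tor --verify-config`, which accepts syntactically valid Bridge lines that would still never connect.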

Dev/Mirrors[edit]

Original discussion: https://github.com/Whonix/Whonix/issues/96

List of all mirrors.

dig mirror.whonix.de ANY +noall +answer

Test.

curl -H 'Host: mirror.whonix.de' -k http://109.230.212.53/whonixdevelopermetafiles/internal/news_v4/whonix_news.tar.xz.asc

issues

Moving away from mirror network to whonix.org:
https://www.whonix.org/blog/upcoming-usability

Footnotes[edit]

  1. This will create a Debian quilt patch.
  2. Alternatively, you could deactivate or override Whonix News in the whonixcheck script and manually stay on top of news.
  3. For example WHONIX_BUILD_NEW_CHANGELOG_VERSION: 2:6.13.g4218c564e556cb68a3f18dc4040db5353690706c does not look sane, but WHONIX_BUILD_NEW_CHANGELOG_VERSION: 2:6-debpackage1 looks sane.
  4.  dpkg-source -b Whonix
    dpkg-source: info: using source format `3.0 (quilt)'
    dpkg-source: info: building whonix using existing ./whonix_138adretemp.4.gd3d4f5fa9e18fddafdf5b09b428ba04dfb2a6d1e.orig.tar.gz
    dpkg-source: info: local changes detected, the modified files are:
     Whonix/buildconfig.d/50_target_arch
    dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/whonix_138adretemp.4.gd3d4f5fa9e18fddafdf5b09b428ba04dfb2a6d1e-debpackage1.diff.fIiBKC
    dpkg-source: info: you can integrate the local changes with dpkg-source --commit
    dpkg-buildpackage: error: dpkg-source -b Whonix gave error exit status 2
    debuild: fatal error at line 1361:
    dpkg-buildpackage -rfakeroot -D -us -uc -sa failed
    ++ error_handler_general
    ++ local return_code=29
    ++ rm --force /etc/apt/sources.list.d/whonixtestingtemp.list
    ++ rm --force /etc/apt/apt.conf.d/90whonix-build-confold
    +++ caller
    ++ echo '
    BASH_COMMAND: sudo -E -u user debuild -p"gpg             --no-default-keyring             --homedir "$WHONIX_LOCAL_SIGNING_KEY_FOLDER"             --default-key "$DEBEMAIL"
                " -sa
    return_code: 29
    ERROR ./build-steps.d/1200_create-debian-packages: | caller: 173 ./build-steps.d/1200_create-debian-packages
    '
    
    BASH_COMMAND: sudo -E -u user debuild -p"gpg             --no-default-keyring             --homedir "$WHONIX_LOCAL_SIGNING_KEY_FOLDER"             --default-key "$DEBEMAIL"
                " -sa
    return_code: 29
    ERROR ./build-steps.d/1200_create-debian-packages: | caller: 173 ./build-steps.d/1200_create-debian-packages
    
    ++ exit 1
    
  5. By using the Tor Browser Bundle (TBB). For an introduction, see Tor Browser. See also Hide Tor and Whonix from your ISP.
  6. Man-in-the-middle attacks could poison the download.
  7. It does not matter if you did the bulk download over an insecure channel, if you use OpenPGP verification at the end.
  8. Torrent clients known to work: transmission, Vuze, Deluge. Check this clients table. If nobody is seeding at the time, only clients with the "as" feature can be used, because we are providing a webseed.
  9. It's at least as secure as SSL and SHA-1, better than plain http. This is because you get the torrent file or magnet link over https and the torrent/magnet client checks the SHA-1 checksum at the end. Using OpenPGP verification would be safer.
  10. Magnet link clients known to work: gtk-gnutella. Check this clients table. If nobody is seeding at the time, only clients with the "as" feature can be used, because we are providing a webseed.
  11. When you build from source code, audit the source code for being non-malicious and reasonably bug free, you do not have to Trust the developers, the website or the SSL certificate authorities.
  12. changelog.gz copyright README.Debian control control.tar.gz data.tar.gz debian-binary md5sums
  13. These steps are required to remove proxy settings.
  14. TOR_SOCKS_HOST and TOR_SOCKS_PORT were set for Stream Isolation.
  15. Updates are unsigned. The Tor Project trac ticket: https://trac.torproject.org/projects/tor/ticket/13379
    This is dangerous over clearnet, but it is especially dangerous when updating over Tor, because a Man-in-the-middle attack could happen.
    Forum Development Discussion
    Forum Help Thread
  16. See tbb-linkability and tbb-fingerprinting.
  17. If you are curious which these are in details, or for reviewers or auditors, see torbrowser script and user.js on github.
  18. See SSL for comments on SSL (in)security.
  19. Man-in-the-middle attacks could poison the download.
  20. Man-in-the-middle attacks could poison the download.
  21. Man-in-the-middle attacks could poison the download.
  22. Torrent clients known to work: transmission, Vuze, Deluge. Check this clients table. If nobody is seeding at the time, only clients with the "as" feature can be used, because we are providing a webseed.
  23. Magnet link clients known to work: gtk-gnutella. Check this clients table. If nobody is seeding at the time, only clients with the "as" feature can be used, because we are providing a webseed.
  24. When you build from source code, audit the source code for being non-malicious and reasonably bug free, you do not have to Trust the developers, the website or the SSL certificate authorities.
  25. By additional verification that you got the source code from the original authors and by ensuring you're using the same source code as others you get better security.
  26. http://askubuntu.com/questions/41605/trouble-downloading-updates-due-to-hash-sum-mismatch-error
  27. This is because, in order to implement Stream Isolation, Whonix's apt-get uwt wrapper forces apt-get through torsocks. Unfortunately, not only apt-get is forced through Tor, but also sysvinit and subsequently all daemons sysvinit is restarting. The acpi_fakekey daemon uses local connections, which will be rejected by torsocks. The worst that can happen is that acpi_fakekey won't operate until manually restarted. This is a bigger issue for web servers and the like, because those may not function until manually restarted. This will likely be fixed as soon as Whonix is based on Debian jessie, because that uses systemd, which is not affected by this; torsocks 2.0 may also solve this.
  28. So anon-ws-disable-stacked-tor environment variables changes take effect to fix the ControlPort quotes warning.
  29. http://packages.debian.org/search?searchon=names&keywords=virtualbox
  30. If you only want Shared Folder, mouse integration, for improved security, you can try using only the next line, but not the line after next. You need kernel headers to be able to compile the kernel module.
    sudo apt-get install --no-install-recommends virtualbox-guest-dkms virtualbox-guest-utils
    

    If you want all features, such as dynamic resolution and shared clipboard

    sudo apt-get install virtualbox-guest-x11
    
  31. If you want to set it to no proxy, you could either:
    • additionally add in ~/tor-browser_en-US/start-tor-browser below "#!/bin/sh".
    export TOR_TRANSPROXY=1
    • Or add to /etc/environment
    TOR_TRANSPROXY=1

    and reboot.

  32. When using the regular Tor Browser Bundle from The Tor Project without Whonix, that menu can be used to change network settings inside Tor. It has the same effects as editing Tor's config file torrc. Using this graphical user interface isn't possible in Whonix, because for security reasons, in Whonix there is only limited access to Tor's control port. (See Dev/CPFP for more information.) You could change such settings manually in /etc/tor/torrc on Whonix-Gateway. (See also VPN/Tunnel support for more information.)
  33. (Recommended against!) As a workaround you could enable IsolateDestAddr and IsolateDestPort for the Tor Browser. This comes at great performance costs, especially for websites with lots of 3rd party content. It will not isolate connections to different websites on a shared server and it will create new circuits for every IP address you connect to (e.g. it will isolate subdomains if they use different IPs). It will also let you stand out more from other Tor Browser users, because almost no one is using it that way. Generally, for these reasons you should not enable this feature. Instead, close the browser and get a "new identity" through arm on the gateway if you want to separate activities inside Tor Browser. If you want to do this anyway, follow these instructions. On Whonix-Gateway open /etc/tor/torrc.
    sudo nano /etc/tor/torrc
    

    Add.

    SocksPort 10.152.152.10:9150 IsolateDestAddr IsolateDestPort
    

    Save.

    Reload Tor.

    sudo service tor reload
    

    Done.
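    As an added check (example code, not part of the Whonix page, Tor, or Tor Browser): a small Python parser that reads the SocksPort lines of a torrc and reports the effective isolation flags per listener, applying Tor's defaults (IsolateClientAddr and IsolateSOCKSAuth are on unless switched off with the No prefix). The torrc embedded in it is constructed for illustration; the 10.152.152.10:9150 listener is the one from the footnote above.

```python
"""Added example (not from the Whonix page): audit which isolation flags each
SocksPort in a torrc ends up with, including Tor's defaults."""

# Isolation flags Tor accepts on a SocksPort line. IsolateClientAddr and
# IsolateSOCKSAuth are on by default; "No<Flag>" switches a flag off.
ISOLATION_FLAGS = {
    "IsolateClientAddr",
    "IsolateSOCKSAuth",
    "IsolateClientProtocol",
    "IsolateDestPort",
    "IsolateDestAddr",
    "KeepAliveIsolateSOCKSAuth",
}
DEFAULT_ON = {"IsolateClientAddr", "IsolateSOCKSAuth"}


def parse_socks_ports(torrc: str) -> dict:
    """Map each SocksPort listener ("addr:port" or just "port") to the set of
    isolation flags in effect for it. Comments and other options are skipped."""
    result = {}
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        # torrc option names are case-insensitive
        if tokens[0].lower() != "socksport" or len(tokens) < 2:
            continue
        listener = tokens[1]
        flags = set(DEFAULT_ON)
        for tok in tokens[2:]:
            if tok.startswith("No") and tok[2:] in ISOLATION_FLAGS:
                flags.discard(tok[2:])
            elif tok in ISOLATION_FLAGS:
                flags.add(tok)
            # other tokens (SessionGroup=..., IPv6 flags, ...) do not affect this audit
        result[listener] = flags
    return result


def isolates_by_destination(torrc: str, listener: str) -> bool:
    """True if `listener` carries both IsolateDestAddr and IsolateDestPort,
    i.e. the per-destination circuit isolation the footnote recommends against."""
    flags = parse_socks_ports(torrc).get(listener, set())
    return {"IsolateDestAddr", "IsolateDestPort"} <= flags


# Constructed sample torrc: the footnote's Tor Browser port with the extra flags,
# one listener left at Tor's defaults, and one that switches a default off.
SAMPLE_TORRC = """\
# Tor Browser, with per-destination isolation
SocksPort 10.152.152.10:9150 IsolateDestAddr IsolateDestPort
# another listener at defaults
SocksPort 10.152.152.10:9100
# SOCKS auth no longer isolates streams on this one
SocksPort 127.0.0.1:9050 NoIsolateSOCKSAuth
"""

if __name__ == "__main__":
    for listener, flags in parse_socks_ports(SAMPLE_TORRC).items():
        print(listener, sorted(flags))
```

    Run it against the real file with `parse_socks_ports(open("/etc/tor/torrc").read())` on the gateway; a listener missing from the output has no SocksPort line at all, which is a different problem from having the wrong flags.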

  34. An easier way to configure the updatevm setting (dom0 -> right click -> VM settings) is a pending feature request:
    https://github.com/QubesOS/qubes-issues/issues/1165
  35. Or by cli:
    qubes-prefs --get updatevm
    
    qubes-prefs --set updatevm sys-whonix
    
  36. This will not be perfectly stream isolated: DNS might go through Tor's TransPort. If this matters to you, you could theoretically do the following (UNTESTED):
    • Install an HTTP-to-SOCKS converter (such as polipo) listening on 127.0.0.1:8118 and forwarding to <Whonix-Gateway IP>:9102.
    • Apply the following setting every time you restart Icedove:
    Icedove -> Enigmail (from menu bar) -> Preferences -> Display Expert Settings and Menus -> Advanced -> Additional Parameters -> replace http-proxy=http://127.0.0.1:8118 with socks5://<Whonix-Gateway IP>:9102 -> OK
  37. https://github.com/Whonix/tb-updater
  38. Tor Browser
  39. --no-install-recommends is used to prevent installing tb-starter and tb-default-browser.
  40. Because that is set to /var/lib/tor for user debian-tor.
  41. https://lists.gnu.org/archive/html/savannah-hackers-public/2013-09/msg00015.html
    • OnionHosting (DOWN)
      • Price: 5 BTC for "lifetime" access.
      • Seemed like a legit service; the administrator had been hosting many services in onionland for a long time. (Turns out this wasn't true.)
      • We don't have 5 BTC to open an account. (Written a long time before bitcoin skyrocketed.)
    • torhost (DOWN)
      • I don't know how long it will stay up.
      • I have a sponsored account, which has the same features as the fairly paid account.
  42. To improve this situation, if you are using OpenVPN and Debian's init script to start it automatically, add an insserv override so that Tor waits for OpenVPN to be started. 1. Create a new file /etc/insserv/overrides/tor: open /etc/insserv/overrides/tor in an editor with root rights.

    If you are using a graphical Whonix or Qubes-Whonix, run:

    kdesudo kwrite /etc/insserv/overrides/tor

    If you are using a terminal-only Whonix, run:

    sudo nano /etc/insserv/overrides/tor

    2. Add the following content (the Should-Start line is what makes Tor wait for openvpn):

    ### BEGIN INIT INFO
    # Provides:          tor
    # Required-Start:    $local_fs $remote_fs $network $named $time
    # Required-Stop:     $local_fs $remote_fs $network $named $time
    # Should-Start:      $syslog openvpn
    # Should-Stop:       $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Starts The Onion Router daemon processes
    # Description:       Start The Onion Router, a TCP overlay
    #                    network client that provides anonymous
    #                    transport.
    ### END INIT INFO
    

    3. Apply these changes by running:

    sudo update-rc.d tor defaults

  43. Since Whonix 10.
  44. Was the default up to Whonix 9.
  45. Possibly install packages. This would have to happen much earlier, before the Whonix firewall rules are changed, because afterwards Tor-only apt no longer works. Update the package lists.
    sudo apt-get update
    

    Install resolvconf, since it is used by /etc/openvpn/update-resolv-conf. It probably should not be installed by default, since Whonix generally does not need it and it may introduce new issues.

    sudo apt-get install resolvconf
    

    Possibly /etc/openvpn/openvpn.conf changes.

    up "/usr/bin/sudo script_type=up dev=tun0 /etc/openvpn/update-resolv-conf"
    down "/usr/bin/sudo script_type=down dev=tun0 /etc/openvpn/update-resolv-conf"
    

    Possibly /etc/sudoers.d/tunnel_unpriv additions. (Caveat: update-resolv-conf also reads the foreign_option_* variables OpenVPN exports for the pushed DNS servers; when the script runs through sudo like this, those would need to be passed through as well, otherwise sudo's environment reset drops them.)

    tunnel ALL=(ALL) NOPASSWD: /etc/openvpn/update-resolv-conf *
    Defaults:tunnel env_keep += script_type
    Defaults:tunnel env_keep += dev
    
  46. Flashproxy has been removed from TBB. Therefore it can be considered deprecated.
  47. Will be installed by default in Whonix 13 and above:
    https://forums.whonix.org/t/ideas-topics-related-to-chaining-pluggable-transports/348/8
  48. Source:
    /usr/share/doc/flashproxy-client/torrc
