Outdated, Deprecated, Archived Whonix ™ Documentation.

From Whonix
Jump to navigation Jump to search

One VM Whonix ™ Configuration[edit]

Ambox warning pn.svg.png Warning: The one VM Whonix ™ configuration has been deprecated because there is no contributor. Use at your own risk!

This platform was developed and tested successfully for Whonix ™ v0.1.3.

Basically, it is possible to use one VM instead of two, with Tor running on the host OS and a single client VM routing activities via Tor. This configuration has several advantages and disadvantages relating to security and other matters. For further information, see OneVM.

lightdm[edit]

[1]

Debugging lightdm[edit]

Configure systemd to start lightdm in debug mode[edit]

1. Make sure folder /lib/systemd/system/lightdm.service.d exists.

sudo mkdir -p /lib/systemd/system/lightdm.service.d

2. Create a file /lib/systemd/system/lightdm.service.d/40_debug-misc.conf. [2]

3. Open file /lib/systemd/system/lightdm.service.d/40_debug-misc.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /lib/systemd/system/lightdm.service.d/40_debug-misc.conf

4. Paste the following contents. [3]

[Service] ExecStart= ExecStart=/usr/sbin/lightdm --debug

Save.

Debug[edit]

Use lightdm restart method or reboot method.

lightdm restart method[edit]

1. Switch to another virtual console.

2. Stop lightdm.

sudo systemctl stop lightdm

3. Restart lightdm.

sudo systemctl restart lightdm

4. Check lightdm log.

Check Systemd Journal Log of Current Boot for lightdm.

For convenient reading of the log, it can be dumped to file. For example, the following command would write the log to file ~/lightdm-log.

sudo journalctl -b -u lightdm > ~/lightdm-log

reboot method[edit]

Alternatively it is possible to reboot, but first you need to Enable Persistent Systemd Journal Log.

Check Systemd Journal Log of Previous Boot

sudo journalctl -b -1 -u lightdm

httpsdnsd by JonDos[edit]

Introduction[edit]

Source: anonymous-proxy-servers.net and also use it as a more verbose tutorial, but keep in mind that their tutorial is JonDonym specific, while this tutorial is Tor specific.

These instructions have not been tested for years. There might be no reasons to use these instructions. Above DNSCrypt might do everything that is required.

Installation[edit]

Everything inside your Whonix-Workstation ™.

Install dependencies.

sudo apt install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl

Download httpsdnsd. (See source above in case download link changed.)

scurl --remote-name https://anonymous-proxy-servers.net/downloads/httpsdnsd.tar.bz2

Or manually run curl with these parameters. [4]

curl --tlsv1.3 --proto =https --remote-name https://anonymous-proxy-servers.net/downloads/httpsdnsd.tar.bz2


Unpack. 

.

Go into the httpsdnsd folder.

cd httpsdnsd

Install httpsdnsd. [5]

sudo install.sh

Add a new user for httpsdnsd.

sudo adduser --system --disabled-password --group httpsdns_daemon

Editing /etc/resolv.conf is not required. (You still could out comment everything against DNS leaks.)

Create a firewall script.

nano dns-fw.sh

Insert these firewall rules.

# Flush old rules iptables -F iptables -t nat -F iptables -X # Redirect DNS traffic to httpdnsd. iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 53 -j REDIRECT --to-ports 4053 # Accept connections to the httpdnsd. iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 4053 -j ACCEPT # Reject all other traffic for anonuser. iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT

Install Privoxy. [6]

sudo apt install privoxy

Open the privoxy configuration file.

nano /etc/privoxy/config

Add the following to your privoxy configuration file.

# Theoretically you can tunnel through any # http or socks proxy. Local or remote proxy. # Inside Whonix-Workstation ™, due to design, # everything will be tunneled through Tor first. # Using Tor's socks5 proxy, running on Whonix-Gateway ™. # Change the port, see above... forward-socks5 / 10.152.152.10:9112 . # Another example using a http proxy. # (In this case, JonDo running on localhost.) # forward / 127.0.0.1:4001

Restart privoxy to enable the changes.

sudo /etc/init.d/privoxy restart

Privoxy is now listening on 127.0.0.1:8118. [7]

Starting[edit]

Run httpsdnsd. [8] [9] [10] [11]

sudo httpsdnsd --https_proxy_port=8118 --runasdaemon

Activate the firewall. Shouldn't show any errors.

sudo ./dns-fw.sh

Using[edit]

Open a console and switch to anonuser.

su anonuser

Resolve DNS.

nslookup check.torproject.org


History[edit]

Cleared this wiki page. Still available in wiki history:

https://www.whonix.org/w/index.php?title=Deprecated&oldid=69089

Reason:

https://forums.whonix.org/t/long-wiki-edits-thread/3477/2158

monero-wallet-ws VM Setup[edit]

Data vchan connection failed anon-ws-disable-stacked-tor socat-unix-sockets runs under user debian-tor but would need to run as root for this.

Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws).

1. Create folder /usr/local/lib/systemd/system/.

sudo mkdir -p /usr/local/etc/anon-ws-disable-stacked-tor.d/

2. Create file /usr/local/etc/anon-ws-disable-stacked-tor.d/50_user.conf.

Open file /usr/local/etc/anon-ws-disable-stacked-tor.d/50_user.conf in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run.

mousepad /usr/local/etc/anon-ws-disable-stacked-tor.d/50_user.conf

If you are using a terminal, run.

nano /usr/local/etc/anon-ws-disable-stacked-tor.d/50_user.conf

3. Paste the following contents.

socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod" &

4. Save.

5. Restart anon-ws-disable-stacked-tor systemd system instance.

sudo systemctl restart anon-ws-disable-stacked-tor

6. Done.

Automatically starting the socat process has been completed.

Xfce Disable Autologin[edit]

For lightdm display manager.

Not very useful inside VMs, see also Login Screen.

[12]

sudo rm -f /etc/lightdm/lightdm.conf.d/whonix.conf

[12]

sudo rm -f /etc/lightdm/lightdm.conf.d/whonix-autologin.conf

[13]

sudo rm -f /etc/lightdm/lightdm.conf.d/30_autologin.conf

  1. Example debug log 
    sudo journalctl -b -u lightdm -o cat
Condition check resulted in Light Display Manager being skipped.
Starting Light Display Manager...
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.26.0, UID=0 PID=933
[+0.00s] DEBUG: Loading configuration dirs from /usr/share/lightdm/lightdm.conf.d
[+0.00s] DEBUG: Loading configuration from /usr/share/lightdm/lightdm.conf.d/01_debian.conf
[+0.00s] DEBUG: Loading configuration dirs from /usr/local/share/lightdm/lightdm.conf.d
[+0.00s] DEBUG: Loading configuration dirs from /etc/xdg/lightdm/lightdm.conf.d
[+0.00s] DEBUG: Loading configuration from /etc/lightdm/lightdm.conf.d/autologin.conf
[+0.00s] DEBUG: Loading configuration from /etc/lightdm/lightdm.conf.d/whonix-autologin.conf
[+0.00s] DEBUG:   [SeatDefaults] is now called [Seat:*], please update this configuration
[+0.00s] DEBUG: Loading configuration from /etc/lightdm/lightdm.conf
[+0.00s] DEBUG: Registered seat module local
[+0.00s] DEBUG: Registered seat module xremote
[+0.00s] DEBUG: Registered seat module unity
[+0.00s] DEBUG: Using D-Bus name org.freedesktop.DisplayManager
[+0.01s] DEBUG: Monitoring logind for seats
[+0.01s] DEBUG: New seat added from logind: seat0
[+0.01s] DEBUG: Seat seat0: Loading properties from config section Seat:*
[+0.01s] DEBUG: Seat seat0: Starting
[+0.01s] DEBUG: Seat seat0: Creating user session
[+0.01s] WARNING: Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .ser
[+0.01s] DEBUG: Loading user config from /etc/lightdm/users.conf
[+0.01s] DEBUG: User user added
[+0.01s] DEBUG: Seat seat0: Creating display server of type x
[+0.01s] DEBUG: posix_spawn avoided (fd close requested)
[+0.02s] DEBUG: Could not run plymouth --ping: Failed to execute child process ?plymouth? (No such file or directory)
[+0.02s] DEBUG: Using VT 7
[+0.02s] DEBUG: Seat seat0: Starting local X display on VT 7
[+0.02s] DEBUG: XServer 0: Logging to /var/log/lightdm/x-0.log
[+0.02s] DEBUG: XServer 0: Writing X server authority to /var/run/lightdm/root/:0
[+0.02s] DEBUG: XServer 0: Launching X Server
[+0.02s] DEBUG: Launching process 941: /usr/bin/X :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
[+0.02s] DEBUG: XServer 0: Waiting for ready signal from X server :0
[+0.02s] DEBUG: Acquired bus name org.freedesktop.DisplayManager
[+0.02s] DEBUG: Registering seat with bus path /org/freedesktop/DisplayManager/Seat0
Started Light Display Manager.
[+0.98s] DEBUG: Got signal 10 from process 941
[+0.98s] DEBUG: XServer 0: Got signal from X server :0
[+0.98s] DEBUG: XServer 0: Connecting to XServer :0
[+0.99s] DEBUG: posix_spawn avoided (fd close requested) (child_setup specified)
[+0.99s] DEBUG: Seat seat0: Display server ready, starting session authentication
[+0.99s] DEBUG: Session pid=970: Started with service 'lightdm-autologin', username 'user'
Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files
[+1.01s] DEBUG: Session pid=970: Authentication complete with return value 0: Success
[+1.01s] DEBUG: Seat seat0: Session authenticated, running command
[+1.01s] DEBUG: Registering session with bus path /org/freedesktop/DisplayManager/Session0
[+1.01s] DEBUG: posix_spawn avoided (fd close requested) (child_setup specified)
[+1.02s] DEBUG: Session pid=970: Running command /etc/X11/Xsession startxfce4
[+1.02s] DEBUG: Creating shared data directory /var/lib/lightdm/data/user
[+1.02s] DEBUG: Session pid=970: Logging to .xsession-errors
pam_unix(lightdm-autologin:session): session opened for user user by (uid=0)
pam_exec(lightdm-autologin:session): Calling /usr/libexec/security-misc/permission-lockdown ...
[+1.23s] DEBUG: Activating VT 7
[+1.23s] DEBUG: Activating login1 session 1
[+1.23s] DEBUG: Seat seat0 changes active session to 1
[+1.23s] DEBUG: Session 1 is already active
[+839.74s] DEBUG: Seat seat0 changes active session to
[+842.35s] DEBUG: Seat seat0 changes active session to 3
[+852.02s] DEBUG: Got signal 15 from process 1
[+852.02s] DEBUG: Caught Terminated signal, shutting down
[+852.02s] DEBUG: Stopping display manager
[+852.02s] DEBUG: Seat seat0: Stopping
[+852.02s] DEBUG: Seat seat0: Stopping display server
[+852.02s] DEBUG: Sending signal 15 to process 941
[+852.02s] DEBUG: Seat seat0: Stopping session
[+852.02s] DEBUG: Terminating login1 session 1
Stopping Light Display Manager...
[+852.05s] DEBUG: Session pid=970: Sending SIGTERM
[+852.05s] DEBUG: Session pid=970: Exited with return value 0
[+852.05s] DEBUG: Seat seat0: Session stopped
[+852.05s] DEBUG: Process 941 exited with return value 0
[+852.05s] DEBUG: XServer 0: X server stopped
[+852.05s] DEBUG: Releasing VT 7
[+852.05s] DEBUG: XServer 0: Removing X server authority /var/run/lightdm/root/:0
[+852.05s] DEBUG: Seat seat0: Display server stopped
[+852.05s] DEBUG: Seat seat0: Stopped
[+852.05s] DEBUG: Display manager stopped
[+852.05s] DEBUG: Stopping daemon
[+852.05s] DEBUG: Exiting with return value 0
lightdm.service: Succeeded.
Stopped Light Display Manager.
  2. echo " [Service] ExecStart= ExecStart=/usr/sbin/lightdm --debug " | sudo tee /lib/systemd/system/lightdm.service.d/40_debug-misc.conf
  3. ExecStart= is required to clear the original ExecStart= so it can be overwritten by ExecStart=/usr/sbin/lightdm --debug.
  4. This has the same effect as the scurl command above.
  5. It contains also a uninstall.sh, if you want to uninstall it later.
  6. torproject.org Wiki Version 95 of this site contains a working example using Polipo. Changed later to Privoxy, because Privoxy can be useful for other tasks as well. (Incoming: TransPort, http proxy; forwarding: http and socks.)
  7. For debugging you can enter this IP/port into Tor Browser as http proxy and try if you can still reach check.torproject.org. Deactivate after testing.
  8. For debugging, kill httpsdnsd and drop the --runasdaemon.
  9. Run httpsdnsd --help or man httpsdnsd for help.
  10. Httpsdnsd will by default listen on localhost port 4053 for DNS queries.
  11. --https_proxy_port=8118 will redirect traffic to port 8118, where Privoxy is listening. This is necessary because Tor offers a socks proxy and httpsdnsd requires a http proxy. Privoxy translates from http to socks.
  12. 12.0 12.1 legacy
Retrieved from "https://www.whonix.org/w/index.php?title=Deprecated&oldid=83460"