Dev/Dante

From Whonix

Debugging Dante. Used in the context of Template:Tor_Browser_Remove_Proxy_Settings.

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

General Connectivity Test

1. Check if TCP is functional.

  • without DNS:
    • The following command uses the IP address 116.202.120.181.
    • UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proto =https -H 'Host: check.torproject.org' -k https://116.202.120.181/api/ip

2. Check if DNS + TCP is functional.

  • with DNS:
    • The following command uses the hostname check.torproject.org.
    • UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proto =https https://check.torproject.org/api/ip

Dante Connectivity Test

1. Check the Dante SOCKS server without authentication using curl (the non-uwt version).

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proto =https --proxy socks5h://127.0.0.1:9150 https://check.torproject.org/api/ip

2. Check the Dante SOCKS server with authentication using curl (the non-uwt version).

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proto =https --proxy socks5h://x:y@127.0.0.1:9150 https://check.torproject.org/api/ip

Both commands work. curl appears to negotiate the SOCKS authentication method "none" even when it is given a SOCKS username and password.

DNS

/etc/resolv.conf

This may or may not be an issue.

/etc/resolv.conf in vpn-ed-anon-whonix might require the same DNS settings as /etc/resolv.conf in sys-vpn (the Qubes VPN-Gateway).

1. Look at /etc/resolv.conf in sys-vpn.

2. Use the same config for /etc/resolv.conf in vpn-ed-whonix-gw-16 Template.

Tor Browser Error Messages

Hmm. We’re having trouble finding that site.

This message indicates broken DNS.

Dante

Check Dante Log for DNS Issues

sudo journalctl -u danted | grep -i DNS-resolve

Why is a Modification of Dante required?

Tor Browser, however, does not seem to negotiate the authentication method at the SOCKS protocol level: it offers only username/password authentication (method 0x2), so a Dante configured with socksmethod: none has no method in common with it and rejects the connection. This can be seen in the Dante debug log:

sudo journalctl -f --output cat | grep --invert-match kernel

Sep 25 22:35:49 (1664145349.839004) danted[5755]: debug: recv_clientrequest(): initiating negotiation with client at 127.0.0.1.47726 which connected to us on 127.0.0.1.9150
Sep 25 22:35:49 (1664145349.839025) danted[5755]: debug: recv_methods(): client 127.0.0.1.47726 offered 1 authentication method: 0x2 (username)
Sep 25 22:35:49 (1664145349.839029) danted[5755]: debug: recv_methods(): socksmethod to use not set, selecting amongst the following 1 method: none
Sep 25 22:35:49 (1664145349.839031) danted[5755]: debug: recv_methods(): sending authentication reply: VER: 5 METHOD: 255 (<no acceptable method>)
Sep 25 22:35:49 (1664145349.839092) danted[5755]: debug: run_negotiate(): recv_clientrequest() from client 127.0.0.1.47726 returned 1, errno is 0 (no error)

When Dante is instead configured with socksmethod: none username, the log shows:

Sep 25 22:44:38 (1664145878.640687) danted[7218]: debug: accesscheck(): no match for authentication: could not access user "torproject.org"'s records in the system password file: no system error

Tor Browser does not seem to fall back to using no SOCKS user name. While Dante would allow using the SOCKS proxy without authentication, Dante still rejects Tor Browser because Tor Browser unnecessarily attempts to set a SOCKS user name (which Dante's username method then looks up in the system password file, where it does not exist).

(Tor Browser by default sets the top level domain name as socks user name for the purpose of stream isolation (IsolateSOCKSAuth).)
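The following is an added example, not code from Whonix or Dante, that replays the SOCKS5 method negotiation described above. It models a server that picks the first method on its socksmethod line that the client offered (which is how the log lines read), lets you reproduce the Tor Browser-versus-curl difference in-process, and includes a probe that sends only the greeting to a live SOCKS server such as Dante on 127.0.0.1:9150 (the host, port and the assumption that curl offers 0x00 alongside 0x02 are assumptions here, not taken from the page).

```python
"""SOCKS5 authentication-method negotiation (RFC 1928 section 3)."""
import socket

SOCKS_VERSION = 0x05
METHOD_NONE = 0x00      # Dante "socksmethod: none"
METHOD_USERPASS = 0x02  # Dante "socksmethod: username" (RFC 1929)
NO_ACCEPTABLE = 0xFF
METHOD_NAMES = {METHOD_NONE: "none", METHOD_USERPASS: "username",
                NO_ACCEPTABLE: "<no acceptable method>"}

def build_greeting(methods):
    """Client greeting VER, NMETHODS, METHODS...; Tor Browser offers only
    0x02, while curl (assumed here) offers 0x00 alongside 0x02."""
    if not 0 < len(methods) < 256:
        raise ValueError("SOCKS5 allows 1..255 offered methods")
    return bytes([SOCKS_VERSION, len(methods), *methods])

def parse_method_reply(data):
    """Server reply VER, METHOD; 0xFF means the client must disconnect."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 method reply: %r" % (data,))
    return data[1]

def server_select(offered, configured):
    """Modelled server choice (as Dante's recv_methods() logs it): the
    first method on its socksmethod line that the client offered, else 0xFF."""
    return next((m for m in configured if m in offered), NO_ACCEPTABLE)

def simulate(offered, configured):
    """Replay the exchange in-process against a mock server whose
    socksmethod list is `configured`; returns the selected method."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(build_greeting(offered))
        ver, count = server.recv(2, socket.MSG_WAITALL)
        wanted = list(server.recv(count, socket.MSG_WAITALL))
        server.sendall(bytes([ver, server_select(wanted, configured)]))
        return parse_method_reply(client.recv(2, socket.MSG_WAITALL))

def probe(host="127.0.0.1", port=9150, methods=(METHOD_USERPASS,)):
    """Send only the greeting to a live SOCKS server and name its choice;
    no CONNECT request follows, so nothing is proxied through it."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_greeting(methods))
        chosen = parse_method_reply(sock.recv(2, socket.MSG_WAITALL))
    return METHOD_NAMES.get(chosen, "0x%02x" % chosen)
```

Running simulate([0x02], [0x00]) reproduces the "METHOD: 255" reply from the log, and probe() against a running Dante shows which method it actually selects for a Tor Browser-style greeting.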
