This page documents the differences between Debian and Whonix related to networking.

Debian installer and or various desktop environments (GNOME etc.) might be using systemd-networkd and/or network manager (GUI) to set up networking. This might differ depending on Debian flavors and/or Debian installer options.

The Debian base config assumed in this developer documentation is build-steps.d/*_create-raw-image our minimal (grml-)debootstrap created Debian image. These don’t come with any network configuration at all. Using our minimal base image would have no networking configuration to begin with.

Someone who wanted to build Whonix manually and from scratch would have to start with a minimal base Debian image. Not with for example a Debian LXQt installed with Debian installer DVD since that already comes with functional/different network configuration.

This page is manually written but contains auto generated code documentation from this wiki template.

Template:Dev/Project Networking

Do not bother editing anything below since these would be lost next time these are re-generated. Instead, modify the comments in Whonix source code on github.

https://forums.whonix.org/t/whonix-networking-implementation-developer-documentation-feedback-wanted/8274

• https://github.com/Whonix/anon-gw-anonymizer-config
• debian/control

Tor config file with distribution defaults (for stream isolation, etc.), example user configurations and other tweaks required. The Tor binary itself does not get modified.

Deactivates IPv4 forwarding using /etc/sysctl.d/ IPv4 forwarding is not required for a Tor based Anonymity Distribution Gateways. Deactivating it as defense in depth to prevent leaks.

Deactivates IPv6 using /etc/sysctl.d/ There are no IPv6 Anonymity Distribution Gateways featuring an IPv6 firewall yet. Therefore deactivating it to prevent leaks.

This package is produced independently of, and carries no guarantee from, The Tor Project.

• /etc/torrc.d/60_network.conf
• gateway only

Update: Tor is enabled by default nowadays. https://forums.whonix.org/t/connect-to-public-tor-network-by-default-avoid-anon-connection-wizard-acw-popup-at-first-boot/17848

Tor is disabled by default. Users are supposed to enable Tor through setup-dist which would create file /usr/local/etc/torrc.d/40_tor_control_panel.conf with "DisableNetwork 0" or by removing the hash ('#') in front of "DisableNetwork 0" in /usr/local/etc/torrc.d/40_tor_control_panel.conf

• #DisableNetwork 1

• DormantTimeoutEnabled 0

• VirtualAddrNetworkIPv4 10.192.0.0/10
• VirtualAddrNetworkIPv6 [fc00::]/7
• AutomapHostsOnResolve 1

• ClientUseIPv6 1
• ClientUseIPv4 1

• Log notice file /run/tor/log

• /etc/torrc.d/65_gateway.conf
• gateway only

Tor settings for Gateway: `ClientOnionAuthDir`, `SocksPort`s, `TransPort`, `DnsPort`, `HTTPTunnelPort`s and stream isolation settings.

• /usr/share/tor/tor-service-defaults-torrc.anondist.base
• gateway only

Tor settings for Workstation: `SocksPort`s, `TransPort`, `DnsPort`, `HTTPTunnelPort`s and stream isolation settings. IP HARDCODED unfortunately.

• https://github.com/Whonix/whonix-gw-network-conf
• debian/control

Includes etc/network/interfaces.d/30_non-qubes-whonix for Non-Qubes-Whonix-Gateway.

Sets up two network interfaces, an external one eth0 and an internal one eth1.

Provides /usr/share/whonix-gw-network-conf/network_internal_ip.txt.

DNS configuration Anonymity Linux Distribution Gateways

• Pointing /etc/resolv.conf to 127.0.0.1.
• Whether a Anonymity Linux Distribution Gateway supports system DNS for its

own traffic in the clear or anonymized mainly depends on the Gateway's firewall.

• Routing the workstation's system DNS through the anonymizer (also known as

Transparent DNS Proxy) or not is up to the Gateway's firewall as well.

• /debian/whonix-gw-network-conf.triggers
• gateway only
• Non-Qubes-Whonix only

Required for /etc/systemd/network/99-default.link to take effect as per 'zless /usr/share/doc/udev/README.Debian.gz'.

• activate-noawait update-initramfs

• /debian/whonix-gw-network-conf.links
• gateway only
• Non-Qubes-Whonix only

Disable Predictable Network Interface Names as these are problematic. https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4 Disabling them as per 'zless /usr/share/doc/udev/README.Debian.gz'.

• /dev/null /etc/systemd/network/99-default.link

• /etc/resolv.conf.whonix
• gateway only

No DNS configuration. Only comments. Whonix-Gateway by default does not have system default DNS. See https://www.whonix.org/wiki/Whonix-Gateway_Own_Traffic_Transparent_Proxy and footnotes.

• /etc/network/interfaces.d/30_non-qubes-whonix
• gateway only
• Non-Qubes-Whonix only

network interfaces configuration eth0 (external network interface) and eth1 (internal network interface)

static network configuration

IP HARDCODED below but comment only. No need to change. eth0

• #address 10.0.2.15
• #netmask 255.255.255.0
• #gateway 10.0.2.2

eth1

• #address 10.152.152.10
• #netmask 255.255.192.0

• /usr/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf
• gateway only
• Non-Qubes-Whonix only

onion-grater systemd unit file extension

Run /usr/lib/onion-grater-merger as root to avoid permission conflicts. ExecStartPre=+/usr/lib/onion-grater-merger

Reconfigure onion-grater to listen on network interface eth1.

• https://github.com/Whonix/anon-apps-config
• debian/control

Most settings take effect for newly created user account onlys, and not for existing user accounts.

Sets timezone to UTC.

Enables Menubar in Dolphin by default.

gnupg configuration for Anonymity Distributions:

• Sets `use-tor` in `/etc/skel/.gnupg/dirmngr.conf`.
• Ships Thunderbird torbirdy configuration file

`/etc/thunderbird/pref/30_whonix.js` that allows torified keyserver access.

• Deactivates KGpg's first run wizard. Disables tip of the day.

Disables KGpg's systray. Disables key server. Reference: "High-risk users should stop using the keyserver network immediately."

Double click instead of single click in KDE.

Deactivates maximize windows when moved to the top. In context of anonymity it might be better not to maximize the browser window (https://trac.torproject.org/projects/tor/ticket/7255). To prevent users from accidentally maximizing their browser window, it is better when KDE's feature to maximize windows when moved to the top is disabled.

Deactivates KDE's system sounds.

Disables KDE graphics effects. Disables some background processes.

Stream Isolation (proxy) settings for KDE apps for Anonymity Distributions Configures global proxy settings, which acts as a fallback if no other proxy settings are set, for KDE applications to socks 10.152.152.10:9122. IP HARDCODED above but no need to change since it is description only. Otherwise unconfigured KDE applications would use no proxy settings (Transparent Proxying) if the anonymity distribution features a transparent proxy. Useful to improve stream isolation. On the other hand, anonymity distributions not featuring transparent proxying should probably not install this package by default, because then unconfigured KDE applications should by default not be able to connect.

Sets Unlimited Scrollback in Konsole.

Disables klipper clipboard history.

Deactivates automatic updates for Package Manager APT and Apper Useful in context of networks with limited traffic quota, slow networks and anonymity distributions. In latter case, the default automatic updates interval would be too predictable (expectable amount of traffic every X), thus eventually be vulnerable for traffic fingerprinting. Disabling Apper automatic updates only takes effect for newly created user accounts. Not for existing user accounts. This is most useful to help Linux distribution maintainers setting divergent defaults.

Longer Timeouts for Package Manager APT Raising timeout and retries using configuration snippet. Useful in context of slow networks and anonymity distributions.

Ships a configuration file /etc/apt/apt.conf.d/90longer-timeouts to configure apt-get.

Ships a configuration file /etc/skel/.config/vlc/vlcrc to configure VLC to not ask for network policy at start. https://forums.whonix.org/t/disable-vlc-metadata-collection-by-default/18674

Disabled gajim update manager by default for better security since it does not verify software signatures by hiding file /usr/share/gajim/plugins/plugin_installer/__init__.py using 'config-package-dev' 'hide'.

Disables systemd-resolved during boot unless file /etc/dns-enable exists.

Disables systemd-resolved fallback DNS (which by default is set to Google).

Removes capabilities from `/bin/ping` if [security-misc](https://github.com/Whonix/security-misc) is installed as ping doesn't work with Tor anyway and its capabilities are just unneeded attack surface.

Create a dummy Tor binary '/home/user/.local/share/Bisq/btc_mainnet/tor/tor' to avoid Tor over Tor.

Improves HexChat Privacy Settings

• As per:

https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/XChat

• Moves the following files:

- `/usr/lib/xchat/plugins/python.so` - `/usr/lib/xchat/plugins/tcl.so` - `/usr/lib/xchat/plugins/perl.so` to `/usr/share/anon-apps-config`, so these plugins get disabled by default.

Due to technical limitations some settings only take effect for applications being started for the very first time, i.e. when the user config of that application in the user's home folder does not exist yet. Works best for new user accounts.

This package is most useful to help Linux distribution maintainers setting divergent defaults.

• /etc/skel/.config/hexchat/hexchat.conf

settings.

• /etc/skel/.xchat2/xchat.conf

settings.

• /etc/apt/apt.conf.d/90longer-timeouts

longer APT timeouts and more retires

• /usr/share/anon-apps-config/ksmserverrc

disable session saving https://forums.whonix.org/t/kdesudo-error-popup-window-sdwdate-gui

• loginMode=default

• /usr/share/anon-apps-config/kioslaverc

KDE stream isolation settings.

• [Proxy Settings]
• NoProxyFor=127.0.0.1
• ProxyType=1
• ReversedException=false

IP HARDCODED

• socksProxy=http://10.152.152.10 9122

• /usr/lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf

Disable systemd-resolved unless file /etc/dns-enable exists.

• /usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf

do not default to using Google nameservers https://phabricator.whonix.org/T793 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658#216 https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html https://forums.whonix.org/t/os-generated-network-traffic

• [Resolve]
• FallbackDNS=

• https://github.com/Whonix/anon-ws-disable-stacked-tor
• debian/control

Supposed to be installed on Workstations, which prevents installing the real Tor package from upstream (ex: Debian, The Tor Project) APT repositories. Its purpose is to prevent, running Tor over Tor.

It allows installation of packages, which depend on Tor, such as TorChat, parcimonie and torbrowser-launcher.

This package uses the "Provides: tor" field[1], which should avoid any kinds of conflicts, in case upstream releases a higher version of Tor. This won't work for packages, which depend on an explicit version of Tor (such as TorChat). This is non-ideal, since for example the torchat package will install Tor, but still acceptable, because of the following additional implementations.

Binaries eventually installed (by the tor Debian package) /usr/bin/tor as well as /usr/sbin/tor are replaced with a dummy wrapper that does nothing (dpkg-diverted using config-package-dev).

systemd-socket-proxyd listens on Tor's default ports. system Tor's 127.0.0.1:9050, 127.0.0.1:9051 and TBB's 127.0.0.1:9150, 127.0.0.1:9051, which prevents the default Tor Browser Bundle or Tor package by The Tor Project from opening these default ports, which will result in Tor failing to open its listening port and therefore exiting, thus preventing Tor over Tor.

See also:

• https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor
• https://tor.stackexchange.com/questions/427/is-running-tor-over-tor-dangerous

[1] See "7.5 Virtual packages - Provides" on http://www.debian.org/doc/debian-policy/ch-relationships.html

This package is produced independently of, and carries no guarantee from, The Tor Project.

• /debian/anon-ws-disable-stacked-tor.postinst
• workstation only

/etc/X11/Xsession.d/ hook to source /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh

Add account "user" to the group "debian-tor", so account "user" can access Tor's control port. Account "user" already exists thanks to the dist-base-files package.

• adduser --quiet user debian-tor

• /debian/anon-ws-disable-stacked-tor.displace
• workstation only

config-package-dev displace the following files:

• /etc/default/tor.anondist
• /usr/bin/tor.anondist
• /usr/sbin/tor.anondist

• /etc/rsyslog.d/anon-ws-disable-stacked-tor.conf
• workstation only

rsyslog configuration drop-in snippet

No longer required since no longer using rinetd.

Workaround for: 'rinetd fills up the logs until disk is full up if it cannot bind' http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796235

• :msg, contains, "accept(0): Socket operation on non-socket" stop

• /etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf
• workstation only

systemd-unit-files-generator and socat-unix-sockets configuration examples.

• /etc/profile.d/20_torbrowser.sh
• workstation only

/etc/profile.d hook to source /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh

• /usr/sbin/tor.anondist
• workstation only

/usr/sbin/tor simply executes /usr/bin/tor.

• /usr/libexec/anon-ws-disable-stacked-tor/systemd-unit-files-generator
• workstation only

Generates systemd unit files in /usr/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_* which listen on common local ports used by popular Tor applications such as Tor Browser.

Redirect Whonix-Workstation port 9050 to Whonix-Gateway port 9050 and so forth.

Create a unix domain socket files such as /run/anon-ws-disable-stacked-tor/127.0.0.1_9050.sock and forward those to $GATEWAY_IP:9150 etc. See also: https://phabricator.whonix.org/T192

system Tor default SocksSocket is /run/tor/socks redirect Whonix-Workstation unix domain socket file /run/tor/socks to Whonix-Gateway port 9050

Debian /usr/share/tor/tor-service-defaults-torrc uses '/run/tor/control' Tor ControlSocket Redirect Whonix-Workstation unix domain socket file /run/tor/control to Whonix-Gateway port 9051

• /usr/libexec/anon-ws-disable-stacked-tor/state-files
• workstation only

Emulates Tor by copying and chmodding the correct state files such as /run/tor/control.authcookie.

• /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh
• workstation only

Environment variables for Tor Browser integration.

Prevents Tor over Tor.

Deactivate tor-launcher, a Vidalia replacement as browser extension, to prevent running Tor over Tor. https://trac.torproject.org/projects/tor/ticket/6009 https://gitweb.torproject.org/tor-launcher.git

• export TOR_SKIP_LAUNCH=1

tor-launcher is deactivated above but the following is required to avoid "Firefox is offline" messages in Tor Browser 10.5a17 and above. https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27476 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40455 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40433 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/34345

• export TOR_USE_LEGACY_LAUNCHER=1

The following TOR_SOCKS_HOST and TOR_SOCKS_PORT variables do not work flawlessly, due to an upstream bug in Tor Button:

  "TOR_SOCKS_HOST, TOR_SOCKS_PORT regression"
  https://trac.torproject.org/projects/tor/ticket/8336

(As an alternative,

  /home/user/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

could be used.) Fortunately, this is not required for Whonix by default anymore, because systemd-socket-proxyd is configured to redirect Whonix-Workstation ports IP HARDCODED but no need to change since comment only. 127.0.0.1:9050 to Whonix-Gateway 10.152.152.10:9050 127.0.0.1:9051 to Whonix-Gateway 10.152.152.10:9051 127.0.0.1:9150 to Whonix-Gateway 10.152.152.10:9150 127.0.0.1:9151 to Whonix-Gateway 10.152.152.10:9151

• #export TOR_SOCKS_HOST="10.152.152.10"
• #export TOR_SOCKS_PORT="9150"
• #export TOR_CONTROL_HOST="127.0.0.1"
• #export TOR_CONTROL_PORT="9151"

this is to satisfy Tor Button just filled up with anything

• #export TOR_CONTROL_PASSWD='"password"'

We are not using TOR_TRANSPROXY=1 because that would break Tor Browser's per tab stream isolation. (Tor Browser talks to a Tor SocksPort and sets a socks user name and Tor is using IsolateSOCKSAuth by Tor default.)

• #export TOR_TRANSPROXY=1

Environment variable to configure Tor Browser to use a pre existing unix domain socket file instead of creating its own one to avoid Tor over Tor and to keep it being able to connect. systemd-socket-proxyd is being used for creation of unix domain socket file /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock and forwarding it to to Whonix-Gateway port 9150. https://phabricator.whonix.org/T192 https://trac.torproject.org/projects/tor/ticket/20111#comment:5 TODO: IPv6 - Networking and IPv6 might not be available when this runs. TODO: IPv6 - Needs testing.

• # if awk '{print $3}')" =~ inet6 ; then
• # export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/::1_9150.sock"
• # export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/::1_9151.sock"
• # else
• # export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
• # export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"
• # fi

Using simpler, known stable implementation. TODO: Remove this if implementing the above.

• export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
• export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"

environment variable to skip TorButton control port verification https://trac.torproject.org/projects/tor/ticket/13079

• export TOR_SKIP_CONTROLPORTTEST=1

Environment variable to disable the "TorButton" -> "Open Network Settings..." menu item. It is not useful and confusing to have on a workstation, because Tor must be configured on the Whonix-Gateway, which is for security reasons forbidden from the Whonix-Gateway. https://trac.torproject.org/projects/tor/ticket/14100 https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Open_Network_Settings

• export TOR_NO_DISPLAY_NETWORK_SETTINGS=1

• /usr/libexec/anon-ws-disable-stacked-tor/socat-unix-sockets
• workstation only

socat-unix-sockets starter.

• /usr/lib/systemd/system/anon-ws-disable-stacked-tor.service
• workstation only

Runs /usr/libexec/anon-ws-disable-stacked-tor/state-files and /usr/libexec/anon-ws-disable-stacked-tor/socat-unix-sockets.

• /usr/lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf
• workstation only

Compatibility with system Tor package.

Overrides systemd unit file by system Tor package for compatibility so the dummy Tor binary /usr/bin/tor gets load instead.

Makes all systemctl restart reload status commands compatible with dummy Tor.

• /usr/lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf
• workstation only

Qubes-Whonix:

Clear 'ConditionPathExists=' variables set by the qubes-whonix package, which are useful on the gateway but not on the workstation.

In effect the dummy Tor service will run on Whonix-Workstation.

• ConditionPathExists=

• /usr/lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf
• workstation only

Make 'sudo service tor status' exit '0' for better compatibility.

• RemainAfterExit=yes

• /usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf
• workstation only

Create folder /run/anon-ws-disable-stacked-tor.

• d /run/anon-ws-disable-stacked-tor 0775 root root -
• Z /run/anon-ws-disable-stacked-tor/* 0666 root root -

• /usr/bin/tor.anondist
• workstation only

dummy Tor wrapper doing nothing but wait forever and

OnionShare support for configuration option "bundled Tor".

Bisq support.

• https://github.com/Kicksecure/bindp
• debian/control

This package is probably most useful for Anonymity Distributions.

This package is produced independently of, and carries no guarantee from, The Tor Project.

• /debian/bindp.postinst
• workstation only

Compiles /usr/lib/bindp.c to /usr/lib/libindp.so during package installation using gcc.

• https://github.com/Whonix/whonix-ws-network-conf
• debian/control

Includes /etc/network/interfaces for Whonix-Workstation.

Sets up an internal network interface eth0.

DNS configuration Anonymity Linux Distribution Workstations Whether a Anonymity Linux Distribution Gateway supports anonymized system DNS for Workstation's traffic (also known as Transparent DNS Proxy) mainly depends on the Gateway's firewall.

This package is simply installing /etc/resolv.conf which points to 10.152.152.10, where an Anon-Gateway is supposed to provide a DnsPort on port 53. IP HARDCODED but no need to change because only description.

Currently relevant for Non-Qubes-Whonix only.

• /debian/whonix-ws-network-conf.triggers
• workstation only
• Non-Qubes-Whonix only

Required for /etc/systemd/network/99-default.link to take effect as per 'zless /usr/share/doc/udev/README.Debian.gz'.

• activate-noawait update-initramfs

• /debian/whonix-ws-network-conf.links
• workstation only
• Non-Qubes-Whonix only

Disable Predictable Network Interface Names as these are problematic. https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4 Disabling them as per 'zless /usr/share/doc/udev/README.Debian.gz'.

• /dev/null /etc/systemd/network/99-default.link

• /etc/resolv.conf.whonix

set nameserver 10.152.152.10 This works different in Qubes-Whonix.

• /etc/network/interfaces.d/30_non-qubes-whonix
• workstation only
• Non-Qubes-Whonix only

network interfaces configuration eth0 to communicate with Whonix-Gateway

static network configuration

IP HARDCODED but not need to change since only comment.

• #address 10.152.152.11
• #netmask 255.255.192.0
• #gateway 10.152.152.10

• https://github.com/Kicksecure/anon-apt-sources-list
• debian/control

Configuring APT and Flatpak sources: - Includes Debian APT repositories (main, updates, backports, fasttrack, security) - Incorporates Debian APT components (main, contrib, non-free, non-free-firmware) - Integrates the Flathub repository (verified and floss subsets only)

Flatpak: - Official Flathub repository only. - Uses subset verified_floss, which means only verified applications and freedom software can be installed by default.

Provides configuration files: - /etc/apt/sources.list.d/debian.sources for APT sources - /etc/flatpak/remotes.d/flathub.flatpakrepo for Flatpak sources

A Discussion on Distribution Maintenance Strategies:

The more standard way would indeed be populating /etc/apt/sources.list at install or build time and leaving /etc/apt/sources.list.d alone.

The idea of managing /etc/apt/sources.list.d/debian.sources for the user is, the security-focused distribution maintainers can decide when it is a better "change stable to oldstable", "keep wheezy as long as needed to work out [eventual!] issues that would break during upgrade to jessie" and such.

• /etc/apt/sources.list.d/debian.sources

Debian APT repository sources

Configured to use tor+https.

Technical notes: - Why are sources (deb-src) disabled by default? Because those are not required by most users, to save time while running sudo apt update. - See also: https://www.debian.org/security/ - See also: /etc/apt/sources.list.d/ - Same format as https://onion.debian.org - https://fasttrack.debian.net/

• https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo
• debian/control

Comes with "deb http://deb.torproject.org/torproject.org stable main", The Tor Project's APT signing key.

This package is produced independently of, and carries no guarantee from, The Tor Project.

• /etc/apt/sources.list.d/torproject.sources
• Not installed by default.

Tor Project APT repository sources file

• https://github.com/Whonix/qubes-whonix
• debian/control

This package contains all the scripts and configuration options to be able to run Whonix-Gateway and Whonix-Workstation within a Qubes environment.

Whonix-Gateway should run as a ProxyVM.

Whonix-Workstation should run as an AppVM.

Template updates over Tor.

• /etc/qubes/protected-files.d/qubes-whonix.conf
• Qubes-Whonix only

Configure Qubes to not modify files shipped by Whonix:

• /etc/localtime
• /etc/timezone
• /etc/resolv.conf

• /etc/uwt.d/40_qubes.conf
• Qubes-Whonix only

uwt Qubes-Whonix Integration

Runs only inside Qubes TemplateVM.

This configuration snippets configures uwt to wait before running apt until status file /run/updatesproxycheck/whonix-secure-proxy or status file /run/updatesproxycheck/whonix-secure-proxy-check-done exists. It will timeout after 120 seconds.

This is to determine if torified Qubes updates proxy was detected.

If torified Qubes updates proxy detection fails, it will prevent running apt and show the following warning.

WARNING: Execution of apt prevented by @file_name@ because no torified Qubes updates proxy found.

If torified Qubes updates proxy detection succeeds, it will disable apt uwtwrapper. In other words, run apt normally. Run apt without torsocks. Because apt config file. /etc/apt/apt.conf.d/01qubes-proxy will already have http proxy settings for qrexec based Qubes updates proxy. Acquire::http::Proxy "http://127.0.0.1:8082/";

• https://github.com/Kicksecure/ro-mode-init
• debian/control

Allows booting the system in live mode. Meaning, no persistent modifications will be written to the disk. All changes stay in RAM.

No claims are made with regard to anti forensics.

• /debian/ro-mode-init.triggers
• workstation only
• Non-Qubes-Whonix only

Make changes by ro-mode-init take effect.

• activate-noawait update-initramfs

• https://github.com/Kicksecure/sdwdate
• debian/control

Time keeping is crucial for security, privacy, and anonymity. Sdwdate is a Tor friendly replacement for rdate and ntpdate that sets the system's clock by communicating via onion encrypted TCP with Tor onion webservers.

At randomized intervals, sdwdate connects to a variety of webservers and extracts the time stamps from http headers (RFC 2616). Using sclockadj option, time is gradually adjusted preventing bigger clock jumps that could confuse logs, servers, Tor, i2p, etc.

This package contains the sdwdate time fetcher and daemon. No installation on remote servers required. To avoid conflicts, this daemon should not be enabled together with ntp or tlsdated.

• /etc/qubes/suspend-pre.d/30_sdwdate.sh

hook to run /usr/libexec/sdwdate/suspend-pre in Qubes-Whonix.

• /etc/qubes/suspend-post.d/30_sdwdate.sh

hook to run /usr/libexec/sdwdate/suspend-post in Qubes-Whonix.

• https://github.com/Whonix/uwt
• debian/control

Can add "torsocks" and/or "timeprivacy" before invocation of applications when configured to do so. For example, when simply typing "apt-get" instead of "torsocks apt-get", "apt-get" can still be routed over Tor.

The uwt package comes with the following applications pre-configured to use uwtwrapper, Tor and stream isolation: - apt - apt-file - apt-get - aptitude-curses - curl - git - gpg - gpg2 - mixmaster-update - rawdog - ssh - wget - yum - yumdownloader - wormhole

To circumvent a uwt wrapper on a by case base, you append ".anondist-real" to the command, for example "apt-get.anondist-real". You can also deactivate specific or all uwt wrappers by using the stackable .d-style configuration folder /etc/uwt.d.

Uwt can only work only as good as torsocks. If torsocks is unable to route all of an application's traffic over Tor, ex. if there is an leak, there will also be one when using uwt. For that reason, it is recommended to use Anonymity Distributions, that prevent such leaks.

If an applications has native support for socks proxy settings, those should be preferred over uwt. Also refer to the TorifyHOWTO and your distribution's documentation.

Timeprivacy can keep your time private. You can create wrappers for applications and timeprivacy will feed those applications with a fake time, which obfuscates at which time you really used that applications (such as when you made the git commit or when you signed that document). It does NOT set your time zone to UTC.

This package is probably most useful for Anonymity Distributions.

This package is produced independently of, and carries no guarantee from, The Tor Project.

• /debian/uwt.displace

replace the following files with the uwt version

Using config-package-dev displace.

/etc/tor/torsocks configuration file

• /etc/tor/torsocks.conf.anondist

Replace apt, wget, curl, ssh, onionshare, ricochet, wormhole with uwt wrapper which then calls /usr/libexec/uwt/uwtwrapper.

• /usr/bin/apt.anondist
• /usr/bin/apt-file.anondist
• /usr/bin/apt-get.anondist
• /usr/bin/aptitude-curses.anondist
• /usr/bin/curl.anondist
• /usr/bin/git.anondist
• /usr/bin/gpg.anondist
• /usr/bin/gpg2.anondist
• /usr/bin/mixmaster-update.anondist
• /usr/bin/rawdog.anondist
• /usr/bin/ssh.anondist
• /usr/bin/wget.anondist
• /usr/bin/yum.anondist
• /usr/bin/yumdownloader.anondist
• /usr/bin/dnf-3.anondist
• /usr/bin/onionshare.anondist
• /usr/bin/onionshare-gui.anondist
• /usr/bin/ricochet.anondist
• /usr/bin/wormhole.anondist

• /etc/uwt.d/30_uwt_default.conf

uwt configuration

• /etc/profile.d/20_uwt.sh

/etc/profile.d hook to source /usr/libexec/uwt/uwt.sh

• /etc/sudoers.d/uwt

Disable torsocks warning spam such as. [May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165) https://forums.whonix.org/t/disable-torsocks-warning-spam/19084

No longer required.

• #Defaults:ALL env_keep += "TORSOCKS_LOG_LEVEL"

• /etc/tor/torsocks.conf.anondist

torsocks configuration

• AllowInbound 1
• AllowOutboundLocalhost 1
• IsolatePID 1

• /usr/libexec/uwt/uwtwrapper

When running uwt-wrapped applications (such as apt, wget, curl, onionshare, or others) automatically prepend torsocks or bindp, i.e.

When, for example, apt or curl is executed, what really happens is running torsocks apt or torsocks curl.

uwtwrappers and /usr/libexec/uwt/uwtwrapper are hacks to socksify applications that do not support native SOCKS proxy settings. Used to implement Stream Isolation. https://www.whonix.org/wiki/Stream_Isolation

In essence, uwtwrappers are installed so users can type commands like apt-get normally while transparently injecting torsocks, thereby stream isolating them.

To better understand how uwt wrappers function, you could, for example, open /usr/bin/apt-get.anondist in an editor.

Also useful to run: ls -la /usr/bin/apt-get*

You will see that /usr/bin/apt-get has been replaced with a symlink to /usr/bin/apt-get.anondist. (This was done using config-package-dev.)

/usr/bin/apt-get.anondist is a uwt wrapper.

/usr/bin/apt-get.anondist-orig is the original apt-get binary.

bindp is used to make applications which listen on the internal IP by default, such as onionshare (which is the right thing to do outside of Whonix), listen on the external IP instead. See also:

• https://github.com/Whonix/bindp
• https://forums.whonix.org/t/find-way-to-have-tor-ephermal-hidden-service-using-applications-in-whonix-workstation-bind-on-all-interfaces/18846

• /usr/libexec/uwt/uwtexec

This script is used by uwtwrapper as a workaround to preserve the zeroth argument when executing programs with other wrappers, such as faketime or torsocks.

• /usr/libexec/uwt/uwt.sh

Disable torsocks warning spam such as. [May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165) https://phabricator.whonix.org/T317

• export TORSOCKS_LOG_LEVEL=1

• /usr/bin/apt-get.anondist

uwt wrapped application

• /usr/bin/ricochet.anondist

uwt wrapped application

ricochet does not have unix domain socket file support, therefore it depends on the TOR_CONTROL_HOST and TOR_CONTROL_PORT environment variables being set. Otherwise it would try to start its own Tor instance. https://phabricator.whonix.org/T444

• TOR_CONTROL_HOST="127.0.0.1"
• TOR_CONTROL_PORT="9151"
• export TOR_CONTROL_HOST
• export TOR_CONTROL_PORT

• export uwtwrapper_parent="${BASH_SOURCE[0]}"
• exec /usr/libexec/uwt/uwtwrapper "$@"

• /usr/bin/apt-file.anondist

uwt wrapped application

• /usr/bin/rawdog.anondist

uwt wrapped application

• /usr/bin/wormhole.anondist

uwt wrapped application

• /usr/bin/apt.anondist

uwt wrapped application

• export uwtwrapper_parent="${BASH_SOURCE[0]}"
• exec /usr/libexec/uwt/uwtwrapper "$@"

• /usr/bin/wget.anondist

uwt wrapped application

• /usr/bin/ssh.anondist

uwt wrapped application

• /usr/bin/git.anondist

uwt wrapped application

• /usr/bin/gpg2.anondist

uwt wrapped application

• /usr/bin/aptitude-curses.anondist

uwt wrapped application

• /usr/bin/yumdownloader.anondist

uwt wrapped application

• /usr/bin/dnf-3.anondist

dnf tor wrapper

• /usr/bin/time_privacy

Undocumented.

• /usr/bin/curl.anondist

curl tor wrapper

• /usr/bin/yum.anondist

uwt wrapped application

• /usr/bin/mixmaster-update.anondist

uwt wrapped application

• /usr/bin/onionshare-gui.anondist

uwt wrapped application

• /usr/bin/uwt_settings_show

• echo "uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:"
• echo "uwt INFO: https://www.whonix.org/wiki/Stream_Isolation/Easy"

• https://github.com/Whonix/whonix-base-files
• debian/control

This package contains several important miscellaneous files, such as /etc/issue, /etc/motd, /etc/dpkg/origins/whonix, /usr/bin/whonix, and others.

Anonymized operating system user name `user`, `/etc/hostname`, `/etc/hosts`, `/etc/machine-id`, `/var/lib/dbus/machine-id`, which should be shared among all anonymity distributions. See also:

• https://mailman.boum.org/pipermail/tails-dev/2013-January/002457.html
• https://labs.riseup.net/code/issues/5655
• http://lists.autistici.org/message/20140627.215105.24023267.en.html

Sets the WHONIX environment variable to 1 as well.

Ships marker files:

• /usr/share/whonix/marker
• /usr/share/anon-dist/marker

• /etc/qubes/protected-files.d/whonix-base-files.conf
• Qubes-Whonix only

Configure Qubes to not modify files shipped by Whonix:

• /etc/hostname
• /etc/hosts

• /etc/hosts.whonix

Debian default /etc/hosts + Anonymity Distribution specific additions.

Currently only 127.0.0.1 host.localdomain host gets added.

• https://github.com/Whonix/whonix-firewall
• debian/control

nftables rules script and firewall configuration file for Whonix-Gateway and Whonix-Workstation.

Whonix-Gateway Firewall Features: - transparent proxying - stream isolation - reject invalid packages - fail closed mechanism - optional VPN-Firewall - optional isolating proxy - optional incoming flash proxy - optional Tor relay

Do not remove, unless you no longer wish to use Whonix.

• /debian/whonix-firewall.postinst

Creates linux user accounts used by firewall script clearnet tunnel notunnel systemcheck sdwdate updatesproxycheck.

Creates empty /etc/whonix_firewall.d/50_user.conf which is not owned by any package if not existing.

• /etc/whonix_firewall.d/30_whonix_workstation_default.conf
• workstation only

Whonix firewall configuration file

• /etc/whonix_firewall.d/30_whonix_host_default.conf

undocumented

• /etc/whonix_firewall.d/30_whonix_gateway_default.conf
• gateway only

Whonix firewall configuration file

• /usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test

stream isolation developer test script

• /usr/libexec/whonix-firewall/enable-firewall

Wrapper to start firewall and create failure status files on failure.

• /usr/lib/systemd/system/whonix-firewall.service

Runs /usr/libexec/whonix-firewall/enable-firewall.

On Whonix-Gateway or Whonix-Workstation (if /usr/share/anon-gw-base-files/gateway or /usr/share/anon-ws-base-files/workstation exists), loads Whonix Firewall.

(Does nothing inside Qubes TemplateVMs.)

If loading Whonix Firewall fails, creates /run/anon-firewall/failed.status.

• /usr/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf

Fail Closed Mechanism. When the Whonix firewall systemd service failed, do not bring up the network.

TODO: does not cover Qubes-Whonix since Qubes does not use networking.service. TODO: disabled, broken. Breaks networking on package upgrades. https://forums.whonix.org/t/fix-fail-closed-mechanism/18563

• #[Unit]
• #After=whonix-firewall.service
• #Requires=whonix-firewall.service

• /usr/bin/whonix-gateway-firewall

firewall script

• /usr/bin/whonix_firewall

firewall starter wrapper

• /usr/bin/whonix-workstation-firewall

firewall script