
Dev/Design-Workstation





Authoring Notes:

  • Start with a general description below each headline. Be as general as possible, trying to avoid even using such terms as 'Tor'.
  • Next, describe the Whonix Example Implementation, showing exactly how Whonix implements the goals stated above.


List of installed Packages

Whonix-Example-Implementation:

Files

Essential

Network Configuration

Configure the system resolver to use the Gateway for DNS. (There can be no DNS leaks, because the Gateway firewall prevents them.) The system resolver shouldn't get used often, only by applications which are not configured for Stream Isolation (their own SocksPort); it is a general catch-all for user-installed applications, to improve usability.

Whonix-Example-Implementation:

DummyTor

Since the anonymizer software runs on the Gateway, users could still accidentally install the anonymizer software on the Workstation. This would lead to connecting to the anonymity network over the anonymity network itself. In the best case it just doesn't work or is very slow; in the worst case it leads to unknown consequences. Prevent that.

Whonix-Example-Implementation:

KDE / GNOME - application wide proxy settings

Whether or not KDE / GNOME is used, in addition to the stream isolation wrappers and the other applications preconfigured for stream isolation, it is useful to also configure KDE-wide / GNOME-wide proxy settings. In case the user installs KDE or GNOME applications which connect to the internet and honor proxy settings, those won't go through Tor's TransPort but through a dedicated SocksPort, for further improved stream isolation. These settings are not system-wide, but KDE-wide / GNOME-wide.

Whonix-Example-Implementation:

Extra

second, optional, extra firewall

Optional.

A second, extra firewall for advanced users, as damage protection in case the Whonix-Gateway ever gets compromised (Tor exploit).

Whonix-Example-Implementation:

Usability

Swap

Let the kernel only swap if it is absolutely necessary.

Whonix-Example-Implementation:

Environment Variables

Optional.

It's useful to have an environment variable announcing "I am a Workstation", so applications such as TorButton and TorBirdy can act accordingly (i.e. not starting Tor/Vidalia on the Workstation; not using 127.0.0.1 as proxy, but the Gateway instead).

Whonix-Example-Implementation:

apt.conf

Optional.

Whonix-Example-Implementation:

http to socks converter

Optional.

Some applications don't support SOCKS proxies, only HTTP proxies. It's useful to have an HTTP to SOCKS converter.

Whonix-Example-Implementation:

Sending e-mails without registration

Optional.

Install a tool which can send e-mails without registration.

Whonix-Example-Implementation:

GnuPG Configuration

Optional.

Using more secure defaults for GnuPG.

Whonix-Example-Implementation:

Project News Notification

Optional.

Whonix-Example-Implementation:

TorChat Configuration

Optional.

Using TorChat on an already torified Workstation while preventing Tor over Tor isn't trivial. Therefore it's useful to ship the required configuration files, preconfigured as much as possible by default, to ease installation of TorChat.

Whonix-Example-Implementation:

IRC Client

Optional.

Secure IRC client configuration and a script for getting a new IRC identity.

Whonix-Example-Implementation:

Web Browser

Secure web browser which doesn't suffer from linkability and browser fingerprinting.

Whonix-Example-Implementation:

rinetd

Optional.

Whonix-Example-Implementation:

  • rinetd is configured to listen on local ports 9050 and 9150.
    • rinetd forwards port 127.0.0.1:9050 (Workstation) to 10.152.152.10:9050 (Gateway).
    • Forwards port 127.0.0.1:9150 (Workstation) to 10.152.152.10:9150 (Gateway).
    • https://github.com/Whonix/Whonix/blob/master/whonix_workstation/etc/rinetd.conf
    • This prevents Tor over Tor when a user simply installs Tor or uses the complete Tor Browser Bundle, which starts Vidalia and Tor: because rinetd already listens on ports 9050 and 9150, a default Tor or TBB fails to start.
    • Should the Tor Browser update script ever break,
      • Whonix users can download (and verify) the stock Tor Browser Bundle (TBB) from torproject.org,
      • unpack to /home/user/tor-browser_en-US and
      • start it from the desktop menu shortcut or from the start menu.
      • As long as The Tor Project still ships Vidalia with TBB: starting with the stock startup script /home/user/tor-browser_en-US/start-tor-browser will fail closed. Vidalia will report that Tor won't connect, because port 9150 is already occupied by rinetd. This will be fixed as soon as The Tor Project merges a proposed patch https://trac.torproject.org/projects/tor/ticket/5611 for the start-tor-browser startup script, which adds an optional environment variable that, once set, starts only Tor Browser and not the bundled Tor/Vidalia.
      • As soon as The Tor Project moves to tor-launcher and drops Vidalia: starting the stock TBB inside Whonix should work out of the box, because https://github.com/Whonix/Whonix/blob/master/whonix_workstation/etc/profile.d/20_torbrowser.sh sets the required environment variables to deactivate tor-launcher.
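The forwarding rules above only give the intended protection if every rule binds to loopback, every rule points at the Gateway, and both ports a local Tor would want are actually occupied. The following is an added example (not Whonix's code, and not its rinetd.conf) that parses rules in rinetd's `bindaddress bindport connectaddress connectport` syntax and checks exactly those three properties; the sample configuration and the lint messages are constructed for this example, and the Gateway address 10.152.152.10 and ports 9050/9150 are taken from the list above.

```python
"""Parse and sanity-check rinetd forwarding rules (added example, not Whonix code)."""
from dataclasses import dataclass
from typing import List

# Constructed sample in rinetd.conf syntax: bindaddress bindport connectaddress connectport.
SAMPLE_RINETD_CONF = """\
# forward the local Tor ports to the Gateway
127.0.0.1 9050 10.152.152.10 9050
127.0.0.1 9150 10.152.152.10 9150
"""

GATEWAY_IP = "10.152.152.10"     # Gateway address as given on the page
EXPECTED_PORTS = {9050, 9150}    # ports rinetd must occupy so a local Tor/TBB fails to start


@dataclass(frozen=True)
class Forward:
    bind_addr: str
    bind_port: int
    connect_addr: str
    connect_port: int


def parse_rinetd_conf(text: str) -> List[Forward]:
    """Return one Forward per rule line; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        rules.append(Forward(fields[0], int(fields[1]), fields[2], int(fields[3])))
    return rules


def lint_forwards(rules: List[Forward], gateway_ip: str = GATEWAY_IP,
                  expected_ports=EXPECTED_PORTS) -> List[str]:
    """Return a list of problems; an empty list means the rules do what the design intends."""
    problems = []
    for r in rules:
        if r.bind_addr != "127.0.0.1":
            # A non-loopback bind would expose the forwarder to other hosts on the network.
            problems.append(f"{r.bind_addr}:{r.bind_port} is not bound to loopback")
        if r.connect_addr != gateway_ip:
            # Anything not forwarded to the Gateway would bypass it.
            problems.append(f"{r.bind_addr}:{r.bind_port} forwards to {r.connect_addr}, not the Gateway")
    bound = {r.bind_port for r in rules if r.bind_addr == "127.0.0.1"}
    for port in sorted(expected_ports - bound):
        # An unoccupied port would let a locally installed Tor bind it (Tor over Tor).
        problems.append(f"port {port} is not occupied by rinetd")
    return problems


if __name__ == "__main__":
    for problem in lint_forwards(parse_rinetd_conf(SAMPLE_RINETD_CONF)) or ["OK"]:
        print(problem)
```

Run against a real /etc/rinetd.conf by reading the file into `parse_rinetd_conf`; the lint intentionally reports a missing port as a problem, since the fail-closed behaviour described above depends on both ports being taken.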

Marker file

Optional.

Add a marker file so scripts you write can find out whether they are running on the Gateway or inside the Workstation. There are probably different possible implementations to reach that goal.
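One possible implementation of both the marker file idea here and the "I am a Workstation" environment variable from the Environment Variables section, as an added example that is not Whonix's code: marker files are consulted first, the variable only as a fallback, and an unknown role yields no proxy at all rather than a guess. The marker paths and the variable name `WHONIX_ROLE` are hypothetical (the page names neither); the Gateway address is the one given in the rinetd section.

```python
"""Decide whether a script runs on the Gateway or the Workstation (added example, not Whonix code)."""
import os
from typing import Mapping, Optional, Tuple

# Hypothetical marker-file paths and variable name; the page specifies neither.
GATEWAY_MARKER = "/usr/share/whonix/marker_gateway"
WORKSTATION_MARKER = "/usr/share/whonix/marker_workstation"
ROLE_VAR = "WHONIX_ROLE"
GATEWAY_IP = "10.152.152.10"   # Gateway address as given on the page


def detect_role(environ: Mapping[str, str] = os.environ,
                gateway_marker: str = GATEWAY_MARKER,
                workstation_marker: str = WORKSTATION_MARKER) -> Optional[str]:
    """Return "gateway", "workstation" or None.

    Marker files take precedence over the environment variable, because an
    environment variable is inherited by child processes and can be set by
    mistake, while a marker file is placed once by the image build.
    """
    on_gw = os.path.isfile(gateway_marker)
    on_ws = os.path.isfile(workstation_marker)
    if on_gw and on_ws:
        raise RuntimeError("both marker files present; refusing to guess the role")
    if on_gw:
        return "gateway"
    if on_ws:
        return "workstation"
    role = environ.get(ROLE_VAR, "").lower()
    return role if role in ("gateway", "workstation") else None


def socks_proxy_for(role: Optional[str]) -> Optional[Tuple[str, int]]:
    """Where a SOCKS-aware application should point.

    On the Gateway Tor is local; on the Workstation it is the Gateway's
    SocksPort; if the role is unknown, return None so callers fail closed
    instead of defaulting to 127.0.0.1 (which would be a local Tor, i.e. Tor over Tor).
    """
    if role == "gateway":
        return ("127.0.0.1", 9050)
    if role == "workstation":
        return (GATEWAY_IP, 9050)
    return None


if __name__ == "__main__":
    role = detect_role()
    print(f"role: {role}, socks proxy: {socks_proxy_for(role)}")
```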

Whonix-Example-Implementation:

Terminal Help

Optional.

Add a welcome and help message also to virtual terminals (those which can be started in graphical environments such as KDE, for example Konsole).

Whonix-Example-Implementation:

Debugging

Leaktest script

Optional.

Have a script which tries to produce a leak and checks whether any leaks occur.
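The shape such a script can take, as an added example that is not Whonix's leaktest: each probe tries to reach the Internet directly, bypassing the Gateway's Tor ports, and on a correctly isolated Workstation every probe must fail; any probe that succeeds is reported as a leak. The target addresses are constructed from the TEST-NET documentation ranges, and the probe functions are injectable so the reporting logic can be exercised offline.

```python
"""Leak test skeleton for a torified Workstation (added example, not Whonix's script)."""
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Constructed targets (TEST-NET-2 documentation addresses, not real services).
# Each tuple: (probe name, host, port); the name prefix selects the probe type.
DIRECT_TARGETS: List[Tuple[str, str, int]] = [
    ("tcp-direct-443", "198.51.100.7", 443),   # TCP straight to an external host
    ("udp-dns-direct", "198.51.100.53", 53),   # UDP DNS to an external resolver
]


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A-record query; enough to provoke one UDP datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a direct TCP connection succeeds (a leak on the Workstation)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_dns_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True only if an answer comes back: a datagram that is sent but never
    answered was most likely dropped by the Gateway firewall, not leaked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query("example.com"), (host, port))
            data, _ = s.recvfrom(512)
            return len(data) >= 12
        except OSError:
            return False


def run_leak_test(targets=DIRECT_TARGETS,
                  probes: Optional[Dict[str, Callable[[str, int], bool]]] = None) -> Dict[str, bool]:
    """Return {probe name: leaked}. `probes` maps a name prefix to a callable(host, port) -> bool."""
    if probes is None:
        probes = {"tcp": tcp_probe, "udp": udp_dns_probe}
    results = {}
    for name, host, port in targets:
        kind = name.split("-", 1)[0]
        results[name] = probes[kind](host, port)
    return results


def leaks_found(results: Dict[str, bool]) -> List[str]:
    """Names of probes that reached the Internet directly."""
    return [name for name, leaked in results.items() if leaked]


if __name__ == "__main__":
    res = run_leak_test()
    for name, leaked in res.items():
        print(f"{name}: {'LEAK' if leaked else 'blocked'}")
    raise SystemExit(1 if leaks_found(res) else 0)
```

The exit status makes the script usable from a build or test pipeline: non-zero means at least one direct path to the Internet exists on the Workstation and the Gateway firewall needs attention.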

Whonix-Example-Implementation:

Design-Shared

Changes from Dev/Design-Shared also have to be added to the Gateway.

