Dev/anon-ws-disable-stacked-tor
From Whonix
< Dev(Redirected from Dev/Dummy Tor)
Why?[edit]
See DoNot#Prevent_Tor_over_Tor_scenarios.
Rationale on implementation details, SocksSocket vs TCP, environment variables vs settings file [archive]
Implementation[edit]
providing virtual Tor package[edit]
Implemented in anon-ws-disable-stacked-tor [archive], debian/control [archive]. The package uses the Provides: tor
field[1], which should avoid any kinds of conflicts, in case upstream releases a higher version of Tor. This won't work for packages, which depend on an explicit version of Tor (such as TorChat). This is non-ideal, since for example the torchat package will install Tor, but still acceptable, because of the following additional implementations.
Tor binary replacement[edit]
Tor's binary was replaced (dpkg-diverted using config-package-dev) with dummy executables, so even if the real tor package gets installed, it won't be automatically started.
- https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/bin/tor.anondist [archive]
- https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/sbin/tor.anondist [archive]
systemd-socket-proxyd listening port redirection[edit]
Listening [archive] using systemd-socket-proxyd
on the following listening ports:
- Tor's default listening ports. I.e.:
- system Tor's 127.0.0.1:9050, 127.0.0.1:9051 and,
- Tor Browser's 127.0.0.1:9150, 127.0.0.1:9051,
- Tor Messenger's 127.0.0.1:9152 (
SocksPort
) -> gatewaySocksPort
9153
, 127.0.0.1:9153ControlPort
-> gateway9051
ControlPort
(actually control port filter proxy, onion-grater)
- and others, see full list [archive]
- Those listening ports forwarded to Whonix-Gateway ™.
- This prevents the default Tor Browser, Tor Messenger and/or Tor package by The Tor Project from opening these default ports, which will result in Tor failing to open its listening port and therefore exiting, thus preventing Tor over Tor.
- Tor's default listening ports. I.e.:
TODO: describe
- systemd socket activation
- https://phabricator.whonix.org/T357 [archive]
Unix Domain Socket File Redirection[edit]
Since Tor Browser, OnionShare (screenshot [archive]) among more and more other applications require SocksSocket [archive] [2], anon-ws-disable-stacked-tor is also providing:
- Tor Control Unix Domain Socket file:
/var/run/tor/control
, which is redirected to Control Port Filter Proxy on Whonix-Gateway ™. - Tor Control Auth Cookie [archive]: a functional
/var/run/tor/control.authcookie
that works with Control Port Filter Proxy. - Tor Socks Unix Domain Socket file:
/var/run/tor/socks
that is redirected to Whonix-Gateway ™ Tor port9050
Tor state file creation[edit]
All required state files which Tor would normally create in /var/run/tor
and /var/lib/tor
are being created by /usr/lib/anon-ws-disable-stacked-tor/state-files [archive].
bindp[edit]
TODO: describe
socat[edit]
There are no socat
redirections by default in Whonix ™.
Advanced setups such as Monero CLI Wallet/Daemon Isolation with Qubes-Whonix ™ [archive] are using things like EXEC
. From that example.
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
systemd-socket-proxyd
does not support EXEC
, hence socat
is useful here.
Debugging[edit]
Run.
echo "$TOR_SOCKS_IPC_PATH"
Should show the following.
/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
Run.
echo "$TOR_CONTROL_IPC_PATH"
Should show the following.
/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
Also please run.
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9150
Should show the following.
<html> <head> <title>Tor is not an HTTP Proxy</title> </head> <body> <h1>Tor is not an HTTP Proxy</h1> <p> It appears you have configured your web browser to use Tor as an HTTP proxy. This is not correct: Tor is a SOCKS proxy, not an HTTP proxy. Please configure your client accordingly. </p> <p> See <a href="https://www.torproject.org/documentation.html">https://www.torproject.org/documentation.html</a> for more information. <!-- Plus this comment, to make the body response more than 512 bytes, so IE will be willing to display it. Comment comment comment comment comment comment comment comment comment comment comment comment.--> </p> </body> </html
Run a similar command.
echo GET | socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
Should show the same as above.
Next one to try.
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9151
Should show the following.
510 Request filtered ...
Run a similar command.
echo GET | socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
Should show.
510 Request filtered
Debugging with curl[edit]
Trying to use curl
rather than curl.anondist-org
is a common mistake when debugging Whonix ™ network issues.
curl
is a symlink to curl.anondist-orig
. In turn, this symlinks to uwtwrapper
which runs curl
under torsocks
. torsocks
then forces Tor to run on localhost
for stream isolation.
To use curl[edit]
- The
uwt
steam isolation wrapper must be circumvented or disabled. - The command must be run under user
clearnet
In Whonix-Gateway ™ or sys-whonix
Qubes-Whonix ™
1. Change to user clearnet
sudo -su clearnet
2. Circumvent uwt
stream isolation wrapper by appending .anondist-orig
to curl
curl.anondist-orig <your_url>
Using curl in Whonix ™ 14[edit]
In the following examples, the exec
calls from the command output shows the difference between running curl
with the uwtwrapper
both enabled and disabled.
Example 1
curl
is run with the uwtwrapper
enabled.
uwtwrapper_verbose=1 curl <your_url>
This results in the following exec
calls. Only the latest (most recent) call matters which shows torsocks
is prepended before running curl
.
exec torsocks /usr/lib/uwtexec something <your_url> exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>
Example 2
curl
is run with the uwtwrapper
disabled.
uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl <your_url>
This command results in the following exec
calls which show torsocks
does not get prepended before curl
. Since curl
does not run under torsocks
, local connections are not hindered and there is no stream isolation.
exec /usr/lib/uwtexec <your_url> exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>
The output from the previous commands establish the following.
/usr/bin/curl
is symbolically linked to/usr/bin/curl.anondist-orig
. This demonstrates/usr/bin/curl.anondist-orig
is the actual (real)curl
binary.
- When
/usr/bin/curl.anondist-orig
is run with theuwtwrapper
disabled alluwt
logic is circumvented.
Users can either circumvent the uwt
stream isolation wrapper or disabled it either permanently or temporary.
Links:
Application Developers[edit]
Dev/Whonix friendly applications best practices
See Also[edit]
Footnotes[edit]
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Check out the Whonix ™ News Blog.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.