Why?[edit]

See DoNot#Prevent_Tor_over_Tor_scenarios.

Implementation[edit]

TODO:

needs update (moved to socat with Whonix 13 anon-ws-disable-stacked-tor 3:2.4-1 stable upgrade)
needs update (moved to systemd-socket-proxyd with Whonix 14)

Implemented in three ways on Whonix-Workstation.

Implemented in anon-ws-disable-stacked-tor, debian/control. The package uses the "Provides: tor" field^[1], which should avoid any kinds of conflicts, in case upstream releases a higher version of Tor. This won't work for packages, which depend on an explicit version of Tor (such as TorChat). This is non-ideal, since for example the torchat package will install Tor, but still acceptable, because of the following additional implementations.

Tor's autostart is disabled in /etc/default/tor (dpkg-diverted using config-package-dev), so even if the tor package gets installed, it won't be automatically started.

rinetd is configured by /etc/rinetd.conf to listen on
- Tor's default ports. I.e.
  - system Tor's 127.0.0.1:9050, 127.0.0.1:9051 and,
  - Tor Browser's 127.0.0.1:9150, 127.0.0.1:9051
  - Tor Messenger's 127.0.0.1:9152, 127.0.0.1:9153
- Those are forwarded to Whonix-Gateway.
- This prevents the default Tor Browser, Tor Messenger and/or Tor package by The Tor Project from opening these default ports, which will result in Tor failing to open its listening port and therefore exiting, thus preventing Tor over Tor.

https://forums.whonix.org/t/socat-running-on-ws-called-from/2225

https://www.whonix.org/wiki/Dev/Whonix_Packages#anon-ws-disable-stacked-tor

We mimic a functional Tor as well as possible.

anon-ws-disable-stacked-tor is also providing:

Tor Control Unix Domain Socket file: /var/run/tor/control, which is redirected to Control Port Filter Proxy on Whonix-Gateway.
Tor Control Auth Cookie: a functional /var/run/tor/control.authcookie that works with Control Port Filter Proxy.
Tor Socks Unix Domain Socket file: /var/run/tor/socks that is redirected to Whonix-Gateway Tor port 9050

https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

Required for Tor Browser connectivity, SocksSocket:

https://cloud.githubusercontent.com/assets/156128/21556064/8ead0338-cdd2-11e6-918c-d4ca61724b52.png any should work.

TODO: describe

Debugging[edit]

onion-grater[edit]

Run.

[select code]

echo "$TOR_SOCKS_IPC_PATH"

echo "$TOR_SOCKS_IPC_PATH"

Should show the following.

/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock

Run.

[select code]

echo "$TOR_CONTROL_IPC_PATH"

echo "$TOR_CONTROL_IPC_PATH"

Should show the following.

/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock

Also please run.

[select code]

UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9150

UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9150

Should show the following.

<html>
<head>
<title>Tor is not an HTTP Proxy</title>
</head>
<body>
<h1>Tor is not an HTTP Proxy</h1>
<p>
It appears you have configured your web browser to use Tor as an HTTP proxy.
This is not correct: Tor is a SOCKS proxy, not an HTTP proxy.
Please configure your client accordingly.
</p>
<p>
See <a href="https://www.torproject.org/documentation.html">https://www.torproject.org/documentation.html</a> for more information.
<!-- Plus this comment, to make the body response more than 512 bytes, so      IE will be willing to display it. Comment comment comment comment      comment comment comment comment comment comment comment comment.-->
</p>
</body>
</html

Run a similar command.

echo GET | socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock

Should show the same as above.

Next one to try.

[select code]

UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9151

UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9151

Should show the following.

510 Request filtered
...

Run a similar command.

echo GET | socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock

Should show.

510 Request filtered

Debugging with curl[edit]

Trying to use curl rather than curl.anondist-org is a common mistake when debugging Whonix network issues.

curl is a symlink to curl.anondist-orig. In turn, this symlinks to uwtwrapper which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.

To use curl[edit]

The uwt steam isolation wrapper must be circumvented or disabled.
The command must be run under user clearnet

In Whonix-Gateway or sys-whonix Qubes-Whonix

1. Change to user clearnet

[select code]

sudo su clearnet

sudo su clearnet

2. Circumvent uwt stream isolation wrapper by appending .anondist-orig to curl

[select code]

curl.anondist-orig <your_url>

curl.anondist-orig <your_url>

Using curl in Whonix 14[edit]

In the following examples, the exec calls from the command output shows the difference between running curl with the uwtwrapper both enabled and disabled.

Example 1

curl is run with the uwtwrapper enabled.

[select code]

uwtwrapper_verbose=1 curl <your_url>

uwtwrapper_verbose=1 curl <your_url>

This results in the following exec calls. Only the latest (most recent) call matters which shows torsocks is prepended before running curl.

exec torsocks /usr/lib/uwtexec something <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>

Example 2

curl is run with the uwtwrapper disabled.

[select code]

uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl <your_url>

uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl <your_url>

This command results in the following exec calls which show torsocks does not get prepended before curl. Since curl does not run under torsocks, local connections are not hindered and there is no stream isolation.

 exec /usr/lib/uwtexec <your_url>
 exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>

The output from the previous commands establish the following.

/usr/bin/curl is symbolically linked to /usr/bin/curl.anondist-orig. This demonstrates /usr/bin/curl.anondist-orig is the actual (real) curl binary.

When /usr/bin/curl.anondist-orig is run with the uwtwrapper disabled all uwt logic is circumvented.

Users can either circumvent the uwt stream isolation wrapper or disabled it either permanently or temporary.

Links:

Application Developers[edit]

Dev/Whonix friendly applications best practices

Footnotes[edit]

↑ See "7.5 Virtual packages - Provides" on http://www.debian.org/doc/debian-policy/ch-relationships.html

Random News:

Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)

[1] See "7.5 Virtual packages - Provides" on http://www.debian.org/doc/debian-policy/ch-relationships.html

[1]

Dev/anon-ws-disable-stacked-tor

< Dev(Redirected from Dev/Dummy Tor)

Contents

Why?[edit]

Implementation[edit]

Debugging[edit]

onion-grater[edit]

Debugging with curl[edit]

To use curl[edit]

Using curl in Whonix 14[edit]

Application Developers[edit]

Footnotes[edit]