How-to: "UnWhonix" - enable clearnet networking
Donate
Enable clearnet networking for Whonix-Gateway and/or Whonix-Workstation / Curl Clearnet Connectivity Test from Whonix-Gateway.
This is for developers only!
Curl Clearnet Connectivity Test from Whonix-Gateway[edit]
Warning: Not anonymous!
At time of writing IP 116.202.120.181 is check.torproject.org.
Using IP (116.202.120.181) rather than DNS (check.torproject.org) is required since Whonix-Gateway™ does not have a global DNS resolver enabled by default for its own traffic (details on page Whonix-Gateway System DNS).
sudo -u clearnet UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.3 --header 'Host: check.torproject.org' --insecure https://116.202.120.181
Enable Clearnet Networking[edit]
restore Whonix-Gateway clearnet networking[edit]
Instructions on how to remove Whonix Tor default networking for Whonix-Gateway. After applying these instructions, Whonix-Gateway will connect to clearnet.
This is possible because Whonix-Gateway is simplified "just a set of configurations". (And anything else would technically be pointless and a proprietary obfuscated software instead of a Freedom Software project. By reverting these configurations, it's possible to revert back to the same functionality that Debian has, which Whonix is based on. And Debian of course supports clearnet connectivity. This cannot happen by accident, see Dev/Technical_Introduction#Security_Overview.
Warning: Not anonymous!
Warning: This is for developers-only!
1. Inside Whonix-Gateway: Unload Whonix Firewall.
2. Inside Whonix-Gateway: Verify that the firewall rules have been unloaded. .
sudo iptables --list
Expected output:
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
3. Find out DNS server IP address.
Choose either option A), B) or B).
- A) Use your router's IP address.
- B) Use a public DNS server. (Potential privacy issues!) ## Cloudflare nameserver 1.1.1.1 ## Google #nameserver 8.8.8.8
- C) Use the IP address provided by the DNS server IP address.
Inside any other VM, any non-Tor VM, any non-Whonix VM. Such as a Debian (based) VM that has functional internet.
Figure out its /etc/resolv.conf settings.
cat /etc/resolv.conf
4. Inside Whonix-Gateway: Delete /etc/resolv.conf.
sudo rm /etc/resolv.conf
5. Inside Whonix-Gateway: Use the same settings from the non-Tor VM.
Open file /etc/resolv.conf in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/resolv.conf
6. Inside Whonix-Gateway: Deactivate all uwt wrappers globally.
The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt-wrapped applications system-wide. Consequently, all uwt-wrapped applications revert to the default system networking configuration.
For more granular control of uwt wrapper deactivation, see: Deactivate uwt Stream Isolation Wrapper.
1. Platform specific notice:
- Non-Qubes-Whonix™: No platform specific notice.
- Qubes-Whonix™: In Template. (
whonix-workstation-17) [1]
2. Open file /etc/uwt.d/50_user.conf in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/uwt.d/50_user.conf
3. Add.
uwtwrapper_global="0"
4. Save and exit.
5. Check that the changes have taken effect. Run in terminal: uwt_settings_show
It should print
uwt INFO: disabled.
6. Done.
7. Inside Whonix-Gateway: Download https://check.torproject.org
scurl --remote-name https://check.torproject.org
Or manually run curl with these parameters. [2]
curl --tlsv1.3 --remote-name https://check.torproject.org
Open file index.html in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run. mousepad index.html
If you are using a terminal, run. nano index.html
Should include.
Sorry. You are not using Tor.
8. Inside Whonix-Gateway: Untorify APT sources.
For all files in /etc/apt/sources.list.d folder, remove the tor+
prefix.
for file_name in /etc/apt/sources.list /etc/apt/sources.list.d/* ; do sudo str_replace "tor+" "" "$file_name" ; done
9. Done.
restore Whonix-Workstation clearnet networking[edit]
Undocumented. It would require at least:
- Configuration of the host virtualization software to use either:
- A) a different gateway VM or
- B) changing the network type form internal to "normal" (virtualizer specific, NAT for VirtualBox for example).
- Disabling Whonix-Workstation firewall.
- DNS configuration.
- Network configuration.
Untested but of course possible in theory. This is possible because Whonix-Workstation is also simplified "just a set of configurations". By reverting these configurations, it's possible to revert back to the same functionality that Debian has, which Whonix is based on. And Debian of course supports clearnet connectivity. This cannot happen by accident or malware running inside the VM, see Dev/Technical_Introduction#Security_Overview.
How to UnWhonix - Whonix package removal[edit]
TODO: document
Footnotes[edit]
The most watertight privacy operating system in the world.
At Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-2024 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!