Tor Config Files

Current Implementation

The implementation is as follows.

  • /etc/tor/torrc holds minimal content, so we don't have to update it ever again
  • Instructions in /etc/tor/torrc say "copy and paste from /etc/tor/torrc.examples".
  • We should never update /etc/tor/torrc, because that would trigger an interactive dpkg conflict resolution dialog [1] [2]. That is bad from a usability perspective: such a dialog confuses quite a few users. It is also bad from a security perspective: if the user chooses Y or I (install the package maintainer's version), the user may lose their (security) settings, for example their proxy and/or obfuscated bridges settings.
  • /etc/tor/torrc.examples contains configuration examples.
  • Whonix's Tor settings go into /usr/share/tor/tor-service-defaults-torrc.
  • Users will ignore /usr/share/tor/tor-service-defaults-torrc, because this file is barely advertised and barely popular.
  • /usr/share/tor/tor-service-defaults-torrc can be updated without any conflicts with user modifications.
  • https://github.com/Whonix/anon-gw-anonymizer-config

Rejected Alternatives

Only Two Config Files

  • Using only /usr/share/tor/tor-service-defaults-torrc and /etc/tor/torrc, not using /etc/tor/torrc.examples.
  • And having configuration examples (instructions) in /usr/share/tor/tor-service-defaults-torrc. Using a minimal /etc/tor/torrc to tell them to look into /usr/share/tor/tor-service-defaults-torrc for configuration examples.
  • This is a bad idea, because users would be tempted to comment in (uncomment) things in /usr/share/tor/tor-service-defaults-torrc.
  • If they do this, their settings would get lost and overwritten without asking the next time they update anon-gw-anonymizer-config, because /usr/share/tor/tor-service-defaults-torrc is not a configuration file (it is in the /usr folder, not the /etc folder).

Only One Config File

  • Using only /etc/tor/torrc, leaving /usr/share/tor/tor-service-defaults-torrc with defaults (from Debian), not using /etc/tor/torrc.examples.
  • Using /etc/tor/torrc for user examples, user's own modifications and Whonix's Tor settings.
  • This is bad, because when users have edited /etc/tor/torrc and anon-gw-anonymizer-config gets updated, it will throw an interactive dpkg conflict resolution dialog[1]. Users might decide to keep their old config file and will miss (security) improvements.

Missing /etc/tor.d/ Feature

Upstream feature request:
torrc.d-style configuration directories

Not having an /etc/tor.d/ style folder (similar to Whonix modular flexible .d style configuration folders) makes implementing additional features that require additional Tor (/etc/tor/torrc) settings much harder. For example, it would improve usability to provide a whonix-gw-hidden-webserver package that automates the Whonix-Gateway specific instructions for Hidden Services. If there were an /etc/tor.d/ style folder, we could just drop the configuration snippet there, and if the feature gets disabled or the package uninstalled, that configuration snippet gets purged. Adding settings to /etc/tor/torrc with a script is problematic, because those additions cannot be removed by a script if the user has even slightly modified those lines.

Maybe clearly marking the configuration snippet would help.

### BEGIN whonix-gw-hidden-webserver ###
## Add your modifications on top of BEGIN or below END.
## It is automatically generated by whonix-gw-hidden-webserver with settings
## from /etc/whonix.d folder. If you edit this section, removal by
## whonix-gw-hidden-webserver will fail. To remove this section, run:
## sudo whonix-hw
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80
### END whonix-gw-hidden-webserver ###
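
One way a package script could add and later remove the marked section, refusing removal when the section was edited (an added example, not Whonix code; the function names, the body-file argument and the sample torrc lines are assumptions made for illustration):

```shell
#!/bin/sh
# Marker text is from the page; function names and file layout are assumptions.
BEGIN_MARK='### BEGIN whonix-gw-hidden-webserver ###'
END_MARK='### END whonix-gw-hidden-webserver ###'

# Print the generated section: both markers around the body read from file $1.
render_block() { printf '%s\n' "$BEGIN_MARK"; cat "$1"; printf '%s\n' "$END_MARK"; }

# Print the section currently present in torrc-style file $1 (markers included).
extract_block() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0 == b { sec = 1 } sec { print } $0 == e { sec = 0 }' "$1"
}

# Append the section to $1; return 1 if a BEGIN marker is already there.
add_block() {
    if grep -qxF -e "$BEGIN_MARK" "$1"; then return 1; fi
    render_block "$2" >> "$1"
}

# Remove the section from $1 only if it still equals what was generated from $2.
# Returns 1 if no section is present, 2 if it was edited (file left untouched).
remove_block() {
    grep -qxF -e "$BEGIN_MARK" "$1" || return 1
    [ "$(extract_block "$1")" = "$(render_block "$2")" ] || return 2
    tmp=$(mktemp) || return 3
    # Rewrite in place (cat, not mv) so the file keeps its owner and mode.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0 == b { sec = 1 } !sec { print } $0 == e { sec = 0 }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"; st=$?
    rm -f "$tmp"; return "$st"
}

# Demo on constructed files in a temporary directory.
d=$(mktemp -d)
printf '%s\n' 'HiddenServiceDir /var/lib/tor/hidden_service/' 'HiddenServicePort 80' > "$d/body"
printf '%s\n' 'DisableNetwork 0' > "$d/torrc"   # constructed user setting
add_block "$d/torrc" "$d/body"
if remove_block "$d/torrc" "$d/body"; then echo "torrc after removal: $(cat "$d/torrc")"; fi
rm -rf "$d"
```

Lines above BEGIN and below END survive removal; a changed line inside the section makes `remove_block` return 2 without writing to the file.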

Tor Control

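# Open an interactive connection to Tor's control socket.
socat - UNIX-CONNECT:/var/run/tor/control

# Print the AUTHENTICATE command with the hex-encoded control auth cookie, to be sent over that connection.
echo "AUTHENTICATE $(xxd -c 32 -g 0 /var/run/tor/control.authcookie | awk '{print $2}')"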


  1. Interactive dpkg conflict resolution dialog example:
    Configuration file `/etc/tor/torrc'
     ==> Modified (by you or by a script) since installation.
     ==> Package distributor has shipped an updated version.
       What would you like to do about it ?  Your options are:
        Y or I  : install the package maintainer's version
        N or O  : keep your currently-installed version
          D     : show the differences between the versions
          Z     : background this process to examine the situation
     The default action is to keep your current version.
    *** interfaces (Y/I/N/O/D/Z) [default=N] ? N
  2. Because /etc/tor/torrc ships with a commented-out #DisableNetwork 0 line, which whonixsetup comments in, i.e. whonixsetup changes that line to DisableNetwork 0, which dpkg will consider a user modification.
