Tor integration in Whonix ™ Development Notes

From Whonix
< Dev

Tor Version[edit]

According to the Tor release note, there are usually several different major versions of Tor supported by the Tor project. However, due to the the limited time the Tor packager has, only a few major versions are packaged and ready to be used.

For example, in December, 2017, five major versions of Tor were supported. Specifically:

  1. Debian stretch repository contained another LTS, which was version 0.2.9.
  2. deb.torproject.org, also known as Tor, Tor Project or TPO repository, had the latest stable Tor which was version 0.3.1.9.

A major consideration in choosing the most suitable Tor version for Whonix ™ is that the latest stable found in the TPO repository may lead to network breakage. [1] The reason is the "stable" tag indicates it is stable version of Tor, which does not necessarily match the "stable" Debian version that Whonix ™ is actually using. [2]

There are three primary Tor options for Whonix ™ developers and each of them has pros and cons:

1. Use the Tor LTS version from the official Debian package repository: packages.debian.org

  • Advantages: Minimal effort is required in Whonix ™.
  • Disadvantages: Misses the advantages of later versions (see below).

2. Use latest stable in TPO repository and allow testers to use the Tor nightly build in Whonix ™, with bug reporting bug to TPO

  • Advantages: Latest features, better security, improved Tor Browser compatibility (using SocksPort with flags and even better connectivity performance). [3]
  • Disadvantages:
    • From the Whonix ™ perspective, these packages are uploaded to deb.torproject.org at random times. These packages are not guaranteed to be compatible with Whonix ™. While there are no security concerns, these packages could break a system's APT package management (due to incompatible dependencies) or connectivity, in case Tor refuses to start. This can arise due to a configuration incompatibility in a newer version of Tor, or for other reasons such as systemd or apparmor related changes.
    • In May 2021 a transient repository issue broke Whonix ™ build process.
    • There is nothing similar to snapshot.debian.org. Keeps changing (newer versions being added). Hence, can introduce build issues such as above. Unsuitable for reproducible builds / Verifiable Builds.
    • Porting to other architectures issues.
      • Only available for the i386, amd64, arm64 architectures.
      • Introduces differences / issues such as for example for the ppc64el platform. [4]

3. Versions are downloaded from deb.torproject.org, verified to work, and then migrated to deb.whonix.org

  • Advantages: Flexibility in version selection, a guaranteed way to confirm that only stable Tor versions which are functional in Whonix ™ will be uploaded.
  • Disadvantages:
    • A few testers are needed, manual uploads are required, and Whonix ™ touches Tor.
    • Other issues from 2. above equally apply.

Whonix ™ developers have chosen the third method for now. [5] However, the comparison above suggests better security and compatibility is afforded by the second option. This approach requires a lot of active testers who can use the Tor nightly build and report bugs to the Tor project or Whonix ™. [6]

Tor Config Files[edit]

Rationale for Tor Drop-In Configuration Folder[edit]

Having a Tor Configuration Drop-In Folder makes implementation of additional features that require additional Tor settings much easier. For example it could improve usability to provide a whonix-gw-hidden-webserver package, that automates the Whonix-Gateway ™ specific instructions for Onion Services. Such a package could just drop the configuration snippet there, and if the feature gets disabled or the package installed, that configuration snippet gets purged. Adding additions to /etc/tor/torrc with a script is problematic, because those additions cannot be removed by a script if the user slightly modified those lines and because these can cause a dpkg interactive conflict resolution dialog.

Current Implementation[edit]

The implementation is as it follows.

Rejected Alternatives[edit]

Only Two Config Files[edit]

  • Using only /usr/share/tor/tor-service-defaults-torrc and /etc/tor/torrc, not using /etc/tor/torrc.examples.
  • And having configuration examples (instructions) in /usr/share/tor/tor-service-defaults-torrc. Using a minimal /etc/tor/torrc to tell them to look into /usr/share/tor/tor-service-defaults-torrc for configuration examples.
  • This is a bad idea, because users get tempted comment in things in /usr/share/tor/tor-service-defaults-torrc.
  • When they do this, they settings would get lost and overwritten without asking next time they update anon-gw-anonymizer-config, because /usr/share/tor/tor-service-defaults-torrc is not a configuration file (since in /usr, not /etc folder).

Only One Config File[edit]

  • Using only /etc/tor/torrc, leaving /usr/share/tor/tor-service-defaults-torrc with defaults (from Debian), not using /etc/tor/torrc.examples.
  • Using /etc/tor/torrc for user examples, user's own modifications and Whonix ™ Tor settings.
  • This is bad, because when users have edited /etc/tor/torrc and anon-gw-anonymizer-config gets updated, it will throw an dpkg interactive conflict resolution dialog. Users might decide to keep their old config file and will miss (security) improvements.

Tor Control[edit]

See [[Dev/onion-grater

  1. Talking_to_the_real_Tor_Control_Port|Talking to the real Tor Control Port]].

Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?[edit]

The short answer is this option was discussed with The Tor Project and Whonix ™ was granted permission to do so.

Interested readers who want to learn more should review the following:

Forum Discussion[edit]

Tor Duplicate Config File Restart Bug[edit]

May 27 13:04:26 host systemd[1]: tor.service: Succeeded.
May 27 13:04:26 host systemd[1]: Stopped Anonymizing overlay network for TCP (multi-instance-master).
May 27 13:04:26 host systemd[1]: Stopping Anonymizing overlay network for TCP (multi-instance-master)...
May 27 13:04:26 host systemd[1]: Stopping Anonymizing overlay network for TCP...
May 27 13:04:26 host systemd[1]: tor@default.service: Succeeded.
May 27 13:04:26 host systemd[1]: Stopped Anonymizing overlay network for TCP.
May 27 13:04:26 host systemd[1]: tor@default.service: Consumed 1min 6.810s CPU time.
May 27 13:04:26 host systemd[1]: anon-gw-anonymizer-config.service: Succeeded.
May 27 13:04:26 host systemd[1]: Stopped Make Sure Torrc Files Exist and Clean Tor Config Folders.
May 27 13:04:26 host systemd[1]: Stopping Make Sure Torrc Files Exist and Clean Tor Config Folders...
May 27 13:04:26 host systemd[1]: Starting Make Sure Torrc Files Exist and Clean Tor Config Folders...
May 27 13:04:26 host tor-config-sane[17986]: + '[' '!' -d /etc/tor ']'
May 27 13:04:26 host tor-config-sane[17986]: + '[' '!' -d /etc/torrc.d ']'
May 27 13:04:26 host tor-config-sane[17986]: + '[' '!' -d /usr/local/etc/torrc.d ']'
May 27 13:04:26 host tor-config-sane[17986]: + '[' '!' -e /etc/tor/torrc ']'
May 27 13:04:26 host tor-config-sane[17986]: + '[' '!' -e /etc/torrc.d/95_whonix.conf ']'
May 27 13:04:26 host tor-config-sane[17986]: + '[' '!' -e /usr/local/etc/torrc.d/40_tor_control_panel.conf ']'
May 27 13:04:26 host tor-config-sane[17986]: + '[' '!' -e /usr/local/etc/torrc.d/50_user.conf ']'
May 27 13:04:26 host tor-config-sane[17986]: + '[' -n '' ']'
May 27 13:04:26 host tor-config-sane[17986]: + tor_user=debian-tor
May 27 13:04:26 host tor-config-sane[17986]: + '[' -n '' ']'
May 27 13:04:26 host tor-config-sane[17986]: + tor_group=debian-tor
May 27 13:04:26 host tor-config-sane[17986]: + '[' -n '' ']'
May 27 13:04:26 host tor-config-sane[17986]: + tor_dir=/var/lib/tor
May 27 13:04:26 host tor-config-sane[17986]: + '[' -n '' ']'
May 27 13:04:26 host tor-config-sane[17986]: + client_onion_auth_dir=/var/lib/tor/authdir
May 27 13:04:26 host tor-config-sane[17986]: + mkdir -p /var/lib/tor/authdir
May 27 13:04:26 host tor-config-sane[17986]: + chown debian-tor:debian-tor /var/lib/tor/authdir
May 27 13:04:26 host tor-config-sane[17986]: + search='%include /etc/torrc.d/
May 27 13:04:26 host tor-config-sane[17986]: %include /etc/torrc.d/95_whonix.conf'
May 27 13:04:26 host tor-config-sane[17986]: + replace='%include /etc/torrc.d/'
May 27 13:04:26 host tor-config-sane[17986]: + file_name=/etc/tor/torrc
May 27 13:04:26 host tor-config-sane[17986]: + LANG=C
May 27 13:04:26 host tor-config-sane[17986]: + str_replace '%include /etc/torrc.d/
May 27 13:04:26 host tor-config-sane[17986]: %include /etc/torrc.d/95_whonix.conf' '%include /etc/torrc.d/' /etc/tor/torrc
May 27 13:04:26 host tor-config-sane[17989]: Nothing replaced
May 27 13:04:26 host tor-config-sane[17986]: + true 0
May 27 13:04:26 host tor-config-sane[17990]: /usr/libexec/anon-gw-anonymizer-config/torrc-d-cleaner INFO: start.
May 27 13:04:26 host tor-config-sane[17990]: INFO: dpkg-new file found: /etc/torrc.d/60_network.conf.dpkg-new
May 27 13:04:26 host tor-config-sane[17990]: INFO: dpkg-new file found: /etc/torrc.d/65_gateway.conf.dpkg-new
May 27 13:04:26 host tor-config-sane[17990]: INFO: dpkg-new file found: /etc/torrc.d/65_leak_tests.conf.dpkg-new
May 27 13:04:26 host tor-config-sane[17990]: INFO: dpkg-new file found: /etc/torrc.d/70_workstation.conf.dpkg-new
May 27 13:04:26 host tor-config-sane[17990]: INFO: dpkg-new file found: /etc/torrc.d/95_whonix.conf.dpkg-new
May 27 13:04:26 host tor-config-sane[17990]: /usr/libexec/anon-gw-anonymizer-config/torrc-d-cleaner INFO: success.
May 27 13:04:26 host systemd[1]: Finished Make Sure Torrc Files Exist and Clean Tor Config Folders.
May 27 13:04:26 host systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
May 27 13:04:26 host systemd[1]: Starting Anonymizing overlay network for TCP...
May 27 13:04:26 host systemd[1]: Finished Anonymizing overlay network for TCP (multi-instance-master).
May 27 13:04:26 host vanguards[762]: WARNING[Fri May 27 13:04:26 2022]: Tor daemon connection closed. Trying again...
May 27 13:04:26 host tor[17993]: May 27 13:04:26.803 [notice] Tor 0.4.7.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1n, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.31 as libc.
May 27 13:04:26 host tor[17993]: May 27 13:04:26.803 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
May 27 13:04:26 host tor[17993]: May 27 13:04:26.806 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
May 27 13:04:26 host tor[17993]: May 27 13:04:26.806 [notice] Read configuration file "/etc/tor/torrc".
May 27 13:04:26 host tor[17993]: May 27 13:04:26.807 [notice] Processing configuration path "/etc/torrc.d/" at recursion level 1.
May 27 13:04:26 host tor[17993]: May 27 13:04:26.807 [notice] Including configuration file "/etc/torrc.d//60_network.conf".
May 27 13:04:26 host tor[17993]: May 27 13:04:26.808 [notice] Including configuration file "/etc/torrc.d//60_network.conf.dpkg-new".

Footnotes[edit]

  1. https://forums.whonix.org/t/whonix-gateway-tor-0-2-9-9-unrecommended-no-update-unsafe/4240/8
  2. The Debian target is usually the stable package, which is currently: bullseye) or Whonix ™.
  3. Patrick: "Historically when there was a botnet starting to use Tor, the LTS version barely connected while the latest stable had the ntor handshake which worked." See tor-weekly-news-september-4th-2013.
  4. Package: tor-geoipdb Version: 0.4.5.8-1~d10.buster+1 is Architecture: all and Depends: tor (>= 0.4.5.8-1~d10.buster+1). Thereby for example ended up in Whonix ™ repository for architecture ppc64el. This did not cause an issue yet.
  5. Relative Whonix ™ Forum discussion: https://forums.whonix.org/t/tor-releases-discussion/4578
  6. Please contact us if you would like to be a Tor nightly build tester for Whonix ™.
  7. Click here for an overview of all answers.