Actions

Non-Whonix ™ Tor Browser

From Whonix

About this Non-Whonix ™ Tor Browser Page
Support Status stable
Difficulty easy
Maintainer torjunkie
Support Support

Introduction[edit]

Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the Whonix ™ platform. This is useful in various cases:

  • Should Whonix ™ ever break, it is possible to search for a solution anonymously.
  • System-wide Tor problems can be easily detected by testing connectivity outside of Whonix ™.
  • Certain Tor / Tor Browser activities are difficult (or impossible) to configure in Whonix ™, but are much easier in the standard configuration. [1]

In Non-Qubes-Whonix ™, it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In Qubes-Whonix ™, it is recommended to install Tor Browser in a debian-10 AppVM.

Easy[edit]

All Platforms: Manual Tor Browser Download[edit]

Follow these instructions to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless Qubes-Whonix ™ users temporarily set sys-whonix as the NetVM for the non-Whonix ™ AppVM.

Debian Linux Hosts[edit]

Tor Browser can optionally be downloaded utilizing the tb-updater software package by Whonix ™ developers. By default the download does not occur over Tor, meaning it is not anonymous.

1. Add the Whonix ™ signing key.

Whonix first time users warning Warning:

The following command using gpg with --recv-keys either does no longer work or should not be used for security reasons. [2] The OpenPGP public key should be downloaded from the web instead. See also Secure Downloads. This is currently undocumented. This is not a Whonix ™ issue. It can be resolved as per Free Support Principle. Contributions to documentation are happily considered.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

2. Add the Whonix ™ APT repository.

echo “deb http://deb.whonix.org buster main contrib non-free” | sudo tee /etc/apt/sources.list.d/whonix.list

3. Update the package lists.

sudo apt-get update

4. Install tb-updater.

sudo apt-get install tb-updater

Moderate: Qubes-Whonix ™[edit]

Ambox notice.png Qubes-Whonix ™ R4 only! This method is anonymous.

The Qubes-Whonix ™ R4 or above instructions using Whonix ™ tb-updater are a little more difficult because TemplateVMs are non-networked by default.

These instructions:

  1. Anonymously retrieve and verify the Whonix ™ signing key.
  2. Copy the Whonix ™ signing key to a debian-10 TemplateVM clone (debian-10-tor).
  3. Add the Whonix ™ signing key to a list of trusted keys.
  4. Install apt-transport-tor in the debian-10-tor TemplateVM.
  5. Add the Whonix ™ onion repository.
  6. Install tb-updater from the Whonix ™ stable repository.
  7. Create a debian-tor-browser AppVM based on the debian-10 TemplateVM clone.
  8. Complete the anonymous installation of Tor Browser in the non-Whonix ™ VM.

Clone the debian-10 TemplateVM[edit]

Info Prerequisite: The Debian 10 TemplateVM must be manually installed first. In dom0, run.

sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-10

In Qube Manager: Right-click debian-10 templateClone qubeRename to debian-10-tor

anon-whonix Steps[edit]

Run the following commands in anon-whonix Konsole.

1. Add the Whonix ™ signing key.

Whonix first time users warning Warning:

The following command using gpg with --recv-keys either does no longer work or should not be used for security reasons. [3] The OpenPGP public key should be downloaded from the web instead. See also Secure Downloads. This is currently undocumented. This is not a Whonix ™ issue. It can be resolved as per Free Support Principle. Contributions to documentation are happily considered.

sudo apt-key adv --keyserver jirk5u4osbsr34t5.onion --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

2. Display the key fingerprint.

sudo apt-key adv --fingerprint 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

3. Verify the Whonix ™ signing key fingerprint.

Compare the fingerprint to the one found here.

4. Copy the Whonix ™ signing key to a temporary whonix.key file.

sudo apt-key export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA > /tmp/whonix.key

5. Copy the whonix.key text file to the debian-10-tor TemplateVM.

qvm-copy /tmp/whonix.key debian-10-tor

debian-10-tor TemplateVM Steps[edit]

Complete the following steps in debian-10-tor Konsole.

1. Add the Whonix ™ signing key to the list of trusted keys.

sudo apt-key add ~/QubesIncoming/anon-whonix/whonix.key

2. Install apt-transport-tor from the Debian repository. [4]

sudo apt-get install apt-transport-tor

3. Add the Whonix ™ stable onion APT repository.

Note: tor+http does not work in this configuration.

echo "deb http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

4. Update the package lists.

sudo apt-get update

5. Install tb-updater by Whonix ™.

sudo apt-get install tb-updater

Note: This step will correctly install tb-updater, but if it tries to automatically download Tor Browser it will fail because the download attempt from The Tor Project is blocked by default.

debian-tor-browser AppVM Steps[edit]

1. Create an AppVM based on the debian-10-tor TemplateVM: debian-tor-browser.

In Qube Manager: Left-click QubeCreate new qube

Use the following settings:

  • Name and label: debian-tor-browser
  • Type: AppVM
  • Template: debian-10-tor
  • Networking: default (sys-firewall)

2. Temporarily set sys-whonix as the NetVM for the Debian AppVM.

In Qube Manager: Right-click debian-tor-browserQube settingsNetworkingSelect sys-whonixOK

3. Download Tor Browser.

In Konsole, run.

update-torbrowser --input gui

4. Revert the networking setting to sys-firewall in Qube Manager.

5. Launch Tor Browser from the AppVM menu and check it is functional.

Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the update-torbrowser command again.

Footnotes[edit]

  1. For example, the Snowflake pluggable transport client is currently unavailable in Whonix ™.
  2. https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607
  3. https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607
  4. For support in downloading APT packages anonymously via the Tor network.

[advertisement] Looking to Sell Your Company? Contact me.


Bored? Want to chat with other Whonix users? Join us in IRC chat (Webchat).

https | (forcing) onion
Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png 1024px-Telegram 2019 Logo.svg.png

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.