Actions

Non-Whonix ™ Tor Browser

From Whonix



About this Non-Whonix ™ Tor Browser Page
Support Status stable
Difficulty easy
Contributor torjunkie [archive]
Support Support
Tbboutside.jpg

Introduction[edit]

Community Support Only!:
Info

Community Support Only means Whonix ™ developers are unlikely to provide free support for wiki chapters or pages with this tag. See Community Support for further information, including implications and possible alternatives.

Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the Whonix ™ platform. This is useful in various cases:

  • Should Whonix ™ ever break, it is possible to search for a solution anonymously.
  • System-wide Tor problems can be easily detected by testing connectivity outside of Whonix ™.
  • Certain Tor / Tor Browser activities are difficult (or impossible) to configure in Whonix ™, but are much easier in the standard configuration. [1]

In Non-Qubes-Whonix ™, it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In Qubes-Whonix ™, it is recommended to install Tor Browser in a debian-10 or debian-10-minimal AppVM (advanced users).

Note: If an expired key signature message like below appears, the steps in this chapter must be performed again due to an update of the Whonix ™ signing key; see Expired key signature [archive]. 

The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer adrelanos@riseup.net

Easy[edit]

All Platforms: Manual Tor Browser Download[edit]

Follow these instructions to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless Qubes-Whonix ™ users temporarily set sys-whonix as the NetVM for the non-Whonix ™ AppVM.

Debian Linux Hosts[edit]

Tor Browser can optionally be downloaded utilizing the tb-updater [archive] software package by Whonix ™ developers. By default the download does not occur over Tor, meaning it is not anonymous.

1. Add the Whonix ™ signing key.

Complete the following steps to add the Whonix ™ Signing Key to the system's APT keyring.

Open a terminal.

Install curl, gpg, gpg-agent. [2]

Install curl gpg gpg-agent.

1. Update the package lists. 

sudo apt-get update

2. Upgrade the system. 

sudo apt-get dist-upgrade

3. Install the curl gpg gpg-agent package.

Using apt-get command line parameter --no-install-recommends is in most cases optional. 

sudo apt-get install --no-install-recommends curl gpg gpg-agent

The procedure of installing curl gpg gpg-agent is complete.

Download Whonix ™ Signing Key. [3]

If you are using a Qubes TemplateVM, run. 

curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc

If you are using Debian, run. 

curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc

Users can check Whonix ™ Signing Key for better security.

Add Whonix ™ signing key to APT trusted keys. 

sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc

The procedure of adding Whonix ™ signing key is now complete.

2. Add the Whonix ™ APT repository. 

echo “deb https://deb.whonix.org buster main contrib non-free” | sudo tee /etc/apt/sources.list.d/derivative.list

3. Update the package lists. 

sudo apt-get update

4. Install tb-updater. 

sudo apt-get install tb-updater

Moderate: Qubes-Whonix ™[edit]

Ambox notice.png Qubes-Whonix ™ R4 only! This method is anonymous.

These instructions:

  1. Anonymously retrieve and verify the Whonix ™ signing key.
  2. Copy the Whonix ™ signing key to a debian-10 (debian-10-tor) or debian-10-minimal (debian-10-minimal-tor) TemplateVM clone.
  3. Add the Whonix ™ signing key to the list of trusted keys.
  4. Install apt-transport-tor in the debian-10-tor / debian-10-minimal-tor TemplateVM.
  5. Add the Whonix ™ stable APT repository.
  6. Install tb-updater from the Whonix ™ stable repository.
  7. Create a debian-tor-browser / debian-10-tor-minimal AppVM based on the TemplateVM clone.

The debian-10-minimal template provides a smaller attack surface, but is recommended for advanced users. Several package prerequisites are required for full functionality; see footnote. [4]

Clone the TemplateVM[edit]

Info Prerequisite: The debian-10 or debian-10-minimal TemplateVM must be manually installed first if it not already available. In dom0, run either. 

sudo qubes-dom0-update qubes-template-debian-10

Or. 

sudo qubes-dom0-update qubes-template-debian-10-minimal

In Qube Manager: Right-click debian-10 or debian-10-minimal templateClone qubeRename to debian-10-tor or debian-10-minimal-tor

anon-whonix Steps[edit]

Run the following commands in anon-whonix terminal. Advanced users can utilize a Whonix ™ DispVM instead in this section.

1. Download the Whonix ™ signing key. 

curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc

2. Display the key fingerprint. 

gpg --keyid-format long --import --import-options show-only --with-fingerprint patrick.asc

3. Verify the Whonix ™ signing key fingerprint.

Compare the fingerprint to the one found here. The most important check is confirming the fingerprint exactly matches the output below. [5] 

      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA

The message gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys is related to the The OpenPGP Web of Trust. Advanced users can learn more about this here.

4. Rename the Whonix ™ signing key to a temporary whonix.key file. 

mv patrick.asc /tmp/whonix.key

5. Copy the whonix.key text file to the debian-10-tor or debian-10-minimal-tor TemplateVM. 

qvm-copy /tmp/whonix.key debian-10-tor

Or. 

qvm-copy /tmp/whonix.key debian-10-minimal-tor

TemplateVM Steps[edit]

Complete the following steps in debian-10-tor or debian-10-minimal-tor terminal.

1. Add the Whonix ™ signing key to the list of trusted keys. 

sudo apt-key add ~/QubesIncoming/anon-whonix/whonix.key

2. Install apt-transport-tor [archive] from the Debian repository. [6] 

sudo apt-get install apt-transport-tor

3. Add the Whonix ™ stable APT repository. [7] [8] 

echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

4. Update the package lists. 

sudo apt-get update

5. Install tb-updater by Whonix ™. 

sudo apt-get install tb-updater

Note: This step will correctly install tb-updater and should also automatically download Tor Browser. If that does not occur, complete steps 2 to 4 below after creating an AppVM.

AppVM Steps[edit]

1. Create an AppVM based on the debian-10-tor or debian-10-minimal-tor TemplateVM.

In Qube Manager: Left-click QubeCreate new qube

Use the following settings:

  • Name and label: debian-tor-browser or debian-minimal-tor-browser
  • Type: AppVM
  • Template: debian-10-tor or debian-10-minimal-tor
  • Networking: default (sys-firewall)

2. Optional: Temporarily set sys-whonix as the NetVM for the Debian AppVM.

If Tor Browser was not downloaded at step 5 in the previous section, complete steps 2 to 4.

In Qube Manager: Right-click debian-tor-browser or debian-minimal-tor-browserQube settingsNetworkingSelect sys-whonixOK

3. Optional: Download Tor Browser.

In terminal, run. 

update-torbrowser --input gui

4. Optional: Revert the networking setting to sys-firewall in Qube Manager.

5. Launch Tor Browser from the AppVM menu and check it is functional.

Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the update-torbrowser command again.

Figure: Tor Browser in Qubes' debian-minimal-tor-browser AppVM

Debian10minimaltorbrowser.png

Footnotes[edit]

  1. For example, the Snowflake pluggable transport client is currently experimental in Whonix ™.
  2. gpg is required by apt-key. gpg-agent is required due to the following error message. 
    sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc

    gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
gpg: can't connect to the agent: No such file or directory
  3. See Secure Downloads to understand why curl and the parameters --tlsv1.3 --proto =https are used instead of wget.
  4. At the time of writing the Qubes documentation [archive] and forums [archive] suggest the following packages:
    • qubes-core-agent-passwordless-root
    • qubes-core-agent-networking
    • qubes-core-agent-nautilus
    • nautilus
    • zenity
    • gnome-keyring
    • policykit-1
    • libblockdev-crypto2
    • pulseaudio-qubes
  5. Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
  6. For support in downloading APT packages anonymously via the Tor network.
  7. Alternatively use the stable onion APT repository: 
    echo "deb http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

  8. Note: tor+http does not work in this configuration.
Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Install Tor Browser Outside of Whonix&body=https://www.whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix&title=Install Tor Browser Outside of Whonix link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix&t=Install Tor Browser Outside of Whonix link=https://mastodon.technology/share?message=Install Tor Browser Outside of Whonix%20https://www.whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix&t=Install Tor Browser Outside of Whonix

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Retrieved from "https://www.whonix.org/w/index.php?title=Install_Tor_Browser_Outside_of_Whonix&oldid=65201"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information