Lantern
Introduction
Lantern is a censorship circumvention tool, an alternative to Tor bridges.
Lantern "implemented a bandwidth limitation of 500 MB/ month. When the bandwidth limit is reached, the connection is slowed down and Free users are prompted to upgrade to Lantern Pro". Specifically, the connection is slowed down to approximately 20KB/s, which makes Lantern close to unusable. On the other hand, considering the payment methods the Lantern company offers, it is nearly impossible to pay for Lantern Pro without damaging one's privacy and/or anonymity.
TODO: expand
Connecting to Lantern before Tor
Testers only!
It is possible to configure Tor to use Lantern as proxy to establish the following tunnel:
User -> Lantern -> Tor -> Internet
If you want to do this, apply the following instructions.
Qubes-Whonix only! Non-Qubes-Whonix is unsupported.
In case you want to do that, it is recommended to read the following related wiki article: Tunnels/Introduction
For current limitations, see also blog post / forum discussion:
https://www.whonix.org/blog/connecting-to-lantern-before-tor
Create a new standalone ProxyVM called Lantern-Gateway based on Debian-8 template.
In the Lantern-Gateway ProxyVM, the iptables rules must be unloaded.
If using Qubes, disable qubes-iptables and qubes-firewall systemd services. Non-Qubes users can skip this.
sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall
Open ~/fw-unload in an editor.
If you are using a graphical environment, run.
If you are using a terminal (Konsole), run.
Add.
#!/bin/bash
## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -o pipefail
error_handler() {
echo "ERROR!" >&2
exit 1
}
trap "error_handler" ERR
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X
$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT
$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X
exit 0
Save.
Make ~/fw-unload executable.
chmod +x ~/fw-unload
Unload all iptables firewall rules.
sudo ~/fw-unload
After firewall unload, run the following command to see if all firewall rules are really unloaded.
sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'
The output should show.
*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
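Comparing that output by eye is error-prone, so the following added example (not part of the original page or of fw-unload) reads iptables-save output and lists anything that is not the unloaded state. The function names and both sample inputs are constructed for illustration; EXAMPLE-CHAIN is a made-up chain name.

```shell
#!/bin/sh
# Added example, not part of fw-unload. Reads iptables-save (or ip6tables-save)
# output on stdin and prints one line per leftover: an appended rule, a
# user-defined chain, or a built-in chain whose policy is not ACCEPT.
fw_leftovers() {
    awk '
        /^#/ || /^COMMIT$/ || NF == 0 { next }       # comments, table end, blanks
        /^\*/ { table = substr($1, 2); next }         # "*filter" starts a table
        /^:/ {                                        # ":CHAIN POLICY [counters]"
            chain = substr($1, 2)
            if ($2 == "-")           print table ": user chain " chain
            else if ($2 != "ACCEPT") print table ": policy " chain " " $2
            next
        }
        { print table ": rule " $0 }                  # anything else is a rule
    '
}

# Exit status 0 only when stdin describes a fully unloaded firewall.
fw_is_unloaded() {
    [ -z "$(fw_leftovers)" ]
}

# Constructed sample: the state expected after fw-unload (filter table only).
CLEAN_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: a leftover user chain, one rule and a DROP policy.
DIRTY_SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:EXAMPLE-CHAIN - [0:0]
-A PREROUTING -j EXAMPLE-CHAIN
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

printf '%s\n' "$CLEAN_SAMPLE" | fw_is_unloaded && echo "clean sample: unloaded"
printf '%s\n' "$DIRTY_SAMPLE" | fw_leftovers
# Real use: sudo iptables-save | fw_is_unloaded || echo "rules still loaded"
```

The packet counters are ignored, so the check works with or without the sed normalisation shown above.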
IP Forwarding in the Lantern-Gateway ProxyVM could/should be disabled since it is not required.
sudo sysctl -w net.ipv4.ip_forward=0
Install missing lantern dependency. [1]
sudo apt-get install libappindicator3-1
Check if the downloaded deb file is still the right file. Go to https://getlantern.org/ and check for desktop, linux downloads.
curl --tlsv1.2 --proto =https https://s3.amazonaws.com/lantern/lantern-installer-beta-64-bit.deb --output ~/lantern-installer-beta-64-bit.deb
Install lantern. [2]
sudo dpkg -i ~/lantern-installer-beta-64-bit.deb
Start lantern listening on all network interfaces, not just the internal one, so that it is reachable from sys-whonix.
Let lantern listen for HTTP proxy requests.
lantern -addr 0.0.0.0:8787
Or let lantern listen for SOCKS5 proxy requests which is preferred.
lantern -socksaddr 0.0.0.0:8788
Shut down sys-whonix if running. Set sys-whonix NetVM to Lantern-Gateway. Restart sys-whonix.
In sys-whonix.
Note: For Whonix 14 and later releases, all unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf. Users should not edit /etc/tor/torrc directly.
Open /etc/tor/torrc.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu -> Applications -> Settings -> /etc/tor/torrc
If you are using a terminal-only Whonix-Gateway, complete the following steps.
Add one of the following lines, according to the proxy type lantern is listening for. [5] [6]
10.137.11.1 is just an example. You need to replace 10.137.11.1 with the IP of your Lantern-Gateway ProxyVM. You could run the following command within sys-whonix to find out the IP of your Lantern-Gateway ProxyVM.
qubesdb-read /qubes-gateway
HTTPSProxy 10.137.11.1:8787
Socks5Proxy 10.137.11.1:8788
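Because the Lantern-Gateway address can change, the proxy line can go stale. The following added example (not part of the original page) checks a torrc fragment for exactly one proxy line that targets the current gateway on the port used on this page; the function name and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Whonix page. Reads a torrc fragment on stdin and
# checks that exactly one proxy line is active and that it targets GATEWAY_IP on
# the port used on this page (8787 for HTTPSProxy, 8788 for Socks5Proxy).
# Usage in sys-whonix (file path as given for Whonix 14 and later):
#   torrc_proxy_check "$(qubesdb-read /qubes-gateway)" < /usr/local/etc/torrc.d/50_user.conf
torrc_proxy_check() {
    awk -v gw="$1" '
        BEGIN { want["httpsproxy"] = "8787"; want["socks5proxy"] = "8788" }
        { sub(/#.*/, "") }                              # strip comments
        NF >= 2 && (tolower($1) in want) {              # option names ignore case
            n++; key = tolower($1); name = $1; target = $2
        }
        END {
            if (n == 0) { print "error: no HTTPSProxy or Socks5Proxy line"; exit 1 }
            if (n > 1)  { print "error: " n " proxy lines, the page asks for one"; exit 1 }
            split(target, hp, ":")
            if ((hp[1] "") != (gw "")) {                # force string comparison
                print "error: " name " points at " hp[1] " but the gateway is " gw
                exit 1
            }
            if ((hp[2] "") != want[key]) {
                print "error: " name " uses port " hp[2] ", expected " want[key]
                exit 1
            }
            print "ok: " name " " target
        }
    '
}

# Constructed sample using the example address 10.137.11.1 from this page.
SAMPLE_TORRC='# HTTPSProxy 10.137.11.1:8787
Socks5Proxy 10.137.11.1:8788'

printf '%s\n' "$SAMPLE_TORRC" | torrc_proxy_check 10.137.11.1
# Gateway address changed (constructed value): the stale line is reported.
printf '%s\n' "$SAMPLE_TORRC" | torrc_proxy_check 10.137.11.5 || true
```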
Reload Tor.
After editing /etc/tor/torrc, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /etc/tor/torrc and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu -> Applications -> Settings -> Reload Tor
If you are using a terminal-only Whonix-Gateway, complete the following steps.
Reload Tor.
Check Tor's daemon status.
It should include a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc". Configuration was valid
Done. Tor will use Lantern as proxy.
Footnotes
- ↑ Lack of a dependency declaration when installing Lantern on Debian
- ↑
- proper Debian deb package: https://github.com/getlantern/lantern/issues/4837
- Debian APT repository with lantern: https://github.com/getlantern/lantern/issues/4837
- add lantern to official Debian repositories: https://github.com/getlantern/lantern/issues/4837
- Debian lantern RFP (request for packaging): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828932
- ↑
In Lantern-Gateway, check if lantern's http port is functional.
curl --tlsv1.2 --proto =https --proxytunnel --proxy 127.0.0.1:8787 https://check.torproject.org
In Lantern-Gateway, check if lantern's socks port is functional.
curl --tlsv1.2 --proto =https --socks5-hostname socks5h://127.0.0.1:8788 https://check.torproject.org
- ↑
In sys-whonix, test if Tor is able to reach the http proxy that Lantern is providing.
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --proxytunnel --proxy 10.137.11.1:8787 https://check.torproject.org
In sys-whonix, test if Tor is able to reach the socks proxy that Lantern is providing.
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --socks5-hostname socks5h://10.137.11.1:8788 https://check.torproject.org
- ↑
Socks would be better. According to https://github.com/getlantern/lantern/issues/2075 lantern already does have socks support. Issues opened: https://github.com/getlantern/lantern/issues/4838
Socks5Proxy 10.137.11.1:8788
- ↑ Setup will become easier with less need for IP changes as soon as Qubes implements optional static IP addresses.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.