
Lantern



Lantern - Alternative Censorship Circumvention Tool


Introduction

Lantern is a censorship circumvention tool, an alternative to Tor bridges.

TODO: expand

Connecting to Lantern before Tor

Testers only!

It is possible to configure Tor to use Lantern as a proxy to establish the following tunnel:
User -> Lantern -> Tor -> Internet

If you want to do this, apply the following instructions.

Qubes-Whonix only! Non-Qubes-Whonix is unsupported.

Before doing so, it is recommended to read the related wiki article: Tunnels/Introduction

For current limitations, see also blog post / forum discussion:
https://www.whonix.org/blog/connecting-to-lantern-before-tor

Create a new standalone ProxyVM called Lantern-Gateway based on Debian-8 template.

In Lantern-Gateway ProxyVM, you need to unload iptables rules.

If you are using Qubes, disable qubes-iptables and qubes-firewall systemd services. Non-Qubes users can skip this.

sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall

Open ~/fw-unload in an editor.

If you are using a graphical environment, run:

kwrite ~/fw-unload

If you are using a terminal (Konsole), run:

nano ~/fw-unload

Add.

#!/bin/bash

## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

set -o pipefail

error_handler() {
  echo "ERROR!" >&2
  exit 1
}

trap "error_handler" ERR

[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT

$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X

$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT

$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X

exit 0

Save.

Make ~/fw-unload executable.

chmod +x ~/fw-unload

Unload all iptables firewall rules.

sudo ~/fw-unload

After unloading the firewall, run the following command to check that all firewall rules are really unloaded.

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

Should show.

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
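
The comparison against the expected output above can be automated. The following is an added example, not part of the original wiki page: a shell function that reads iptables-save output on stdin and reports every non-ACCEPT policy, user-defined chain or remaining rule. The two sample inputs and the chain name EXAMPLE-CHAIN are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output after running ~/fw-unload.
# Prints one line per finding; returns 0 if nothing is left, 1 otherwise.
check_unloaded() {
  awk '
    /^#/ || /^$/ { next }                   # comments and blank lines
    /^\*/ { table = substr($0, 2); next }   # table header, e.g. *filter
    $0 == "COMMIT" { next }
    /^:/ {                                  # ":CHAIN POLICY [packets:bytes]"
      chain = substr($1, 2)
      if ($2 == "-")           { print "user chain " table "/" chain; bad = 1 }
      else if ($2 != "ACCEPT") { print "policy " table "/" chain " " $2; bad = 1 }
      next
    }
    /^-/ { print "rule " table ": " $0; bad = 1; next }   # any leftover rule
    { print "unparsed: " $0; bad = 1 }
    END { exit bad + 0 }
  '
}

# Constructed sample: a fully unloaded filter table.
sample_clean() { cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [12:840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:532]
COMMIT
EOF
}

# Constructed sample: a DROP policy, a user chain and a rule are still loaded.
sample_dirty() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:EXAMPLE-CHAIN - [0:0]
-A FORWARD -j EXAMPLE-CHAIN
COMMIT
EOF
}

# Demo on the constructed samples.
# On the real VM: sudo iptables-save | check_unloaded
sample_clean | check_unloaded && echo "clean sample: firewall unloaded"
sample_dirty | check_unloaded || echo "dirty sample: rules remain"
```

Because ~/fw-unload also flushes the IPv6 tables, the same function can be fed the output of sudo ip6tables-save.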

IP Forwarding in the Lantern-Gateway ProxyVM could/should be disabled since it is not required.

sudo sysctl -w net.ipv4.ip_forward=0

Install missing lantern dependency. [1]

sudo apt-get install libappindicator3-1

Download the Lantern deb file. Check first that it is still the right file: go to https://getlantern.org/ and look for the desktop, Linux downloads.

curl --tlsv1.2 --proto =https https://s3.amazonaws.com/lantern/lantern-installer-beta-64-bit.deb --output ~/lantern-installer-beta-64-bit.deb

Install lantern. [2]

sudo dpkg -i ~/lantern-installer-beta-64-bit.deb

Start lantern listening on all network interfaces, not just the internal one, so that it is reachable from sys-whonix.

lantern -addr 0.0.0.0:8788

[3]

Shut down sys-whonix if running. Set sys-whonix NetVM to Lantern-Gateway. Restart sys-whonix.

[4]

In sys-whonix, open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add the following. [5] [6]

10.137.11.1 is just an example. You need to replace 10.137.11.1 with the IP of your Lantern-Gateway ProxyVM. To find out the IP of your Lantern-Gateway ProxyVM, you could run the following command within sys-whonix.

qubesdb-read /qubes-gateway

HTTPSProxy 10.137.11.1:8788

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if you are not able to connect to Tor after completing all these steps, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Done. Tor will use Lantern as proxy.

Footnotes

  1. Lack of a dependency declaration when installing Lantern on Debian
  2. In Lantern-Gateway, check if lantern's http port is functional.
    curl --tlsv1.2 --proto =https --proxytunnel --proxy 127.0.0.1:8788 https://check.torproject.org
    In Lantern-Gateway, check if lantern's socks port is functional.
    curl --tlsv1.2 --proto =https --socks5-hostname socks5h://127.0.0.1:8788 https://check.torproject.org
  3. In sys-whonix, test if Tor is able to reach the http proxy that Lantern is providing.
    UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --proxytunnel --proxy 10.137.11.1:8788 https://check.torproject.org
    In sys-whonix, test if Tor is able to reach the socks proxy that Lantern is providing.
    UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --socks5-hostname socks5h://10.137.11.1:8788 https://check.torproject.org
  4. Socks would be better. According to https://github.com/getlantern/lantern/issues/2075 lantern already does have socks support. Issues opened: https://github.com/getlantern/lantern/issues/4838
    Socks5Proxy 10.137.11.1:8788
    
  5. Setup will become easier with less need for IP changes as soon as Qubes implements optional static IP addresses.
