Actions

Lantern - Alternative Censorship Circumvention Tool

From Whonix


Introduction[edit]

Lantern is a censorship circumvention tool which can provide an alternative to Tor bridges. The design is similar to a VPN and encrypts all of a user's data through their servers and then proxies blocked sites. Note that Lantern in isolation is not an anonymity tool because it is technically possible to spy on user activity under this model. Another downside is that bandwidth limits also exist for non-subscribers: [1]

Lantern is designed to provide you with fast unfettered access to information online. Lantern is secure and encrypts your connection to blocked sites, but it is not an anonymity tool, so if you need or would like to be anonymous online, please use Tor. Otherwise, Lantern will give you faster access to blocked sites. ... To keep our free version running, we implemented a bandwidth limitation of 500 MB/ month. When the bandwidth limit is reached, the connection is slowed down and Free users are prompted to upgrade to Lantern Pro.

After bandwidth limits are reached the connection slows down to approximately 20KB/s, making Lantern virtually unusable. In order to remove this restriction, users must pay for the 'Lantern Pro' service. [2] The available options mean any payment is likely traceable, but this is not necessarily any more 'damaging' to privacy and/or anonymity than connecting to Lantern in the first place. [3] Interested readers can learn more at the Lantern forums and develeopers Q&A.

Connecting to Lantern before Tor[edit]

Ambox warning pn.svg.png Testers only! Qubes-Whonix ™ only! [4]

It is possible to configure Tor to use Lantern as a proxy to establish the following tunnel: UserLanternTorInternet

Before applying the following instructions, it is recommended to first read:

1. Create a new standalone ProxyVM called Lantern-Gateway based on the Debian-9 template.

2. Unload all firewall rules in Lantern-Gateway ProxyVM.

The iptables rules must be unloaded.

If using Qubes, disable qubes-iptables and qubes-firewall systemd services. Non-Qubes users can skip this.

sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall

Open ~/fw-unload in an editor.

If you are using a graphical environment, run.

mousepad ~/fw-unload

If you are using a terminal (Konsole), run.

nano ~/fw-unload

Add.

#!/bin/bash

## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

set -o pipefail

error_handler() {
  echo "ERROR!" >&2
  exit 1
}

trap "error_handler" ERR

[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT

$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X

$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT

$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X

exit 0

Save.

Make ~/fw-unload executable.

chmod +x ~/fw-unload

Unload all iptables firewall rules.

sudo ~/fw-unload

After firewall unload, run the following command to see if all firewall rules are really unloaded.

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

The output should show.

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT

3. Disable IP Forwarding in the Lantern-Gateway ProxyVM.

This should be disabled since it is not required.

sudo sysctl -w net.ipv4.ip_forward=0

4. Install a missing Lantern dependency. [5]

sudo apt-get install libappindicator3-1

5. Download and install Lantern.

Check if the path to the downloadable deb file is still correct. Navigate to https://getlantern.org/ and check for Linux desktop downloads.

curl --tlsv1.2 --proto =https https://s3.amazonaws.com/lantern/lantern-installer-beta-64-bit.deb --output ~/lantern-installer-beta-64-bit.deb

Install Lantern. [6]

sudo dpkg -i ~/lantern-installer-beta-64-bit.deb

6. Launch Lantern and configure HTTP proxy requests.

Start Lantern while listening on all, not just the internal, network interfaces so it is reachable from sys-whonix.

Let Lantern listen for HTTP proxy requests.

lantern -addr 0.0.0.0:8787

Or let Lantern listen for SOCKS5 proxy requests which is preferred.

lantern -socksaddr 0.0.0.0:8788

[7]

7. Change sys-whonix NetVM settings.

Shut down sys-whonix if it is running. Set the sys-whonix NetVM to Lantern-Gateway, then restart sys-whonix.

It is also encouraged to run various Tor tests at this step; see footnote. [8]

8. Edit the Tor configuration file in sys-whonix.

Info From Whonix 14 onwards, all user unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf and not anywhere else. Note that Whonix will not modify /usr/local/etc/torrc.d/50_user.conf once it is created, therefore the user is responsible for adding or removing specific configurations in this file.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettings/usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Depending on the proxy type configured at step 6, add the relevant setting below. [9] [10]

10.137.11.1 is just an example and it must be replaced with the IP of the Lantern-Gateway ProxyVM. To discover the Lantern-Gateway ProxyVM IP, run the following command in sys-whonix: qubesdb-read /qubes-gateway

HTTPSProxy 10.137.11.1:8787
Socks5Proxy 10.137.11.1:8788

9. Reload Tor.

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettingsReload Tor

If you are using a terminal-only Whonix-Gateway ™, press on Expand on the right.

Complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

The procedure is complete and Tor will now use Lantern as a proxy.

Footnotes[edit]

  1. https://getlantern.org/en_US/faq.html
  2. In early-2019, this costs $32 (USD) for one year, or $48 (USD) for two years.
  3. This is because advanced adversaries can discover that a user connected to Lantern (via logs), and pluggable transports are incapable of successfully hiding Tor use in all cases. Therefore, a payment trail simply acts as another confirmation mechanism and is not necessarily 'worse' under the circumstances.
  4. Non-Qubes-Whonix ™ is unsupported at present.
  5. Lack of a dependency declaration when installing Lantern on Debian - broken link.
  6. In Lantern-Gateway, check if Lantern's HTTP port is functional.
    curl --tlsv1.2 --proto =https --proxytunnel --proxy 127.0.0.1:8788 https://check.torproject.org
    In Lantern-Gateway, check if Lantern's SOCKS port is functional.
    curl --tlsv1.2 --proto =https --socks5-hostname socks5h://127.0.0.1:8788 https://check.torproject.org
  7. In sys-whonix, test if Tor is able to connect to the HTTP proxy that Lantern is providing.
    UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --proxytunnel --proxy 10.137.11.1:8788 https://check.torproject.org
    In sys-whonix, test if Tor is able to connect to the SOCKS proxy that Lantern is providing.
    UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --socks5-hostname socks5h://10.137.11.1:8788 https://check.torproject.org
  8. SOCKS is considered to be better. According to this issue, Lantern already has SOCKS support. Open issues: https://github.com/getlantern/lantern/issues/4838
    Socks5Proxy 10.137.11.1:8788
    
  9. Setup should now be easier (less need for IP changes) because Qubes has implemented optional static IP addresses.

No comments for now due to spam. Use Whonix forums instead.


Random News:

Please consider a recurring donation!


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.