
Next

Warning[edit]

Documentation for the NEXT Whonix version! ONLY for developers! No guarantee it really makes it into the next Whonix version.

I2P[edit]

4. Adjust I2P Settings:

  • I2P Tunnels Settings

Set the Inbound and Outbound Tunnel Length to 0:

sudo sed -i "s/\(.*outbound.length=\).*/\10/g;s/\(.*inbound.length=\).*/\10/g" "/var/lib/i2p/i2p-config/i2ptunnel.config"
[1]

  • I2P Router Configuration

Explanation of each option, in order: [2]. More options: [3].


sudo su -c 'cat > /var/lib/i2p/i2p-config/router.config << EOF
i2np.laptopMode=true
i2np.ntcp.enable=true
i2np.ntcp.autoip=false
i2np.ntcp.ipv6=false
i2np.ntcp.maxConnections=20
i2np.udp.enable=false
i2np.udp.addressSources=hidden
i2np.udp.ipv6=false
i2np.upnp.enable=false
router.isHidden=true
router.sharePercentage=0
router.updateDisabled=true
time.disabled=true
time.sntpServerList=127.0.0.1
EOF'
[4][5]

onionshare[edit]

Unfinished! Work in progress!

Developers only!

TODO:

...


On Whonix-Gateway.

Control Port Filter Proxy needs some adjustments.

Open /etc/cpfpy.d/50_onionshare.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/cpfpy.d/50_onionshare.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/cpfpy.d/50_onionshare.conf

Add the following content.

CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true

## Keep existing contents of variable CONTROL_PORT_FILTER_WHITELIST
## and extend it with control port commands required by onionshare as per:
## https://github.com/micahflee/onionshare/blob/master/onionshare/onionshare.py
CONTROL_PORT_FILTER_WHITELIST=getinfo version
CONTROL_PORT_FILTER_WHITELIST=add_onion *
CONTROL_PORT_FILTER_WHITELIST=SETEVENTS SIGNAL CONF_CHANGED
CONTROL_PORT_FILTER_WHITELIST=GETCONF __owningcontrollerprocess
CONTROL_PORT_FILTER_WHITELIST=SETEVENTS SIGNAL HS_DESC CONF_CHANGED

## TODO
## Dangerous.
## During development let all Tor control commands pass.
## We will restrict this and allow only required commands once this is working.
CONTROL_PORT_FILTER_DISABLE_FILTERING=true

We likely also need the following.

del_onion *

Perhaps others. To be tested.

Restart Control Port Filter Proxy.

sudo service control-port-filter-python restart

Inside Whonix-Workstation.

Unload Whonix-Workstation firewall: Dev/Firewall_Unload

You need to use onionshare 0.9.1 or above, because it has the required support for ephemeral Tor hidden services. [6] Install it from git.

Requires python3-stem 1.4.1b-1~bpo8+1 or higher. Can be installed from Debian backports.

Add Debian Jessie Backports to repos sources lists.

sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Apt-Pinning provides a safe mechanism to mix and match packages from different Debian repo branches without breaking your base distro.

The higher pin priority for stable ensures that the stable package version is preferred over any other when installing with apt. Note that files in this directory must have a .pref extension or no extension at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref

Paste:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save.

Update your package lists.

sudo apt-get update

Install python3-stem.

sudo apt-get -t jessie-backports install python3-stem

Current status:

Control Port Filter Proxy event support has been implemented in Control Port Filter Proxy git development branch.

https://github.com/micahflee/onionshare/issues/220

Forum discussion:
https://forums.whonix.org/t/feature-request-onionshare-support/300


Tails Control Port Filter[edit]

Working (WIP):

---
- match-exe-paths:
    - '*'
  match-users:
    - '*'
  match-hosts:
    - '*'
  commands:
    SIGNAL:
      - 'NEWNYM'
    GETINFO:
      - 'circuit-established'
      - 'status/circuit-established'
      - pattern: 'net/listeners/socks'
        response:
        - pattern:     '250-net/listeners/socks=".*"'
          replacement: '250-net/listeners/socks="127.0.0.1:9150"'
      - 'version'
      - 'onions/current'
    ADD_ONION:
      - pattern:     'NEW:BEST Port=80,(176[0-5][0-9])'
        replacement: 'NEW:BEST Port=80,{client-address}:{}'
    DEL_ONION:
      - '.+'
  confs:
    __owningcontrollerprocess:
  events:
    SIGNAL:
      suppress: true
    CONF_CHANGED:
      suppress: true
    HS_DESC:
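As an added illustration (not code from Whonix or Tails), the following Python evaluator applies rules in the shape of the Tails filter above, and also shows what the coarser cpfpy whitelist in the onionshare section approximates: commands not listed are dropped, and the ADD_ONION target is rewritten so the client can only publish an onion service that points back at its own address. The placeholder semantics (`{}` takes the capture group, `{client-address}` the connecting client's IP) and the sample client address are assumptions.

```python
import re

# Constructed rule set mirroring the YAML above. Assumption: '{}' in a
# replacement takes the pattern's capture groups in order and
# '{client-address}' the connecting client's IP.
COMMAND_RULES = {
    "SIGNAL": ["NEWNYM"],
    "GETINFO": ["circuit-established", "status/circuit-established",
                "net/listeners/socks", "version", "onions/current"],
    "ADD_ONION": [{"pattern": r"NEW:BEST Port=80,(176[0-5][0-9])",
                   "replacement": "NEW:BEST Port=80,{client-address}:{}"}],
    "DEL_ONION": [{"pattern": r".+"}],
}
# Response rewrite for GETINFO net/listeners/socks: hide the real listener.
RESPONSE_RULES = {
    "net/listeners/socks": [(r'250-net/listeners/socks=".*"',
                             '250-net/listeners/socks="127.0.0.1:9150"')],
}

def filter_command(line, client_address):
    """Return the command to forward to Tor, or None if the filter rejects it."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    cmd = parts[0].upper()
    args = parts[1] if len(parts) > 1 else ""
    for rule in COMMAND_RULES.get(cmd, []):
        if isinstance(rule, str):          # plain rule: exact argument match
            if args == rule:
                return f"{cmd} {args}"
            continue
        match = re.fullmatch(rule["pattern"], args)
        if match is None:
            continue
        replacement = rule.get("replacement")
        if replacement is None:            # pattern-only rule: pass unchanged
            return f"{cmd} {args}"
        new_args = replacement.replace("{client-address}", client_address)
        for group in match.groups():       # fill '{}' placeholders in order
            new_args = new_args.replace("{}", group, 1)
        return f"{cmd} {new_args}"
    return None                            # not whitelisted: drop the command

def filter_response(getinfo_key, line):
    """Rewrite a Tor reply line for the given GETINFO key, if a rule matches."""
    for pattern, replacement in RESPONSE_RULES.get(getinfo_key, []):
        if re.fullmatch(pattern, line):
            return replacement
    return line
```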

ricochet[edit]

Unfinished! See also:

Let's finish development of #onionshare first. See above. Figuring out how to make onionshare work inside Whonix has made more progress.

Security implications not researched yet.

On Whonix-Gateway, Control Port Filter Proxy needs some adjustments.

Open /etc/cpfpy.d/50_ricochet.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/cpfpy.d/50_ricochet.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/cpfpy.d/50_ricochet.conf

Add the following content.

## Keep existing contents of variable CONTROL_PORT_FILTER_WHITELIST
## and extend it with control port commands required by torsion as per:
## "Documentation request for Whonix setup"
## https://github.com/special/torsion/issues/30
CONTROL_PORT_FILTER_WHITELIST=GETINFO status/circuit-established,SETCONF HiddenServiceDir,SETCONF HiddenServicePort,SETEVENTS STATUS_CLIENT

Restart Control Port Filter Proxy.

sudo service control-port-filter-python restart

whonixcheck SSL Certificate Pinning[edit]

How[edit]

UNFINISHED! See: https://github.com/Whonix/Whonix/issues/24

Advanced users only!

In Whonix-Gateway and Whonix-Workstation.

You need torbrowser-launcher installed. [7] Currently only available from wheezy-backports.

To enable this on a case-by-case basis, use the --pin-tpo-cert command line option. Example:

whonixcheck --pin-tpo-cert

Or to permanently enable this.

Create a file /etc/whonix.d/50_user.conf.

sudo nano /etc/whonix.d/50_user.conf

Add.

PIN_TPO_CERT="true"

Footnotes[edit]

  1. It's faster and causes fewer connection interruptions. Anonymity is already provided by Tor, so there is no need to leech from Tor/I2P.
  2. Explanation of the options, in order:
    • Change router identity and UDP port when the IP changes.
    • Enable NTCP: https://geti2p.net/en/docs/transport/ntcp
    • Disable automatic IP fetching: we don't want/need to publish the exit node IP.
    • Disable IPv6 for NTCP: unsupported by Tor, so we don't need it.
    • Number of concurrent NTCP connections: reduced so we don't overload the Tor node with connection attempts.
    • Disable UDP: unsupported by Tor.
    • Set the source of IP detection: we don't want/need to publish the exit node IP.
    • Disable IPv6 for UDP.
    • Toggle UPnP off: no need for UPnP.
    • Don't save your IP in the netDB and publish it to other I2P routers (https://trac.i2p2.de/ticket/1314#comment:3).
    • Set the maximum bandwidth used by participating tunnels: we don't participate in traffic, so there is no need to share.
    • Disable in-network updates: we use apt for that.
    • Disable time comparison in the I2P router.
    • Set the NTP time source to localhost.
  3. http://www.ugha.i2p.xyz/AdvancedConfigurationOptions , http://echelon.i2p.re/docs/advanced.options.txt and https://trac.i2p2.de/ticket/1677
  4. UDP is unsupported by Tor. Only outgoing TCP is supported by Tor. If you know how to use a hidden service, please add this information. Incoming connections are not possible, because Whonix-Workstation is firewalled.
  5. Clock Skew Issues: There should be none anymore since Whonix 9, so configuring time.sntpServerList=localhost is no longer necessary. Please report if they occur. (Old clock skew documentation moved to Deprecated#I2P.)
  6. Tor control protocol command add_onion
  7. Because torbrowser-launcher ships The Tor Project's SSL certificate
