Next

Warning

Documentation for the NEXT Whonix version! ONLY for developers! No guarantee it really makes it into the next Whonix version.

onionshare

Unfinished! Work in progress!

TODO control-port-filter-python:


On Whonix-Gateway.

Needs Tor 0.2.7.5 or higher.

Open /etc/apt/sources.list.d/torproject.list in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/torproject.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/torproject.list

Add.

deb http://deb.torproject.org/torproject.org tor-experimental-0.2.7.x-jessie main

Save.

Update package lists and dist-upgrade.

sudo apt-get update && sudo apt-get dist-upgrade

Control Port Filter Proxy[1] needs some adjustments.

Open /etc/cpfpy.d/50_onionshare.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/cpfpy.d/50_onionshare.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/cpfpy.d/50_onionshare.conf

Add the following content.

CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true

## Keep existing contents of variable CONTROL_PORT_FILTER_WHITELIST
## and extend it with control port commands required by onionshare as per:
## https://github.com/micahflee/onionshare/blob/master/onionshare/onionshare.py
CONTROL_PORT_FILTER_WHITELIST=protocolinfo 1
CONTROL_PORT_FILTER_WHITELIST=getinfo version
CONTROL_PORT_FILTER_WHITELIST=add_onion *

We likely also need the following.

del_onion *

Perhaps others. To be tested.

Restart Control Port Filter Proxy.

sudo service control-port-filter-python restart
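
An added example, not code from Whonix or from Control Port Filter Proxy: a Python sketch for auditing which control port requests a whitelist like the one above would let through, with and without wildcards. The matching semantics (case-insensitive, * matching any remaining text) and the sample requests are assumptions made for illustration.

```python
import re

# Entries from 50_onionshare.conf above, plus the del_onion entry the page
# says is likely needed.
WHITELIST = ["protocolinfo 1", "getinfo version", "add_onion *", "del_onion *"]

# Constructed sample requests, not captured from onionshare.
SAMPLE_REQUESTS = [
    "PROTOCOLINFO 1",
    "GETINFO version",
    "ADD_ONION NEW:BEST Port=80,127.0.0.1:43826",
    "SETEVENTS HS_DESC",
    "GETINFO address",
    "DEL_ONION placeholderserviceid",
]


def is_allowed(request, whitelist=WHITELIST, allow_wildcards=True):
    """Return True if one control-port request line matches the whitelist.

    Assumed semantics (not taken from cpfpy): whitespace is normalised,
    comparison is case-insensitive, and '*' matches any remaining text
    only when wildcards are enabled.
    """
    line = " ".join(request.split()).lower()
    for entry in whitelist:
        pattern = " ".join(entry.split()).lower()
        if "*" not in pattern:
            if line == pattern:
                return True
        elif allow_wildcards:
            # Escape everything, then turn the literal '*' back into a wildcard.
            regex = re.escape(pattern).replace(r"\*", ".*")
            if re.fullmatch(regex, line):
                return True
    return False


def audit(requests, **options):
    """Return (request, allowed) pairs so rejected commands stand out."""
    return [(req, is_allowed(req, **options)) for req in requests]


if __name__ == "__main__":
    for req, ok in audit(SAMPLE_REQUESTS):
        print("ALLOW " if ok else "REJECT", req)
```

Any request reported as REJECT would need its own whitelist entry; where a command's arguments are fixed, an exact entry keeps the filter tighter than a wildcard.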

Inside Whonix-Workstation.

You need to use onionshare 0.8 or above, because it has the required support for ephemeral Tor hidden services. [2] Install it from git.

Requires python-stem 1.3.0 or higher. Can be installed from Debian backports.

Add Debian Jessie Backports to the APT sources list.

sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Apt-Pinning provides a safe mechanism to mix and match packages from different Debian repo branches without breaking your base distro.

Giving stable the highest pin priority ensures that the stable package version is preferred over any other when installing with apt. Note that these files have a .pref extension or none at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref

Paste:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save.

Update your package lists.

sudo apt-get update

Install python-stem.

sudo apt-get -t jessie-backports install python-stem


Current status:

Even though Control Port Filter Proxy does not filter anything, it still does not work. It hangs at the following message.

Connecting to Tor control port to set up hidden service on port 43826.
Staring ephemeral Tor hidden service and awaiting publication

This is probably because Control Port Filter Proxy does not yet support registering Tor control protocol events.

Security implications not researched yet.

Forum discussion:
https://forums.whonix.org/t/feature-request-onionshare-support/300

ricochet

Unfinished! See also:

Let's finish development of #onionshare first. See above. Figuring out how to make onionshare work inside Whonix has made more progress.

Doesn't work yet, because Control Port Filter Proxy[3] does not support wildcards yet. Might also not work for other reasons yet.

Security implications not researched yet.

On Whonix-Gateway, Control Port Filter Proxy needs some adjustments.

Open /etc/cpfpy.d/50_ricochet.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/cpfpy.d/50_ricochet.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/cpfpy.d/50_ricochet.conf

Add the following content.

## Keep existing contents of variable CONTROL_PORT_FILTER_WHITELIST
## and extend it with control port commands required by torsion as per:
## "Documentation request for Whonix setup"
## https://github.com/special/torsion/issues/30
CONTROL_PORT_FILTER_WHITELIST=GETINFO status/circuit-established,SETCONF HiddenServiceDir,SETCONF HiddenServicePort,SETEVENTS STATUS_CLIENT

Restart Control Port Filter Proxy.

sudo service control-port-filter-python restart

whonixcheck SSL Certificate Pinning

How

UNFINISHED! See: https://github.com/Whonix/Whonix/issues/24

Advanced users only!

In Whonix-Gateway and Whonix-Workstation.

You need torbrowser-launcher installed. [4] Currently only available from wheezy-backports.

To enable this on a case-by-case basis, use the --pin-tpo-cert command line option. Example:

whonixcheck --pin-tpo-cert

Or to permanently enable this.

Create a file /etc/whonix.d/50_user.conf.

sudo nano /etc/whonix.d/50_user.conf

Add.

PIN_TPO_CERT="true"

Footnotes

  1. Dev/CPFP
  2. Tor control protocol command add_onion
  3. Dev/CPFP
  4. Because torbrowser-launcher ships The Tor Project's SSL certificate
