Jump to: navigation, search

Next

Warning[edit]

Documentation for the NEXT Whonix version! ONLY for developers! No guarantee it really makes into the next Whonix version.

I2P[edit]

4. Adjust I2P Settings:

  • I2P Tunnels Settings

Set the Inbound and Outbound Tunnel Length to 0:

sudo sed -i "s/\(.*outbound.length=\).*/\10/g;s/\(.*inbound.length=\).*/\10/g" "/var/lib/i2p/i2p-config/i2ptunnel.config"
[1]

  • I2P Router Configuration

(Explanation in order) [2] more Options [3]


sudo su -c "cat > "/var/lib/i2p/i2p-config/router.config" << EOF
i2np.laptopMode=true
i2np.ntcp.enable=true
i2np.ntcp.autoip=false
i2np.ntcp.ipv6=false
i2np.ntcp.maxConnections=20
i2np.udp.enable=false
i2np.udp.addressSources=hidden
i2np.udp.ipv6=false
i2np.upnp.enable=false
router.isHidden=true
router.sharePercentage=0
router.updateDisabled=true
time.disabled=true
time.sntpServerList=127.0.0.1
EOF"
[4][5]

onionshare[edit]

You need onion-grater / upgrade to Whonix 14 testers-only. You get it by upgrading to Whonix 14 stretch.

Upgrade both Whonix-Gateway and Whonix-Workstation to Whonix 14 developers-only. For instructions see: Upgrading_Whonix_13_to_Whonix_14

Or use Whonix 13.0.0.1.4 developers-only from https://forums.whonix.org/t/whonix-13-0-0-1-4-developers-only/3486/3 or newer (if existing).

Extend onion-grater Whitelist

On Whonix-Gateway.

Create a new directory. [6]

mkdir -p /usr/local/etc/onion-grater-merger.d/

Copy the whitelist file to the new directory.

sudo cp /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/

Restart onion-grater.

sudo service onion-grater restart

Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.
In Whonix-Workstation AppVM.

Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Open /rw/config/whonix_firewall.d/50_user.conf with root rights.

kdesudo kwrite /rw/config/whonix_firewall.d/50_user.conf

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

sudo nano /etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") -> Template: whonix-ws -> Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

nano /etc/whonix_firewall.d/30_default.conf

Add. [7]

EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "

Save.

Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run.

sudo whonix_firewall

Start onionshare.

Using the gui.

TODO document

Or alternatively from terminal.

onionshare /path/to/file

Current Status: Ready in Whonix 14.

Forum discussion:
https://forums.whonix.org/t/feature-request-onionshare-support

ricochet[edit]

On Whonix-Gateway, onion-grater needs some adjustments.

Extend onion-grater Whitelist

On Whonix-Gateway.

Create a new directory. [8]

mkdir -p /usr/local/etc/onion-grater-merger.d/

Copy the whitelist file to the new directory.

sudo cp /usr/share/onion-grater-merger/examples/40_ricochet.yml /usr/local/etc/onion-grater-merger.d/

Restart onion-grater.

sudo service onion-grater restart

Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.
In Whonix-Workstation AppVM.

Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Open /rw/config/whonix_firewall.d/50_user.conf with root rights.

kdesudo kwrite /rw/config/whonix_firewall.d/50_user.conf

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

sudo nano /etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") -> Template: whonix-ws -> Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

nano /etc/whonix_firewall.d/30_default.conf

Add.

EXTERNAL_OPEN_ALL=true

Save.

Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run.

sudo whonix_firewall

ZeroNet[edit]

whonixcheck SSL Certificate Pinning[edit]

UNFINISHED! See: https://github.com/Whonix/Whonix/issues/24

Advanced users only!

In Whonix-Gateway and Whonix-Workstation.

You need torbrowser-launcher installed. [9] Currently only available from wheezy-backports.

To enable this on a by case base, use the --pin-tpo-cert command line option. Example.

whonixcheck --pin-tpo-cert

Or to permanently enable this.

Create a file /etc/whonix.d/50_user.conf.

sudo nano /etc/whonix.d/50_user.conf

Add.

PIN_TPO_CERT="true"

Footnotes[edit]

  1. It is faster and less connection interrupts. Anonymity is already provided by Tor. No need to leech from Tor/I2P.
    • change router identity and UDP port when IP changes \n
    • Enable NTCP https://geti2p.net/en/docs/transport/ntcp
    • Disable automatic IP fetching # We dont want/need to publish the Exit-Node IP
    • Disable Ipv6 for the NTCP #Unsupported by Tor so we dont need it
    • Number of concurrent NTCP connections # Reduced Connections so we dont overload the Tor node with connection attempts
    • Disable Udp #Unsupported by Tor
    • Sets the source of IP detection
    • We dont want/need to publish the Exit-Node IP
    • Disable Ipv6 for Udp
    • toggles UPNP off # No need for Upnp
    • Don't save your IP in the netDB and publish to other I2P routers( https://trac.i2p2.de/ticket/1314#comment:3)
    • Sets the bandwidth that is max used by particiapting tunnels # We dont participate in Traffic so no need to share
    • Disable In-network Updates # We use apt for that
    • Disable time comparisation in I2P router
    • Set ntp timesource to localhost
  2. http://www.ugha.i2p.xyz/AdvancedConfigurationOptions , http://echelon.i2p.re/docs/advanced.options.txt and https://trac.i2p2.de/ticket/1677
  3. UDP is unsupported by Tor. Only outgoing TCP supported by Tor. If you know to use an onion service, please add this information. Incoming connections are not possible, because Whonix-Workstation is firewalled.
  4. Clock Skew Issues: There should be none anymore since Whonix 9 so configuring time.sntpServerList=localhost is no longer necessary. Please report if they occur. (Old clock skew documentation moved to Deprecated#I2P.)
  5. Using /usr/local/etc/onion-grater-merger.d/ because that is compatible with [[Qubes-Whonix] TemplateBased ProxyVMs, i.e. Whonix-Gateway (commonly called sys-whonix). Non-Qubes-Whonix users could also use /etc/onion-grater-merger.d/. Qubes-Whonix users could also use /etc/onion-grater-merger.d/ but then users would have to make /etc/onion-grater-merger.d/ persistent, which would require doing this inside the Whonix-Gateway TemplateVM (commonly called whonix-gw and restart their Whonix-Gateway ProxyVM or to use bind-dirs. Both is more more complciated than simply using /usr/local/etc/onion-grater-merger.d/ which is persistent either way and even allows multiple Whonix-Gateway ProxyVMs based on the same Whonix-Gateway TemplateVM for lets say one Whonix-Gateway ProxyVM increasing onion-grater's whitelist and the other with the default onion-grater whitelist.
  6. As per https://labs.riseup.net/code/issues/7870#note-15 onionshare uses ports 17600 to 17659.
  7. Using /usr/local/etc/onion-grater-merger.d/ because that is compatible with [[Qubes-Whonix] TemplateBased ProxyVMs, i.e. Whonix-Gateway (commonly called sys-whonix). Non-Qubes-Whonix users could also use /etc/onion-grater-merger.d/. Qubes-Whonix users could also use /etc/onion-grater-merger.d/ but then users would have to make /etc/onion-grater-merger.d/ persistent, which would require doing this inside the Whonix-Gateway TemplateVM (commonly called whonix-gw and restart their Whonix-Gateway ProxyVM or to use bind-dirs. Both is more more complciated than simply using /usr/local/etc/onion-grater-merger.d/ which is persistent either way and even allows multiple Whonix-Gateway ProxyVMs based on the same Whonix-Gateway TemplateVM for lets say one Whonix-Gateway ProxyVM increasing onion-grater's whitelist and the other with the default onion-grater whitelist.
  8. Because torbrowser-launcher ships The Tor Projects SSL certificate

Random News:

Want to make Whonix safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.


https | (forcing) onion

Share: Twitter | Facebook | Google+

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)