
Next

Warning[edit]

Documentation for the NEXT Whonix version! ONLY for developers! There is no guarantee that it really makes it into the next Whonix version.

I2P[edit]

4. Adjust I2P Settings:

  • I2P Tunnels Settings

Set the Inbound and Outbound Tunnel Length to 0:

sudo sed -i "s/\(.*outbound.length=\).*/\10/g;s/\(.*inbound.length=\).*/\10/g" "/var/lib/i2p/i2p-config/i2ptunnel.config"
[1]

  • I2P Router Configuration

(Explanation of each line, in order) [2]. More options: [3]

sudo su -c "cat > '/var/lib/i2p/i2p-config/router.config' << EOF
i2np.laptopMode=true
i2np.ntcp.enable=true
i2np.ntcp.autoip=false
i2np.ntcp.ipv6=false
i2np.ntcp.maxConnections=20
i2np.udp.enable=false
i2np.udp.addressSources=hidden
i2np.udp.ipv6=false
i2np.upnp.enable=false
router.isHidden=true
router.sharePercentage=0
router.updateDisabled=true
time.disabled=true
time.sntpServerList=127.0.0.1
EOF"
[4][5]
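As an added example (not part of the Whonix page or of I2P itself), a POSIX shell checker that verifies a router.config and i2ptunnel.config actually carry the settings above, so a developer can confirm the sed and heredoc steps took effect. The sample files it writes are constructed for the demo, and the tunnel check assumes i2ptunnel.config uses the inbound.length/outbound.length keys that the sed command above edits.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki): audit an I2P router.config and
# i2ptunnel.config against the hidden-router settings above, to confirm the
# sed and heredoc steps took effect. Sample files below are constructed.
# The key=value pairs the router.config above must contain (order irrelevant).
I2P_EXPECTED='i2np.laptopMode=true
i2np.ntcp.enable=true
i2np.ntcp.autoip=false
i2np.ntcp.ipv6=false
i2np.ntcp.maxConnections=20
i2np.udp.enable=false
i2np.udp.addressSources=hidden
i2np.udp.ipv6=false
i2np.upnp.enable=false
router.isHidden=true
router.sharePercentage=0
router.updateDisabled=true
time.disabled=true
time.sntpServerList=127.0.0.1'
# i2p_get FILE KEY: value of KEY in a Java-properties style file (last one wins).
i2p_get() {
  awk -F= -v k="$2" '{ gsub(/^[ \t]+|[ \t\r]+$/, "", $1) }
    $1 == k { v = $2; sub(/[ \t\r]+$/, "", v) } END { print v }' "$1"
}
# check_i2p_config ROUTER_CONFIG I2PTUNNEL_CONFIG: print each deviation,
# return 1 if any, 0 if the router is configured as hidden.
check_i2p_config() {
  rc=0
  while IFS= read -r line; do
    key=${line%%=*}; want=${line#*=}; have=$(i2p_get "$1" "$key")
    if [ "$have" != "$want" ]; then
      echo "router.config: $key is '${have:-<unset>}', expected '$want'"; rc=1
    fi
  done <<EOF
$I2P_EXPECTED
EOF
  # Client tunnels must be 0-hop: Tor already provides the anonymity.
  # Assumed key layout: the same inbound.length/outbound.length keys the sed touches.
  bad=$(grep -E '(in|out)bound\.length=' "$2" | grep -v '=0[[:space:]]*$')
  if [ -n "$bad" ]; then
    echo "$bad" | sed 's/^/i2ptunnel.config: non-zero tunnel length: /'; rc=1
  fi
  return $rc
}
# Constructed sample: router still publishing its IP, one 3-hop outbound tunnel.
SAMPLE_ROUTER=$(mktemp); SAMPLE_TUNNEL=$(mktemp)
printf '%s\n' "$I2P_EXPECTED" | sed 's/^router.isHidden=true/router.isHidden=false/' > "$SAMPLE_ROUTER"
printf 'tunnel.0.option.inbound.length=0\ntunnel.0.option.outbound.length=3\n' > "$SAMPLE_TUNNEL"
check_i2p_config "$SAMPLE_ROUTER" "$SAMPLE_TUNNEL" || echo "sample config is NOT hidden"
```

Run it against the real files with `check_i2p_config /var/lib/i2p/i2p-config/router.config /var/lib/i2p/i2p-config/i2ptunnel.config` after applying the settings; an empty report and exit status 0 means every setting is in place.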

onionshare[edit]

Unfinished! Work in progress!

Developers only!

TODO:

Preparation[edit]

You need the newer control port filter, which you get by upgrading to Whonix 14 developers-only.

Upgrade both Whonix-Gateway and Whonix-Workstation to Whonix 14 developers-only. For instructions see: Dev/Control_Port_Filter_Proxy#tor-controlport-filter_by_Tails.

Configure Control Port Filter Proxy[edit]

On Whonix-Gateway.

Control Port Filter Proxy needs some adjustments.

Open /etc/tor-controlport-filter.d/40_onionshare.yml in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/tor-controlport-filter.d/40_onionshare.yml

If you are using a terminal-only Whonix, run:

sudo nano /etc/tor-controlport-filter.d/40_onionshare.yml

Get the profile content from the following location.

Restart Control Port Filter Proxy.

sudo service tor-controlport-filter restart

Configure Whonix-Workstation Firewall[edit]

The following firewall instructions are not yet tested. (The ones above are.)

Inside Whonix-Workstation. [6]

Modify Whonix User Firewall Settings.

Note: Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps in the Whonix-Workstation AppVM.

Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Open /rw/config/whonix_firewall.d/50_user.conf with root rights.

kdesudo kwrite /rw/config/whonix_firewall.d/50_user.conf

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> Settings -> User Firewall Settings

If you are using a terminal-only Whonix-Workstation, complete the following steps:

sudo nano /etc/whonix_firewall.d/50_user.conf


Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains the default settings and explanatory comments on what these settings are for. It is opened read-only by default; you are not supposed to edit the file directly. Below, we recommend opening the file without root rights. The file contains an explanatory comment on how to change firewall settings:

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, complete the following steps.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix Global Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Global Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

nano /etc/whonix_firewall.d/30_default.conf

Add.

EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "

Save.

Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

enable backports[edit]

Add Debian Jessie Backports to repos sources lists.

sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Apt-Pinning provides a safe mechanism to mix and match packages from different Debian repo branches without breaking your base distro.

A higher pin priority ensures that the stable package version is preferred over any other when installing with apt. Note that these files have a .pref extension or none at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref

Paste:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save.

Install Dependencies[edit]

Update your package lists.

sudo apt-get update

Install the dependencies from jessie-backports. [7]

sudo apt-get install --no-install-recommends -t jessie-backports python3-stem python3-flask python3-pyqt5 python-nautilus

Install onionshare[edit]

You need to use onionshare 0.9.1 or above, because it has the required support for ephemeral Tor hidden services. [8] Install it from git.

git clone https://github.com/micahflee/onionshare.git

Start onionshare - regular[edit]

cd onionshare

cd dev_scripts

./onionshare /usr/bin/nano

Start onionshare - stealth[edit]

sudo su -c "echo -e 'deb http://http.debian.net/debian stretch main' > /etc/apt/sources.list.d/stretch.list"
sudo apt-get update
sudo apt-get install --no-install-recommends -t stretch python3-stem

./onionshare --stealth /usr/bin/nano

Hack to get onionshare with stealth Hidden Services Support[edit]

Developers only.

#!/bin/bash

## Developers-only hack: pulls onionshare's Python dependencies from
## jessie-backports and stretch, opens the onionshare ports in the
## Whonix-Workstation firewall, then builds and installs onionshare as a deb.
## Run from the directory containing the onionshare git checkout (see above).

set -x
set -e

sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

sudo su -c "echo -e 'deb http://http.debian.net/debian stretch main' > /etc/apt/sources.list.d/stretch.list"

sudo apt-get update

sudo apt-get install --yes --no-install-recommends -t jessie-backports python3-stem python3-flask python3-pyqt5 python-nautilus

## stealth hidden service support needs the newer python3-stem from stretch
sudo apt-get install --yes --no-install-recommends -t stretch python3-stem

## build dependencies
sudo apt-get install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-nose

## onionshare listens on ports 17600 to 17659; open them in the Whonix-Workstation firewall
echo 'EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "' | sudo tee /etc/whonix_firewall.d/50_user.conf

sudo whonix_firewall

cd onionshare

./install/build_deb.sh

sudo dpkg -i deb_dist/onionshare_0.9.2-1_all.deb

true $?

Current Status[edit]

TODO


Forum discussion:
https://forums.whonix.org/t/feature-request-onionshare-support

ricochet[edit]

Unfinished! See also:

On Whonix-Gateway, Control Port Filter Proxy needs some adjustments.

Open /etc/tor-controlport-filter.d/40_ricochet.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/tor-controlport-filter.d/40_ricochet.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/tor-controlport-filter.d/40_ricochet.conf

Add the following content.

Restart Control Port Filter Proxy.

sudo service control-port-filter-python restart

On Whonix-Gateway.

echo "EXTERNAL_OPEN_ALL=true" | sudo tee /etc/whonix_firewall.d/50_user.conf

ZeroNet[edit]

whonixcheck SSL Certificate Pinning[edit]

How[edit]

UNFINISHED! See: https://github.com/Whonix/Whonix/issues/24

Advanced users only!

In Whonix-Gateway and Whonix-Workstation.

You need torbrowser-launcher installed. [9] Currently only available from wheezy-backports.

To enable this on a case-by-case basis, use the --pin-tpo-cert command line option. Example:

whonixcheck --pin-tpo-cert

Or to permanently enable this.

Create a file /etc/whonix.d/50_user.conf.

sudo nano /etc/whonix.d/50_user.conf

Add.

PIN_TPO_CERT="true"

Footnotes[edit]

  1. It's faster and there are fewer connection interrupts. Anonymity is already provided by Tor; there is no need to leech from Tor/I2P.
  2. Explanation of the router.config lines, in order:
    • change router identity and UDP port when the IP changes
    • enable NTCP: https://geti2p.net/en/docs/transport/ntcp
    • disable automatic IP fetching: we don't want/need to publish the exit node IP
    • disable IPv6 for NTCP: unsupported by Tor, so we don't need it
    • number of concurrent NTCP connections: reduced so we don't overload the Tor node with connection attempts
    • disable UDP: unsupported by Tor
    • set the source of IP detection to hidden: we don't want/need to publish the exit node IP
    • disable IPv6 for UDP
    • toggle UPnP off: no need for UPnP
    • don't save your IP in the netDB and publish it to other I2P routers (https://trac.i2p2.de/ticket/1314#comment:3)
    • set the maximum bandwidth used by participating tunnels: we don't participate in traffic, so there is no need to share
    • disable in-network updates: we use apt for that
    • disable time comparison in the I2P router
    • set the NTP time source to localhost
  3. http://www.ugha.i2p.xyz/AdvancedConfigurationOptions, http://echelon.i2p.re/docs/advanced.options.txt and https://trac.i2p2.de/ticket/1677
  4. UDP is unsupported by Tor. Only outgoing TCP is supported by Tor. If you know how to use a hidden service, please add this information. Incoming connections are not possible, because Whonix-Workstation is firewalled.
  5. Clock skew issues: there should be none anymore since Whonix 9, so configuring time.sntpServerList=localhost is no longer necessary. Please report if they occur. (Old clock skew documentation moved to Deprecated#I2P.)
  6. As per https://labs.riseup.net/code/issues/7870#note-15, onionshare uses ports 17600 to 17659.
  7. Requires python3-stem 1.4.1b-1~bpo8+1 or higher. Can be installed from Debian backports.
  8. Tor control protocol command add_onion.
  9. Because torbrowser-launcher ships The Tor Project's SSL certificate.
