
Next

Warning

Documentation for the NEXT Whonix version! ONLY for developers! There is no guarantee that any of this makes it into the next Whonix version.

onionshare

Unfinished! Work in progress!

TODO control-port-filter-python:

On Whonix-Gateway.

Needs Tor 0.2.7.5 or higher.

Open /etc/apt/sources.list.d/torproject.list with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/torproject.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/torproject.list

Add.

deb http://deb.torproject.org/torproject.org tor-experimental-0.2.7.x-jessie main

Save.

Update package lists and dist-upgrade.

sudo apt-get update && sudo apt-get dist-upgrade

Control Port Filter Proxy[1] needs some adjustments.

Open /etc/cpfpy.d/50_onionshare.conf with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/cpfpy.d/50_onionshare.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/cpfpy.d/50_onionshare.conf

Add the following content.

CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true

## Keep existing contents of variable CONTROL_PORT_FILTER_WHITELIST
## and extend it with control port commands required by onionshare as per:
## https://github.com/micahflee/onionshare/blob/master/onionshare/onionshare.py
CONTROL_PORT_FILTER_WHITELIST=protocolinfo 1
CONTROL_PORT_FILTER_WHITELIST=getinfo version
CONTROL_PORT_FILTER_WHITELIST=add_onion *

We likely also need the following.

del_onion *

Perhaps others. To be tested.

Restart Control Port Filter Proxy.

sudo service control-port-filter-python restart

Inside Whonix-Workstation.

You need to use onionshare 0.8 or above, because it has the required support for ephemeral Tor hidden services. [2] Install it from git.

Requires python-stem 1.3.0 or higher. Can be installed from Debian backports.

Upgrade your system as usual. [3]

Create the file /etc/apt/sources.list.d/user.list by opening it with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/user.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/user.list

Add the following content.

deb http://ftp.us.debian.org/debian jessie-backports main contrib non-free

Save.

Update your package lists.

sudo apt-get update

Install a package from jessie-backports. Example.

sudo apt-get install -t jessie-backports python-stem

Note:

  • Don't forget the -t jessie-backports, which does the trick here.

Current status:

Even with Control Port Filter Proxy configured so that it does not filter anything, onionshare still does not work. It hangs at the following message.

Connecting to Tor control port to set up hidden service on port 43826.
Starting ephemeral Tor hidden service and awaiting publication

This is probably because Control Port Filter Proxy does not yet support registering for Tor control protocol events, which onionshare relies on to learn that the hidden service descriptor has been published.

Security implications not researched yet.

Forum discussion:
https://forums.whonix.org/t/feature-request-onionshare-support/300

ricochet

Unfinished! See also:

Let's finish development of #onionshare first (see above); figuring out how to make onionshare work inside Whonix has made more progress.

It does not work yet, because Control Port Filter Proxy[4] does not support wildcards yet. It might also not work for other reasons.

Security implications not researched yet.

On Whonix-Gateway, Control Port Filter Proxy needs some adjustments.

Open /etc/cpfpy.d/50_ricochet.conf with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/cpfpy.d/50_ricochet.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/cpfpy.d/50_ricochet.conf

Add the following content.

## Keep existing contents of variable CONTROL_PORT_FILTER_WHITELIST
## and extend it with control port commands required by torsion as per:
## "Documentation request for Whonix setup"
## https://github.com/special/torsion/issues/30
CONTROL_PORT_FILTER_WHITELIST=GETINFO status/circuit-established,SETCONF HiddenServiceDir,SETCONF HiddenServicePort,SETEVENTS STATUS_CLIENT

Restart Control Port Filter Proxy.

sudo service control-port-filter-python restart
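The following is an added example, not code from the Whonix page or from the control-port-filter-python project. It models in POSIX shell how the cpfpy.d whitelists given above for onionshare and for ricochet would treat incoming control-port command lines, so a whitelist can be sanity-checked before the filter is restarted. Assumed rather than stated on the page: matching is case-insensitive, entries may be given one per line or comma-separated, and with CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true a trailing * matches any remainder of the command. The 30_default.conf entry and the command lines in the demo are constructed test data; the real proxy may behave differently.

```shell
# Added example: models the cpfpy.d whitelist decision. Not Whonix code.
# Assumptions (not from the page): case-insensitive match; entries one per
# line or comma-separated; with CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true a
# trailing "*" matches any remainder of the command line.

# Write a constructed config dir mirroring the onionshare and ricochet
# fragments above; 30_default.conf is a stand-in, not the real default file.
cpfp_make_demo_config() {
  mkdir -p "$1" || return 1
  cat > "$1/30_default.conf" <<'EOF'
CONTROL_PORT_FILTER_WHITELIST=GETINFO net/listeners/socks
EOF
  cat > "$1/50_onionshare.conf" <<'EOF'
CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true
CONTROL_PORT_FILTER_WHITELIST=protocolinfo 1
CONTROL_PORT_FILTER_WHITELIST=getinfo version
CONTROL_PORT_FILTER_WHITELIST=add_onion *
EOF
  cat > "$1/50_ricochet.conf" <<'EOF'
CONTROL_PORT_FILTER_WHITELIST=GETINFO status/circuit-established,SETCONF HiddenServiceDir,SETCONF HiddenServicePort,SETEVENTS STATUS_CLIENT
EOF
}

# Print the effective whitelist, one lower-cased entry per line. Files are
# read in lexical order, so 50_* files extend (not replace) 30_default.conf.
cpfp_whitelist() {
  for f in "$1"/*.conf; do
    [ -f "$f" ] || continue
    grep '^CONTROL_PORT_FILTER_WHITELIST=' "$f" \
      | sed 's/^CONTROL_PORT_FILTER_WHITELIST=//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
      | grep -v '^$' \
      | tr '[:upper:]' '[:lower:]'
  done
}

# Exit 0 if the control-port command line in $2 would pass the filter
# configured in directory $1, 1 if the filter would drop it.
cpfp_allowed() {
  dir="$1"
  cmd=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  wild=1
  grep -qs '^CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true' "$dir"/*.conf && wild=0
  tmp=$(mktemp) || return 1
  cpfp_whitelist "$dir" > "$tmp"
  rc=1
  while IFS= read -r pat; do
    if [ "$pat" = "$cmd" ]; then rc=0; break; fi
    if [ "$wild" -eq 0 ]; then
      prefix=${pat%\*}            # drop one trailing "*", if present
      if [ "$prefix" != "$pat" ]; then
        case "$cmd" in "$prefix"*) rc=0; break ;; esac
      fi
    fi
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# Stand-alone run: show which of a few constructed command lines get through.
cpfp_demo() {
  d=$(mktemp -d) || return 1
  cpfp_make_demo_config "$d"
  for c in 'PROTOCOLINFO 1' 'ADD_ONION NEW:BEST Port=80,127.0.0.1:8080' \
           'DEL_ONION somekey' 'SETEVENTS STATUS_CLIENT' 'SETEVENTS HS_DESC'; do
    if cpfp_allowed "$d" "$c"; then echo "allow: $c"; else echo "drop:  $c"; fi
  done
  rm -rf "$d"
}
cpfp_demo
```

Two things the model makes visible: a wildcard entry such as add_onion * lets any workstation program create arbitrary onion services through the filter, so wildcards widen the control-port attack surface and should be kept to the commands a program actually needs; and nothing in either whitelist above admits the SETEVENTS the onionshare "awaiting publication" step needs, which matches the hang described in the onionshare section.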

whonixcheck SSL Certificate Pinning

How

UNFINISHED! See: https://github.com/Whonix/Whonix/issues/24

Advanced users only!

In Whonix-Gateway and Whonix-Workstation.

You need torbrowser-launcher installed. [5] Currently only available from wheezy-backports.

To enable this on a case-by-case basis, use the --pin-tpo-cert command line option. Example.

whonixcheck --pin-tpo-cert

Or to permanently enable this.

Create a file /etc/whonix.d/50_user.conf.

sudo nano /etc/whonix.d/50_user.conf

Add.

PIN_TPO_CERT="true"

VPN before Tor

User -> VPN -> Tor -> Internet

Preparation

Since setting up OpenVPN on Whonix-Gateway including a Fail Closed Mechanism is challenging, it is highly recommended to first learn how to set up OpenVPN on Debian stable (currently: jessie). Get a Debian stable VM, install the Debian openvpn package (sudo apt-get install openvpn) and figure out how to set up your VPN using OpenVPN on the command line. Only proceed once you have succeeded with that, and do not post support requests before you have. You can find some help with general VPN setup in the #VPN Setup chapter or on the TestVPN page.

Whonix 12 users may remember the variable VPN_SERVERS. Don't be surprised: that variable was abolished for better security. [6]

After installing Whonix-Gateway, do the following steps before activating Tor in Whonix Setup Wizard.

Firewall Settings

Modify Whonix User Firewall Settings.

Note: Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix User Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> User Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/whonix_firewall.d/50_user.conf

Note: Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains the default settings and explanatory comments on what each setting is for. It gets opened read-only by default: you are not supposed to edit that file directly, which is why below we recommend opening it without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, complete the following steps.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix Global Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Global Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

nano /etc/whonix_firewall.d/30_default.conf

Add the following settings. You can skip the comments (lines starting with #). Do not use ; for comments. [7] You most likely do not need to uncomment (remove the # in front of) or modify VPN_INTERFACE / LOCAL_NET.

## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABLED BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1

## For OpenVPN.
#VPN_INTERFACE=tun0

## Destinations you do not want routed through the VPN.
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
#      LOCAL_NET="\
#         127.0.0.0-127.0.0.24 \
#         192.168.0.0-192.168.0.24 \
#         192.168.1.0-192.168.1.24 \
#         10.152.152.0-10.152.152.24 \
#         10.0.2.2-10.0.2.24 \
#      "

Save.

Reload Firewall

Reload Whonix Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run:

sudo whonix_firewall

sudoers configuration

Open /etc/sudoers.d/tunnel_unpriv with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/sudoers.d/tunnel_unpriv

If you are using a terminal-only Whonix, run:

sudo nano /etc/sudoers.d/tunnel_unpriv

Comment in: remove the single hashes (#) in front of all lines, but keep the double hashes (##). The file should then look like this.

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty

Save.

VPN Setup

Introduction

In the following example we are using the free RiseUp VPN, because it is known to support TCP, UDP, SSL. You can use any VPN you like.

Preparation

Since the following setup on Whonix-Gateway while using its Fail Closed Mechanism is difficult, it is highly recommended to learn how to set up your VPN provider using OpenVPN on Debian stable (currently: jessie).

TODO:

/etc/openvpn files need to be readable by user tunnel.

Get VPN Certificate

Look inside the riseup VPN help page for RiseupCA.pem and (right click) download it. Store it in /etc/openvpn/RiseupCA.pem.

TODO: won't work without Tor being enabled.

scurl https://help.riseup.net/security/network-security/riseup-ca/RiseupCA.pem | sudo tee /etc/openvpn/RiseupCA.pem

VPN Credentials

You need a riseup.net account and need to know your riseup account name. Go to https://user.riseup.net/users/riseupusername/vpn to obtain your VPN secret (VPN password), replacing "riseupusername" with your actual riseup user name. (Or just go to https://user.riseup.net, log in and click on "VPN".)

Open /etc/openvpn/auth.txt with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/openvpn/auth.txt

If you are using a terminal-only Whonix, run:

sudo nano /etc/openvpn/auth.txt

Add. (Add your actual user name and password.)

riseupusername
vpnsecret

Save.

VPN IP Address

Note: you must use IP addresses; DNS hostnames cannot be used here. For example, you cannot use vpn.riseup.net; you have to use an IP address such as 198.252.153.226. Get the IP from your provider, or look it up with nslookup on the host. Example (use your actual VPN hostname, not vpn.riseup.net):

nslookup vpn.riseup.net

VPN Configuration File

Open /etc/openvpn/openvpn.conf with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/openvpn/openvpn.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/openvpn/openvpn.conf

Add.

Note: adjust the remote 198.252.153.226 80 line in your config (unless you are using nyc.vpn.riseup.net as your VPN service). Replace the IP (198.252.153.226) and port (80) to match your VPN service.

client

auth-user-pass auth.txt

## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80

ca RiseupCA.pem
remote-cert-tls server
script-security 1
proto tcp

user tunnel
iproute /usr/bin/ip_unpriv

dev tun0
persist-tun
persist-key

[8] [9]

Save.

DNS Configuration

TODO: update-resolv-conf ?

systemd setup

Create the OpenVPN systemd service file.

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

Enable the OpenVPN systemd service file.

sudo systemctl enable openvpn@openvpn

Start the OpenVPN systemd service.

sudo service openvpn@openvpn start

Check the OpenVPN systemd service status.

sudo service openvpn@openvpn status

TODO:

Make sure /var/run/openvpn is writable by user tunnel.

Enable Tor

Enable Tor using Whonix Setup Wizard.

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Whonix Setup Wizard

For terminal-only Whonix-Gateway, use.

sudo whonixsetup

Troubleshooting

Do not start openvpn as root, and do not use "sudo openvpn". This leads to permission issues: files in /run/openvpn would then be owned by root and could not be overwritten by user tunnel, which fails with:

Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied
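The following is an added example, not code from the Whonix page or project. It carries the VPN Setup steps above (credentials file, IP-only remote, the openvpn.conf template running as user tunnel) and the two open TODO items plus the Troubleshooting note (files readable by user tunnel, nothing owned by root that tunnel must write) into a POSIX shell script that stages the files into a scratch directory and checks them, so mistakes surface before anything is copied to /etc/openvpn. Assumed rather than stated on the page: IPv4 only, and "readable by user tunnel" is judged from permission bits (world-readable, or owned by that user with the owner read bit), ignoring group access. The Riseup username and secret in the demo are the page's placeholders.

```shell
# Added example: stages the "VPN before Tor" OpenVPN files and checks them.
# Not Whonix code. Assumptions not stated on the page: IPv4 only; readability
# for user tunnel is judged from permission bits, group read is ignored.

# Succeed only for a dotted-quad IPv4 address (the setup cannot use hostnames).
vpn_is_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print an openvpn.conf from the page's template for remote $1 port $2.
# Refuses hostnames and bad ports instead of writing a config that fails later.
vpn_gen_openvpn_conf() {
  vpn_is_ipv4 "$1" || { echo "remote must be an IPv4 address, not a hostname: $1" >&2; return 1; }
  case "$2" in ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;; esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "bad port: $2" >&2; return 1; }
  cat <<EOF
client
auth-user-pass auth.txt
remote $1 $2
ca RiseupCA.pem
remote-cert-tls server
script-security 1
proto tcp
## OpenVPN must run as user tunnel, the only user besides clearnet that
## VPN_FIREWALL=1 allows to make external connections.
user tunnel
iproute /usr/bin/ip_unpriv
dev tun0
persist-tun
persist-key
EOF
}

# Print the Whonix user firewall fragment that makes Tor fail closed onto the VPN.
vpn_gen_firewall_conf() {
  cat <<'EOF'
## Make sure Tor always connects through the VPN (1 = enable, 0 = disable).
VPN_FIREWALL=1
## For OpenVPN.
VPN_INTERFACE=tun0
EOF
}

# Write openvpn.conf and auth.txt into directory $1 with safe modes.
# Stage into a scratch dir, then copy to /etc/openvpn and chown the files to
# user tunnel: mode 0600 on auth.txt means only its owner can read it.
vpn_stage() {
  dir="$1"
  mkdir -p "$dir" || return 1
  vpn_gen_openvpn_conf "$2" "$3" > "$dir/openvpn.conf" \
    || { rm -f "$dir/openvpn.conf"; return 1; }
  chmod 644 "$dir/openvpn.conf"
  ( umask 077; printf '%s\n%s\n' "$4" "$5" > "$dir/auth.txt" ) || return 1
  chmod 600 "$dir/auth.txt"
}

# List files under $1 that user $2 cannot read by permission bits:
# neither world-readable nor (owned by $2 and owner-readable).
# Run against /etc/openvpn with "tunnel" once the files are in place.
vpn_unreadable_by() {
  find "$1" -type f ! -perm -004 ! \( -user "$2" -perm -400 \)
}

# Exit 0 if auth.txt under $1 is readable by group or others (secret exposed).
vpn_secret_exposed() {
  find "$1" -name auth.txt -type f \( -perm -040 -o -perm -004 \) | grep -q .
}

# Stand-alone run: generate the page's nyc.vpn.riseup.net example, show that a
# hostname is refused, and stage into a scratch directory.
vpn_demo() {
  vpn_gen_openvpn_conf 198.252.153.226 80
  vpn_gen_openvpn_conf vpn.riseup.net 80 || echo "(hostname refused, as expected)"
  vpn_gen_firewall_conf
  d=$(mktemp -d) || return 1
  vpn_stage "$d" 198.252.153.226 80 riseupusername vpnsecret
  ls -l "$d"
  rm -rf "$d"
}
vpn_demo
```

After copying the staged files to /etc/openvpn and running chown tunnel on them, vpn_unreadable_by /etc/openvpn tunnel should print nothing and vpn_secret_exposed /etc/openvpn should fail; the same ownership check applied to /run/openvpn catches the root-owned status file from the Troubleshooting note above.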

Footnotes

  1. Dev/CPFP
  2. Tor control protocol command add_onion
  3. This makes later installation from backports less likely to break the package management.
  4. Dev/CPFP
  5. Because torbrowser-launcher ships The Tor Project's SSL certificate.
  6. https://phabricator.whonix.org/T460
  7. That config file is a bash fragment.
  8. The /usr/bin/ip_unpriv wrapper script, the /etc/sudoers.d/tunnel_unpriv sudoers fragment and the /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf systemd drop-in are all provided by the usability-misc package.
  9. We must run OpenVPN as user 'tunnel', because that is the only user besides user clearnet that will be allowed to establish external connections when using Whonix Firewall setting VPN_FIREWALL=1.
