Dev/Whonix Networking

From Whonix

Whonix-Gateway

anon-gw-anonymizer-config

Tor Configuration and Tweaks for Anonymity Distributions

Tor config file with distribution defaults (for stream isolation, etc.), example user configurations and other required tweaks. The Tor binary itself does not get modified.

This package is produced independently of, and carries no guarantee from, The Tor Project.

/usr/share/tor/tor-service-defaults-torrc.anondist

Whonix Tor configuration

https://www.whonix.org/wiki/Stream_Isolation

  • ControlSocket
  • SocksPort
  • HTTPTunnelPort
  • TransPort
  • DnsPort
  • Upstream Defaults File
  • Enable / Disable Tor
  • Leak Tests
  • General Settings
  • Workstation Trans/Dns-Port
  • Workstation SocksPorts
  • Gateway Trans/Dns-Port
  • Gateway SocksPorts

anon-gw-dhcp-conf

DHCP config for Anonymity Distribution Gateways

Prevents DHCP from modifying /etc/resolv.conf by shipping a configuration file.

In the context of Anonymity Distribution Gateways, it is useful to obtain the network configuration for the interface that connects to the internet from a virtual machine or hardware router, to avoid usability issues with manual static network configuration. At the same time, Anonymity Distribution Gateways usually do not need a functional system DNS resolver (/etc/resolv.conf) pointing to a clearnet DNS resolver, because ideally all of the Gateway's traffic, including its own DNS, is routed through the anonymity network as well.

Usually the Gateway's firewall should ensure that the Gateway will not leak its own DNS requests. However, preventing DHCP from setting /etc/resolv.conf to a functional clearnet DNS resolver is useful as defense in depth. Also, in case the Gateway's system DNS resolver points to the anonymizer, it is crucial that it does not get modified by DHCP.

/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

prevent resolvconf from modifying /etc/resolv.conf
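As an added example (not the file shipped by anon-gw-dhcp-conf, whose exact content this page does not show), this is the standard Debian way to write such a hook: dhclient-script sources every file in /etc/dhcp/dhclient-enter-hooks.d/ before it acts on a lease, so a hook that redefines make_resolv_conf() as a no-op keeps the DHCP-supplied resolvers out of /etc/resolv.conf. The block also carries a small simulation with a constructed lease so it can be run without dhclient; the simulated upstream function and the 8.8.8.8 offer are assumptions for the demo.

```shell
#!/bin/sh
# Added example: a dhclient enter hook in the style of
# /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate, plus an offline demo.

# Minimal stand-in for dhclient-script's own make_resolv_conf() (constructed
# for the demo; the real one is longer): it writes the lease's nameservers
# into the resolver file, which is exactly what a gateway must not allow.
upstream_make_resolv_conf() {
    : > "$resolv_file"
    for ns in $new_domain_name_servers; do
        echo "nameserver $ns" >> "$resolv_file"
    done
}

# The hook itself. Because dhclient-script sources the enter hooks before it
# calls make_resolv_conf, this definition wins and the lease's DNS servers
# are silently ignored. This is the entire content a real hook needs.
make_resolv_conf() {
    :
}

# Demo: feed a constructed DHCP offer through one implementation and report
# whether the anonymizer resolver survived. $1 = function name to run.
# Prints "kept" or "leaked".
run_lease() {
    impl="$1"
    resolv_file="$(mktemp)"
    printf 'nameserver 127.0.0.1\n' > "$resolv_file"   # gateway default
    new_domain_name_servers="8.8.8.8 8.8.4.4"          # constructed clearnet offer
    "$impl"
    if grep -q '^nameserver 127\.0\.0\.1$' "$resolv_file" && ! grep -q '8\.8\.' "$resolv_file"; then
        result=kept
    else
        result=leaked
    fi
    rm -f "$resolv_file"
    echo "$result"
}
```

Only the make_resolv_conf() definition belongs in the hook file; the other functions exist so the effect can be checked. On a live gateway the equivalent check is that /etc/resolv.conf still reads nameserver 127.0.0.1 after a lease renewal.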

anon-gw-dns-conf

DNS configuration for Anonymity Linux Distribution Gateways

Points /etc/resolv.conf to 127.0.0.1.

Whether an Anonymity Linux Distribution Gateway supports system DNS for its own traffic in the clear or anonymized mainly depends on the Gateway's firewall.

Routing the workstation's system DNS through the anonymizer (also known as Transparent DNS Proxy) or not is up to the Gateway's firewall as well.

/etc/resolv.conf.anondist

Configures use of the torified DNS server for traffic originating from Whonix-Gateway.

Sets /etc/resolv.conf to "nameserver 127.0.0.1" plus comments.

/lib/systemd/system/systemd-resolved.service.d/40_anon-dns-conf.conf

Disables systemd-resolved if file /etc/resolv.conf.anondist exists.

ipv4-forward-disable

Deactivates IPv4 forwarding using /etc/sysctl.d/

IPv4 forwarding is not required for Tor-based Anonymity Distribution Gateways: the Gateway does not route Workstation packets onward, it redirects them into Tor's local TransPort and DnsPort. Deactivating forwarding as defense in depth prevents leaks should the firewall ever fail open.

For better security.

/etc/sysctl.d/ipv4-forward-disable.conf

Disable IPv4 forwarding as per https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

ipv6-disable

Deactivates IPv6 using /etc/sysctl.d/

There are no IPv6 Anonymity Distribution Gateways featuring an IPv6 firewall yet. Therefore IPv6 is deactivated to prevent leaks.

For better security.

/etc/sysctl.d/ipv6-disable.conf

disable IPv6
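The three gateway-side defences above (anon-gw-dns-conf, ipv4-forward-disable and ipv6-disable) can be audited offline with the following added script. It is not part of any Whonix package: it reads the files those packages control under a root directory passed as an argument, so it can be pointed at "/" on a live gateway or at a constructed tree for testing. The allowlist of resolver addresses is an assumption (127.0.0.1 for a gateway; passing 10.152.152.10 instead gives the corresponding check for a workstation), and the fake tree builder exists only for the demo.

```shell
#!/bin/sh
# Added example: offline audit of the gateway leak defences described above.

# Print every nameserver in file $1 that is not in the space-separated
# allowlist $2 (DHCP or a stray package may have added a clearnet resolver).
resolv_offenders() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    ' "$1"
}

# Read one sysctl value from the (real or fake) /proc tree; empty if missing.
sysctl_value() {
    [ -r "$1" ] && tr -d ' \n' < "$1"
}

# Audit a tree rooted at $1 (use / on a live system) with resolver allowlist
# $2 (default 127.0.0.1). Prints one finding per line and returns the number
# of findings, so an exit status of 0 means nothing leaked.
audit_gateway() {
    root="${1%/}"
    allowed="${2:-127.0.0.1}"
    findings=0
    for ns in $(resolv_offenders "$root/etc/resolv.conf" "$allowed"); do
        echo "resolv.conf points at non-anonymized resolver $ns"
        findings=$((findings + 1))
    done
    if [ "$(sysctl_value "$root/proc/sys/net/ipv4/ip_forward")" != "0" ]; then
        echo "net.ipv4.ip_forward is not 0 (ipv4-forward-disable not in effect)"
        findings=$((findings + 1))
    fi
    for iface in all default; do
        if [ "$(sysctl_value "$root/proc/sys/net/ipv6/conf/$iface/disable_ipv6")" != "1" ]; then
            echo "net.ipv6.conf.$iface.disable_ipv6 is not 1 (ipv6-disable not in effect)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed test tree (demo only). "good" mirrors a correctly configured
# gateway; "bad" mirrors one where DHCP rewrote resolv.conf, forwarding is on
# and IPv6 is still enabled on the "all" interface.
make_fake_root() {
    d="$(mktemp -d)"
    mkdir -p "$d/etc" "$d/proc/sys/net/ipv4" \
        "$d/proc/sys/net/ipv6/conf/all" "$d/proc/sys/net/ipv6/conf/default"
    if [ "$1" = good ]; then
        printf 'nameserver 127.0.0.1\n' > "$d/etc/resolv.conf"
        echo 0 > "$d/proc/sys/net/ipv4/ip_forward"
        echo 1 > "$d/proc/sys/net/ipv6/conf/all/disable_ipv6"
        echo 1 > "$d/proc/sys/net/ipv6/conf/default/disable_ipv6"
    else
        printf 'nameserver 10.0.2.3\nnameserver 127.0.0.1\n' > "$d/etc/resolv.conf"
        echo 1 > "$d/proc/sys/net/ipv4/ip_forward"
        echo 0 > "$d/proc/sys/net/ipv6/conf/all/disable_ipv6"
        echo 1 > "$d/proc/sys/net/ipv6/conf/default/disable_ipv6"
    fi
    echo "$d"
}
```

Run as `audit_gateway /` after boot and again after a DHCP lease renewal: the sysctl files reflect the running kernel, so a snippet that is present in /etc/sysctl.d/ but shadowed by a later file with a higher lexical name would show up here as a finding even though the package is installed.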

whonix-gw-network-conf

Network Configuration for Whonix-Gateway

Includes /etc/network/interfaces.d/30_non-qubes-whonix for Non-Qubes-Whonix-Gateway.

Sets up two network interfaces, an external one, eth0, and an internal one, eth1.

Provides /usr/share/whonix-gw-network-conf/network_internal_ip.txt.

/debian/whonix-gw-network-conf.links

Disable Predictable Network Interface Names as these are problematic. https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4 Disabling them as per 'zless /usr/share/doc/udev/README.Debian.gz'.

  • /dev/null /etc/systemd/network/99-default.link

/debian/whonix-gw-network-conf.triggers

Required for /etc/systemd/network/99-default.link to take effect as per 'zless /usr/share/doc/udev/README.Debian.gz'.

  • activate-noawait update-initramfs

/etc/network/interfaces.d/30_non-qubes-whonix

network interfaces configuration for eth0 (external network interface) and eth1 (internal network interface)

static network configuration:

  eth0
  #address 10.0.2.15
  #netmask 255.255.255.0
  #gateway 10.0.2.2

  eth1
  #address 10.152.152.10
  #netmask 255.255.192.0

/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf

onion-grater systemd unit file extension.

Runs /usr/lib/onion-grater-merger as root to avoid permission conflicts (the leading "+" tells systemd to execute this ExecStartPre= command with full privileges even though the unit itself runs as an unprivileged user):

  • ExecStartPre=+/usr/lib/onion-grater-merger

Reconfigures onion-grater to listen on network interface eth1.

Whonix-Workstation

anon-apps-config

anonymity, privacy and security settings pre-configuration

Most settings take effect for newly created user accounts only, and not for existing user accounts.

Enables Menubar in Dolphin by default.

Deactivates KGpg's first run wizard. Uses hkp://qdigse2yzvuglcix.onion as default keyserver. Disables tip of the day. Disables KGpg's systray.

Double click instead of single click in KDE.

Deactivates maximizing windows when moved to the top. In the context of anonymity it might be better not to maximize the browser window (https://trac.torproject.org/projects/tor/ticket/7255). To prevent users from accidentally maximizing their browser window, it is better when KDE's feature to maximize windows when moved to the top is disabled.

Deactivates KDE's system sounds.

Disables KDE graphics effects. Disables some background processes.

Stream Isolation (proxy) settings for KDE apps for Anonymity Distributions: configures global proxy settings for KDE applications to socks 10.152.152.10:9122, which act as a fallback if no other proxy settings are set. Otherwise unconfigured KDE applications would use no proxy settings (Transparent Proxying) if the anonymity distribution features a transparent proxy. Useful to improve stream isolation. On the other hand, anonymity distributions not featuring transparent proxying should probably not install this package by default, because then unconfigured KDE applications should by default not be able to connect.

Sets Unlimited Scrollback in Konsole.

Disables klipper clipboard history.

Deactivates automatic updates for Package Manager APT and Apper. Useful in the context of networks with limited traffic quota, slow networks and anonymity distributions. In the latter case, the default automatic updates interval would be too predictable (an expectable amount of traffic every X), and thus eventually vulnerable to traffic fingerprinting. Disabling Apper automatic updates only takes effect for newly created user accounts, not for existing user accounts. This is most useful to help Linux distribution maintainers set divergent defaults.

Longer Timeouts for Package Manager APT: raises timeout and retries using a configuration snippet. Useful in the context of slow networks and anonymity distributions.

Ships a configuration file /etc/apt/apt.conf.d/90longer-timeouts to configure apt-get.

Ships a configuration file /etc/skel/.config/vlc/vlcrc to configure VLC to not ask for network policy at start and sets vout=xcb_x11 to enable VM compatibility out-of-the-box.

Disables gajim's update manager by default for better security, since it does not verify software signatures, by hiding file /usr/share/gajim/plugins/plugin_installer/__init__.py using config-package-dev 'hide'.

Disables systemd-resolved during boot unless file /etc/dns-enable exists.

Disables systemd-resolved fallback DNS (which by default is set to Google).

Due to technical limitations some settings only take effect for applications being started for the very first time, i.e. when the user config of that application in the user's home folder does not exist yet. Works best for new user accounts.

This package is most useful to help Linux distribution maintainers set divergent defaults.

/etc/apt/apt.conf.d/90longer-timeouts

longer APT timeouts and more retries

/lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf

Disable systemd-resolved unless file /etc/dns-enable exists.

/usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf

Do not default to using Google nameservers. An empty FallbackDNS= only matters while systemd-resolved is running with no other DNS server configured; together with the drop-in above it is defense in depth for the case where /etc/dns-enable exists.

  • https://phabricator.whonix.org/T793
  • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658
  • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658#216
  • https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
  • https://forums.whonix.org/t/os-generated-network-traffic

Contents of the drop-in:

  • [Resolve]
  • FallbackDNS=

/usr/share/anon-apps-config/kioslaverc

KDE stream isolation settings.

/usr/share/anon-apps-config/ksmserverrc

disable session saving https://forums.whonix.org/t/kdesudo-error-popup-window-sdwdate-gui

  • loginMode=default

anon-ws-disable-stacked-tor

Prevents Tor over Tor in Anonymity Distribution Workstations

Supposed to be installed on Workstations; it prevents installing the real Tor package from upstream (e.g. Debian, The Tor Project) APT repositories. Its purpose is to prevent running Tor over Tor.

It allows installation of packages which depend on Tor, such as TorChat, parcimonie and torbrowser-launcher.

This package uses the "Provides: tor" field[1], which should avoid any kind of conflict in case upstream releases a higher version of Tor. This won't work for packages which depend on an explicit version of Tor (such as TorChat). This is non-ideal, since for example the torchat package will install Tor, but still acceptable because of the following additional measures.

Binaries eventually installed (by the tor Debian package), /usr/bin/tor as well as /usr/sbin/tor, are replaced with a dummy wrapper that does nothing (dpkg-diverted using config-package-dev).

systemd-socket-proxyd listens on Tor's default ports: system Tor's 127.0.0.1:9050 and 127.0.0.1:9051, and Tor Browser's 127.0.0.1:9150 and 127.0.0.1:9151. This prevents a default Tor Browser Bundle or the Tor package by The Tor Project from opening these ports: a Tor that cannot bind its listening port exits, thus preventing Tor over Tor.

See also:

[1] See "7.5 Virtual packages - Provides" on http://www.debian.org/doc/debian-policy/ch-relationships.html

This package is produced independently of, and carries no guarantee from, The Tor Project.

/debian/anon-ws-disable-stacked-tor.displace

config-package-dev displaces the following files:

  • /etc/default/tor.anondist
  • /usr/bin/tor.anondist
  • /usr/sbin/tor.anondist

/debian/anon-ws-disable-stacked-tor.postinst

/etc/X11/Xsession.d/ hook to source /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh

Adds user "user" to the group "debian-tor", so user "user" can access Tor's control port. User "user" already exists thanks to the anon-base-files package.

  • addgroup --quiet user debian-tor

/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

systemd-unit-files-generator and socat-unix-sockets configuration examples.

/etc/profile.d/20_torbrowser.sh

/etc/profile.d hook to source /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh

/etc/rsyslog.d/anon-ws-disable-stacked-tor.conf

rsyslog configuration drop-in snippet.

No longer required, since rinetd is no longer used. It was a workaround for 'rinetd fills up the logs until disk is full up if it cannot bind', http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796235

  • :msg, contains, "accept(0): Socket operation on non-socket" stop

/etc/X11/Xsession.d/20torbrowser

/etc/X11/Xsession.d/ hook to source /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh

/lib/systemd/system/anon-ws-disable-stacked-tor.service

Runs /usr/lib/anon-ws-disable-stacked-tor/state-files and /usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets.

/lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf

Qubes-Whonix:

Clears 'ConditionPathExists=/run/qubes-service/whonix-gateway' set by the qubes-whonix package, which is useful on the gateway but not on the workstation.

In effect the dummy Tor service will run on Whonix-Workstation.

  • ConditionPathExists=

/lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf

Compatibility with the system Tor package.

Overrides the systemd unit file of the system Tor package for compatibility, so the dummy Tor binary /usr/bin/tor gets loaded instead.

Makes all systemctl restart, reload and status commands compatible with dummy Tor.

/lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf

Make 'sudo service tor status' exit '0' for better compatibility.

  • RemainAfterExit=yes

/usr/bin/tor.anondist

dummy Tor wrapper doing nothing but wait forever, and

OnionShare support for configuration option "bundled Tor".

/usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets

socat-unix-sockets starter.

/usr/lib/anon-ws-disable-stacked-tor/state-files

Emulates Tor by copying and chmodding the correct state files such as /run/tor/control.authcookie.

/usr/lib/anon-ws-disable-stacked-tor/systemd-unit-files-generator

Generates systemd unit files /lib/systemd/system/anon-ws-disable-stacked-tor_autogen_* which listen on common local ports used by popular Tor applications such as Tor Browser.

Redirects Whonix-Workstation port 9050 to Whonix-Gateway port 9050, and so forth.

Creates unix domain socket files such as /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock and forwards them to the matching Whonix-Gateway port ($GATEWAY_IP:9150 etc.). See also: https://phabricator.whonix.org/T192

System Tor's default SocksSocket is /run/tor/socks; the Whonix-Workstation unix domain socket file /run/tor/socks is redirected to Whonix-Gateway port 9050.

Debian's /usr/share/tor/tor-service-defaults-torrc uses /run/tor/control as Tor ControlSocket; the Whonix-Workstation unix domain socket file /run/tor/control is redirected to Whonix-Gateway port 9051.
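The following added script shows the kind of unit pairs such a generator produces; it is not the package's own systemd-unit-files-generator. Each local listener (a 127.0.0.1 port or a unix socket path from the list above) gets a .socket unit that binds it and a .service unit that runs systemd-socket-proxyd to forward accepted connections to the gateway. The output directory argument, the unit naming scheme, the PROXY_MAP table and the group restriction on control sockets are assumptions for this demo; the ports and paths themselves are the ones named on this page.

```shell
#!/bin/sh
# Added example: socket-activated systemd-socket-proxyd unit pairs that
# forward local Tor ports/sockets to Whonix-Gateway.

GATEWAY_IP="${GATEWAY_IP:-10.152.152.10}"

# "local listener  gateway port", one mapping per line.
PROXY_MAP='
127.0.0.1:9050 9050
127.0.0.1:9051 9051
127.0.0.1:9150 9150
127.0.0.1:9151 9151
/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock 9150
/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock 9151
/run/tor/socks 9050
/run/tor/control 9051
'

# Write one .socket/.service pair into directory $1 for unit base name $2,
# ListenStream value $3 and gateway port $4.
write_proxy_units() {
    out="$1" name="$2" listen="$3" gwport="$4"
    # A control-port listener (9051/9151) hands out Tor control access, so a
    # unix socket for it is restricted to group debian-tor, which this package
    # already adds user "user" to. TCP listeners carry no file mode.
    access=""
    case "$listen/$gwport" in
        /*/9051|/*/9151) access="SocketMode=0660
SocketGroup=debian-tor" ;;
    esac
    cat > "$out/$name.socket" <<EOF
[Unit]
Description=Listener $listen forwarded to Whonix-Gateway $GATEWAY_IP:$gwport

[Socket]
ListenStream=$listen
$access

[Install]
WantedBy=sockets.target
EOF
    cat > "$out/$name.service" <<EOF
[Unit]
Description=Forward $listen to Whonix-Gateway $GATEWAY_IP:$gwport
Requires=$name.socket
After=$name.socket

[Service]
ExecStart=/lib/systemd/systemd-socket-proxyd $GATEWAY_IP:$gwport
EOF
}

# Generate every pair from PROXY_MAP into directory $1; prints how many
# .socket units exist there afterwards.
generate_units() {
    out="$1"
    printf '%s\n' "$PROXY_MAP" | while read -r listen gwport; do
        [ -n "$listen" ] || continue
        # "/" and ":" are not valid in unit names; map them to "_".
        name="anon-ws-disable-stacked-tor_autogen_$(printf '%s' "$listen" | tr '/:' '__')"
        write_proxy_units "$out" "$name" "$listen" "$gwport"
    done
    ls "$out"/*.socket | wc -l | tr -d ' '
}
```

After writing the units into /lib/systemd/system, each .socket unit has to be enabled and started (`systemctl enable --now NAME.socket`); the socket-activated service is only started when the first client connects. Because the socket units hold the ports, a real Tor started afterwards fails to bind, which is the effect the text relies on. Without the SocketGroup/SocketMode lines a unix socket is created world-accessible, so any local user would reach the gateway's control port.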

/usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh

Environment variables for Tor Browser integration.

Prevents Tor over Tor.

Deactivates tor-launcher, a Vidalia replacement as browser extension, to prevent running Tor over Tor. https://trac.torproject.org/projects/tor/ticket/6009 https://gitweb.torproject.org/tor-launcher.git

  • export TOR_SKIP_LAUNCH=1

The following TOR_SOCKS_HOST and TOR_SOCKS_PORT variables do not work flawlessly, due to an upstream bug in Tor Button:

  "TOR_SOCKS_HOST, TOR_SOCKS_PORT regression"
  https://trac.torproject.org/projects/tor/ticket/8336

(As an alternative,

  /home/user/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

could be used.) Fortunately, this is not required for Whonix by default anymore, because systemd-socket-proxyd is configured to redirect the following Whonix-Workstation ports to Whonix-Gateway:

  • 127.0.0.1:9050 to 10.152.152.10:9050
  • 127.0.0.1:9051 to 10.152.152.10:9051
  • 127.0.0.1:9150 to 10.152.152.10:9150
  • 127.0.0.1:9151 to 10.152.152.10:9151

The variables therefore stay commented out:

  #export TOR_SOCKS_HOST="10.152.152.10"
  #export TOR_SOCKS_PORT="9150"
  #export TOR_CONTROL_HOST="127.0.0.1"
  #export TOR_CONTROL_PORT="9151"

TOR_CONTROL_PASSWD only exists to satisfy Tor Button and is filled with an arbitrary value; it, too, stays commented out:

  #export TOR_CONTROL_PASSWD='"password"'

TOR_TRANSPROXY=1 is not used because that would break Tor Browser's per-tab stream isolation. (Tor Browser talks to a Tor SocksPort and sets a SOCKS user name, and Tor uses IsolateSOCKSAuth by default.)

  #export TOR_TRANSPROXY=1

Environment variables to configure Tor Browser to use a pre-existing unix domain socket file instead of creating its own, to avoid Tor over Tor while keeping it able to connect. systemd-socket-proxyd creates the unix domain socket file /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock and forwards it to Whonix-Gateway port 9150. https://phabricator.whonix.org/T192 https://trac.torproject.org/projects/tor/ticket/20111#comment:5

  • export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
  • export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"

Environment variable to skip Tor Button's control port verification. https://trac.torproject.org/projects/tor/ticket/13079

  • export TOR_SKIP_CONTROLPORTTEST=1

Environment variable to disable the "TorButton" -> "Open Network Settings..." menu item. It is not useful, and confusing, to have on a workstation, because Tor must be configured on Whonix-Gateway, which for security reasons cannot be done from Whonix-Workstation. https://trac.torproject.org/projects/tor/ticket/14100

  • export TOR_NO_DISPLAY_NETWORK_SETTINGS=1

/usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf

Creates folder /run/anon-ws-disable-stacked-tor.

  • d /run/anon-ws-disable-stacked-tor 0775 root root

/usr/sbin/tor.anondist

dummy Tor wrapper doing nothing but wait forever.

anon-ws-dns-conf

DNS configuration for Anonymity Linux Distribution Workstations

Whether an Anonymity Linux Distribution Gateway supports anonymized system DNS for the Workstation's traffic (also known as Transparent DNS Proxy) mainly depends on the Gateway's firewall.

This package simply installs /etc/resolv.conf pointing to 10.152.152.10, where an Anon-Gateway is supposed to provide a DnsPort on port 53.

When you do not wish to use the Transparent DNS features, this package can be removed.

/etc/resolv.conf.anondist

Sets nameserver 10.152.152.10. This works differently in Qubes-Whonix.

bindp

Binding specific IP and Port for Linux Running Application

This package is probably most useful for Anonymity Distributions.

This package is produced independently of, and carries no guarantee from, The Tor Project.

/debian/bindp.postinst

Compiles /usr/lib/bindp.c to /usr/lib/libindp.so during package installation using gcc. As with any LD_PRELOAD library, it only affects dynamically linked programs that go through the libc socket functions; statically linked or setuid programs are not covered.

whonix-ws-network-conf

Network Configuration for Whonix-Workstation

Includes /etc/network/interfaces for Whonix-Workstation.

Sets up an internal network interface eth0.

Currently relevant for Non-Qubes-Whonix only.

/debian/whonix-ws-network-conf.links

Disable Predictable Network Interface Names as these are problematic. https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4 Disabling them as per 'zless /usr/share/doc/udev/README.Debian.gz'.

  • /dev/null /etc/systemd/network/99-default.link

/debian/whonix-ws-network-conf.triggers

Required for /etc/systemd/network/99-default.link to take effect as per 'zless /usr/share/doc/udev/README.Debian.gz'.

  • activate-noawait update-initramfs

/etc/network/interfaces.d/30_non-qubes-whonix

network interfaces configuration for eth0, to communicate with Whonix-Gateway

static network configuration:

  #address 10.152.152.11
  #netmask 255.255.192.0
  #gateway 10.152.152.10

Shared by Whonix-Gateway and Whonix-Workstation

anon-apt-sources-list

/etc/apt/sources.list.d/debian.list for Anonymity Linux Distributions

A question of distribution maintenance strategies. The more standard way would be populating /etc/apt/sources.list at install or build time and leaving /etc/apt/sources.list.d alone. The idea of managing /etc/apt/sources.list.d/debian.list for the user is that the anonymity distribution maintainers can decide when it is better to "change stable to oldstable", "keep wheezy as long as needed to work out [eventual!] issues that would break during upgrade to jessie" and such.

/etc/apt/sources.list.d/debian.list

Debian APT repository sources.list

Configured to use tor+https.

Technical notes:

  • Why is buster-updates disabled by default? See: https://wiki.debian.org/StableUpdates
  • Why are sources (deb-src) disabled by default? Because those are not required by most users, to save time while running sudo apt update.
  • See also: https://www.debian.org/security/
  • See also: /etc/apt/sources.list.d/
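To see what "configured to use tor+https" means in practice, here is an added script (not the package's own debian.list) that rewrites an APT sources file so every deb/deb-src line uses the tor+https scheme and then checks that no active line still fetches over plain http:// or https://. The sample sources.list is constructed for the demo. The rewrite assumes apt-transport-tor is installed on the system that will use the result, since plain apt does not understand the tor+ scheme without it.

```shell
#!/bin/sh
# Added example: torify an APT sources list and verify no clearnet source remains.

# Rewrite: on deb/deb-src lines, http:// and https:// become tor+https://.
# Commented lines and lines already using tor+ are left alone. Reads the
# files given as arguments, or stdin.
torify_sources() {
    sed -E '/^[[:space:]]*deb(-src)?[[:space:]]/ s#[[:space:]]https?://# tor+https://#' "$@"
}

# Check: print every active deb/deb-src line whose URI does not start with
# tor+ (an [options] field before the URI is skipped); exit 1 if any exist.
find_clearnet_sources() {
    awk '$1 ~ /^deb(-src)?$/ {
             uri = $2
             if (uri ~ /^\[/) uri = $3
             if (uri !~ /^tor\+/) { print; bad = 1 }
         }
         END { exit bad ? 1 : 0 }' "$@"
}

# Constructed sample input for the demo (not the package's real debian.list).
sample_sources() {
    cat <<'EOF'
# Debian main repository
deb https://deb.debian.org/debian buster main contrib non-free
#deb-src https://deb.debian.org/debian buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main
deb [arch=amd64] https://example.invalid/repo buster main
deb tor+https://deb.debian.org/debian buster-backports main
EOF
}

# Returns 0 when the rewritten sample passes the clearnet check.
demo() {
    in="$(mktemp)"; out="$(mktemp)"
    sample_sources > "$in"
    torify_sources "$in" > "$out"
    if find_clearnet_sources "$out" > /dev/null; then rc=0; else rc=1; fi
    rm -f "$in" "$out"
    return $rc
}
```

The check is worth running after every upgrade that touches /etc/apt: a package dropping its own file into /etc/apt/sources.list.d/ with a plain https:// URI would make apt update contact that mirror directly, which on a workstation is still forced through the gateway but on other systems is a clearnet connection that reveals the update pattern.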

anon-base-files

base files for Anonymity Distributions

Creates user "user" with password "changeme" (not in Qubes), but only if user "user" does not exist yet. If it does create user "user", it also locks the root account. Therefore root account locking effectively only happens in new builds that do not have user "user" already.

Adds user "user" to groups "cdrom,audio,dip,sudo,plugdev".

Creates version file /var/lib/anon-dist/build_version.

Anonymized operating system user name "user", /etc/hostname, /etc/hosts, /etc/machine-id, /var/lib/dbus/machine-id, which should be shared among all anonymity distributions. See also:

Ships a systemd unit file anon-base-files-skel-first-boot.service which runs /usr/lib/helper-scripts/first-boot-skel (part of the helper-scripts package).

This package gets installed by default in both Kicksecure and Whonix.

/etc/hosts.anondist

Debian default /etc/hosts + Anonymity Distribution specific additions.

Currently only "127.0.0.1 host.localdomain host" gets added.

anon-shared-build-apt-sources-tpo

Adds TPO's APT repository to Anonymity Linux Distributions

Comes with "deb http://deb.torproject.org/torproject.org stable main" and The Tor Project's APT signing key.

This package is produced independently of, and carries no guarantee from, The Tor Project.

/etc/apt/sources.list.d/torproject.list

Tor Project APT repository sources.list

kicksecure-network-conf

Network Configuration for Kicksecure

Sets up external network interface eth0 by shipping a configuration file /etc/network/interfaces.d/30_kicksecure for Kicksecure.

Disables systemd Predictable Network Interface Names.

Configures DNS by shipping a configuration file /etc/resolv.conf for Kicksecure.

Enables DNSCrypt.

/etc/dnscrypt-proxy/kicksecure.toml

DNSCrypt configuration

/etc/network/interfaces.d/30_kicksecure

network interfaces configuration eth0

/etc/resolv.conf.kicksecure

DNSCrypt configuration

/lib/systemd/system/dnscrypt-proxy.service.d/30_kicksecure.conf

Reconfigures DNSCrypt to use configuration file /etc/dnscrypt-proxy/kicksecure.toml instead of the default /etc/dnscrypt-proxy/dnscrypt-proxy.toml. (In a systemd drop-in, ExecStart= has to be reset with an empty ExecStart= line before the replacement command is given; otherwise systemd refuses to load a non-oneshot service with two ExecStart= settings.)

This has the advantage that no config-package-dev displace is required and that changes to the upstream config file do not conflict with the Kicksecure config file.

qubes-whonix

Qubes Configuration for Whonix-Gateway and Whonix-Workstation

This package contains all the scripts and configuration options needed to run Whonix-Gateway and Whonix-Workstation within a Qubes environment.

Whonix-Gateway should run as a ProxyVM.

Whonix-Workstation should run as an AppVM.

Template updates over Tor.

  Package: qubes-whonix-shared-packages-recommended
  Architecture: all
  Depends: qubes-core-agent (<< 4.0.0-1) | qubes-core-agent-passwordless-root, qubes-kernel-vm-support, initramfs-tools, qubes-mgmt-salt-vm-connector, qubes-usb-proxy, qubes-input-proxy-sender, qubes-core-agent-thunar, qubes-core-agent-nautilus, ${misc:Depends}
  Description: Recommended packages for Qubes-Whonix-Gateway and Qubes-Whonix-Workstation

Recommended packages for Qubes-Whonix-Gateway and Qubes-Whonix-Workstation

A metapackage which includes recommended packages to ensure that Qubes-Whonix standard tools are available, plus other useful recommended packages.

Safe to remove, if you know what you are doing.

  Package: qubes-whonix-gateway-packages-recommended
  Architecture: all
  Depends: tinyproxy, yum, yum-utils, qubes-core-agent (<< 4.0.0-1) | qubes-core-agent-dom0-updates, ${misc:Depends}
  Description: Recommended packages for Qubes-Whonix-Gateway

Recommended packages for Qubes-Whonix-Gateway

A metapackage which installs packages that are recommended for Qubes-Whonix-Gateway.

Safe to remove, if you know what you are doing.

  Package: qubes-whonix-workstation-packages-recommended
  Architecture: all
  Depends: qubes-thunderbird, qubes-gpg-split, qubes-pdf-converter, qubes-img-converter, pulseaudio-qubes | qubes-gui-agent (<< 4.0.0), ${misc:Depends}
  Description: Recommended packages for Qubes-Whonix-Workstation

Recommended packages for Qubes-Whonix-Workstation

A metapackage which installs packages that are recommended for Qubes-Whonix-Workstation.

Feel free to remove, if you know what you are doing.

/etc/qubes/protected-files.d/qubes-whonix.conf

Configures Qubes to not modify files shipped by Whonix:

  • /etc/hostname
  • /etc/hosts
  • /etc/localtime
  • /etc/timezone

/etc/uwt.d/40_qubes.conf

uwt Qubes-Whonix Integration

Runs only inside a Qubes TemplateVM.

This configuration snippet configures uwt to wait before running apt until status file /run/qubes-service/whonix-secure-proxy or status file /run/qubes-service/whonix-secure-proxy-check-done exists. It times out after 120 seconds.

This is to determine whether a torified Qubes updates proxy was detected.

If torified Qubes updates proxy detection fails, it prevents running apt and shows the following warning:

  WARNING: Execution of apt prevented by @file_name@ because no torified Qubes updates proxy found.

If torified Qubes updates proxy detection succeeds, it disables the apt uwtwrapper. In other words, apt runs normally, without torsocks, because the apt config file /etc/apt/apt.conf.d/01qubes-proxy will already have http proxy settings for the TCP based Qubes updates proxy:

  Acquire::http::Proxy "http://10.137.255.254:8082/";

or for the qrexec based Qubes updates proxy:

  Acquire::http::Proxy "http://127.0.0.1:8082/";

sdwdate

Secure Distributed Network Time Synchronization

Time keeping is crucial for security, privacy, and anonymity. sdwdate is a Tor-friendly replacement for rdate and ntpdate that sets the system's clock by communicating, via onion-encrypted TCP, with Tor onion webservers.

At randomized intervals, sdwdate connects to a variety of webservers and extracts the time stamps from HTTP headers (RFC 2616). Using the sclockadj option, time is adjusted gradually, preventing bigger clock jumps that could confuse logs, servers, Tor, I2P, etc.

This package contains the sdwdate time fetcher and daemon. No installation on remote servers is required. To avoid conflicts, this daemon should not be enabled together with ntp or tlsdated.
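The following added sketch is not sdwdate's own code; it reduces the mechanism described above to something runnable: HTTP response headers from several servers are parsed for their RFC 2616 Date header, each is converted to a Unix timestamp, the median is taken as the remote time so that a single wrong server clock cannot drag the result, and the correction is expressed as a number of small steps rather than one jump (the sclockadj idea). The three header samples are constructed, and GNU date is assumed for `date -d`; how sdwdate actually selects and combines servers is not shown here.

```shell
#!/bin/sh
# Added example: time from HTTP Date headers, median, and gradual correction.

# $1 = raw response headers. Prints the Date header as a Unix timestamp,
# returns 1 if there is no Date header (a server without one is unusable).
date_header_to_epoch() {
    ts="$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Dd][Aa][Tt][Ee]:[[:space:]]*//p' | head -n 1)"
    [ -n "$ts" ] || return 1
    date -u -d "$ts" +%s
}

# Median of newline-separated integers on stdin.
median() {
    sort -n | awk '{ v[NR] = $1 } END { if (NR == 0) exit 1; print v[int((NR + 1) / 2)] }'
}

# $1 = local clock (epoch), $2 = remote clock (epoch), $3 = largest step in
# seconds. Prints how many equal steps a gradual correction needs.
steps_for_offset() {
    off=$(( $2 - $1 ))
    if [ "$off" -lt 0 ]; then off=$(( 0 - off )); fi
    echo $(( (off + $3 - 1) / $3 ))
}

# Constructed replies, not real captures. The third server is ten minutes fast.
HDR1='HTTP/1.1 200 OK
Date: Tue, 15 Nov 1994 08:12:31 GMT
Content-Type: text/html'
HDR2='HTTP/1.1 200 OK
date: Tue, 15 Nov 1994 08:12:33 GMT'
HDR3='HTTP/1.1 200 OK
Date: Tue, 15 Nov 1994 08:22:31 GMT'

# Prints the median remote timestamp of the three samples.
remote_time_from_samples() {
    for h in "$HDR1" "$HDR2" "$HDR3"; do
        date_header_to_epoch "$h"
    done | median
}
```

Header names are matched case-insensitively because servers emit both "Date:" and "date:". With the samples above the median is the second server's time, and the fast third server has no influence on the result.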

/etc/qubes/suspend-post.d/30_sdwdate.sh

hook to run /usr/lib/sdwdate/suspend-post in Qubes-Whonix.

/etc/qubes/suspend-pre.d/30_sdwdate.sh

hook to run /usr/lib/sdwdate/suspend-pre in Qubes-Whonix.

security-misc

enhances misc security settings

Inspired by Kernel Self Protection Project (KSPP)

  • Implements most if not all recommended Linux kernel settings (sysctl) and kernel parameters by KSPP.

kernel hardening:

  • Deactivates Netfilter's connection tracking helper. Netfilter's connection tracking helper module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this package disables this feature by shipping the /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
  • Kernel symbols in various files in /proc are hidden as they can be very useful for kernel exploits.
  • Kexec is disabled as it can be used to load a malicious kernel. /etc/sysctl.d/kexec.conf
  • ASLR effectiveness for mmap is increased.
  • The TCP/IP stack is hardened by disabling ICMP redirect acceptance, ICMP redirect sending and source routing to prevent man-in-the-middle attacks, ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks and enabling RFC1337 to protect against time-wait assassination attacks.
  • Some data spoofing attacks are made harder.
  • SACK can be disabled, as it is commonly exploited and is rarely used, by uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
  • Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit.
  • Sanity checks, redzoning, and memory poisoning are enabled.
  • Machine checks (MCE) are disabled, which makes the kernel panic on uncorrectable errors in ECC memory that could be exploited.
  • Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness.
  • SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
  • All mitigations for the MDS vulnerability are enabled.
  • A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. /etc/kernel/postinst.d/30_remove-system-map /lib/systemd/system/remove-system-map.service /usr/lib/security-misc/remove-system.map
  • Coredumps are disabled as they may contain important information such as encryption keys or passwords. /etc/security/limits.d/disable-coredumps.conf /etc/sysctl.d/coredumps.conf /lib/systemd/coredump.conf.d/disable-coredumps.conf
  • The thunderbolt and firewire kernel modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks.
  • IOMMU is enabled with a boot parameter to prevent DMA attacks.
  • The kernel now panics on oopses to prevent it from continuing to run a flawed process.
  • Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
  • A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to the root user only. This hides a lot of hardware identifiers from unprivileged users and increases security as /sys exposes a lot of information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by running `systemctl enable hide-hardware-info.service` as root.

Uncommon network protocols are blacklisted: these are rarely used and may have unknown vulnerabilities. /etc/modprobe.d/uncommon-network-protocols.conf The network protocols that are blacklisted are:

  • DCCP - Datagram Congestion Control Protocol
  • SCTP - Stream Control Transmission Protocol
  • RDS - Reliable Datagram Sockets
  • TIPC - Transparent Inter-process Communication
  • HDLC - High-Level Data Link Control
  • AX25 - Amateur X.25
  • NetRom
  • X25
  • ROSE
  • DECnet
  • Econet
  • af_802154 - IEEE 802.15.4
  • IPX - Internetwork Packet Exchange
  • AppleTalk
  • PSNAP - Subnetwork Access Protocol
  • p8023 - Novell raw IEEE 802.3
  • p8022 - IEEE 802.2
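The following added script is not security-misc's own modprobe.d file; it generates an equivalent snippet from the protocol list above and checks a module listing against it. It uses `install <module> /bin/false` rather than only `blacklist`, because a blacklist line merely stops alias-based autoloading while an explicit modprobe (or a program that triggers request_module) still loads the module; an install override makes that request fail. The kernel module names are assumed to correspond to the list as written (with "hdlc" for HDLC), the output is printed rather than written to /etc/modprobe.d, and the lsmod sample is constructed.

```shell
#!/bin/sh
# Added example: modprobe.d snippet for the uncommon protocols and an lsmod check.

UNCOMMON_PROTOCOLS="dccp sctp rds tipc hdlc ax25 netrom x25 rose decnet econet af_802154 ipx appletalk psnap p8023 p8022"

# Print the modprobe.d configuration to stdout (redirect it into
# /etc/modprobe.d/ on a real system).
gen_modprobe_conf() {
    echo "# Uncommon network protocols: disabled to reduce kernel attack surface."
    for m in $UNCOMMON_PROTOCOLS; do
        echo "install $m /bin/false"
    done
}

# $1 = output of lsmod (constructed or live). Prints every loaded module that
# is on the disabled list and returns how many were found, so a non-zero
# exit status means a disabled protocol was loaded before the override took
# effect (for example from the initramfs) or the snippet is not in place.
loaded_uncommon_protocols() {
    found=0
    for m in $UNCOMMON_PROTOCOLS; do
        if printf '%s\n' "$1" | awk -v mod="$m" 'NR > 1 && $1 == mod { hit = 1 } END { exit hit ? 0 : 1 }'; then
            echo "$m"
            found=$((found + 1))
        fi
    done
    return "$found"
}

# Constructed lsmod output: one disallowed module (sctp) among ordinary ones.
SAMPLE_LSMOD='Module                  Size  Used by
sctp                  417792  0
xt_conntrack           16384  2
nf_conntrack          172032  3 xt_conntrack
virtio_net             61440  0'
```

Because modprobe.d only affects future load requests, a module that is already resident keeps running until it is unloaded or the system reboots; the check above is what tells you whether that situation exists. If the initramfs loads one of these modules, the snippet also has to be present inside the initramfs (update-initramfs copies /etc/modprobe.d/ on Debian).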

user restrictions:

  • A systemd service mounts /proc with hidepid=2 at boot to prevent users from

seeing each other's processes.

  • The kernel logs are restricted to root only.
  • The BPF JIT compiler is restricted to the root user and is hardened.
  • The ptrace system call is restricted to the root user only.

restricts access to the root account:

  • `su` is restricted to only users within the group `sudo` which prevents

users from using `su` to gain root access or to switch user accounts. /usr/share/pam-configs/wheel-security-misc (Which results in a change in file `/etc/pam.d/common-auth`.)

  • Add user `root` to group `sudo`. This is required to make above work so

login as a user in a virtual console is still possible. debian/security-misc.postinst

  • Abort login for users with locked passwords.

/usr/lib/security-misc/pam-abort-on-locked-password

  • Lock user accounts after 100 failed login attempts using pam_tally2.

/usr/share/pam-configs/tally2-security-misc

  • Logging into the root account from a virtual, serial, whatnot console is

prevented by shipping an existing and empty /etc/securetty. (Deletion of /etc/securetty has a different effect.) /etc/securetty.security-misc

informational output during Linux PAM:

  • Show failed and remaining password attempts.
  • Document unlock procedure if Linux user account got locked.
  • Point out that there is no password feedback for `su`.
  • Explain locked (root) account if locked.
  • /usr/share/pam-configs/tally2-security-misc
  • /usr/lib/security-misc/pam_tally2-info
  • /usr/lib/security-misc/pam-abort-on-locked-password

access rights restrictions:

  • Removes read, write and execute access for others for all users who have home folders under /home, by running for example "chmod o-rwx /home/user" during package installation, upgrade or via PAM. This is done only once per folder in /home, so users who wish to relax file permissions are free to do so. This protects previously created files in the user home folder that were created with lax file permissions prior to installation of this package. debian/security-misc.postinst /usr/share/pam-configs/permission-lockdown-security-misc /usr/lib/security-misc/permission-lockdown

access rights relaxations:

This package does (not yet) automatically lock the root account password. It is not clear that would be sane in such a package. It is recommended to lock and expire the root account. In new Whonix builds, the root account will be locked by package anon-base-files. https://www.whonix.org/wiki/Root https://www.whonix.org/wiki/Dev/Permissions https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break the rescue and emergency shell. Therefore this package enables a passwordless rescue and emergency shell. This is the same solution that Debian will likely adopt for the Debian installer. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 Adverse security effects can be prevented by setting up BIOS password protection, grub password protection and/or full disk encryption. /etc/systemd/system/emergency.service.d/override.conf /etc/systemd/system/rescue.service.d/override.conf

Disables TCP Time Stamps:

TCP time stamps (RFC 1323) allow for tracking clock information with millisecond resolution. This may or may not allow an attacker to learn information about the system clock at such a resolution, depending on various issues such as network lag. This information is available to anyone who monitors the network somewhere between the attacked system and the destination server. It may allow an attacker to find out how long a given system has been running, and to distinguish several systems running behind NAT and using the same IP address. It might also allow one to look for clocks that match an expected value to find the public IP used by a user.

Hence, this package disables this feature by shipping the /etc/sysctl.d/tcp_timestamps.conf configuration file.

Note that TCP time stamps normally have some usefulness. They are needed for:

  • the TCP protection against wrapped sequence numbers; however, to trigger a wrap, one needs to send roughly 2^32 packets in one minute: as said in RFC 1700, "The current recommended default time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". So, this probably won't be a practical problem in the context of Anonymity Distributions.
  • "Round-Trip Time Measurement", which is only useful when the user manages to saturate their connection. When using Anonymity Distributions, the limiting factor for transmission speed is rarely the capacity of the user's connection.

Application specific hardening:

  • Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox
  • Deactivates previews in Dolphin.
  • Deactivates previews in Nautilus.
  • Deactivates thumbnails in Thunar.

Discussion:

Happening primarily in Whonix forums. https://forums.whonix.org/t/kernel-hardening/7296

/etc/sysctl.d/tcp_hardening.conf

TCP/IP stack hardening

Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.

  • net.ipv4.tcp_rfc1337=1

Disables ICMP redirect acceptance.

  • net.ipv4.conf.all.accept_redirects=0
  • net.ipv4.conf.default.accept_redirects=0
  • net.ipv4.conf.all.secure_redirects=0
  • net.ipv4.conf.default.secure_redirects=0
  • net.ipv6.conf.all.accept_redirects=0
  • net.ipv6.conf.default.accept_redirects=0

Disables ICMP redirect sending.

  • net.ipv4.conf.all.send_redirects=0
  • net.ipv4.conf.default.send_redirects=0

Ignores ICMP requests.

  • net.ipv4.icmp_echo_ignore_all=1

Enables TCP syncookies.

  • net.ipv4.tcp_syncookies=1

Disable source routing.

  • net.ipv4.conf.all.accept_source_route=0
  • net.ipv4.conf.default.accept_source_route=0

/etc/sysctl.d/tcp_timestamps.conf

disable IPv4 TCP Timestamps

  • net.ipv4.tcp_timestamps=0
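As an added check (not part of the security-misc package), the following script audits a sysctl.d file such as the two above against the values the running kernel reports under /proc/sys and lists every key that has drifted or is unavailable, for example because a later sysctl.d file or a manual `sysctl -w` overrode it. The function and helper names are this example's own, and the demo runs against a constructed tree instead of the real /proc/sys.

```shell
#!/bin/sh
# Added example (not part of security-misc): audit a sysctl.d file against
# the values the running kernel reports under /proc/sys, so drift from the
# baseline (a later sysctl.d file or a manual `sysctl -w`) becomes visible.

# audit_sysctl_conf FILE [PROCSYS_ROOT]: prints one "MISMATCH ..." line per
# drifted or unavailable key; returns 0 if all match, 1 otherwise.
# PROCSYS_ROOT defaults to /proc/sys and is overridden only for testing.
audit_sysctl_conf() {
    conf="$1"; root="${2:-/proc/sys}"; status=0
    # Drop comments (# or ;) and blank lines; keep "key = value" lines.
    entries=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")
    while IFS='=' read -r key expected; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        [ -n "$key" ] || continue
        expected=$(printf '%s' "$expected" | tr -d '[:space:]')
        # sysctl's dotted key is a path below /proc/sys.
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ -f "$path" ]; then actual=$(cat "$path"); else actual='<unavailable>'; fi
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s expected=%s actual=%s\n' "$key" "$expected" "$actual"
            status=1
        fi
    done <<EOF
$entries
EOF
    return "$status"
}

# fake_procsys_write ROOT KEY VALUE: builds a constructed /proc/sys tree so the
# demo and tests never touch the real kernel.
fake_procsys_write() {
    path="$1/$(printf '%s' "$2" | tr '.' '/')"
    mkdir -p "$(dirname "$path")" && printf '%s\n' "$3" > "$path"
}

# Stand-alone demo on a constructed tree: one key drifted, one unavailable.
demo_root=$(mktemp -d)
fake_procsys_write "$demo_root" net.ipv4.tcp_rfc1337 1
fake_procsys_write "$demo_root" net.ipv4.conf.all.accept_redirects 1  # drifted
fake_procsys_write "$demo_root" net.ipv4.tcp_timestamps 0
printf '%s\n' '# constructed subset of the Whonix sysctl.d files' \
    'net.ipv4.tcp_rfc1337 = 1' 'net.ipv4.conf.all.accept_redirects = 0' \
    'net.ipv4.tcp_timestamps = 0' 'net.ipv4.icmp_echo_ignore_all = 1' \
    > "$demo_root/hardening.conf"
audit_sysctl_conf "$demo_root/hardening.conf" "$demo_root" || echo 'hardening drift detected'
rm -rf "$demo_root"
```

Run it without the second argument to compare a real file such as /etc/sysctl.d/tcp_hardening.conf against the live kernel.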

uwt

Use Applications over Tor with Stream Isolation and Time Privacy

Can add "torsocks" and/or "timeprivacy" before invocation of applications when configured to do so. For example, when simply typing "apt-get" instead of "torsocks apt-get", "apt-get" can still be routed over Tor.

The uwt package comes with the following applications pre-configured to use uwtwrapper, Tor and stream isolation:

  • apt
  • apt-file
  • apt-get
  • aptitude-curses
  • curl
  • git
  • gpg
  • gpg2
  • mixmaster-update
  • rawdog
  • ssh
  • wget
  • yum
  • yumdownloader
  • wormhole

To circumvent a uwt wrapper on a case by case basis, append ".anondist-real" to the command, for example "apt-get.anondist-real". You can also deactivate specific or all uwt wrappers by using the stackable .d-style configuration folder /etc/uwt.d.

uwt can only work as well as torsocks does. If torsocks is unable to route all of an application's traffic over Tor, e.g. if there is a leak, there will also be one when using uwt. For that reason, it is recommended to use Anonymity Distributions that prevent such leaks.

If an application has native support for socks proxy settings, those should be preferred over uwt. Also refer to the TorifyHOWTO and your distribution's documentation.

Timeprivacy can keep your time private. You can create wrappers for applications and timeprivacy will feed those applications with a fake time, which obfuscates at which time you really used that application (such as when you made the git commit or when you signed that document). It does NOT set your time zone to UTC. (You could manually set your timezone to UTC or install the timezone-utc package.)

This package is probably most useful for Anonymity Distributions.

This package is produced independently of, and carries no guarantee from, The Tor Project.

/debian/uwt.displace

replace the following files with the uwt version

Using config-package-dev displace.

/etc/tor/torsocks configuration file

  • /etc/tor/torsocks.conf.anondist

Replace apt, wget, curl, ssh, onionshare, ricochet, wormhole with uwt wrapper which then calls /usr/lib/uwtwrapper.

  • /usr/bin/apt.anondist
  • /usr/bin/apt-file.anondist
  • /usr/bin/apt-get.anondist
  • /usr/bin/aptitude-curses.anondist
  • /usr/bin/curl.anondist
  • /usr/bin/git.anondist
  • /usr/bin/gpg.anondist
  • /usr/bin/gpg2.anondist
  • /usr/bin/mixmaster-update.anondist
  • /usr/bin/rawdog.anondist
  • /usr/bin/ssh.anondist
  • /usr/bin/wget.anondist
  • /usr/bin/yum.anondist
  • /usr/bin/yumdownloader.anondist
  • /usr/bin/onionshare.anondist
  • /usr/bin/onionshare-gui.anondist
  • /usr/bin/ricochet.anondist
  • /usr/bin/wormhole.anondist

/etc/profile.d/20_uwt.sh

/etc/profile.d hook to source /usr/lib/uwt/uwt.sh

/etc/sudoers.d/uwt

Disable torsocks warning spam such as: [May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165) https://phabricator.whonix.org/T317

  • Defaults:ALL env_keep += "TORSOCKS_LOG_LEVEL"

/etc/tor/torsocks.conf.anondist

torsocks configuration

  • AllowInbound 1
  • AllowOutboundLocalhost 1
  • IsolatePID 1

/etc/uwt.d/30_uwt_default.conf

uwt configuration

/etc/X11/Xsession.d/20uwt

/etc/X11/Xsession.d hook to source /usr/lib/uwt/uwt.sh

/usr/bin/apt.anondist

uwt wrapped application

  • export uwtwrapper_parent="${BASH_SOURCE[0]}"
  • exec /usr/lib/uwtwrapper "$@"

/usr/bin/apt-file.anondist

uwt wrapped application

/usr/bin/apt-get.anondist

uwt wrapped application

/usr/bin/aptitude-curses.anondist

uwt wrapped application

/usr/bin/curl.anondist

uwt wrapped application

  • export uwtwrapper_parent="${BASH_SOURCE[0]}"
  • exec /usr/lib/uwtwrapper "$@"

/usr/bin/git.anondist

uwt wrapped application

/usr/bin/gpg2.anondist

uwt wrapped application

/usr/bin/mixmaster-update.anondist

uwt wrapped application

/usr/bin/onionshare-gui.anondist

uwt wrapped application

/usr/bin/rawdog.anondist

uwt wrapped application

/usr/bin/ricochet.anondist

uwt wrapped application

ricochet does not have unix domain socket file support, therefore it depends on the TOR_CONTROL_HOST and TOR_CONTROL_PORT environment variables being set. Otherwise it would try to start its own Tor instance. https://phabricator.whonix.org/T444

  • TOR_CONTROL_HOST="127.0.0.1"
  • TOR_CONTROL_PORT="9151"
  • export TOR_CONTROL_HOST
  • export TOR_CONTROL_PORT
  • export uwtwrapper_parent="${BASH_SOURCE[0]}"
  • exec /usr/lib/uwtwrapper "$@"

/usr/bin/ssh.anondist

uwt wrapped application

/usr/bin/time_privacy

undocumented

/usr/bin/wget.anondist

uwt wrapped application

/usr/bin/wormhole.anondist

uwt wrapped application

/usr/bin/yum.anondist

uwt wrapped application

/usr/bin/yumdownloader.anondist

uwt wrapped application

/usr/lib/uwt/uwt.sh

Disable torsocks warning spam such as: [May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165) https://phabricator.whonix.org/T317

  • export TORSOCKS_LOG_LEVEL=1

/usr/lib/uwtexec

This script is used by uwtwrapper as a workaround to preserve the zeroth argument when executing programs with other wrappers like faketime or torsocks.

/usr/lib/uwt_settings_show

/usr/lib/uwtwrapper

When running uwt wrapped applications (such as apt, wget, curl, onionshare or others), torsocks or bindp is automatically prepended. I.e., when for example apt or curl is executed, what really happens is running torsocks apt or torsocks curl.

uwtwrappers and /usr/lib/uwtwrapper are hacks to socksify applications that do not support native socks proxy settings. Used to implement Stream Isolation. https://www.whonix.org/wiki/Stream_Isolation

In essence, uwtwrappers are installed so users can type commands like apt-get normally while transparently injecting torsocks, thereby stream isolating them.

To understand better how uwt wrappers function, you could for example open /usr/bin/apt-get.anondist in an editor.

Also useful to run: ls -la /usr/bin/apt-get*

You will see that /usr/bin/apt-get has been replaced with a symlink to /usr/bin/apt-get.anondist. (This was done using config-package-dev.)

/usr/bin/apt-get.anondist is a uwt wrapper.

/usr/bin/apt-get.anondist-orig is the original apt-get binary.

bindp is used to make applications which listen on the internal IP by default, such as onionshare (which is the right thing to do outside of Whonix), listen on the external IP instead. See also:
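As an added illustration of the wrapper mechanism described above (not the uwt project's own code), the script below is a simplified wrapper: given its own path, the role uwtwrapper_parent plays on this page, it locates <name>.anondist-orig next to it and runs it through torsocks, with a hypothetical opt-out marker directory standing in for the /etc/uwt.d configuration. All function and variable names (uwt_wrapped_run, uwt_make_demo_bin, UWT_DISABLE_DIR, TORSOCKS) are assumed for the example, and the demo uses stand-in torsocks and curl scripts in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, a simplified illustration of the uwt wrapper mechanism; it
# is not the uwt project's code. The wrapper that replaced /usr/bin/<name>
# passes its own path (the role of uwtwrapper_parent on the page) so the
# real binary, <name>.anondist-orig, can be found and run through torsocks.
# Assumed names: uwt_wrapped_run, UWT_DISABLE_DIR, TORSOCKS (example only).

# uwt_wrapped_run WRAPPER_PATH [ARGS...]: run the wrapped program through
# torsocks, or directly if an opt-out marker for it exists. A real wrapper
# would exec here; the example calls the program so callers see its status.
uwt_wrapped_run() {
    wrapper="$1"; shift
    name=$(basename "$wrapper" .anondist)      # /usr/bin/curl.anondist -> curl
    orig="$(dirname "$wrapper")/$name.anondist-orig"
    if [ ! -x "$orig" ]; then
        echo "uwt: original binary $orig not found" >&2
        return 127
    fi
    # Hypothetical per-program opt-out: a marker file named after the program.
    if [ -n "${UWT_DISABLE_DIR:-}" ] && [ -e "$UWT_DISABLE_DIR/$name" ]; then
        "$orig" "$@"
    else
        "${TORSOCKS:-torsocks}" "$orig" "$@"
    fi
}

# uwt_make_demo_bin DIR: constructed bin directory with a stand-in torsocks
# (announces itself, then execs the target) and a stand-in curl.anondist-orig
# that echoes how it was invoked, including the argv[0] it saw.
uwt_make_demo_bin() {
    mkdir -p "$1"
    printf '%s\n' '#!/bin/sh' 'printf "via-torsocks "' 'exec "$@"' > "$1/torsocks"
    printf '%s\n' '#!/bin/sh' 'echo "curl-orig argv0=$(basename "$0") args=$*"' \
        > "$1/curl.anondist-orig"
    chmod +x "$1/torsocks" "$1/curl.anondist-orig"
    : > "$1/curl.anondist"   # the wrapper itself; only its path matters here
}

demo=$(mktemp -d)
uwt_make_demo_bin "$demo/bin"
TORSOCKS="$demo/bin/torsocks"
uwt_wrapped_run "$demo/bin/curl.anondist" -s https://example.invalid/
# argv0 above is curl.anondist-orig: the kind of mismatch uwtexec works around
mkdir -p "$demo/disabled" && : > "$demo/disabled/curl"
UWT_DISABLE_DIR="$demo/disabled" uwt_wrapped_run "$demo/bin/curl.anondist" --version
rm -rf "$demo"
```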

whonix-firewall

Firewall for Whonix-Gateway and Whonix-Workstation

iptables rules script and firewall configuration file for Whonix-Gateway and Whonix-Workstation.

Whonix-Gateway Firewall Features:

  • transparent proxying
  • stream isolation
  • reject invalid packages
  • fail closed mechanism
  • optional VPN-Firewall
  • optional isolating proxy
  • optional incoming flash proxy
  • optional Tor relay

Do not remove, unless you no longer wish to use Whonix.

/debian/whonix-firewall.postinst

Creates the Linux user accounts used by the firewall script: clearnet, tunnel, notunnel, whonixcheck, sdwdate, updatesproxycheck.

Creates an empty /etc/whonix_firewall.d/50_user.conf, which is not owned by any package, if it does not already exist.

/etc/whonix_firewall.d/30_whonix_gateway_default.conf

Whonix firewall configuration file

/etc/whonix_firewall.d/30_whonix_workstation_default.conf

Whonix firewall configuration file

/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf

Fail Closed Mechanism. When the Whonix firewall systemd service fails, do not bring up the network.

TODO: does not cover Qubes-Whonix since Qubes does not use networking.service. TODO: disabled, broken. Breaks networking on package upgrades. https://phabricator.whonix.org/T875

#[Unit]
#After=whonix-firewall.service
#Requires=whonix-firewall.service

/lib/systemd/system/whonix-firewall.service

Runs /usr/lib/whonix-firewall/enable-firewall.

On Whonix-Gateway or Whonix-Workstation (if /usr/share/anon-gw-base-files/gateway or /usr/share/anon-ws-base-files/workstation exists), loads Whonix Firewall.

(Does nothing inside Qubes TemplateVMs.)

If loading Whonix Firewall fails, creates /run/anon-firewall/failed.status.

/usr/bin/whonix_firewall

firewall starter wrapper

/usr/bin/whonix-gateway-firewall

firewall script

/usr/bin/whonix-workstation-firewall

firewall script

/usr/lib/whonix-firewall/enable-firewall

Wrapper to start firewall and create failure status files on failure.

/usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test

stream isolation developer test script