Version Number[edit]

To discover what Tor version is currently in use, run the following command inside Whonix-Gateway (Qubes-Whonix: sys-whonix).

anon-info

The output should be similar to the following.

INFO: version of the 'tor' package: 0.3.2.10-1~d80.jessie+1

Permissions on directory /var/run/tor are too permissive Error[edit]

To discover if you are affected by the Permissions on directory /var/run/tor are too permissive error, ^[1] run the following command inside Whonix-Gateway (Qubes-Whonix: sys-whonix).

sudo cat /var/run/tor/log | grep -i permissive

If a user is affected, a warning similar to the following will appear.

Aug 03 17:36:33.000 [warn] Permissions on directory /var/run/tor are too permissive.

Currently there is only one workaround, which needs to be manually applied after every reboot.

sudo chmod --recursive 700 /var/run/tor

Log Analysis[edit]

Introduction[edit]

Analysis of Tor's log can be useful if connectivity issues emerge.

Open Tor Log[edit]

Users can inspect two logs:

• The persistent Tor log: /var/log/tor/log; and/or
• The Tor log since last boot: /var/run/tor/log ^[2]

Open /var/run/tor/log in an editor with root rights.

kdesudo kwrite /var/run/tor/log

sudo nano /var/run/tor/log

Watch Tor Log[edit]

Users can also watch Tor's log as it is written.

sudo tail -f /var/run/tor/log

This command is especially useful when Tor is reloaded or restarted simultaneously in another terminal window.

To reload Tor, run the following command.

sudo service tor@default reload

To restart Tor, run the following command.

sudo service tor@default restart

Non-Issues[edit]

See Also[edit]

• Why does Whonix use Tor?
• Why is Tor slow?
• Censorship Circumvention - Tor Bridge Mode, using (private) (obfuscated) bridges
• Hide the fact that you are using Tor/Whonix
• Controlling Tor
• Hosting Tor Onion Services, ANY, Hidden Webserver
• Comparison of Tor, Proxies, CGI proxies, Proxy Chains and VPN Services

Advanced Topics[edit]

Entry Guards[edit]

Introduction[edit]

Many well known enhanced anonymity designs such as Tor, Whonix, and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user.^[6]

Note: Guard fingerprinting techniques are similar to methods that track users via MAC addresses. If this is a realistic threat, then MAC address randomization is also recommended.

In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days.^{[7] [8] [9]}

Warning: In some situations it is safer to not use the usual guard relay!

Guard Fingerprinting[edit]

While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards ^[10] and de-anonymize a user. For instance:

• The same entry guards are used across various physical locations and access points.

• The same entry guards are used after permanently moving to a different physical location.

Consider the following scenario. A user connects to Tor via a laptop at their home address. Soon afterwards, the same user attends a prominent event or protest in a nearby city. At that location, the user decides to anonymously blog about what transpired using the same laptop. This is problematic for anonymity, as the Tor client is using the same entry guard normally correlated with the user’s home address.

Network adversaries who are monitoring traffic have a high degree of certainty that the “anonymous” posts from the city location are related to the same person who connected to that specific guard relay at home. The relative uncommonness of Tor usage exacerbates the potential for de-anonymization.

There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after returning home:

• Clone Whonix-Gateway (sys-whonix) with New Entry Guards.

• Regenerate the Tor State File after Saving the Current Tor State.

• Configure Tor to use Alternate Bridges.

• If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.

Forum discussion:
https://forums.whonix.org/t/persistent-tor-entry-guard-relays-can-make-you-trackable-across-different-physical-locations/2090

^[11]

Manual Rotation of Tor Guards[edit]

Security and Performance Related Issues[edit]

Users may be tempted to create a new Whonix-Gateway (sys-whonix) in the following circumstances:

• Bootstrapping is slow or regularly fails.
• Tor logs show warnings suggesting evidence of route manipulation attacks or other oddities.
• Logs reveal attempted attacks on Whonix or Tor processes, for example in AppArmor logs.
• Current Tor performance is very slow or unreliable due to collapsing circuits or other factors.
• The user is concerned about the amount of Tor data that could be revealed if the Whonix-Gateway is infected, particularly after a long period of use.

Creating a new Whonix-Gateway or sys-whonix will likely lead to a new set of Tor entry guards, which is proven to degrade anonymity. Forcing the rotation of guards more often than Tor’s default is dangerous for several reasons:

• It increases the likelihood of a compromised or malicious Tor guard being selected. This increases the chance of a successful correlation attack if the adversary runs Tor exit relays in the network.
• The user is more likely to traverse a given set of Internet infrastructure links that are under the adversary's control, such as Autonomous Systems (ASes) or Internet Exchange Points (IXPs).
• Every change of Tor guards acts like a fingerprinting mechanism, since other users are less likely to pick the same set. If the adversary is able to enumerate a user's Tor guards, and later observes someone with the same set, the chance is high the two observations stem from the same person.

For these reasons the Tor Project changed its design in 2014 to have a solitary primary guard node, and increased the set period for guard rotation. Users should also not discount the possibility that an adversary might purposefully cause poor Tor throughput, in the hope Tor guards are manually changed:

We should also consider whether an adversary can *induce* congestion or resource exhaustion to cause a target user to switch away from her guard. Such an attack could work very nicely coupled with the guard enumeration attacks discussed above.

In one sense, slow Tor entry guards should be welcomed - “honeypot” operators on the Tor network are unlikely to have constrained bandwidth which might chase away intended targets.

Warning: Users considering using disposable Whonix-Gateway ProxyVMs in Qubes R4 are warned that this technique severely degrades anonymity; new Tor guards are created during each distinct Whonix session.

If users feel compelled in their circumstances to proceed despite the anonymity risks, then it may be safer to first try:

• One of the fallback primary entry guards.
• A configured bridge.
• Chaining other tunnels with Tor.
• Creating a fresh Whonix-Gateway (sys-whonix), and copying across the Tor state file.

The safest decision is to persist with poor performance and wait for normal guard rotation.

Mitigate the Threat of Guard Fingerprinting[edit]

If guard fingerprinting across different locations is a concern, there are several ways to mitigate this threat. Viable options include: bridges, temporarily rotating guards, or cloning Whonix-Gateway (sys-whonix) with new guards.

Note: Weigh the fingerprinting risks outlined in the previous section before proceeding. In most cases the decision to not rotate guards (even temporarily) is the correct one.

Clone Whonix-Gateway (sys-whonix) with New Entry Guards[edit]

It is possible to clone the current Whonix-Gateway (sys-whonix) VM and regenerate the Tor state file. Once the VM is cloned, it is important that the original is not unintentionally used for any anonymous activities. To nullify this threat, consider disabling networking in the original Whonix-Gateway until returning home.

Warning: Users should not clone the Whonix-Gateway (sys-whonix) with new guards at the home address. If the Tor client connects through the home network, the new guards might be correlated to the home address.

Create a clone of the Whonix-Gateway (sys-whonix) and name it Whonix-Gateway-temp VM (sys-whonix-temp VM) .

• • Virtualbox: follow these instructions to create a VM snapshot.
  • Qubes-Whonix: Right-click on sys-whonix -> Clone VM
• Regenerate the Tor State File.

Regenerate the Tor State After Saving the Tor State Folder[edit]

Non-Qubes-Whonix only!

Prior to arriving at the remote location, the Whonix-Gateway Tor state folder is moved to the $HOME directory, and the Tor state file is regenerated.

1. In Whonix-Gateway konsole, stop Tor.

sudo systemctl stop tor@default

2. In Whonix-Gateway konsole, remove the temporary Tor state folder.

sudo rm -r /var/lib/tor

3. In Whonix-Gateway konsole, restore the Tor state folder.

sudo mv ~/tor /var/lib

4. In Whonix-Gateway konsole, restart Tor.

sudo systemctl restart tor@default

Before returning home, the Tor state folder is restored to its original settings.

1. In Whonix-Gateway konsole, Stop Tor.

sudo systemctl stop tor@default

2. In Whonix-Gateway konsole, move the Tor state folder to the $HOME directory.

sudo mv /var/lib/tor ~/

3. In Whonix-Gateway konsole, restart Tor.

sudo systemctl restart tor@default

Alternating Bridges[edit]

If bridges are already in use, alternate bridges are recommended for different locations. If bridges are not used, consideration should be given to using entry guards in your primary location and relying on alternate bridges in different locations.

Complete the following steps on Whonix-Gateway (Qubes-Whonix: sys-whonix).

1. Disable Tor using the whonix-setup-wizard (safest option).

Start the whonix-setup-wizard.

sudo whonixsetup

Choose the Disable Tor option. Press next.

2. Configure Tor to use bridges. Refer to the Bridges documentation.

3. Enable Tor using whonixsetup / whonix-setup-wizard at the new location.

4. Before leaving this location, disable Tor. If traveling to a different area, add a different bridge address. To revert to the usual guard nodes used at home, remove the torrc bridge settings before enabling the network, or rollback to a VM snapshot created at home.

Copy Tor Configuration files and Settings to Another sys-whonix Instance[edit]

Qubes-Whonix only!

Warning: Users are strongly encouraged to follow the instructions as they are written to avoid unforeseen consequences.[12]

On occasion, Qubes-Whonix users may want to copy the Tor state along with custom configuration options from an existing sys-whonix ProxyVM to another sys-whonix instance. For example, this is useful for testing later Whonix releases without aiding deanonymization attempts by advanced adversaries, ^[13] or creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.

Copy Tor State Files to Another sys-whonix Instance[edit]

The following instructions copy the Tor state from sys-whonix-old to sys-whonix-new.

1. In sys-whonix-new, stop Tor

sudo systemctl stop tor@default

2. In sys-whonix-new, remove the Tor state file.

Warning: Care is required when removing files so extra spaces are not added to the file path! As an example, if a space is accidentally placed before the asterisk in the command to remove the Tor state file, the removal of the / (root directory) and all system data would be the unfortunate consequence.

sudo su

sudo rm /var/lib/tor/*

3. In sys-whonix-old, stop Tor

sudo systemctl stop tor@default

4. In sys-whonix-old, copy the Tor state file across to sys-whonix-new

sudo qvm-copy /var/lib/tor sys-whonix-new

If the following error appears, it can be safely ignored (hit "OK" when prompted).

qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)

5. In sys-whonix-new, list the QubesIncoming directory to ensure the Tor state file was copied over successfully

ls ~/QubesIncoming/sys-whonix-old/tor

The output should include the files below.

  cached-certs cached-microdescs lock
  cached-microdesc-consensus cached-microdescs.new state

6. In sys-whonix-new, move the newly copied Tor state file to /var/lib/tor

sudo mv ~/QubesIncoming/sys-whonix-old/tor/* /var/lib/tor

7. In sys-whonix-new, change ownership of all files in the Tor state folder to debian-tor

sudo chown -R debian-tor:debian-tor /var/lib/tor

8. In sys-whonix-new, start Tor

sudo systemctl start tor@default

9. In sys-whonix-new, run whonixcheck to verify Tor is functioning properly^[14]

whonixcheck

Copy Tor Configuration Options (torrc) to Another sys-whonix[edit]

Note: Users may also migrate Whonix 13 torrc options to Whonix 14 based sys-whonix instances. To do this users must revise the instructions to use /usr/local/etc/torrc.d/50_user.conf as the destination for the torrc options in place of /etc/tor/torrc[15] For migration between Whonix 14 based sys-whonix VMs, use /usr/local/etc/torrc.d/50_user.conf as both the source and destination file for torrc options.[16]

Note: For Whonix 14 and later releases, all user unique Tor configurations (torrc) options should be stored in /usr/local/etc/torrc.d/50_user.conf and not anywhere else.

The following instructions copy the custom Tor configuration options (torrc) from sys-whonix-old to sys-whonix-new.

1. In sys-whonix-old, copy the torrc options across to sys-whonix-new

qvm-copy /etc/tor/torrc sys-whonix-new

If the following error appears, it can be safely ignored (hit "OK" when prompted).

 qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)

2. In sys-whonix-new, print the QubesIncoming directory to ensure the torrc options were copied over successfully

cat ~/QubesIncoming/sys-whonix-old/torrc

3. In sys-whonix-new, move the torrc options from the QubesIncoming directory to the torrc file

sudo mv ~/QubesIncoming/sys-whonix-old/torrc /etc/tor/torrc

4. In sys-whonix-new, change ownership of the Tor configuration file

sudo chown -R root:root /etc/tor

5. In sys-whonix-new, restart Tor so the newly copied torrc options take affect

sudo systemctl restart tor@default

6. In sys-whonix-new, run whonixcheck to verify Tor is functioning properly.^[17]

whonixcheck

Fresh Tor Entry Guards by Regenerating the Tor State File[edit]

The action is inadvisable unless the user is aware of the consequences; see Introduction.

The following instructions manually change a user's Tor entry guards. One use case for this action is before a user permanently relocates to a new area.

Complete the following steps on Whonix-Gateway (Qubes-Whonix: sys-whonix).

1. Disable Tor using the whonix-setup-wizard (safest option).

Start the whonix-setup-wizard.

sudo whonixsetup

Choose the Disable Tor option. Press next.

2. Delete Tor's state file.

sudo rm /var/lib/tor/state

3. Enable Tor using whonixsetup / whonix-setup-wizard at the new location.

Configure Non-Persistent Entry Guards[edit]

Some users may consider configuring non-persistent entry guards so they constantly change. In almost all cases this is inadvisable, because persistent entry guards are a critical security feature as explained in the introduction. A far more secure alternative is Alternating Bridges, although this requires a considerable time investment.

To proceed in spite of the warning, press on expand on the right.

Complete these steps in Whonix-Gateway (Qubes-Whonix: sys-whonix).

1. If using Whonix 12 or earlier, adjust whonixcheck settings.

Open /etc/whonix.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run.

[select code]

kdesudo kwrite /etc/whonix.d/50_user.conf

kdesudo kwrite /etc/whonix.d/50_user.conf

If you are using a terminal-only Whonix, run.

[select code]

sudo nano /etc/whonix.d/50_user.conf

sudo nano /etc/whonix.d/50_user.conf

Add.

[select code]

whonixcheck_skip_functions+=" check_tor_pid "

whonixcheck_skip_functions+=" check_tor_pid "

Save.

2. Disable Tor using the whonix-setup-wizard (safest option).

Start the whonix-setup-wizard.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> System -> Whonix Setup Wizard

If you are using a terminal-only Whonix-Gateway, complete the following steps.

[select code]

sudo whonixsetup

sudo whonixsetup

Choose the Disable Tor option. Press next.

3. Modify Tor settings.

For Whonix 14 and later releases, all unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf. Users should not edit /etc/tor/torrc directly.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps.

[select code]

sudo nano /etc/tor/torrc

sudo nano /etc/tor/torrc

Add.

[select code]

DataDirectory /var/run/tor

DataDirectory /var/run/tor

Save.

4. Enable Tor using whonixsetup / whonix-setup-wizard at the new location.

5. Before leaving this location, disable Tor and repeat the above steps if traveling to a different area. To revert to the usual guard nodes at home, remove the torrc setting before enabling the network, or rollback to a VM snapshot that was created there.

Notes[edit]

• The proposed Tails solutions towards AdvGoalTracking have disadvantages ^{[18] [19]} and are not suitable options for Whonix. The reason is Whonix does not connect directly to a user's internet LAN, so trying to remember a network based on its SSID will not work. Unlike wireless access points, physical or virtual wired networks lack SSIDs and cannot be "remembered" that way.

• Even if it were possible, it is best to avoid letting adversaries influence guard changes in any way. Spoofing MAC addresses or SSIDs would trigger the use of the alternate entry guard recorded for another "location profile". Global networks also have generic characteristics that cannot be differentiated from the point of view of a connecting device, resulting in the same guards being used on different networks.

• Developers/Auditors-only: The development discussion related to this documentation chapter: research non-persistent entry guards.

Blacklist Certain Onion Services from Connecting[edit]

This procedure is experimental. Testers only.

For Whonix 14 and later releases, all unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf. Users should not edit /etc/tor/torrc directly.

Open /etc/tor/torrc.

sudo nano /etc/tor/torrc

The following is an example onion service that is added to /etc/tor/torrc. Replace bbbbbb6qtmqg65g6.onion with the actual onion service that should be blacklisted.

MapAddress bbbbbb6qtmqg65g6.onion 127.0.0.1

Reload Tor.

sudo service tor@default reload

sudo service tor@default status

Active: active (running) since ...

sudo -u debian-tor tor --verify-config

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Additional SocksPorts[edit]

Adding additional Tor SocksPorts to /etc/tor/torrc is non-intuitive. ^[20]

As noted in the Tor man page (man tor):

By default, an option on the command line overrides an option found in the configuration file, and an option in a configuration file overrides one in the defaults file.

This rule is simple for options that take a single value, but it can become complicated for options that are allowed to occur more than once: if you specify four SOCKSPorts in your configuration file, and one more SOCKSPort on the command line, the option on the command line will replace all of the SOCKSPorts in the configuration file. If this is not what you want, prefix the option name with a plus sign, and it will be appended to the previous set of options instead.

Nick Mathewson from The Tor Project has also noted: ^[21]

So to make sure that the SocksPort in the torrc does what you want, write it as +SocksPort.

After adding custom ports, a user would also have to edit the Whonix firewall unless they were lucky. For example, various custom ports for such use cases have already been added. Those are documented here.

UDP[edit]

The Tor software does not yet support UDP, [22] although Tor provides a DnsPort. If UDP is urgently required in Whonix, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.

Reload Tor[edit]

Reload Tor.

sudo service tor@default reload

sudo service tor@default status

Active: active (running) since ...

sudo -u debian-tor tor --verify-config

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Restart Tor[edit]

Restart Tor.

sudo service tor@default Restart

sudo service tor@default status

Active: active (running) since ...

sudo -u debian-tor tor --verify-config

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Disable Tor[edit]

Disable Tor using the whonix-setup-wizard (safest option).

Start the whonix-setup-wizard.

sudo whonixsetup

Choose the Disable Tor option. Press next.

Footnotes / References[edit]

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)