Connecting to Tor before a Proxy

From Whonix

Balloon-936780640.jpg

UserTorProxyInternet

Introduction[edit]

Ambox warning pn.svg.png Before combining Tor with other tunnels, be sure to read and understand the risks!

Ambox notice.png Advertisement:
Too difficult to set up? Provider specific automation can be created for you by the lead developer of Whonix ™. Send reasonable price suggestions. Get in contact.

Proxy Warning[edit]

Whonix ™ first time users warning Warning! Take careful note of the following issues when using standard, common http(s)/SOCKS4(a)/5 proxies -- anonymizers that only use http(s)/SOCKS4(a)/5 as an interface [1] are exempt.

  • Most problems with these proxies are not caused by Whonix ™.
  • Tor exit relays and their ISPs can still monitor your connection to its destination.
  • Be especially careful with http(s) proxies. Some of them send the X-Forwarded-For header which discloses the IP address. http(s) proxies that do not send this header are sometimes called "elite" or "anonymous" proxies.
  • When using X-Forwarded-For http(s) proxies, destination servers can determine the IP of your Tor exit relay.

For further detailed information on proxies, see: Tor vs. Proxies, Proxy Chains.

Generally[edit]

There are three different methods to connect to Tor before a proxy.

Table: Post-Tor Proxy Connection Methods

Proxy Settings Method Proxifier Method Transparent Proxying Method
Application requires no support for proxy settings No Yes Yes
Likelihood of leaks [2] going user → Tor → Internet Depends [3] Depends [4] Lower [5]
DNS can be resolved by the same proxy Yes Yes Needs extra DNS resolver [6]
Per application configuration required Yes Yes No
System wide configuration No No Yes
Proxy chains possible No Yes, but see footnote

[7]

No [8]
Setup difficulty Different per application Always very similar Initial setup difficult

Proxy Settings Method[edit]

Introduction[edit]

You could use an application's native proxy settings to configure applications in Whonix ™ to use an extra proxy. This of course supposes, that the application has proxy settings. After understanding Whonix ™ default stream isolation configuration, there is no difference from using proxy settings in an ordinary way, other than that it is running inside Whonix-Workstation ™. If proxy settings are honored by an application or not is another question and out of scope, see TorifyHOWTO. There is a list of applications that come pre-configured with Whonix ™ for Stream Isolation. If you plan on changing the proxy settings of any of those, you must read the notes below.

Ambox warning pn.svg.png

  • Apply the following steps to avoid unexpected results such as broken connectivity and/or traffic bypassing the tunnel-link and only going through Tor.
  • Qubes-Whonix ™ exception: There is one tunnel configuration where Qubes-Whonix ™ users are better placed. When a separate tunnel-link VM is used between anon-whonix and sys-whonix (anon-whonixTunnel-linksys-whonix), these connections will fail without the following modifications.

Tor Browser Notes[edit]

Complete the following steps inside Whonix-Workstation ™ (anon-whonix).

1. Launch Tor Browser.

2. And enter about:config into the URL bar and press enter.

3. Change the following settings.

4. Set extensions.torbutton.use_nontor_proxy to true.

5. Set network.proxy.no_proxies_on to 0.

6. Proxy specific settings.

Depending on using a HTTP, HTTPS or SOCKS proxy.

A) HTTP proxy

If a HTTP proxy is being used, modify address and port number to the following strings.

  • network.proxy.http
  • network.proxy.http_port

B) HTTPS proxy

If a HTTPS proxy is being used, modify the following strings instead.

  • network.proxy.ssl
  • network.proxy.ssl_port

C) SOCKS proxy

This process can be repeated with socks proxies, but it is redundant and does not provide any advantage over the former types. The reason is because only Tor Browser is modified and no other programs are being tunneled through it.

  • Set network.proxy.socks to the IP of proxy server.
  • Set network.proxy.socks_port to the port number of the proxy server.
  • Set network.proxy.socks_remote_dns to
    • false - if the proxy server does not support resolving DNS. In this case, DNS will go through Tor exit nodes thanks to Whonix ™, or
    • true - if the proxy server does resolving DNS which is better.
  • Set network.proxy.socks_version to either 4 or 5 depending on the version of the proxy server.

7. Done.

Tor Browser proxy configuration has been completed.

Misc Application Notes[edit]

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this the Whonix ™ system default must be removed from the application's settings.

TODO: document and expand.

Remove proxy settings for APT repository files.

1. Platform specific notice:

2. If you previously onionized any repositories, that has to be undone; see Onionizing Repositories.

3. Remove any mention of tor+ in file /etc/apt/sources.list (if it was previously configured; that file is empty by default in Whonix ™ / Kicksecure) or any file in folder /etc/apt/sources.list.d.

4. Open file /etc/apt/sources.list /etc/apt/sources.list.d/* in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

5. Remove any mention of tor+.

6. Done.

The process of removing proxy settings from APT repository files is now complete.

Remove proxy settings for Tor Browser Downloader by Whonix ™.

1. Platform specific notice:

2. Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

3. Paste. [10] [11]

TB_NO_TOR_CON_CHECK=1 CURL_PROXY="--fail"

4. Save and exit.

5. Done.

Proxy settings have been removed from Tor Browser Downloader by Whonix ™.

For some applications, this is impossible:

These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. Therefore you can only deactivate sdwdate and/or not use applications like OnionShare and Ricochet IM.

uwt wrapped application notes[edit]

Whonix ™ ships a list of applications pre-configured for using uwt wrappers by default. If the application you want to tunnel through the extra tunnel-link is on that list, it would conflict with your custom proxy settings. In that case, you need to disable that uwt wrapper first.

On the Stream Isolation page, there is a list of applications that are pre-configured to use uwt wrappers. Follow the instructions below in order to disable this.

The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt-wrapped applications system-wide. Consequently, all uwt-wrapped applications revert to the default system networking configuration.

For more granular control of uwt wrapper deactivation, see: Deactivate uwt Stream Isolation Wrapper.

1. Platform specific notice:

2. Open file /etc/uwt.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/uwt.d/50_user.conf

3. Add.

uwtwrapper_global="0"

4. Save and exit.

5. Done.


Proxyfier Method[edit]

General[edit]

After understanding Whonix ™ default stream isolation configuration, there is no difference from using a Proxyfier in an ordinary way, other than that it is running inside Whonix-Workstation ™. There is a list of applications that come pre-configured with Whonix ™ for Stream Isolation. If you plan on changing the proxy settings of any of those, you must read the notes below.

If the Proxifier is leak free or in worst case leaks through Tor alone (thanks to Whonix ™), is another question and not in Whonix ™ power, see TorifyHOWTO.

Ambox warning pn.svg.png

  • Apply the following steps to avoid unexpected results such as broken connectivity and/or traffic bypassing the tunnel-link and only going through Tor.
  • Qubes-Whonix ™ exception: There is one tunnel configuration where Qubes-Whonix ™ users are better placed. When a separate tunnel-link VM is used between anon-whonix and sys-whonix (anon-whonixTunnel-linksys-whonix), these connections will fail without the following modifications.

Tor Browser Notes[edit]

Ambox warning pn.svg.png There is currently no tested, known to work solution for using Tor Browser with the #Proxyfier Method. This is not a Whonix ™ issue but rather an issue with socksifier software and Tor Browser. This would also happen if Whonix ™ was not involved. (For a basic architectural explanation, see Free Support Principle.) Figuring this out is up to you. Please contribute. Alternatively try #Proxy Settings Method.

Introduction

This configuration results in Tor Browser no longer using proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside Whonix-Workstation ™ that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [13] [14]

Note: This action will break both Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and leads to pseudonymous (not anonymous) connections. To mitigate these risks, consider using More than one Tor Browser in Whonix ™, or preferably Multiple Whonix-Workstation ™.

Local socks proxy Method

Since other methods to configure Tor Browser to use system default networking are broken due to Tor Browser changes by upstream, this new local socks proxy method stops anon-ws-disable-stacked-tor local port 9150 redirection to Whonix-Gateway ™ 9150 (where a Tor SocksPort is listening). As a replacement, a local socks proxy listens on Whonix-Workstation ™ local port 9150 which then forwards the traffic using system default networking. In result, if the user is using a VPN inside Whonix-Workstation ™ or in a VPN-Gateway wretched between Whonix-Gateway ™ and Whonix-Workstation ™, Tor Browser would use the VPN.

In this documentation, Dante is used as a local socks proxy. Development notes are kept on Dev/Dante.

1. Legacy notices.

  • New users, that did not apply instructions from this page again: No special notice.
  • Existing users: See below.

A few settings need to be undone.

  • A) Previous changes to /etc/environment as documented previously for other methods need to be undone.
  • B) Tor Browser needs to be re-installed. This is because undoing the previous configuration is difficult and undocumented.

2. Stop default anon-ws-disable-stacked-tor service for port 9150.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

3. Prevent default anon-ws-disable-stacked-tor systemd unit from starting.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

4. Install the local socks proxy server.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

A) Add Debian source repository.

Open file /etc/apt/sources.list.d/debian-src.list in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian-src.list

Paste.

deb-src https://deb.debian.org/debian bullseye main contrib non-free

Save and exit.

sudo apt update

B) Install build dependencies.

sudo apt build-dep dante-server

C) Get dante source code.

apt-get source dante-server

D) Open the dante accesscheck.c source file.

mousepad ~/dante-1.4.2+dfsg/sockd/accesscheck.c

Paste the contents.

/* * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006, 2008, * 2009, 2010, 2011, 2012, 2013 * Inferno Nettverk A/S, Norway. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. The above copyright notice, this list of conditions and the following * disclaimer must appear in all copies of the software, derivative works * or modified versions, and any portions thereof, aswell as in all * supporting documentation. * 2. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by * Inferno Nettverk A/S, Norway. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * Inferno Nettverk A/S requests users of this software to return to * * Software Distribution Coordinator or sdc@inet.no * Inferno Nettverk A/S * Oslo Research Park * Gaustadalléen 21 * NO-0349 Oslo * Norway * * any improvements or extensions that they make and grant Inferno Nettverk A/S * the rights to redistribute these changes. * */ #include "common.h" static const char rcsid[] = "$Id: accesscheck.c,v 1.89 2013/10/27 15:24:42 karls Exp $"; int usermatch(auth, userlist) const authmethod_t *auth; const linkedname_t *userlist; { /* const char *function = "usermatch()"; */ const char *name; if ((name = authname(auth)) == NULL) return 0; /* no username, no match. */ do if (strcmp(name, userlist->name) == 0) break; while ((userlist = userlist->next) != NULL); if (userlist == NULL) return 0; /* no match. */ return 1; } int groupmatch(auth, grouplist) const authmethod_t *auth; const linkedname_t *grouplist; { const char *function = "groupmatch()"; const char *username; struct passwd *pw; struct group *groupent; SASSERTX(grouplist != NULL); if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ /* * First check the primary group of the user against grouplist. * If the groupname given there matches, we don't need to go through * all users in the list of group. */ if ((pw = getpwnam(username)) != NULL && (groupent = getgrgid(pw->pw_gid)) != NULL) { const linkedname_t *listent = grouplist; do if (strcmp(groupent->gr_name, listent->name) == 0) return 1; while ((listent = listent->next) != NULL); } else { if (pw == NULL) slog(LOG_DEBUG, "%s: unknown username \"%s\"", function, username); else if (groupent == NULL) slog(LOG_DEBUG, "%s: unknown primary groupid %ld", function, (long)pw->pw_gid); } /* * Go through grouplist, matching username against each groupmember of * all the groups in grouplist. */ do { char **groupname; if ((groupent = getgrnam(grouplist->name)) == NULL) { swarn("%s: unknown groupname \"%s\"", function, grouplist->name); continue; } groupname = groupent->gr_mem; while (*groupname != NULL) { if (strcmp(username, *groupname) == 0) return 1; /* match. */ ++groupname; } } while ((grouplist = grouplist->next) != NULL); return 0; } #if HAVE_LDAP int ldapgroupmatch(auth, rule) const authmethod_t *auth; const rule_t *rule; { const char *function = "ldapgroupmatch()"; const linkedname_t *grouplist; const char *username; char *userdomain, *groupdomain; int retval; if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ #if !HAVE_GSSAPI if (!rule->state.ldap.ldapurl) SERRX(rule->state.ldap.ldapurl != NULL); #endif /* !HAVE_GSSAPI */ if ((userdomain = strchr(username, '@')) != NULL) ++userdomain; if (userdomain == NULL && *rule->state.ldap.domain == NUL && rule->state.ldap.ldapurl == NULL) { slog(LOG_DEBUG, "%s: cannot check ldap group membership for user %s: " "user has no domain postfix and no ldap url is defined", function, username); return 0; } if ((retval = ldap_user_is_cached(username)) >= 0) return retval; /* go through grouplist, matching username against members of each group. */ grouplist = rule->ldapgroup; do { char groupname[MAXNAMELEN]; slog(LOG_DEBUG, "%s: checking if user %s is member of ldap group %s", function, username, grouplist->name); STRCPY_ASSERTLEN(groupname, grouplist->name); if ((groupdomain = strchr(groupname, '@')) != NULL) { *groupdomain = NUL; /* separates groupname from groupdomain. */ ++groupdomain; } if (groupdomain != NULL && userdomain != NULL) { if (strcmp(groupdomain, userdomain) != 0 && strcmp(groupdomain, "") != 0) { slog(LOG_DEBUG, "%s: userdomain \"%s\" does not match groupdomain " "\"%s\" and groupdomain is not default domain. " "Trying next entry", function, userdomain, groupdomain); continue; } } if (ldapgroupmatches(username, userdomain, groupname, groupdomain, rule)){ cache_ldap_user(username, 1); return 1; } } while ((grouplist = grouplist->next) != NULL); cache_ldap_user(username, 0); return 0; } #endif /* HAVE_LDAP */ int accesscheck(s, auth, src, dst, emsg, emsgsize) int s; authmethod_t *auth; const struct sockaddr_storage *src, *dst; char *emsg; size_t emsgsize; { int match, authresultisfixed; match = 1; /* * HACK-FORK-EDIT-OK */ return match; }

E) Change directory into the dante source code folder.

pushd dante-1.4.2+dfsg

F) Build the Debian package.

dpkg-buildpackage -b --no-sign

E) Change directory back to the home folder.

popd

F) Install the modified dante package.

sudo dpkg -i dante-server_1.4.2+dfsg-7_amd64.deb

5. Open file /etc/danted.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/danted.conf

6. Local socks proxy configuration.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Delete all contents from the file and replace it with the following configuration.

debug: 1 logoutput: stderr internal: 127.0.0.1 port = 9150 external: eth0 socksmethod: none username clientmethod: none user.privileged: root user.notprivileged: root user.libwrap: root client pass { from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0 log: connect disconnect error } socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 command: bind connect udpassociate log: error connect disconnect iooperation }

7. Restart the local socks proxy.

This is to apply the changed configuration and to test if the configuration is valid.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl restart danted.service

8. tb-starter Configuration

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Stop Tor from using unix domain socket files for socks so it uses socks on IP 127.0.0.1 port 9150 instead.

Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

Paste.

unset TOR_SOCKS_IPC_PATH

Save and exit.

9. Platform specific notice:

  • Non-Qubes-Whonix: No special notice required.
  • Qubes-Whonix: Shutdown Template. Once done, restart App Qube.

10. Start Tor Browser.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In Whonix-Workstation ™ App Qube.

torbrowser

Tor Browser should now be using system default networking thanks to the local socks proxy.

No additional configuration of Tor Browser is required.

11. Done.

For older methods, which might be broken due to Tor Browser changes by upstream, please press on Expand on the right.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the simplest is the /etc/environment Method.

Note: Choose only one method to enable transparent torification.

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [15]

1. Platform specific notice.

2. Open file /etc/environment in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/environment

3. Add the following line.

TOR_TRANSPROXY=1 ## newline at the end

4. Save and exit.

5. Reboot.

Reboot is required to make changes to configuration file /etc/environment take effect.

6. Done.

/etc/environment method configuration has been completed.

Tor Browser Settings Changes

This step is required since Tor Browser 10. [16]

1. Platform specific notice.

2. Tor Browser → URL bar → Type: about:config → Press Enter key. → search for and modify

3. network.dns.disabled → set to false

4. extensions.torbutton.launch_warning → set to false

Undo

Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Command Line Method

1. Platform specific notice:

2. Navigate to the Tor Browser folder.

cd ~/.tb/tor-browser

3. Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

4. Done.

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

1. Platform specific notice:

2. Find and open start-tor-browser in the Tor Browser folder with an editor.

This is most likely found in ~/.tb/tor-browser/Browser/start-tor-browser below #!/usr/bin/env bash.

3. Set.

export TOR_TRANSPROXY=1

4. Done.

start-tor-browser Method configuration has been completed.

Ignore Tor Button's Open Network Settings

Whonix ™ has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [17]


Misc Application Notes[edit]

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this the Whonix ™ system default must be removed from the application's settings.

TODO: document and expand.

Remove proxy settings for APT repository files.

1. Platform specific notice:

2. If you previously onionized any repositories, that has to be undone; see Onionizing Repositories.

3. Remove any mention of tor+ in file /etc/apt/sources.list (if it was previously configured; that file is empty by default in Whonix ™ / Kicksecure) or any file in folder /etc/apt/sources.list.d.

4. Open file /etc/apt/sources.list /etc/apt/sources.list.d/* in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

5. Remove any mention of tor+.

6. Done.

The process of removing proxy settings from APT repository files is now complete.

Remove proxy settings for Tor Browser Downloader by Whonix ™.

1. Platform specific notice:

2. Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

3. Paste. [18] [19]

TB_NO_TOR_CON_CHECK=1 CURL_PROXY="--fail"

4. Save and exit.

5. Done.

Proxy settings have been removed from Tor Browser Downloader by Whonix ™.

For some applications, this is impossible:

These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. Therefore you can only deactivate sdwdate and/or not use applications like OnionShare and Ricochet IM.

uwt wrapped application notes[edit]

Whonix ™ ships a list of applications pre-configured for using uwt wrappers by default. If the application you want to tunnel through the extra tunnel-link is on that list, it would conflict with your custom proxy settings. In that case, you need to disable that uwt wrapper first.

On the Stream Isolation page, there is a list of applications that are pre-configured to use uwt wrappers. Follow the instructions below in order to disable this.

The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt-wrapped applications system-wide. Consequently, all uwt-wrapped applications revert to the default system networking configuration.

For more granular control of uwt wrapper deactivation, see: Deactivate uwt Stream Isolation Wrapper.

1. Platform specific notice:

2. Open file /etc/uwt.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/uwt.d/50_user.conf

3. Add.

uwtwrapper_global="0"

4. Save and exit.

5. Done.

uwt[edit]

Introduction[edit]

uwt uses torsocks. While the name torsocks implies it is Tor specific, it is not. You can point it to any socks proxy.

uwt wrapped application example[edit]

uwt -t 5 -i 10.152.152.10 -p 9153 /usr/bin/wget.anondist-orig -c https://check.torproject.org

regular application example[edit]

Requires deactivated wget uwt wrapper!

uwt -t 5 -i 10.152.152.10 -p 9156 /usr/bin/wget -c https://check.torproject.org

[20] [21] [22]

Tor Browser Example[edit]

(Untested! Please leave feedback if it worked for you!)

First, you must remove Tor Browser proxy settings before you can combine it with a proxifier.

Introduction

This configuration results in Tor Browser no longer using proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside Whonix-Workstation ™ that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [23] [24]

Note: This action will break both Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and leads to pseudonymous (not anonymous) connections. To mitigate these risks, consider using More than one Tor Browser in Whonix ™, or preferably Multiple Whonix-Workstation ™.

Local socks proxy Method

Since other methods to configure Tor Browser to use system default networking are broken due to Tor Browser changes by upstream, this new local socks proxy method stops anon-ws-disable-stacked-tor local port 9150 redirection to Whonix-Gateway ™ 9150 (where a Tor SocksPort is listening). As a replacement, a local socks proxy listens on Whonix-Workstation ™ local port 9150 which then forwards the traffic using system default networking. In result, if the user is using a VPN inside Whonix-Workstation ™ or in a VPN-Gateway wretched between Whonix-Gateway ™ and Whonix-Workstation ™, Tor Browser would use the VPN.

In this documentation, Dante is used as a local socks proxy. Development notes are kept on Dev/Dante.

1. Legacy notices.

  • New users, that did not apply instructions from this page again: No special notice.
  • Existing users: See below.

A few settings need to be undone.

  • A) Previous changes to /etc/environment as documented previously for other methods need to be undone.
  • B) Tor Browser needs to be re-installed. This is because undoing the previous configuration is difficult and undocumented.

2. Stop default anon-ws-disable-stacked-tor service for port 9150.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

3. Prevent default anon-ws-disable-stacked-tor systemd unit from starting.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

4. Install the local socks proxy server.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

A) Add Debian source repository.

Open file /etc/apt/sources.list.d/debian-src.list in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian-src.list

Paste.

deb-src https://deb.debian.org/debian bullseye main contrib non-free

Save and exit.

sudo apt update

B) Install build dependencies.

sudo apt build-dep dante-server

C) Get dante source code.

apt-get source dante-server

D) Open the dante accesscheck.c source file.

mousepad ~/dante-1.4.2+dfsg/sockd/accesscheck.c

Paste the contents.

/* * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006, 2008, * 2009, 2010, 2011, 2012, 2013 * Inferno Nettverk A/S, Norway. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. The above copyright notice, this list of conditions and the following * disclaimer must appear in all copies of the software, derivative works * or modified versions, and any portions thereof, aswell as in all * supporting documentation. * 2. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by * Inferno Nettverk A/S, Norway. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * Inferno Nettverk A/S requests users of this software to return to * * Software Distribution Coordinator or sdc@inet.no * Inferno Nettverk A/S * Oslo Research Park * Gaustadalléen 21 * NO-0349 Oslo * Norway * * any improvements or extensions that they make and grant Inferno Nettverk A/S * the rights to redistribute these changes. * */ #include "common.h" static const char rcsid[] = "$Id: accesscheck.c,v 1.89 2013/10/27 15:24:42 karls Exp $"; int usermatch(auth, userlist) const authmethod_t *auth; const linkedname_t *userlist; { /* const char *function = "usermatch()"; */ const char *name; if ((name = authname(auth)) == NULL) return 0; /* no username, no match. */ do if (strcmp(name, userlist->name) == 0) break; while ((userlist = userlist->next) != NULL); if (userlist == NULL) return 0; /* no match. */ return 1; } int groupmatch(auth, grouplist) const authmethod_t *auth; const linkedname_t *grouplist; { const char *function = "groupmatch()"; const char *username; struct passwd *pw; struct group *groupent; SASSERTX(grouplist != NULL); if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ /* * First check the primary group of the user against grouplist. * If the groupname given there matches, we don't need to go through * all users in the list of group. */ if ((pw = getpwnam(username)) != NULL && (groupent = getgrgid(pw->pw_gid)) != NULL) { const linkedname_t *listent = grouplist; do if (strcmp(groupent->gr_name, listent->name) == 0) return 1; while ((listent = listent->next) != NULL); } else { if (pw == NULL) slog(LOG_DEBUG, "%s: unknown username \"%s\"", function, username); else if (groupent == NULL) slog(LOG_DEBUG, "%s: unknown primary groupid %ld", function, (long)pw->pw_gid); } /* * Go through grouplist, matching username against each groupmember of * all the groups in grouplist. */ do { char **groupname; if ((groupent = getgrnam(grouplist->name)) == NULL) { swarn("%s: unknown groupname \"%s\"", function, grouplist->name); continue; } groupname = groupent->gr_mem; while (*groupname != NULL) { if (strcmp(username, *groupname) == 0) return 1; /* match. */ ++groupname; } } while ((grouplist = grouplist->next) != NULL); return 0; } #if HAVE_LDAP int ldapgroupmatch(auth, rule) const authmethod_t *auth; const rule_t *rule; { const char *function = "ldapgroupmatch()"; const linkedname_t *grouplist; const char *username; char *userdomain, *groupdomain; int retval; if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ #if !HAVE_GSSAPI if (!rule->state.ldap.ldapurl) SERRX(rule->state.ldap.ldapurl != NULL); #endif /* !HAVE_GSSAPI */ if ((userdomain = strchr(username, '@')) != NULL) ++userdomain; if (userdomain == NULL && *rule->state.ldap.domain == NUL && rule->state.ldap.ldapurl == NULL) { slog(LOG_DEBUG, "%s: cannot check ldap group membership for user %s: " "user has no domain postfix and no ldap url is defined", function, username); return 0; } if ((retval = ldap_user_is_cached(username)) >= 0) return retval; /* go through grouplist, matching username against members of each group. */ grouplist = rule->ldapgroup; do { char groupname[MAXNAMELEN]; slog(LOG_DEBUG, "%s: checking if user %s is member of ldap group %s", function, username, grouplist->name); STRCPY_ASSERTLEN(groupname, grouplist->name); if ((groupdomain = strchr(groupname, '@')) != NULL) { *groupdomain = NUL; /* separates groupname from groupdomain. */ ++groupdomain; } if (groupdomain != NULL && userdomain != NULL) { if (strcmp(groupdomain, userdomain) != 0 && strcmp(groupdomain, "") != 0) { slog(LOG_DEBUG, "%s: userdomain \"%s\" does not match groupdomain " "\"%s\" and groupdomain is not default domain. " "Trying next entry", function, userdomain, groupdomain); continue; } } if (ldapgroupmatches(username, userdomain, groupname, groupdomain, rule)){ cache_ldap_user(username, 1); return 1; } } while ((grouplist = grouplist->next) != NULL); cache_ldap_user(username, 0); return 0; } #endif /* HAVE_LDAP */ int accesscheck(s, auth, src, dst, emsg, emsgsize) int s; authmethod_t *auth; const struct sockaddr_storage *src, *dst; char *emsg; size_t emsgsize; { int match, authresultisfixed; match = 1; /* * HACK-FORK-EDIT-OK */ return match; }

E) Change directory into the dante source code folder.

pushd dante-1.4.2+dfsg

F) Build the Debian package.

dpkg-buildpackage -b --no-sign

E) Change directory back to the home folder.

popd

F) Install the modified dante package.

sudo dpkg -i dante-server_1.4.2+dfsg-7_amd64.deb

5. Open file /etc/danted.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/danted.conf

6. Local socks proxy configuration.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Delete all contents from the file and replace it with the following configuration.

debug: 1 logoutput: stderr internal: 127.0.0.1 port = 9150 external: eth0 socksmethod: none username clientmethod: none user.privileged: root user.notprivileged: root user.libwrap: root client pass { from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0 log: connect disconnect error } socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 command: bind connect udpassociate log: error connect disconnect iooperation }

7. Restart the local socks proxy.

This is to apply the changed configuration and to test if the configuration is valid.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl restart danted.service

8. tb-starter Configuration

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Stop Tor from using unix domain socket files for socks so it uses socks on IP 127.0.0.1 port 9150 instead.

Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

Paste.

unset TOR_SOCKS_IPC_PATH

Save and exit.

9. Platform specific notice:

  • Non-Qubes-Whonix: No special notice required.
  • Qubes-Whonix: Shutdown Template. Once done, restart App Qube.

10. Start Tor Browser.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In Whonix-Workstation ™ App Qube.

torbrowser

Tor Browser should now be using system default networking thanks to the local socks proxy.

No additional configuration of Tor Browser is required.

11. Done.

For older methods, which might be broken due to Tor Browser changes by upstream, please press on Expand on the right.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the simplest is the /etc/environment Method.

Note: Choose only one method to enable transparent torification.

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [25]

1. Platform specific notice.

2. Open file /etc/environment in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/environment

3. Add the following line.

TOR_TRANSPROXY=1 ## newline at the end

4. Save and exit.

5. Reboot.

Reboot is required to make changes to configuration file /etc/environment take effect.

6. Done.

/etc/environment method configuration has been completed.

Tor Browser Settings Changes

This step is required since Tor Browser 10. [26]

1. Platform specific notice.

2. Tor Browser → URL bar → Type: about:config → Press Enter key. → search for and modify

3. network.dns.disabled → set to false

4. extensions.torbutton.launch_warning → set to false

Undo

Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Command Line Method

1. Platform specific notice:

2. Navigate to the Tor Browser folder.

cd ~/.tb/tor-browser

3. Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

4. Done.

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

1. Platform specific notice:

2. Find and open start-tor-browser in the Tor Browser folder with an editor.

This is most likely found in ~/.tb/tor-browser/Browser/start-tor-browser below #!/usr/bin/env bash.

3. Set.

export TOR_TRANSPROXY=1

4. Done.

start-tor-browser Method configuration has been completed.

Ignore Tor Button's Open Network Settings

Whonix ™ has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [27]


Then try this command. (Untested! Please leave feedback if it worked for you!)

uwt -t 5 -i 10.152.152.10 -p 9153 ~/.tb/tor-browser/App/Firefox/firefox --profile ~/.tb/tor-browser/Data/profile

[28]

proxychains[edit]

Warnings[edit]

  • We don't know how well proxychains works. For example torsocks has a IPv6 leak bug[29]. We don't know if proxychains forces everything through the proxies. Whonix ™ only ensures, should their be leaks, they go only through Tor.
  • There are at least three different versions of proxychains. The old/original/unmaintained version on sourceforge.net and two forks on github. We don't know about that status of any of them and haven't heard of anyone looking if they do really work as expected. The two authors argue with each other and we weren't motivated to understand the conflict and to determine which version is better. However, any leaks not going through the proxy(chain) will go through Tor.

Setup[edit]

Install proxychains.

sudo apt install proxychains

Open proxychains configuration file.

Open file /etc/proxychains.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/proxychains.conf

Go to the bottom of the settings file. Comment out "socks4 127.0.0.1 9050" and add for example "socks5 10.152.152.10 9152" (for Tor stream isolation) or "socks5 ip port" with an IP and port of your choice to set the proxy settings.

[ProxyList]
## add proxy here ...
## meanwhile
## defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 10.152.152.10 9152
# socks5 x.x.x.x xxxx

[30]

Save the configuration file. Test afterwards.

example uwt wrapped application[edit]

proxychains /usr/bin/wget.anondist-orig https://check.torproject.org

[31]

example regular application[edit]

Requires deactivated wget uwt wrapper!

proxychains /usr/bin/wget https://check.torproject.org

Tor Browser example[edit]

The combination of proxychains and Tor Browser does currently not work. Someone needs to Contribute by figuring this out. Otherwise this will not be possible for a very long time. See forum discussion.

First, you must remove Tor Browser proxy settings before you can combine it with a proxifier.

Introduction

This configuration results in Tor Browser no longer using proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside Whonix-Workstation ™ that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [32] [33]

Note: This action will break both Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and leads to pseudonymous (not anonymous) connections. To mitigate these risks, consider using More than one Tor Browser in Whonix ™, or preferably Multiple Whonix-Workstation ™.

Local socks proxy Method

Since other methods to configure Tor Browser to use system default networking are broken due to Tor Browser changes by upstream, this new local socks proxy method stops anon-ws-disable-stacked-tor local port 9150 redirection to Whonix-Gateway ™ 9150 (where a Tor SocksPort is listening). As a replacement, a local socks proxy listens on Whonix-Workstation ™ local port 9150 which then forwards the traffic using system default networking. In result, if the user is using a VPN inside Whonix-Workstation ™ or in a VPN-Gateway wretched between Whonix-Gateway ™ and Whonix-Workstation ™, Tor Browser would use the VPN.

In this documentation, Dante is used as a local socks proxy. Development notes are kept on Dev/Dante.

1. Legacy notices.

  • New users, that did not apply instructions from this page again: No special notice.
  • Existing users: See below.

A few settings need to be undone.

  • A) Previous changes to /etc/environment as documented previously for other methods need to be undone.
  • B) Tor Browser needs to be re-installed. This is because undoing the previous configuration is difficult and undocumented.

2. Stop default anon-ws-disable-stacked-tor service for port 9150.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

3. Prevent default anon-ws-disable-stacked-tor systemd unit from starting.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

4. Install the local socks proxy server.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

A) Add Debian source repository.

Open file /etc/apt/sources.list.d/debian-src.list in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian-src.list

Paste.

deb-src https://deb.debian.org/debian bullseye main contrib non-free

Save and exit.

sudo apt update

B) Install build dependencies.

sudo apt build-dep dante-server

C) Get dante source code.

apt-get source dante-server

D) Open the dante accesscheck.c source file.

mousepad ~/dante-1.4.2+dfsg/sockd/accesscheck.c

Paste the contents.

/* * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006, 2008, * 2009, 2010, 2011, 2012, 2013 * Inferno Nettverk A/S, Norway. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. The above copyright notice, this list of conditions and the following * disclaimer must appear in all copies of the software, derivative works * or modified versions, and any portions thereof, aswell as in all * supporting documentation. * 2. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by * Inferno Nettverk A/S, Norway. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * Inferno Nettverk A/S requests users of this software to return to * * Software Distribution Coordinator or sdc@inet.no * Inferno Nettverk A/S * Oslo Research Park * Gaustadalléen 21 * NO-0349 Oslo * Norway * * any improvements or extensions that they make and grant Inferno Nettverk A/S * the rights to redistribute these changes. * */ #include "common.h" static const char rcsid[] = "$Id: accesscheck.c,v 1.89 2013/10/27 15:24:42 karls Exp $"; int usermatch(auth, userlist) const authmethod_t *auth; const linkedname_t *userlist; { /* const char *function = "usermatch()"; */ const char *name; if ((name = authname(auth)) == NULL) return 0; /* no username, no match. */ do if (strcmp(name, userlist->name) == 0) break; while ((userlist = userlist->next) != NULL); if (userlist == NULL) return 0; /* no match. */ return 1; } int groupmatch(auth, grouplist) const authmethod_t *auth; const linkedname_t *grouplist; { const char *function = "groupmatch()"; const char *username; struct passwd *pw; struct group *groupent; SASSERTX(grouplist != NULL); if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ /* * First check the primary group of the user against grouplist. * If the groupname given there matches, we don't need to go through * all users in the list of group. */ if ((pw = getpwnam(username)) != NULL && (groupent = getgrgid(pw->pw_gid)) != NULL) { const linkedname_t *listent = grouplist; do if (strcmp(groupent->gr_name, listent->name) == 0) return 1; while ((listent = listent->next) != NULL); } else { if (pw == NULL) slog(LOG_DEBUG, "%s: unknown username \"%s\"", function, username); else if (groupent == NULL) slog(LOG_DEBUG, "%s: unknown primary groupid %ld", function, (long)pw->pw_gid); } /* * Go through grouplist, matching username against each groupmember of * all the groups in grouplist. */ do { char **groupname; if ((groupent = getgrnam(grouplist->name)) == NULL) { swarn("%s: unknown groupname \"%s\"", function, grouplist->name); continue; } groupname = groupent->gr_mem; while (*groupname != NULL) { if (strcmp(username, *groupname) == 0) return 1; /* match. */ ++groupname; } } while ((grouplist = grouplist->next) != NULL); return 0; } #if HAVE_LDAP int ldapgroupmatch(auth, rule) const authmethod_t *auth; const rule_t *rule; { const char *function = "ldapgroupmatch()"; const linkedname_t *grouplist; const char *username; char *userdomain, *groupdomain; int retval; if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ #if !HAVE_GSSAPI if (!rule->state.ldap.ldapurl) SERRX(rule->state.ldap.ldapurl != NULL); #endif /* !HAVE_GSSAPI */ if ((userdomain = strchr(username, '@')) != NULL) ++userdomain; if (userdomain == NULL && *rule->state.ldap.domain == NUL && rule->state.ldap.ldapurl == NULL) { slog(LOG_DEBUG, "%s: cannot check ldap group membership for user %s: " "user has no domain postfix and no ldap url is defined", function, username); return 0; } if ((retval = ldap_user_is_cached(username)) >= 0) return retval; /* go through grouplist, matching username against members of each group. */ grouplist = rule->ldapgroup; do { char groupname[MAXNAMELEN]; slog(LOG_DEBUG, "%s: checking if user %s is member of ldap group %s", function, username, grouplist->name); STRCPY_ASSERTLEN(groupname, grouplist->name); if ((groupdomain = strchr(groupname, '@')) != NULL) { *groupdomain = NUL; /* separates groupname from groupdomain. */ ++groupdomain; } if (groupdomain != NULL && userdomain != NULL) { if (strcmp(groupdomain, userdomain) != 0 && strcmp(groupdomain, "") != 0) { slog(LOG_DEBUG, "%s: userdomain \"%s\" does not match groupdomain " "\"%s\" and groupdomain is not default domain. " "Trying next entry", function, userdomain, groupdomain); continue; } } if (ldapgroupmatches(username, userdomain, groupname, groupdomain, rule)){ cache_ldap_user(username, 1); return 1; } } while ((grouplist = grouplist->next) != NULL); cache_ldap_user(username, 0); return 0; } #endif /* HAVE_LDAP */ int accesscheck(s, auth, src, dst, emsg, emsgsize) int s; authmethod_t *auth; const struct sockaddr_storage *src, *dst; char *emsg; size_t emsgsize; { int match, authresultisfixed; match = 1; /* * HACK-FORK-EDIT-OK */ return match; }

E) Change directory into the dante source code folder.

pushd dante-1.4.2+dfsg

F) Build the Debian package.

dpkg-buildpackage -b --no-sign

E) Change directory back to the home folder.

popd

F) Install the modified dante package.

sudo dpkg -i dante-server_1.4.2+dfsg-7_amd64.deb

5. Open file /etc/danted.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/danted.conf

6. Local socks proxy configuration.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Delete all contents from the file and replace it with the following configuration.

debug: 1 logoutput: stderr internal: 127.0.0.1 port = 9150 external: eth0 socksmethod: none username clientmethod: none user.privileged: root user.notprivileged: root user.libwrap: root client pass { from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0 log: connect disconnect error } socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 command: bind connect udpassociate log: error connect disconnect iooperation }

7. Restart the local socks proxy.

This is to apply the changed configuration and to test if the configuration is valid.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl restart danted.service

8. tb-starter Configuration

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Stop Tor from using unix domain socket files for socks so it uses socks on IP 127.0.0.1 port 9150 instead.

Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

Paste.

unset TOR_SOCKS_IPC_PATH

Save and exit.

9. Platform specific notice:

  • Non-Qubes-Whonix: No special notice required.
  • Qubes-Whonix: Shutdown Template. Once done, restart App Qube.

10. Start Tor Browser.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In Whonix-Workstation ™ App Qube.

torbrowser

Tor Browser should now be using system default networking thanks to the local socks proxy.

No additional configuration of Tor Browser is required.

11. Done.

For older methods, which might be broken due to Tor Browser changes by upstream, please press on Expand on the right.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the simplest is the /etc/environment Method.

Note: Choose only one method to enable transparent torification.

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [34]

1. Platform specific notice.

2. Open file /etc/environment in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/environment

3. Add the following line.

TOR_TRANSPROXY=1 ## newline at the end

4. Save and exit.

5. Reboot.

Reboot is required to make changes to configuration file /etc/environment take effect.

6. Done.

/etc/environment method configuration has been completed.

Tor Browser Settings Changes

This step is required since Tor Browser 10. [35]

1. Platform specific notice.

2. Tor Browser → URL bar → Type: about:config → Press Enter key. → search for and modify

3. network.dns.disabled → set to false

4. extensions.torbutton.launch_warning → set to false

Undo

Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Command Line Method

1. Platform specific notice:

2. Navigate to the Tor Browser folder.

cd ~/.tb/tor-browser

3. Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

4. Done.

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

1. Platform specific notice:

2. Find and open start-tor-browser in the Tor Browser folder with an editor.

This is most likely found in ~/.tb/tor-browser/Browser/start-tor-browser below #!/usr/bin/env bash.

3. Set.

export TOR_TRANSPROXY=1

4. Done.

start-tor-browser Method configuration has been completed.

Ignore Tor Button's Open Network Settings

Whonix ™ has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [36]


Then try this command.

proxychains ~/.tb/tor-browser/start-tor-browser

Might be also interesting:


Transparent Proxying Method[edit]

Introduction[edit]

Advanced users only!

To make clear, what this is about. Whonix-Gateway ™ is already serving as a Transparent Proxy [37], which means, that all applications not explicitly configured [38] to use a SocksPort, can connect through Tor without any settings. This section is about configuring Whonix-Workstation ™ also to act as a Transparent Proxy [39]. Use case: a user wants to ensure all traffic goes through Tor (by using Whonix-Gateway ™) and want to additionally ensure, all traffic goes through a proxy choosen by the user after the Tor link, i.e. user → Tor → proxy → internet.

[40]

You always have to keep in mind, which kind of data and which kind of proxy you are using. There are CGIproxies, http(s) proxies and socks4/4a/5 proxies.

In case you redirect the network layer directly with iptables, you need a TransPort. Unfortunately very few applications, do offer a TransPort. For example, Tor supports a TransPort. In most other cases, you need to translate the different kinds of data.

Due to the nature of Transparent Proxying, we need to redirect with iptables and end up with a "Trans data stream". Because most proxies are either http or socks we need to translate this. Below we discuss a few tools which help here, not all are required, depending on what you want to do.

Required reading:

Tools[edit]

Tor is a socks proxy and also has a TransPort. Unfortunately, Tor can not be directly used as a http proxy. You must also keep in mind, that Tor does not support UDP, although it offers a DnsPort.

redsocks can also accept "Trans data streams" and can forward them to https, socks4 and socks5 proxies. If you were to use a http proxy (no https, without connect-method, see proxy article), you could access only http sites, no https sites. Rather redsocks can convert UDP DNS queries to TCP DNS queries.

DNS resolution[edit]

The complication (and also advantage/feature) with transparent proxying is, that the internet application (browser, etc.) is not aware of the proxy. Therefore the internet application will attempt to do the DNS resolution itself using the system, not using the proxy. The DNS requests also must be considered. Since Tor does not support UDP, we have to transmit DNS queries via TCP.

It is impossible to resolve DNS directly on the proxy, when using the proxy as a transparent proxy, see Transparent Proxying Method for explanation. You need an extra DNS server, which answers over TCP.

You have several options to resolve DNS.

Either leave the setup as it is, Tor's DnsPort and therefore the Tor exit relays will still do the DNS requests. (See DNS rule #1.) This is probably not what you want, since you wanted to cloak your identity with an additional proxy after Tor.

Alternatively you can use a public DNS resolver. The instructions for Secondary DNS Resolver#DNSCrypt by OpenDNS should work out of the box (tested). (See DNS rule #2.)

All DNS resolvers [41] should work, as long TCP is supported and as long you are querying a TCP enabled DNS server. [42] [43] [44] [45]

Read the DNS related warnings.

Prevent Bypassing the Tunnel-Link[edit]

Ambox warning pn.svg.png

  • Apply the following steps to avoid unexpected results such as broken connectivity and/or traffic bypassing the tunnel-link and only going through Tor.
  • Qubes-Whonix ™ exception: There is one tunnel configuration where Qubes-Whonix ™ users are better placed. When a separate tunnel-link VM is used between anon-whonix and sys-whonix (anon-whonixTunnel-linksys-whonix), these connections will fail without the following modifications.

Introduction
Disabling stream isolation will prevent bypassing of the tunnel-link. By default, many pre-installed applications are configured for Stream Isolation in Whonix ™. These specific applications are configured to use Tor SocksPorts, instead of Tor's TransPort.

All applications which are configured to use a Tor SocksPorts are not tunneled through the tunnel-link, but instead they are only tunneled through Tor. The reason is the following configuration does not touch local connections to 10.152.152.10, which is the Whonix-Gateway ™. Therefore, all Tor Browser proxy settings must be removed if attempting to tunnel Tor Browser via the route UserTorTunnel-linkInternet (or similar); see below for instructions.

Deactivate uwt Wrappers

The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt-wrapped applications system-wide. Consequently, all uwt-wrapped applications revert to the default system networking configuration.

For more granular control of uwt wrapper deactivation, see: Deactivate uwt Stream Isolation Wrapper.

1. Platform specific notice:

2. Open file /etc/uwt.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/uwt.d/50_user.conf

3. Add.

uwtwrapper_global="0"

4. Save and exit.

5. Done.


Tor Browser Remove Proxy Settings

Introduction

This configuration results in Tor Browser no longer using proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside Whonix-Workstation ™ that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [46] [47]

Note: This action will break both Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and leads to pseudonymous (not anonymous) connections. To mitigate these risks, consider using More than one Tor Browser in Whonix ™, or preferably Multiple Whonix-Workstation ™.

Local socks proxy Method

Since other methods to configure Tor Browser to use system default networking are broken due to Tor Browser changes by upstream, this new local socks proxy method stops anon-ws-disable-stacked-tor local port 9150 redirection to Whonix-Gateway ™ 9150 (where a Tor SocksPort is listening). As a replacement, a local socks proxy listens on Whonix-Workstation ™ local port 9150 which then forwards the traffic using system default networking. In result, if the user is using a VPN inside Whonix-Workstation ™ or in a VPN-Gateway wretched between Whonix-Gateway ™ and Whonix-Workstation ™, Tor Browser would use the VPN.

In this documentation, Dante is used as a local socks proxy. Development notes are kept on Dev/Dante.

1. Legacy notices.

  • New users, that did not apply instructions from this page again: No special notice.
  • Existing users: See below.

A few settings need to be undone.

  • A) Previous changes to /etc/environment as documented previously for other methods need to be undone.
  • B) Tor Browser needs to be re-installed. This is because undoing the previous configuration is difficult and undocumented.

2. Stop default anon-ws-disable-stacked-tor service for port 9150.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

3. Prevent default anon-ws-disable-stacked-tor systemd unit from starting.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

4. Install the local socks proxy server.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

A) Add Debian source repository.

Open file /etc/apt/sources.list.d/debian-src.list in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian-src.list

Paste.

deb-src https://deb.debian.org/debian bullseye main contrib non-free

Save and exit.

sudo apt update

B) Install build dependencies.

sudo apt build-dep dante-server

C) Get dante source code.

apt-get source dante-server

D) Open the dante accesscheck.c source file.

mousepad ~/dante-1.4.2+dfsg/sockd/accesscheck.c

Paste the contents.

/* * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006, 2008, * 2009, 2010, 2011, 2012, 2013 * Inferno Nettverk A/S, Norway. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. The above copyright notice, this list of conditions and the following * disclaimer must appear in all copies of the software, derivative works * or modified versions, and any portions thereof, aswell as in all * supporting documentation. * 2. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by * Inferno Nettverk A/S, Norway. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * Inferno Nettverk A/S requests users of this software to return to * * Software Distribution Coordinator or sdc@inet.no * Inferno Nettverk A/S * Oslo Research Park * Gaustadalléen 21 * NO-0349 Oslo * Norway * * any improvements or extensions that they make and grant Inferno Nettverk A/S * the rights to redistribute these changes. * */ #include "common.h" static const char rcsid[] = "$Id: accesscheck.c,v 1.89 2013/10/27 15:24:42 karls Exp $"; int usermatch(auth, userlist) const authmethod_t *auth; const linkedname_t *userlist; { /* const char *function = "usermatch()"; */ const char *name; if ((name = authname(auth)) == NULL) return 0; /* no username, no match. */ do if (strcmp(name, userlist->name) == 0) break; while ((userlist = userlist->next) != NULL); if (userlist == NULL) return 0; /* no match. */ return 1; } int groupmatch(auth, grouplist) const authmethod_t *auth; const linkedname_t *grouplist; { const char *function = "groupmatch()"; const char *username; struct passwd *pw; struct group *groupent; SASSERTX(grouplist != NULL); if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ /* * First check the primary group of the user against grouplist. * If the groupname given there matches, we don't need to go through * all users in the list of group. */ if ((pw = getpwnam(username)) != NULL && (groupent = getgrgid(pw->pw_gid)) != NULL) { const linkedname_t *listent = grouplist; do if (strcmp(groupent->gr_name, listent->name) == 0) return 1; while ((listent = listent->next) != NULL); } else { if (pw == NULL) slog(LOG_DEBUG, "%s: unknown username \"%s\"", function, username); else if (groupent == NULL) slog(LOG_DEBUG, "%s: unknown primary groupid %ld", function, (long)pw->pw_gid); } /* * Go through grouplist, matching username against each groupmember of * all the groups in grouplist. */ do { char **groupname; if ((groupent = getgrnam(grouplist->name)) == NULL) { swarn("%s: unknown groupname \"%s\"", function, grouplist->name); continue; } groupname = groupent->gr_mem; while (*groupname != NULL) { if (strcmp(username, *groupname) == 0) return 1; /* match. */ ++groupname; } } while ((grouplist = grouplist->next) != NULL); return 0; } #if HAVE_LDAP int ldapgroupmatch(auth, rule) const authmethod_t *auth; const rule_t *rule; { const char *function = "ldapgroupmatch()"; const linkedname_t *grouplist; const char *username; char *userdomain, *groupdomain; int retval; if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ #if !HAVE_GSSAPI if (!rule->state.ldap.ldapurl) SERRX(rule->state.ldap.ldapurl != NULL); #endif /* !HAVE_GSSAPI */ if ((userdomain = strchr(username, '@')) != NULL) ++userdomain; if (userdomain == NULL && *rule->state.ldap.domain == NUL && rule->state.ldap.ldapurl == NULL) { slog(LOG_DEBUG, "%s: cannot check ldap group membership for user %s: " "user has no domain postfix and no ldap url is defined", function, username); return 0; } if ((retval = ldap_user_is_cached(username)) >= 0) return retval; /* go through grouplist, matching username against members of each group. */ grouplist = rule->ldapgroup; do { char groupname[MAXNAMELEN]; slog(LOG_DEBUG, "%s: checking if user %s is member of ldap group %s", function, username, grouplist->name); STRCPY_ASSERTLEN(groupname, grouplist->name); if ((groupdomain = strchr(groupname, '@')) != NULL) { *groupdomain = NUL; /* separates groupname from groupdomain. */ ++groupdomain; } if (groupdomain != NULL && userdomain != NULL) { if (strcmp(groupdomain, userdomain) != 0 && strcmp(groupdomain, "") != 0) { slog(LOG_DEBUG, "%s: userdomain \"%s\" does not match groupdomain " "\"%s\" and groupdomain is not default domain. " "Trying next entry", function, userdomain, groupdomain); continue; } } if (ldapgroupmatches(username, userdomain, groupname, groupdomain, rule)){ cache_ldap_user(username, 1); return 1; } } while ((grouplist = grouplist->next) != NULL); cache_ldap_user(username, 0); return 0; } #endif /* HAVE_LDAP */ int accesscheck(s, auth, src, dst, emsg, emsgsize) int s; authmethod_t *auth; const struct sockaddr_storage *src, *dst; char *emsg; size_t emsgsize; { int match, authresultisfixed; match = 1; /* * HACK-FORK-EDIT-OK */ return match; }

E) Change directory into the dante source code folder.

pushd dante-1.4.2+dfsg

F) Build the Debian package.

dpkg-buildpackage -b --no-sign

E) Change directory back to the home folder.

popd

F) Install the modified dante package.

sudo dpkg -i dante-server_1.4.2+dfsg-7_amd64.deb

5. Open file /etc/danted.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/danted.conf

6. Local socks proxy configuration.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Delete all contents from the file and replace it with the following configuration.

debug: 1 logoutput: stderr internal: 127.0.0.1 port = 9150 external: eth0 socksmethod: none username clientmethod: none user.privileged: root user.notprivileged: root user.libwrap: root client pass { from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0 log: connect disconnect error } socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 command: bind connect udpassociate log: error connect disconnect iooperation }

7. Restart the local socks proxy.

This is to apply the changed configuration and to test if the configuration is valid.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

sudo systemctl restart danted.service

8. tb-starter Configuration

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In whonix-ws-16 Template.

Stop Tor from using unix domain socket files for socks so it uses socks on IP 127.0.0.1 port 9150 instead.

Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

Paste.

unset TOR_SOCKS_IPC_PATH

Save and exit.

9. Platform specific notice:

  • Non-Qubes-Whonix: No special notice required.
  • Qubes-Whonix: Shutdown Template. Once done, restart App Qube.

10. Start Tor Browser.

  • Non-Qubes-Whonix: In Whonix-Workstation ™.
  • Qubes-Whonix: In Whonix-Workstation ™ App Qube.

torbrowser

Tor Browser should now be using system default networking thanks to the local socks proxy.

No additional configuration of Tor Browser is required.

11. Done.

For older methods, which might be broken due to Tor Browser changes by upstream, please press on Expand on the right.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the simplest is the /etc/environment Method.

Note: Choose only one method to enable transparent torification.

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [48]

1. Platform specific notice.

2. Open file /etc/environment in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/environment

3. Add the following line.

TOR_TRANSPROXY=1 ## newline at the end

4. Save and exit.

5. Reboot.

Reboot is required to make changes to configuration file /etc/environment take effect.

6. Done.

/etc/environment method configuration has been completed.

Tor Browser Settings Changes

This step is required since Tor Browser 10. [49]

1. Platform specific notice.

2. Tor Browser → URL bar → Type: about:config → Press Enter key. → search for and modify

3. network.dns.disabled → set to false

4. extensions.torbutton.launch_warning → set to false

Undo

Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Command Line Method

1. Platform specific notice:

2. Navigate to the Tor Browser folder.

cd ~/.tb/tor-browser

3. Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

4. Done.

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

1. Platform specific notice:

2. Find and open start-tor-browser in the Tor Browser folder with an editor.

This is most likely found in ~/.tb/tor-browser/Browser/start-tor-browser below #!/usr/bin/env bash.

3. Set.

export TOR_TRANSPROXY=1

4. Done.

start-tor-browser Method configuration has been completed.

Ignore Tor Button's Open Network Settings

Whonix ™ has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [50]


Deactivate Miscellaneous Proxy Settings

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this the Whonix ™ system default must be removed from the application's settings.

TODO: document and expand.

Remove proxy settings for APT repository files.

1. Platform specific notice:

2. If you previously onionized any repositories, that has to be undone; see Onionizing Repositories.

3. Remove any mention of tor+ in file /etc/apt/sources.list (if it was previously configured; that file is empty by default in Whonix ™ / Kicksecure) or any file in folder /etc/apt/sources.list.d.

4. Open file /etc/apt/sources.list /etc/apt/sources.list.d/* in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

5. Remove any mention of tor+.

6. Done.

The process of removing proxy settings from APT repository files is now complete.

Remove proxy settings for Tor Browser Downloader by Whonix ™.

1. Platform specific notice:

2. Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

3. Paste. [51] [52]

TB_NO_TOR_CON_CHECK=1 CURL_PROXY="--fail"

4. Save and exit.

5. Done.

Proxy settings have been removed from Tor Browser Downloader by Whonix ™.

For some applications, this is impossible:

These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. Therefore you can only deactivate sdwdate and/or not use applications like OnionShare and Ricochet IM.

How to setup proxy tunnel-link after Tor (User→Tor→Proxy→Internet)[edit]

Unfinished!
Advanced users only!

Everything on Whonix-Workstation ™.

Get a working proxy and test (with any of the above methods) if it works reliable.

Install redsocks.

sudo apt install redsocks

Enable redsocks autostart.

Open file /etc/default/redsocks in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/default/redsocks

Look for.

START=no

And replace it with.

START=yes

Configure redsocks by editing /etc/redsocks.conf to your needs.

Open file /etc/redsocks.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/redsocks.conf

Under.

redsocks {

You have to edit.

        ip = 127.0.0.1;
        port = 1080;
        type = socks5

To your needs.

Start redsocks.

sudo service redsocks start

Create a file fw.bsh.

And use the following firewall rules.

#!/bin/bash
## These iptables rules redirect the traffic for all users,
## including root, with the exception of the user redsocks,
## through the proxy.

## TODO: these iptables rules need review.
## TODO: use iptables default policy drop.

## Choose either DNS rule #1 or DNS rule #2.

## For debugging/testing use this command in console.
## tail -f /var/log/syslog

## Flush old rules.
iptables -F
iptables -t nat -F
iptables -X

## Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT --dst 127.0.0.1 -j ACCEPT

## Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## DNS rule #1.
## Allow DNS directly through {{project_name_gateway_long}}.
#iptables -A OUTPUT --dst 10.152.152.10 -p udp --dport 53 -j ACCEPT

## DNS rule #2.
## For DNSCrypt set /etc/resolv.conf to
## nameserver 127.0.0.1
##
## sudo dnscrypt-proxy --tcp-only --user=user
##
## DNSCrypt listening on port 53
iptables -t nat -A OUTPUT --dst 127.0.0.1 -p udp --dport 53 -j ACCEPT
iptables -t nat -A OUTPUT --dst 127.0.0.1 -p tcp --dport 53 -j ACCEPT

## redsocks must be allowed to establish direct connections.
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks
iptables -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks

## Redirect remaining traffic to redsocks.
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345

## TODO: UDP rule untested.
#iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-port 10053

## Log blocked traffic for debugging.
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables: "

## Reject all other traffic.
iptables -A OUTPUT -j REJECT

Make the firewall script executable.

sudo chmod +x fw.bsh

Apply the firewall rules.

sudo fw.bsh


Footnotes[edit]

  1. Like the Tor, JonDonym or I2P software.
  2. TCP or DNS
  3. Depends if the application has any proxy bypass bugs.
  4. Depends on how bug free the socksifier is.
  5. Because redirection happens at the iptables level, not at the application level.
  6. See #DNS_resolution.
  7. Questionable if that adds anything. See: Aren't 10 proxies (proxychains) better than Tor with only 3 hops? - proxychains vs Tor
  8. Would require adding such a feature to redsocks.
  9. 9.0 9.1 9.2 Qubes-Whonix ™ users note: In App Qube (whonix-ws-16) could also use file /usr/local/etc/torbrowser.d/50_user.conf instead.

    1. Create folder /usr/local/etc/torbrowser.d.

    mkdir -p /usr/local/etc/torbrowser.d

    2. Open file /usr/local/etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

    This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

    sudoedit /usr/local/etc/torbrowser.d/50_user.conf

  10. TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when Whonix ™ tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
  11. By tb-updater default, if unset, variable CURL_PROXY will be dynamically set to a Tor SocksPort on Whonix-Gateway ™. For example to CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115".
    By utilizing a curl parameter we are using anyhow -- CURL_PROXY="--fail" -- the environment variable can be disabled even if it is technically still set. This will result in downloading via the system's default networking.
  12. 12.0 12.1 12.2 Qubes-Whonix ™ users note: Or alternatively in App Qube.

    1. Create folder /usr/local/etc/uwt.d.

    sudo mkdir -p /usr/local/etc/uwt.d

    2. Open file /usr/local/etc/uwt.d/50_user.conf in an editor with administrative (root) write permissions.

    This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

    sudoedit /usr/local/etc/uwt.d/50_user.conf

  13. This term was coined in context of a Tor Transparent Proxy (.onion). It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  14. If these settings are changed, Tor Button would previously show a red sign and state "Tor Disabled" when a mouse was hovered over it.
  15. Unless this environment variable is manually unset before starting Tor Browser.
  16. The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor BrowserOpen Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation ™ because:
    • In Whonix ™, there is only limited access to Tor's control port (see Dev/CPFP for more information).
    • For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on Whonix-Gateway ™, and not from Whonix-Workstation ™ (see VPN/Tunnel support for more information).
  17. TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when Whonix ™ tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
  18. By tb-updater default, if unset, variable CURL_PROXY will be dynamically set to a Tor SocksPort on Whonix-Gateway ™. For example to CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115".
    By utilizing a curl parameter we are using anyhow -- CURL_PROXY="--fail" -- the environment variable can be disabled even if it is technically still set. This will result in downloading via the system's default networking.
  19. Using .anondist-orig, i.e. /usr/bin/wget.anondist-orig will circumvent the wget uwt wrapper.
  20. For testing, you could compare the IP shown by the above command with the next one. If you didn't disable the wget uwt wrapper, the following command will most likely fetch another IP, because still using Stream Isolation. Using Tor's TransPort.
    (/usr/bin/wget.anondist-orig original non-uwt-wrapped version)
    wget.anondist-orig https://check.torproject.org
  21. For further explanation only... If you disabled wget's uwt wrapper, to use Tor's TransPort, you could use the following command.
    wget https://check.torproject.org
  22. This term was coined in context of a Tor Transparent Proxy (.onion). It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  23. If these settings are changed, Tor Button would previously show a red sign and state "Tor Disabled" when a mouse was hovered over it.
  24. Unless this environment variable is manually unset before starting Tor Browser.
  25. The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor BrowserOpen Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation ™ because:
    • In Whonix ™, there is only limited access to Tor's control port (see Dev/CPFP for more information).
    • For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on Whonix-Gateway ™, and not from Whonix-Workstation ™ (see VPN/Tunnel support for more information).
  26. Might be also interesting: Advanced Security Guide#More than one Tor Browser in Whonix ™
  27. https://gitlab.torproject.org/legacy/trac/-/wikis/doc/torsocks#WorkaroundforIPv6leakbug
  28. Advanced. Recommendation: Why not use Tor stream isolation for the proxychains connection?
    [ProxyList]
    ## add proxy here ...
    ## meanwhile
    ## defaults set to "tor"
    #socks4 127.0.0.1 9050
    socks5 10.152.152.10 9152
    socks5 x.x.x.x xxxx
    
  29. For testing, you could compare the IP shown by the above command with the next one. If you didn't disable the wget uwt wrapper, the following command will most likely fetch another IP, because still using Stream Isolation. Using Tor's TransPort. (/usr/bin/wget.anondist-orig original non-uwt-wrapped version)
    wget.anondist-orig https://check.torproject.org
  30. This term was coined in context of a Tor Transparent Proxy (.onion). It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  31. If these settings are changed, Tor Button would previously show a red sign and state "Tor Disabled" when a mouse was hovered over it.
  32. Unless this environment variable is manually unset before starting Tor Browser.
  33. The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor BrowserOpen Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation ™ because:
    • In Whonix ™, there is only limited access to Tor's control port (see Dev/CPFP for more information).
    • For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on Whonix-Gateway ™, and not from Whonix-Workstation ™ (see VPN/Tunnel support for more information).
  34. anonymizing middlebox
  35. by uwt socksifier or proxy settings
  36. local redirection
  37. torproject.org wiki version 129 contains an old example using privoxy, JonDo and httpsdnsd. The new example uses redsocks and is simpler.
  38. https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
  39. You can't simply add another public DNS resolver (i.e. OpenDNS or Google) to /etc/resolv.conf in Whonix-Workstation ™ (i.e. Tor → public DNS resolver), it would have no effect, as explained under Whonix-Workstation ™ is Firewalled.
  40. Also Secondary DNS Resolver#httpsdnsd by JonDos might work, but you'd need to make some changes (use httpsdnsd as a system wide, Whonix-Workstation ™ wide, DNS resolver, not just for a specific user account).
  41. DNSCrypt and httpsdnsd add the advantage, that neither the proxy nor the Tor exit relay can sniff or manipulate your DNS requests, since they are encrypted and authenticated.
  42. Or perhaps also ttdnsd with Google could work.
  43. This term was coined in context of a Tor Transparent Proxy (.onion). It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  44. If these settings are changed, Tor Button would previously show a red sign and state "Tor Disabled" when a mouse was hovered over it.
  45. Unless this environment variable is manually unset before starting Tor Browser.
  46. The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor BrowserOpen Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation ™ because:
    • In Whonix ™, there is only limited access to Tor's control port (see Dev/CPFP for more information).
    • For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on Whonix-Gateway ™, and not from Whonix-Workstation ™ (see VPN/Tunnel support for more information).
  47. TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when Whonix ™ tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
  48. By tb-updater default, if unset, variable CURL_PROXY will be dynamically set to a Tor SocksPort on Whonix-Gateway ™. For example to CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115".
    By utilizing a curl parameter we are using anyhow -- CURL_PROXY="--fail" -- the environment variable can be disabled even if it is technically still set. This will result in downloading via the system's default networking.