Cwtch messaging

I will wait for a SOCKSAuth request so they do the base first and have some time to “relax” from doing anonymity distribution requests.

1 Like

Is Cwtch (v. 1.10) currently usable with the Whonix gateway (running from the Whonix workstation)? If so, what should be the ‘advanced tor configuration’?

  • socks port
  • control port
  • " and specify further options by entering custom torrc options"

The issues I opened were not closed so I don’t believe so.
About the advanced tor configuration, it won’t fix the problem as the address the onion service is binding is unreachable by the Whonix Gateway.

1 Like

Cwtch is aiming to support Tails, using onion-grater.

This is good for Whonix also.
Blocker is host binding.

1 Like

Whonix support is ready for testing :smiley:

1 Like

Nice, but it is still nightly and the guide is incomplete.

Follow Running Cwtch on Whonix | The Cwtch Handbook

Note the guide is missing some things.

It is missing EXTERNAL_OPEN_PORTS for whonix-firewall. Use the same pattern as for onionshare.

EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "

Reload the firewall

sudo whonix_firewall

Later, the onion-grater profile is not properly formatted: the replacement lines need to be indented/aligned with their pattern lines.
The second issue with the profile is that everything after exe-paths needs to be indented according to exe-paths, not placed in the first column.

This is the one I am using correctly indented:

# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern

---
- exe-paths:
    - '*'
  users:
    - '*'
  hosts:
    - '*'
  commands:
    AUTHCHALLENGE:
      - 'SAFECOOKIE .*'
    SETEVENTS:
      - 'CIRC WARN ERR'
      - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
    GETINFO:
      - 'net/listeners/socks'
      - '.*'
    GETCONF:
      - 'DisableNetwork'
    SETCONF:
      - 'DisableNetwork.*'
    ADD_ONION:
      - '.*'
    DEL_ONION:
      - '.+'
    HSFETCH:
      - '.+'
  events:
    CIRC:
      suppress: true
    ORCONN:
      suppress: true
    INFO:
      suppress: true
    NOTICE:
      suppress: true
    WARN:
      suppress: true
    ERR:
      suppress: true
    HS_DESC:
      response:
        - pattern:     '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
          replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
        - pattern:     '650 HS_DESC UPLOAD (\S+) (\S+) .*'
          replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
        - pattern:     '650 HS_DESC UPLOADED (\S+) (\S+) .+'
          replacement: '650 HS_DESC UPLOADED {} {} redacted'
        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH'
          replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
          replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
        - pattern:     '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
          replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
        - pattern:     '.*'
          replacement: ''
    HS_DESC_CONTENT:
      suppress: true

If everything is fine with the profile, running /usr/lib/onion-grater-merger will not throw errors.

The rest of the guide is fine.

Download the recommended nightly build.
Extract it to ~/.local/lib/cwtch

env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true LOG_LEVEL=debug ~/.local/lib/cwtch/cwtch

It didn’t fail to connect to tor, but I couldn’t send messages; it says the contact is offline. I did not find any relevant information with log level debug to report.

Also, it is necessary to close the application properly via the X of the application, not the window manager, for a proper shutdown, else:

tor/torProvider.go [ERR ] 550 Unspecified Tor error: Onion address collision - Recovering, but this probably indicates some weird tor configuration issue...

Because it is not running DEL_ONION when closing the application improperly.

This is not proper feedback. If someone can submit upstream, your logs would help the development.

1 Like
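To see what the HS_DESC rewrite rules in the profile above actually do to a client, here is an added example (not code from this thread, from Cwtch or from onion-grater) that applies those rules to a few constructed control-port events. It assumes onion-grater matches each pattern against the whole event line and fills the `{}` placeholders with the regex groups in order, which is how I read its replacement logic.

```python
import re

# Rewrite rules copied from the HS_DESC "response" section of the profile in
# this thread, in the order the profile lists them. Order matters: the first
# matching rule wins, and the final '.*' -> '' rule drops everything else.
HS_DESC_RULES = [
    (r'650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)',
     '650 HS_DESC CREATED {} {} {} redacted {}'),
    (r'650 HS_DESC UPLOAD (\S+) (\S+) .*',
     '650 HS_DESC UPLOAD {} {} redacted redacted'),
    (r'650 HS_DESC UPLOADED (\S+) (\S+) .+',
     '650 HS_DESC UPLOADED {} {} redacted'),
    (r'650 HS_DESC REQUESTED (\S+) NO_AUTH',
     '650 HS_DESC REQUESTED {} NO_AUTH'),
    (r'650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+',
     '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'),
    (r'650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+',
     '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'),
    (r'.*', ''),
]


def rewrite_event(line, rules=HS_DESC_RULES):
    """Return the line a client sees after the rules are applied.

    Assumption: a pattern must match the whole event line (fullmatch) and
    the '{}' placeholders are filled with the regex groups via str.format.
    An empty string means the event is dropped entirely.
    """
    for pattern, replacement in rules:
        match = re.fullmatch(pattern, line)
        if match:
            return replacement.format(*match.groups())
    return line  # not reached while a trailing '.*' rule is present


def filter_stream(lines, rules=HS_DESC_RULES):
    """Rewrite a sequence of events and drop the ones the rules suppress."""
    return [out for out in (rewrite_event(l, rules) for l in lines) if out]


# Constructed sample events, not captured from a real Tor instance.
SAMPLE_EVENTS = [
    '650 HS_DESC CREATED addr UNKNOWN $FP desc_id REPLICA=1',
    '650 HS_DESC UPLOADED addr UNKNOWN $FP',
    '650 HS_DESC REQUESTED addr NO_AUTH $FP desc_id',
    '650 HS_DESC FAILED addr NO_AUTH $FP desc_id REASON=NOT_FOUND',
]

if __name__ == '__main__':
    for out in filter_stream(SAMPLE_EVENTS):
        print(out)
```

Note that the HS_DESC FAILED event is swallowed by the catch-all rule, so a client waiting on it would see nothing; with prefix matching instead of whole-line matching the shorter REQUESTED rule would also truncate the longer REQUESTED event.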

Cwtch is working on Whonix.

2 Likes

It was failing because the onion-grater profile was not rewriting to the client address; the pull request to the Cwtch docs above fixes this.

2 Likes

Excellent!

Feature requests:

  • send a pull request to onion-grater so we ship the cwtch profile in Whonix by default
  • open a feature request for cwtch to set the variables CWTCH_TAILS, CWTCH_RESTRICT_PORTS and CWTCH_BIND_EXTERNAL_WHONIX automatically if Whonix is detected. That could be based on testing whether the file /usr/share/anon-ws-base-files/workstation exists.

related:
Whonix ™ friendly applications best practices chapter Programmatically Detecting Whonix ™ in Whonix wiki

What’s the point of LD_LIBRARY_PATH?

Will do once it is improved. It is not hardened, it is just “working” as of now.

What I don’t like about the profile:

  commands:
    GETINFO:
      - '.*'
    SETCONF:
      - 'DisableNetwork.*'

I see all those variables as necessary on Whonix, not optional, so system detection would be nice. They are already doing that with CWTCH_BIND_EXTERNAL_WHONIX, by blocking it if Whonix is not detected.

1 Like

Tails installation:

Tails onion-grater profile:

Forgot to change Whonix onion-grater profile…

But will wait to get a definitive profile.
Also, because the profile is repeated in the documentation and in another file, I think it should not be in the docs; code duplication will be forgotten.

1 Like

Thank you! Merged.

This is now in the testers repository.

1 Like

This is becoming strange because there is no reason for Cwtch to have extra information in the profile, like the Whonix packaging ## meta start for example.

In the future, we may ask them to simply mention that Whonix already has the profile and that it only needs to be loaded; then there is no code duplication to keep in sync with files that don’t completely match.

1 Like

Merged.

This is now in the testers repository.

Cwtch now has a stable release candidate, which includes Whonix support (thanks @nyxnor !!).

I’m running Qubes-Whonix (Whonix 16, waiting for Qubes OS 4.2 to be stable to upgrade to Whonix 17). I followed the install instructions.

Upon launching, I get the error output:
cwtch-autobindings/lib.go [ERR ] Error connecting to Tor replacing with ErrorACN: write tcp 127.0.0.1:57352->127.0.0.1:9051: write: broken pipe

Within the UI, a similar message is under “Tor Status”.

Others in the Cwtch Testers group have had the same issue.

Not sure if this is relevant, but additionally the first two lines of output are:

(cwtch:5927): dbind-WARNING **: 15:32:42.325: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was not provided by any .service files

(cwtch:5927): Gdk-CRITICAL **: 15:32:42.388: gdk_window_get_state: assertion 'GDK_IS_WINDOW (window)' failed

Any thoughts on what is causing this? Discussion in the Cwtch Testers group did not resolve the issue.

I’m not sure whether this is expected behaviour, but even after “Reload Firewall”, the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf still appears empty. The Whonix docs imply that it would not be empty if a change to the firewall settings was made.