Long Wiki Edits Thread

Thanks all. I will make those blog changes shortly.

@0brand. Good pickup. I ended up protecting all the 250+ templates to deter trolls who were getting a little active in recent months.

I’ve changed the permission on that template so you should be able to edit it now.

No problem - let me test Sandboxed Tor Browser without backports (will purge the other version of Bubblewrap).

Will also change the wording on onionshare, i.e. users can manually install it or use the Sid package.

Draft instructions to follow here - I’ll give it a crack and you linux pros tell me whether it’s the canonical method or not. To say the online Debian instructions are involved would be an understatement i.e. just installing one package from testing requires a ton of pinning & APT steps.

2 Likes

OK - Sandboxed Tor Browser does not need Bubblewrap from stretch-backports to work correctly, just the normal repos:

  • Fixed wiki.

  • Updated wiki text to reflect April 2018 status of sandbox specs.

  • I’ve tested that both Sandboxed Tor Browser stable and alpha work in Whonix 14 - they do.

  • Haven’t played with optional configurations like sound etc, so I’ll leave that as an exercise for the interested Whonix user, since it opens up unnecessary attack vectors.

Note the error message around the Adwaita theme in Konsole is:

sandbox: Failed to find Adwaita gtk-2.0 theme.

Since this theme is probably installed in standard Tor Browser (the running Sandboxed Tor Browser instance does look a little different), perhaps we should recommend users install it, as it may otherwise pose a fingerprinting vector(?).

Moving on to onionshare…

@iry @0brand

Adopted your changes for the suggested Whonix 14 blog release wording (further above).

Once we have acceptable OnionShare install instructions with a Whonix wiki reference, it’s ready for saving as a draft blog. Anything else you want to highlight feature-wise?

1 Like

Thank you for your awesome work! It looks great to me!

1 Like

torjunkie

Whonix 14 blog release is impeccable. Great work!

1 Like

What do you think about adding this step by step guide to wiki/Tor? Then have a step in the Whonix 14 testers blog that has users copy and paste Tor State File from sys-whonix-13 to sys-whonix-14. ( and also has a link to these instructions?)

Copying Tor State to secondary sys-whonix

torjunkie: the language in this guide is not complete. Just wanted to get your opinion before I went any further. Also these instructions assume sys-whonix is based on Whonix-14 and sys-whonix-13 (obvious)

  1. In sys-whonix stop Tor.

    sudo systemctl stop tor@default

  2. In sys-whonix remove Tor State File. Note: It's likely that this command will complain that the process is busy. This can be ignored.

    sudo rm -r /var/lib/tor

  3. In sys-whonix, ensure /var/lib/tor is empty. This command should produce no output.

    sudo ls /var/lib/tor

  4. In sys-whonix-13, stop tor.

    sudo systemctl stop tor@default

  5. In sys-whonix-13, copy the Tor State File to sys-whonix. Users must upgrade to a root prompt (root@host:# ) for the command to exit successfully.

    Note: If users encounter this error it can be ignored. qfile-agent: Fatal error: stat “VM” (error type: No such file or directory) . Hit “OK” when prompted

    sudo su

    qvm-copy /var/lib/tor sys-whonix

  6. In sys-whonix, list the QubesIncoming directory to ensure Tor State File was copied over successfully.

    ls ~/QubesIncoming/sys-whonix-13/tor

    The output should include these files:

    cached-certs cached-microdescs lock
    cached-microdesc-consensus cached-microdescs.new state

  7. In sys-whonix, move Tor State File to /var/lib/tor .

    sudo mv ~/QubesIncoming/sys-whonix-13/tor/* /var/lib/tor

  8. In sys-whonix, ensure all files listed in step 6 are now in /var/lib/tor and have the proper ownership. For Tor to function, files in this directory should be owned by debian-tor. If files do not have proper ownership, proceed to step 9. Otherwise skip to step 10.

    sudo ls -l /var/lib/tor

    Note: The first 2 lines of the output should look similar to this. Notice the proper file ownership ‘debian-tor debian-tor’.

    -rw------- 1 debian-tor debian-tor 20442 Feb 22 21:22 cached-certs
    -rw------- 1 debian-tor debian-tor 1985454 Apr 4 00:04 cached-microdesc-consensus

  9. In sys-whonix, change ownership of the Tor State File to debian-tor.

    sudo chown debian-tor: -R /var/lib/tor

  10. In sys-whonix, verify Tor State file is owned by debian-tor.

    sudo ls -l /var/lib/tor

  11. In sys-whonix, start Tor.

    sudo systemctl start tor@default

  12. In sys-whonix, verify Tor is functioning properly.

    whonixcheck -v

1 Like
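An added check script, not from the post or the Whonix wiki, that automates the verification points of this procedure: step 3 (the receiving /var/lib/tor is empty before the copy) and steps 6 and 8 (after the move, the six files the post lists are present and owned by debian-tor). The directory and expected owner are parameters so it can be tried against a scratch directory; it assumes POSIX sh plus `find`, `id` and `ls -A`.

```shell
#!/bin/sh
# Added example (not the forum post's own commands): sanity checks for a
# migrated Tor state directory. Run inside the receiving sys-whonix.
# Defaults assume Debian's tor package (owner debian-tor, /var/lib/tor).

# Files the post lists in step 6 as present in a copied Tor state directory.
TOR_STATE_FILES="cached-certs cached-microdesc-consensus cached-microdescs cached-microdescs.new lock state"

# tor_state_dir_empty DIR
# Step 3: DIR exists and has no entries (ls -A also shows dotfiles).
tor_state_dir_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# tor_state_missing DIR
# Step 6: prints each expected file absent from DIR; returns 1 if any is.
tor_state_missing() {
    dir=$1; rc=0
    for f in $TOR_STATE_FILES; do
        if [ ! -e "$dir/$f" ]; then
            printf 'missing: %s/%s\n' "$dir" "$f"
            rc=1
        fi
    done
    return $rc
}

# tor_state_wrong_owner DIR [OWNER]
# Step 8: prints every entry under DIR not owned by OWNER (default
# debian-tor); returns 1 if any exists, 2 if OWNER is not a known user
# (otherwise `find ! -user` would print nothing and look like a pass).
tor_state_wrong_owner() {
    dir=$1; owner=${2:-debian-tor}
    if ! id -u "$owner" >/dev/null 2>&1; then
        printf 'no such user: %s\n' "$owner"
        return 2
    fi
    bad=$(find "$dir" ! -user "$owner")
    if [ -n "$bad" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$bad"
        return 1
    fi
    return 0
}

# tor_state_check DIR [OWNER]
# Both post-copy checks; 0 means it is safe to start tor@default (step 11).
tor_state_check() {
    tor_state_missing "$1" && tor_state_wrong_owner "$1" "$2"
}

# Usage on the real directory (root needed to read it):
#   sudo sh -c '. ./tor_state_check.sh; tor_state_check /var/lib/tor'
```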

Excellent work 0brand and great idea to add to the wiki!

Then your blog post only needs to refer to the wiki link. i.e. something like →

Step X: Copy the Whonix 13 Tor state to the secondary sys-whonix

Users are recommended to copy their Whonix 13 Tor state to the secondary (Whonix 14) sys-whonix to maintain the same Tor entry guard and defend against tracking attempts by advanced adversaries.

Follow the instructions at the following link:

whonix.org/wiki/XXXXXX

Note:

  • Steps 1 & 2 have same commands.
  • The rest of it looks logical to me, but I haven’t tested it.

Does it work okay for you?

These instructions can live under the Advanced Topics section of the Tor chapter with an appropriate title.

I moved a few things around to group sys-whonix commands together after this guide was copied to this thread. Didn’t realize step 2 was a repeat of step 1. Fixed!

Thanks for pointing that out!

Yes, tested:

sys-whonix-13 → sys-whonix-13
sys-whonix-14 → sys-whonix-14
sys-whonix-13 → sys-whonix-14 and vice versa

The first round of testing I kept getting errors and Tor wouldn’t start. After about an hour and a half I realized my mistake. I went back and ran sudo chown debian-tor: -R /var/lib/tor in all sys-whonix VMs and Tor functioned properly. :smile:

I should have this guide completed later today and the testers blog updated.

Or should I wait until this wiki entry is approved by Patrick before adding this step to testers blog?

I will add (Step X: Copy the Whonix 13 Tor state to the secondary sys-whonix) to the blog post with a note stating instructions will be added shortly to the wiki?

1 Like

Chapter “Copy Tor State File to Fresh sys-whonix VM” added to wiki/Tor.

https://whonix.org/wiki/w/index.php?title=Tor&oldid=33071&diff=cur

Not sure if I like chapter title. I saw this terminology used under the “Rotation of Entry Guards” chapter and I tried to copy the language.

On occasion, users may be tempted to create a new Whonix-Gateway (Qubes-Whonix: sys-whonix) because:

  • One of the fallback primary entry guards.
  • A configured bridge.
  • Possibly combine tunnels with Tor.
  • Creating a fresh Whonix-Gateway (sys-whonix), and copying across the Tor state file.

Also, in the instructions, what would be the correct terminology to use - Tor state, Tor state file(s), Tor state folder? It seems different terminology should be used depending on the context of the instructions.

If any changes are necessary please let me know.

Almost forgot, Qubes-Whonix 14 Testers blog instructions have been updated.

1 Like

Very good!

torjunkie:

sandbox: Failed to find Adwaita gtk-2.0 theme.

Since this theme is probably installed in standard Tor Browser (the running Sandboxed Tor Browser instance does look a little different), perhaps we should recommend users install it, as it may otherwise pose a fingerprinting vector(?).

Guess:
Good to have it installed (from Debian package sources), if available.

Should:
Not matter.

Real answer:
Only Tor Browser developers are capable of answering that.

1 Like

Excellent work 0brand - I think I can happily retire now :smile:

I edited your stuff, plus the rest of the Tor chapter, which had various entries (not yours) that were irritating me for language/expression.

I was thinking the exact same thing. I’m not sure. I gather “Tor state” is the generic expression, but I left it mostly as is.

Thanks again, that is very useful to have extra steps in there.

OK - will add a step there when I get a chance.

Reminder to self: also fix AppArmor parameter for Qubes-Whonix.

2 Likes

The Tor chapter looks awesome! Thanks for the help!

Reminder to myself: fix AppArmor parameters before torjunkie gets to it. :smile:

Sorry about that. I was a little side tracked with the Tor wiki chapter.

That will be completed and ready for your review later on today.

2 Likes

Done!

https://whonix.org/w/index.php?title=Template:Qubes_AppArmor&oldid=33430&diff=cur

Changed the AppArmor qvm-prefs option from ‘-l’ to ‘-g’. I didn’t see the need to change the ‘-s’ option for R4 since it is ignored.

Language changes were necessary in the introduction IMO. It was very hard to understand. Plus minor language changes in the instructions.

I’m sure the template could use further changes/polishing. Let me know if I can help!

Off topic:

Just saw this post by Patrick. Should the new chapter in wiki/Tor that was just created use this command to stop Tor? This command works in Whonix 13 ( just tested it ). Maybe wait for his guidance when he reviews the new chapter?

1 Like

Use /lib/systemd/system/tor@service.d instead
https://phabricator.whonix.org/T785

1 Like

Noticed sys-whonix-A and sys-whonix-B in “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swapped. No need to look who made the mistake. It was me of course :blush:

I will fix later on today along with using /lib/systemd/system/tor@service.d , as per Patrick.

1 Like

0brand:

Noticed sys-whonix-A and sys-whonix-B in “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swapped. No need to look who made the mistake. It was me of course :blush:

I will fix later on today along with using /lib/systemd/system/tor@service.d , as per Patrick.

It’s a research ticket. It’s not yet clear we want that. Needs testing / figuring out. If it works, then all ok.

1 Like

OnionShare in Qubes-Whonix 14

@Patrick - please point out the faults in this method below if it is unsafe or not canonical.

Building OnionShare from Source

Whonix recommends against APT pinning because it has previously broken functionality. For example, on one occasion templates thought they were not connected to Whonix Gateway; see Dev/APT Pinning - Kicksecure.

Therefore, this procedure builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux

To install OnionShare in Whonix 14:

1. Create an anon-onionshare AppVM based on the whonix-ws (14) template.

2. Open a terminal and navigate to the persistent home directory; this avoids polluting the TemplateVM upon which it is based.

cd /home/user

3. Install git which is not available by default in the AppVM.

sudo apt-get install git

4. Clone the OnionShare directory.

git clone https://github.com/onionshare/onionshare

5. Change into the OnionShare directory.

cd onionshare

6. Retrieve Micah Lee’s PGP key using the long key ID.

Note: This key ID is taken from www.micahflee.com

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73

7. Examine the available git tags, and verify the latest version and its commit (v1.3 at the time of writing). Good signature messages should appear for each verify command below.

git tag

git verify-tag v1.3

git verify-commit v1.3^{commit}

8. Install OnionShare dependencies.

Warning: Do not proceed unless signatures were good for the two git verification steps.

The user must install the following dependencies.

sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy

9. Extend the onion-grater whitelist on sys-whonix (14).

Steps 9-10 are sourced from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare

In sys-whonix (14), open Konsole and create the following directory.

sudo mkdir -p /usr/local/etc/onion-grater-merger.d/

Symlink the onion-grater profile to the onion-grater settings folder.

sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/

Restart onion-grater.

sudo service onion-grater restart

10. Modify the anon-onionshare user firewall settings and reload them.

In Konsole, first make sure the folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Create the necessary user.conf file.

sudo nano /etc/whonix_firewall.d/50_user.conf

Add ports that are required by OnionShare.

EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "

Save and exit.

11. Start the OnionShare GUI in anon-onionshare.

./dev_scripts/onionshare-gui

12. Select the settings button/icon (cog symbol) in the OnionShare GUI.

Under “How should OnionShare connect to Tor?” select “Connect using socket file”, and set the socket file to /var/run/tor/control.

Under “Tor authentication options” select “No authentication, or cookie authentication”.

13. Test the OnionShare settings.

Click the “Test Settings” button. If all steps were completed correctly, Tor will successfully connect.

The GUI should say it supports both ephemeral onion services and stealth onion services.

Check “Create stealth onion services” to make OnionShare operations more secure.

Actual Test

After doing all these steps above, it worked! :smiley: :tada:

I was able to share a dummy file with one sentence of text in it, that was made available at a random onion address.

The same instructions can be used for non-Qubes-Whonix, except each instance of sys-whonix and anon-onionshare is substituted with Whonix-Gateway and Whonix-Workstation instead.

Conclusion

OnionShare, a piece of cake in Whonix :wink:

AppArmor Consideration

@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?

Improve AppArmor profiles and enforce them. · onionshare/onionshare@6cceac3 · GitHub

2 Likes

Tor wiki chapter “Copy the Tor State File to Another sys-whonix Instance”

Mistakes fixed

https://whonix.org/w/index.php?title=Tor&oldid=33454&diff=cur


TODO

  1. Anything that takes priority as per Patrick, torjunkie

  2. Whonix 14 Call for testers blog post. Update as needed

  3. Whonix ™ Protection against Real World Attacks

    • think of a more catchy page name
    • also more catchy og:description

  4. TimeSync: Whonix ™ Time Synchronization Mechanism

    • Come up with a new name for the attack as per: Long Wiki Edits Thread - #494 by Patrick

      This is all I have so far. :grimacing: Could use some ideas.

      • domU clock skew correlation through domX compromise
      • clock skew correlation through sister domain compromise

  5. System Hardening Checklist

    • add instructions to change repos back to using http://URI (clearnet) servers.
    • good to have if .onions go down again. Also for users with slow connections who can’t update system etc.

  6. Fix broken link user reported in Multiple Tor Browsers safe setup in Whonix - #3 by clockworld

  7. Add Qubes specific install instructions for “Using Tor Browser without Tor” chapter

2 Likes

torjunkie:

OnionShare in Whonix 14

@Patrick - please point out the faults in this method below if it is unsafe or not canonical.

Building OnionShare from Source

Whonix recommends against APT pinning because it has previously broken functionality.

No. I wouldn’t go so far. Pinning is fine. Just needs to be done right. Not using generic codenames (stable, testing). Using specific codenames (jessie, stretch, buster).

For example, on one occasion, templates thought they were not connected to Whonix Gateway; see Dev/APT Pinning - Kicksecure.

Unrelated to apt pinning.

Therefore, this test builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux

To install OnionShare in Whonix 14:

1. Create an anon-onionshare AppVM based on the whonix-ws (14) template.

Ok, it’s user choice (optional) but good practice.

2. Open a terminal and switch to the persistent directory; this avoids polluting the TemplateVM upon which it is based.

cd /home/user

3. Install git which is not available by default in the AppVM.

sudo apt-get install git

4. Clone the OnionShare directory.

git clone https://github.com/onionshare/onionshare

5. Change into the OnionShare directory.

cd onionshare

6. Receive Micah Lee’s PGP key using the long-ID key version.

Note: This key ID is taken from www.micahflee.com

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73

7. Examine the git tags available, and verify the latest version and its commit (v1.3 at the time of writing). Good signature messages should appear for the second and third steps.

git tag

git verify-tag v1.3

git verify-commit v1.3^{commit}

8. Install OnionShare dependencies.

Warning: Do not proceed unless signatures were good for the two git verification steps.

The user must install the following dependencies, except Tor, which is already installed by Whonix.

sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy

9. Extend the onion-grater whitelist on whonix-gw (14).

Follow the directions from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare

Ok.

That is, first create a new directory via Konsole in whonix-gw.

Can be done in sys-whonix. (Covered by bind-dirs.) (Maybe onion-grater add wiki template needs improvement?)

Doing in whonix-gw TemplateVM is okay too but then it applies for all Whonix-Gateway ProxyVMs based on sys-whonix. Probably not needed.

sudo mkdir -p /usr/local/etc/onion-grater-merger.d/

Symlink the onion-grater profile to the onion-grater settings folder.

sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/

Please use the existing wiki template,

Restart onion-grater.

sudo service onion-grater restart

10. Modify the Whonix-Workstation User Firewall Settings and reload them.

In Konsole in whonix-ws (copying instructions from the link above), first make sure the folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Create the necessary user conf file.

sudo nano /etc/whonix_firewall.d/50_user.conf

Add ports that are required by OnionShare.

EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "

Save and exit.

11. Start the OnionShare GUI in whonix-ws.

./dev_scripts/onionshare-gui

12. Select the settings button/icon (cog symbol) in the OnionShare GUI.

Under “How should OnionShare connect to Tor?” choose “Connect using socket file”, and set the socket file to /var/run/tor/control.

Under “Tor authentication options” choose “No authentication, or cookie authentication”.

13. Test the OnionShare settings.

Click the “Test Settings” button. If all has gone well, you should see a successful connection to Tor.

The GUI should say it supports both ephemeral onion services and stealth onion services.

Check “Create stealth onion services” if you want to make OnionShare more secure.

Actual Test

Well I did all these steps above, and it worked! :smiley: :tada:

Good.

I was able to share a dummy file with one sentence of text in it, that went to a random onion address.

Note

I skipped this step below, because OnionShare works anyway. It is unclear why it isn’t needed in Whonix i.e. allowing OnionShare to connect to the system Tor socket file explicitly, but perhaps the GUI step is sufficient:

Package anon-ws-disable-stacked-tor makes it appear as if Tor is running in Whonix-Workstation, “Tor emulation”. Even though Tor is not running there. And forwards to Whonix-Gateway. ( Need of update: anon-ws-disable-stacked-tor )

Connecting to Tor · onionshare/onionshare Wiki · GitHub

sudo usermod -a -G debian-tor username

Should be also done already by anon-ws-disable-stacked-tor.

But, who gives a shit if it works.

Conclusion

OnionShare, a piece of cake in Whonix :wink:

AppArmor Consideration

@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?

Improve AppArmor profiles and enforce them. · onionshare/onionshare@6cceac3 · GitHub

Doesn’t onionshare ship a profile by its own already?

1 Like

Some nitpicks…

Maybe change to sys-whonix-old / sys-whonix-new. Better than a and b. Always clearer.

sys-whonix-new: after stopping Tor, also delete Tor state folder.

Why: imagine sys-whonix-new has a Tor state file that sys-whonix-old did not have. In that case it would not be a clean migration of the same. It would have an extraneous file.

Is sudo su required? Would sudo work?

sudo ls -l /var/lib/tor - not useful to run before fixing permissions using chown. After using chown usually we shouldn’t need to check. I think we can trust chown if no errors were shown. sudo ls -l /var/lib/tor is only useful for debugging. (Perhaps keep as footnote.)

whonixcheck -v: the -v shouldn’t be encouraged for most users. It’s non-verbose by default to keep the generated confusion from any whonixcheck output low. Please mention [[whonixcheck]] (where -v could be documented).

2 Likes