Problem Starting Onion Service on Whonix-gw

Qubes 4.0rc4
I have a StandaloneVM that is a clone of whonix-gw
Tor version 0.3.2.9
Linux host 4.14.13-3.pvops.qubes.x86_64

I follow the instructions here:

but running

sudo cat /var/lib/tor/hidden_service/hostname

returns “No such file or directory”

I’ve set up hidden services on Whonix before and I believe this was very straightforward. This is my first time attempting it in Qubes. Any suggestions appreciated.

Hi mimp

Can you post the output of these 3 commands in sys-whonix standalone konsole.

sudo service tor@default reload
sudo service tor@default status
sudo -u debian-tor tor --verify-config


I am trying to do this in a StandaloneVM that is a clone of whonix-gw and connected to sys-firewall. The output of these commands in the StandaloneVM appears to be the same as in sys-whonix:

sys-whonix

tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static)
Drop-In: /lib/systemd/system/tor@default.service.d
└─30_qubes.conf, 40_qubes.conf
Active: active (running) since Sun 2018-02-04 22:25:36 UTC; 4 days ago
Process: 747 ExecReload=/bin/kill -HUP ${MAINPID} (code=exited, status=0/SUCCESS)
Process: 879 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
Process: 855 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
Main PID: 910 (tor)
CGroup: /system.slice/system-tor.slice/tor@default.service
└─910 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9182’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9183’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9184’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9185’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9186’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9187’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9188’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9189’ for SocksPort. This allows everybody… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:5300’ for DNSPort. This allows everybody o… wanted.
Feb 09 16:11:47 host Tor[910]: You configured a non-loopback address ‘10.137.0.8:9040’ for TransPort. This allows everybody… wanted.
Hint: Some lines were ellipsized, use -l to show in full.
user@host:~$ sudo -u debian-tor tor --verify-config
Feb 09 16:12:15.456 [notice] Tor 0.3.2.9 (git-64a719dd25a21acb) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1t, Zlib 1.2.8, Liblzma 5.1.0alpha, and Libzstd N/A.
Feb 09 16:12:15.456 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Feb 09 16:12:15.456 [notice] Read configuration file “/etc/tor/torrc”.
Configuration was valid

StandaloneVM set up to run onion service v3:

user@host:~$ sudo service tor@default status
● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static)
Drop-In: /lib/systemd/system/tor@default.service.d
└─30_qubes.conf, 40_qubes.conf
Active: active (running) since Fri 2018-02-09 16:14:41 UTC; 2min 45s ago
Process: 2765 ExecReload=/bin/kill -HUP ${MAINPID} (code=exited, status=0/SUCCESS)
Process: 857 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
Process: 836 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
Main PID: 960 (tor)
CGroup: /system.slice/system-tor.slice/tor@default.service
└─960 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-…

Feb 09 16:14:51 host Tor[960]: You configured a non-loopback addr…
Feb 09 16:14:51 host Tor[960]: You configured a non-loopback addr…
Feb 09 16:14:51 host Tor[960]: You configured a non-loopback addr…
Feb 09 16:14:51 host Tor[960]: You configured a non-loopback addr…
Feb 09 16:14:51 host Tor[960]: You configured a non-loopback addr…
Feb 09 16:14:51 host Tor[960]: You configured a non-loopback addr…
Feb 09 16:14:51 host Tor[960]: You configured a non-loopback addr…
Feb 09 16:14:51 host Tor[960]: New control connection opened from…
Feb 09 16:14:52 host Tor[960]: New control connection opened from…
Feb 09 16:14:52 host Tor[960]: New control connection opened from…
Hint: Some lines were ellipsized, use -l to show in full.
user@host:~$ sudo -u debian-tor tor --verify-config
Feb 09 16:17:30.175 [notice] Tor 0.3.2.9 (git-64a719dd25a21acb) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1t, Zlib 1.2.8, Liblzma 5.1.0alpha, and Libzstd N/A.
Feb 09 16:17:30.175 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Feb 09 16:17:30.175 [notice] Read configuration file “/etc/tor/torrc”.
Configuration was valid

Hi mimp

I configured a StandaloneVM (whonix-gw) for a v3 hidden service but was unable to reproduce your results. Could you have mistyped /var/lib/tor/hidden_service/ in your torrc? Could you please post your torrc, but make sure to redact any sensitive info.
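A quick sanity check for the mistyped-path case suggested above, added here as an example that is not part of the thread and not Whonix's own tooling: it pulls every HiddenServiceDir out of a torrc, flags any value that is not under /var/lib/tor (Tor's DataDirectory on Debian-based systems, which is where Tor will actually create the service directory and its hostname file), and separately reports whether a given directory exists and already holds a hostname file. The torrc contents and paths in the demo are constructed; the function names (hs_dirs, check_hs_dirs, check_hs_dir_on_disk, write_sample_torrc) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Whonix): sanity-check the
# HiddenServiceDir directive in a torrc before hunting for the hostname file.
# A path such as /var/log/tor/... instead of /var/lib/tor/... still passes
# `tor --verify-config`, so the mistake only shows up as a missing hostname.

# Print every HiddenServiceDir value in the given torrc, skipping comment lines.
hs_dirs() {
    sed -n 's/^[[:space:]]*HiddenServiceDir[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1"
}

# Return 0 when every HiddenServiceDir lives under /var/lib/tor, 1 otherwise
# (also 1 when the torrc has no HiddenServiceDir at all).
check_hs_dirs() {
    torrc=$1
    status=0
    found=0
    for d in $(hs_dirs "$torrc"); do
        found=1
        case "$d" in
            /var/lib/tor/*) echo "ok: $d" ;;
            *) echo "suspicious: $d is outside /var/lib/tor (typo?)" >&2; status=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no HiddenServiceDir directive in $torrc" >&2
        return 1
    fi
    return "$status"
}

# Return 0 when DIR exists and already contains a hostname file, 1 otherwise.
# Tor creates the directory and the hostname file only after it has been
# (re)started or reloaded with the corrected configuration.
check_hs_dir_on_disk() {
    d=$1
    if [ ! -d "$d" ]; then
        echo "missing: $d does not exist (tor not reloaded, or wrong path)" >&2
        return 1
    fi
    if [ ! -f "$d/hostname" ]; then
        echo "pending: $d exists but has no hostname file yet" >&2
        return 1
    fi
    echo "hostname present in $d"
    return 0
}

# Write a constructed minimal torrc whose HiddenServiceDir is DIR (demo input only).
write_sample_torrc() {
    cat > "$1" <<EOF
# constructed sample torrc for the demo
HiddenServiceDir $2
HiddenServicePort 80 127.0.0.1:80
HiddenServiceVersion 3
EOF
}

# Demo: the mistyped path is flagged, the correct one passes.
demo() {
    tmp=$(mktemp)
    write_sample_torrc "$tmp" /var/log/tor/hidden_service/
    check_hs_dirs "$tmp" || echo "-> fix the path, then: sudo service tor@default reload"
    write_sample_torrc "$tmp" /var/lib/tor/hidden_service/
    check_hs_dirs "$tmp"
    rm -f "$tmp"
}
demo
```

On a real gateway you would run `check_hs_dirs /etc/tor/torrc` (or the relevant file under /usr/local/etc/torrc.d/ on newer Whonix) and then `check_hs_dir_on_disk` on each directory it prints; the on-disk check reads the directory as the invoking user, so run it with sudo since Tor keeps the service directory private to debian-tor.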

0brand,

Thanks so much for trying that for me. You are correct. I had “/var/log/tor” instead of “/var/lib/tor” so it kept reading correctly in my head. I changed it and now I'm getting a v3 address in /var/lib/tor/hidden_service/hostname

Solved!

Now I’ve just got to figure out the firewall. For Qubes the wiki says to do:

sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

But it isn’t clear to me if that is in the ws or the gw. I’m somewhat familiar with iptables, but if someone can explain why that command is necessary that would be helpful.

Thanks.

Hi mimp

sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

But it isn’t clear to me if that is in the ws or the gw.

This is done in Whonix-Workstation (if you look just prior to step 1: Install Server Software)

if someone can explain why that command is necessary that would be helpful.

If you need an exception for a specific application you installed.
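To make the "why" of that iptables command concrete, here is an added example (not from the thread and not Whonix's own firewall code) that checks an `iptables-save` style dump of the INPUT chain: Whonix-Workstation rejects unsolicited inbound connections, so a rule accepting NEW TCP connections to port 80 only works if it sits above the chain's terminating REJECT/DROP. That is what `-I INPUT 5` (insert at position 5) achieves, whereas `-A INPUT` would append the rule after the reject, where it never matches. Both dumps below are constructed, not captured from a real Workstation, and the function names (input_rules, input_rule_pos, check_port80_reachable) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Whonix): verify, from an
# `iptables-save` style dump, that the ACCEPT for inbound TCP/80 sits in the
# INPUT chain before the chain's terminating DROP/REJECT rule.

# Constructed dump: the rule inserted ahead of the final REJECT, as `-I INPUT N` does.
RULES_INSERTED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed dump: the same rule appended after the REJECT, as `-A INPUT` does.
RULES_APPENDED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# input_rules DUMP: print only the INPUT chain rules, in evaluation order.
input_rules() {
    printf '%s\n' "$1" | grep '^-A INPUT '
}

# input_rule_pos DUMP PATTERN: 1-based position of the first INPUT rule
# matching the extended regex PATTERN; prints nothing if there is no match.
input_rule_pos() {
    input_rules "$1" | grep -n -E -- "$2" | head -n 1 | cut -d: -f1
}

# check_port80_reachable DUMP: 0 if NEW TCP/80 is accepted before any
# terminating DROP/REJECT in INPUT, 1 if the ACCEPT is missing or shadowed.
check_port80_reachable() {
    dump=$1
    accept=$(input_rule_pos "$dump" '--dport 80 .*--ctstate NEW -j ACCEPT')
    reject=$(input_rule_pos "$dump" '-j (DROP|REJECT)')
    if [ -z "$accept" ]; then
        echo "no ACCEPT for NEW TCP/80 in INPUT" >&2
        return 1
    fi
    if [ -z "$reject" ] || [ "$accept" -lt "$reject" ]; then
        echo "ok: TCP/80 ACCEPT at INPUT position $accept, reject at position ${reject:-none}"
        return 0
    fi
    echo "shadowed: ACCEPT at position $accept comes after REJECT/DROP at position $reject" >&2
    return 1
}

# Demo on both constructed dumps; the appended variant is reported as shadowed.
check_port80_reachable "$RULES_INSERTED"
check_port80_reachable "$RULES_APPENDED" || true
```

On the Workstation itself the dump comes from `sudo iptables-save`, so `check_port80_reachable "$(sudo iptables-save)"` answers the question directly; the exact position number that keeps the rule ahead of the reject depends on how many rules the Whonix firewall has already placed in INPUT, which is why the wiki command names a position rather than appending.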