Attempt at Physical GW failed: no connectivity

claudi8b6 · March 16, 2016, 1:10pm

entr0py,
I’m looking for a secure yet as close as possible to an out of the box solution, I can’t spend a year studying security.
I found two projects which could satisfy my requirements: “Onion Pi”, and “Safeplug”, for the Raspberry Pi. I’ll try to set it up on a PC running Debian. Will it be secure though?

EDIT: I tried to debug the Gateway some more and looks like the NIC for eth1 was causing the troubles. I replaced it and now the new NIC appears as eth2 in ifconfig though. Anyway looks like it’s working…

entr0py · March 16, 2016, 5:44pm

Just glanced at the tutorials you linked. They list the bare minimum steps required to get client traffic over Tor so I wouldn’t expect them to be as secure as Whonix. I don’t know all of Gateway’s customizations to vanilla Debian but off the top of my head here are some reasons those DIY projects are less secure than Gateway:

uses DHCP
no stream isolation
looser iptables rules
no clock defenses

Qubes TorVM is probably the best candidate to use for comparison in this chart (minus the Qubes OS specific stuff): Anonymity Operating System Comparison - Whonix ™ vs Tails vs Tor Browser Bundle. Some additional reasons from there:

tor-gateway not torrified
no prevention of tor-over-tor
no apparmor

Good to hear! You can grep all the eth1’s to eth2 or fiddle with udev rules to assign eth2 back to eth1.

claudi8b6 · March 16, 2016, 8:22pm

I can’t do without a physical gateway since the OS I’d like to torify fails to start in Qubes (I tried, assumed it’s due to no VT-d).

[quote=“entr0py, post:22, topic:2221”]
Good to hear! You can grep all the eth1’s to eth2 or fiddle with udev rules to assign eth2 back to eth1.
[/quote]GW is working, but WS isn’t, which might be due to the change in ethernet name. In GW ifconfig doesn’t show anything to indicate the eth2 is connected to anything…
What should I grep? I tried dmesg | eth1 but it provides with nothing of value.

entr0py · March 16, 2016, 9:50pm

VT-d is not an absolute requirement for any OS. VT-x is required for HVM’s, like Windows. System requirements | Qubes OS

eth0 is auto-configured. The Internal Network adapter (here eth2) must be manually configured.

see:

The scripts are well-commented. Read them and change what makes sense. To be honest, best idea might be to re-build the whole thing now that your adapters are working.

I know this isn’t what you want to hear but from my first post in this thread:

Physical Isolation at this point is really a DIY / experimental project and Free Support for Whonix ™ surely applies. Snowden, the noob, used Tails so you could do worse than going with one of the other Whonix platforms.

If you are willing to invest time & energy to make Physical GW work, you might want to take a step back and read a bit about linux networking in general. Debian wiki & doc is a great resource:
https://wiki.debian.org/NetworkConfiguration
https://wiki.debian.org/WiFi/HowToUse

Good luck!

PS: Rebuild one-more time paying very very special attention to the networking verfication step I linked. If your cards are lined up properly, it all might work without touching a thing.

claudi8b6 · March 17, 2016, 8:39pm

Hi entr0py,
before I reinstall the GW, do I have to make sure the NIC going to the router is called eth0? Currently it’s named eth1.

Patrick · March 17, 2016, 9:17pm

Yes. You save a lot trouble by sticking to the defaults.

claudi8b6 · March 17, 2016, 10:57pm

Gotcha.
Any idea why neare the end of the build script I get all sort of messges such as:
EXT4-fs unable to read superblock
FAT-fs bogus number of FAT structure
ntfs: read_ntfs_boot_sector primary boot sector is invalid
qnx4 no qnx4 filesystem no root dir