authenticated onion service not working using old or new methods

I found this thread that seemed to be a similar issue: http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/issues-with-onion-service-authentication/12205

It seems that entering the private keys via the browser in Whonix does not work? I would be happy to get the authorization working either way.

I recently upgraded to Qubes 4.1; after doing so, the Whonix gateway I was using for authenticated access would no longer boot. So I decided to start from scratch. After failing with the manual setup, I found out the setup now has automated scripts described here: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Onion_Services#Onion_Service_Authentication_Client_Setup

The scripts are:

for the client: anon-server-to-client-install
for the host: anon-auth-autogen

However, using the scripts also failed to work for me. Instead of getting the pop-up box asking for a private key, it just gives me “Unable to Connect”.

In my old manual setup I had to edit /usr/local/etc/torrc.d/50_user.conf to add:

 ClientAuthDir /var/lib/tor/authdir

The current docs make reference to this file:

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

But there is nothing in the instructions about editing that file. So I tried adding the ClientAuthDir above. Then the browser gives me a different message “The Connection Was Reset” (instead of “Unable to Connect”).

It seems the docs for the client setup are incorrect. And I’m unable to get an authenticated connection via Tor Browser.

Getting authenticated Tor onion services to work outside of Whonix first might be helpful. (Generic Bug Reproduction) That might give insights on what’s wrong with the automation scripts, if anything.

That never worked.

It’s already here:

This might help:

I do have it working. In fact, I restored my backup of the old Whonix gateway I was using to connect in Qubes 4.0.4 and I have it working again in Qubes Whonix (Qubes 4.1). [After testing stuff below this is no longer true. But was using it successfully for a day or so.]

OK, good to know, I’ve never used it either, but seemed potentially easier.

Should the reference to 50_user.conf be removed from here then:

Since that is no longer used here?

Here are my attempts to test the automated scripts again, but in the end I just broke everything somehow.

On the new gateway, anon-server-to-client-install ended with “Success”. When I use this as my gateway I still get the pop-up in my browser asking for an authentication key.

So I compared my old working gateway to the new one.

old gw has /usr/local/etc/torrc.d/50_user.conf
new gw has /usr/local/etc/torrc.d/43_clientonionauthdir.conf

both set the ClientOnionAuthDir

As you pointed out, new gw also has this in /etc/torrc.d/65_gateway.conf

All that seems equivalent.

Then I confirmed the *.auth_private files on each qube. The difference was that the old one had “.onion” at the end of the onion address. The new autogenerated key file did not have that.

I tried adding “.onion” to the file on the new gw to match the old one. Then I restarted tor on the new gw. But nothing changed, I still get the prompt for an authentication key in Tor Browser. I can’t figure out what the difference is that could be causing this.

However, then I restarted tor on the gateway to the server where the new public key was added. This led the authenticated connection to give an “Unable to Connect” response in Tor browser. Whereas another connection from an unauthenticated machine will bring up the popup asking for the authentication key.

I tried restoring gateways from backups again and am still getting “Unable to Connect” (when I was able to connect before starting this post). Unauthenticated connections will reach the site and prompt for authentication key still. Either way I cannot access the site anymore and am confused why my old working gateway stopped working when I did not alter it.

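A way to rule out a malformed key file when comparing two gateways as in the post above, as an added example that is not part of the thread or of Whonix's scripts. It checks one `.auth_private` file against the format Tor documents for v3 client authorization, including the address checksum; the function names are hypothetical and the sample address and key are constructed.

```python
import base64
import hashlib
import re

# Format documented by Tor for a v3 client key file (one line):
#   <56-char-onion-addr-without-.onion-part>:descriptor:x25519:<base32 private key>

def onion_address(pubkey):
    """Encode a 32-byte service key as a v3 address, without '.onion'."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()

def check_auth_private(filename, content):
    """Return a list of problems; an empty list means the file is well-formed."""
    problems = []
    if not filename.endswith(".auth_private"):
        problems.append("file name must end in .auth_private")
    lines = [l for l in content.splitlines() if l.strip()]
    if len(lines) != 1:
        return problems + ["expected exactly one non-empty line"]
    fields = lines[0].strip().split(":")
    if len(fields) != 4:
        return problems + ["expected 4 colon-separated fields"]
    addr, kind, keytype, key = fields
    if addr.endswith(".onion"):
        problems.append("address field includes the .onion suffix")
        addr = addr[: -len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", addr):
        problems.append("address is not 56 lowercase base32 characters")
    elif onion_address(base64.b32decode(addr.upper())[:32]) != addr:
        # Recomputing the address from its key bytes catches copy/paste typos
        problems.append("address fails the v3 version/checksum test")
    if kind != "descriptor" or keytype != "x25519":
        problems.append("fields 2 and 3 must be 'descriptor' and 'x25519'")
    if not re.fullmatch(r"[A-Za-z2-7]{52}", key):
        problems.append("key is not 52 base32 characters (no '=' padding)")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not a real service or key
    addr = onion_address(bytes(range(32)))
    key = "A" * 52
    for text in (f"{addr}:descriptor:x25519:{key}",
                 f"{addr}.onion:descriptor:x25519:{key}"):
        print(check_auth_private("client.auth_private", text) or "ok")
```

The key files in the ClientOnionAuthDir are secrets, so run a check like this on the gateway itself rather than copying the files elsewhere.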

Yes. Done.

Good to know. May try that some time.

I just got my authentication working again. What worked was restoring the gateway for the server from a backup. Creating a new gateway for the client by cloning sys-whonix-16. Copying authentication file from old client gateway to this new client gateway. Reloading tor on the gateway.

I never got it to work using the automated scripts.

I spent many hours just getting the above to work, with inconsistent results. The one thought I had was that I was not waiting long enough for changes to take place before testing? As a result I was not able to find any problems with the automated scripts or why they were not working for me. At this point I need to just keep the working setup I have. And if no one else has had problems with the scripts it may have just been user error in how I was testing.

Possibly. → Onion Services Reliability Issues

There are two options to set up Onion Service Client Authentication. Choose either option A) or B).

Hi Patrick, I was playing around with the advertised options to enable Onion Service Client Authentication. The “sudo anon-server-to-client-install 1.auth_private” produced errors. But it worked when one was just “sudo onion-grater-add 40_onion_authentication” and then dropping the respective private key files into “/var/lib/tor/authdir”.

What error message?

Did 1.auth_private exist in your working folder?