I reinstalled gateway and workstation and I followed again the wiki page for bisq to be sure that I did not make any mistake during the installation. I can confirm the issues I reported for version 1.6.4.
Please check the wiki text:
Verify the fingerprint. It should show.
Key fingerprint = 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
The most important check is confirming the key fingerprint exactly matches the output below
It looks like fingerprint is not right in wiki. Iāve checked from different locations.
Hello,
i follow this guide installations:
Blockquote www. whonix. org/wiki/Bisq#cite_note-11
and after use that command to start it :
Blockquote /opt/bisq/bin/Bisq --torControlPort=9051 --torControlPassword=notrequired --socks5ProxyBtcAddress=127.0.0.1:9050 --useTorForBtc=true --daoActivated=false
have that error:
Blockquote Apr-17 19:26:57.336 [JavaFX Application Thread] WARN b.n.p.s.p.ProtectedStorageEntry: ProtectedStorageEntry::isSignatureValid() failed. ProtectedStorageEntry { Payload: Filter{ bannedOfferIds=,
Blockquote pr-17 19:42:35.995 [JavaFX Application Thread] WARN b.n.p.s.p.ProtectedStorageEntry: ProtectedStorageEntry::isSignatureValid() failed.
ProtectedStorageEntry {
Payload: Filter{
bannedOfferIds=,
As i see forum is not quite active
Tried to report it to upstream? Because whonix doesnt develop Bisq.
1 Like
Very likely not caused by Whonix. Such issues can usually only be resolved as per https://www.whonix.org/wiki/Free_Support_Principle.
1 Like
Hi, Iām trying to set up Bisq in a Qubes/Whonix environment.
I followed the guide in the Whonix wiki/Bisq; the Bisq client runs and outbound connections work fine.
However, I never get inbound connections to the hidden service set up by Bisq, so these must get blocked somehow.
In the Bisq log, there is an entry saying
Nov-10 20:28:43.328 [TorControlParser] DEBUG o.b.n.tor.Tor: hiddenService: HS_DESC RECEIVED [onion addr] NO_AUTH redacted redacted
so apparently, the hidden service is published, but canāt be reached. I tried to connect with Tor browser, which gives the error message āunable to connectā.
I did run onion-grater-add 40_bisq on sys-whonix
and added
EXTERNAL_OPEN_ALL=true to /usr/local/etc/whonix_firewall.d/50_user.conf
on the workstation qube (a standalone based on whonix-ws-16).
On sys-whonix:
user@host:~$ sudo whonix_firewall -i
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - OK: Loading Whonix firewallā¦
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - OK: Skipping firewall mode detection since already set to āfullā.
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - OK: (Full torified network access allowed.)
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: WORKSTATION_TRANSPARENT_TCP=1
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: WORKSTATION_TRANSPARENT_DNS=1
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: WORKSTATION_ALLOW_SOCKSIFIED=1
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: CONTROL_PORT_FILTER_PROXY_ENABLE=1
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: GATEWAY_ALLOW_INCOMING_DIR_PORT=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: GATEWAY_ALLOW_INCOMING_OR_PORT=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: DIR_PORT=80
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: OR_PORT=443
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: GATEWAY_TRANSPARENT_TCP=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: GATEWAY_TRANSPARENT_UDP=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: GATEWAY_TRANSPARENT_DNS=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: ALLOW_GATEWAY_ROOT_USER=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: ALLOW_GATEWAY_USER_USER=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: GATEWAY_ALLOW_INCOMING_SSH=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: GATEWAY_ALLOW_INCOMING_ICMP=0
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: Opening External TCP port(s): NONE
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: Opening External UDP port(s): NONE
2022-11-10 20:53:36 - /usr/bin/whonix-gateway-firewall - INFO: WORKSTATION_ALLOW_SOCKSIFIED=ā1ā, Socks Ports will be reacheable from the Workstation
2022-11-10 20:53:37 - /usr/bin/whonix-gateway-firewall - INFO: opening Internal TCP port(s): 9050 9100 9101 9102 9103 9104 9105 9106 9107 9108 9109 9110 9111 9114 9115 9117 9118 9122 9123 9124 9125 9150
2022-11-10 20:53:37 - /usr/bin/whonix-gateway-firewall - INFO: opening TCP port(s) 9152:9189 for user custom applications
2022-11-10 20:53:37 - /usr/bin/whonix-gateway-firewall - OK: Whonix firewall loaded.
And on the Whonix workstation qube:
user@host:~$ sudo whonix_firewall -i
2022-11-10 20:58:20 - /usr/bin/whonix-workstation-firewall - OK: Loading Whonix firewallā¦
2022-11-10 20:58:20 - /usr/bin/whonix-workstation-firewall - OK: Skipping firewall mode detection since already set to āfullā.
2022-11-10 20:58:20 - /usr/bin/whonix-workstation-firewall - OK: (Full torified network access allowed.)
2022-11-10 20:58:20 - /usr/bin/whonix-workstation-firewall - INFO: Opening External TCP port(s): NONE
2022-11-10 20:58:20 - /usr/bin/whonix-workstation-firewall - INFO: Opening External UDP port(s): NONE
2022-11-10 20:58:20 - /usr/bin/whonix-workstation-firewall - INFO: EXTERNAL_OPEN_ALL=ātrueā, all external ports will be opened
2022-11-10 20:58:20 - /usr/bin/whonix-workstation-firewall - OK: Qubes DNS firewall rules ok.
2022-11-10 20:58:21 - /usr/bin/whonix-workstation-firewall - OK: Whonix firewall loaded.
Any ideas what might be causing this? How could I troubleshoot the issue? Iām quite familiar with Linux and networking, but fairly new to Tor onion services and Qubes/Whonix.
By the way, if I set up an ordinary Debian 11 Qube (with sys-firewall as net qube) following the Bisq Wiki Running_Bisq_on_Qubes guide, everything works just fine ā but Iād rather use a Whonix ā¦
Maybe bisq changed something and now an onion-grater profile update is required? Developer documentation was recently revised. This might help with learning what itās about and how to debug it, see:
Thanks!
Do you have any pointers for troubleshooting? Any logs to check apart from the Bisq log? Possibly any logging that I could activate?
As I said, my understanding of onion services is very sketchy. Iām very willing to learn, but I did not find any detailed documentation on the torproject site (i.e., what happens exactly on the network level when an onion service āxyz-onion:9999ā (dash instead of period beause I ācanāt include linksā ā¦) is created/published on the server side and located/accessed from the client side).
Iām aware of the guide āhow to set up an onion serviceā but the Bisq/Whonix scenario is somewhat different. I understand that Bisq sends commands to āTor controlā on whonix-gw, which in turn announces the Bisqās onion service to the Tor network, but what is supposed to happen when a Tor client tries to access that onion service? I guess the client connects to whonix-gw from the outside (via Tor relays and finally sys-net on Qubes), but I donāt understand how whonix-gw relays the connection to whonix-ws (and Bisq running there). Any docs - preferably short of reading source code of various repositories 
- highly appreciated ā¦
Run onion-grater in debug mode.
@plasticpalmarvin did you find one solution to get tor inbound connections for bisq? I am using KVM/Whonix but I am facing the same problem of lack of tor inboud connections for bisq
Unfortunately, I could not get it to work, so eventually I gave up and Iām using now a standard Debian Qube for Bisq, which works fine. I definitely would have preferred a Whonix Qube ā¦
Patrickās suggestions concerning the onion-grater didnāt really address the issue - onion-grater is about controlling tor (in this case, permitting Bisq to publish its hidden service), not about accepting/denying in-/outbound connections to a hidden service that Bisq sets up on whonix-ws. I didnāt figure out how inbound connections are supposed to work in this scenario, so I didnāt have a good enough understanding to do meaningful troubleshooting. Any inbound connections (that terminate on whonix-gw) would have to be forwarded to Bisq on the whonix-workstation somehow.
I realize it is a whonix security feature to not have inbound connections (easily), but in this case, it kinda sucks ā¦ after all, Bisq doesnāt work properly if the hidden service it sets up cannot be reached.
For debug, youād need to learn how to run a non-bisq related onion service (such as a web server) as an onion service first as per:
Did you still use Whonix gateway?
Hi @Patrick , Iāve set up about 100 onion services, and that skills is not helpful to understand how to use Bisq with Whonix.
I continue to be unable to use Bisq on Whonix, despite Bisq being a supported program for Whonix. This is recent, and other users continue to have this issue also.
Itās possible that a recent Bisq update has made the old instructions incomplete or incorrect, and without any information on how to debug, itās a matter of reading raw packets. Not so easy. It would be much more helpful if you or another dev could answer @plasticpalmarvin, specifically when it comes to Whonix-specific things like onion-grater-add. The word ādebugā does not appear anywhere on the onion-grater-add man page so saying that he should run in debug mode is not very helpful. If you know how to run onion-grater-mode in debug mode, it would be very helpful to share that.
But it is not clear that debugging onion-grater-add would help. How would it? I think this only adds the config file, but does not tell you anything about the connectivity status to the downstream whonix workstation that has the onion service (Bisq) on it.
Also, the instructions on the Whonix wiki are poorly formatted, as in a CSS or HTML problem, and it makes it very difficult to read the instructions. How recently has the Whonix team tested Bisq and these instructions?
And it is not clear if onion-grater-add should be run on the gateway only once, or every time.
What I have a feeling is that 40_bisq.yml is not current, for newer versions of Bisq circa autumn 2022. I would like to help you debug this, but I am at the limit of what I am able to test without more input from you or another developer. Please tell me how I can help.
I hope thatās not neededā¦ And thereās a good chance itās not.
onion-grater-add probably does not need debugging. Itās a simple script, helper utility that works for other onion-grater profiles.
What would need debugging the bisq onion-grater profile.
- onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation - Whonix chapter Bisq in Whonix wiki
- onion-grater/usr/share/doc/onion-grater-merger/examples/40_bisq.yml at master Ā· Whonix/onion-grater Ā· GitHub
If/when that has happened, was/will be mentioned in this forum thread.
Generally, Principle of least astonishment - Wikipedia is the goal. Should something user unfriendly / complicated / weird be required (such as if there was a case where setup command that needs to be re-run every time), then this will be mentioned. Otherwise, default assumption would be the user friendly situation, i.e. following documentation as is, only needing to run the command once being required.
Quite likely.
Yes, help needed and wanted for this one.
I donāt know what you mean. Please report this in a separate forum thread and perhaps a screenshot would be helpful.
Great. I followed the instructions you linked to and I edited ā¦/50_user.conf. I restarted daemons and onion-grater, and I am currently running with journalctl -f -i onion-grater.
I donāt know what I should expect to see here, but I am excited to learn. This is what you mean by debug, yes?
Something that can help: do you have any ideas for how I can test the connection to the Bisq node? Something similar to testing an SMTP server with openssl_connect -s_client? I know you are not a Bisq dev and I have asked them but it was worth asking you also. This could help me test onion-grater and the tor connection directly ( such as on localhost:9999)
Oh shit. So Whonix has never tested Bisq? Whonix devs do not know if 40_bisq is current? I know the Bisq devs do not know.
That makes sense, but let me ask: how does this work in Whonix-gateway on Qubes where the sys-whonix takes itself from a template every time?
Also, if a person was not thinking clearly and he ran onion-grater-add 40_bisq more than one time, will this cause a problem? Should he re-create the whonix-gateway?
Another question. Where does onion-grater-add copy 40_bisq data to? What file/directory should I be checking to make sure that the data copied over, and only copied over once? Or does this load into RAM?
Okay here is my first observation:
The whonix gateway, under sudo journalctl -f -u onion-grater I see this:
Jan 31 11:03:38 host onion-grater[3029]: Tor control port filter started, listening on 10.137.0.127:9051
Why is it listening on 10.137.0.127:9051? The Bisq node on the whonix workstation is listed as port 9999. Does 40_bisq translate from 9051 to 9999? I do not see this in github (/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_bisq.yml)
(On the other hand, netstat -tupnl does not show any activity for port 9999 on the workstation. Hm. Anyway, it will help to have this question answered.