bootstrap stuck at 10% with sys-whonix

Hi,

I’m new to Qubes but I’m used to virtualization and have already done some trial/error with qubes installation and also I’ve read a lot about qubes and qubes networking so “I should not” be out of my depth here.

So for the first few trials I’ve used sys-whonix as out of the box and it managed to connect me to Tor without any bridges configuration but of course I didn’t get any long-term connectivity. First thing to say, is that I didn’t find any documentation about how it was connecting by itself and in comparison with the need to configure some bridges for a more advanced configuration… That I think is really a must to have for every average user, if anyone has that article on hand, could be great to link it?

Second, which is my real problem, I’ve made my torrc user configuration as said in the tutorials with 3 obfs4 bridges. Since then I can’t make the bootstrap work any more and so can’t connect to Tor. It is stuck at 10% which seems to be the handshake with the first bridge right?

For more details:
1/the first batch for bridges that I took from the website was no good, one was unpingable. So I was guessing that was part of the problem. So I took another batch of bridges and the three here are pingable.
2/ I didn’t make any changes to sys-firewall, and even so, if I understand correctly, the whole concept is to block exiting connection, not incoming connections. So to my knowledge it wouldn’t change a thing.
3/ Since it was working out of the box, I guess it’s not my LAN configuration either …
4/ the template is up to date I think . 0.2.9.10
5/ No date problem too.

The whonixsetup is green so I guess there is no error in my torrc.
So I’m a bit out of ideas here.
Are there bad batch of bridges and so you need to try a lot of them?
Should I open a port in My LAN configuration?
I guess I shouldn’t say my country here, but to my knowledge there is no censorship here…

So what should I provide ? the status of the service is good and active

Oct 07 00:23:09 host Tor[2752]: New control connection opened from 127.0.0.1.
Oct 07 00:23:09 host Tor[2752]: New control connection opened from 127.0.0.1.
Oct 07 00:23:20 host Tor[2752]: New control connection opened from 127.0.0.1.
Oct 07 00:23:20 host Tor[2752]: New control connection opened from 127.0.0.1.
Oct 07 00:23:30 host Tor[2752]: New control connection opened from 127.0.0.1.

I have a bit no clue here… Should I try a third, fourth or even fifth batch of bridges?
Thanks in advance
Best regards

so in arm controller I have these messages from the 3 different bridges (don’t know if I’m authorized to put their ip here).
(“server rejected connection”) so why a server would reject my connection if I have copy paste the lines from the website and so if I have the good certs?

and that too: [WARN] Socks version 71 not recognized. (Tor is not an http proxy.)

same with a third batch and same warn messages and still no connectivity

Hi boistordu

Are you configuring your bridges in whonix-gw template or sys-whonix proxy-vm? You should be configuring your bridges in the latter ( sys-whonix )

Yes in sys-whonix like described in the tutorial, through the managed "tor User Config" button in Qmanager start menu …
So that’s not it no…

is there any log or any output I should paste here?

any idea even the simplest one could maybe help me so go for it.

does someone know at least what could mean “server rejected connection”?
Could it be the result of no packet transmitting because of firewall of sys-firewall?
Is it in any case a message of the bridge itself?
Is it because my provider is blocking it?
I need at least a lead or a clue here please…

Is the policy of cookie related to that ?

[EDIT]
I’ve made some progress.
It seems that if I open my app vm which is based on a debian 9 template and which is linked to sys-firewall but had to script at startup to connect to nfs share of my network, it stops all connection from sys-whonix…
If I don’t start it or if i close it and reload the firewall and restart to then I got connectivity again even if it is not from bridges since I still have the messages of server rejection…

By the way, are we not supposed to use maybe anything else than the tor browser or the anon-whonix vm to link with sys-whonix? or can we use also the disposable vm based on something else than whonix?

The help mail address does not work, is that normal ? I have always a mail that says impossible to create a ticket?

Hi boistordu

Yes you can connect with non-anon-whonix VMs:

Hi boistordu

What help mail address are you referring to?

Yeah I’ve seen that but since this odd problem has some odd variations too… I wasn’t sure anymore.

help@rt.torproject.org

with an answer from :
rt@rt.torproject.org
with content : No permission to create tickets in the queue ‘help’

retrieve in

If your Tor doesn’t work, you should email help@rt.torproject.org. Try including as much info about your case as you can, including the list of bridges and Pluggable Transports you tried to use, your Tor Browser version, and any messages which Tor gave out, etc.

These are unrelated and explained here:
Control and Monitor Tor

okey duly noted

and for that?

 16:49:44 [WARN] Proxy Client: unable to connect to 192.36.31.251:56761 ("server rejected connection") [4 duplicates hidden] 

and sorry to have put the address ip but I could really not do anything else since no one is taking that in consideration apparently.
This message happens for every single one ip address I put in the configuration file

Hi boistordu

  1. What qubes (appvm or otherwise) do you have between sys-whonix and sys-net?

  2. Do you have any ports blocked on your lan or otherwise?

  3. Did you make a config error?

You can also ask for help on http://tor.stackexchange.com

  1. original sys-net and sys-firewall. I’ve just changed to fedora-25-minimal’s template by downloading them with qubes-update and put them up-to date of course
  2. I have no odd network configuration but yeah my router blocks incoming new transmission like standard configuration, it’s not a DMZ if that’s what you mean ?
  3. I have checked the configuration of the tor user configuration file several times and checked it with whonix connection wizard and it checks out plus it is pretty simple. Only the first time I had done a typo error but that’s all. I’ve not changed anything else in whonix-gw beside put it up-to-date the first time.

I’m coming to this thread late. I don’t fully understand your issue. If you don’t mind, I’d like to start from the beginning:

Why do you want to use bridges?

Out-of-the-box meaning sys-whonix → sys-firewall → sys-net?
You had connectivity to Tor? Did Whonixcheck return any errors?
Why do you say “of course”? Why would you expect not to get long-term connectivity?

Not suggesting you should try… But did you try if connections work for you without bridges?

Could you please try if you get a non-Whonix installation of Tor working with bridges? I mean, pretend you wouldn’t know about Whonix. Then use system Tor such as the tor package on Debian stretch. Does that work for you?

  • If yes, then you should be able to reproduce the same with Whonix? Otherwise please report back here.
  • If no, please sort out this issue as per Free Support for Whonix ™.

Okey no problem with that.
So out of the box, I didn’t get any connectivity more than a couple of minutes.
So to give you an example, if I needed to see let’s say a video tutorial on something in IT hosted on a website that I don’t trust fully (that’s my main usage of tor, using it to go to websites which from I don’t trust the code for example) of 10 minutes or so, I couldn’t do so because for every one or two minutes I had to wait several minutes that sys-whonix find another circuit for me. Apparently I can’t stay on the same circuit for more than a couple of minutes, which makes the whole experience like hell.
And it’s the same with tails by the way.
So I look further and I’ve seen that bridges were a solution or at least it is presented as a step in the configuration of the sys-whonix. Not much like something optional. So I’ve done it and because that didn’t improve the situation, that I’ve gone seeing the arm controller where I’ve seen all these rejection.

and the ‘of course’ and ‘expected’ are because it’s presented on the website like that. From qubes but also from whonix. A bit like, “configuration for full connectivity are like this”, and not something like “The system should work out of the box but if it doesn’t please do the next step”