bootstrap stucked at 10% with sys-whonix

Qubes-Whonix
21

I’ve tried with tails, same problem… I mean about the bad connectivity.
I can of course try again but in the next couple of days only. Need some time to prepare a vm or two with different setups like for a lab test.

22

This is progress. As Patrick suggested, Whonix is a complex system with many moving parts. When troubleshooting, use the simplest configuration possible - plain Debian/Fedora connected to sys-net. Install Tor and get it working (without bridges if you don’t need them).

Once Tor is connected, test it by visiting sites that are known to be Tor friendly - torproject.org, whonix.org. Your issues may just be website-specific.

How are you monitoring Tor circuits? arm doesn’t label circuits with the associated destination. Use onioncircuits. (Debian-9 or Debian-8-backports).

23

I’ve done some tests but not every one of them.

install the tor browser in a windows 10 vm in qubes which goes trough sys-net then through sys-firewall, doesn’t give much of trouble. It connects directly without any problem in both case and didn’t seem to have connectivity problems through time.(needed extensive tests) .
I’m going to retry tails in qubes.
I still have problems with sys-whonix and connectivity which is pretty random.
Should I redownload the template of whonix-gw to be sure that there are no problems with it? And maybe test it whitout updating it and after updates ?

The connectivity problems are not website specific for sure.

I’m not monitoring to circuits, I didn’t monitor circuits yet, I’m going to use what you say. But it’s only pretty obvious the connectivity problems I get, it’s not like it has to change circuits and so need to reload for a few seconds or things like that. It’s more 2 minutes of connectivity -> 5 minutes down where no websites are accessible anymore -> then again 2 min of connectivity. It’s not like I could have a doubt about the problem.

24

So Tor Browser (without bridges) works inside
windows 10 -> sys-firewall -> sys-net?

“Doesn’t give much trouble?” Does it work or not?

If it works, then try
sys-whonix -> sys-firewall -> sys-net
Open arm and see what it says.

Why would there be problems? Did you make changes to anything in the template? The only thing the template should be used for is updates. You might want to re-create sys-whonix proxyVM depending on how much you changed the config.

Without updating? No. Whonix templates should always be kept up-to-date.

1 Like
25

not much of a trouble it was just an expression to say that besides the current windows 10 problem under qubes there was no problem with connectivity Tor->sys-firewall->sys-net

So I’ve cloned the 2 templates of whonix. Deleted the old ones. renamed the 2 vm (proxy +app). Redownloaded the templates. Recreated the 2 vm based on those template. And I’ve just launched it. Here what it did :
Screenshot_2017-10-14_16-53-40Screenshot_2017-10-14_16-57-42

So we can both agree, because I redownloaded the template and put the system like out of the box… That clearly it doesn’t work out of the box on my system.
So I’m going now to update the template, and then install onioncircuits and give you the print screen about it.

Later I’m going to retest tails on that machine and see what happens.

Note: I redownloaded the template to see if without the template and without having done any modifications it did work or not like ti supposed to do.

26

I was hoping to have some connectivity over time but apparently not. So cna’t update, can’t install onioncircuits.
So here we are.
I could change the proxyvm of the template to go through sys-firwwall… But I would like to know what you think before to do so.

27

Please follow these minimal steps:

  1. first, what version of Qubes are you running?

  2. install whonix-gw template (skip this if you haven’t touched the template at all since your install today):
    [user@dom0 ~]$ sudo dnf remove qubes-template-whonix-gw
    [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw

  3. create sys-whonix proxyVM:
    [user@dom0 ~]$ qvm-remove sys-whonix
    [user@dom0 ~]$ qvm-create -p -t whonix-gw -l red sys-whonix

  4. set sys-whonix’s netVM to sys-net (unless you have a good reason for using sys-firewall - in which case, that may be the issue):
    [user@dom0 ~]$ qvm-prefs -s sys-whonix netvm sys-net

  5. now click on sys-whonix. click Start VM.

  6. you will be presented with a dialog by Whonix Setup Wizard. Choose “I am ready to enable Tor.” Click Next.

  7. in dom0 terminal:
    [user@dom0 ~]$ qvm-run sys-whonix konsole

  8. wait a few minutes, then in sys-whonix konsole:
    user@host:~$ cat /var/log/tor/log
    paste results here.

  9. also, type
    user@host:~$ date
    and confirm that it returns the correct UTC date/time.
    Current UTC — Coordinated Universal Time

1 Like
28

R3.2

1/passed
2/passed (because I follow the tutorial as described on the website which is the same thing) or maybe you have reason to believe that qubes manager ave some bugs related to that ?
3/That’s not a bad idea(never think about it because of the whole firewall spirit of qubes)!!! going to try it now… well… it’s not pretty, my boot strap stopped at 45 % too.
the max I can have, have done it 3 times, its 59%

sorry the logs are very ugly.
I did’nt had enough lines to put it here.
pastebinlog

and the date was close to 1 minute of the utc time so it’s not that.

29

so we are now more than 35 minutes later from the beginning of the operation.
I’ve finally the right to download the tor browser in anon-whonix. I m going to see if I can get to the end, which is very slow right now so I’m very doubting that.

30

so here the next lines of the logs. I have noted that the tor controller of sys-whonix have updated itself from the first boot yesterday.
You will notice the timestamp. About 15 minutes to have connectivity… that’s painful. Seems better now anyway than before. So sys-firewall is just a added factor that catalyze the problem…
So I m going to install onioncircuits . Never used it so I might need help .
[EDIT] since I don’t want to do any mistakes. By default, we are under 8.6 debian. Do you me to update and then to add backports to the 8.6? or to upgrade to stretch debian and then install onioncircuits?

Oct 15 08:42:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:42:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:42:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:42:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:42:37.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:37.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:38.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:38.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:40.000 [notice] New control connection opened.
Oct 15 08:42:40.000 [notice] New control connection opened.
Oct 15 08:42:40.000 [notice] New control connection opened.
Oct 15 08:42:40.000 [notice] New control connection opened.
Oct 15 08:42:40.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:40.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:42.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:43.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:45.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:45.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:48.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:48.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:48.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:48.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:50.000 [notice] New control connection opened.
Oct 15 08:42:50.000 [notice] New control connection opened.
Oct 15 08:42:50.000 [notice] New control connection opened.
Oct 15 08:42:50.000 [notice] New control connection opened.
Oct 15 08:42:51.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:51.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:53.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:54.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:56.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:56.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:58.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:58.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:59.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:42:59.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:00.000 [notice] New control connection opened.
Oct 15 08:43:00.000 [notice] New control connection opened.
Oct 15 08:43:00.000 [notice] New control connection opened.
Oct 15 08:43:00.000 [notice] New control connection opened.
Oct 15 08:43:02.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:02.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:05.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:05.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:08.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:08.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:08.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:09.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:10.000 [notice] New control connection opened.
Oct 15 08:43:10.000 [notice] New control connection opened.
Oct 15 08:43:10.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:10.000 [notice] New control connection opened.
Oct 15 08:43:10.000 [notice] New control connection opened.
Oct 15 08:43:11.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:13.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:13.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:19.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:19.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:21.000 [notice] New control connection opened.
Oct 15 08:43:21.000 [notice] New control connection opened.
Oct 15 08:43:21.000 [notice] New control connection opened.
Oct 15 08:43:21.000 [notice] New control connection opened.
Oct 15 08:43:29.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:29.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:31.000 [notice] New control connection opened.
Oct 15 08:43:31.000 [notice] New control connection opened.
Oct 15 08:43:31.000 [notice] New control connection opened.
Oct 15 08:43:31.000 [notice] New control connection opened.
Oct 15 08:43:39.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:39.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:41.000 [notice] New control connection opened.
Oct 15 08:43:41.000 [notice] New control connection opened.
Oct 15 08:43:41.000 [notice] New control connection opened.
Oct 15 08:43:41.000 [notice] New control connection opened.
Oct 15 08:43:49.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:50.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:43:52.000 [notice] New control connection opened.
Oct 15 08:43:52.000 [notice] New control connection opened.
Oct 15 08:43:52.000 [notice] New control connection opened.
Oct 15 08:43:52.000 [notice] New control connection opened.
Oct 15 08:44:00.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:00.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:02.000 [notice] New control connection opened.
Oct 15 08:44:02.000 [notice] New control connection opened.
Oct 15 08:44:02.000 [notice] New control connection opened.
Oct 15 08:44:02.000 [notice] New control connection opened.
Oct 15 08:44:10.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:10.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:12.000 [notice] New control connection opened.
Oct 15 08:44:12.000 [notice] New control connection opened.
Oct 15 08:44:12.000 [notice] New control connection opened.
Oct 15 08:44:12.000 [notice] New control connection opened.
Oct 15 08:44:20.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:20.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:22.000 [notice] New control connection opened.
Oct 15 08:44:22.000 [notice] New control connection opened.
Oct 15 08:44:23.000 [notice] New control connection opened.
Oct 15 08:44:23.000 [notice] New control connection opened.
Oct 15 08:44:31.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:31.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:33.000 [notice] New control connection opened.
Oct 15 08:44:33.000 [notice] New control connection opened.
Oct 15 08:44:33.000 [notice] New control connection opened.
Oct 15 08:44:33.000 [notice] New control connection opened.
Oct 15 08:44:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:44:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:44:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:44:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:44:41.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:41.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:43.000 [notice] New control connection opened.
Oct 15 08:44:43.000 [notice] New control connection opened.
Oct 15 08:44:43.000 [notice] New control connection opened.
Oct 15 08:44:43.000 [notice] New control connection opened.
Oct 15 08:44:51.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:51.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:44:53.000 [notice] New control connection opened.
Oct 15 08:44:53.000 [notice] New control connection opened.
Oct 15 08:44:53.000 [notice] New control connection opened.
Oct 15 08:44:53.000 [notice] New control connection opened.
Oct 15 08:45:01.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:02.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:04.000 [notice] New control connection opened.
Oct 15 08:45:04.000 [notice] New control connection opened.
Oct 15 08:45:04.000 [notice] New control connection opened.
Oct 15 08:45:04.000 [notice] New control connection opened.
Oct 15 08:45:12.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:12.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:14.000 [notice] New control connection opened.
Oct 15 08:45:14.000 [notice] New control connection opened.
Oct 15 08:45:14.000 [notice] New control connection opened.
Oct 15 08:45:14.000 [notice] New control connection opened.
Oct 15 08:45:22.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:22.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:24.000 [notice] New control connection opened.
Oct 15 08:45:24.000 [notice] New control connection opened.
Oct 15 08:45:24.000 [notice] New control connection opened.
Oct 15 08:45:24.000 [notice] New control connection opened.
Oct 15 08:45:32.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:32.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:34.000 [notice] New control connection opened.
Oct 15 08:45:34.000 [notice] New control connection opened.
Oct 15 08:45:34.000 [notice] New control connection opened.
Oct 15 08:45:34.000 [notice] New control connection opened.
Oct 15 08:45:43.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:43.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:44.000 [notice] Bootstrapped 63%: Loading relay descriptors
Oct 15 08:45:44.000 [notice] Bootstrapped 68%: Loading relay descriptors
Oct 15 08:45:45.000 [notice] New control connection opened.
Oct 15 08:45:45.000 [notice] New control connection opened.
Oct 15 08:45:45.000 [notice] New control connection opened.
Oct 15 08:45:45.000 [notice] New control connection opened.
Oct 15 08:45:53.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:54.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:45:55.000 [notice] New control connection opened.
Oct 15 08:45:55.000 [notice] New control connection opened.
Oct 15 08:45:55.000 [notice] New control connection opened.
Oct 15 08:45:55.000 [notice] New control connection opened.
Oct 15 08:46:05.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:05.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:05.000 [notice] New control connection opened.
Oct 15 08:46:05.000 [notice] New control connection opened.
Oct 15 08:46:05.000 [notice] New control connection opened.
Oct 15 08:46:05.000 [notice] New control connection opened.
Oct 15 08:46:15.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:15.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:15.000 [notice] New control connection opened.
Oct 15 08:46:15.000 [notice] New control connection opened.
Oct 15 08:46:15.000 [notice] New control connection opened.
Oct 15 08:46:15.000 [notice] New control connection opened.
Oct 15 08:46:25.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:25.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:26.000 [notice] New control connection opened.
Oct 15 08:46:26.000 [notice] New control connection opened.
Oct 15 08:46:26.000 [notice] New control connection opened.
Oct 15 08:46:26.000 [notice] New control connection opened.
Oct 15 08:46:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:46:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:46:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:46:34.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for circuit)
Oct 15 08:46:35.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:36.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:36.000 [notice] New control connection opened.
Oct 15 08:46:36.000 [notice] New control connection opened.
Oct 15 08:46:36.000 [notice] New control connection opened.
Oct 15 08:46:36.000 [notice] New control connection opened.
Oct 15 08:46:46.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:46.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:46.000 [notice] New control connection opened.
Oct 15 08:46:46.000 [notice] New control connection opened.
Oct 15 08:46:46.000 [notice] New control connection opened.
Oct 15 08:46:46.000 [notice] New control connection opened.
Oct 15 08:46:56.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:56.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:46:56.000 [notice] New control connection opened.
Oct 15 08:46:56.000 [notice] New control connection opened.
Oct 15 08:46:57.000 [notice] New control connection opened.
Oct 15 08:46:57.000 [notice] New control connection opened.
Oct 15 08:47:04.000 [notice] Bootstrapped 78%: Loading relay descriptors
Oct 15 08:47:04.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Oct 15 08:47:04.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Oct 15 08:47:05.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Oct 15 08:47:05.000 [notice] Bootstrapped 100%: Done
Oct 15 08:47:06.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:47:06.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:47:07.000 [notice] New control connection opened.
Oct 15 08:47:07.000 [notice] New control connection opened.
Oct 15 08:47:07.000 [notice] New control connection opened.
Oct 15 08:47:07.000 [notice] New control connection opened.
Oct 15 08:49:25.000 [notice] Your system clock just jumped 125 seconds forward; assuming established circuits no longer work.
Oct 15 08:49:25.000 [notice] Tried for 139 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for rendezvous desc)
Oct 15 08:49:25.000 [notice] Tried for 138 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for rendezvous desc)
Oct 15 08:49:26.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Oct 15 08:49:26.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Oct 15 08:55:51.000 [warn] Socks version 71 not recognized. (Tor is not an http proxy.)
Oct 15 08:55:52.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:55:52.000 [notice] New control connection opened from 127.0.0.1.
Oct 15 08:57:40.000 [notice] New control connection opened.
Oct 15 09:15:39.000 [notice] New control connection opened.
Oct 15 09:15:39.000 [notice] New control connection opened.
Oct 15 09:15:39.000 [notice] New control connection opened.
Oct 15 09:15:39.000 [notice] New control connection opened.
31

no big connectivity problems fir now. Im going to continue to monitor the situation, but it seems that it is capable of changing circuits more fluently than before because of the change with sys-firewall. So even if the circuit is no more valid, I have a few seconds only of loss of connectivity.

[EDIT] I take back what I said. connectivity is still a mess compared to the tor browser installed on any OS.
I still have loss of connectivity and too often and for too much time, which shouldn’t been happening if it’s not happening with tor browser alone…

32

Thanks for troubleshooting! A couple of points…

  • sys-firewall doesn’t really do anything unless you’ve added some filters or routing instructions. If you are just using sys-firewall out-of-the-box, then it doesn’t add any protection to your system (other than being an additional NAT router). The only reason I asked you to bypass it was that I thought you might have changed settings on sys-whonix’s firewall tab. sys-whonix comes with a strict built-in firewall that should be safe enough to face the net directly.

  • onioncircuits won’t help troubleshoot this issue. It won’t hurt anything so you’re still welcome to install it. Just follow standard backports procedure: Instructions. You can install in whonix-gw for persistence or sys-whonix for one-time use. Your templates should always be up-to-date. Do not upgrade to Stretch.

Regarding your issue, the fact that you were able to connect to a directory server and download relay information rules out many possibilities. Network connections either work or they don’t. When you have unreliable, intermittent connectivity, the culprit is usually poor network connectivity on your end (ie from a mobile connection). Or a sloppy attempt at censorship - which is probably not the case since the bridges you used were equally unreliable.

You insist that you have reliable Tor circuits when using Tor Browser on another OS. That would indicate that Whonix has somehow modified the Tor client. See: Frequently Asked Questions - Whonix ™ FAQ It’s possible some torrc setting is causing this, but highly unlikely from my experience. I’m basically out of good ideas…

  • If using laptop, is there another location with a trusted network you could use to test?

  • Try plain Debian VM with Tor:
    dom0:
    [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8
    [user@dom0 ~]$ qvm-run -a debian-8 gnome-terminal
    debian-8-templateVM:
    user@host:~$ sudo apt-get update && sudo apt-get dist-upgrade
    user@host:~$ sudo apt-get install tor
    user@host:~$ sudo poweroff
    dom0:
    [user@dom0 ~]$ qvm-create -p -t debian-8 -l red test-tor
    [user@dom0 ~]$ qvm-prefs -s test-tor netvm sys-firewall
    [user@dom0 ~]$ qvm-run -a test-tor gnome-terminal
    test-tor:
    user@host:~$ sudo tail -n 20 -f /var/log/tor/log

1 Like
33

Just to throw my two pennies, when I can’t bootstrap I do in sys-whonix flush of iptables rules, and set default to accept, and it always works.
It usually happens after not connecting to tor for a while , but usually at least SOME of the circuits fails.

edit by entr0py: See below.

34

Please don’t do this! Whonix-Gateway firewall is in place to mitigate possibility of leaks. If you find that Tor is not creating new circuits after an extended period of inactivity, restart the Tor daemon:

sudo systemctl restart tor@default

In many cases, simply running whonixcheck will cause Tor to function properly again.

1 Like
35

sorry for the delay of answer. As I said, with other network 4G or other landline somewhere else this is working but I didn’t use it over time so I don’t know if there is a loss of connectivity over time.

But there has been some evolution with the different updates and the behaviour si not still the same.
I can’t say, and sorry for that, that whonix is very well coded. I have for example the whonix-check window disappearing from time to time whitout any reason and the conditions of this appearing would be way too much complicated to explain. But facts remains, this tool can crash too apparently or something similar.
We should have way more debug messages if we ask for, to know if the tcp packets are coming or if there is any error messages or anything else which we don’t have. And since I didn’t hear you all along about any log messages that I should go read to find the sources of the problem it seems that there isn’t… That should tell us something about the quality of programming of this thing.
Anyway I don’t disagree that maybe my ubiquiti equipment would be at fault here, but even so, the program should have a tcpdump and some filter and some logreader to debug this thing, because yes this whonix setup should be as well a network diag instrument since we should install it on most of laptop in the world and especially in war conflict zones.
So y es I’m very disappointed by this thing since it should gives to any user or IT admin enough tools combined, already launched, to discover a way to communicate with outside world and not have a bunch of equipment and/or knowledge to diagnostic the situation and so see which parameters we should change.

user@test-tor:~$ sudo tail -n 20 -f /var/log/tor/log
Nov 21 11:23:22.000 [notice] Tor 0.2.9.12 (git-2b1e823d7bc05a37) opening new log file.
Nov 21 11:23:22.591 [notice] Tor 0.2.9.12 (git-2b1e823d7bc05a37) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f and Zlib 1.2.8.
Nov 21 11:23:22.592 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Nov 21 11:23:22.592 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Nov 21 11:23:22.592 [notice] Read configuration file "/etc/tor/torrc".
Nov 21 11:23:22.599 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 21 11:23:22.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Nov 21 11:23:22.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Nov 21 11:23:22.000 [notice] Bootstrapped 0%: Starting
Nov 21 11:23:22.000 [notice] Signaled readiness to systemd
Nov 21 11:23:23.000 [notice] Opening Socks listener on /var/run/tor/socks
Nov 21 11:23:23.000 [notice] Opening Control listener on /var/run/tor/control
Nov 21 11:23:23.000 [notice] Bootstrapped 5%: Connecting to directory server
Nov 21 11:23:23.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Nov 21 11:23:24.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Nov 21 11:23:24.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Nov 21 11:23:24.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
^[[ANov 21 11:23:57.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Nov 21 11:23:57.000 [notice] Bootstrapped 40%: Loading authority key certs
Nov 21 11:23:57.000 [notice] Bootstrapped 45%: Asking for relay descriptors
Nov 21 11:23:57.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6497, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
Nov 21 11:24:27.000 [notice] Bootstrapped 50%: Loading relay descriptors
Nov 21 11:24:29.000 [notice] Bootstrapped 57%: Loading relay descriptors
Nov 21 11:24:29.000 [notice] Bootstrapped 65%: Loading relay descriptors
Nov 21 11:24:29.000 [notice] Bootstrapped 72%: Loading relay descriptors
Nov 21 11:24:29.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Nov 21 11:24:29.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Nov 21 11:24:30.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Nov 21 11:24:30.000 [notice] Bootstrapped 100%: Done

I’ve done it on debian-9 and clone debian-9 first because I don’t like to install anything on my original template.

36

Do you mean without the iptables restrictions services are not firewalled and accessible to the outside world or they’re only important as a 2nd defense for bugs?

37

Yes. The iptables restrictions are the services’ firewall. If your Whonix-Gateway is connected directly to the public Internet, then anybody can send requests to tor and tinyproxy. Which is precisely why it says in your Tor log:
[notice] You configured a non-loopback address '10.152.152.10:9050' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.

In practice on Qubes, this won’t happen because both netVMs and proxyVMs do not forward incoming traffic by default. However they do forward outgoing traffic so if you flushed your iptables in Whonix-Gateway and decided to use Firefox, it would connect in the clear.

Firewalls are not an infallible defense against network intrusion or data leaks. They are highly effective at preventing leaks due to misconfigured / buggy software or user error. Data leaks | Qubes OS

At the same time, not having a strict firewall in place can lower the barrier for many attacks of opportunity.

38

since the transition to fedora-26-minimal it’s worse than ever in my case through my ubiquiti equipment. Nothing is let trhough about whonix. No change about debian with test-tor, that s work well .

And I am more and more confident that there is a problem between vlan inside of qubes and vlan inside of my ubiquiti network. So I don’t know how the packets are going out from qubes, if there are untaggged or not but I think there is clearly a problem in that.

39

so what should I use as tools in the whonix vm ? tcpdump and look for packets ?

40

The difficulty of troubleshooting this along with the fact that no other users have had similar complaints in over a month should indicate that there is something unique to your situation.

To recap, here are the relevant facts:

at primary location: sys-whonix -> ??? -> sys-net:

conclusion: unreliable Tor connectivity at primary location using sys-whonix

at other locations: sys-whonix -> ??? -> sys-net

conclusion: unknown

at primary location?: debian-9 -> ??? -> sys-net

tor bootstraps properly.
loses connection often? or not?

conclusion: unknown

primary location: win10 -> sys-firewall -> sys-net

conclusion: unknown. now is a good time for extensive tests

There are too many questions there still. You need to test thoroughly and provide detailed information. At this point, I’m not convinced this is a Whonix issue.

  1. If you have unreliable Tor connectivity at primary location and it works elsewhere, then it’s clearly a problem with your ISP, LAN, or network hardware. You need to get support from your hardware provider or ISP.

  2. If you have unreliable Tor connectivity at primary location using Whonix but Tor connectivity is reliable using Debian template or Windows 10 through same network connection, then that would be very strange indeed.

Where do you want to install a packet monitor? Do you think packets are being lost between Qubes VMs? You could simply see packet counts using iptables but I highly doubt that Qubes networking is the issue here.

(Also, I have no idea what ubiquiti is. Are you using wireless connections?)

Here’s a better test. Since you’re using Qubes, do this at the same time.

  1. anon-whonix → sys-whonix → sys-net
    get tor bootstrapped in gateway.
    launch tor browser in workstation and download some big debian .iso.

  2. win10 or debian → sys-net
    install tor browser bundle
    launch tor browser and download some big debian .iso.

If 2 works and 1 doesn’t, then we have a problem.
If neither works, then test using a different network connection and/or a different network.
If both work, then hooray.