ClientOnionAuthDir in DispVM

How can I set up ClientOnionAuthDir in a Whonix DispVM in Qubes?

Following the Tor documentation for client authorization in v3 hidden services, I added this line to /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/torrc

ClientOnionAuthDir /home/user/keys

And I added the client key to /home/user/keys/

Then I tested connecting to my hidden service. It did not work. I tried clicking New Identity so that Tor Browser restarts. It did not work. What am I missing?

I noticed I can connect to my hidden service if I put the configuration in sys-whonix. If I add this to /usr/local/etc/torrc.d/50_user.conf

ClientOnionAuthDir /var/lib/tor/keys

And I added the client key to /var/lib/tor/keys/client.auth_private. I confirm this works. I can connect to my hidden service after restarting Tor.

What is needed to add ClientOnionAuthDir and the key directly to the Whonix DispVM in the Tor Browser config and not in sys-whonix?

That won’t work. No Tor running in workstation.

That won’t work out of the box due to mandatory access control.

First simplification for learning: try in non-disp, persistent VM first.

Also see the usual onion services documentation for seeing what does usually work how:

/home/user/keys

That won’t work out of the box due to mandatory access control.

Yes! Thank you! I tested moving it to /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/keys. It does not work.

Is it possible to get the keys running in whonix-workstation?

I understand the Tor service runs in the gateway, not the workstation. It works with the configuration added to the gateway. Now I want it to work in the workstation. Why does the workstation have a torrc file in the Tor Browser directory? Is it 100% useless?

If /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Tor/torrc is 100% useless, is it possible to not release whonix-ws with this file? Otherwise, it appears this torrc file in whonix-ws provides additional configuration and overrides the whonix-gw torrc.

Also see the usual onion services documentation for seeing what does usually work how:

Unfortunately, the Whonix documentation does not show how to use ClientOnionAuthDir with a v3 hidden service.

Is it possible to have a ClientOnionAuthDir configuration in whonix-ws at all? It is very important that the laptop does not persist the key. This is why I need it in a DispVM. Any ideas? Thank you.

Technical reasons. To avoid modifications, because, see below…

Possible in theory but better to keep modifications to Tor Browser as minimal as possible for better stability and easier review since lots of Tor Browser issues are already falsely attributed to Whonix.

Modification of Tor Browser would further add to the confusion.

Messing with any files inside Tor Browser has potential to break it or break its internal updater. At the very least, consequences would take time to research. More stable and time efficient to just keep it as is.

Yes, Tor doesn’t run on Whonix-Workstation. Therefore that file has no effect.

“Ephemeral” Tor onion services. Creation (and re-creation) of such onion services is started from inside Whonix-Workstation. A Tor aware application will use Tor control protocol commands to create it. The key is either discarded (temporary onion services) or retained by the application (restartable onion service with stable onion domain name). An example application is OnionShare.

Should be, because…

Whonix does not modify Tor.
Tor Documentation for Whonix Users
Should function the same.

Onion Services - Whonix documents HiddenServiceDir.
ClientOnionAuthDir should function similarly.

See Self Support First Policy for Whonix - i.e. find out how to use this in an easier environment first. For example on non-Whonix, non Qubes. For example on Debian buster. If it works there, replicating the same in Whonix should be simple.

I don’t think ClientOnionAuthDir can be used in Whonix-Workstation.
Whonix-Gateway only. Because it is a Tor config file based configuration.

See also:

There, read:

Ephemeral Whonix-Gateway ™ ProxyVMs

Use ephemeral Tor onion services using Tor control protocol.

But still notice the forensics related warnings on Qubes Disposables.
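
An added example, not part of the original thread and not Whonix or Tor project code: a Python check for the `ClientOnionAuthDir` that worked on the gateway above (`/var/lib/tor/keys`), validating each file's `.auth_private` suffix, its permissions, and the one-line key format given in the Tor client authorization documentation. The function names and the sample directory are constructed for illustration; run it with the directory path as the first argument.

```python
import base64, os, re, stat, sys, tempfile

# Line format from the Tor client authorization docs (one line per file):
# <56-char v3 onion address, no ".onion">:descriptor:x25519:<base32 x25519 private key>
LINE_RE = re.compile(r"^[a-z2-7]{56}:descriptor:x25519:[A-Za-z2-7]{52}$")

def check_auth_file(path):
    """Return a list of problems found in one client key file (empty list = OK)."""
    problems = []
    if not path.endswith(".auth_private"):
        problems.append("file name must end in .auth_private")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("private key readable by group/other (mode %04o)" % mode)
    with open(path, encoding="ascii", errors="replace") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if len(lines) != 1:
        problems.append("expected exactly one key line, found %d" % len(lines))
    elif not LINE_RE.match(lines[0]):
        problems.append("line is not <onion>:descriptor:x25519:<base32 key>")
    return problems

def check_auth_dir(directory):
    """Map every file in a ClientOnionAuthDir to its list of problems."""
    return {name: check_auth_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}

def make_sample_dir():
    """Build a constructed sample directory: one good file, two broken ones."""
    d = tempfile.mkdtemp()
    onion = "a" * 56  # constructed placeholder, not a real service address
    key = base64.b32encode(bytes(range(32))).decode().rstrip("=")  # constructed key
    good = onion + ":descriptor:x25519:" + key + "\n"
    samples = {"client.auth_private": (good, 0o600),
               "client.key": (good, 0o600),                      # wrong suffix
               "open.auth_private": (onion + ":x25519:" + key + "\n", 0o644)}
    for name, (text, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return d

if __name__ == "__main__":
    # Assumption: with no argument, the constructed sample directory is checked.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for name, problems in check_auth_dir(target).items():
        print(name, "OK" if not problems else "; ".join(problems))
```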