Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) - new

Patrick · June 10, 2016, 2:38pm

Originally published at: News - Whonix Forum
Lantern is a censorship circumvention tool, an alternative to Tor bridges.

Testers only! As an exercise and proof of concept, I quickly put together a documentation chapter for Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet). Qubes-Whonix only! Non-Qubes-Whonix is unsupported.

https://www.whonix.org/wiki/Lantern

At the moment these instructions have several limitations.

They install Lantern in a separate ProxyVM behind sys-whonix. The motivation behind this was better security. Lantern is not installable from Debian. It's a package from the lantern website. In theory, Tor should not be compromised if Lantern was compromised. But if Lantern was compromised to begin with or more easily exploited than Tor, it is very much desirable to run Lantern in a separate ProxyVM for better isolation.
However, this is very impractical. Since Qubes does not support static IP addresses yet, the Tor config setting /etc/tor/torrc 'Socks5Proxy 10.137.10.1:8788' is not stable. When the Lantern ProxyVM gets its IP changed, connectivity breaks and /etc/tor/torrc in sys-whonix needs a manual update. Not great.
It would be a lot more usable to document how to run Lantern directly in sys-whonix (under user tunnel with TUNNEL_FIREWALL=true etc.) However, then we would have less isolation.
Does not autostart Lantern yet.
The footnotes on the wiki page contain several TODO items.
And more...
I probably won't be able to become a maintainer of a fully featured Lantern-Gateway comparable to Whonix-Gateway using Tor. Help welcome.
Lantern seems to have connectivity issues on its own. Even for me in a non-censored area, it works for me in only 1 of 4 attempts. Often I needed to restart the VM and start fresh. Shutdown of Lantern does not seem to be clean. Often in the Lantern-Gateway VM - while no Whonix network is involved - I am unable to visit any websites from the automatically started lantern browser.

Déjà vu? This blog post is very similar to my last blog post Connecting to JonDonym before Tor (User -> JonDonym -> Tor -> Internet).

Patrick · June 10, 2016, 2:42pm

Previous discussion:
https://forums.whonix.org/t/connecting-to-lantern-before-tor-user-lantern-tor-internet

2xiangzi · June 12, 2016, 6:50pm

Thank you Patrick for all your work – another reason I love Whonix is there’s such a supportive and efficient community behind it:)

Maybe I can help to do some TODO:)

That’s strange because I followed exactly your instruction to install and use Lantern but nothing wrong happened to me when using it within the Lantern-Gateway.

However, I did met some problem when following the instruction, and here’s what I’ve done (for 3 times):

Create a new standalone ProxyVM called Lantern-Gateway based on Debian-8 template.
Unload Qubes iptables rules in the Lantern-Gateway ProxyVM:
2.1 sudo nano unload.sh
2.2 copy Firewall_Unload to unload.sh and save it.
2.3 sudo chmod -x unload.sh
2.4 sudo unload.sh
Install lantern
lantern -addr 0.0.0.0:8788
curl --tlsv1.2 --proto =https --socks5-hostname socks5h://127.0.0.1:8788 https://check.torproject.org
But it failed
According to “lantern -help”, by runnig ‘lantern -addr IP:Port’, lantern open a http port instead of socks5. It seems taht the instruction need to be changed?
I tried letting Iceweasel to use proxy listening on 127.0.0.1:8788 and it worked.
According to the wiki: “You could run the following command within sys-whonix to find out the IP of your Lantern-Gateway ProxyVM:
qubesdb-read /qubes-gateway”
But what it showed when I ran this command was the GatewayIP of sys-whonix itself. I don’t know why but I’m sure sys-whonix was using Lantern-Gateway as netvm.
Then I tried adding each of the following to torrc separately:
Socks5Proxy Lantern-GatewayIP:8788
HTTPSProxy Lantern-GatewayIP:8788

but neither of them made Tor work.(It stopped at 5% during boot up)

Would you please help me to find what I have done wrong?

Thank you very much!

Patrick · June 12, 2016, 6:54pm

After firewall unload, please run the following command to see if really all firewall rules are unload.

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

Should show.

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT

Patrick · June 12, 2016, 7:02pm

Firewall unload instructions improved. Firewall unload verification instructions added.

Patrick · June 12, 2016, 7:47pm

Instructions changed to http proxy. Could not get socks to work. However, lantern seems to support socks, they say so in this ticket:
https://github.com/getlantern/lantern/issues/2075

Can you figure out how to make socks listen on non-local, on all interfaces (0.0.0.0)? That would be better.

You might have changed the NetVM while sys-whonix was already running. Then I could imagine that happening. Otherwise should not happen. Please try again.

Another breaking bug I found was Qubes default iptables rules being reinforced. Just now added to instructions how to disable qubes-firewall and qubes-iptables.

I got Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) working.

2xiangzi · June 16, 2016, 6:03pm

All right, let me have a try! By the way, would you please tell me the benefits of using a socks5 port instead of http port? For remote-DNS, I guess?[quote=“Patrick, post:6, topic:2583”]
You might have changed the NetVM while sys-whonix was already running. Then I could imagine that happening. Otherwise should not happen. Please try again.
[/quote]

I changed the NetVM while sys-whonix was shutdown, and it’s still the same result

Thank you sir, I got it working successfully by following your instruction!

Patrick · June 20, 2016, 10:50am

2xiangzi:

By the way, would you please tell me the benefits of using a socks5 port instead of http port?

I believe socks is a simpler and more general purpose protocol than
http. Speed and security may be better. This could use more research.

Patrick · June 29, 2016, 11:28am

Various changes were made and lantern tickets were posted @2xiangzi:
Lantern: Difference between revisions - Whonix

2xiangzi · July 4, 2016, 9:27pm

Thank you, sir!

Although changes have been made: Lantern: Difference between revisions - Whonix, the page still seems to be untranslatable.

Patrick · July 4, 2016, 9:33pm

Made the page translateable. Seems this is an action only admins can click. Please try now. Should you have further comments on translations, please create a new thread in the Whonix website sub forum.

2xiangzi · December 28, 2016, 5:25pm

Document changes:

Add the way to let Lantern listen for socks5 proxy requests.
Add an introduction to Lantern version 3.x.

BTW: The amount of remaining free monthly data can be seen on the UI of Lantern. However, lantern will not automatically show the UI when starting which may be a bug. What I did was adding another arg when starting it:
lantern -socksaddr string -add-uiaddr 127.0.0.1:1123
then opened a browser to access 127.0.0.1:1123 manually.

Patrick · March 13, 2017, 1:52pm

//cc @iry