Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) - new

Originally published at: News - Whonix Forum
Lantern is a censorship circumvention tool, an alternative to Tor bridges.

Testers only! As an exercise and proof of concept, I quickly put together a documentation chapter for Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet). Qubes-Whonix only! Non-Qubes-Whonix is unsupported.

https://www.whonix.org/wiki/Lantern

At the moment these instructions have several limitations.

  • They install Lantern in a separate ProxyVM behind sys-whonix. The motivation behind this was better security. Lantern is not installable from Debian. It's a package from the lantern website. In theory, Tor should not be compromised if Lantern was compromised. But if Lantern was compromised to begin with or more easily exploited than Tor, it is very much desirable to run Lantern in a separate ProxyVM for better isolation.
  • However, this is very impractical. Since Qubes does not support static IP addresses yet, the Tor config setting /etc/tor/torrc 'Socks5Proxy 10.137.10.1:8788' is not stable. When the Lantern ProxyVM gets its IP changed, connectivity breaks and /etc/tor/torrc in sys-whonix needs a manual update. Not great.
  • It would be a lot more usable to document how to run Lantern directly in sys-whonix (under user tunnel with TUNNEL_FIREWALL=true etc.) However, then we would have less isolation.
  • Does not autostart Lantern yet.
  • The footnotes on the wiki page contain several TODO items.
  • And more...
  • I probably won't be able to become a maintainer of a fully featured Lantern-Gateway comparable to Whonix-Gateway using Tor. Help welcome.
  • Lantern seems to have connectivity issues on its own. Even for me in a non-censored area, it works for me in only 1 of 4 attempts. Often I needed to restart the VM and start fresh. Shutdown of Lantern does not seem to be clean. Often in the Lantern-Gateway VM - while no Whonix network is involved - I am unable to visit any websites from the automatically started lantern browser.
Déjà vu? This blog post is very similar to my last blog post Connecting to JonDonym before Tor (User -> JonDonym -> Tor -> Internet).
1 Like
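The limitation above is that the proxy line in sys-whonix's /etc/tor/torrc goes stale whenever the Lantern-Gateway ProxyVM gets a new IP. This added helper (not from the wiki or this thread) rewrites that line idempotently; it assumes the torrc path and port 8788 from the post, takes the directive (Socks5Proxy or HTTPSProxy, both of which appear later in the thread) and the gateway IP as arguments, and leaves looking up the IP on Qubes to the caller.

```shell
#!/bin/sh
# Added example: keep Tor's upstream-proxy line in sync with the Lantern-Gateway IP.
# Assumptions: port 8788 (from the thread); the caller supplies the current gateway
# IP (on Qubes this would come from the qubesdb lookup described on the wiki).

# Usage: set_tor_proxy TORRC DIRECTIVE IP
# Tor accepts only one upstream proxy type at a time, so both Socks5Proxy and
# HTTPSProxy lines are removed before the requested one is appended.
set_tor_proxy() {
  torrc="$1"; directive="$2"; ip="$3"
  case "$directive" in
    Socks5Proxy|HTTPSProxy) ;;
    *) echo "unsupported directive: '$directive'" >&2; return 1 ;;
  esac
  # Sanity check: the IP is interpolated into torrc, so reject anything that is
  # not digits and dots (a bad qubesdb result must not end up in the config).
  case "$ip" in
    ""|*[!0-9.]*) echo "refusing non-IPv4 value: '$ip'" >&2; return 1 ;;
  esac
  tmp=$(mktemp) || return 1
  sed -e '/^Socks5Proxy /d' -e '/^HTTPSProxy /d' "$torrc" > "$tmp"
  printf '%s %s:8788\n' "$directive" "$ip" >> "$tmp"
  # cat instead of mv keeps torrc's owner and mode (it is root-owned on the gateway)
  cat "$tmp" > "$torrc" && rm -f "$tmp"
}

# Usage: get_tor_proxy TORRC DIRECTIVE  -> prints host:port, empty if not configured
get_tor_proxy() {
  sed -n "s/^$2 //p" "$1" | tail -n 1
}
```

Run it after the Lantern-Gateway IP has been re-read and then restart Tor in sys-whonix; a 5% bootstrap stall as in the thread is the symptom of a stale line.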

Previous discussion:
https://forums.whonix.org/t/connecting-to-lantern-before-tor-user-lantern-tor-internet

Thank you Patrick for all your work – another reason I love Whonix is there's such a supportive and efficient community behind it:)

Maybe I can help to do some TODO:)

That's strange because I followed exactly your instruction to install and use Lantern but nothing wrong happened to me when using it within the Lantern-Gateway.

However, I did meet some problems when following the instructions, and here's what I've done (3 times):

  1. Create a new standalone ProxyVM called Lantern-Gateway based on Debian-8 template.

  2. Unload Qubes iptables rules in the Lantern-Gateway ProxyVM:
    2.1 sudo nano unload.sh
    2.2 copy Firewall_Unload to unload.sh and save it.
    2.3 sudo chmod -x unload.sh
    2.4 sudo unload.sh

  3. Install lantern

  4. lantern -addr 0.0.0.0:8788

  5. curl --tlsv1.2 --proto =https --socks5-hostname socks5h://127.0.0.1:8788 https://check.torproject.org
    But it failed
    According to "lantern -help", by running 'lantern -addr IP:Port', lantern opens an http port instead of socks5. It seems that the instructions need to be changed?
    I tried letting Iceweasel use the proxy listening on 127.0.0.1:8788 and it worked.

  6. According to the wiki: "You could run the following command within sys-whonix to find out the IP of your Lantern-Gateway ProxyVM:
    qubesdb-read /qubes-gateway"
    But what it showed when I ran this command was the GatewayIP of sys-whonix itself. I don't know why but I'm sure sys-whonix was using Lantern-Gateway as netvm.

  7. Then I tried adding each of the following to torrc separately:
    Socks5Proxy Lantern-GatewayIP:8788
    HTTPSProxy Lantern-GatewayIP:8788

but neither of them made Tor work. (It stopped at 5% during boot up)

Would you please help me to find what I have done wrong?

Thank you very much!

After firewall unload, please run the following command to see if really all firewall rules are unloaded.

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

It should show:

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
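The listing above has to be eyeballed for stray rules, which is easy to get wrong when Qubes re-applies its rules behind your back. Here is an added checker (not from the thread or the wiki) that reads the normalised iptables-save output from stdin and fails on anything other than empty tables with ACCEPT policies, naming each offending line; the sample dumps in the comments are constructed.

```shell
#!/bin/sh
# Added example: automate the "should show" check above.
# Usage: sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d' | firewall_is_unloaded
# Exit status 0 means every table is empty with ACCEPT policies; 1 otherwise.
# Assumption: standard iptables-save format, e.g. ":INPUT ACCEPT [0,0]" for built-in
# chains, ":QBS-FORWARD - [0,0]" for user-defined chains and "-A ..." for rules.
firewall_is_unloaded() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      ""|"#"*) ;;                         # blank line or comment
      "*"*|COMMIT) ;;                     # table header (*filter) or terminator
      :*" ACCEPT ["*) ;;                  # built-in chain with default ACCEPT policy
      :*" - ["*)                          # user-defined chain (no policy): leftover
        echo "user-defined chain still present: $line"; bad=1 ;;
      :*)                                 # built-in chain with DROP/REJECT policy
        echo "non-ACCEPT policy: $line"; bad=1 ;;
      -A*|-I*)                            # an actual rule survived the unload
        echo "rule still loaded: $line"; bad=1 ;;
      *)
        echo "unexpected line: $line"; bad=1 ;;
    esac
  done
  return $bad
}
```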

Firewall unload instructions improved. Firewall unload verification instructions added.

Instructions changed to http proxy. Could not get socks to work. However, lantern seems to support socks, they say so in this ticket:
https://github.com/getlantern/lantern/issues/2075

Can you figure out how to make socks listen on non-local, on all interfaces (0.0.0.0)? That would be better.

You might have changed the NetVM while sys-whonix was already running. Then I could imagine that happening. Otherwise should not happen. Please try again.


Another breaking bug I found was Qubes default iptables rules being reinforced. Just now added to instructions how to disable qubes-firewall and qubes-iptables.

I got Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) working.

All right, let me have a try! By the way, would you please tell me the benefits of using a socks5 port instead of http port? For remote-DNS, I guess?[quote="Patrick, post:6, topic:2583"]
You might have changed the NetVM while sys-whonix was already running. Then I could imagine that happening. Otherwise should not happen. Please try again.
[/quote]

I changed the NetVM while sys-whonix was shutdown, and it's still the same result :frowning:

Thank you sir, I got it working successfully by following your instruction!

2xiangzi:

By the way, would you please tell me the benefits of using a socks5 port instead of http port?

I believe socks is a simpler and more general purpose protocol than http. Speed and security may be better. This could use more research.

Various changes were made and lantern tickets were posted @2xiangzi:
Lantern: Difference between revisions - Whonix

Thank you, sir!

Although changes have been made: Lantern: Difference between revisions - Whonix, the page still seems to be untranslatable.

Made the page translateable. Seems this is an action only admins can click. Please try now. Should you have further comments on translations, please create a new thread in the Whonix website sub forum.

Document changes:

  1. Add the way to let Lantern listen for socks5 proxy requests.
  2. Add an introduction to Lantern version 3.x.

BTW: The amount of remaining free monthly data can be seen on the UI of Lantern. However, lantern will not automatically show the UI when starting which may be a bug. What I did was adding another arg when starting it:
lantern -socksaddr string -add-uiaddr 127.0.0.1:1123
then opened a browser to access 127.0.0.1:1123 manually.

//cc @iry