cwtch messaging

Sarah Lewis built an asynchronous and group messaging solution on top of the Ricochet protocol written in Go.

This would be an interesting major addition to Whonix if there are enough resources to package it independently. I will open a ticket depending on feasibility.

/cc @iry because you are interested in Ricochet.


Cwtch alpha debuts a couple of days ago

Includes Android prototype:

1 Like

Any tips on running this on whonix 16?
Cwtch is stuck at the loading splash screen for me.
Iv tried it previous and had this problem and still have the same problem now with the nightly builds. I gave it a try because the nightly builds have improvements to work on tor systems!


Using the latest flwtch / linux nightlies (g5e8f) from buildDOTopenprivacyDOTca/files/ cwtch is stuck at the splash screen.

is there anything whonix can do to get this working?
Getting stuck at “[DBUG] checking if we can run system installed tor or bundled tor”

An issue has been opened for this on their issue tracker.
gitopcybr57ris5iuivfz62gdwe2qk5pinnt2wplpwzicaybw73stjqdDOT onion/


1 Like


Can I assume you are one of the developers because you opened this thread on the same day it was opened upstream by the devs. I am asking this because then I will adapt my explanation according to the listener.

Likely need to add a configuration / other option that either allows cwtch to use Tor OR allows cwtch to be started without invoking tor cmd.

Use tor’s control protocol, do not start tor, it is running on the Gateway, not on the Workstation.

See how this is done for OnionShare above, where there is a filter called onion-grater running on the Gateway. If cwtch uses the controller, then we can add an option to whitelist its commands to ADD_ONION.

If still following with the built in tor, maybe try to not use the built-in binary as was done for Bisq Bisq: The P2P Exchange Network

Possibly merge these threads together cwtch messaging - #7 by huwaqu

1 Like


1 Like

#324 - Whonix: Cwtch halts on Splash Screen when attempting to Start Tor - cwtch-ui - Open Privacy Gitea

Notified them about this thread.

1 Like


Related to Cwtch on Whonix, maybe it is even close as per last comment on the above issue. Maybe it is already working if someone wants to try.

1 Like

There is an issue for the Cwtch docs to add Whonix and Tails instruction to the “Advanced Tor Configuration” section

[url I can’t post as a new user]/

1 Like


When using tor, use onion, because their plain domain blocks tor exits.

1 Like

Trying out cwtch.

Click on the onion on the top right corner > Enable Advanced Tor Configuration > Custom SOCKS Port 9101 > Custom Control Port > 9051.

Then on the gateway, enable onion-grater debug mode.
Then see logs to allow what is required.

Currently trying it out, UI is much better than Briar and also has option to specify the aforementioned torrc parameters from the menu, which Briar and many other tor applications does not have.

1 Like

It requires:

GETCONF DisableNetwork
GETINFO network-liveness
GETINFO status/bootstrap-phase
ADD_ONION ED25519-V3:ONIONPRIVKEY Flags=DiscardPK,Detach Port=9878,

I didn’t see the ADD_ONION NEW, maybe cwtch creates the onion keys instead of expecting some key from tor.

About the random target port, need to search the source code for the range or ports because cwtch can have multiple profiles.

The virtual port is probably fixed for cwtch and that is better for connections when the virtual port is known.

If someone wants to try later today, would be cool, else I would need to message myself with different disposable workstations.


The target port does not seem to be capped, for me ranged more than 20k ports… bug upstream later

1 Like

For some reason it still can’t connect.

$ LOG_LEVEL=debug ~/.local/bin/cwtch
2022/10/14 16:38:32 tor/BaseOnionService.go [DBUG] running garbage collection...
2022/10/14 16:38:39 plugins/networkCheck.go [DBUG] publishing network error for tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd -- ActionTimedOutError
2022/10/14 16:38:39 utils/eventHandler.go [DBUG] New Profile Event to Handle: &{{NetworkError 4233632878 map[Error:ActionTimedOutError Onion:tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd Status:Error]} tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd}
2022/10/14 16:38:43 plugins/networkCheck.go [DBUG] publishing network error for tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd -- socks connect tcp>tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd.onion:9878: unknown error unknown code: 242
2022/10/14 16:38:43 utils/eventHandler.go [DBUG] New Profile Event to Handle: &{{NetworkError 3428761036 map[Error:socks connect tcp>tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd.onion:9878: unknown error unknown code: 242 Onion:tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd Status:Error]} tdgwzcrk7rbwpjirwxxew5jy425cuvmvx7u4njcr4rl3ocfyykqqkvyd}
2022/10/14 16:39:00 tor/BaseOnionService.go [DBUG] Error connecting to e5udu4awsqphjzyjjraikesqlcpqva6htbgdczudld34owbefidl2oyd socks connect tcp>e5udu4awsqphjzyjjraikesqlcpqva6htbgdczudld34owbefidl2oyd.onion:9878: unknown error TTL expired

Another things is that onion-grater replies that the net/listeners/socks is, and cwtch tries to use it over the specified SocksPort.

tor/BaseOnionService.go [DBUG] Error connecting to e5udu4awsqphjzyjjraikesqlcpqva6htbgdczudld34owbefidl2oyd socks connect tcp>e5udu4awsqphjzyjjraikesqlcpqva6htbgdczudld34owbefidl2oyd.onion:9878: unknown error unknown code: 242
1 Like

I feel noob now, forgot to open port on the WS firewall.

Edit: still can’t connect :frowning:

Edit2: cwtch binds to, not

user@host:~$ curl
curl: (1) Received HTTP/0.9 when not allowed

user@host:~$ qubesdb-read /qubes-ip
user@host:~$ curl.anondist-orig $(qubesdb-read /qubes-ip):26469
curl: (7) Failed to connect to port 26469: Connection refused


1 Like

Their controller library is at http://gitopcybr57ris5iuivfz62gdwe2qk5pinnt2wplpwzicaybw73stjqd.onion/openprivacy/bine

It will later be used by use to see which commands should be allowed.

1 Like


This is to avoid telling TB all the socks listener on Whonix-Gateway. Many. Not useful information.

      - pattern: 'net/listeners/socks'
        - pattern:     '250-net/listeners/socks=".*"'
          replacement: '250-net/listeners/socks=""'

So the SocksPort hiding feature isn’t built-in. It’s also just an onion-grater profile. Even though the default one.

But maybe not important enough. If it confuses cwtch, then feel free to remove that (if that works) or replace with something more suitable. Or maybe the cwtch onion-grater profile could overrule that as required.

Also in case anyone doesn’t know yet, this might be useful to know…

  • A) /etc/onion-grater-merger.d
  • B) /etc/onion-grater.d

Might be useful to look at the profile which onion-grater is actually going to use. See file:


Generally, we shouldn’t require applications to suite Whonix if that is avoidable. Ideally onion-grater is modified instead. This is because by default, applications are unaware of Whonix and talk to Tor’s ControlPort. Whonix / Tails adding onion-grater in between as a proxy is another layer of complexity. But now if applications are adding their own logic to react different in case of anonymity distribution versus non-anonymity distribution, that makes his even more entangled.

#550 - cwtch overwrites custom torrc options with replies from controller - cwtch-ui - Open Privacy Gitea

Thanks for this information. Is there a standard way of discovering this this from Whonix?

Not from the Workstation and that is the objective.

Which information? About which Tor SocksPorts can be discovered through Tor control protocol? If yes, then Whonix would be better off having an optional cwtch onion-grater profile to show any ports which cwtch would be interested in.

cwtch (or similar applications) could also share Tor Browser’s default IP port 9150. (If these are cwtch’s defaults. I didn’t check.) This is because Tor Browser sets a socks user name anyhow. (A different socks user name per top level domain at time of writing afaik.) Based on Tor’s IsolateSOCKSAuth feature. So sharing that port isn’t a big deal.

A feature which Tor friendly applications would be good would be to set their own socks user name to benefit from Tor’s IsolateSOCKSAuth feature. Ideally contextually a different Tor socks user name. The context be for example could be “connection to server 1 versus connection to server 2”. Then even in theory if Tor socks user name setting feature was broken, Tor still stream isolate the traffic.

These are features that can be required without needing to mention Whonix. These are for the benefit of any user anywhere. Unrelated to Whonix. Often this motivates some upstreams more.

Another common issue of Tor friendly applications versus Whonix is the listen interface. Does their web server (such as in case of OnionShare) (or other server for chat) listen on That cannot work. It needs to listen on all interfaces. (Technical nitpick: on Whonix-Workstation external interface.)

related wiki pages:

It makes Cwtch uses the one replied by the controller, even if I specify for Cwtch another port, it will ignore because it thinks the controller has the most updated option.

Yes but if we use an onion-grater profile for Cwtch, then it will be applied for every WS unless host is specified in the onion-grater profile. I don’t believe Whonix should display all SocksPorts and the let the Workstation choose, I believe the best method is to specify and the program follow the directions.

But then Which SocksPort will be used by Cwtch? The first it gets? The second? the last? It will probably use a SocksPort that another application is already using.

Ok, that is one point. Another point is that every other application that query the controller will also use that port.

Cwtch does not have that yet as far as I know but could be a good feature request. Upstream are replying fast to my posts.
And yes, SOCKSAuth is tor’s default isolation flag so it is best to use it then to hope another isolation flag has to be optionally specified.

I tried… but some are quite Whonix specific like the listen interface.

Yes as per mentioned here http://gitopcybr57ris5iuivfz62gdwe2qk5pinnt2wplpwzicaybw73stjqd.onion/
Asked them to make it a variable.
But if they prefer Whonix ™ friendly applications best practices detecting Whonix, then that is also ok.

1 Like

I don’t think upstream changing the UI (user interface) is the best solution. Then users always would have to do some manual settings.

Better would be to have this automated as much as possible. Better solutions would be:


  • easier to implement for upstream
  • no upstream UI changes required
  • non-Whonix users cannot choose the wrong option in UI (more fail-safe, upstream might like that too)
  • could even be easy enough so a patch / pull request could be contributed

Until/if this gets implemented by upstream to change the listen interface from localhost to external interface a workaround might be possible using:


There might be discussions in the forums / examples in Whonix source code on how to use it.

Actually no SocksPort at all. Nowadays unix domain socket files should be preferred. Even for non-Whonix. Also Tor Browser nowadays is using unix domain socket files. In context of non-Whonix, it provides better protections from leaks. And then Tor Settings Autodetection?

There is no Cwtch configuration file I could find…
In the ~/.cwtch/tor/torrc, we can change ControlPort and SocksPort.
Updated upstream to automate the process to also be easier for them #553 - option to bind target port to - cwtch-ui - Open Privacy Gitea

I will try this but they need to limit the target ports first, because every time I have to do see which was the target port it binded to to open the firewall port.

But that doesn’t solve the problem of Stream Isolation and also Cwtch is onion traffic only, their torrc has SocksPort 9050 OnionTrafficOnly.
Cwtch has no problem using the one replied from the controller (9050), and I think mentiong unix domain sockets is only good if they are already using it, which I don’t think they are.

1 Like

How-to: Open All Ports in Whonix-Workstation ™ Firewall


Streams are going to be isolated even if using 9050 which should be unused by default. Except when there’s already a different custom installed application using the same port. Even 9151 would be stream isolated since Tor Browser uses IsolateSOCKSAuth. Surely non-ideal but a very good start.

Could you please make a feature request for the socks user name setting or perhaps better to not post too many tickets in a short time?