Cwtch messaging

I don’t think upstream changing the UI (user interface) is the best solution. Then users would always have to do some manual settings.

Better would be to have this automated as much as possible. Better solutions would be:

Advantages:

  • easier to implement for upstream
  • no upstream UI changes required
  • non-Whonix users cannot choose the wrong option in UI (more fail-safe, upstream might like that too)
  • could even be easy enough so a patch / pull request could be contributed

Until/if this gets implemented by upstream, to change the listen interface from localhost to the external interface a workaround might be possible using:

bindp

There might be discussions in the forums / examples in Whonix source code on how to use it.

Actually no SocksPort at all. Nowadays unix domain socket files should be preferred. Even for non-Whonix. Also Tor Browser nowadays is using unix domain socket files. In context of non-Whonix, it provides better protections from leaks. And then Tor Settings Autodetection?

There is no Cwtch configuration file I could find…
In the ~/.cwtch/tor/torrc, we can change ControlPort and SocksPort.
Updated upstream to automate the process to also be easier for them #553 - option to bind target port to 0.0.0.0 - cwtch-ui - Open Privacy Gitea

I will try this but they need to limit the target ports first, because every time I have to see which target port it bound to in order to open the firewall port.

But that doesn’t solve the problem of Stream Isolation and also Cwtch is onion traffic only, their torrc has SocksPort 9050 OnionTrafficOnly.
Cwtch has no problem using the one replied from the controller (9050), and I think mentioning unix domain sockets is only good if they are already using it, which I don’t think they are.

1 Like

How-to: Open All Ports in Whonix-Workstation ™ Firewall

Great!

Streams are going to be isolated even if using 127.0.0.1 9050 which should be unused by default. Except when there’s already a different custom installed application using the same port. Even 127.0.0.1 9151 would be stream isolated since Tor Browser uses IsolateSOCKSAuth. Surely non-ideal but a very good start.

Could you please make a feature request for the socks user name setting or perhaps better to not post too many tickets in a short time?

I will wait for a SOCKSAuth request so they do the base first and have some time to “relax” of doing anonymity distribution requests.

1 Like

Is Cwtch (v. 1.10) currently usable with the Whonix gateway (running from the Whonix workstation)? If so, what should be the ‘advanced tor configuration’?

  • socks port
  • control port
  • " and specify further options by entering custom torrc options"

The issues I opened were not closed so I don’t believe so.
About the advanced tor configuration, it won’t fix the problem as the address the onion service is binding to is unreachable by the Whonix Gateway.

1 Like

Cwtch is aiming to support Tails, using onion-grater.

This is good for Whonix also.
Blocker is host binding.

1 Like

Whonix support is ready for testing :smiley:

1 Like

Nice, but it is still nightly and the guide is incomplete.

Follow Running Cwtch on Whonix | The Cwtch Handbook

Note the guide is missing some things.

It is missing EXTERNAL_OPEN_PORTS for whonix-firewall. Use the same pattern as for onionshare.

EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "

Reload the firewall

sudo whonix_firewall

Later, the onion-grater profile is not properly formatted: the pattern and replacement lines need to be indented and aligned with each other.
The second issue with the profile is that everything after exe-paths needs to be indented according to exe-paths, not on the first column.

This is the one I am using correctly indented:

# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern

---
- exe-paths:
    - '*'
  users:
    - '*'
  hosts:
    - '*'
  commands:
    AUTHCHALLENGE:
      - 'SAFECOOKIE .*'
    SETEVENTS:
      - 'CIRC WARN ERR'
      - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
    GETINFO:
      - 'net/listeners/socks'
      - '.*'
    GETCONF:
      - 'DisableNetwork'
    SETCONF:
      - 'DisableNetwork.*'
    ADD_ONION:
      - '.*'
    DEL_ONION:
      - '.+'
    HSFETCH:
      - '.+'
  events:
    CIRC:
      suppress: true
    ORCONN:
      suppress: true
    INFO:
      suppress: true
    NOTICE:
      suppress: true
    WARN:
      suppress: true
    ERR:
      suppress: true
    HS_DESC:
      response:
        - pattern:     '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
          replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
        - pattern:     '650 HS_DESC UPLOAD (\S+) (\S+) .*'
          replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
        - pattern:     '650 HS_DESC UPLOADED (\S+) (\S+) .+'
          replacement: '650 HS_DESC UPLOADED {} {} redacted'
        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH'
          replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
          replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
        - pattern:     '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
          replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
        - pattern:     '.*'
          replacement: ''
    HS_DESC_CONTENT:
      suppress: true

If everything is fine with the profile, running /usr/lib/onion-grater-merger will not throw errors.

The rest of the guide is fine.

Download the recommended nightly build.
Extract it to ~/.local/lib/cwtch

env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true LOG_LEVEL=debug ~/.local/lib/cwtch/cwtch

It didn’t fail to connect to tor but I couldn’t send messages, it says the contact is offline. I did not find any relevant information with log level debug to report.

Also, it is necessary to close the application properly via the X of the application, not the window manager, for a proper shutdown, else:

tor/torProvider.go [ERR ] 550 Unspecified Tor error: Onion address collision - Recovering, but this probably indicates some weird tor configuration issue...

Because it is not running DEL_ONION when closing the application improperly.

This is not proper feedback. If someone can submit upstream, your logs would help the development.

1 Like
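To make the HS_DESC response rules in the profile above concrete, here is an added Python example (my code, not from this thread, onion-grater or Cwtch) that replays those rules over a few constructed controller event lines. It assumes onion-grater semantics of "first matching rule wins", matching anchored to the whole line (which is what the two separate REQUESTED rules imply), and the replacement's {} slots filled with the pattern's capture groups. The final '.*' -> '' rule is why every other HS_DESC event is dropped before it reaches Cwtch, and check_rules catches the one editing mistake that breaks a profile only at runtime: more {} slots than capture groups.

```python
import re

# Constructed copy of the HS_DESC response rules from the profile above,
# in file order: (pattern, replacement).
HS_DESC_RULES = [
    (r'650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)',
     '650 HS_DESC CREATED {} {} {} redacted {}'),
    (r'650 HS_DESC UPLOAD (\S+) (\S+) .*',
     '650 HS_DESC UPLOAD {} {} redacted redacted'),
    (r'650 HS_DESC UPLOADED (\S+) (\S+) .+',
     '650 HS_DESC UPLOADED {} {} redacted'),
    (r'650 HS_DESC REQUESTED (\S+) NO_AUTH',
     '650 HS_DESC REQUESTED {} NO_AUTH'),
    (r'650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+',
     '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'),
    (r'650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+',
     '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'),
    # catch-all: anything not listed above is dropped
    (r'.*', ''),
]


def check_rules(rules):
    """Return a list of problems found in (pattern, replacement) pairs.

    A replacement with more {} slots than the pattern has capture groups
    raises IndexError the first time the rule matches, so it is worth
    catching before the profile is installed."""
    problems = []
    for pattern, replacement in rules:
        groups = re.compile(pattern).groups
        slots = replacement.count('{}')
        if slots > groups:
            problems.append(f'{pattern!r}: {slots} slots but only {groups} groups')
    return problems


def rewrite_event(line, rules=HS_DESC_RULES):
    """Apply the first rule whose pattern matches the whole line (assumed
    onion-grater behaviour) and fill its replacement with the captured
    groups. Returns None when the rewritten line is empty, i.e. the event
    is dropped; an unmatched line passes through unchanged."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, line)
        if m:
            out = replacement.format(*m.groups())
            return out if out else None
    return line


def filter_events(lines, rules=HS_DESC_RULES):
    """Run every event line through the rules and keep the survivors."""
    kept = []
    for line in lines:
        out = rewrite_event(line, rules)
        if out is not None:
            kept.append(out)
    return kept


# Constructed sample events; onion addresses, HSDir and descriptor ids are
# made up and do not follow the real field format exactly.
SAMPLE_EVENTS = [
    '650 HS_DESC CREATED exampleonion UNKNOWN hsdir1 descid1 HSDIR_INDEX=abcd',
    '650 HS_DESC UPLOAD exampleonion UNKNOWN hsdir1 descid1',
    '650 HS_DESC UPLOADED exampleonion UNKNOWN hsdir1',
    '650 HS_DESC REQUESTED peeronion NO_AUTH',
    '650 HS_DESC REQUESTED peeronion NO_AUTH hsdir2 descid2',
    '650 HS_DESC RECEIVED peeronion NO_AUTH hsdir2 descid2',
    '650 HS_DESC FAILED peeronion NO_AUTH hsdir2 descid2 REASON=NOT_FOUND',
]

if __name__ == '__main__':
    for problem in check_rules(HS_DESC_RULES):
        print('bad rule:', problem)
    for line in filter_events(SAMPLE_EVENTS):
        print(line)
```

Running it shows the HSDir and descriptor identifiers replaced with "redacted" while the onion address and status fields survive, and the FAILED event disappearing entirely; if you edit a rule and the slot count no longer matches the groups, check_rules reports it before onion-grater would have crashed on the first matching event.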

Cwtch is working on Whonix.

2 Likes

It was failing because the onion-grater profile was not rewriting to the client address; the pull request to the Cwtch docs above fixes this.

2 Likes

Excellent!

Feature requests:

  • send a pull request to onion-grater so we ship the cwtch profile in Whonix by default
  • open a feature request for cwtch to set the variables CWTCH_TAILS, CWTCH_RESTRICT_PORTS and CWTCH_BIND_EXTERNAL_WHONIX automatically if Whonix was detected. That could be based on testing whether the file /usr/share/anon-ws-base-files/workstation exists.

related:
Whonix ™ friendly applications best practices chapter Programmatically Detecting Whonix ™ in Whonix wiki

What’s the point of LD_LIBRARY_PATH?

Will do once it is improved. It is not hardened, it is just “working” as of now.

What I don’t like about the profile:

  commands:
    GETINFO:
      - '.*'
    SETCONF:
      - 'DisableNetwork.*'

I see all those variables as necessary on Whonix, not optional, so system detection would be nice. They are already doing that with CWTCH_BIND_EXTERNAL_WHONIX, by blocking it if Whonix is not detected.

1 Like
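As an added example of the automatic detection proposed above (my code, not Cwtch's or Whonix's): a small Python launcher that sets the three variables only when the Whonix-Workstation marker file exists, and otherwise strips CWTCH_BIND_EXTERNAL_WHONIX from the environment so binding the onion service target to the external interface cannot be enabled by accident on a non-Whonix system. The install path ~/.local/lib/cwtch and the LD_LIBRARY_PATH value are taken from the launch command earlier in the thread; the marker path is the one suggested in the post; what each variable does is described only as far as the thread states it.

```python
import os
from pathlib import Path

# Marker file proposed in the thread for detecting Whonix-Workstation.
WHONIX_WS_MARKER = '/usr/share/anon-ws-base-files/workstation'

# Install location used by the launch command earlier in the thread.
CWTCH_HOME = Path.home() / '.local' / 'lib' / 'cwtch'


def is_whonix_workstation(marker=WHONIX_WS_MARKER):
    """True when the Whonix-Workstation marker file is present."""
    return os.path.isfile(marker)


def cwtch_env(base_env, cwtch_home=CWTCH_HOME, marker=WHONIX_WS_MARKER):
    """Build the environment for the cwtch binary from a copy of base_env.

    On Whonix the three variables from the thread are mandatory:
    CWTCH_TAILS selects the onion-grater based setup, CWTCH_RESTRICT_PORTS
    keeps the onion service target ports inside a known range (the one
    opened in whonix-firewall) and CWTCH_BIND_EXTERNAL_WHONIX binds that
    target to the external interface reachable from Whonix-Gateway.
    Elsewhere the external binding is removed even if the caller's shell
    had it set."""
    env = dict(base_env)
    cwtch_home = str(cwtch_home)
    env['LD_LIBRARY_PATH'] = f'{cwtch_home}/:{cwtch_home}/Tor'
    if is_whonix_workstation(marker):
        env['CWTCH_TAILS'] = 'true'
        env['CWTCH_RESTRICT_PORTS'] = 'true'
        env['CWTCH_BIND_EXTERNAL_WHONIX'] = 'true'
    else:
        env.pop('CWTCH_BIND_EXTERNAL_WHONIX', None)
    return env


def main():
    # Replace this process with cwtch under the computed environment.
    binary = str(CWTCH_HOME / 'cwtch')
    os.execve(binary, [binary], cwtch_env(os.environ))


if __name__ == '__main__':
    main()
```

Saved as a wrapper and run instead of the long env command, this gives the same result on Whonix as typing the variables by hand, while a copy of the same script on a plain Debian system starts Cwtch with its default local binding.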

Tails installation:

Tails onion-grater profile:

Forgot to change Whonix onion-grater profile…

But will wait to get a definitive profile.
Also, because the profile is repeated in the documentation and in another file, I think it should not be in the docs; code duplication will be forgotten.

1 Like

Thank you! Merged.

This is now in the testers repository.

1 Like