non-Whonix users cannot choose the wrong option in UI (more fail-safe, upstream might like that too)
could even be easy enough so a patch / pull request could be contributed
Until/if this gets implemented by upstream to change the listen interface from localhost to external interface a workaround might be possible using:
bindp
There might be discussions in the forums / examples in Whonix source code on how to use it.
Actually no SocksPort at all. Nowadays unix domain socket files should be preferred. Even for non-Whonix. Also Tor Browser nowadays is using unix domain socket files. In context of non-Whonix, it provides better protections from leaks. And then Tor Settings Autodetection?
I will try this, but they need to limit the target ports first, because every time I have to see which target port it bound to in order to open the firewall port.
But that doesn’t solve the problem of Stream Isolation and also Cwtch is onion traffic only, their torrc has SocksPort 9050 OnionTrafficOnly.
Cwtch has no problem using the one replied from the controller (9050), and I think mentioning unix domain sockets is only good if they are already using it, which I don’t think they are.
Streams are going to be isolated even if using 127.0.0.1 9050 which should be unused by default. Except when there’s already a different custom installed application using the same port. Even 127.0.0.1 9151 would be stream isolated since Tor Browser uses IsolateSOCKSAuth. Surely non-ideal but a very good start.
Could you please make a feature request for the socks user name setting or perhaps better to not post too many tickets in a short time?
Is Cwtch (v. 1.10) currently usable with the Whonix gateway (running from the Whonix workstation)? If so, what should be the ‘advanced tor configuration’?
socks port
control port
" and specify further options by entering custom torrc options"
The issues I opened were not closed so I don’t believe so.
About the advanced tor configuration, it won’t fix the problem as the address the onion service is binding is unreachable by the Whonix Gateway.
It is missing EXTERNAL_OPEN_PORTS for whonix-firewall. Use the same pattern as for onionshare.
EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "
Reload the firewall
sudo whonix_firewall
Later, the onion-grater profile is not properly formatted; the replacement lines need to be indented/aligned with replacement.
Second issue with the profile is everything after exe-path needs to be indented according to exe-path, not on the first column.
It didn’t fail to connect to tor, but I couldn’t send messages; it says the contact is offline. I did not find any relevant information with log level debug to report.
Also, it is necessary to close the application properly via the X of the application, not the window manager, for a proper shutdown, else:
tor/torProvider.go [ERR ] 550 Unspecified Tor error: Onion address collision - Recovering, but this probably indicates some weird tor configuration issue...
Because it is not running DEL_ONION when closing the application improperly.
This is not proper feedback. If someone can submit upstream, your logs would help the development.
send a pull request to onion-grater so we ship the cwtch profile in Whonix by default
open a feature request for cwtch to set variables CWTCH_TAILSCWTCH_RESTRICT_PORTS and CWTCH_BIND_EXTERNAL_WHONIX automatically if Whonix was detected. That could be based on testing whether the file /usr/share/anon-ws-base-files/workstation exists.
I see all those variables as necessary on Whonix, not optional, so system detection would be nice. They are already doing that with CWTCH_BIND_EXTERNAL_WHONIX, by blocking it if Whonix is not detected.
But will wait to get a definitive profile.
Also, because the profile is repeated in the documentation and in another file, I think it should not be in the docs; duplicated code will be forgotten.
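As an added example (not code from the Cwtch project or from Whonix), the two pieces discussed in this thread put together in one shell helper: the Whonix-Workstation detection via the marker file /usr/share/anon-ws-base-files/workstation, and generating the whonix-firewall EXTERNAL_OPEN_PORTS line for the 15000-15378 range in the same pattern as the onionshare drop-in, followed by the firewall reload. The function names, the drop-in path /etc/whonix_firewall.d/50_cwtch.conf and the range validation are my assumptions; the marker file, the port range and the `sudo whonix_firewall` reload are the ones given in the thread.

```shell
#!/bin/sh
# Added example, not Cwtch's or Whonix's own code: detect a Whonix-Workstation
# and write the whonix-firewall drop-in Cwtch's onion-service ports need.

# Marker file the thread suggests testing for. Overridable via the environment
# so the check can be exercised on a non-Whonix machine.
WHONIX_WS_MARKER="${WHONIX_WS_MARKER:-/usr/share/anon-ws-base-files/workstation}"

# Returns 0 (true) when running inside a Whonix-Workstation.
is_whonix_workstation() {
    [ -f "$WHONIX_WS_MARKER" ]
}

# Print the whonix-firewall config line opening a contiguous port range on the
# external interface, same pattern as the onionshare drop-in.
# Usage: firewall_rule_for_range 15000 15378
firewall_rule_for_range() {
    start="$1"
    end="$2"
    # Refuse anything that is not a plain integer, so a typo cannot turn into
    # an unexpected firewall rule.
    case "$start$end" in
        ""|*[!0-9]*)
            echo "firewall_rule_for_range: ports must be integers" >&2
            return 1 ;;
    esac
    # Refuse reversed or out-of-range bounds; opening too wide a range is the
    # failure mode to avoid here.
    if [ "$start" -lt 1 ] || [ "$end" -gt 65535 ] || [ "$start" -gt "$end" ]; then
        echo "firewall_rule_for_range: invalid range $start-$end" >&2
        return 1
    fi
    printf 'EXTERNAL_OPEN_PORTS+=" %s "\n' "$(seq -s ' ' "$start" "$end")"
}

# Write the drop-in and reload the firewall. Does nothing outside Whonix.
# The drop-in path is an assumption; adjust to the local firewall layout.
install_cwtch_firewall_dropin() {
    dropin="${1:-/etc/whonix_firewall.d/50_cwtch.conf}"
    if ! is_whonix_workstation; then
        echo "not a Whonix-Workstation; nothing to do" >&2
        return 0
    fi
    firewall_rule_for_range 15000 15378 | sudo tee "$dropin" >/dev/null
    # Reload the firewall so the new EXTERNAL_OPEN_PORTS take effect.
    sudo whonix_firewall
}
```

Run `install_cwtch_firewall_dropin` from a shell that has sourced the file; on a non-Whonix machine it exits without touching anything, which is the same fail-safe behaviour the thread asks upstream to build in for CWTCH_BIND_EXTERNAL_WHONIX.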