Specifically for yax.im I had to create a rule that allowed out to tcp 212.21.75.16:5222 Plus change around rule order.
Otherwise i kept getting Connection Lost?
I created a Debian 10 StandaloneVM in Qubes and installed https://packages.debian.org/buster/dino-im
I’m going to try experimenting with dino-im in Whonix 15. Maybe I’ll get lucky.
Installed dino-im in Whonix-ws-15 and not able to connect. There are no logs showing my firewall is blocking dino. I set deb-10-standalone netvm to my whonix-gw-15-standalone and still no connection. (deb-10-standalone was the VM that i got dino working in). So it has to be either whoinx-gw or Tor causing the issue.
Whonix-ws-15-standalone
user@host:~$ env G_MESSAGES_DEBUG=all dino-im
(process:8379): Gtk-WARNING **: 01:20:46.324: Locale not supported by C library.
Using the fallback 'C' locale.
(dino-im:8379): dbind-WARNING **: 01:20:46.332: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was not provided by any .service files
(dino-im:8379): GLib-GIO-DEBUG: 01:20:46.334: Failed to initialize portal (GNetworkMonitorPortal) for gio-network-monitor: Not using portals
(dino-im:8379): GLib-GIO-DEBUG: 01:20:46.336: Failed to initialize networkmanager (GNetworkMonitorNM) for gio-network-monitor:
(dino-im:8379): Gtk-DEBUG: 01:20:46.371: Connecting to session manager
(dino-im:8379): Gtk-DEBUG: 01:20:46.372: Failed to get the GNOME session proxy: The name org.gnome.SessionManager is not owned
(dino-im:8379): Gtk-DEBUG: 01:20:46.372: Failed to get the Xfce session proxy: The name org.xfce.SessionManager is not owned
(dino-im:8379): Gtk-DEBUG: 01:20:46.373: Failed to get an inhibit portal proxy: The name org.freedesktop.portal.Desktop is not owned
CONNECTION LOST?
Debina-10-standalone with Whonix-Gateway as netvm.
user@deb-10-clone:~$ dino-im
(dino-im:1106): GLib-GIO-DEBUG: 21:35:24.174: Failed to initialize portal (GNetworkMonitorPortal) for gio-network-monitor: Not using portals
(dino-im:1106): GLib-GIO-DEBUG: 21:35:24.176: Failed to initialize networkmanager (GNetworkMonitorNM) for gio-network-monitor:
(dino-im:1106): Gtk-DEBUG: 21:35:24.229: Connecting to session manager
(dino-im:1106): Gtk-DEBUG: 21:35:24.230: Failed to get the GNOME session proxy: The name org.gnome.SessionManager is not owned
(dino-im:1106): Gtk-DEBUG: 21:35:24.230: Failed to get the Xfce session proxy: The name org.xfce.SessionManager is not owned
(dino-im:1106): Gtk-DEBUG: 21:35:24.231: Failed to get an inhibit portal proxy: The name org.freedesktop.portal.Desktop is not owned
[account-creation@yax.im] New connection with resource dino.7932b5cf: 0x5ac5bec724f0
CONNECTION LOST?
[account-creation@yax.im] Error: Temporarily unable to resolve “_xmpp-client._tcp.yax.im”
[account-creation@yax.im] Check reconnect in 3 sec
[account-creation@yax.im] New connection with resource dino.7932b5cf: 0x5ac5beec0bd0
CONNECTION LOST?
[account-creation@yax.im] Error: Temporarily unable to resolve “_xmpp-client._tcp.yax.im”
[account-creation@yax.im] Check reconnect in 3 sec
[account-creation@yax.im] New connection with resource dino.7932b5cf: 0x5ac5bee24d10
CONNECTION LOST?
[account-creation@yax.im] Error: Temporarily unable to resolve “_xmpp-client._tcp.yax.im”
[account-creation@yax.im] Check reconnect in 3 sec
Tested: Doesn’t work with WS firewall completely disabled nor with a VPN enabled (in case it needed UDP DNS for some reason?)
Now that any type of DNS can be resolved over Tor as per MX / SRV / DNSSEC / any DNS requests over Tor / DNSCrypt - #17 by Patrick you could continue testing and working with upstream.
However, since dino-im does not even work over clearnet (as tested by @0brand), it looks that could be a lost cause.
Perhaps report a separate bug for the clearnet related connectivity issues? Metnion no Tor is involved to avoid confusion (by just using the same user name and being mentally labeld as “ah Tor issue”). Don’t do it for me though. Only if you’d like to use dino-im (inside Whonix). I haven’t made friends with dino-im just yet. Just solving some generally interesting issues (which was DNSCrypt over Tor).
I thought it didn’t work on Debian templates behind NetVM without some config changes? Technically it hasn’t been tested on a plain Debian system.
Nonetheless things are defintely more interesting now with the options for DNS over Tor. Perhaps libresolv can be used with Gajim to avoid it going through TransPort.
Doesn’t help with that. libresolv is more for use cases like “no Tor DnsPort but custom DNS resolver and TransPort”.
That is rather Managing programs without Tor DNS Support / orjail / GitHub - orjail/orjail: a more secure way to force programs to exclusively use tor network.
Dino was working in a Debian 10 StandaloneVM behind sys-firewall posted here in the dino forum. All tests in Whonix failed .
Just tested dino-im in qubes-whonix and here is the result of the test:
Install it from debian buster-backport in order to make it work. Stable repo installation will lead to connection failure over Tor.
Do Not install it using apt install dino-im because it will show you a hell of dependencies , use instead apt install --no-install-recommends dino-im
It doesnt support connection for hidden services addresses #666.
It doesnt support for modifying/steric the connection to specific IP and Port #115.
It logs the chat history in plain text and cant be deleted/disabled #742 , #651.
Not aware of supporting Tor or proxies by default since the start of the app this give indication of not very good experience/care on privacy/anonymity level from their devs.
Their development speed some what medium-slow 246 opened tickets , 339 closed.
Maybe Further testing needed for e.g:
That’s great news! The other stuff you point out are relatively minor nitpicks that can be solved with time. This is the only modern looking and viable desktop client at the moment.
Can you please open a ticket for socks5 support?
they suggested many stuff related , lets see how they are advancing.
Its better to avoid these security garbage apps, just because its working doesnt mean its secure (as shown from some tickets). Until their devs learn some security practices this app is garbage and bad security app for whonix users.
Note: another bug discovered that one you login over Tor for the first time (first time creating account) then you cant login again due to drop connection. (Reported through IRC)
Please don’t demean anybody’s work without an informed opinion by an expert security auditor.
I’m confused. Is this about the backports version?
It clear like the sun in the middle of the day, doesnt need security consultation on obvious things.
i will simplify:
OK so I wouldn’t count that as working.
Can you try registering a new account with a different service server to the ones they bundle and see if they block connections?
Doesnt matter same thing.
HulaHoop via Whonix Forum:
Hi. I’ve had success with dino from backports. I can sign in, add contacts and have conversations. OMEMO works with other dino im users, but the people on Gajim cannot exchange keys with dino. Apps have nuances in how they implement OMEMO and it’s causing breakage across the ecosystem.
Can’t post links.
Google the article OMEMO is broken in general across the ecosystem on monal’s blog.
There aren’t any OMEMO clients on MacOS or iOS that are bug free and easy to use. Some servers like jabber de have a web chat feature with OMEMO running in a browser.
Thanks for the report. I will update the docs and see if upstream can get its act together.
Tasks remaining:
A default install won’t happen before Debian Bullseye at the earliest since we don’t carry backports.
Consider if worth documenting in the mean time
File report about OMEMO incompatibility upstream. EDIT: Already noted and being worked on
See what needs to be done to support isolated streams. EDIT: No longer a blocker according to the Default App Support policy
Asked where keys are stored for documenting backup/restore purposes: Migrating key material · Issue #850 · dino/dino · GitHub
- Dino IM is the best option currently. It provides the best UX, a modern and clean look and OMEMO support.
It’s planned for inclusion by default in Whonix 16.
Should be installed in milestone_whonix_16 by default?
(If it doesn’t have a milestone on phabricator or discourse forums, it will potentially be forgotten by that time.)
Yeah.
OK saw that. Adding tags is available when editing the topic title.
at this point, if it’s an instant messenger that works without hassle, even if it is limited to people using the same damn client software, i’m cool with it. instant message client’s have been the bane of my existence when it’s come to having timely complete documentation.