find way to have Tor ephemeral hidden service using applications in Whonix-Workstation bind on all interfaces


ID: 561
PHID: PHID-TASK-tw2utvdizhtry4osfbuu
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal


For example, onionshare binds its webserver on

That cannot work because it needs to bind on the external IP.


  • a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.

  • b) Some solution using bindp.

    BIND_ADDR="" LD_PRELOAD=/home/user/bindp/ onionshare a

(tested to work)

Not great, not generic.

  • c) An iptables based solution that requires net.ipv4.conf.all.route_localnet=1.

What are the security implications of net.ipv4.conf.eth0.route_localnet=1 / route_localnet?

Not great, not generic.

  • d) socat listeners, for example:

    socat TCP-LISTEN:17600,bind=,fork TCP:

    • Loads of socat listeners. At some point they could even eat too much RAM if they become too many.
    • Could be made conditional by only loading these listeners if onionshare is installed. (Not great when installed inside template and not all Whonix-Workstations use onionshare.)
    • EDIT: Perhaps not that many socat listeners by using systemd socket activation.
    • related: port anon-ws-disable-stacked-tor to systemd socket activation T623

  • e) something better?


  • f) write draft for local listener standard on debian-devel T635
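A worked version of the socket-activated variant of d), added here as an illustration and not part of the task or of any Whonix package: systemd owns the listening socket on all interfaces and only spawns a forwarder on the first connection, and the forwarder is systemd-socket-proxyd (shipped with systemd) instead of socat. Assumptions: port 17600 on both sides, the application listening on 127.0.0.1:17600, onionshare installed at /usr/bin/onionshare, and Debian's /lib/systemd path for the proxy binary.

```ini
# /etc/systemd/system/onionshare-forward.socket  (constructed example)
[Unit]
Description=Listen on all interfaces for onionshare and forward to localhost
# Only install the listener where onionshare actually exists (assumed path),
# so a template-wide unit stays inert on workstations without it.
ConditionPathExists=/usr/bin/onionshare

[Socket]
# No address given: bind on all interfaces, port from the socat example above.
ListenStream=17600
# Accept=no: a single proxy process serves every connection, so there is no
# per-connection process (and no RAM) until the first client connects.
Accept=no

[Install]
WantedBy=sockets.target

# /etc/systemd/system/onionshare-forward.service  (constructed example)
[Unit]
Description=Forward external port 17600 to the local-only listener
Requires=onionshare-forward.socket
After=onionshare-forward.socket

[Service]
# Target is the application's localhost listener (assumed to be 127.0.0.1:17600).
ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:17600
# The proxy needs nothing on disk; tighten it down.
PrivateTmp=yes
ProtectSystem=strict
NoNewPrivileges=yes
```

Enable with `systemctl enable --now onionshare-forward.socket`; each additional application port needs its own .socket/.service pair, but unlike a fork-per-port socat they cost nothing until used.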



2017-01-10 08:49:04 UTC


2017-01-10 08:54:59 UTC


2017-01-10 10:08:22 UTC


2017-01-10 10:14:09 UTC


2017-01-10 23:58:09 UTC


2017-01-11 18:30:46 UTC


2017-02-13 18:36:47 UTC