Flushing iptables once, else no connection

Using Whonix 15.0.1.4.9 libvirt for Debian, I had similar problems to tiredlexor’s: Tor is not yet fully bootstrapped. 30 % done

After nothing seemed to get blocked by iptables (nothing related showed up in journalctl), I again tried to flush and set the policy to allow for the chains. At least, I thought, it works like this.

What puzzles me is the following: Whonix connects fine after rebooting now, after having done the above once. I assumed it would stop working again, because it didn’t with the default policies in place from the start, right?

So here is my question, I guess … is this a good thing?

I am not sure about the implications of having it connect once without any rules in place. Any idea if I should try something else? And what is going on, even? I’m tired.

tl;dr:

  • gateway boots fine, but gets stuck at establishing tor connection at 30%
  • flushing iptables and setting chains to ALLOW “fixes” this, which is the only weird thing happening
  • after flushing/allowing once, then using default policies, it works
1 Like

Can you follow @Patrick’s debug instructions in the linked thread and post the logs? It will help us fix the problem

2 Likes

Nothing blocked shows up by default in systemd journal. This needs to be explicitly enabled.

Flush iptables inside Whonix-Gateway or the host?

No. Certainly not expected.

Please also check this:

1 Like

Let me start by thanking you for your replies! I really appreciate it.

I followed the instructions provided in the mentioned post, but I didn’t find anything mentioning iptable etc., but it wouldn’t be the first time for me to miss something. So I repeated the step. What’s the best way for posting logs here? I’ll try putting it into the details tag. This is on a cloned (i. e. fresh) gateway. I truncated it only a bit.

Log
-- Logs begin at Tue 2020-10-13 16:29:25 UTC, end at Tue 2020-10-13 16:33:31 UTC. --
Oct 13 16:29:25 host kernel: Linux version 4.19.0-10-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
    …
Oct 13 16:31:16 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=whonix-firewall comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:16 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=whonix-firewall-restarter comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:16 host systemd[1]: Started Whonix firewall loader.
Oct 13 16:31:16 host systemd[1]: Started Whonix firewall watcher.
Oct 13 16:31:16 host systemd[1]: Reached target Network (Pre).
Oct 13 16:31:16 host systemd[1]: Starting Raise network interfaces...
Oct 13 16:31:16 host firewall-restarter[684]: + set -e
Oct 13 16:31:16 host firewall-restarter[684]: + mkdir --parents /run/qubes-service
Oct 13 16:31:16 host firewall-restarter[684]: + mkdir --parents /run/sdwdate
Oct 13 16:31:16 host firewall-restarter[684]: + chown --recursive sdwdate:sdwdate /run/sdwdate
Oct 13 16:31:16 host firewall-restarter[684]: ++ mktemp
Oct 13 16:31:16 host firewall-restarter[684]: + inotifywait_subshell_fifo=/tmp/tmp.8LtAEKQ0hv
Oct 13 16:31:16 host firewall-restarter[684]: + rm --force /tmp/tmp.8LtAEKQ0hv
Oct 13 16:31:16 host firewall-restarter[684]: + mkfifo /tmp/tmp.8LtAEKQ0hv
Oct 13 16:31:16 host firewall-restarter[684]: + inotifywait_subshell_pid=700
Oct 13 16:31:16 host firewall-restarter[684]: + '[' -f /run/sdwdate/first_success ']'
Oct 13 16:31:16 host firewall-restarter[684]: + '[' -f /run/qubes-service/whonix-secure-proxy ']'
Oct 13 16:31:16 host firewall-restarter[684]: + read file_name
Oct 13 16:31:16 host firewall-restarter[684]: + wait 702
Oct 13 16:31:16 host firewall-restarter[684]: + inotifywait --quiet --recursive --monitor --event create --format %w%f /run/sdwdate/ /run/qubes-service/
Oct 13 16:31:16 host systemd[1]: Started Raise network interfaces.
Oct 13 16:31:16 host systemd[1]: Reached target Network.
Oct 13 16:31:16 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=networking comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:16 host systemd[1]: Starting Tor control port filter proxy...
Oct 13 16:31:16 host systemd[1]: Started Additional protections for Tor onion services.
Oct 13 16:31:16 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=vanguards comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:16 host systemd[1]: Starting Permit User Sessions...
Oct 13 16:31:16 host systemd[1]: Starting OpenVPN service...
Oct 13 16:31:16 host systemd[1]: Starting Anonymizing overlay network for TCP...
Oct 13 16:31:16 host systemd[1]: Started OpenVPN service.
Oct 13 16:31:16 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=openvpn comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:16 host systemd[1]: Started Permit User Sessions.
Oct 13 16:31:16 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-user-sessions comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:17 host systemd[1]: Condition check resulted in Light Display Manager being skipped.
Oct 13 16:31:17 host systemd[1]: Starting Ram Adjusted Desktop Starter...
Oct 13 16:31:17 host systemd[1]: Started Serial Getty on ttyS0.
Oct 13 16:31:17 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=serial-getty@ttyS0 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:17 host tor[735]: Oct 13 16:31:17.479 [notice] Tor 0.4.3.6 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Oct 13 16:31:17 host ram_adjusted_desktop_starter[736]: [INFO] If your host has little RAM, you are advised to reduce Gateway RAM to 256 MB. No graphical desktop environment will be started in that case. A Gateway without graphical desktop environment works as good as one with, it's just not that convenient. If you want, you can sometimes start a graphical desktop environment by toggling how much RAM is available to Gateway. Documentation about this feature can be found here: https://www.whonix.org/wiki/rads
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.695 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.696 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.696 [notice] Read configuration file "/etc/tor/torrc".
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.697 [notice] Included configuration file or directory at recursion level 2: "/usr/share/tor/tor-service-defaults-torrc.anondist".
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.825 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/".
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.825 [notice] Included configuration file or directory at recursion level 1: "/etc/torrc.d/".
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.825 [warn] Option 'DisableNetwork' used more than once; all but the last value will be ignored.
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.826 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Oct 13 16:31:18 host tor[735]: Oct 13 16:31:17.895 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Oct 13 16:31:18 host ram_adjusted_desktop_starter[736]: [INFO] Trying to start login manager (graphical desktop environment) lightdm...
Oct 13 16:31:17 host systemd[1]: Starting Light Display Manager...
Oct 13 16:31:18 host tor[735]: Configuration was valid
Oct 13 16:31:18 host lightdm[752]: Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files
Oct 13 16:31:18 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=lightdm comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:18 host systemd[1]: Started Light Display Manager.
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.764 [notice] Tor 0.4.3.6 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.764 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.764 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.764 [notice] Read configuration file "/etc/tor/torrc".
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.765 [notice] Included configuration file or directory at recursion level 2: "/usr/share/tor/tor-service-defaults-torrc.anondist".
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.765 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/".
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.765 [notice] Included configuration file or directory at recursion level 1: "/etc/torrc.d/".
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.765 [warn] Option 'DisableNetwork' used more than once; all but the last value will be ignored.
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.766 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.766 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Oct 13 16:31:18 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=rads comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:18 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=getty@tty1 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 13 16:31:18 host systemd[1]: Started Ram Adjusted Desktop Starter.
Oct 13 16:31:18 host systemd[1]: Started Getty on tty1.
Oct 13 16:31:18 host systemd[1]: Reached target Login Prompts.
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.979 [notice] You configured a non-loopback address '10.152.152.10:9050' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Oct 13 16:31:18 host tor[753]: Oct 13 16:31:18.979 [notice] You configured a non-loopback address '10.152.152.10:9100' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
    …
Oct 13 16:33:14 host vanguards[731]: NOTICE[Tue Oct 13 16:33:14 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 13 16:33:14 host vanguards[731]: NOTICE[Tue Oct 13 16:33:14 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 13 16:33:15 host vanguards[731]: NOTICE[Tue Oct 13 16:33:15 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 13 16:33:15 host vanguards[731]: NOTICE[Tue Oct 13 16:33:15 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
… repeating every second …
Oct 13 16:33:30 host vanguards[731]: NOTICE[Tue Oct 13 16:33:30 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 13 16:33:30 host vanguards[731]: NOTICE[Tue Oct 13 16:33:30 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 13 16:33:31 host audit[2448]: USER_ACCT pid=2448 uid=1000 auid=1000 ses=1 subj==unconfined msg='op=PAM:accounting grantors=pam_tally2,pam_permit acct="user" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Oct 13 16:33:31 host sudo[2448]:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/journalctl

Had I looked closer in the first place, I probably would have noticed vanguards panicking about tor needing descriptors. The only files/folders existing in /var/lib/tor are authdir, keys, lock and state. I went and booted up the previously mentioned gateway (which had its iptables flushed once) … on which the needed files exist. If I could guess I’d say they didn’t before flushing iptables (duh).

If you want, it would be my pleasure to repeat the process with something debugging it.

Inside the Whonix-Gateway.

I should have mentioned: TBB works fine on the host. Whonix worked fine on this specific host with Virtualbox, from which I wanted to finally migrate. I say worked, because I unfortunately removed it already. Could reinstall if necessary.

And of course I don’t want to waste your limited time! I just thought it would be a good idea to share my problem. So thank you again for your time and for creating this project in particular.

1 Like

Okay, now something happened. I wrote the previous post for an extended amount of time and had the fresh cloned gateway running in the background.
The first line about blocking something happened more than 10 minutes after booting:

Line of journalctl

Oct 13 16:42:45 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:d6:b7:84:52:54:00:47:16:7b:08:00 SRC=178.33.183.251 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=46857 DF PROTO=TCP SPT=443 DPT=33244 WINDOW=320 RES=0x00

Nearly 1000 lines like this appeared, surrounded by messages about it not finding the needed directory. It took until 17:11 (i. e. 30 minutes after the first block appearing) for those messages to disappear, and the gateway is now able to connect - without having to flush iptables etc.

So, maybe I just was(/am) too impatient? It does work now, which means in theory I am able to use the workstation, too. I’m not used to the first startup taking so long, so maybe that’s why I got confused. Did I just waste all of our time?

Update: Just wanted to add that I decided to replicate the scenario once again so I cloned another fresh gateway today and it obviously is stuck at 30% for a few hours now, so I guess I was lucky (or unlucky?) yesterday.
Or am I just missing something out of incompetence?

1 Like

Please post what you have from journalctl

2 Likes

It’s just the following messages (with the debugging messages obviously differing in details) repeating all the time. I guess those are the ones you’d need?

journal
Oct 14 17:43:11 host vanguards[704]: NOTICE[Wed Oct 14 17:43:11 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:11 host vanguards[704]: WARNING[Wed Oct 14 17:43:11 2020]: Tor daemon connection failed: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:12 host vanguards[704]: NOTICE[Wed Oct 14 17:43:12 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:12 host vanguards[704]: NOTICE[Wed Oct 14 17:43:12 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:13 host vanguards[704]: NOTICE[Wed Oct 14 17:43:13 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:13 host vanguards[704]: NOTICE[Wed Oct 14 17:43:13 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:14 host vanguards[704]: NOTICE[Wed Oct 14 17:43:14 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:14 host vanguards[704]: NOTICE[Wed Oct 14 17:43:14 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:14 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=212.47.229.2 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=45495 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:14 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=212.47.229.2 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=45496 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:14 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=45.66.33.45 DST=10.0.2.15 LEN=588 TOS=0x00 PREC=0x00 TTL=54 ID=59039 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:15 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=212.47.229.2 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=45497 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:15 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=45.66.33.45 DST=10.0.2.15 LEN=588 TOS=0x00 PREC=0x00 TTL=54 ID=59040 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:15 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=45.66.33.45 DST=10.0.2.15 LEN=588 TOS=0x00 PREC=0x00 TTL=54 ID=59041 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:15 host vanguards[704]: NOTICE[Wed Oct 14 17:43:15 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:15 host vanguards[704]: NOTICE[Wed Oct 14 17:43:15 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:15 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=212.47.229.2 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=45498 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:15 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=45.66.33.45 DST=10.0.2.15 LEN=588 TOS=0x00 PREC=0x00 TTL=54 ID=59042 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:16 host vanguards[704]: NOTICE[Wed Oct 14 17:43:16 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:16 host vanguards[704]: NOTICE[Wed Oct 14 17:43:16 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:16 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=212.47.229.2 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=45499 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:16 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=45.66.33.45 DST=10.0.2.15 LEN=588 TOS=0x00 PREC=0x00 TTL=54 ID=59043 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:17 host vanguards[704]: NOTICE[Wed Oct 14 17:43:17 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:17 host vanguards[704]: NOTICE[Wed Oct 14 17:43:17 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:18 host vanguards[704]: NOTICE[Wed Oct 14 17:43:18 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:18 host vanguards[704]: NOTICE[Wed Oct 14 17:43:18 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:18 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=212.47.229.2 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=45500 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:18 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=45.66.33.45 DST=10.0.2.15 LEN=588 TOS=0x00 PREC=0x00 TTL=54 ID=59044 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0 
Oct 14 17:43:19 host vanguards[704]: NOTICE[Wed Oct 14 17:43:19 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:19 host vanguards[704]: NOTICE[Wed Oct 14 17:43:19 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:43:20 host vanguards[704]: NOTICE[Wed Oct 14 17:43:20 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:43:20 host vanguards[704]: NOTICE[Wed Oct 14 17:43:20 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying 

Oct 14 17:51:20 host vanguards[704]: NOTICE[Wed Oct 14 17:51:20 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:51:20 host vanguards[704]: NOTICE[Wed Oct 14 17:51:20 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:51:21 host vanguards[704]: NOTICE[Wed Oct 14 17:51:21 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:51:21 host vanguards[704]: NOTICE[Wed Oct 14 17:51:21 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:51:21 host vanguards[704]: WARNING[Wed Oct 14 17:51:21 2020]: Tor daemon connection failed: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:51:22 host vanguards[704]: NOTICE[Wed Oct 14 17:51:22 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:51:22 host vanguards[704]: NOTICE[Wed Oct 14 17:51:22 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:51:23 host vanguards[704]: NOTICE[Wed Oct 14 17:51:23 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:51:23 host vanguards[704]: NOTICE[Wed Oct 14 17:51:23 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:51:23 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=212.47.229.2 DST=10.0.2.15 LEN=595 TOS=0x00 PREC=0x00 TTL=52 ID=45508 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0 
Oct 14 17:51:24 host vanguards[704]: NOTICE[Wed Oct 14 17:51:24 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:51:24 host vanguards[704]: NOTICE[Wed Oct 14 17:51:24 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:51:25 host vanguards[704]: NOTICE[Wed Oct 14 17:51:25 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:51:25 host vanguards[704]: NOTICE[Wed Oct 14 17:51:25 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 17:51:25 host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:5e:24:f6:52:54:00:7a:33:ae:08:00 SRC=45.66.33.45 DST=10.0.2.15 LEN=588 TOS=0x00 PREC=0x00 TTL=54 ID=59052 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0 
Oct 14 17:51:26 host vanguards[704]: NOTICE[Wed Oct 14 17:51:26 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 17:51:26 host vanguards[704]: NOTICE[Wed Oct 14 17:51:26 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...

Oct 14 17:56:13 host systemd[1]: Starting Cleanup of Temporary Directories...
Oct 14 17:56:13 host systemd-tmpfiles[5740]: [/usr/lib/tmpfiles.d/openvpn.conf:3] Duplicate line for path "/run/openvpn", ignoring.
Oct 14 17:56:13 host systemd-tmpfiles[5740]: [/usr/lib/tmpfiles.d/spice-vdagentd.conf:2] Line references path below legacy directory /var/run/, updating /var/run/spice-vdagentd → /run/spice-vdagentd; please update the tmpfiles.d/ drop-in file accordingly.
Oct 14 17:56:13 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 14 17:56:13 host audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 14 17:56:13 host systemd[1]: systemd-tmpfiles-clean.service: Succeeded.
Oct 14 17:56:13 host systemd[1]: Started Cleanup of Temporary Directories.

Oct 14 18:02:02 host vanguards[704]: NOTICE[Wed Oct 14 18:02:02 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 18:02:02 host vanguards[704]: WARNING[Wed Oct 14 18:02:02 2020]: Tor daemon connection failed: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 18:02:03 host vanguards[704]: NOTICE[Wed Oct 14 18:02:03 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 18:02:03 host vanguards[704]: NOTICE[Wed Oct 14 18:02:03 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 18:02:04 host vanguards[704]: NOTICE[Wed Oct 14 18:02:04 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 18:02:04 host vanguards[704]: NOTICE[Wed Oct 14 18:02:04 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 18:02:05 host sdwdate[745]: 2020-10-14 18:02:05 - sdwdate - INFO - The clock is sane.
Oct 14 18:02:05 host sdwdate[745]: Within build timestamp Wed 26 Aug 2020 04:08:09 PM UTC and expiration timestamp Tue 17 May 2033 10:00:00 AM UTC.
Oct 14 18:02:05 host sdwdate[745]: 2020-10-14 18:02:05 - sdwdate - WARNING - Tor is not yet fully bootstrapped. 30 % done.
Oct 14 18:02:05 host sdwdate[745]: Tor reports: WARN BOOTSTRAP PROGRESS=30 TAG=loading_status SUMMARY="Loading networkstatus consensus" WARNING="Connection timed out" REASON=TIMEOUT COUNT=1 RECOMMENDATION=ignore HOSTID="B4CAFD9CBFB34EC5DAAC146920DC7DFAFE91EA20" HOSTADDR="212.47.233.86:9001"
Oct 14 18:02:05 host vanguards[704]: NOTICE[Wed Oct 14 18:02:05 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1
Oct 14 18:02:05 host vanguards[704]: NOTICE[Wed Oct 14 18:02:05 2020]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
Oct 14 18:02:06 host vanguards[704]: NOTICE[Wed Oct 14 18:02:06 2020]: Vanguards 0.3.1 connected to Tor 0.4.3.6 using stem 1.7.1

Oct 14 17:57:12 host audit[5966]: USER_ACCT pid=5966 uid=1000 auid=1000 ses=1 subj==unconfined msg='op=PAM:accounting grantors=pam_tally2,pam_permit acct="user" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Oct 14 17:57:12 host sudo[5966]:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/bin/lsblk --noheadings --all --raw --output RO
Oct 14 17:57:12 host audit[5966]: USER_CMD pid=5966 uid=1000 auid=1000 ses=1 subj==unconfined msg='cwd="/home/user" cmd=2F62696E2F6C73626C6B202D2D6E6F68656164696E6773202D2D616C6C202D2D726177202D2D6F757470757420524F terminal=? res=success'
Oct 14 17:57:12 host audit[5966]: CRED_REFR pid=5966 uid=0 auid=1000 ses=1 subj==unconfined msg='op=PAM:setcred grantors=pam_tally2,pam_wheel,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Oct 14 17:57:12 host sudo[5966]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 14 17:57:12 host audit[5966]: USER_START pid=5966 uid=0 auid=1000 ses=1 subj==unconfined msg='op=PAM:session_open grantors=pam_permit,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Oct 14 17:57:12 host sudo[5966]: pam_unix(sudo:session): session closed for user root
Oct 14 17:57:12 host audit[5966]: USER_END pid=5966 uid=0 auid=1000 ses=1 subj==unconfined msg='op=PAM:session_close grantors=pam_permit,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Oct 14 17:57:12 host audit[5966]: CRED_DISP pid=5966 uid=0 auid=1000 ses=1 subj==unconfined msg='op=PAM:setcred grantors=pam_tally2,pam_wheel,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'

There are no other messages in between. If it’s a full log you want, I wouldn’t know how to post that on here properly, so any clue would be appreciated!

1 Like

iptables is strangely blocking connections from your guards AFAICT.

What version Whonix are you running and when did you notice this? What host OS are you using?

2 Likes

Do you use any firewall on the host operating system?

This is weird since these firewall rules have been unchanged for a very long time now and we didn’t have such reports before.

The probably most relevant firewall-related log entry seems to be this one:

Can you reproduce this too? @HulaHoop

1 Like

No, however I haven’t updated from 15.0.1.3.9 yet and I have ufwall on the host FWIW

2 Likes

I’m using 15.0.1.4.9 and noticed it about two days before I came here to post about it. Didn’t use Whonix for KVM earlier, Virtualbox worked fine before but that was another version. Running a Debian buster host.

Iptables normally, but I deactivated it.

1 Like

Did you import the Whonix-external network settings config? VBox is using the same network range; try uninstalling it, then attempt connecting again.

2 Likes

I did, actually.

Not installed anymore!

1 Like

Did you change any settings on Whonix-Gateway?

Modified something?

Hosting onion services?

Did you run tor from command line?

Whonix is using system Tor from the Debian tor package. User debian-tor is allowed to make external connections. Relevant parts…

whonix-firewall/whonix-gateway-firewall at master · Whonix/whonix-firewall · GitHub

   [ -n "$TOR_USER" ] || TOR_USER="$(id -u debian-tor)"

      NO_NAT_USERS+=" $TOR_USER"

   local no_nat_user
   for no_nat_user in $NO_NAT_USERS ; do
      $iptables_cmd -t nat -A OUTPUT -m owner --uid-owner "$no_nat_user" -j RETURN
   done

   for no_nat_user in $NO_NAT_USERS ; do
      $iptables_cmd -A OUTPUT -m owner --uid-owner "$no_nat_user" -j ACCEPT
   done

And then incoming connections are allowed.

$iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT

Long time ago we were using ESTABLISHED,RELATED but this was changed for hardening.

Maybe Tor, the Linux kernel or some other change I am unaware of now necessitates making that ESTABLISHED,RELATED again.

Otherwise I am at a loss why only now and only in your case the firewall is blocking this.

1 Like
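To line up the `Whonix blocked input4` journal lines posted earlier with the `--state ESTABLISHED` INPUT rule quoted above, the following added example (not part of any post in this thread and not Whonix project code) groups blocked packets by flow and marks the ones that look like replies to outbound connections. The function names, the ephemeral-port threshold and the sample log lines (RFC 5737 documentation addresses) are assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Matches journal lines written by the kernel with the "Whonix blocked ..." prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\s"
    r"(?P<prefix>Whonix blocked \w+):\s(?P<body>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
EPHEMERAL_MIN = 32768  # assumption: Linux default lower bound of ip_local_port_range


def parse_blocked(line):
    """Return a dict for one blocked-packet line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:                      # KEY=value pairs, e.g. SRC=..., OUT=
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:              # bare tokens; "DF" is an IP flag, skipped
            flags.add(tok)
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    port = lambda k: int(fields[k]) if fields.get(k, "").isdigit() else None
    return {"ts": m.group("ts"), "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"], "spt": port("SPT"), "dpt": port("DPT"),
            "flags": flags}


def classify(pkt):
    """Heuristic verdict for one blocked packet."""
    if pkt["proto"] != "TCP":
        return "non-tcp"
    if not pkt["flags"]:
        return "indeterminate"              # truncated line: TCP flags missing
    if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        return "inbound-syn"                # new connection attempt from outside
    if "ACK" in pkt["flags"] and (pkt["dpt"] or 0) >= EPHEMERAL_MIN:
        # Mid-stream segment addressed to a local ephemeral port: it reached the
        # logging rule, so conntrack did not classify it as ESTABLISHED.
        return "reply-like"
    return "other"


def summarize(lines):
    """Group blocked packets by (src, spt, dst, dpt); verdict is taken from
    the first packet seen for each flow."""
    flows = OrderedDict()
    for line in lines:
        pkt = parse_blocked(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["spt"], pkt["dst"], pkt["dpt"])
        entry = flows.setdefault(key, {"count": 0, "first": pkt["ts"],
                                       "verdict": classify(pkt)})
        entry["count"] += 1
        entry["last"] = pkt["ts"]
    return flows


def reply_like_flows(flows):
    """Flows whose blocked packets look like return traffic."""
    return [k for k, v in flows.items() if v["verdict"] == "reply-like"]


# Constructed sample input in the format of the journal excerpts in this thread.
_K = "host kernel: Whonix blocked input4: IN=eth0 OUT= MAC=52:54:00:00:00:01:52:54:00:00:00:02:08:00"
_T = "TOS=0x00 PREC=0x00 TTL=52"
SAMPLE_LOG = "\n".join([
    "Oct 14 17:43:14 host vanguards[704]: NOTICE[Wed Oct 14 17:43:14 2020]: Tor needs descriptors",
    f"Oct 14 17:43:14 {_K} SRC=203.0.113.10 DST=10.0.2.15 LEN=595 {_T} ID=1 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0",
    f"Oct 14 17:43:15 {_K} SRC=203.0.113.10 DST=10.0.2.15 LEN=595 {_T} ID=2 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0",
    f"Oct 14 17:43:15 {_K} SRC=198.51.100.7 DST=10.0.2.15 LEN=588 {_T} ID=7 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0",
    f"Oct 14 17:43:16 {_K} SRC=203.0.113.10 DST=10.0.2.15 LEN=595 {_T} ID=3 DF PROTO=TCP SPT=9001 DPT=52662 WINDOW=320 RES=0x00 ACK PSH URGP=0",
    f"Oct 14 17:43:16 {_K} SRC=198.51.100.7 DST=10.0.2.15 LEN=588 {_T} ID=8 DF PROTO=TCP SPT=443 DPT=48704 WINDOW=319 RES=0x00 ACK PSH URGP=0",
    f"Oct 14 17:43:17 {_K} SRC=192.0.2.50 DST=10.0.2.15 LEN=60 {_T} ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    # Truncated line without TCP flags, like the first excerpt posted above.
    f"Oct 14 17:43:18 {_K} SRC=192.0.2.77 DST=10.0.2.15 LEN=595 {_T} ID=4 DF PROTO=TCP SPT=443 DPT=33244 WINDOW=320 RES=0x00",
])

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(flow, info)
```

Run against a saved journal, a large share of `reply-like` flows points at connection tracking on the gateway rather than at unsolicited inbound traffic.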

Also tell us if you’ve tried connecting to a VPN on the GW or running any other setup than default.

1 Like

The only thing I changed (after the first time doing it with the standard amount) is the amount of RAM for the gateway + in the GW the lines for the logging to happen. That’s it, I swear.

I’m not hosting anything nor did I run tor from command line.

Nothing fancy like that. It’s like this:
boot fresh 15.0.1.4.9 Gateway XFCE (from .xz archive) → accepting terms → open console → sudoedit the logging settings for iptables → start the anon con wizard

That’s literally it.

Would it help if I’d try to use another version? I can compile it too, but I thought going with the currently available archive would be the best case for troubleshooting.

  • Perhaps try again after resetting Tor state to use other guards (@Patrick any steps for that?)

  • Try using bridges and report back?

1 Like

With bridges it gets connected a little bit faster (it’s still random) and it loses connection quite often (like it does without bridges), i. e. all these blocked addresses are still popping up, to the point I can’t even update/upgrade the system for the first time.

Thank you for all the answers so far, by the way! Appreciate it.

Little update: Just to rule out something weird on the host side I put a fresh Debian stable install on another set of hardware and it’s exactly the same there. shrugs

Almost forgot: AFAIA they change when you switch bridges? Still, tried it with a deleted state file; no difference.

Wanted to give an update here. For the last 24 hours, I had a more or less reliable connection through obfs4 bridges. I.e. I could update the systems and perform normal activities.

That it doesn’t function well without bridges still is something that strikes me as odd though, as I never really had to rely on them for a functioning connection?

But like this, it can’t be really considered a Whonix related problem, can it? Because else bridges wouldn’t work too, I guess?

Whatever, just sharing my thoughts on the matter.

Try : Whisker menu -> Tor Data -> delete everything in that folder -> anon-connection-wizard and choose to connect directly to the Tor network.

It could be the guards you are using doing something weird with the connections. Perhaps changing them is enough to fix this.

1 Like