[graphical gui] Whonix Setup Wizard / Anon Connection Wizard - Technical Discussion

https://github.com/Whonix/whonix-setup-wizard/commit/8df32c994d70a461b3f4d6754af45640c61e8b6e

TPO has changed the default bridges transport to obfs4. ( Whonix ™ and Tor Limitations ) So we should do that also.

https://github.com/Whonix/whonix-setup-wizard/commit/8a20a48799f66fa256033c24313cbd9675d59725

@troubadour is missing in action apparently. Unfortunately! No known reason.

anon-connection-wizard is not ready yet. whonix-setup-wizard is broken Whonix 13 release also.

Since I can fix neither in time, I think the best course of action is to use the working whonix-setup-wizard Whonix 12 release branch as starting point, then see git log Whonix12..master and backport relevant stuff such as stable-proposed-updates and other relevant fixes (tor -> tor@default and what else).

Relevant seems:

commit 8a20a48799f66fa256033c24313cbd9675d59725
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Thu Mar 31 01:29:06 2016 +0000

    added stable-proposed-updates repository

    https://phabricator.whonix.org/T200

commit 8df32c994d70a461b3f4d6754af45640c61e8b6e
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Thu Jan 28 11:19:16 2016 +0100

    tor -> tor@default

commit 6c2061165455e9b6f7a49f1729b97d14dff1d666
Author: troubadoour <trobador@riseup.net>
Date:   Sat Dec 19 19:51:39 2015 +0000

    sudo -> kdesudo

commit 7cac2aa31efd28c37b1c94c5f2edcc1ebe3a424d
Author: troubadoour <trobador@riseup.net>
Date:   Fri Dec 18 23:51:08 2015 +0000

    deprecate finish page

commit ca9e0f977dd6ca5d8fd5d556cfb159e49db21b10
Author: troubadoour <trobador@riseup.net>
Date:   Thu Nov 26 14:06:11 2015 +0000

    tor 0.2.7.5 -> use tor@default service in tor_status.py
    tor service returns status 0 immediatly, regardless of tor status.

This is done.

TPO is working on a new Tor Browser Launcher with improved usability.

https://forums.whonix.org/t/a-proposal-for-redesigning-anon-connection-wizard-for-better-usability

Minor nitpick: Could you please add a single space before comments? I.e. please not:

some-command#comment here

i.e. please use:

some-command # comment here

@iry

I think this is standard almost everywhere. Please correct me should I be wrong on anything.

1 Like

Could you please port it to python3(.4)?

(highest Debian stretch python version available from packages.debian.org through apt-get)

(Optional: by looking at whonix-setup-wizard git commit history you could get many if not all pointers on what needs changed to make it work with python3.)


I don’t think I reviewed anon-connection-wizard before because it was never deployed. Going through the historic script as well as your changes at once. Some comments are about old issues, where fixes would be appreciated anyhow.


    proxy_password = ''#Q: Do we need special care for password? Like encryption? A: No. At least tor_launcher does not do that.

Agreed.


(This was probably not a bug introduced by you.)

        f = open('/var/cache/whonix-setup-wizard/status-files/whonix_connection.done', 'w')
        f.close()
        shutil.copy('/etc/tor/torrc', '/etc/tor/torrc.orig')

Please move the shutil.copy on top to make sure it really happens. (Race conditions, other corner cases.)


netwotk
briges
benifits
supprot
supproted
offcial
wether
becuase
orinal
availble
Unfinishde
costom
briges
shold
essetial

Typos. (Probably not introduced by you.)

(Btw if not too much effort, please enable a spell checker in your editor.)

(I was wondering to fix some of these small nitpicks myself, however I abstained from it to not have your bigger more important changes merge conflict with mine.)


Please set your editor to remove trailing spaces.


        self.bridges = ['obfs4 (recommended)',
                        'obfs3',
                        '''
                        The following will be uncommented as soon as being implemented.
                        Detail: https://github.com/Whonix/anon-connection-wizard/pull/2
                        '''
                        #'fte',
                        #'meek-amazon',
                        #'meek-azure'
    ]

The closing bracket indent looks wrong.


            # Notice that the scramblesuit is even not supproted in offcial 6.5.1 TBB
            # Is this option still useful or safe?
            # No. Do not use it anymore.

Agreed. If a pluggable support was deprecated from TBB, we should not provide that option in anon-connection-wizard. (Well, unless a strong argument was made.)


Whonix Connection Wizard

Please strip out Whonix there so this can be a general purpose package, which is not really tied to Whonix.

shutil.copy('/etc/tor/torrc.orig', '/etc/tor/torrc')

Legacy. This is not so great. A very rudimentary implementation.

That way the user cannot add any custom customizations since these would be overwritten.

On the topic of configuration file edits, could you read please Tor integration in Whonix Development Notes and tell me what you think about that?

Until torrc.d-style configuration directories (#1922) is implemented - which is likely not very soon - which is likely after anon-connection-wizard is finished… What do you think, should anon-connection-wizard edit /etc/tor/torrc using the ### BEGIN anon-connection-wizard ### / ### END anon-connection-wizard ### approach? Let’s call that the edit marker approach or can you think of a better term for this?

Another approach would be:

  • write the output of anon-connection-wizard to a file in /var/cache/anon-connection-wizard/output.conf (check if okay with FHS)
  • append /var/cache/anon-connection-wizard/output.conf to /usr/share/tor/tor-service-defaults-torrc (still use markers, but not for the user to add customizations, but to mark changes from anon-connection-wizard)
  • when the anon-gw-anonymizer-config package is upgraded, /usr/share/tor/tor-service-defaults-torrc would be overwritten
  • we’d have to make sure using Debian maintainer scripts (or even Debian triggers if required) to re-append /var/cache/anon-connection-wizard/output.conf before Tor gets reloaded (so settings are not lost on upgrades)
  • That way we would not have to edit /etc/tor/torrc.

What do you think?


                        # Q: Why there is no those lines in torrc after using Torlauncher to configure that?
                        # Do we really need these?
                        # If so, can we just input them as default and mange them only use UseBridges 0/1 to control it?

Please see:


                    # TODO: Both proxy_ip and proxy_port are not implemented yet.
                    # Done.

In that case, please remove the comment. :slight_smile:


print 'ERROR: This must be run as root!\nUse "kdesudo".'# Q: But why?

Because of unix file permissions. torrc and status files are not owned by user user. However, gui applications have to be run as a user using kdesudo or gksudo. To simplify this we could provide a shell wrapper that automates prepending the kdesudo. Also on the gateway we can have anon-connection-wizard start passwordless as sudo using sudoers. (Which is one of the simplest parts, please ask me if you don’t know how to do that so I can save you the time from figuring that out.)

1 Like

Hey Patrick!
I really appreciate your detailed feedback on my code!
Just let you know I have been working on the problems you mentioned. A detailed progress report will be provided soon!

1 Like

Hi @Patrick! Again, thank you very much for your feedback! Because of your feedback, I realized a large number of mistakes I made without even knowing about before! I did benefit a lot from it. The following are my replies.

Done! I have learned more about programming style from PEP8.

Done. I have ported it to python3.4. However, some python3 dependencies and modules are not available in current Whonix Stable Repository, including python3-yaml, guimessage etc.

Btw, I tried to upgrade Whonix Stable Repository to Whonix Developer Repository in Whonix-gateway several times using GUI application Whonix Repository. But it kind of broke the VM: Tor control port unavailable, apt-get broken etc.
Could you please tell me what I have done wrong?

I have ported it from PyQt4 to PyQt5, which took me an unexpectedly long time. This is because the way to use signal-and-slot in PyQt4 is no longer supported in PyQt5.

Done. But I still do not understand the point. Could you please explain more about the problem? Or could you please recommend me some resources that I can learn it myself? Thank you very much!

Done! Thank you for your suggestions!

I have changed the “Whonix” to “anon”. But it seems “anon” is still a Whonix-related name, isn’t it?

Start to work on the rest of the problems! I will reply to them as soon as possible!

My pull request is as follows:

Main changes:

  • Port from Python2 to Python3.4
  • Port from PyQt4 to PyQt5

Minor changes:

  • Eliminate race conditions
  • Custom bridges allows multiple input
  • Change "Whonix" to "anon" in name
  • Programming style changed according to PEP8
  • Delete trailing spaces
  • Typo correction

1 Like

Since I am a new forum user who is not allowed to reply more than three times in the same topic, I have to edit my previous replies to say more.
@Patrick just in case you can not receive new edit notification.

I agree with you. anon-connection-wizard should read the previous bridge/proxy configuration from the file and adjust the default UI accordingly. Just like what Tor Launcher has been doing.

Conclusion:

According to the current knowledge I have, I strongly prefer the “edit marker approach” to the “output.conf approach”.

Argument:

Let’s compare the “edit marker approach” and the “output.conf approach” in three different aspects:

### Usability:

#### “output.conf approach”

Hiding the /var/cache/anon-connection-wizard/output.conf file from users will force users to do the proxy/bridges setting through anon-connection-wizard, which will cause some potential problems.

For example, a user used anon-connection-wizard to configure the bridge and proxy setting at least once. Later, for some reason (like the guidance of an online docs/tutorial, the attraction of exploring) he/she decided to configure the bridge and proxy setting from /etc/tor/torrc file manually. However, his/her setting might have a conflict with the old one appended in the /usr/share/tor/tor-service-defaults-torrc. Maybe the old bridge and proxy setting were not valid anymore, causing Tor to be unable to connect successfully. However, there was no simple way that he/she could know the reason, because he/she sees no error in the /etc/tor/torrc setting.

What he/she can do is either starting anon-connection-wizard to configure nothing to remove the old setting, or removing the old bridge/proxy settings from both /var/cache/anon-connection-wizard/output.conf and /usr/share/tor/tor-service-defaults-torrc. Either way will greatly reduce the usability because it requires users to ask or search for the solution and then a lot of work.

#### “edit marker approach”

In this case, when users want to edit bridge/proxy setting manually from /etc/tor/torrc, they will see the setting generated by anon-connection-wizard and realize they may need to delete them.

To make it even more user-friendly, we can comment things like below in the ‘/etc/tor/torrc’:

    ### BEGIN anon-connection-wizard ###
    ### You may need to remove the following block to let your manually configured proxy/bridges setting work

### The purposes of the files:

According to the wiki:

/etc/tor/torrc is designed as a Tor configuration file that may be used by user.

/usr/share/tor/tor-service-defaults-torrc is designed as a Tor configuration file that should be only used by Whonix and should not be used by users.

The proxy/bridge settings are generated by users with the help of anon-connection-wizard, so the settings are considered as users’ configuration that naturally go to /etc/tor/torrc instead of /usr/share/tor/tor-service-defaults-torrc.

### Implementation and Maintenance cost:

The “output.conf approach” will create an extra file /var/cache/anon-connection-wizard/output.conf for the Tor configuration, making the Tor configuration in Whonix more separated/scattered.

The “output.conf approach” will also introduce a large amount of unnecessary work which includes:

1 Like
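
The “edit marker approach” compared above, as an added example that is not part of the thread or of anon-connection-wizard's code. The function names, the `.tmp` suffix and the sample torrc are constructed for illustration; only the BEGIN/END marker strings come from the discussion.

```python
import os

BEGIN = "### BEGIN anon-connection-wizard ###"
END = "### END anon-connection-wizard ###"


def replace_marked_block(torrc_text, new_lines):
    """Return torrc_text with the wizard-managed block set to new_lines.

    Lines outside the markers (the user's own settings) are kept verbatim.
    A missing block is appended; unbalanced markers raise ValueError.
    """
    block = [BEGIN] + list(new_lines) + [END]
    out, inside, seen = [], False, False
    for line in torrc_text.splitlines():
        marker = line.strip()
        if marker == BEGIN:
            if seen:
                raise ValueError("more than one BEGIN marker")
            inside = seen = True
            out.extend(block)          # new block takes the old one's place
        elif marker == END:
            if not inside:
                raise ValueError("END marker without BEGIN")
            inside = False
        elif not inside:
            out.append(line)           # user line, untouched
    if inside:
        raise ValueError("BEGIN marker without END")
    if not seen:
        out.extend(block)
    return "\n".join(out) + "\n"


def update_torrc(path, new_lines):
    """Rewrite path via a temp file and rename, so torrc is never half-written."""
    with open(path) as f:
        text = replace_marked_block(f.read(), new_lines)
    tmp = path + ".tmp"                # assumed name, same directory as path
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)


# Constructed sample torrc: user settings above and below an old wizard block.
SAMPLE = "\n".join([
    "DisableNetwork 0",
    BEGIN, "UseBridges 1", END,
    "Sandbox 1",
]) + "\n"

if __name__ == "__main__":
    print(replace_marked_block(SAMPLE, ["UseBridges 0"]), end="")
```

Running the function twice with the same settings leaves the file unchanged, which is what lets the wizard be re-run without overwriting user customizations the way the `torrc.orig` copy did.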

Oh, I wasn’t aware of these forum restrictions. Just now upgraded your account. (Multi posting is very much fine since it’s very constructive and no “help!”, “help me faster” ;).)

We’ll include anon-connection-wizard on stretch based Whonix, i.e. the next release, Whonix 14. Then these dependencies will be available. (There won’t be any more major Whonix upgrades for jessie based Whonix 13.)

You might have more luck using these instructions:

(I’ll stress luck. I’ll leave a notification in the forums when I want to encourage developers or testers to upgrade when I made sure it’s working out of the box.)

Resources, well not so much directly. Perhaps TOCTOU (time of check time of use) and perhaps “atomic commit” applies. (Enough to understand roughly what these concepts are about.)

In theoretic terms: do an action first, then create a status file that it’s done.

In case of sh.copy, first the status file was created and the action after that. In case

  • the VM crashes (power loss) (not very likely, but with thousands of users at some point it may happen to someone and since it’s easily avoidable to run into such a corner case why not)
  • or in case the action fails for whatever reasons (perhaps hdd hardware failure, code issues, whatnot)

then we’re better off not having the status file created since the action did not happen. By that we avoid inconsistent states, where another run of the program would think “status file exists, that state is already true, not doing again, skipping”, while that is not true.

anon just stands for anonymity or anonymous whatever sounds better in that case. Components developed under the Whonix umbrella with that name are easily reused by other anonymity related projects or other custom builds.


I’ll agree with “edit marker approach” being better. Will be looking into your pull request early next week.

1 Like
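
The ordering rule explained above (do the action first, create the status file last), as an added example that is not part of the thread or of the project's code. The function names and the early return when the status file already exists are assumptions made for illustration.

```python
import os
import shutil


def mark_then_backup(src, backup, status_file):
    """Order from the reviewed snippet: status file first, action second."""
    open(status_file, "w").close()
    shutil.copy(src, backup)           # a failure here leaves a stale marker


def backup_then_mark(src, backup, status_file):
    """Copy src to backup and only then create status_file.

    The copy goes to a temporary name and is renamed into place, so an
    interrupted copy never leaves a truncated file under the final name.
    Any failure raises before the marker exists, so the next run retries.
    """
    if os.path.exists(status_file):
        return False                   # assumed: an earlier run completed
    tmp = backup + ".tmp"
    shutil.copy(src, tmp)              # raises OSError if the copy fails
    os.replace(tmp, backup)
    open(status_file, "w").close()     # marker is written last
    return True


def state(backup, status_file):
    """Return (backup exists, status file exists) for inspection."""
    return os.path.exists(backup), os.path.exists(status_file)


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    missing = os.path.join(d, "torrc")             # constructed: file absent
    for fn in (mark_then_backup, backup_then_mark):
        b = os.path.join(d, fn.__name__ + ".orig")
        s = os.path.join(d, fn.__name__ + ".done")
        try:
            fn(missing, b, s)
        except OSError:
            pass
        print(fn.__name__, state(b, s))
```

With the source file missing, the first ordering ends with a status file but no backup, which is the inconsistent state a later run would wrongly skip over.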

Thank you very much for your help, Patrick!

Sounds great! Looking forward to the mature upgrade.

Thank you! I found your explanation very clear. And I am still going to search and learn more from the resources you recommended.

I am going to implement that soon.

Thank you very much, Patrick!

1 Like

TODO List:

## IO:

  • edit mark approach

## GUI:

### start page:

  • if customized file exists, a warning will appear when users choose to connect to the Tor network directly
  • a kind reminder may be added, saying that “if you are using a VPN to circumvent the Tor censorship, you can click the connect button without further configuration.”

### censorship circumvention options page:

  • research if the three options make the instructions more clear or more confusing
  • research if the first bridge button page should be called a “censorship circumvention options” page and adjust the options accordingly
  • Is a FascistFirewall option commonly used by users? if so, maybe we can support it in censorship circumvention tools option page. For example, an option saying “My ISP only allows 80 and 443 port”.

### bridge page:

  • make customized bridge input supports syntax highlighting

### proxy page:

  • sock4 should disable username and password textboxes
  • username and password can be hidden with an “advanced button”
  • add a help button to make it more friendly to first time users
  • if the proxy_type is “-” then a warning will appear (like what Tor Launcher has been doing), however, not sure if we really need a proxy_type as “-”.
  • add clear instructions for the proxy settings

### general:

  • custom CSS

  • Does the current GUI need changing entirely? If so, a Qt designer may be used for efficiency. If only small change on GUI, change it manually should be fine. If other application, like whonix-setup-wizard and welcome-application used by Tails are also using Qt designer, a UI file generated by Qt designer may help the future integration.

### setting confirmation page:

  • add a setting confirmation page before going to the tor_status page

1 Like

Hi @Patrick! My current TODO list for the anon-connection-wizard is above. Please let me know if you have any feedback, new idea or answers to some mentioned questions.

Apart from the questions above, the following is a general development question. I can make a separate topic if it is the preferred:

  1. Two of my recent commits are shown “unverified” by Github because “The email in this signature doesn’t match the committer email”. However, the signatures themselves are good. In such a case, can a future “verified” commit be interpreted as “I have audited the previous code and newly-added code”? Or can it only be interpreted as “I am only responsible for what I commit this time”?

Thank you very much for your time! :slight_smile:

CSS? You lost me at hello.

> Qt designer may be used for efficiency

Sure.

You tell me.

That could worsen usability.

Not that I know.

Non-bridge Censorship Circumvention Tools here? Why not. Doesn’t hurt. It’s mentioned here Configure (Private) (Obfuscated) Tor Bridges

This.

1 Like

The following is a brief instruction on how to set up an anon-connection-wizard testing environment on Whonix13:

  1. create a new whonix-gateway vm
  2. install dependencies:
    sudo apt-get install python3-yaml
    sudo apt-get install python3-pyqt5
    sudo apt-get install python3-stem
  3. copy guimessage module, anon-connection-wizard.py and tor_status.py to /usr/lib/python3/dist-packages/

Open question: What is the best way to develop applications used in Whonix-gateway? Currently, I have been developing anon-connection-wizard in Whonix-workstation and only copy it to a whonix-gateway for testing. I am not sure if this is the best way to do things in terms of developing anonymously or/and efficiently.

1 Like