Will /etc/torrc.d/95_whonix.torrc be persistent?
All done:
Details:
- Fix obfs4 default bridges connectivity issue
- Distinguish bridge_type_with_comment from bridge_type
- Switch to /usr/local/etc/torrc.d/40_anon_connection_wizard.torrc
- Put DisableNetwork line into 40_anon_connection_wizard.torrc
- Simplify tor_status.py
- Throughout update repair_torrc.py
iry:
Will /etc/torrc.d/95_whonix.torrc be persistent?
It already is yes, there since latest Whonix stretch upgrade.
iry:
Should we use /usr/local/etc/torrc.d/40_anon_connection_wizard.torrc instead?
Certainly yes. Certainly /usr/local/etc/torrc.d/. Good Catch!
iry:
But does that mean when users would like to decide enable or disable Tor, they will modify 40_anon_connection_wizard.torrc manually?
Right, not covered at this point. But should be. I didn't have these users in mind.
Any suggestions?
Editing 40_anon_connection_wizard.torrc is not great - since machine modified file. 50_user.torrc would be the place for that.
We extend the comment in /etc/tor/torrc and explain to add DisableNetwork 0 to 50_user.torrc for users who wish to manually enable Tor? /etc/tor/torrc will be the place where most users will be looking anyhow since torrc.d is new.
I messed up something. My latest requests made anon-connection-wizard Whonix specific. But I guess there could be an "if Whonix, use /usr/local/etc/torrc.d…, otherwise use /etc/torrc.d".
repair_torrc() function will be called when we want to guarantee the existence of:
- "fixed_nothing" if everything is good in torrc
…
/etc/tor/torrc is exactly the same with /etc/tor/torrc.anondist
.anondist is anondist (in practice Whonix) specific.
/etc/tor/torrc is a symlink to /etc/tor/torrc.anondist.
shutil.copyfile('/etc/tor/torrc.anondist', '/etc/tor/torrc')
It should be a symlink. Not a copy. But only in Whonix.
To keep things simple and non-Whonix specific, I suggest to handle only /etc/tor/torrc, make sure its contents are correct and that's about it. Not sure it is clever to try to restore the symlink since Whonix specific and… Dunno.
Instead of…
f.write("\
## Do not edit this file!\n\
Could you please add the files to anon-connection-wizard /usr/share/anon-connection-wizard/etc/tor/torrc?
In other words… Let's use
/usr/share/anon-connection-wizard/etc/tor/torrc
/usr/share/anon-connection-wizard/etc//torrc.d/95_whonix.torrc
so we don't have to update the text in the python source but can simply copy from anon-gw-anonymizer-config to there?
Patrick Schleizer:
I messed up something. My latest requests made anon-connection-wizard Whonix specific. But I guess there could be an "if Whonix, use /usr/local/etc/torrc.d…, otherwise use /etc/torrc.d".
No worry. I tried to make the code very generic so there will not be too
much work to make it Whonix non-specific.
repair_torrc() function will be called when we want to guarantee the existence of:
- "fixed_nothing" if everything is good in torrc
…
/etc/tor/torrc is exactly the same with /etc/tor/torrc.anondist
.anondist is anondist (in practice Whonix) specific.
/etc/tor/torrc is a symlink to /etc/tor/torrc.anondist.
shutil.copyfile('/etc/tor/torrc.anondist', '/etc/tor/torrc')
It should be a symlink. Not a copy. But only in Whonix.
I agree. It will make the changes much easier.
To keep things simple and non-Whonix specific, I suggest to handle only /etc/tor/torrc, make sure its contents are correct and that's about it. Not sure it is clever to try to restore the symlink since Whonix specific and… Dunno.
Instead of…
f.write("\
## Do not edit this file!\n\
Could you please add the files to anon-connection-wizard /usr/share/anon-connection-wizard/etc/tor/torrc?
In other words… Let's use
/usr/share/anon-connection-wizard/etc/tor/torrc
/usr/share/anon-connection-wizard/etc//torrc.d/95_whonix.torrc
so we don't have to update the text in the python source but can simply copy from anon-gw-anonymizer-config to there?
Sounds great to me. I will do the pull request later today.
Patrick Schleizer:
iry:
But does that mean when users would like to decide enable or disable Tor, they will modify 40_anon_connection_wizard.torrc manually?
Right, not covered at this point. But should be. I didn't have these users in mind.
Any suggestions?
Editing 40_anon_connection_wizard.torrc is not great - since machine modified file. 50_user.torrc would be the place for that.
We extend the comment in /etc/tor/torrc and explain to add DisableNetwork 0 to 50_user.torrc for users who wish to manually enable Tor? /etc/tor/torrc will be the place where most users will be looking anyhow since torrc.d is new.
I agree we should keep DisableNetwork 0 in 50_user.torrc which can both be modified by users and anon-connection-wizard. I changed the way to write DisableNetwork 0 yesterday, so it may take a little bit time (later today) to adjust the change.
What do you think will be the best (most used) approach to detect if we are in Whonix?
To make anon-connection-wizard not Whonix specific, repair_torrc() now only guarantees the existence of:
- /etc/torrc.d/
- /etc/tor/torrc
- "%include /etc/torrc.d" line in /etc/tor/torrc file
With anon-connection-wizard installed, in Whonix, the parsing path will be:
/etc/tor/torrc
--> /etc/torrc.d/
--> /etc/torrc.d/95_whonix.torrc
--> /usr/local/etc/torrc.d
--> /usr/local/etc/torrc.d/40_anon_connection_wizard.torrc
--> /usr/local/etc/torrc.d/50_user.torrc
With anon-connection-wizard installed, in Debian, the parsing path will be:
/etc/tor/torrc
--> /etc/torrc.d/
--> /etc/torrc.d/40_anon_connection_wizard.torrc
--> /etc/torrc.d/50_user.torrc
iry:
What do you think will be the best (most used) approach to detect if we are in Whonix?
anondist:
If file /usr/share/anon-gw-base-files/gateway exists.
Whonix:
If file /usr/share/whonix/marker exists.
Since /usr/local/etc/torrc.d is configured in package anon-gw-anonymizer-config, /usr/share/anon-gw-base-files/gateway is appropriate.
iry:
To make anon-connection-wizard not Whonix specific, repair_torrc() now only guarantees the existence of:
- /etc/torrc.d/
- /etc/tor/torrc
- "%include /etc/torrc.d" line in /etc/tor/torrc file
With anon-connection-wizard installed, in Whonix, the parsing path will be:
/etc/tor/torrc
--> /etc/torrc.d/
--> /etc/torrc.d/95_whonix.torrc
--> /usr/local/etc/torrc.d
--> /usr/local/etc/torrc.d/40_anon_connection_wizard.torrc
--> /usr/local/etc/torrc.d/50_user.torrc
With anon-connection-wizard installed, in Debian, the parsing path will be:
/etc/tor/torrc
--> /etc/torrc.d/
--> /etc/torrc.d/40_anon_connection_wizard.torrc
--> /etc/torrc.d/50_user.torrc
Perfect!
iry:
I agree we should keep DisableNetwork 0 in 50_user.torrc which can both be modified by users and anon-connection-wizard.
I don't think _user should be modified by a program. It could detect it,
parse all files, and report, but should stick to its own files.
Otherwise we start mixing things.
The user should decide. Manual or by tool.
Hi Patrick!
Currently, all anon-connection-wizard does to 50_users.torrc is remove or add the # to the DisableNetwork 0. I think it should be fine as long as we keep the operation as the operation to 50_users.torrc?
Because removing or adding the # is kind of still the decision from users?
Another advantage of making 50_users.torrc the only place containing DisableNetwork 0 is all the user should have 50_users.torrc but only anon-connection-wizard users will have 40_anon_connection_wizard.torrc file. It does not make much sense for a user who does not use anon-connection-wizard to put DisableNetwork 0 in 40_anon_connection_wizard.torrc.
What do you think?
Thank you so much, Patrick!
Done. Now anon-connection-wizard will use different paths according to whether in Whonix or not.
- anon-connection-wizard should have different behavior on Whonix and non-Whonix now
- Move DisableNetwork line to 50_user.torrc
- Better error information when Tor fails to start
I think the only TODO left for anon-connection-wizard so far is:
- use gettext for translation
Would anyone please help me to do some testing on anon-connection-wizard to make sure it works perfectly in Whonix 14 please? I really appreciate the help!
Please fetch and merge, made some changes. Fortunately we had no merge conflict.
There is a bug.
cat /usr/local/etc/torrc.d/40_anon_connection_wizard.torrc
# This file is generated by and should ONLY be used by anon-connection-wizard.
# User configuration should go to /usr/local/etc/torrc.d/50_user.torrc, not here. Because:
# 1. This file can be easily overwritten by anon-connection-wizard.
# 2. Even a single character change in this file may cause error.
# However, deleting this file will be fine since a new plain file will be generated the next time you run anon-connection-wizard.
DisableNetwork 0
UseBridges 1
ClientTransportPlugin meek_lite exec /usr/bin/obfs4proxy
bridge meek_lite 0.0.2.0:3 97700DFE9F483596DDA6264C4D7DF7641E1E39CE url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com
Traceback (most recent call last):
File "/usr/bin/anon-connection-wizard", line 4, in <module>
anon_connection_wizard.main()
File "/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py", line 1606, in main
wizard = AnonConnectionWizard()
File "/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py", line 1043, in __init__
self.bridge_wizard_page_2 = BridgesWizardPage2()
File "/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py", line 312, in __init__
self.setupUi()
File "/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py", line 382, in setupUi
self.comboBox.setCurrentIndex(self.bridges.index(Common.bridge_type_with_comment))
ValueError: 'obfs4 (works in China)' is not in list
That is for sure.
- Users should only touch 50_user.torrc and leave 40_anon_connection_wizard.torrc aside (at maximum delete it)
- anon-connection-wizard should only touch 40_anon_connection_wizard.torrc
What I want here is a clean separation. Some files are written to by users only but not by tools.
Imagine some user claiming "Whonix enabled Tor for me but I didn't want to". Claiming it was a bug. If we don't mention 50_user.torrc literally in the source code with write access, such claims are easily refuted.
The only way 50_user.torrc should be used is read-only by anon-connection-wizard. Not with special read code but with the normal code for parsing all the Tor config files looking for DisableNetwork 1 or 0.
By default there won't be an adding/removing anymore since 50_users.torrc does not exist by default. However, any Tor config file equal or higher 50_ should only be touched by the user, not by tools, so always the user's wish is respected as last word with no surprises.
Users who don't wish to use anon-connection-wizard to enable Tor have very, very low priority. These can be very, very vocal users as well, while other "engineers degree people" still don't manage to use Whonix. These geeks are only a few and it's not worth to exhaust ourselves to handle such corner cases. Their freedom isn't restricted which is great but we also don't need to improve usability for them.
To disable Tor, the anon-connection-wizard tool can also be used. All reasonable use cases are covered by gui and still very easily accessible by cli as well. Either manual or by sudo whonixsetup (cli) (updated today).
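Added example, not code from anon-connection-wizard or from any poster in this thread: a read-only resolver that walks the %include chain the way the post above asks for and reports which file has the last word on DisableNetwork. The function names, the temp-dir layout and the file contents are constructed for illustration; comment stripping is simplified and there is no include-loop guard.

```python
import os
import tempfile

def include_targets(path):
    """A %include directory expands to its files in lexical order, dotfiles skipped."""
    if os.path.isdir(path):
        names = sorted(n for n in os.listdir(path) if not n.startswith("."))
        return [os.path.join(path, n) for n in names
                if os.path.isfile(os.path.join(path, n))]
    return [path] if os.path.isfile(path) else []

def effective_option(torrc, option):
    """Return (value, source_file) of the last `option` line reached from torrc,
    or (None, None). Files are only ever opened for reading."""
    value = source = None
    with open(torrc) as f:
        for raw in f:
            parts = raw.split("#", 1)[0].split(None, 1)  # drop comments (simplified)
            if not parts:
                continue
            key = parts[0].lower()  # option names are case-insensitive
            arg = parts[1].strip() if len(parts) > 1 else ""
            if key == "%include":
                for inc in include_targets(arg):
                    v, s = effective_option(inc, option)
                    if s is not None:
                        value, source = v, s  # a later file overrides an earlier one
            elif key == option.lower():
                value, source = arg, torrc
    return value, source

def demo(user_line):
    # Constructed tree mirroring the thread's Whonix chain, rooted in a temp dir.
    root = tempfile.mkdtemp()
    etc_d, local_d = os.path.join(root, "torrc.d"), os.path.join(root, "local.d")
    files = {
        (root, "torrc"): "%include " + etc_d,
        (etc_d, "95_whonix.torrc"): "%include " + local_d,
        (local_d, "40_anon_connection_wizard.torrc"): "DisableNetwork 0\nUseBridges 1",
        (local_d, "50_user.torrc"): user_line,  # user-owned; the tool never writes it
    }
    for (d, name), text in files.items():
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "w") as f:
            f.write(text + "\n")
    value, source = effective_option(os.path.join(root, "torrc"), "DisableNetwork")
    return value, os.path.basename(source)
```

Because 50_user.torrc sorts after 40_anon_connection_wizard.torrc, an active line there overrides the wizard's value, while a commented-out line leaves the wizard's file as the source.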
Thank you for your advice! I will remember that!
Sorry for my carelessness. Fixed in one line:
No worries, Almost no one writes bug free software. New bug.
Job for tor@default.service failed because the control process exited with error code.
See "systemctl status tor@default.service" and "journalctl -xe" for details.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py", line 1293, in next_button_clicked
sys.stderr.write('tor_status: ' + self.tor_status + self.tor_status_code)
TypeError: Can't convert 'int' object to str implicitly