How to use Tor HTTPTunnelPort in Whonix Workstation?

I’ve read about HTTPTunnelPort in the Stream Isolation chapter.
This seems like a good alternative for apps that don’t support SOCKS natively - in addition to torsocks.

So I tried it out with curl as an example (inside Workstation):

curl.anondist-orig \
  -x http://$(qubesdb-read /qubes-gateway):9220 \
  https://check.torproject.org
# curl: (28) Failed to connect to 10.137.0.12 port 9220: Connection timed out

Port 9220 should be an open HTTPTunnelPort according to /usr/share/tor/tor-service-defaults-torrc.anondist on the gateway.

Whereas SOCKS works as usual:

curl.anondist-orig \
  -x socks5h://$(qubesdb-read /qubes-gateway):9162 \
  https://check.torproject.org

curl does support the HTTPS CONNECT method. Is there something else to do?

My environment is Qubes Whonix 16 with transparent proxying disabled in the gateway:

WORKSTATION_TRANSPARENT_TCP=0
WORKSTATION_TRANSPARENT_DNS=0

Syntax seems correct.

If Tor is stopped using the following command on Whonix-Gateway:

sudo systemctl stop tor

Then in Whonix-Workstation:

curl.anondist-orig --head http://$(qubesdb-read /qubes-gateway):9228

curl: (7) Failed to connect to 10.137.0.14 port 9228: Connection refused

So let’s restart Tor in Whonix-Gateway.

sudo systemctl restart tor

Then try again in Whonix-Workstation:

curl.anondist-orig --head http://$(qubesdb-read /qubes-gateway):9228

curl: (56) Recv failure: Connection reset by peer

Conclusion: Not a Whonix firewall issue. The port is reachable.

I don’t know why it’s not working.

Could you please try whether Tor HTTPTunnelPort is currently functional outside of Whonix?

Generic Bug Reproduction is most likely required here. See Tor Generic Bug Reproduction.


Sure - I’ll try to reproduce it on a vanilla qube with just Tor installed. Can’t say exactly when I’ll have time for the setup again.


Test case 1: Vanilla Tor on Debian

sudo apt install --no-install-recommends tor

/etc/tor/torrc:

SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
SocksPort 9100 IsolateDestAddr IsolateDestPort
HTTPTunnelPort 9220 IsolateDestAddr IsolateDestPort
HTTPTunnelPort 9230

All these commands work:

curl -x socks5h://localhost:9050 https://check.torproject.org
curl -x socks5h://localhost:9100 https://check.torproject.org
curl -x http://localhost:9220 https://check.torproject.org
curl -x http://localhost:9230 https://check.torproject.org

Verbose curl output:

*   Trying ::1:9220...
* connect to ::1 port 9220 failed: Connection refused
*   Trying 127.0.0.1:9220...
* Connected to localhost (127.0.0.1) port 9220 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to check.torproject.org:443
> CONNECT check.torproject.org:443 HTTP/1.1
> Host: check.torproject.org:443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 OK
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
...

Test case 2: Whonix Gateway with transparent proxy

Install as usual.

Works (from Workstation):

curl.anondist-orig -x socks5h://$(qubesdb-read /qubes-gateway):9162 https://check.torproject.org

Fails:

curl.anondist-orig -x http://$(qubesdb-read /qubes-gateway):9220 https://check.torproject.org
curl.anondist-orig -x http://$(qubesdb-read /qubes-gateway):9190 https://check.torproject.org

curl: (56) Recv failure: Connection reset by peer

Verbose curl output:

*   Trying 10.137.0.160:9220...
* Connected to 10.137.0.160 (10.137.0.160) port 9220 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to check.torproject.org:443
> CONNECT check.torproject.org:443 HTTP/1.1
> Host: check.torproject.org:443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
> 
* Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted

There is no further log in journalctl. Clearly, curl tried to use the HTTP CONNECT method in the same way, but it fails.

I guess the next step would be to analyze the network traffic with tcpdump or similar?

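The two verbose curl traces above differ only in what the proxy does after receiving the CONNECT request: vanilla Tor answers `HTTP/1.0 200 OK`, the Whonix-Gateway port accepts the TCP connection and then drops it. Before reaching for tcpdump, it helps to have a probe that speaks that same CONNECT exchange and names the outcome. The script below is an added example, not code from this thread, from Tor, or from Whonix. It sends the request exactly as curl does, parses the status line, and maps each failure to the curl error seen in the thread (refused, reset, timeout, closed without reply). Because the real gateway is not reachable from here, the demo stands up throwaway local listeners that mimic each behaviour; `PROXY_HOST` is a placeholder for `$(qubesdb-read /qubes-gateway)`.

```python
"""Minimal HTTP CONNECT probe for a Tor HTTPTunnelPort (added example, not from the thread)."""
import socket
import struct
import threading

# Assumption: on a Whonix-Workstation you would set this to the gateway IP,
# e.g. the value of `qubesdb-read /qubes-gateway`. 127.0.0.1 is only for the local demo.
PROXY_HOST = "127.0.0.1"


def build_connect_request(target_host: str, target_port: int, user_agent: str = "probe/0.1") -> bytes:
    """Build the CONNECT request in the same shape curl -x http://... sends it."""
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_line(reply: bytes):
    """Return (http_version, status_code, reason) from a proxy reply, or None if malformed."""
    first_line, _, _ = reply.partition(b"\r\n")
    parts = first_line.decode("latin-1", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    try:
        code = int(parts[1])
    except ValueError:
        return None
    return parts[0], code, (parts[2] if len(parts) == 3 else "")


def probe_http_tunnel(proxy_host, proxy_port, target_host="check.torproject.org",
                      target_port=443, timeout=5.0) -> str:
    """Classify what the HTTPTunnelPort does with a CONNECT request.

    Results map onto the curl errors seen in the thread:
      refused              -> curl: (7)  Connection refused (nothing listening)
      timeout              -> curl: (28) Connection timed out (packets dropped, e.g. firewall)
      reset                -> curl: (56) Recv failure: Connection reset by peer (RST after accept)
      closed-without-reply -> curl: (56) Proxy CONNECT aborted (FIN before any status line)
      tunnel-ok            -> "Proxy replied 200 to CONNECT request"
    """
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(build_connect_request(target_host, target_port))
            reply = b""
            while b"\r\n\r\n" not in reply:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    if not reply:
        return "closed-without-reply"
    parsed = parse_status_line(reply)
    if parsed is None:
        return "malformed"
    _, code, _ = parsed
    return "tunnel-ok" if code == 200 else f"proxy-status-{code}"


def start_fake_proxy(behaviour: str) -> int:
    """Constructed stand-in for the gateway: a one-shot local listener.

    behaviour: "accept" (reply 200 like vanilla Tor), "close" (FIN with no reply),
               "abort" (RST after reading the request, like the Whonix trace).
    Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2)
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            if behaviour == "accept":
                conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
            elif behaviour == "abort":
                # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a port with no listener so the probe exercises the 'refused' path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for mode in ("accept", "close", "abort"):
        print(mode, "->", probe_http_tunnel(PROXY_HOST, start_fake_proxy(mode)))
    print("no listener ->", probe_http_tunnel(PROXY_HOST, unused_port()))
```

Against a real gateway, run `probe_http_tunnel(gateway_ip, 9220)` from the Workstation: `tunnel-ok` means the HTTPTunnelPort works end to end, `reset` or `closed-without-reply` reproduces the thread's symptom (the port is reachable but the listener tears the connection down before answering, so the firewall is not the culprit), and `timeout` points back at filtering between the VMs.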

Fix for this issue:


Thank you! Merged.