[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Issue Setting up hidden services on Qubes

Steps taken so far:

  1. Clone gateway template.
  2. sudo nano /etc/tor/torrc
    2a. HiddenServiceDir /var/lib/tor/hidden_service
    2b. HiddenServicePort 80 WS-VM-IP**:80
  3. sudo service tor reload.
  4. sudo cat /var/lib/tor/hidden_service/hostname
    4-error. cat: /var/lib/tor/hidden_service/hostname: No such file or directory.
    4-debug-a: ls -la /var/lib/tor/hidden_service/
    error: ls: cannot access /var/lib/tor/hidden_service/: Permission denied
    4-debug-b: sudo chown debian-tor:debian-tor /var/lib/tor/hidden_service/
    error: chown cannot access `/var/lib/tor/hidden_service/’: No such file or directory

**workstation appvm ip address

Here is how to setup a hidden service in Qubes + Whonix…

The VirtualBox instructions here just need a couple changes:

  • Swap the Whonix-Workstation AppVM 10.137.X.X IP in for the 10.152.152.11 IP.
  • Open Firewall between Whonix-Gateway and Whonix-Workstation using iptables.

https://www.whonix.org/wiki/Hidden_Services#Hidden_Webserver

Will use a web server as an example on port 80, but one can change the port for their service application.

Also, you can (probably should) create clones of the Whonix-Gateway TemplateVM and Whonix-Workstation TemplateVM to establish your hidden service in. Then create a separate Whonix-Gateway ProxyVM and Whonix-Workstation AppVM for the live hidden service implementation.

Whonix-Gateway:

Open /etc/tor/torrc.

sudo nano /etc/tor/torrc

Read the comments. These explain where to find your .onion URL and to backup your hidden service keys. Comment in the following two lines.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 WHONIX-WORKSTATION-APPVM-IP:80

WHONIX-WORKSTATION-APPVM-IP = the 10.137.X.X IP address given to the Whonix-Workstation AppVM in Qubes. You can look this IP up in the Settings of the Qubes Manager or use “sudo ifconfig” to see the eth0 IP in the AppVM terminal.

If not setting up a web server, change the port number from 80 to whatever your app requires.

Restart Tor.

sudo service tor reload

Reminder: To get your hidden service url.

sudo cat /var/lib/tor/hidden_service/hostname

Reminder: Backup your hidden service key, in case you want to be able to restore it, on another machine, on a newer Whonix-Gateway, after hdd failure, etc. You can find it here and you require root to access it.

/var/lib/tor/hidden_service/private_key

Whonix-Workstation:

Run the following commands to install lighttpd web server. Alternatively, you would replace a web server with a different hidden service application.

sudo apt-get update
sudo apt-get install lighttpd

Open firewall port access for your app between Whonix-Gateway and Whonix-Workstation.

sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

If not setting up a web server, change the port number from 80 to whatever your app requires.

To make the firewall rule persistent, add the rule to the rc.local file and make it executable.

Open /rw/config/rc.local:

sudo nano /rw/config/rc.local

Add the following in the rc.local file:

#!/bin/sh

sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

Make the rc.local file executable:

sudo chmod +x /rw/config/rc.local

All Done.

Note, that it may take up to 30 minutes (or so?) until a fresh .onion domain gets reachable.

Thanks for the breakout! Im still getting stuck at getting the hostname. I don’t think the hidden service is getting created at all.

It looks like it is a permissions issue with the TemplateVM that the ProxyVM doesn’t have.

I’ll have to look into it further later.

As a quick fix, you could set this up in a Whonix-Gateway ProxyVM initially, then manually create or copy the files over into a cloned TemplateVM afterwards.

Then run a ProxyVM based on that TemplateVM.

You may have to retroactively go back and change the AppVM IP once you know the final one.

Seems to me the Hidden Services wiki page should be updated accordingly? I was wondering how we handle documentation when those are slightly different for various platforms.

We could use the [Expand] button. Example use of expand button can be seen here:

Then we could write something like this…

If you are using VirtualBox […], press [Expand].

If you are using Qubes […], press [Expand].

[quote=“WhonixQubes, post:2, topic:901”] sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT [/quote]
Why is this required? Is Whonix-Workstation in Qubes firewalled by default?

[quote=“Patrick, post:5, topic:901”]Seems to me the Hidden Services wiki page should be updated accordingly? I was wondering how we handle documentation when those are slightly different for various platforms.

We could use the [Expand] button. Example use of expand button can be seen here:

Then we could write something like this…

If you are using VirtualBox […], press [Expand].

If you are using Qubes […], press [Expand].[/quote]

Great timing, as I am working on new documentation stuff right now.

I will create a new topic later to discuss this further.

[quote=“Patrick, post:5, topic:901”][quote author=WhonixQubes link=topic=1004.msg7238#msg7238 date=1425718293]

sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

[/quote]
Why is this required? Is Whonix-Workstation in Qubes firewalled by default?[/quote]

Yes, it seems to be firewalled by default for new unsolicited incoming packets.

Whonix-Workstation:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

@igijo

Another easier option for you could be to use StandaloneVMs, instead of cloning TemplateVMs.

The loss here is that your root partition does not reset to a clean state with each VM restart.

The added convenience is that persistent configurations that don’t affect your other VMs is straightforward.

You can base it off of your normal Whonix TemplateVMs and check the “Standalone” box in Qubes Manager when creating a new ProxyVM / AppVM for your hidden service implementation.

[quote=“WhonixQubes, post:4, topic:901”][quote author=igijo link=topic=1004.msg7241#msg7241 date=1425751326]
Thanks for the breakout! Im still getting stuck at getting the hostname. I don’t think the hidden service is getting created at all.
[/quote]

It looks like it is a permissions issue with the TemplateVM that the ProxyVM doesn’t have.

I’ll have to look into it further later.

As a quick fix, you could set this up in a Whonix-Gateway ProxyVM initially, then manually create or copy the files over into a cloned TemplateVM afterwards.

Then run a ProxyVM based on that TemplateVM.

You may have to retroactively go back and change the AppVM IP once you know the final one.[/quote]

I managed to get the hostname/private keys in.

Steps:

Created tempproxyvm.
sudo nano /etc/tor/torrc
-HiddenServiceDir /var/lib/tor/hidden_service/
-HiddenServicePort 80 randomIP:80
exit
sudo service tor reload
i couldn’t navigate to the tor folder using the regular file browser, permissions issue I guess
sudo dolphin
navigate to /var/lib/tor/
copy/cut hidden_service folder
navigate to the 2gb drive (someone correct me here I cant remember what the folder path is) /usr/home?
paste hidden_service folder
sudo qvm-copy-to-vm gateway-clone-templatevm hidden_service
in gateway-clone-templatevm
sudo dolphin
copy hidden_service directory from /QubesIncoming/tempproxyvm/ to /var/lib/tor/

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]