Here is how to set up a hidden service in Qubes + Whonix…
The VirtualBox instructions here just need a couple of changes:
- Swap the Whonix-Workstation AppVM 10.137.X.X IP in for the 10.152.152.11 IP.
- Open the firewall between Whonix-Gateway and Whonix-Workstation using iptables.
Onion Services - Whonix
This guide uses a web server on port 80 as the example; change the port to match your own service application.
Also, you can (probably should) create clones of the Whonix-Gateway TemplateVM and Whonix-Workstation TemplateVM to establish your hidden service in. Then create a separate Whonix-Gateway ProxyVM and Whonix-Workstation AppVM for the live hidden service implementation.
Whonix-Gateway:
Open /etc/tor/torrc.
sudo nano /etc/tor/torrc
Read the comments. They explain where to find your .onion URL and how to back up your hidden service keys. Uncomment the following two lines.
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 WHONIX-WORKSTATION-APPVM-IP:80
WHONIX-WORKSTATION-APPVM-IP = the 10.137.X.X IP address given to the Whonix-Workstation AppVM in Qubes. You can look this IP up in the Settings of the Qubes Manager or use “sudo ifconfig” to see the eth0 IP in the AppVM terminal.
If not setting up a web server, change the port number from 80 to whatever your app requires.
Reload Tor so it picks up the new configuration.
sudo service tor reload
Reminder: to get your hidden service URL:
sudo cat /var/lib/tor/hidden_service/hostname
Reminder: back up your hidden service key in case you want to restore it later (on another machine, on a newer Whonix-Gateway, after an HDD failure, etc.). You can find it here; root is required to access it.
/var/lib/tor/hidden_service/private_key
Whonix-Workstation:
Run the following commands to install the lighttpd web server. Alternatively, replace the web server with your own hidden service application.
sudo apt-get update
sudo apt-get install lighttpd
Open firewall port access for your app between Whonix-Gateway and Whonix-Workstation.
sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
If not setting up a web server, change the port number from 80 to whatever your app requires.
To make the firewall rule persistent, add the rule to the rc.local file and make it executable.
Open /rw/config/rc.local:
sudo nano /rw/config/rc.local
Add the following in the rc.local file:
#!/bin/sh
sudo iptables -I INPUT 5 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
Make the rc.local file executable:
sudo chmod +x /rw/config/rc.local
All Done.
Note that it may take up to 30 minutes (or so) until a fresh .onion domain becomes reachable.
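As an added check (an example script written for this post, not part of the original guide or of Whonix), the POSIX sh functions below verify the two edits made above: that the Gateway torrc has the HiddenServiceDir/HiddenServicePort lines uncommented and pointing at the Workstation AppVM IP rather than at the unreplaced placeholder or the VirtualBox 10.152.152.11 address, and that the Workstation's INPUT chain contains the ACCEPT rule. The sample torrc contents, the 10.137.2.15 address and the iptables output are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Checks the Gateway torrc and the
# Workstation firewall rule described above. Sample inputs are constructed.

# hs_check_torrc TORRC WANT_IP WANT_PORT
# Prints "ok" when active (uncommented) HiddenServiceDir/HiddenServicePort
# lines exist and the port line targets WANT_IP:WANT_PORT; else a reason.
hs_check_torrc() {
    torrc="$1"; want_ip="$2"; want_port="$3"
    active=$(grep -E '^[[:space:]]*HiddenService(Dir|Port)[[:space:]]' "$torrc")
    echo "$active" | grep -q 'HiddenServiceDir' || { echo "HiddenServiceDir still commented out"; return 1; }
    port_line=$(echo "$active" | grep 'HiddenServicePort' | head -n 1)
    [ -n "$port_line" ] || { echo "HiddenServicePort still commented out"; return 1; }
    target=$(echo "$port_line" | awk '{print $3}')
    case "$target" in
        WHONIX-WORKSTATION-APPVM-IP:*) echo "placeholder IP not replaced"; return 1 ;;
        10.152.152.11:*) echo "still uses the VirtualBox IP 10.152.152.11"; return 1 ;;
        "$want_ip:$want_port") echo ok; return 0 ;;
        *) echo "target $target, expected $want_ip:$want_port"; return 1 ;;
    esac
}

# hs_check_fw RULES PORT
# RULES is the output of 'iptables -S INPUT' saved to a file. Prints "ok" when
# an ACCEPT rule for new TCP connections to PORT is present.
hs_check_fw() {
    grep -Eq -- "-A INPUT -p tcp .*--dport $2 .*--ctstate NEW -j ACCEPT" "$1" \
        && echo ok || echo "no ACCEPT rule for tcp/$2"
}

# Constructed sample files (a real run would read /etc/tor/torrc on the
# Gateway and 'sudo iptables -S INPUT > rules.txt' on the Workstation).
tmp=$(mktemp -d)
printf '%s\n' '#HiddenServiceDir /var/lib/tor/hidden_service/' \
    '#HiddenServicePort 80 WHONIX-WORKSTATION-APPVM-IP:80' > "$tmp/untouched.torrc"
printf '%s\n' 'HiddenServiceDir /var/lib/tor/hidden_service/' \
    'HiddenServicePort 80 10.152.152.11:80' > "$tmp/vbox.torrc"
printf '%s\n' 'HiddenServiceDir /var/lib/tor/hidden_service/' \
    'HiddenServicePort 80 10.137.2.15:80' > "$tmp/good.torrc"
printf '%s\n' '-P INPUT DROP' \
    '-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT' > "$tmp/rules.txt"

# Demonstration run; the constructed AppVM IP is 10.137.2.15.
for f in untouched vbox good; do
    printf '%s.torrc: %s\n' "$f" "$(hs_check_torrc "$tmp/$f.torrc" 10.137.2.15 80)"
done
printf 'firewall tcp/80: %s\n' "$(hs_check_fw "$tmp/rules.txt" 80)"
```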