Long Wiki Edit Thread

0brand:

I followed all the steps from the links you provided (in sys-whonix and whonix-gw Template when appropriate) and curl must be run under user clearnet for both temporary or permanent deactivation.

Is this what is expected?

Whonix 14:

Have a look at the end what really happens. Only the latest exec call matters.

uwtwrapper_verbose=1 curl something

Expected:

Using uwt / torsocks / stream isolation.

Result:

exec torsocks /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something

I.e. torsocks gets prepended before running curl.


uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl something

Expected:

Not using torsocks / stream isolation.

Result:

exec /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something

I.e. torsocks does not get prepended. curl gets run as is. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn’t installed.

/usr/bin/curl.anondist-orig is the real curl binary. I.e. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn’t installed.

Running /usr/bin/curl.anondist-orig directly circumvents all the uwt logic.


1 more question

curl can be run from user clearnet without appending .anondist-orig (works)

Should users be warned not to do this even if it seems to work?

Warn against what?

  • It’s still torified - we could even call this a bug?
  • It’s to be expected to be using clearnet when using Whonix-Gateway and logging in at user clearnet.
  • It’s not something happening by accident.
  • We don’t document this lightheartedly.

clearnet@host:/home/user$ uwtwrapper_verbose=1 curl https://check.torproject.org
exec torsocks /usr/lib/uwtexec https://check.torproject.org
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig https://check.torproject.org

So to reach actual clearnet, one still has to disable uwtwrapper(s).

When using user clearnet on Whonix-Gateway and it’s expected to be reaching clearnet.

2 Likes
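The two traces quoted in the post above differ only in whether torsocks appears in the first exec line. As an added example (not part of the thread and not Whonix code), the following shell functions classify such a trace so a script can confirm stream isolation is in effect; the function names are hypothetical, and the sample traces are copied from the post.

```shell
#!/bin/sh
# Added example: classify the exec trace printed with uwtwrapper_verbose=1.
# Line formats are the ones quoted in the thread; function names are
# hypothetical. Which stream the wrapper writes the trace to is not shown
# on the page, so the functions simply read the trace on stdin.

# Prints one of:
#   torsocks     torsocks was prepended (stream isolation in effect)
#   passthrough  uwtexec ran without torsocks (no stream isolation)
#   unknown      no uwtexec line at all (wrapper not in the chain)
uwt_classify() {
    awk '
        $1 == "exec" && $2 == "torsocks" && $3 == "/usr/lib/uwtexec" { mode = "torsocks" }
        $1 == "exec" && $2 == "/usr/lib/uwtexec"                     { mode = "passthrough" }
        END { print (mode == "" ? "unknown" : mode) }
    '
}

# Prints the binary that is finally executed (4th field of the "exec -a" line).
uwt_real_binary() {
    awk '$1 == "exec" && $2 == "-a" { bin = $4 } END { if (bin != "") print bin }'
}

# Exit status 0 only when the trace shows torsocks in the chain; usable as a
# guard in scripts that must not run with UWT_DEV_PASSTHROUGH=1 left set.
uwt_is_isolated() {
    [ "$(uwt_classify)" = "torsocks" ]
}

# Sample traces, copied from the post above.
TRACE_WRAPPED='exec torsocks /usr/lib/uwtexec https://check.torproject.org
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig https://check.torproject.org'
TRACE_PASSTHROUGH='exec /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something'

for trace in "$TRACE_WRAPPED" "$TRACE_PASSTHROUGH"; do
    mode=$(printf '%s\n' "$trace" | uwt_classify)
    bin=$(printf '%s\n' "$trace" | uwt_real_binary)
    printf 'mode=%s real_binary=%s\n' "$mode" "$bin"
done
```
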

Advanced Security Guide split → Fixed

(internal links on those pages not fixed yet; mega-page not deleted so as not to break existing links everywhere)

Computer Security Guide split is next, then a large clean up of incorrect links (not fun :tired_face: ) from this set of 3 splits.

2 Likes

@Patrick

Thank You!

I’ll get to work adding new steps to permanently or temporarily deactivate stream isolation for curl in new /Dev/tech chapter.

1 Like

0brand:

I’ll get to work adding new steps to permanently or temporarily deactivate stream isolation for curl in new /Dev/tech chapter.

That should be already documented, belongs here…?

The rest of my explanations from my previous post may also be a good candidate for copying with modifications to anon-ws-disable-stacked-tor.

No problem. :slight_smile:

I thought you might have wanted to deactivate stream isolation temporarily and permanently also with https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor

Makes more sense just to add link to

2 Likes

From Frequently Asked Questions - Whonix FAQ could you please mention and reference Self Support First Policy for Whonix and The User Co-developer Concept ?

1 Like

No problem

Originally referenced Co-developer Concept but I took it out. Oops :slight_smile:

2 Likes

Done!

Debugging with curl

Trying to use curl rather than curl.anondist-orig is a common mistake when debugging Whonix network issues.

curl is a symlink to curl.anondist. In turn, this symlinks to uwt which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.

To use curl

  • The uwt stream isolation wrapper must be deactivated
  • The command must be run under user clearnet

In Whonix-Gateway or sys-whonix (Qube-Whonix)

1. Change to user clearnet

sudo su clearnet

2. Deactivate uwt stream isolation wrapper by appending .anondist-orig to curl

curl.anondist-orig <your_url>

Using curl in Whonix 14

curl must be run under user clearnet the same as in Whonix 13.

In the following examples, the exec calls from the command output show the difference between running curl with the uwtwrapper both enabled and disabled.

Example 1

curl is run with the uwtwrapper enabled.

uwtwrapper_verbose=1 curl <your_url>

This results in the following exec calls. Only the latest (most recent) call matters which shows torsocks is prepended before running curl.

exec torsocks /usr/lib/uwtexec something <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>

Example 2

curl is run with the uwtwrapper disabled.

uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl <your_url>

This command results in the following exec calls which show torsocks does not get prepended before curl. Since curl does not run under torsocks, local connections are not hindered and there is no stream isolation.

exec /usr/lib/uwtexec <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>

The output from the previous commands establishes the following

  • /usr/bin/curl is symbolically linked to /usr/bin/curl.anondist-orig. This demonstrates /usr/bin/curl.anondist-orig is the actual (real) curl binary.

  • When /usr/bin/curl.anondist-orig is run with the uwtwrapper disabled all uwt logic is circumvented.

Users can either run curl under user clearnet or deactivate the uwt stream isolation wrapper either permanently or temporarily

Links:

https://www.whonix.org/wiki/Stream_Isolation
https://www.whonix.org/wiki/Stream_Isolation/Disable_Easy

Done!

https://whonix.org/w/index.php?title=FAQ&oldid=34364&diff=cur


1 minor edit in stream isolation chapter

https://whonix.org/w/index.php?title=Stream_Isolation&oldid=34458&diff=cur

2 Likes

Whonix 13 / 14, there is no difference. You always need to run under user clearnet.

Well, it actually depends (but not on 13 / 14).

If you want to reach clearnet → user clearnet.

For local connections → any user.

1 Like

I must be doing something wrong sys-whonix (Whonix 14)?

anon-info

INFO: /etc/apt/sources.list.d/torproject.list does not exist.
INFO: version of the 'tor' package: 0.3.3.7-1~d90.stretch+1

sudo su clearnet
user@host:~$

sys-whonix (Whonix 13)

sudo su clearnet
clearnet@host:/home/user$

1 Like

New proposed edits reflect Whonix 14 requires user clearnet

Please let me know if any changes are necessary

Note: spacing in some areas is a little wide i.e. spacing between bullet lists and next text block

https://whonix.org/w/index.php?title=Dev/anon-ws-disable-stacked-tor&oldid=33749&diff=cur

Edit: Bullet spacing already reported https://phabricator.whonix.org/T809

2 Likes

Some mistakes by me earlier.

  • I’ve changed the wording to circumvent / disable as two different things.
  • It’s not either user clearnet or circumvent/disable uwt. circumvent/disable uwt is always required when trying to reach localhost or clearnet. Running under user clearnet is only required when trying to reach clearnet or local LAN.

1 Like

Hi 0brand,

Go ahead and please remove that excess bold you identified for a specific wiki page in that other thread. It does look horrible.

2 Likes

I’ll have it done a little later on today :slight_smile:

I’m starting on screenshots (finally). I was trying to think of what is asked most often on the forum. Any screenshots that would help users config Qubes R-4 specific Whonix stuff?

If you can think of any let me know → https://whonix.org/t/updated-screenshots-images-thread/5371

2 Likes

Done!

https://www.whonix.org/w/index.php?title=Tor&oldid=33867&diff=cur


Whonix 14 release notes

Removed link to sandboxed Tor Browser (Deprecated)

https://www.whonix.org/w/index.php?title=Whonix_Release_Notes&oldid=34585&diff=cur


Tor Browser

  • Removed link to sandboxed Tor Browser (Deprecated)
  • fixed link “Do Not Tor over Tor”

https://www.whonix.org/w/index.php?title=Tor_Browser&oldid=34462&diff=cur

2 Likes

Hi 0brand,

All fixed, except:

  • Updated whonixcheck GUI (success message)
  • Updated whonixcheck progress meter (requires Whonix 14 for nice successful message)
  • Updated leak tests with Flash installed

That would be great if you could knock those off. I already added Tor Controller GUI and a bunch of others.

For bonus points, maybe add:

  • Whonix Repository GUI
  • Reload Tor GUI (?)
  • Reload Firewall GUI (?)
  • Restart Tor GUI (?)
  • Anything else @Patrick ?

1 Like

Computer Security Education split → Fixed

Please accept all the main ToC changes to reflect this, plus I nitpicked the whole thing, listed it alphabetically, and created new sections where required.

Probably the Tor Browser stuff is another candidate for chopping down to size in the new “Anonymous Browsing” section I created, but let’s focus on fixing links first.

2 Likes

document multiple Qubes TemplateVMs:

Was able to get

  • whonixcheck progress meter. I never saw a successful message. I think it flashes on and off the screen too quick to see.
  • Whonix Repository GUI x 2
  • Reload Tor GUI (I’m counting it since it starts from the GUI) Use it or not. :slight_smile:
  • Reload Firewall GUI (Same as above. Not really GUI but usable?)
  • 2 new Arm controller screenshots i.e. without large “W” in sys-whonix

Not able to get

  • whonixcheck GUI success message. Not sure what successful message you are referring to? (using unaltered TemplateVM)
  • Flash leak test. I see why this was not completed. I’ll get it done :wink:
  • Restart Tor GUI .png was corrupted

Good idea for Whonix 14 rolling releases since users will want to use multiple repositories.

I’ll put this at the top of my TODO. Shouldn’t take too long to complete

2 Likes

Not ready for a call for testers but would appreciate if you could revise the wording.