Thank you for your awesome work! It looks great to me!
torjunkie
Whonix 14 blog release is impeccable. Great work!
What do you think about adding this step by step guide to wiki/Tor? Then have a step in the Whonix 14 testers blog that has users copy and paste Tor State File from sys-whonix-13 to sys-whonix-14. ( and also has a link to these instructions?)
Copying Tor State to secondary sys-whonix
torjunkie
: the language in this guide is not complete. Just wanted to get your opinion before I went any further. Aslo these instructions assume sys-whonix is based on Whonix-14 and sys-whonix-13 (obvious)
-
In
sys-whonix
stop Tor.sudo systemctl stop tor@default
-
In
sys-whonix
remove Tor State File. Note: Its likely that this command will complain that the process is busy. This can be ignored.sudo rm -r /var/lib/tor
-
In
sys-whonix
, ensure/var/lib/tor
is empty. This command should produce no output.sudo ls /var/lib/tor
-
In
sys-whonix-13
, stop tor.sudo systemctl stop tor@default
-
In
sys-whonix-13
, copy the Tor State File tosys-whonix
. Users must upgrade to a root prompt (root@host:# ) for the command to exit successfully.Note: If users encounter this error it can be ignored. qfile-agent: Fatal error: stat “VM” (error type: No such file or directory) . Hit “OK” when prompted
sudo su
qvm-copy /var/lib/tor sys-whonix
-
In
sys-whonix
, list the QubesIncoming directory to ensure Tor State File was copied over successfully.ls ~/QubesIncoming/sys-whonix-13/tor
The output should include these files:
cached-certs cached-microdescs lock
cached-microdesc-consensus cached-microdescs.new state
-
In
sys-whonix
, move Tor State File to/var/lib/tor
.sudo mv ~/QubesIncoming/sys-whonix-13/tor/* /var/lib/tor
-
In
sys-whonix
, ensure all files listed in step 6 are now in/var/lib/tor
and have the proper ownership. For Tor to function, files in this directory should be owned bydebian-tor
. If files do not have proper ownership, proceed to step 9. Otherwise skip to step 10.sudo ls -l /var/lib/tor
Note: The first 2 lines of the output should look similar to this. Notice the proper file ownership ‘
debian-tor debian-tor
’.-rw------- 1 debian-tor debian-tor 20442 Feb 22 21:22 cached-certs
-rw------- 1 debian-tor debian-tor 1985454 Apr 4 00:04 cached-microdesc-consensus
-
In
sys-whonix
, change ownership of the Tor State File todebian-tor
.sudo chown debian-tor: -R /var/lib/tor
-
In
sys-whonix
, verify Tor State file is owned bydebian-tor
.sudo ls -l /var/lib/tor
-
In
sys-whonix
, start Tor.sudo systemctl start tor@default
-
In
sys-whonix
, verify Tor is functioning properly.whonixcheck -v
Excellent work 0brand and great idea to add to the wiki!
Then your blog post only needs to refer to the wiki link. i.e. something like →
Step X: Copy the Whonix 13 Tor state to the secondary sys-whonix
Users are recommended to copy their Whonix 13 Tor state to the secondary (Whonix 14) sys-whonix to maintain the same Tor entry guard and defend against tracking attempts by advanced adversaries.
Follow the instructions at the following link:
Note:
- Steps 1 & 2 have same commands.
- The rest of it looks logical to me, but I haven’t tested it.
Does it work okay for you?
These instructions can live under the Advanced Topics section of the Tor chapter with an appropriate title.
I moved a few things around to group sys-whonix
commands together after this guide was copied to this thread. Didn’t realize step 2 was a repeat of step 1. Fixed!
Thanks for pointing that out!
Yes, tested:
sys-whonix-13 → sys-whonix-13
sys-whonix-14 → sys-whonix-14
sys-whonix-13 → sys-whonix-14 and visa versa
The first round of testing I kept getting errors and Tor wouldn’t start. After about an hour and a half I realized my mistake. I went back and ran sudo chown debian-tor: -R /var/lib/tor
in all sys-whonix VMs and Tor functioned properly.
I should have this guide completed later today and the testers blog updated.
Or should I wait until this wiki entry is approved by Patrick before adding this step to testers blog?
I will add (Step X: Copy the Whonix 13 Tor state to the secondary sys-whonix) to the blog post with a note stating instructions will be added shortly to the wiki?
Chapter “Copy Tor State File to Fresh sys-whonix VM” added to wiki/Tor.
https://whonix.org/wiki/w/index.php?title=Tor&oldid=33071&diff=cur
Not sure if I like chapter title. I saw this terminology used under the “Rotation of Entry Guards” chpater and I tried to copy the language.
On occasion, users may be tempted to create a new Whonix-Gateway (Qubes-Whonix: sys-whonix) because:
- One of the fallback primary entry guards.
- A configured bridge.
- Possibly combine tunnels with Tor.
- Creating a fresh Whonix-Gateway (sys-whonix), and copying across the Tor state file.
Also, In the instructions, what would be the correct terminology to use - Tor state, Tor state file(s), Tor state folder? It seem different terminology should be used depending on the context of the instructions.
If any changes are necessary please let me know.
Almost forgot, Qubes-Whonix 14 Testers blog instructions have been update.
Very good!
torjunkie:
sandbox: Failed to find Adwaita gtk-2.0 theme.
Since this theme is probably installed in standard Tor Browser (the running Sandboxed Tor Browser instance does look a little different), perhaps we should recommend users install it, as it may otherwise pose a fingerprinting vector(?).
Guess:
Good to have it installed (from Debian package sources), if avaialble.
Should:
Not matter.
Real answer:
Only Tor Browser developers are capable to answer that.
Excellent work 0brand - I think I can happily retire now
I edited your stuff, plus the rest of the Tor chapter, which had various entries (not yours) that was irritating me for language/expression.
I was thinking the exact same thing. I’m not sure. I gather “Tor state” is the generic expression, but I left it mostly as is.
Thanks again, that is very useful to have extra steps in there.
OK - will add a step there when I get a chance.
Reminder to self: also fix AppArmor parameter for Qubes-Whonix.
The Tor chapter looks awesome! Thanks for the help!
Reminder to myself: fix Apparmor parameters before torjunkie gets to it.
Sorry about that. I was a little side tracked with the Tor wiki chapter.
That will be completed and ready for your review later on today.
Done!
https://whonix.org/w/index.php?title=Template:Qubes_AppArmor&oldid=33430&diff=cur
Changed Apparmor qvm-prefs
option from ‘-l
’ to ‘-g
’ . I didn’t see the need to change the ‘-s
’ option for R4 since it is ignored.
Language changes were necessary in the introduction IMO. It was very hard to understand. Plus minor language changes in the instructions.
I’m sure the template could use further changes/polishing. Let me know if I can help!
Off topic:
Just saw this post by Patrick. Should the new chapter in wiki/Tor that was just created use this command to stop Tor? This command works in Whonix 13 ( just tested it ). Maybe wait for his guidance when he reviews the new chapter?
Noticed sys-whonix-A
and sys-whonix-B
in “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swaped. No need to look who made the mistake. It was me of course
I will fix later on today along with using /lib/systemd/system/tor@service.d
, as per Patrick.
0brand:
Noticed
sys-whonix-A
andsys-whonix-B
in “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swaped. No need to look who made the mistake. It was me of courseI will fix later on today along with using
/lib/systemd/system/tor@service.d
, as per Patrick.
It’s a research ticket. It’s not yet clear we want that. Needs testing /
figuring out. If it works, then all ok.
OnionShare in Qubes-Whonix 14
@Patrick - please point out the faults in this method below if it is unsafe or not canonical.
Building OnionShare from Source
Whonix recommends against APT pinning because it has previously broken functionality. For example, on one occasion templates thought they were not connected to Whonix Gateway; see Dev/APT Pinning - Kicksecure.
Therefore, this procedure builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux
To install OnionShare in Whonix 14:
1. Create an anon-onionshare
AppVM based on the whonix-ws
(14) template.
2. Open a terminal and navigate to the persistent home directory; this avoids polluting the TemplateVM upon which it is based.
cd /home/user
3. Install git which is not available by default in the AppVM.
sudo apt-get install git
4. Clone the OnionShare directory.
5. Change into the OnionShare directory.
cd onionshare
6. Retrieve Micah Lee’s PGP key using the long key ID.
Note: This key ID is taken from www.micahflee.com
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73
7. Examine the available git tags, and verify the latest version and its commit (v1.3 at the time of writing). Good signature messages should appear for each verify command below.
git tag
git verify-tag v1.3
git verify-commit v1.3^{commit}
8. Install OnionShare dependencies.
Warning: Do not proceed unless signatures were good for the two git verification steps.
The user must install the following dependencies.
sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy
9. Extend the onion-grater whitelist on sys-whonix
(14).
Steps 9-10 are sourced from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare
In sys-whonix
(14), open Konsole and create the following directory.
sudo mkdir -p /usr/local/etc/onion-grater-merger.d/
Symlink the onion-grater profile to the onion-grater settings folder.
sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/
Restart onion-grater.
sudo service onion-grater restart
10. Modify the anon-onionshare
user firewall settings and reload them.
In Konsole, first make sure the folder /rw/config/whonix_firewall.d exists.
sudo mkdir -p /rw/config/whonix_firewall.d
Create the necessary user.conf
file.
sudo nano /etc/whonix_firewall.d/50_user.conf
Add ports that are required by OnionShare.
EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "
Save and exit.
11. Start the OnionShare GUI in anon-onionshare
.
./dev_scripts/onionshare-gui
12. Select the settings button/icon (cog symbol) in the OnionShare GUI.
Under “How should OnionShare connect to Tor?” select “Connect using socket file”, and set the socket file to /var/run/tor/control.
Under “Tor authentication options” select “No authentication, or cookie authentication”.
13. Test the OnionShare settings.
Click the “Test Settings” button. If all steps were completed correctly, Tor will successfully connect.
The GUI should say it supports both ephemeral onion services and stealth onion services.
Check “Create stealth onion services” to make OnionShare operations more secure.
Actual Test
After doing all these steps above, it worked!
I was able to share a dummy file with one sentence of text in it, that was made available at a random onion address.
The same instructions can be used for non-Qubes-Whonix, except each instance of sys-whonix
and anon-onionshare
is substituted with Whonix-Gateway and Whonix-Workstation instead.
Conclusion
OnionShare, a piece of cake in Whonix
AppArmor Consideration
@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?
Improve AppArmor profiles and enforce them. · onionshare/onionshare@6cceac3 · GitHub
Tor wiki chapter “Copy the Tor State File to Another sys-whonix Instance”
Mistakes fixed
https://whonix.org/w/index.php?title=Tor&oldid=33454&diff=cur
TODO
-
Anything that take priority as per Patrick, torjunkie
-
Whonix 14 Call for testers blog post. Update as needed
- think of a more catchy page name:
- also more catchy og:description
-
Come up with a new name for the attack as per: Long Wiki Edits Thread - #494 by Patrick
This all I have so far. Could use some ideas.
- domU clock skew correlation through domX compromise
- clock skew correlation through sister domain compromise
-
- add instructions to change repos back to using http://URI (clearnet) servers.
- good to have if .onions go down again. Also for users with slow connections and can’t update system etc.
-
Fix broken link user reported in Multiple Tor Browsers safe setup in Whonix - #3 by clockworld
-
Add Qubes specific install instructions for “Using Tor Browser without Tor” chapter
torjunkie:
OnionShare in Whonix 14
@Patrick - please point out the faults in this method below if it is unsafe or not canonical.
Building OnionShare from Source
Whonix recommends against APT pinning because it has previously broken functionality.
No. I wouldn’t go so far. Pinning is fine. Just needs to be done right.
Not using generic codenames (stable, testing). Using specific codenames
(jessie, stretch, buster).
For example, on one occasion, templates thought they were not connected to Whonix Gateway; see Dev/APT Pinning - Kicksecure.
Unrelated to apt pinning.
Therefore, this test builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux
To install OnionShare in Whonix 14:
1. Create an
anon-onionshare
AppVM based on thewhonix-ws
(14) template.
Ok, it’s user choice (optional) but good practice.
2. Open a terminal and switch to the persistent directory; this avoids polluting the TemplateVM upon which it is based.
cd /home/user
3. Install git which is not available by default in the AppVM.
sudo apt-get install git
4. Clone the OnionShare directory.
5. Change into the OnionShare directory.
cd onionshare
6. Receive Micah Lee’s PGP key using the long-ID key version.
Note: This key ID is taken from www.micahflee.com
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73
7. Examine the git tags available, and verify the latest version and it’s commit (v1.3 at the time of writing). Good signature messages should appear for the second and third steps.
git tag
git verify-tag v1.3
git verify-commit v1.3^{commit}
8. Install OnionShare dependencies.
Warning: Do not proceed unless signatures were good for the two git verification steps.
The user must install the following dependencies, except Tor, which is already installed by Whonix.
sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy
9. Extend the onion-grater whitelist on
whonix-gw
(14).Follow the directions from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare
Ok.
That is, first create a new directory via Konsole in whonix-gw.
Can be done in sys-whonix. (Covered by bind-dirs.) (Maybe onion-grater
add wiki template needs improvement?)
Doing in whonix-gw TemplateVM is okay too but then it applies for all
Whonix-Gateway ProxyVMs based on sys-whonix. Probably not needed.
sudo mkdir -p /usr/local/etc/onion-grater-merger.d/
Symlink the onion-grater profile to the onion-grater settings folder.
sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/
Please use the existing wiki template,
Restart onion-grater.
sudo service onion-grater restart
10. Modify the Whonix-Workstation User Firewall Settings and reload them.
In Konsole in
whonix-ws
(copying instructions from the link above), first make sure the folder /rw/config/whonix_firewall.d exists.sudo mkdir -p /rw/config/whonix_firewall.d
Create the necessary user conf file.
sudo nano /etc/whonix_firewall.d/50_user.conf
Add ports that are required by OnionShare.
EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "
Save and exit.
11. Start the OnionShare GUI in
whonix-ws
../dev_scripts/onionshare-gui
12. Select the settings button/icon (cog symbol) in the OnionShare GUI.
Under “How should OnionShare connect to Tor?” choose “Connect using socket file”, and set the socket file to /var/run/tor/control.
Under “Tor authentication options” choose “No authentication, or cookie authentication”.
13. Test the OnionShare settings.
Click the “Test Settings” button. If all has gone well, you should see a successful connection to Tor.
The GUI should say it supports both ephemeral onion services and stealth onion services.
Check “Create stealth onion services” if you want to make OnionShare more secure.
Actual Test
Well I did all these steps above, and it worked!
Good.
I was able to share a dummy file with one sentence of text in it, that went to a random onion address.
Note
I skipped this step below, because OnionShare works anyway. It is unclear why it isn’t needed in Whonix i.e. allowing OnionShare to connect to the system Tor socket file explicitly, but perhaps the GUI step is sufficient:
Package anon-ws-disable-stacked-tor makes it appear as if Tor is running
in Whonix-Workstation, “Tor emulation”. Even though Tor is not running
there. And forwards to Whonix-Gateway. ( Need of update:
anon-ws-disable-stacked-tor )
Connecting to Tor · onionshare/onionshare Wiki · GitHub
sudo usermod -a -G debian-tor username
Should be also done already by anon-ws-disable-stacked-tor.
But, who gives a shit if it works.
Conclusion
OnionShare, a piece of cake in Whonix
AppArmor Consideration
@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?
Improve AppArmor profiles and enforce them. · onionshare/onionshare@6cceac3 · GitHub
Doesn’t onionshare ship a profile by its own already?
Some nitpicks…
Maybe change to sys-whonix-old / sys-whonix-new. Better than a and b. Always clearer.
sys-whonix-new: after stopping Tor, also delete Tor state folder.
Why: imagine sys-whonix-new has a Tor state file that sys-whonix-old did not have. In that case it would not be a clean migration of the same. It would have an extraneous file.
Is sudo su
required? Would sudo
work?
sudo ls -l /var/lib/tor
- not useful to run before fixing permissions using chown
. After using chown
usually we shouldn’t need to check. I think we can trust chown
if no errors were shown. sudo ls -l /var/lib/tor
is only useful for debugging. (Perhaps keep as footnote.)
whonixcheck -v
: the -v
shouldn’t be encouraged for most users. It’s non-verbose by default to keep the generated confusion from any whonixcheck output low. Please mention [[whonixcheck]]
(where -v
could be documented.).
Clarification: stopping Tor is required in both VMs old and new. Deleting Tor state files is required in new VM.
OnionShare wiki entry → Done.
Is this page linked on the main documentation page somewhere?
Anyway, will create the draft of the Whonix 14 blog post tomorrow, now that this is finally done. It will be ready for publishing EXCEPT for the date field right at the top which has April XX at the moment.
Then, I’m moving onto tempest’s encrypted email stuff for the blank wiki page I created already. Should be relatively easy cut and paste job (?).
Buddy, you do anything you like - your contributions are very much valued.
Editing is a bug, once you get it, it’s hard to shake…
Done!
It only needs sudo
. When first tested it required sudo su
. I could have made an error.
Done!
Done!
After stopping Tor, /var/lib/tor
had to be unmounted before it could be removed. When moving new Tor folder back into /var/lib
, the new folder did not need to be mounted for Tor to start. Should it be mounted anyways?
New steps (note: some of the comments in the actual wiki are excluded for simplicity)
1. In sys-whonix-new
, stop Tor
sudo systemctl stop tor@default
2. In sys-whonix-new
, remove the Tor state folder. First the /var/lib/tor directory must be unmounted
sudo umount /var/lib/tor
sudo rm -r /var/lib/tor
3. In sys-whonix-old,
stop Tor
sudo systemctl stop tor@default
4. In sys-whonix-old
, copy the Tor state file across to sys-whonix-new
sudo qvm-copy /var/lib/tor sys-whonix-new
5. In sys-whonix-new
, list the QubesIncoming directory to ensure the Tor state file was copied over successfully.
ls ~/QubesIncoming/sys-whonix-old/tor
6. In sys-whonix-new
, move the newly copied Tor state file to /var/lib/tor
sudo mv ~/QubesIncoming/sys-whonix-old/tor /var/lib
7. In sys-whonix-new
, change ownership of all files in the Tor state folder to debian-tor
sudo chown -R debian-tor:debian-tor /var/lib/tor
8. In sys-whonix-new
, start Tor
sudo systemctl start tor@default
9. In sys-whonix-new
, run whonixcheck to verify Tor is functioning properly
whonixcheck
https://whonix.org/w/index.php?title=Tor&oldid=33463&diff=cur
Knew I was in trouble when I started carrying around a pocket notebook to jot down ideas for content throughout the day.