[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Long Wiki Edits Thread

I moved a few things around to group sys-whonix commands together after this guide was copied to this thread. Didn’t realize step 2 was a repeat of step 1. Fixed!

Thanks for pointing that out!

Yes, tested:

sys-whonix-13 -> sys-whonix-13
sys-whonix-14 -> sys-whonix-14
sys-whonix-13 -> sys-whonix-14 and visa versa

The first round of testing I kept getting errors and Tor wouldn’t start. After about an hour and a half I realized my mistake. I went back and ran sudo chown debian-tor: -R /var/lib/tor in all sys-whonix VMs and Tor functioned properly. :smile:

I should have this guide completed later today and the testers blog updated.

Or should I wait until this wiki entry is approved by Patrick before adding this step to testers blog?

I will add (Step X: Copy the Whonix 13 Tor state to the secondary sys-whonix) to the blog post with a note stating instructions will be added shortly to the wiki?

1 Like

Chapter “Copy Tor State File to Fresh sys-whonix VM” added to wiki/Tor.

https://whonix.org/wiki/w/index.php?title=Tor&oldid=33071&diff=cur

Not sure if I like chapter title. I saw this terminology used under the “Rotation of Entry Guards” chpater and I tried to copy the language.

On occasion, users may be tempted to create a new Whonix-Gateway (Qubes-Whonix: sys-whonix) because:

  • One of the fallback primary entry guards.
  • A configured bridge.
  • Possibly combine tunnels with Tor.
  • Creating a fresh Whonix-Gateway (sys-whonix), and copying across the Tor state file.

Also, In the instructions, what would be the correct terminology to use - Tor state, Tor state file(s), Tor state folder? It seem different terminology should be used depending on the context of the instructions.

If any changes are necessary please let me know.

Almost forgot, Qubes-Whonix 14 Testers blog instructions have been update.

1 Like

Very good!

torjunkie:

sandbox: Failed to find Adwaita gtk-2.0 theme.

Since this theme is probably installed in standard Tor Browser (the running Sandboxed Tor Browser instance does look a little different), perhaps we should recommend users install it, as it may otherwise pose a fingerprinting vector(?).

Guess:
Good to have it installed (from Debian package sources), if avaialble.

Should:
Not matter.

Real answer:
Only Tor Browser developers are capable to answer that.

1 Like

Excellent work 0brand - I think I can happily retire now :smile:

I edited your stuff, plus the rest of the Tor chapter, which had various entries (not yours) that was irritating me for language/expression.

I was thinking the exact same thing. I’m not sure. I gather “Tor state” is the generic expression, but I left it mostly as is.

Thanks again, that is very useful to have extra steps in there.

OK - will add a step there when I get a chance.

Reminder to self: also fix AppArmor parameter for Qubes-Whonix.

2 Likes

The Tor chapter looks awesome! Thanks for the help!

Reminder to myself: fix Apparmor parameters before torjunkie gets to it. :smile:

Sorry about that. I was a little side tracked with the Tor wiki chapter.

That will be completed and ready for your review later on today.

2 Likes

Done!

https://whonix.org/w/index.php?title=Template:Qubes_AppArmor&oldid=33430&diff=cur

Changed Apparmor qvm-prefs option from ‘-l’ to ‘-g’ . I didn’t see the need to change the ‘-s’ option for R4 since it is ignored.

Language changes were necessary in the introduction IMO. It was very hard to understand. Plus minor language changes in the instructions.

I’m sure the template could use further changes/polishing. Let me know if I can help!

Off topic:

Just saw this post by Patrick. Should the new chapter in wiki/Tor that was just created use this command to stop Tor? This command works in Whonix 13 ( just tested it ). Maybe wait for his guidance when he reviews the new chapter?

1 Like

Use /lib/systemd/system/tor@service.d instead
https://phabricator.whonix.org/T785

1 Like

Noticed sys-whonix-A and sys-whonix-B in “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swaped. No need to look who made the mistake. It was me of course :blush:

I will fix later on today along with using /lib/systemd/system/tor@service.d , as per Patrick.

1 Like

0brand:

Noticed sys-whonix-A and sys-whonix-B in “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swaped. No need to look who made the mistake. It was me of course :blush:

I will fix later on today along with using /lib/systemd/system/tor@service.d , as per Patrick.

It’s a research ticket. It’s not yet clear we want that. Needs testing /
figuring out. If it works, then all ok.

1 Like

OnionShare in Qubes-Whonix 14

@Patrick - please point out the faults in this method below if it is unsafe or not canonical.

Building OnionShare from Source

Whonix recommends against APT pinning because it has previously broken functionality. For example, on one occasion templates thought they were not connected to Whonix Gateway; see https://www.whonix.org/wiki/Dev/APT_Pinning.

Therefore, this procedure builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux

To install OnionShare in Whonix 14:

1. Create an anon-onionshare AppVM based on the whonix-ws (14) template.

2. Open a terminal and navigate to the persistent home directory; this avoids polluting the TemplateVM upon which it is based.

cd /home/user

3. Install git which is not available by default in the AppVM.

sudo apt-get install git

4. Clone the OnionShare directory.

git clone https://github.com/micahflee/onionshare.git

5. Change into the OnionShare directory.

cd onionshare

6. Retrieve Micah Lee’s PGP key using the long key ID.

Note: This key ID is taken from www.micahflee.com

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73

7. Examine the available git tags, and verify the latest version and its commit (v1.3 at the time of writing). Good signature messages should appear for each verify command below.

git tag

git verify-tag v1.3

git verify-commit v1.3^{commit}

8. Install OnionShare dependencies.

Warning: Do not proceed unless signatures were good for the two git verification steps.

The user must install the following dependencies.

sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy

9. Extend the onion-grater whitelist on sys-whonix (14).

Steps 9-10 are sourced from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare

In sys-whonix (14), open Konsole and create the following directory.

sudo mkdir -p /usr/local/etc/onion-grater-merger.d/

Symlink the onion-grater profile to the onion-grater settings folder.

sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/

Restart onion-grater.

sudo service onion-grater restart

10. Modify the anon-onionshare user firewall settings and reload them.

In Konsole, first make sure the folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Create the necessary user.conf file.

sudo nano /etc/whonix_firewall.d/50_user.conf

Add ports that are required by OnionShare.

EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "

Save and exit.

11. Start the OnionShare GUI in anon-onionshare.

./dev_scripts/onionshare-gui

12. Select the settings button/icon (cog symbol) in the OnionShare GUI.

Under “How should OnionShare connect to Tor?” select “Connect using socket file”, and set the socket file to /var/run/tor/control.

Under “Tor authentication options” select “No authentication, or cookie authentication”.

13. Test the OnionShare settings.

Click the “Test Settings” button. If all steps were completed correctly, Tor will successfully connect.

The GUI should say it supports both ephemeral onion services and stealth onion services.

Check “Create stealth onion services” to make OnionShare operations more secure.

Actual Test

After doing all these steps above, it worked! :smiley: :tada:

I was able to share a dummy file with one sentence of text in it, that was made available at a random onion address.

The same instructions can be used for non-Qubes-Whonix, except each instance of sys-whonix and anon-onionshare is substituted with Whonix-Gateway and Whonix-Workstation instead.

Conclusion

OnionShare, a piece of cake in Whonix :wink:

AppArmor Consideration

@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?

https://github.com/micahflee/onionshare/commit/6cceac3b3eca9ce2cc13cde4d16f7291b565c720

2 Likes

Tor wiki chapter “Copy the Tor State File to Another sys-whonix Instance

Mistakes fixed

https://whonix.org/w/index.php?title=Tor&oldid=33454&diff=cur


TODO

  1. Anything that take priority as per Patrick, torjunkie

  2. Whonix 14 Call for testers blog post. Update as needed

  3. https://www.whonix.org/wiki/Security_in_Real_World

  • think of a more catchy page name:
  • also more catchy og:description
  1. https://www.whonix.org/wiki/Dev/TimeSync#Clock_Correlation_Attack
  • Come up with a new name for the attack as per: Long Wiki Edits Thread

    This all I have so far. :grimacing: Could use some ideas.

    • domU clock skew correlation through domX compromise
    • clock skew correlation through sister domain compromise
  1. https://whonix.org/wiki/System_Hardening_Checklist#Onionizing_Repositories

    • add instructions to change repos back to using http://URI (clearnet) servers.
    • good to have if .onions go down again. Also for users with slow connections and can’t update system etc.
  2. Fix broken link user reported in Multiple Tor Browsers safe setup in Whonix

  3. Add Qubes specific install instructions for “Using Tor Browser without Tor” chapter

2 Likes

torjunkie:

OnionShare in Whonix 14

@Patrick - please point out the faults in this method below if it is unsafe or not canonical.

Building OnionShare from Source

Whonix recommends against APT pinning because it has previously broken functionality.

No. I wouldn’t go so far. Pinning is fine. Just needs to be done right.
Not using generic codenames (stable, testing). Using specific codenames
(jessie, stretch, buster).

For example, on one occasion, templates thought they were not connected to Whonix Gateway; see https://www.whonix.org/wiki/Dev/APT_Pinning.

Unrelated to apt pinning.

Therefore, this test builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux

To install OnionShare in Whonix 14:

1. Create an anon-onionshare AppVM based on the whonix-ws (14) template.

Ok, it’s user choice (optional) but good practice.

2. Open a terminal and switch to the persistent directory; this avoids polluting the TemplateVM upon which it is based.

cd /home/user

3. Install git which is not available by default in the AppVM.

sudo apt-get install git

4. Clone the OnionShare directory.

git clone https://github.com/micahflee/onionshare.git

5. Change into the OnionShare directory.

cd onionshare

6. Receive Micah Lee’s PGP key using the long-ID key version.

Note: This key ID is taken from www.micahflee.com

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73

7. Examine the git tags available, and verify the latest version and it’s commit (v1.3 at the time of writing). Good signature messages should appear for the second and third steps.

git tag

git verify-tag v1.3

git verify-commit v1.3^{commit}

8. Install OnionShare dependencies.

Warning: Do not proceed unless signatures were good for the two git verification steps.

The user must install the following dependencies, except Tor, which is already installed by Whonix.

sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy

9. Extend the onion-grater whitelist on whonix-gw (14).

Follow the directions from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare

Ok.

That is, first create a new directory via Konsole in whonix-gw.

Can be done in sys-whonix. (Covered by bind-dirs.) (Maybe onion-grater
add wiki template needs improvement?)

Doing in whonix-gw TemplateVM is okay too but then it applies for all
Whonix-Gateway ProxyVMs based on sys-whonix. Probably not needed.

sudo mkdir -p /usr/local/etc/onion-grater-merger.d/

Symlink the onion-grater profile to the onion-grater settings folder.

sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/

Please use the existing wiki template,

Restart onion-grater.

sudo service onion-grater restart

10. Modify the Whonix-Workstation User Firewall Settings and reload them.

In Konsole in whonix-ws (copying instructions from the link above), first make sure the folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Create the necessary user conf file.

sudo nano /etc/whonix_firewall.d/50_user.conf

Add ports that are required by OnionShare.

EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "

Save and exit.

11. Start the OnionShare GUI in whonix-ws.

./dev_scripts/onionshare-gui

12. Select the settings button/icon (cog symbol) in the OnionShare GUI.

Under “How should OnionShare connect to Tor?” choose “Connect using socket file”, and set the socket file to /var/run/tor/control.

Under “Tor authentication options” choose “No authentication, or cookie authentication”.

13. Test the OnionShare settings.

Click the “Test Settings” button. If all has gone well, you should see a successful connection to Tor.

The GUI should say it supports both ephemeral onion services and stealth onion services.

Check “Create stealth onion services” if you want to make OnionShare more secure.

Actual Test

Well I did all these steps above, and it worked! :smiley: :tada:

Good.

I was able to share a dummy file with one sentence of text in it, that went to a random onion address.

Note

I skipped this step below, because OnionShare works anyway. It is unclear why it isn’t needed in Whonix i.e. allowing OnionShare to connect to the system Tor socket file explicitly, but perhaps the GUI step is sufficient:

Package anon-ws-disable-stacked-tor makes it appear as if Tor is running
in Whonix-Workstation, “Tor emulation”. Even though Tor is not running
there. And forwards to Whonix-Gateway. ( Need of update:
https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor )

https://github.com/micahflee/onionshare/wiki/Connecting-to-Tor

sudo usermod -a -G debian-tor username

Should be also done already by anon-ws-disable-stacked-tor.

But, who gives a shit if it works.

Conclusion

OnionShare, a piece of cake in Whonix :wink:

AppArmor Consideration

@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?

https://github.com/micahflee/onionshare/commit/6cceac3b3eca9ce2cc13cde4d16f7291b565c720

Doesn’t onionshare ship a profile by its own already?

1 Like

Some nitpicks…

Maybe change to sys-whonix-old / sys-whonix-new. Better than a and b. Always clearer.

sys-whonix-new: after stopping Tor, also delete Tor state folder.

Why: imagine sys-whonix-new has a Tor state file that sys-whonix-old did not have. In that case it would not be a clean migration of the same. It would have an extraneous file.

Is sudo su required? Would sudo work?

sudo ls -l /var/lib/tor - not useful to run before fixing permissions using chown. After using chown usually we shouldn’t need to check. I think we can trust chown if no errors were shown. sudo ls -l /var/lib/tor is only useful for debugging. (Perhaps keep as footnote.)

whonixcheck -v: the -v shouldn’t be encouraged for most users. It’s non-verbose by default to keep the generated confusion from any whonixcheck output low. Please mention [[whonixcheck]] (where -v could be documented.).

2 Likes

Clarification: stopping Tor is required in both VMs old and new. Deleting Tor state files is required in new VM.

OnionShare wiki entry -> Done.

Is this page linked on the main documentation page somewhere?

Anyway, will create the draft of the Whonix 14 blog post tomorrow, now that this is finally done. It will be ready for publishing EXCEPT for the date field right at the top which has April XX at the moment.

Then, I’m moving onto tempest’s encrypted email stuff for the blank wiki page I created already. Should be relatively easy cut and paste job (?).

Buddy, you do anything you like - your contributions are very much valued. :slight_smile:

Editing is a bug, once you get it, it’s hard to shake…

Done!

It only needs sudo. When first tested it required sudo su. I could have made an error.

Done!

Done!

After stopping Tor, /var/lib/tor had to be unmounted before it could be removed. When moving new Tor folder back into /var/lib, the new folder did not need to be mounted for Tor to start. Should it be mounted anyways?

New steps (note: some of the comments in the actual wiki are excluded for simplicity)

1. In sys-whonix-new, stop Tor

sudo systemctl stop tor@default

2. In sys-whonix-new, remove the Tor state folder. First the /var/lib/tor directory must be unmounted

sudo umount /var/lib/tor

sudo rm -r /var/lib/tor

3. In sys-whonix-old, stop Tor

sudo systemctl stop tor@default

4. In sys-whonix-old, copy the Tor state file across to sys-whonix-new

sudo qvm-copy /var/lib/tor sys-whonix-new

5. In sys-whonix-new, list the QubesIncoming directory to ensure the Tor state file was copied over successfully.

ls ~/QubesIncoming/sys-whonix-old/tor

6. In sys-whonix-new, move the newly copied Tor state file to /var/lib/tor

sudo mv ~/QubesIncoming/sys-whonix-old/tor /var/lib

7. In sys-whonix-new, change ownership of all files in the Tor state folder to debian-tor

sudo chown -R debian-tor:debian-tor /var/lib/tor

8. In sys-whonix-new, start Tor

sudo systemctl start tor@default

9. In sys-whonix-new, run whonixcheck to verify Tor is functioning properly

whonixcheck

https://whonix.org/w/index.php?title=Tor&oldid=33463&diff=cur


Knew I was in trouble when I started carrying around a pocket notebook to jot down ideas for content throughout the day. :grin:

1 Like

LOL. :laughing:

You might also want to put yourself on the contributors list next to my name re: wiki documentation audit if you’re going to be here for a while.

@Patrick

In my hunting for missing images on wiki pages, I noticed the following.

1. The following wiki pages link to nothing (virtually empty pages) on the main wiki TOC:

  • Whonix.org Site Security”. It used to have ratings of various website features etc.

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix:Privacy_policy#Technical_Information

  • “Disclaimer” - dead redirects. Suggesting removing or fixing whatever it is meant to link to (I’m not sure what resource it should pull in).

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix:General_disclaimer

2. Also, do you want the “Expand or Collapse All” widget embedded on each of the main wiki documentation pages i.e. this? ->

{{#widget:Expand or Collapse All}}

3. The following page is definitely an old version. I remember editing the text about different repositories to improve it i.e. remove folksy language.

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-APT-Repository

4. I see there are old edits awaiting approval for the “Tor Browser without Tor” page. Probably missed in all the action.

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Browser_without_Tor

Not sure who did that, but they look good. Suggest you approve that.

Dumb question since I rarely do blog posts, where is the button/link/login section to do that again? :blush: (via forums? via doc page login? don’t see it)

Looking high and low and I don’t see it anywhere. Let me know, and I’ll draft up the HTML markdown version for Whonix 14 release.

I don’t plan on going anywhere in foreseeable future. You’re stuck with me.:stuck_out_tongue_winking_eye:

I think having your name on the contributors list is a privilege that is earned. I have a ways to go on that? I guess you could say I’m a padawan learner of sorts.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]