This nails it perfectly! Please add to the wiki. Where? Good question, next question…
Certainly it needs to be referenced from Free Support for Whonix ™ so that chapter is better justified.
This chapter could definitely use some beautification. No rush.
BTW I fixed a few mistakes. There are always a few stragglers.
Done!
Added to Wiki/FAQ. I will add a link from Free Support Principle after the chapter is pushed to the wiki. Also, I made a new name up for the chapter. Any better suggestions?
https://www.whonix.org/w/index.php?title=FAQ&oldid=33949&diff=cur
I made a couple of syntax errors when adding references in Wiki/FAQ
Fixed (with admin privileges)
https://whonix.org/wiki/w/index.php?title=FAQ&diff=34352&oldid=34350
Done!
I think this is what you were looking for.
If any changes are needed please let me know.
https://www.whonix.org/w/index.php?title=Support&oldid=34299&diff=cur
Our Qubes Dispvm instructions were pushed to the Qubes docs
Great work!!
https://github.com/QubesOS/qubes-doc/pull/643
The instruction numbering somehow got messed up. All steps are numbered "1." instead of 1, 2, 3…
I will ask what needs to be done. Maybe make another pull request to fix.
Thanks for all this work 0brand! Keep it up.
Done!
Please let me know if any changes are necessary
Debugging with curl
Trying to use curl rather than curl.anondist-orig is a common mistake when debugging Whonix network issues.
curl is a symlink to curl.anondist, which is a symlink to uwt, which runs curl under torsocks, which then makes it use Tor running on localhost for stream isolation.
To use curl:
- the command must be run under user clearnet
- the uwt stream isolation wrapper must be deactivated
In Whonix-Gateway or sys-whonix (Qubes-Whonix):
1. Change to user clearnet
sudo su clearnet
2. Deactivate the uwt stream isolation wrapper by appending .anondist-orig to curl
curl.anondist-orig <your_url>
Edit: Note to self: Remove sandboxed Tor Browser link from Whonix 14 release notes
Great! Nits:
Suggestion:
curl is a symlink to curl.anondist. In turn, this symlinks to uwt which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.
Suggestion:
To use curl:
- The command must be run under user clearnet.
- The uwt stream isolation wrapper must be deactivated.
The rest looks good.
torjunkie:
Great! Nits:
Suggestion:
curl is a symlink to curl.anondist. In turn, this symlinks to uwt which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.
Suggestion:
To use curl:
- The command must be run under user clearnet.
- The uwt stream isolation wrapper must be deactivated.
Either run under user clearnet or deactivate the uwt stream isolation wrapper. Either permanently or temporarily.
Links:
I followed all the steps from the links you provided (in sys-whonix and whonix-gw Template when appropriate) and curl must be run under user clearnet for both temporary or permanent deactivation.
Is this what is expected?
I ran through more testing.
The only way I could run curl from user@host:~$
In whonix-gw Template, run:
sudo nano /etc/uwt.d/50_user.conf
Add
UWT_DEV_PASSTHROUGH="1"
Then, in sys-whonix run:
user@host:~$ curl <some_url>
One more question:
curl can be run from user clearnet without appending .anondist-orig (works).
Should users be warned not to do this even if it seems to work?
0brand:
I followed all the steps from the links you provided (in sys-whonix and whonix-gw Template when appropriate) and curl must be run under user clearnet for both temporary or permanent deactivation. Is this what is expected?
Whonix 14:
Have a look at the end of what really happens. Only the latest exec calls matter.
uwtwrapper_verbose=1 curl something
Expected:
Using uwt / torsocks / stream isolation.
Result:
exec torsocks /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something
I.e. torsocks gets prepended before running curl.
uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl something
Expected:
Not using torsocks / stream isolation.
Result:
exec /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something
I.e. torsocks does not get prepended. curl gets run as is. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn't installed.
/usr/bin/curl.anondist-orig is the real curl binary. I.e. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn’t installed.
Running /usr/bin/curl.anondist-orig directly circumvents all the uwt logic.
One more question:
curl can be run from user clearnet without appending .anondist-orig (works). Should users be warned not to do this even if it seems to work?
Warn against what?
clearnet..
clearnet@host:/home/user$ uwtwrapper_verbose=1 curl https://check.torproject.org
exec torsocks /usr/lib/uwtexec https://check.torproject.org
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig https://check.torproject.org
So to reach actual clearnet, one still has to disable the uwt wrapper(s).
When using user clearnet on Whonix-Gateway, it's expected to be reaching clearnet.
Advanced Security Guide split -> Fixed
(internal links on those pages not fixed yet; mega-page not deleted so as not to break existing links everywhere)
Computer Security Guide split is next, then a large clean up of incorrect links (not fun) from this set of 3 splits.
Thank You!
I’ll get to work adding new steps to permanently or temporarily deactivate stream isolation for curl in the new /Dev/tech chapter.
0brand:
I’ll get to work adding new steps to permanently or temporarily deactivate stream isolation for curl in the new /Dev/tech chapter.
That should be already documented, belongs here…?
The rest of my explanations from my previous post may also be a good candidate for copying with modifications to Dev/anon-ws-disable-stacked-tor - Whonix.
No problem.
I thought you might have wanted to deactivate stream isolation temporarily and permanently also with https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor
Makes more sense just to add link to
From Frequently Asked Questions - Whonix ™ FAQ could you please mention and reference Free Support for Whonix ™ and The User Co-developer Concept?
No problem
Originally referenced Co-developer Concept but I took it out. Oops
Done!
Debugging with curl
Trying to use curl rather than curl.anondist-orig is a common mistake when debugging Whonix network issues.
curl is a symlink to curl.anondist. In turn, this symlinks to uwt which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.
To use curl:
- The uwt stream isolation wrapper must be deactivated
- The command must be run under user clearnet
In Whonix-Gateway or sys-whonix (Qubes-Whonix)
1. Change to user clearnet
sudo su clearnet
2. Deactivate the uwt stream isolation wrapper by appending .anondist-orig to curl
curl.anondist-orig <your_url>
Using curl in Whonix 14
curl must be run under user clearnet, the same as in Whonix 13.
In the following examples, the exec calls from the command output show the difference between running curl with the uwtwrapper both enabled and disabled.
Example 1
curl is run with the uwtwrapper enabled.
uwtwrapper_verbose=1 curl <your_url>
This results in the following exec calls. Only the latest (most recent) call matters, which shows torsocks is prepended before running curl.
exec torsocks /usr/lib/uwtexec <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>
Example 2
curl is run with the uwtwrapper disabled.
uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl <your_url>
This command results in the following exec calls, which show torsocks does not get prepended before curl. Since curl does not run under torsocks, local connections are not hindered and there is no stream isolation.
exec /usr/lib/uwtexec <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>
The output from the previous commands establishes the following:
/usr/bin/curl is symbolically linked to /usr/bin/curl.anondist-orig. This demonstrates /usr/bin/curl.anondist-orig is the actual (real) curl binary.
When /usr/bin/curl.anondist-orig is run with the uwtwrapper disabled, all uwt logic is circumvented.
Users can either run curl under user clearnet or deactivate the uwt stream isolation wrapper, either permanently or temporarily.
Links:
https://www.whonix.org/wiki/Stream_Isolation
https://www.whonix.org/wiki/Stream_Isolation/Disable_Easy
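As an added example (my own constructed illustration, not Whonix's uwt source and not code from this thread), the following POSIX shell script rebuilds the symlink layout that Patrick's exec trace and the draft wiki chapter above both describe (curl -> curl.anondist -> uwt, with curl.anondist-orig as the real binary) in a throwaway directory, follows the links to show where curl actually resolves, and models the UWT_DEV_PASSTHROUGH decision that determines whether torsocks is prepended. The /usr/lib/uwtexec path and the shape of the exec lines are taken from the thread's uwtwrapper_verbose=1 output; the sandbox contents and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed model of the uwt wrapper chain discussed in the thread.
# NOT Whonix's uwt code: a sandbox plus a simplified decision function.

# Follow symlinks one hop at a time and print the final path.
# Avoids `readlink -f`; relative link targets are resolved against
# the directory that holds the link.
follow_links() {
    p="$1"
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case "$t" in
            /*) p="$t" ;;
            *)  p="$(dirname "$p")/$t" ;;
        esac
    done
    printf '%s\n' "$p"
}

# Build a throwaway copy of the layout under $1 (constructed for testing):
#   curl -> curl.anondist -> uwt, and curl.anondist-orig as the "real" binary.
make_sandbox() {
    d="$1"
    mkdir -p "$d"
    printf '#!/bin/sh\necho real-curl "$@"\n' > "$d/curl.anondist-orig"
    printf '#!/bin/sh\necho uwt "$@"\n' > "$d/uwt"
    chmod +x "$d/curl.anondist-orig" "$d/uwt"
    ln -s uwt "$d/curl.anondist"
    ln -s curl.anondist "$d/curl"
}

# True when the given command path ends up at the uwt wrapper,
# i.e. the call would be subject to stream isolation by default.
is_uwt_wrapped() {
    [ "$(basename "$(follow_links "$1")")" = "uwt" ]
}

# Model of the exec plan shown by uwtwrapper_verbose=1 in the thread.
# $1 = wrapper name (e.g. curl), $2 = UWT_DEV_PASSTHROUGH value ("" if unset),
# remaining arguments = program arguments. Prints the exec lines that would run.
uwt_plan() {
    prog="$1"; passthrough="$2"; shift 2
    if [ "$passthrough" = "1" ]; then
        # Passthrough: torsocks is not prepended, so no stream isolation
        # and local connections are unhindered.
        printf 'exec /usr/lib/uwtexec %s\n' "$*"
    else
        # Default: torsocks wraps the exec so traffic goes to Tor on localhost.
        printf 'exec torsocks /usr/lib/uwtexec %s\n' "$*"
    fi
    # Final hop is the same in both cases: the real binary, run as "curl".
    printf 'exec -a /usr/bin/%s /usr/bin/%s.anondist-orig %s\n' "$prog" "$prog" "$*"
}

# Summarise the plan as "tor" or "direct" from its first exec line.
uwt_mode() {
    case "$(uwt_plan "$@" | head -n 1)" in
        "exec torsocks"*) echo tor ;;
        *) echo direct ;;
    esac
}

# Demo: build the sandbox, show the link chain and both exec plans.
sandbox=$(mktemp -d)
make_sandbox "$sandbox"
echo "curl resolves to: $(follow_links "$sandbox/curl")"
echo "--- wrapper enabled (default) ---"
uwt_plan curl "" https://check.torproject.org
echo "--- wrapper disabled (UWT_DEV_PASSTHROUGH=1) ---"
uwt_plan curl 1 https://check.torproject.org
rm -rf "$sandbox"
```

The useful check for a debugging session is is_uwt_wrapped on the command you are about to run: if it resolves to uwt, the request will be stream-isolated through Tor regardless of which user runs it, which is exactly why the clearnet user alone did not change the trace in the thread. Only the passthrough branch (or calling the .anondist-orig binary directly) yields the "direct" plan.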
Done!
https://whonix.org/w/index.php?title=FAQ&oldid=34364&diff=cur
1 minor edit in stream isolation chapter
https://whonix.org/w/index.php?title=Stream_Isolation&oldid=34458&diff=cur
Whonix 13 / 14, there is no difference. You always need to run under user clearnet.
Well, it actually depends (but not on 13 / 14).
If you want to reach clearnet -> user clearnet.
For location connections -> any user.
I must be doing something wrong in sys-whonix (Whonix 14)?
anon-info
INFO: /etc/apt/sources.list.d/torproject.list does not exist.
INFO: version of the 'tor' package: 0.3.3.7-1~d90.stretch+1
sudo su clearnet
user@host:~$
sys-whonix (Whonix 13)
sudo su clearnet
clearnet@host:/home/user$
New proposed edits reflect Whonix 14 requires user clearnet
Please let me know if any changes are necessary
Note: spacing in some areas is a little wide, i.e. spacing between bullet lists and the next text block
https://whonix.org/w/index.php?title=Dev/anon-ws-disable-stacked-tor&oldid=33749&diff=cur
Edit: Bullet spacing already reported https://phabricator.whonix.org/T809