Done!
I think this is what you were looking for.
If any changes are needed please let me know.
https://www.whonix.org/w/index.php?title=Support&oldid=34299&diff=cur
Our Qubes Dispvm instructions where pushed to the Qubes docs
Great work!! 
https://github.com/QubesOS/qubes-doc/pull/643
The instruction numbering was somehow messed. All steps are numbered “1.” instead of 1,2,3…
I will ask what need to be done. Maybe make another pull request to fix.
Thanks for all this work 0brand! Keep it up.
Done!
Please let me know if any changes are necessary
Debugging with curl
Trying to use curl rather than
curl.anondist-orgis a common mistake when debugging Whonix network issues.
curlis a symlink →curl.anondistwhich is a symlink →uwtwhich runscurlundertorsockswhich then makes it use Tor running onlocalhostfor stream isolation.To use curl
- command must be run under user
clearnet- uwt steam isolation wrapper must be deactivated
In Whonix-Gateway or
sys-whonix(Qube-Whonix)1. Change to user
clearnet
sudo su clearnet2. Deactivate
uwtstream isolation wrapper by appending.anondist-origtocurl
curl.anondist-org <your_url>
Edit
Note to self: Remove sandboxed Tor Browser link from Whonix 14 release notes
Great! Nits:
Suggestion:
curlis a symlink tocurl.anondist. In turn, this symlinks touwtwhich runscurlundertorsocks. torksocks then forces Tor to run on localhost for stream isolation.
Suggestion:
To use curl:
- The command must be run under user
clearnet.- The uwt stream isolation wrapper must be deactivated.
The rest looks good. 
torjunkie:
Great! Nits:
Suggestion:
curlis a symlink tocurl.anondist. In turn, this symlinks touwtwhich runscurlundertorsocks. torksocks then forces Tor to run on localhost for stream isolation.Suggestion:
To use curl:
- The command must be run under user
clearnet.- The uwt stream isolation wrapper must be deactivated.
Either run under user clearnet or deactivate uwt steam isolation
wrapper. Either permanently or temporary.
Links:
I followed all the steps from the links you provided (in sys-whonix and whonix-gw Template when appropriate) and curl must be run under user clearnet for both temporary or permanent deactivation.
Is this what is expected?
I ran through more testing.
The only way I could run curl from user@host:~$
In whonix-gw Template, run.
sudo nano /etc/uwt.d/50_user.conf
Add
UWT_DEV_PASSTHROUGH="1"
Then.
In sys-whonix run
user@host:~$curl <some_url>
I more question
curl can be run from user clearnet without appending .anondist-org (works)
Should users be warned not to do this even if it seems to works?
0brand:
I followed all the steps from the links you provided (in sys-whonix and whonix-gw Template when appropriate) and
curlmust be run under userclearnetfor both temporary or permanent deactivation.Is this what is expected?
Whonix 14:
Have a look at the end what really happens. Only the latest exec calls matters.
uwtwrapper_verbose=1 curl something
Expected:
Using uwt / torsocks / stream isolation.
Result:
exec torsocks /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something
I.e. torsocks gets prepended before running curl.
uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl something
Expected:
Not using torsocks / stream isolation.
Result:
exec /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something
I.e. torsocks does not get prepeneded. curl gets run as is. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn’t installed.
/usr/bin/curl.anondist-orig is the real curl binary. I.e. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn’t installed.
Running /usr/bin/curl.anondist-orig directly circumvents all the uwt logic.
I more question
curlcan be run from userclearnetwithout appending.anondist-org(works)Should users be warned not to do this even if it seems to works?
Warn against what?
clearnet..
clearnet@host:/home/user$ uwtwrapper_verbose=1 curl https://check.torproject.org
exec torsocks /usr/lib/uwtexec https://check.torproject.org
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig https://check.torproject.org
So to reach actual clearnet, one still has to disable uwtrapper(s).
When using user clearnet on Whonix-Gateway and it’s expected to be reaching clearnet.
Advanced Security Guide split -> Fixed
(internal links on those pages not fixed yet; mega-page not deleted so as not to break existing links everywhere)
Computer Security Guide split is next, then a large clean up of incorrect links (not fun 
) from this set of 3 splits.
Thank You!
I’ll get to work adding new steps to permanently or temporary deactivate stream isolation for curl in new /Dev/tech chapter.
0brand:
I’ll get to work adding new steps to permanently or temporary deactivate stream isolation for
curlin new /Dev/tech chapter.
That should be already documented, belongs here…?
The rest of my explanations from my previous post may also be a good candidate for copying with modifications to anon-ws-disable-stacked-tor.
No problem.
I though you might have wanted deactivate stream isolation temporarily and permanently also with https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor
Makes more sense just to add link to
From Frequently Asked Questions - Whonix ™ FAQ could you please mention and reference Free Support for Whonix ™ and The User Co-developer Concept ?
No problem
Originally referenced Co-developer Concept but I took it out. Oops
Done!
Debugging with curl
Trying to use curl rather than curl.anondist-org is a common mistake when debugging Whonix network issues.
curlis a symlink tocurl.anondist. In turn, this symlinks touwtwhich runs curl undertorsocks.torksocksthen forces Tor to run onlocalhostfor stream isolation.To use curl
- The
uwtsteam isolation wrapper must be deactivated- The command must be run under user
clearnetIn Whonix-Gateway or sys-whonix (Qube-Whonix)
1. Change to user
clearnet
sudo su clearnet2. Deactivate
uwtstream isolation wrapper by appending.anondist-origtocurl
curl.anondist-orig <your_url>Using curl in Whonix 14
curlmust be run under userclearnetthe same as in Whonix 13In the following examples, the
execcalls from the command output shows the difference between runningcurlwith theuwtwrapperboth enabled and disabled.Example 1
curlis run with theuwtwrapperenabled.
uwtwrapper_verbose=1 curl <your_url>This results in the following
execcalls. Only the latest (most recent) call matters which showstorsocksis prepended before runningcurl.
exec torsocks /usr/lib/uwtexec something <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>Example 2
curlis run with theuwtwrapperdisabled.
uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl <your_url>This command results in the following
execcalls which showtorsocksdoes not get prepended beforecurl. Sincecurldoes not run undertorsocks, local connections are not hindered and there is no stream isolation
exec /usr/lib/uwtexec <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>The output from the previous commands establish the following
/usr/bin/curlis symbolically linked to/usr/bin/curl.anondist-orig. This demonstrates/usr/bin/curl.anondist-origis the actual (real)curlbinary.When
/usr/bin/curl.anondist-origis run with theuwtwrapperdisabled alluwtlogic is circumvented.Users can either run
curlunder userclearnetor deactivate theuwtstream isolation
wrapper either permanently or temporaryLinks:
https://www.whonix.org/wiki/Stream_Isolation
https://www.whonix.org/wiki/Stream_Isolation/Disable_Easy
Done!
https://whonix.org/w/index.php?title=FAQ&oldid=34364&diff=cur
1 minor edit in stream isolation chapter
https://whonix.org/w/index.php?title=Stream_Isolation&oldid=34458&diff=cur
Whonix 13 / 14, there is no difference. You always need to run under user clearnet.
Well, it actually depends (but not on 13 / 14).
If you want to reach clearnet -> user clearnet.
For location connections -> any user.
I must be doing something wrong sys-whonix (Whonix 14)?
anon-info
INFO: /etc/apt/sources.list.d/torproject.list does not exist.
INFO: version of the 'tor' package: 0.3.3.7-1~d90.stretch+1
sudo su clearnet
user@host:~$
sys-whonix (Whonix 13)
sudo su clearnet
clearnet@host:/home/user$
New proposed edits reflect Whonix 14 requires user clearnet
Please let me know if any changes are necessary
Note: spacing in some areas are a little wide i.e. spacing between bullet lists and next text block
https://whonix.org/w/index.php?title=Dev/anon-ws-disable-stacked-tor&oldid=33749&diff=cur
Edit: Bullet spacing already reported https://phabricator.whonix.org/T809
Some mistakes by me earlier.
circumvent/disable uwt. circumvent/disable uwt is always required when trying to reach localhost or clearnet. Running under user clearnet is only required when trying to reach clearnet or local LAN.Hi 0brand,
Go ahead and please remove that excess bold you identified for a specific wiki page in that other tread. It does look horrible.
I’ll have it done a little latter on today
I’m starting on screenshots (finally). I was trying to think of what is asked most often on the forum. Any screenshots that would help users config Qubes R-4 specific Whonix stuff?
If you can think of any let me know → https://whonix.org/t/updated-screenshots-images-thread/5371