Long Wiki Edits Thread

Done!

I think this is what you were looking for.

If any changes are needed please let me know.

https://www.whonix.org/w/index.php?title=Support&oldid=34299&diff=cur

@torjunkie

Our Qubes Dispvm instructions were pushed to the Qubes docs

Great work!! :slightly_smiling_face:

https://github.com/QubesOS/qubes-doc/pull/643

The instruction numbering somehow got messed up. All steps are numbered “1.” instead of 1, 2, 3…

I will ask what needs to be done. Maybe make another pull request to fix it.

https://www.qubes-os.org/doc/dispvm-customization/#create-custom-sys-net-sys-firewall-and-sys-usb-dispvms


Thanks for all this work 0brand! Keep it up.


Done!

Please let me know if any changes are necessary

Debugging with curl

Trying to use curl rather than curl.anondist-orig is a common mistake when debugging Whonix network issues.

curl is a symlink → curl.anondist which is a symlink → uwt which runs curl under torsocks which then makes it use Tor running on localhost for stream isolation.

To use curl

  • command must be run under user clearnet
  • uwt stream isolation wrapper must be deactivated

In Whonix-Gateway or sys-whonix (Qubes-Whonix)

1. Change to user clearnet

sudo su clearnet

2. Deactivate uwt stream isolation wrapper by appending .anondist-orig to curl

curl.anondist-orig <your_url>

Edit

Note to self: Remove sandboxed Tor Browser link from Whonix 14 release notes


Great! Nits:

Suggestion:

curl is a symlink to curl.anondist. In turn, this symlinks to uwt which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.

Suggestion:

To use curl:

  • The command must be run under user clearnet.
  • The uwt stream isolation wrapper must be deactivated.

The rest looks good. :slight_smile:


torjunkie:

Great! Nits:

Suggestion:

curl is a symlink to curl.anondist. In turn, this symlinks to uwt which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.

Suggestion:

To use curl:

  • The command must be run under user clearnet.
  • The uwt stream isolation wrapper must be deactivated.

Either run under user clearnet or deactivate the uwt stream isolation
wrapper, either permanently or temporarily.

Links:


I followed all the steps from the links you provided (in sys-whonix and whonix-gw Template when appropriate) and curl must be run under user clearnet for both temporary and permanent deactivation.

Is this what is expected?

I ran through more testing.

The only way I could run curl from user@host:~$ was:

In whonix-gw Template, run:

sudo nano /etc/uwt.d/50_user.conf

Add:

UWT_DEV_PASSTHROUGH="1"

Then:

In sys-whonix run:

user@host:~$ curl <some_url>

One more question

curl can be run from user clearnet without appending .anondist-orig (works)

Should users be warned not to do this even if it seems to work?


0brand:

I followed all the steps from the links you provided (in sys-whonix and whonix-gw Template when appropriate) and curl must be run under user clearnet for both temporary and permanent deactivation.

Is this what is expected?

Whonix 14:

Have a look at the end to see what really happens. Only the latest exec call matters.

uwtwrapper_verbose=1 curl something

Expected:

Using uwt / torsocks / stream isolation.

Result:

exec torsocks /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something

I.e. torsocks gets prepended before running curl.


uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl something

Expected:

Not using torsocks / stream isolation.

Result:

exec /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig something

I.e. torsocks does not get prepended. curl gets run as is. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn’t installed.

/usr/bin/curl.anondist-orig is the real curl binary. I.e. No stream isolation. Local connections unhindered. Same effect as running curl if uwt wasn’t installed.

Running /usr/bin/curl.anondist-orig directly circumvents all the uwt logic.


One more question

curl can be run from user clearnet without appending .anondist-orig (works)

Should users be warned not to do this even if it seems to work?

Warn against what?

  • It’s still torified - we could even call this a bug?
  • It’s to be expected to be using clearnet when using Whonix-Gateway and logging in at user clearnet.
  • It’s not something happening by accident.
  • We don’t document this light-heartedly.


clearnet@host:/home/user$ uwtwrapper_verbose=1 curl https://check.torproject.org
exec torsocks /usr/lib/uwtexec https://check.torproject.org
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig https://check.torproject.org

So to reach actual clearnet, one still has to disable uwtwrapper(s).

When using user clearnet on Whonix-Gateway, it’s expected to be reaching clearnet.


Advanced Security Guide split -> Fixed

(internal links on those pages not fixed yet; mega-page not deleted so as not to break existing links everywhere)

Computer Security Guide split is next, then a large clean up of incorrect links (not fun :tired_face: ) from this set of 3 splits.


@Patrick

Thank You!

I’ll get to work adding new steps to permanently or temporarily deactivate stream isolation for curl in the new /Dev/tech chapter.


0brand:

I’ll get to work adding new steps to permanently or temporarily deactivate stream isolation for curl in the new /Dev/tech chapter.

That should already be documented; it belongs here…?

The rest of my explanations from my previous post may also be a good candidate for copying with modifications to anon-ws-disable-stacked-tor.

No problem. :slight_smile:

I thought you might have wanted to deactivate stream isolation temporarily and permanently also with https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor

Makes more sense just to add a link to


From Frequently Asked Questions - Whonix ™ FAQ could you please mention and reference Free Support for Whonix ™ and The User Co-developer Concept ?


No problem

Originally referenced Co-developer Concept but I took it out. Oops :slight_smile:


Done!

Debugging with curl

Trying to use curl rather than curl.anondist-orig is a common mistake when debugging Whonix network issues.

curl is a symlink to curl.anondist. In turn, this symlinks to uwt which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.

To use curl:

  • The uwt stream isolation wrapper must be deactivated
  • The command must be run under user clearnet

In Whonix-Gateway or sys-whonix (Qubes-Whonix)

1. Change to user clearnet

sudo su clearnet

2. Deactivate uwt stream isolation wrapper by appending .anondist-orig to curl

curl.anondist-orig <your_url>

Using curl in Whonix 14

curl must be run under user clearnet, the same as in Whonix 13.

In the following examples, the exec calls from the command output show the difference between running curl with the uwtwrapper enabled and disabled.

Example 1

curl is run with the uwtwrapper enabled.

uwtwrapper_verbose=1 curl <your_url>

This results in the following exec calls. Only the latest (most recent) call matters, which shows that torsocks is prepended before running curl.

exec torsocks /usr/lib/uwtexec <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>

Example 2

curl is run with the uwtwrapper disabled.

uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl <your_url>

This command results in the following exec calls, which show that torsocks does not get prepended before curl. Since curl does not run under torsocks, local connections are not hindered and there is no stream isolation.

exec /usr/lib/uwtexec <your_url>
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig <your_url>

The output from the previous commands establishes the following:

  • /usr/bin/curl is symbolically linked to /usr/bin/curl.anondist-orig. This demonstrates /usr/bin/curl.anondist-orig is the actual (real) curl binary.

  • When /usr/bin/curl.anondist-orig is run with the uwtwrapper disabled all uwt logic is circumvented.

Users can either run curl under user clearnet or deactivate the uwt stream isolation
wrapper, either permanently or temporarily.

Links:

https://www.whonix.org/wiki/Stream_Isolation
https://www.whonix.org/wiki/Stream_Isolation/Disable_Easy
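An added diagnostic, not from the Whonix wiki or the uwt package: it walks the symlink chain behind a command (curl -> curl.anondist -> uwt, as the draft above describes), reports whether the chain ends at the uwt wrapper, and models the decision the thread documents (torsocks prepended unless UWT_DEV_PASSTHROUGH=1 is set or the real *.anondist-orig binary is called). The /usr/bin-style directory it builds is constructed in a temp dir so it runs outside Whonix; the /usr/lib/uwtexec path is taken from the exec lines quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic, not from the Whonix wiki or the uwt package. It walks the
# symlink chain behind a command (curl -> curl.anondist -> uwt in Whonix) and
# models the decision the thread documents: torsocks is prepended unless
# UWT_DEV_PASSTHROUGH=1 is set or the real binary (*.anondist-orig) is called.
# The /usr/lib/uwtexec path comes from the exec lines quoted in the thread.

# Print every hop of the symlink chain for a command path, one per line.
uwt_chain() {
    p="$1"
    printf '%s\n' "$p"
    while [ -L "$p" ]; do
        target=$(readlink "$p")
        case "$target" in
            /*) p="$target" ;;                   # absolute link target
            *)  p="$(dirname "$p")/$target" ;;   # relative to the link's dir
        esac
        printf '%s\n' "$p"
    done
}

# Succeed (exit 0) if the chain ends at the uwt wrapper, fail otherwise.
uwt_wrapped() {
    [ "$(basename "$(uwt_chain "$1" | tail -n 1)")" = "uwt" ]
}

# Model the first exec line uwtwrapper_verbose=1 would print for a command.
# $1 = command path, $2 = value of UWT_DEV_PASSTHROUGH (default 0).
uwt_predict_exec() {
    cmd="$1"; passthrough="${2:-0}"
    if uwt_wrapped "$cmd" && [ "$passthrough" != "1" ]; then
        printf 'exec torsocks /usr/lib/uwtexec %s\n' "$cmd"   # stream isolation
    else
        printf 'exec %s\n' "$cmd"                            # no torsocks
    fi
}

# Constructed sandbox that mimics Whonix's /usr/bin layout (assumption):
# curl -> curl.anondist -> uwt, plus the real binary curl.anondist-orig.
make_fake_bin() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/uwt"
    printf '#!/bin/sh\n' > "$d/curl.anondist-orig"
    chmod +x "$d/uwt" "$d/curl.anondist-orig"
    ln -s uwt "$d/curl.anondist"
    ln -s curl.anondist "$d/curl"
    printf '%s\n' "$d"
}
```

On a real Whonix-Gateway, `uwt_chain /usr/bin/curl` shows the same chain the thread describes, and `uwt_wrapped /usr/bin/curl.anondist-orig` fails because that path is the real binary and bypasses uwt entirely.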

Done!

https://whonix.org/w/index.php?title=FAQ&oldid=34364&diff=cur


1 minor edit in stream isolation chapter

https://whonix.org/w/index.php?title=Stream_Isolation&oldid=34458&diff=cur


Whonix 13 / 14, there is no difference. You always need to run under user clearnet.

Well, it actually depends (but not on 13 / 14).

If you want to reach clearnet -> user clearnet.

For local connections -> any user.


I must be doing something wrong in sys-whonix (Whonix 14)?

anon-info

INFO: /etc/apt/sources.list.d/torproject.list does not exist.
INFO: version of the 'tor' package: 0.3.3.7-1~d90.stretch+1

sudo su clearnet
user@host:~$

sys-whonix (Whonix 13)

sudo su clearnet
clearnet@host:/home/user$ 

New proposed edits reflect that Whonix 14 requires user clearnet.

Please let me know if any changes are necessary.

Note: spacing in some areas is a little wide, i.e. spacing between bullet lists and the next text block.

https://whonix.org/w/index.php?title=Dev/anon-ws-disable-stacked-tor&oldid=33749&diff=cur

Edit: Bullet spacing already reported https://phabricator.whonix.org/T809


Some mistakes by me earlier.

  • I’ve changed the wording to circumvent / disable as two different things.
  • It’s not either user clearnet or circumvent/disable uwt. circumvent/disable uwt is always required when trying to reach localhost or clearnet. Running under user clearnet is only required when trying to reach clearnet or local LAN.

Hi 0brand,

Go ahead and please remove that excess bold you identified for a specific wiki page in that other thread. It does look horrible.


I’ll have it done a little later on today :slight_smile:

I’m starting on screenshots (finally). I was trying to think of what is asked most often on the forum. Any screenshots that would help users config Qubes R-4 specific Whonix stuff?

If you can think of any let me know → https://whonix.org/t/updated-screenshots-images-thread/5371
