My configuration torrc

I just install whonix 13 don’t even download tor browser.
My torrc file is
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
bridge obfs4 …
bridge obfs4 …
Sandbox 1
ConnectionPadding 1
DisableNetwork 0

And it says Failed to start anonymizing
When I comment Sandbox and ConnectionPadding it is connecting to Tor.

Also I’ve done this https://www.whonix.org/wiki/Advanced_Security_Guide#Disable_Control_Port_Filter_Proxy

Is there a way to make it work with ConnectionPadding and Sandbox, where could be the error ?

Hi Kowi

Could you please run this command in Whonix-Gateway Konsole and post the results

anon-info

INFO: /etc/apt/sources.list.d/torproject.list uncommented lines:
deb http;//sdscoq7snqtznauu.onion/torproject.org jessie main
INFO: version of the ‘tor’ package: 0.2.9.8-2~d80.jessie+1

Problem is because between http and // is ; and not : ?
It was like that by default I think, I do not remember how I changed it

Not the problem. Could you try using only Sandbox 1 and see if Tor connects. Then do the same with using only ConnectionPadding 1

Could you also post any pertinent Tor logs being careful to redact any sensitive information. You can use either arm or:

In Whonix-Gateway konsole, run.

tail -f /var/run/tor/log

It’s not working without ConnectionPadding and Sandbox.
arm says New connection opened from 127.0.0.1. [alot of duplicates hidden]

I’m using KVM

Could you please post the output of the following command. (with both Sandbox 1 and ConnectionPadding 1 added to torrc)

In Whonix-Gateway konsole, run.

sudo -u debian-tor tor --verify-config

Edit:

Could you please briefly comment out all options that you set in the following:

https://www.whonix.org/wiki/Advanced_Security_Guide#Disable_Control_Port_Filter_Proxy

Then restart Tor with Sandbox, ConnectionPadding and post any error messages (Full error messages please)

I don’t think it’s whonix gateway or whonix workstation problem.
I had same problem in Tails in KVM, after I installed NTP at host problem got solved and I could connect to Tor. So problem got fixed for Tails, but not for Whonix. Whonix and Tails use different network sources

Tails/KVM - With only bridges connected with not problem

Tails/KVM - With bridges and SandBox 1 , ConnectionPadding 1 would not connect.

Tail/KVM - After you installed NTP on host you were able to connect with Sandbox and ConnectionPadding.

Is this all correct?

You will not know until you troubleshoot. I don’t think the problem is with sdwdate.

If you would like help troubleshooting could you please. All in Whonix-Gateway (with both sandbox and connectionpadding in torrc)

1. Briefly comment out Disable Control Port Filter Proxy

2. Start arm

3. In Whonix-Gateway konsole run, (post results)

   sudo -u debian-tor tor --verify-config

4. In Whonix-Gateway konsole, restart Tor

   sudo systemctl restart tor@default

5. Post any error messages

6. In Whonix-Gateway konsole, run whonixcheck. (post error messages)

   whonixcheck --verbose

7. Comment out Sandbox 1 and ConnectionPadding 1 and repeat steps 4-6.

Same erros with sandbox and and without

When I start control port
Failed to start control-port-filter-proxy-python.service: Unit control-port-filter-proxy-python.service failed to load: No such file or directory.

Failed to parse/validate config: Unknown option ‘ConnectionPadding’. Failing.

The torrc differs from what tor’s using. You can issue a sighup to reload the torrc values by pressing x.

• configuration values are missing from the torrc: HiddenServiceStatistics, RunAsDaemon

Could you please try the debug instructions again. There are a few more step needed to enable CPFP which I added to the instructions. This should produce more error messages when whonixcheck is run.

When following the steps 1-8 for the first time Sandbox and ConnectionPadding is added to your torrc. The second time remove both options to see if Tor connects.

1. In Whonix-Gateway konsole, activate CPFP.

   sudo nano /etc/whonix_firewall.d/50_user.conf

   Add the following content

   CONTROL_PORT_FILTER_PROXY_ENABLE=1

2. In Whonix-Gateway konsole, enable autostart of CPFP.

   sudo systemctl unmask control-port-filter-proxy-python

   Reboot

3. In Whonix-Gateway konsole, Check if CPFP is still running or disabled.

   ps aux

   You should see the following output.

   debian-+ 1005 0.2 1.8 46096 13216 ? Ss 20:46 0:00 /usr/bin/python /usr/sbin/cpfpd start

4. In Whonix-Gateway konsole, start arm.

   arm

5. In Whonix-Gateway konsole verify Tor configuration file. (post results)

   sudo -u debian-tor tor --verify-config

6. In Whonix-Gateway konsole, restart Tor (Post any error messages)

   sudo systemctl restart tor@default

7. In Whonix-Gateway konsole, run whonixcheck. (post error messages)

   whonixcheck --verbose

8. Remove both Sandbox 1 and ConnectionPadding 1 then repeat steps 5-7.

Did you alter any settings in Whonix-Gateway not specified in the Whonix Documentation?

On arm start

  [NOTICE] New control connection opened from 127.0.0.1. [1 duplicate hidden]
 [ARM_NOTICE] Unable to prepopulate bandwidth information (insufficient uptime)
 [ARM_WARN] The torrc differs from what tor's using. You can issue a sighup to reload the torrc values by pressing x.
   - configuration values are missing from the torrc: HiddenServiceStatistics, RunAsDaemon

On validaton ther is no error messages
Configuration was valid

~$ whonixcheck --verbose
[INFO] [whonixcheck] | Whonix-Gateway |
[INFO] [whonixcheck] Input Detection: INPUT_AUTO=true CLI=true GUI=false
stdin connected to terminal. Using cli output. Not using gui output.
Alternatively, if want to run from command line, but still use the graphical user interface for input, you could add to command line: --gui
[INFO] [whonixcheck] Root Check Result: Ok, not running as root.
[INFO] [whonixcheck] Pin torproject.org certificate: disabled.
[INFO] [whonixcheck] Qubes Settings Test Result: Skipped, because Qubes not detected.
[INFO] [whonixcheck] Check Kernel Messages Test Result: Found nothing remarkable, ok.
[INFO] [whonixcheck] Check whonixsetup Result: done, ok.
[INFO] [whonixcheck] Check Package Manager Running Result: None running, ok.
[INFO] [whonixcheck] check network interfaces Result: Ok.
[INFO] [whonixcheck] Tor Check Result: “DisableNetwork 1” in /etc/tor/torrc commented out, ok.
[INFO] [whonixcheck] Tor Config Check Result: /etc/tor/torrc, ok.
[INFO] [whonixcheck] Tor Pid Check Result: Pid 2180 running., ok.
[INFO] [whonixcheck] Control Port Filter Proxy Test Result: OK
[INFO] [whonixcheck] check_anondate_do debugging information:

tor_consensus_status       : verified
current_time_in_valid_range: false

tor_cert_lifetime_output   : 
tor_cert_lifetime_valid    : true
tor_cert_valid_after       : 
[INFO] [whonixcheck] Tor SocksPort Reachability Test Result: Reachable. (curl exit code: 22 | curl status message: [22] - [HTTP page not retrieved. The requested url was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.])
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 0 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 2 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 5 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 7 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 9 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 11 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 13 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 16 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 18 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 20 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"
[INFO] [whonixcheck] Tor Bootstrap Result: Bootstrapping for 22 seconds. 10 % done. Tor Circuit: not established. Tor reports: NOTICE BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY="Finishing handshake with directory server"

I should have caught this sooner. You’re using Tor 0.2.9.8. Connection Padding is supported only in Tor version 0.3.1.7 and later.

Have you updated your system? Or are you using a non-default Tor setup? (torproject.list uncommented?) This could also explain why seccomp is not functioning.

Using default one.
I cannot update because tor I cannot connect to tor even without seccomp and ConnectionPadding.
I’ve should import whonix image after that update and then start changing settings ?
What I done is - I imported whonix 13 images and start configuring using Whonix Documentation

What??

You stated that Whonix-Gateway could connect to Tor without seccomp or connectionpadding.

I think we may have been talking past one another. We will have to start over. This is why I wanted to try both with sandbox,connectionpadding and without. That way the differences could be compared.

Lets focus on Whonix-Gateway without secommp or connection padding and leave Control Port Filter Proxy enabled. The latter will help with troubleshooting.

I don’t think you have been able to connect to Tor either with or without seccomp , connection padding. With CPFP disabled there is no notification when Tor does not fully bootstrap (connect)

Bridges are normally for use in areas where:

• Tor could be considered suspicious or dangerous
• Tor use is censored

If you fall into one of those 2 groups, it limits the the methods you can use to troubleshoot. If you don’t, troubleshooting will be a bit easier.

You’ve already eliminated a few possibilities so you can start here:

https://whonix.org/wiki/Bridges#Troubleshooting

The last step is trying bridges that use ports 80 or 443.That may help.

After that I said that

Where I can get a list of bridges that use 80 and 443 ? On bridges.torproject.org they are giving only 2 random bridges per request

Connects to Tor initially, then doesn’t connect to Tor would indicate a different problem. Thats what I thought happened.

But not important. I should have seen that you were using a older version of Tor when anon-info was posted.

The only other way I know would be to ask someone you know and trust if they have a private obfs bridge that you could use. Otherwise you can follow these instructions…

Another way to get bridges is to send an email to bridges@torproject.org. Please note that you must send the email using an address from one of the following email providers: Riseup, Gmail or Yahoo.

Its a PITA but its set up like that for a reason.

@Kowi

Are you using Tor versioning found in the Security Guide? Your anon-info shows that as being uncommented. This could break connectivity.

INFO: /etc/apt/sources.list.d/torproject.list uncommented lines:

https://whonix.org/wiki/Security_Guide#Whonix_and_Debian_Packages

https://whonix.org/wiki/Security_Guide#Tor_Versioning

Note: This action risks breaking connectivity, for instance if the latest Tor version from deb.torproject.org has not been fully tested by Whonix developers at a specific point in time.

I changed sources.list.d, but didn’t update/upgrade.
I tried to remove all setting, remove bridges as well and I get this
[NOTICE] New control connection opened from 127.0.0.1. [3 duplicates hidden]
[WARN] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Network is unreachable; NOROUTE; count 9; reco-
mmendation warn; host B84F248233FEA90CAD439F292556A3139F6E1B82 at 85.248.227.164:9002) [1 duplicate hidden]
[ARM_NOTICE] Unable to prepopulate bandwidth information (insufficient uptime)
[ARM_WARN] The torrc differs from what tor’s using. You can issue a sighup to reload the torrc values by pressing x.

• configuration values are missing from the torrc: HiddenServiceStatistics, RunAsDaemon
  [ARM_NOTICE] Tor is preventing system utilities like netstat and lsof from working. This means that arm can’t provide you
  with connection information. You can change this by adding ‘DisableDebuggerAttachment 0’ to your torrc and restarting tor. For
  more information see…
  https://trac.torproject.org/3313
  [ARM_NOTICE] No armrc loaded, using defaults. You can customize arm by placing a configuration file at ‘/home/user/.arm/ar-
  mrc’ (see the armrc.sample for its options).

Many of the errors you posted are arm usability bugs and nothing to worry about.

https://www.whonix.org/wiki/Arm#Arm_FAQ

There is one error that indicates that it a problem with your network connection.

Network is unreachable; NOROUTE;

Possible reasons are

• Whonix/host misconfiguration
• a problem with your network connection
• your Tor traffic is being censored by ISP

You can try the following to narrow down the possibilities. (this all assumes you have networking in your host )

1. Create a Debian OS VM in KVM and see if you have networking. If you can connect, proceed to step 2.
2. Since you made changes to Whonix, download and verify fresh Whonix VM images. Try connecting without making changes to Whonix

If you are not able to connect, in Whonix-Gateway konsole run.

whonixcheck