No access to onion sites!?

As a beginner in Qubes and whonix my question may seem a bit odd - but after searching online for quite some time (and also here in the forum) I still could not figure out how to access onion sites while running a whonix based VM in Qubes…

What I currently have is the default Qubes configuration which routes all my traffic based on the whonix VMs through Tor. Of course access is much slower but generally speaking everything works fine as long as I am accessing clear-web sites.

But when I try to access any onion site I get a connection time out like my traffic simply is being blocked by the whonix setup?

What I successfully tried is to set up another VM in Qubes which is not using whonix for networking but instead manually installed the Tor browser bundle. This way access to any onion site as well as clear-net sites works fluently - but this approach of course is not a solution at all!

What do I get wrong?

Is there a tutorial on how to configure at least one of my Qubes VMs in a way that I can access hidden services?

Thank you all in advance,
Maximus

Good day,

Per default, everything should usually work. Did you try reloading the connection?

Have a nice day,

Ego

1 Like

Hi Ego!

Thank you for your last reply and please don't be surprised about my name change here on the board - I got a new account due to data loss…

During the last days I again experimented but still face the same problem: I can access any clear-net site via tor but no onion sites!

What I did in the last days:
1.) again got myself the latest copy of v3.2 Qubes OS
2.) Flashed a USB drive as boot device with it
3.) Deleted the harddrive and set up the entire workstation again
4.) During the installation routine I entered a password for disk encryption, created an admin user and of course also defined to use whonix / tor for any internet connection per default
5.) After setup, (during the initial startup) everything got configured using the supposed defaults - I simply rebooted and logged in
6.) Top right it then says “network connection established” (I am using wired ethernet to connect the workstation with a repeater and from there directly to my router and further to the ISP)
7.) I don't face any tor blockings here so everything should work well!
8.) Soon after another popup appears top right again telling me the connection with tor to be successfully established
9.) I then started my “untrusted” VM or better said mozilla in the untrusted VM and opened https://check.torproject.org in order to check if I am really behind tor
10.) The site tells me I am using tor, however I am not using the tor browser bundle - which should be fine and is exactly as expected!
11.) I then tried to check out some default clear-web sites which worked well besides a way slower access which we all know to come along with tor… so basically it looked fine!
12.) The final test then was to try to access some known and reliable onion sites - for example the duckduckgo onion site:
http://3g2upl4pq6kufc4m.onion
or torch the tor search engine:
http://xmh57jrzrnw6insl.onion/

In both cases (and many more) the browser responds “Server not found” - “Firefox can’t find the server at www.3g2upl4pq6kufc4m.onion” and “problems loading page”

In other words I simply cannot access any hidden service!

All my efforts did not change anything in comparison to my last post - I still got the same problem…

I then restarted all VMs, I disconnected and reconnected the eth0 interfaces and also carried out the “sys-whonix: Whonix check” which too came to the conclusion that I am successfully connected to tor!

How is all that possible?
I really don't get it =/!

Thanks for any further help,
Dezimus

@Dezimus: You may not be completely crazy :)

I was working on something unrelated but found myself in a similar situation - where onion addresses would not resolve properly but I had access to clearnet addresses. I’m trying to figure out why before @Patrick tells me. Here’s how I did it:

  1. Created Debian-9 HVM connected to Whonix-GW. It had no connectivity at all.
  2. I realized I needed a new IP address because it still had the old template IP. sudo ifconfig eth0 10.137.x.x
  3. This gave me access to clearnet addresses but no onion addresses.
  4. I set netVM to none. Then set netVM back to whonix-gw. Both clearnet and onion addresses resolve properly now.

Can you provide more details? Especially which template you are using. Please try changing netVMs. That causes the proxyVM to rewrite iptables and routing tables.

Normally an nslookup for an onion address returns:
** server can't find 3g2upl4pq6kufc4m.onion: NXDOMAIN
However, in this case, the malfunctioning onion receives a non-sensical private IP address as a reply from Whonix-Gateway. For example: 10.245.x.x. Then the appVM has no route to host because it can not receive / query the proper arp address.
Where is this IP coming from?
(Non-onion addresses resolve to their proper IPs).

completely irrelevant

I give up… what else is changing besides iptables & routing in the gateway??? (actually, iptables & routing rules don’t change at all by attaching a vm to the gateway.)

Hi entr0py!

I just spent another few hours experimenting around with my VMs, changing settings, starting and stopping them - still no success ;P…

My configuration is the default configuration as I did not customize anything after initial install as I wanted to make sure everything works as intended first…

So what I got is:
1.) dom0 (Template: AdminVM)
2.) sys-net (Template: fedora-23, ip: none, gw: none)
3.) sys-usb (Template: fedora-23, ip: none, gw: none)
4.) sys-firewall (Template: fedora-23, ip: 10.137.1.8, gw: 10.137.1.1)
5.) sys-whonix (Template: whonix-gw, ip: 10.137.2.10, gw: 10.137.2.1)
6.) anon-whonix (Template: whonix-ws, ip: 10.137.3.11, gw: 10.137.3.1)
7.) fedora-23 (Template: “TemplateVM”, ip: 10.137.3.3, gw: 10.137.3.1)
8.) debian-8 (Template: “TemplateVM”, ip: 10.137.3.4, gw: 10.137.3.1)
9.) whonix-ws (Template: “TemplateVM”, ip: 10.137.3.5, gw: 10.137.3.1)
10.) whonix-gw (Template: “TemplateVM”, ip: 10.137.3.6, gw: 10.137.3.1)
11.) untrusted (Template: fedora-23, ip: 10.137.3.9, gw: 10.137.3.1)
12.) personal (Template: fedora-23, ip: 10.137.3.13, gw: 10.137.3.1)
13.) work (Template: fedora-23, ip: 10.137.3.15, gw: 10.137.3.1)
14.) vault (Template: fedora-23, ip: none, gw: none)

These are all VMs currently available in the Qubes VM Manager (DOM 0) configured as they were as part of the Qubes default installation.

I tried browsing onion sites using VMs number 11, 12, 13 and with all of them I failed (no matter if I set the NetVM to none and then to whonix again…)!

Does that somehow help or do I even make it more complicated ;P?

Thanks,
Dezimus

1 Like

entr0py:

Normally an nslookup for an onion address returns:

** server can't find 3g2upl4pq6kufc4m.onion: NXDOMAIN

However, in this case, the malfunctioning onion receives a non-sensical private IP address as a reply from Whonix-Gateway. For example: 10.245.x.x. Then the appVM has no route to host because it can not receive / query the proper arp address.

That also happens during times where DNS resolution (if it can be called that) for onion domains is functional.

Where is this IP coming from?

Assigned by Tor.

VirtualAddrNetwork 10.192.0.0/10

Test

nslookup kkkkkkkkkk63ava6.onion

Result

Server:         10.137.6.1
Address:        10.137.6.1#53

Non-authoritative answer:
Name:   kkkkkkkkkk63ava6.onion
Address: 10.218.1.195
1 Like
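
Added example, not part of any post in this thread: a small Python check for the point made above, that an address returned for a .onion lookup and falling inside `VirtualAddrNetwork 10.192.0.0/10` is a placeholder assigned by Tor. The function names, result labels and the second sample are assumptions made for this illustration.

```python
import ipaddress
import re

# Range quoted in the thread: "VirtualAddrNetwork 10.192.0.0/10".
VIRTUAL_ADDR_NETWORK = ipaddress.ip_network("10.192.0.0/10")


def in_virtual_addr_network(addr: str) -> bool:
    """True if addr falls inside the VirtualAddrNetwork range."""
    try:
        return ipaddress.ip_address(addr) in VIRTUAL_ADDR_NETWORK
    except ValueError:
        return False


def classify_onion_lookup(nslookup_output: str) -> str:
    """Classify nslookup output for a .onion name looked up behind a Tor gateway."""
    if "NXDOMAIN" in nslookup_output:
        return "nxdomain"
    # Only lines after "Name:" are answers; the earlier "Address:" is the resolver.
    _, found, answer = nslookup_output.partition("Name:")
    addrs = re.findall(r"^Address(?:es)?:\s*(\S+)", answer, flags=re.MULTILINE)
    if not found or not addrs:
        return "no-answer"
    if all(in_virtual_addr_network(a) for a in addrs):
        return "tor-automap"
    return "unexpected-address"


# Output quoted in the thread.
THREAD_SAMPLE = """Server:         10.137.6.1
Address:        10.137.6.1#53

Non-authoritative answer:
Name:   kkkkkkkkkk63ava6.onion
Address: 10.218.1.195
"""

# Constructed sample: an answer outside the automap range.
CONSTRUCTED_SAMPLE = """Server:         10.137.6.1
Address:        10.137.6.1#53

Name:   example.onion
Address: 192.0.2.10
"""

if __name__ == "__main__":
    for label, text in (("thread", THREAD_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(label, classify_onion_lookup(text))
```

A `tor-automap` result means the name was mapped by Tor, so a page that still fails to load has to be debugged after the DNS step (routing to the gateway, or the browser refusing .onion names).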

@Dezimus, we most probably do not have the same issue. I don’t know what the Qubes default configuration for Whonix looks like because I’ve always done it manually. So this reply might just be a waste of time for both of us…

Please review how each VM is connected to each other. Your details did not include the name of the netVM for each of your VMs. For proper Whonix operation, your setup should look like this:

sys-net (netvm: none)
sys-firewall (netvm: sys-net)
sys-whonix (netvm: sys-firewall)
anyVM (netvm: sys-whonix)

Now look closely. If you reverse the positions of sys-firewall and sys-whonix, like this:

sys-net (netvm: none)
sys-whonix (netvm: sys-net)
sys-firewall (netvm: sys-whonix)
anyVM (netvm: sys-firewall)

then you will reproduce the symptoms that you are experiencing:

  • clearnet connections successful
  • onion connections do not work
  • tbb in appvm works for both clearnet and onion addresses

This is because your firewall vm has no idea what to do with onion addresses, but tbb (in non-whonix VMs) runs its own instance of tor and will use that to connect to onion sites.


My problem is unrelated. Probably has to do with VM being HVM and not having qubes-core scripts installed. Question for some other time…

If you were indeed connected directly to sys-whonix (and not whonix-gw template), then disregard above post.

Were you able to access onion sites using VM#6 (anon-whonix) with Tor Browser?

In VM#11 you used firefox. Did that have any proxy settings enabled? Try in VM#11 Terminal to do wget http://3g2upl4pq6kufc4m.onion/

@Patrick: If your post was considered to help - unfortunately I did not get the point ;P…

@entr0py: Again thank you very much for your replies!
Yes - all the VMs are connected with each other as they are supposed to be, as described in your first post:
sys-net (netvm: none)
sys-firewall (netvm: sys-net)
sys-whonix (netvm: sys-firewall)
anyVM (netvm: sys-whonix)

And again Yes - I changed the NetVMs of VMs 11,12,13 to none, and then back to whonix (default) in order to find out if setup changes - but that was not the case! Still no connection to onion sites just to clearnet via tor!

Concerning your hints in your second post:
I started the tor browser in VM#6 (anon-whonix) as suggested by you and found that:

  • I am again able to access any clearnet site via tor

  • Couldn't access any onion site with the error message that “the connection has timed out”

I suppose obviously that's a bad sign ;P?

Then I checked the proxy settings and found that:

  • VM#11 (unprotected) does not have any proxy defined in the settings

  • VM#6 (anon-whonix) of course got a proxy configured which refers to localhost (127.0.0.1) on port 9150 which should be fine I guess?

In the end I did the wget:

  • VM#11 (unprotected) returned an IP, said connected and downloaded an index.html page - in other words it looks alright!
  • VM#6 (anon-whonix) worked as well as VM#11 (unprotected)

Thanks,
Dezimus

@entr0py:

Addition to my last post:
I tried the wget command several more times from VM#11 and VM#6 - again the commands were successfully carried out but it took several minutes for the commands to be finished this time. The connection gets established immediately but the responses take way too long if you ask me…

As soon as the response is here the index.html page of that given url is downloaded within 0.1sec or so…

Strange!

Any Idea?

Thanks,
Dezimus

No surprise. I haven’t yet started absorbing all of this thread. Just answered a small part where the answer was simpler than this whole thread. Didn’t state that earlier, I should have.

Answering another small part only…

Tor Browser in anon-whonix indeed is correctly configured to use 127.0.0.1 9150. (Up to version 6.5a4 where Tor Project changed it to be using SocksSocket unix domain sockets. https://phabricator.whonix.org/T192 ) (From there it gets redirected to Whonix-Workstation by anon-ws-disable-stacked-tor / rinetd.)

Is your dom0 clock reasonably correct?

That’s not a default. That is an opt-in in Qubes installer.

Whonix does not block it on purpose.

No. Since this is generally quite simple. Start anon-whonix (connected to sys-whonix), start Tor Browser in anon-whonix and enter some onion domain such as http://kkkkkkkkkk63ava6.onion. Done.

Don’t do this. Don’t use Mozilla Firefox. Use Tor Browser in an AppVM that is based on whonix-ws TemplateVM. (reasons: Tor Browser Essentials)

I tested this myself with a Debian based AppVM. Right. Mozilla Firefox refuses to connect to onions. Chromium works.

wget http://kkkkkkkkkk63ava6.onion works for me.
nslookup kkkkkkkkkk63ava6.onion works for me.
Do these both work for you?

Firefox apparently blocks onions by default. Look into about:config. Search for network.dns.blockDotOnion. It by default is set to true. So I guess if you set this to false it will restore access to onions from firefox. (Still recommended to use anon-whonix with Tor Browser.)