No connectivity in GW

I tried something else. This time I set the Socks5Proxy directive to make it connect through a proxy in an attempt to circumvent any possible DPI on the ISP’s side, yet it’s still not working.
I tested the same directive in a non-Qubes-Whonix Tor and it worked fine.

Socks does not necessarily beat DPI. What would be interesting would be
connecting through a socks proxy service that is both encrypted (such as
Tor, JonDo) that is already working on the host.

Tor would lead to Tor over Tor, but perhaps JonDo https proxy in another
VM would work? As per:

Combining Whonix ™ with JonDonym

Hi Patrick,

I was of the impression Socks is an encrypted tunnel.
In any case, I tried Tor over JonDo, and it took some time, but it worked, and I’m even more puzzled than before…

  • the local connection from ws to gw (any socks) is unencrypted
  • once Tor accepted the socks connection and forwards it to the Tor network it will be encrypted with 3 layers (onion layers)
  • however, Tor traffic is not that difficult to detect. Encrypted does not mean hard to block by DPI. That requires traffic obfuscation. (documented here: Configure (Private) (Obfuscated) Tor Bridges)
  • other and “regular” socks proxies are unencrypted (more info: Whonix versus Proxies)

Possibilities:

  • a) some DPI is blocking Tor but not JonDo (much less popular), not so likely
  • b) port blocking
      • Tor in the Debian VM happened to pick ports for entry guards that are not blocked
      • Tor in Whonix-Gateway VM happened to pick ports for entry guards that are blocked
      • JonDo uses ports not blocked
      • and when tunneling Tor through JonDo, it no longer matters that the ports of your entry guards are blocked by your router (which might be happening)

To strengthen the b) hypothesis, I propose the following.

I added to torrc ReachableAddresses accept *:9001 and it bootstrapped fine, and circuits were shown in arm, but it took at least an hour to get browsing in the WS. On the other hand, iirc sometimes after I got Qubes-Whonix-GW to bootstrap, either by flushing iptables rules, or by bypassing going through the network normally, it worked normally for a while right after. I never have issues connecting to Tor in non-Qubes-Whonix, so how can it be that only a port change made a difference?

Hi Patrick et al.,
The Whonix Qubes Gateway connects to Tor through JonDo, but I’d like to test connecting to Tor using ssh since this is too slow to be practical. How can I set a NetVM as a proxy using an ssh server? I tried doing something similar to how we set up JonDo, but my attempts failed. I could use the ssh proxy locally in NetVM but not from whonix-gw where I set the ip and port in the torrc.
I also looked in the VPN Qubes how-to but it’s a bit advanced for me.
This is a good opportunity to thank you for your important work which works well for most people it seems.

P.S. I couldn’t update the whonix-gw TemplateVM for quite a long while, until I tried to restart networking in it, maybe it could be related…


One thing that will help during figuring that out:
Don’t try connecting to the ssh ProxyVM from sys-whonix. Test it with a non-Whonix VM first. That helps to exclude a layer of complexity. Once that works, re-add Whonix to the mix.

You must make ssh listen (sometimes called bind) on the external interface of the ProxyVM. In case of Qubes it may be simpler and sufficient to say “listen on all interfaces”.

You probably have something like this:

ssh -D 1080 your.ssh.server

I guess you would need something like this:

ssh -D 0.0.0.0:1080 your.ssh.server

Btw figuring that out would be great so we can properly document this here.

I also do appreciate your interest in Whonix, constructiveness and great patience with the strange issue you are experiencing.
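
Added example, not part of the original posts: a small probe that sends a SOCKS5 greeting to the ProxyVM's listener and reports whether the port is refused, silently dropped, or answering as a SOCKS5 proxy, which separates a loopback-only bind from a firewall drop. The function name `probe_socks5` and its status strings are assumptions made for this example.

```python
import socket
import sys


def probe_socks5(host, port, timeout=5.0):
    """Send a SOCKS5 greeting to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # RFC 1928 greeting: version 5, one method offered, 0x00 = no auth.
            s.sendall(b"\x05\x01\x00")
            reply = s.recv(2)
    except ConnectionRefusedError:
        # Host reachable but nothing accepts on this address: typical when
        # ssh -D is bound to 127.0.0.1 only.
        return "refused"
    except socket.timeout:
        # No answer at all: packets are being dropped, e.g. by a firewall rule.
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc
    if len(reply) < 2:
        return "closed-early"
    if reply[0] != 0x05:
        # Something is listening, but it does not speak SOCKS5.
        return "not-socks5"
    if reply[1] == 0x00:
        # Proxy accepted the "no authentication" method: listener is usable.
        return "ok"
    if reply[1] == 0xFF:
        return "no-acceptable-auth"
    return "method-0x%02x" % reply[1]


if __name__ == "__main__":
    # Usage: python3 probe.py <ProxyVM address> <port>
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py HOST PORT")
    print(probe_socks5(sys.argv[1], int(sys.argv[2])))
```

Run it from a non-Whonix VM behind the ProxyVM first, as suggested above. Listening on 0.0.0.0 makes the tunnel usable by every VM that can reach the ProxyVM, so limit access with the ProxyVM's firewall if other VMs share it.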

Hi Pat,
I’ve had difficulties setting up ssh before tor so I haven’t really tested anything yet, but I did notice remote ssh connections drop very quickly, which leads me to speculate some default firewall rules are to be blamed since when I flush iptables in whonix-gw it’s working fine (as I previously reported).
This is hard to debug but I hope I’ll test things more thoroughly soon.
