onion-grater development

Tor Controller is not on the list but this onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation - Whonix should be moved entirely to Control and Monitor Tor

The Control Proxy, or onion-grater should only have documentation related to its filter, the controller page should have the controller commands, the filter page should have explanation on how to filter, how to allow via profile etc, but not on how to connect.

Also, I fixed a bug recently on tor-ctrl to be able to run from the Workstation, so if you wish to test if a command is filtered or not, you can do through the command line to see what onion-grater lets through.

Simple plan

  • will be the last one to be done so after the Dev wording is done for the
    other pages, the simpler version can contain everything important for the
    user in an easy vocabulary
  • most important to mention onion-grater-add and onion-grater-remove and
    onion-grater-list, this is what an user faces with already compatible
  • source code not so important in the user facing page, maybe just keep it on
    the Dev/onio-grater page.
  • make the footnotes a topic, they are too big to be on the footnotes
  • maybe merge this page with Dev/Control_Port_Filter_Proxy because the only
    filter proxy is onion-grater
  • merge this page with Dev/Control_Port_Filter_Proxy
  • this page is difficult to find
  • it should be on its own section of its parent page

Also, to each page, a good introduction.

I will do the changes to the Control_Port_Filter_Proxy but I believe it should be renamed to Dev/Onion-Grater as it is the only control proxy we have.

1 Like

https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy#Talking_to_the_real_Tor_Control_Port (oneboxing failure)

Why is a password required, doesn’t it already authenticate via cookie? Can I switch the steps to use cookie path instead?

1 Like

@adrelanos ping

https://www.whonix.org/wiki/Tor_Controller#On_Whonix-Workstation (onebox failure)

I fixed tor-ctrl for the WS, can it be installed by default on the workstation so I can guide to use tor-ctrl on both Workstation and Gateway. The things is that only the tor-ctrl program will work, the others that requires stream, circuits, will be filtered, which is a good job by the onion-grater, but is a program installed that won’t work.

@Patrick correct ping

Excellent plan!

Sure. Just a short mention and link from one to another.

Ah. Yes. If a simpler way works with the cookie, then by all means. Please use the cookie. Probably is like it is before because I didn’t get the idea to research that socat could pass the cookie somehow. Surely that would be much nicer.

Yes. Absolutely can switch to simpler tor-ctrl method.

It needs to past the decoding of the cookie… which is not as easy as a password but does not require changing the torrc.

Then please add tor-ctrl to Workstation packages to be installed so documentation becomes correct.

1 Like

Meta package whonix-shared-packages-recommended-cli already has a Depends: on tor-ctrl. Already pre-installed. Included in Whonix - for VirtualBox - Point Release!. That has also reached stable upgrades already.

1 Like

Another thing is that cookie is on the GW, and not WS, but the WS receives


so it does not even require a cookie or password there.
And is better this way, WS, should have limited commands already by onion-grater proxying.

1 Like

Please make them uniform, I don’t believe I have rights to this.

Upper case o

onion-grater: a Tor Control Port Filter Proxy

Lower case o

onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation - Whonix

1 Like

Please create templates for Remove and List just like there is for Add on Template:Control Port Filter Python Profile Add - Whonix

1 Like

That would be nice but MediaWiki has a limitation that doesn’t allow for lower case letters for the first letter in the article page name in a wiki link:


Done. Created Template:Control_Port_Filter_Python_Profile_List just now.

there is wiki/Onion-grater and wiki/Dev/onion-grater

Then both Onion-grater with capital o would be fine.

1 Like

Due to my native language background and this MediaWiki issue I actually personally prefer proper names starting with a capital letter

Upstream (Tails) decided to use the lower case variant onion-grater. So unless we change the name in Whonix’s for of onion-grater completely, forking the name to only change capitalization would be weird.

It’s only the URL where there is the upper case issue. The page title “onion-grater: a Tor Control Port Filter Proxy” is correct.

Maybe one day we should go for Manual:$wgCapitalLinks - MediaWiki. And then making all links always lower case by default. Writing links by hand is confusing because some letters are sometimes upper case.


  • functional: https://www.whonix.org/wiki/Onion-grater
  • functional: https://www.whonix.org/wiki/onion-grater
  • functional: https://www.whonix.org/wiki/Template:Control_Port_Filter_Python_Profile_Add
  • functional: https://www.whonix.org/wiki/Template:Control_Port_Filter_Python_Profile_Add
  • functional: https://www.whonix.org/wiki/template:control_Port_Filter_Python_Profile_Add
  • broken https://www.whonix.org/wiki/Template:control_port_filter_python_profile_add
  • broken https://www.whonix.org/wiki/template:control_port_filter_python_profile_add

But this would be a lot of effort. Would require automating changing the links all over the wiki. These two things would help:

So in summary the proper name is onion-grater as named by upstream. The capital O in the page name is considered a bug. It is a MediaWiki issue which is very time consuming to resolve. But by changing the name from lower capitalization to first letter capitalized we’d introduce more bugs.

Happens a lot when I try to type whonix wiki links.


1 Like

Since there’s no dedicated onion-grater forum thread yet, and maybe not worth having a seaprate one let’s increase scope of this one…?

Thanks for this pull request! @nyxnor

Merged, thanks!


1 Like

Does this points needs to be addressed on the filter proxy page? If yes, the I will categorize them, under which description?

1 Like

Why does it present vif interface for Qubes-Whonix-Gateway when eth1 is available for that gateway?

Also which vif interface? I see two anyway.

Total devices: lo, eth0, eth1, vifX, vifY


On another note, I didn’t manage to make the tcpdump command work with any device/interface.

1 Like


Says that requires extensive modifications to the default profiles and shows that profile.

But then is /usr/share/doc/onion-grater-merger/examples/40_onion_authentication.yml not enough? Not good enough?

1 Like

Improvement request to onion-grater-list
available, used

The available will list every available profile of couse and used the included ones. I think this helps people see which are the available profiles, just a wrapper to ls the examples dir.

1 Like