onion-grater development

Tor Controller is not on the list but this onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation - Whonix should be moved entirely to Control and Monitor Tor

The Control Proxy, or onion-grater should only have documentation related to its filter, the controller page should have the controller commands, the filter page should have explanation on how to filter, how to allow via profile etc, but not on how to connect.

Also, I fixed a bug recently on tor-ctrl to be able to run from the Workstation, so if you wish to test if a command is filtered or not, you can do through the command line to see what onion-grater lets through.

Simple plan

• will be the last one to be done so after the Dev wording is done for the
  other pages, the simpler version can contain everything important for the
  user in an easy vocabulary
• most important to mention onion-grater-add and onion-grater-remove and
  onion-grater-list, this is what an user faces with already compatible
  applications
• source code not so important in the user facing page, maybe just keep it on
  the Dev/onio-grater page.
• make the footnotes a topic, they are too big to be on the footnotes

• maybe merge this page with Dev/Control_Port_Filter_Proxy because the only
  filter proxy is onion-grater

• improve debugging of onion-grater
• improve description of what commands do
• separate onion-grater to a distinct section
• s/qubes-netvm-gateway/qubes-gateway/
• remove mentions of Tor Control such as onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation - Whonix
  because this is already done on
  Control and Monitor Tor

• merge this page with Dev/Control_Port_Filter_Proxy
• this page is difficult to find
• it should be on its own section of its parent page

Also, to each page, a good introduction.

I will do the changes to the Control_Port_Filter_Proxy but I believe it should be renamed to Dev/Onion-Grater as it is the only control proxy we have.

https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy#Talking_to_the_real_Tor_Control_Port (oneboxing failure)

Why is a password required, doesn’t it already authenticate via cookie? Can I switch the steps to use cookie path instead?

@adrelanos ping

https://www.whonix.org/wiki/Tor_Controller#On_Whonix-Workstation (onebox failure)

I fixed tor-ctrl for the WS, can it be installed by default on the workstation so I can guide to use tor-ctrl on both Workstation and Gateway. The things is that only the tor-ctrl program will work, the others that requires stream, circuits, will be filtered, which is a good job by the onion-grater, but is a program installed that won’t work.

@Patrick correct ping

Excellent plan!

Sure. Just a short mention and link from one to another.

Ah. Yes. If a simpler way works with the cookie, then by all means. Please use the cookie. Probably is like it is before because I didn’t get the idea to research that socat could pass the cookie somehow. Surely that would be much nicer.

Yes. Absolutely can switch to simpler tor-ctrl method.

It needs to past the decoding of the cookie… which is not as easy as a password but does not require changing the torrc.

Then please add tor-ctrl to Workstation packages to be installed so documentation becomes correct.

Meta package whonix-shared-packages-recommended-cli already has a Depends: on tor-ctrl. Already pre-installed. Included in Whonix 16.0.8.2 - for VirtualBox - Point Release!. That has also reached stable upgrades already.

Another thing is that cookie is on the GW, and not WS, but the WS receives

PROTOCOLINFO
250-PROTOCOLINFO 1
250-AUTH METHODS=NULL

so it does not even require a cookie or password there.
And is better this way, WS, should have limited commands already by onion-grater proxying.

Please make them uniform, I don’t believe I have rights to this.

Upper case o

onion-grater: a Tor Control Port Filter Proxy

Lower case o

onion-grater, a Tor Control Port Filter Proxy

Please create templates for Remove and List just like there is for Add on Template:Control Port Filter Python Profile Add - Whonix

That would be nice but MediaWiki has a limitation that doesn’t allow for lower case letters for the first letter in the article page name in a wiki link:

https://www.mediawiki.org/wiki/Manual:$wgCapitalLinks

Done. Created Template:Control_Port_Filter_Python_Profile_List just now.

there is wiki/Onion-grater and wiki/Dev/onion-grater

Then both Onion-grater with capital o would be fine.

Due to my native language background and this MediaWiki issue I actually personally prefer proper names starting with a capital letter

Upstream (Tails) decided to use the lower case variant onion-grater. So unless we change the name in Whonix’s for of onion-grater completely, forking the name to only change capitalization would be weird.

It’s only the URL where there is the upper case issue. The page title “onion-grater: a Tor Control Port Filter Proxy” is correct.

Maybe one day we should go for Manual:$wgCapitalLinks - MediaWiki. And then making all links always lower case by default. Writing links by hand is confusing because some letters are sometimes upper case.

Currently:

• functional: https://www.whonix.org/wiki/Onion-grater
• functional: https://www.whonix.org/wiki/onion-grater
• functional: https://www.whonix.org/wiki/Template:Control_Port_Filter_Python_Profile_Add
• functional: https://www.whonix.org/wiki/Template:Control_Port_Filter_Python_Profile_Add
• functional: https://www.whonix.org/wiki/template:control_Port_Filter_Python_Profile_Add
• broken https://www.whonix.org/wiki/Template:control_port_filter_python_profile_add
• broken https://www.whonix.org/wiki/template:control_port_filter_python_profile_add

But this would be a lot of effort. Would require automating changing the links all over the wiki. These two things would help:

• Extension:Replace Text - MediaWiki
• GitHub - adrelanos/mediawiki-shell: Fetch and edit mediawiki pages from the shell

So in summary the proper name is onion-grater as named by upstream. The capital O in the page name is considered a bug. It is a MediaWiki issue which is very time consuming to resolve. But by changing the name from lower capitalization to first letter capitalized we’d introduce more bugs.

Happens a lot when I try to type whonix wiki links.

Since there’s no dedicated onion-grater forum thread yet, and maybe not worth having a seaprate one let’s increase scope of this one…?

Thanks for this pull request! @nyxnor

Merged, thanks!

Yes

Does this points needs to be addressed on the filter proxy page? If yes, the I will categorize them, under which description?

• UI_for_ExitNode_country_selection_in_tor-launcher

• feedback_mechanism_for_clock-skew_and_other_bad_problems

Why does it present vif interface for Qubes-Whonix-Gateway when eth1 is available for that gateway?

Also which vif interface? I see two anyway.

Total devices: lo, eth0, eth1, vifX, vifY

Dev/Control_Port_Filter_Proxy#tcpdump_-_Less_Important)

On another note, I didn’t manage to make the tcpdump command work with any device/interface.

Dev/Control_Port_Filter_Proxy#onion_client_auth_add

Says that requires extensive modifications to the default profiles and shows that profile.

But then is /usr/share/doc/onion-grater-merger/examples/40_onion_authentication.yml not enough? Not good enough?

Improvement request to onion-grater-list
available, used

The available will list every available profile of couse and used the included ones. I think this helps people see which are the available profiles, just a wrapper to ls the examples dir.