onion-grater development

https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy#Talking_to_the_real_Tor_Control_Port (oneboxing failure)

Why is a password required, doesn’t it already authenticate via cookie? Can I switch the steps to use cookie path instead?

1 Like

@adrelanos ping

https://www.whonix.org/wiki/Tor_Controller#On_Whonix-Workstation (onebox failure)

I fixed tor-ctrl for the WS, can it be installed by default on the workstation so I can guide to use tor-ctrl on both Workstation and Gateway. The things is that only the tor-ctrl program will work, the others that requires stream, circuits, will be filtered, which is a good job by the onion-grater, but is a program installed that won’t work.

@Patrick correct ping

Excellent plan!

Sure. Just a short mention and link from one to another.

Ah. Yes. If a simpler way works with the cookie, then by all means. Please use the cookie. Probably is like it is before because I didn’t get the idea to research that socat could pass the cookie somehow. Surely that would be much nicer.

Yes. Absolutely can switch to simpler tor-ctrl method.

It needs to past the decoding of the cookie… which is not as easy as a password but does not require changing the torrc.

Then please add tor-ctrl to Workstation packages to be installed so documentation becomes correct.

1 Like

Meta package whonix-shared-packages-recommended-cli already has a Depends: on tor-ctrl. Already pre-installed. Included in Whonix - for VirtualBox - Point Release!. That has also reached stable upgrades already.

1 Like

Another thing is that cookie is on the GW, and not WS, but the WS receives


so it does not even require a cookie or password there.
And is better this way, WS, should have limited commands already by onion-grater proxying.

1 Like

Please make them uniform, I don’t believe I have rights to this.

Upper case o

onion-grater: a Tor Control Port Filter Proxy

Lower case o

onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation - Whonix

1 Like

Please create templates for Remove and List just like there is for Add on Template:Control Port Filter Python Profile Add - Whonix

1 Like

That would be nice but MediaWiki has a limitation that doesn’t allow for lower case letters for the first letter in the article page name in a wiki link:


Done. Created Template:Control_Port_Filter_Python_Profile_List just now.

there is wiki/Onion-grater and wiki/Dev/onion-grater

Then both Onion-grater with capital o would be fine.

1 Like

Due to my native language background and this MediaWiki issue I actually personally prefer proper names starting with a capital letter

Upstream (Tails) decided to use the lower case variant onion-grater. So unless we change the name in Whonix’s for of onion-grater completely, forking the name to only change capitalization would be weird.

It’s only the URL where there is the upper case issue. The page title “onion-grater: a Tor Control Port Filter Proxy” is correct.

Maybe one day we should go for Manual:$wgCapitalLinks - MediaWiki. And then making all links always lower case by default. Writing links by hand is confusing because some letters are sometimes upper case.


  • functional: https://www.whonix.org/wiki/Onion-grater
  • functional: https://www.whonix.org/wiki/onion-grater
  • functional: https://www.whonix.org/wiki/Template:Control_Port_Filter_Python_Profile_Add
  • functional: https://www.whonix.org/wiki/Template:Control_Port_Filter_Python_Profile_Add
  • functional: https://www.whonix.org/wiki/template:control_Port_Filter_Python_Profile_Add
  • broken https://www.whonix.org/wiki/Template:control_port_filter_python_profile_add
  • broken https://www.whonix.org/wiki/template:control_port_filter_python_profile_add

But this would be a lot of effort. Would require automating changing the links all over the wiki. These two things would help:

So in summary the proper name is onion-grater as named by upstream. The capital O in the page name is considered a bug. It is a MediaWiki issue which is very time consuming to resolve. But by changing the name from lower capitalization to first letter capitalized we’d introduce more bugs.

Happens a lot when I try to type whonix wiki links.


1 Like

Since there’s no dedicated onion-grater forum thread yet, and maybe not worth having a seaprate one let’s increase scope of this one…?

Thanks for this pull request! @nyxnor

Merged, thanks!


1 Like

Does this points needs to be addressed on the filter proxy page? If yes, the I will categorize them, under which description?

1 Like

Why does it present vif interface for Qubes-Whonix-Gateway when eth1 is available for that gateway?

Also which vif interface? I see two anyway.

Total devices: lo, eth0, eth1, vifX, vifY


On another note, I didn’t manage to make the tcpdump command work with any device/interface.

1 Like


Says that requires extensive modifications to the default profiles and shows that profile.

But then is /usr/share/doc/onion-grater-merger/examples/40_onion_authentication.yml not enough? Not good enough?

1 Like

Improvement request to onion-grater-list
available, used

The available will list every available profile of couse and used the included ones. I think this helps people see which are the available profiles, just a wrapper to ls the examples dir.

1 Like

This is important because not allowing this in Tor Browser might result in Tor Browser being broken one day. Then we would have to address it with onion-grater… Which could be difficult → onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation - Whonix
Therefore good to mention.

Depends. What was the follow-up of

? Is there no a clockskew related Tor control protocol command or some other change in result of that ticket?