It turns out ConnectionPadding 1 will not cause any trouble.
Using Sandbox 1 will git the following complains:
Apr 02 00:35:24.000 [notice] Read configuration file “/usr/share/tor/tor-service-defaults-torrc”.
Apr 02 00:35:24.000 [notice] Read configuration file “/etc/tor/torrc”.
Apr 02 00:35:24.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /etc/torrc.d/95_whonix.conf (on Tor 0.3.2.10 )
Apr 02 00:35:24.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /etc/torrc.d/95_whonix.conf (on Tor 0.3.2.10 )
Apr 02 00:35:24.000 [warn] Could not open “/etc/torrc.d/95_whonix.conf”: Permission denied
Apr 02 00:35:24.000 [warn] Error reading included configuration file or directory: “/etc/torrc.d/95_whonix.conf”.
Apr 02 00:35:24.000 [err] Reading config failed–see warnings above. For usage, try -h.
Apr 02 00:35:24.000 [warn] Restart failed (config error?). Exiting
I do not know what does “No interned sandbox parameter” means. Would you
like to ask on the tor-talk@ mailing list?
Looks like you’ve covered everything off (now you know why I dodged this task ).
I guess it’s up to the core team to decide now ie whether the simple testers guide as per no1’s 3 steps is preferred, or the full blown guide as per your entry. Or, the blog post could be a combination of:
Easy - quick testers guide with 3 steps
Advanced - full testers guide with 8 steps
I’m happy to further test Whonix 14 for full functionality, but it would be good for the experts to chime in with a simple yah or neh whether some of the things we are identifying are security risks or nothing to worry about e.g:
plethora of socks ports listening
“anon vm” tag issues in Qubes 4 with manual creation of VMs when not resorting to salt
Could call it false positives. This warnings don’t apply to Whonix. Many
SocksPorts for stream isolation. Listening on non-localhost so these are
reachable from Whonix-Workstations.
apparmor warnings on some profiles
Low priority. Might have been previously discussed. Please report
separately to Whonix AppArmor forums.
“anon vm” tag issues in Qubes 4 with manual creation of VMs when not
resorting to salt
For a “Testers Wanted” , its assumed users come to the table with the basic knowledge on how to use Qubes-Whonix – IMHO. The way the blog is written know is similar to how a wiki chapter is written. It would be helpful for inexperienced users but for the most part unnecessary. That is if you look at the current testers reporting back with issues. I’m not sure they need a detailed guide? Well, maybe unman but thats about it .
@0brand - Realized that for greater tester safety, we really should have a step where they explicitly copy & paste the Tor state file from Whonix 13 into the Whonix 14 VM before any Tor connections are made, to resist adversary efforts in tracking testers i.e. maintain same Tor guard.
I guess Whonix-Setup-Wizard will soon become deprecated (correct? @Patrick ). Currently, its behaviors are as follows:
kdesudo whonix-setup-wizard setup will:
if it is in Whonix-Gateway, start anon-connection-wizard
if it is in Whonix-Workstation, do nothing
kdesudo whonix-setup-wizard repository will open Whonix Repository whose shortcut has been provided separately.
kdesudo whonix-setup-wizard locale_settings will open locale settings, which are not very helpful considering Whonix does not support multi-languages currently.
I guess Whonix-Setup-Wizard will soon become deprecated (correct? @Patrick ). Currently, its behaviors are as follows:
We discussed in the ACW thread what it’s still needed for.
What the source files of https://github.com/Whonix/whonix-setup-wizard do is not implemented elsewhere. Not sure it should be implemented elsewhere. If implemented in ACW (possible of course) then ACW could become too Whonix specific. ACW source code would get bigger and less beautiful. At the moment the Whonix specific parts are as much as possible nicely sourced out to WSW.
I tried all four available repository via kdesudo whonix-repository-wizard. The only repository suffers from this problem is stretch-proposed-updates InRelease.
user@host:~$ sudo apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease
Hit:2 http://deb.torproject.org/torproject.org stretch InRelease
Hit:3 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Hit:4 http://deb.qubes-os.org/r3.2/vm stretch InRelease
Get:5 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch-proposed-updates InRelease [13.2 kB]
Ign:6 http://ftp.us.debian.org/debian stretch InRelease
Ign:7 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease
Get:8 http://deb.whonix.org stretch-proposed-updates InRelease [13.2 kB]
Hit:9 http://ftp.us.debian.org/debian stretch Release
Hit:10 tor+http://vwakviie2ienjx6t.onion/debian stretch Release
Reading package lists... Done
E: Release file for tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/dists/stretch-proposed-updates/InRelease is expired (invalid since 5d 10h 31min 55s). Updates for this repository will not be applied.
E: Release file for http://deb.whonix.org/dists/stretch-proposed-updates/InRelease is expired (invalid since 5d 10h 31min 55s). Updates for this repository will not be applied.