Qubes-Whonix CORRIDOR: where to insert the bridges?

Hey, I hope you're all doing well.

@Patrick @HulaHoop I know you're busy guys, so here's the short story:

Following the guide at kkkkkkkkkk63ava6.onion/wiki/Corridor
At the step to install corridor ("sudo apt-get install corridor") I get errors at the end, which I won't even post since I think it's obvious why I get them:
I use obfs4 bridges, and in the guide the biggest part of the bridge set-up is missing: where to store the bridge lines?

In /etc/tor/torrc the config is completely different from the normal whonix-gateway torrc config. I looked everywhere (corridor GitHub, Whonix blog, this forum) and still have no clue where to insert the bridge lines.

//cc @rustybird

???
Last time ‘rustybird’ logged in was March 3 2017 at 5:56 PM.
So he’s obviously not able to answer.
You, @Patrick and @HulaHoop, are the ones who were working on this project, not rustybird (by project I mean the qubes-whonix-corridor/whonix-corridor project, not the corridor project alone).

I beg to differ ;). Patrick’s CC appeared as an e-mail notification.

You can copy your torrc bridge lines into a new .conf file in sys-corridor’s /etc/corridor.d/, in the following format:

BRIDGES="Bridge obfs4 ...
Bridge obfs4 ...
Bridge obfs4 ..."

Alright, deep apologies to @Patrick . Thank you.
Thank you @rustybird for your answer; though it completely failed :sweat_smile:, it gave me the right clue, I guess, on how to do it.
I managed to make it work on my own!! I almost can't believe it!!!
Also, the way to store the bridges you described is not correct: in fact, if you issue the command "grep -Ei '^[[:space:]]*Bridge[[:space:]]' /etc/tor/torrc" you'll see it only returns 2 bridges out of the 3 you usually insert (to make the command work the bridges must be in /etc/tor/torrc; it's all explained in the guide I wrote below). To fix that I modified your code (if you want you can see it in the little guide I posted below).

You may want to add this thread to kkkkkkkkkk63ava6.onion/wiki/Corridor, I suppose, to help the next users.

Here are the outputs of sys-corridor once it was working (no errors; the 2nd and last outputs had the green dot, the rest black):

heresmyuser@sys-corridor:~$ sudo systemctl status corridor-data
● corridor-data.service - corridor’s relay list
Loaded: loaded (/lib/systemd/system/corridor-data.service; enabled)
Drop-In: /lib/systemd/system/corridor-data.service.d
└─qubes-service.conf, qubes.conf
Active: inactive (dead) since Thu 2017-07-13 11:23:58 EDT; 13s ago
Process: 672 ExecStart=/usr/sbin/corridor-data (code=exited, status=0/SUCCESS)
Main PID: 672 (code=exited, status=0/SUCCESS)

Jul 13 11:23:58 sys-corridor systemd[1]: Starting corridor’s relay list…
Jul 13 11:23:58 sys-corridor systemd[1]: Started corridor’s relay list.
Jul 13 11:23:58 sys-corridor corridor-data[672]: corridor_relays updated.
heresmyuser@sys-corridor:~$ sudo systemctl status corridor-init-forwarding
● corridor-init-forwarding.service - corridor’s forwarding
Loaded: loaded (/lib/systemd/system/corridor-init-forwarding.service; enabled)
Drop-In: /lib/systemd/system/corridor-init-forwarding.service.d
└─qubes-service.conf, qubes.conf
Active: active (exited) since Thu 2017-07-13 11:23:55 EDT; 27s ago
Process: 407 ExecStart=/bin/rm -f /var/run/qubes-service/qubes-firewall (code=exited, status=0/SUCCESS)
Process: 337 ExecStart=/usr/sbin/corridor-init-forwarding (code=exited, status=0/SUCCESS)
Main PID: 407 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/corridor-init-forwarding.service

Jul 13 11:23:54 localhost systemd[1]: Starting corridor’s forwarding…
Jul 13 11:23:55 localhost corridor-init-forwarding[337]: net.ipv4.ip_forward = 1
Jul 13 11:23:55 localhost corridor-init-forwarding[337]: net.ipv6.conf.all.fo…
Jul 13 11:23:55 localhost systemd[1]: Started corridor’s forwarding.
Hint: Some lines were ellipsized, use -l to show in full.
heresmyuser@sys-corridor:~$ sudo systemctl status corridor-init-logged
● corridor-init-logged.service - corridor’s logging
Loaded: loaded (/lib/systemd/system/corridor-init-logged.service; enabled)
Drop-In: /lib/systemd/system/corridor-init-logged.service.d
└─qubes-service.conf, qubes.conf
Active: inactive (dead) since Thu 2017-07-13 11:23:58 EDT; 32s ago
Process: 697 ExecStart=/usr/sbin/corridor-init-logged (code=exited, status=0/SUCCESS)
Main PID: 697 (code=exited, status=0/SUCCESS)

Jul 13 11:23:58 sys-corridor corridor-init-logged[697]: corridor_logged updated.
Jul 13 11:23:58 sys-corridor systemd[1]: Started corridor’s logging.
Hint: Some lines were ellipsized, use -l to show in full.
heresmyuser@sys-corridor:~$ sudo systemctl status corridor-init-snat
● corridor-init-snat.service - corridor’s source NAT
Loaded: loaded (/lib/systemd/system/corridor-init-snat.service; enabled)
Drop-In: /lib/systemd/system/corridor-init-snat.service.d
└─qubes-service.conf, qubes.conf
Active: active (exited) since Thu 2017-07-13 11:23:58 EDT; 1min 9s ago
Process: 722 ExecStart=/usr/sbin/corridor-init-snat (code=exited, status=0/SUCCESS)
Main PID: 722 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/corridor-init-snat.service

Jul 13 11:23:58 sys-corridor systemd[1]: Started corridor’s source NAT.
heresmyuser@sys-corridor:~$


I wrote a small but quite detailed guide for the next users who get stuck on the same problem. HERE IT GOES:


Create the sys-corridor as shown in the steps of the Whonix guide.
Once you turn it on, before you do anything execute 'sudo nano /etc/apt/sources.list.d/qubes-r3.list' (or just issue 'sudo nano herethequbeslist' for whatever Qubes list is at /etc/apt/sources.list.d) and make sure you're using the clearnet repositories.
sudo apt-get update
sudo apt-get upgrade
(This is to update your Debian sys-corridor in case your Debian template was not updated; btw you should update it.)
cd /etc
sudo mkdir corridor.d
cd corridor.d

Now follow the guide at kkkkkkkkkk63ava6.onion/wiki/Corridor from the step where it says to edit 'sudo nano /etc/corridor.d/21-bridges-user.conf' and insert the code it says to insert.
NOW DOWNLOAD THE Whonix Signing Key. NOTE: if your sys-corridor is using sys-firewall as the NetVM, then you must know that you are going to get the Whonix key over the clear, which means your ISP will know you are probably going to use Whonix after that. If you wish this not to happen, you could theoretically change your NetVM to sys-whonix, BUT after you have downloaded and added the key, you're going to have to download the corridor package from the Whonix repo, and you're still going to be using sys-whonix in the meantime. The problem is that when installing the corridor package, it is automatically run, thus you're going to end up with bridges over guards (Tor over Tor) (bridges in case your sys-whonix is set up to use bridges), THUS BE CAREFUL. After that you could still replace sys-whonix with sys-firewall as the NetVM of your sys-corridor, and it should get back to working normally as it should. This has not been tested, so if you want to test it be careful and keep in mind that it might fail, or even worse break something, so if you want to follow this path make sure to make proper backups, and do not do this if it's a big risk for you in case it breaks and exposes you, or I don't know what else; you should ask someone who knows more than me about this.

So now download and add the key, add the Whonix apt repository, update your packages again, and install corridor as described in the Whonix guide.
(Don't worry if during corridor's installation you get errors like 'corridor-init-logged.service failed'.)
Once you have installed corridor, wait before moving forward; you don't need to do the check with sudo systemctl right now (in case you did, relax, you didn't break anything).

It's time to add the bridges in the right way:
sudo nano /etc/tor/torrc
Scroll to the bottom of the file.
At the very end, after the very last comment, INSERT THIS CODE IN THIS EXACT SYNTAX (replacing only your bridge lines, of course)
(so basically just leave the 1st and last line of this code untouched):

BRIDGES="
Bridge obfs4 ip:port… bla bla bla…
Bridge obfs4 ip:port… bla bla bla…
Bridge obfs4 ip:port… bla bla bla…
"
Then, as before, press 'Ctrl'+'X', type 'Y', and press Enter.

TO MAKE SURE THE SYNTAX IS CORRECT YOU CAN ISSUE this command in your terminal:
grep -Ei '^[[:space:]]*Bridge[[:space:]]' /etc/tor/torrc

If it correctly returns your bridge lines then you did well. In case it doesn't, then try again.

Now issue the command:
sudo nano /etc/corridor.d/20-bridges-auto.conf
and remove the character '#' at the first line (to uncomment that code line) (btw the file contains only 1 line, don't worry).
Then, as before, press 'Ctrl'+'X', type 'Y', and press Enter.

Now issue the command:
sudo rm /etc/corridor.d/21-bridges-user.conf

Now issue the command:
sudo reboot

Once sys-corridor has shut down, you can start it again from the Qubes VM Manager.
Once it's loaded, open a terminal (in sys-corridor, of course).
At this point you can move forward in the Whonix guide; the systemctl commands should return the following outputs:
the 1st one (corridor-data) should be 'Loaded' but with the big black dot
the 2nd one (corridor-init-forwarding) should be 'Active' with the big green dot
the 3rd one (corridor-init-logged) should be 'Loaded' but with the big black dot
the 4th one (corridor-init-snat) should be 'Active' with the big green dot

At least those were the outputs for me. More important is that it doesn't show any errors.
Now, if you want, you can keep following the Whonix guide, with steps such as 'test corridor' and/or 'test logging', 'interpreting the results', 'configure sys-whonix'.

I personally tested with the Tor Browser Bundle, and then opened Firefox to see if it could get clearnet access. It all worked as expected from there, i.e. no clearnet access, only Tor access through bridges. In fact, issuing 'sudo ipset list corridor_relays' inside the sys-corridor terminal showed that the only IPs were the bridge ones, with their respective ports, allowing only the TCP protocol.

I also tested on sys-whonix; it works.
I also tested disabling the bridges in sys-whonix; it successfully failed to connect to Tor, as expected!
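As an added example (not code from corridor, Whonix or any poster in this thread) covering both rustybird's BRIDGES="..." format and the torrc grep check from the guide above: the script below extracts the Bridge lines from a torrc-style file with the exact grep pattern used in the thread, shows which lines that pattern does and does not match (indented, commented-out, and the unrelated BridgeRelay option), prints the ip/port pairs that an allowlist such as the corridor_relays ipset would end up holding, and renders the lines in the BRIDGES="..." shape. The sample torrc, its IPs and fingerprints are constructed placeholders; the assumption that a corridor.d conf is plain shell that can be sourced is mine and should be checked against the installed package.

```shell
#!/bin/sh
# Added example, not corridor's own code.
# Demonstrates the grep pattern from the thread and the BRIDGES="..." format.
set -eu

# Constructed sample torrc: IPs are documentation ranges, fingerprints/certs are fake.
sample_torrc() {
  cat <<'EOF'
# torrc (constructed for this example)
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
   bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000001 cert=AAAA iat-mode=0
Bridge obfs4 198.51.100.20:8080 0000000000000000000000000000000000000002 cert=BBBB iat-mode=0
#Bridge obfs4 203.0.113.30:9001 0000000000000000000000000000000000000003 cert=CCCC iat-mode=0
Bridge obfs4 203.0.113.40:9002 0000000000000000000000000000000000000004 cert=DDDD iat-mode=0
BridgeRelay 0
EOF
}

# Writes the sample to a temp file and prints its path.
write_sample_torrc() {
  f=$(mktemp)
  sample_torrc > "$f"
  printf '%s\n' "$f"
}

# Same pattern as the thread's check: "Bridge" at line start (indentation
# allowed, case-insensitive) followed by whitespace. Commented-out lines and
# "BridgeRelay" are therefore excluded; the indented lowercase line is included.
bridge_lines() {
  grep -Ei '^[[:space:]]*Bridge[[:space:]]' "$1" || true
}

# Number of bridge lines the pattern finds.
count_bridges() {
  bridge_lines "$1" | wc -l | tr -d ' '
}

# "ip port" per line: the tuples a TCP allowlist of bridges would contain.
bridge_endpoints() {
  bridge_lines "$1" | awk '{ split($3, a, ":"); print a[1], a[2] }'
}

# Render the BRIDGES="..." block in the format from the thread, normalising the
# keyword to "Bridge" and dropping leading whitespace.
render_bridges_conf() {
  printf 'BRIDGES="\n'
  bridge_lines "$1" | sed -E 's/^[[:space:]]*[Bb][Rr][Ii][Dd][Gg][Ee]/Bridge/'
  printf '"\n'
}

# Assumption: a corridor.d conf is shell that gets sourced. Source the rendered
# block and count the entries a consumer would see in $BRIDGES.
count_in_rendered_conf() {
  conf=$(mktemp)
  render_bridges_conf "$1" > "$conf"
  # shellcheck disable=SC1090
  . "$conf"
  printf '%s\n' "$BRIDGES" | grep -c '^Bridge ' || true
  rm -f "$conf"
}

torrc=$(write_sample_torrc)
echo "bridge lines found: $(count_bridges "$torrc")"
bridge_endpoints "$torrc"
render_bridges_conf "$torrc"
rm -f "$torrc"
```

Run it against a real file with `bridge_lines /etc/tor/torrc` after sourcing the script; if the count is lower than the number of bridges you pasted, look for a missing space after the keyword or a stray comment marker, which is exactly what the pattern rejects.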