[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

tor meek bridge connection stuck at 10% handshake in vitualbox

Hi

i manage to make the ordinary torbrowser work in an utmost censuring country :wink: with one of the meek bridges (obfs4 isn’t working at all, even with the alternative bridges provided from tor’s website).

In order to augment anonymity, I would like to run tor from whonix in virtualbox using the same settings (running whonix 14). So when launching the gateway and configuring the tor setup, I’m using the same kind of settings in the ordinary torbrowser, but the handshake to the directory gets stuck at 10% and never gets any further. Why so ?

Do I need to make any further special settings in my network or ethernet settings in whonix ?

I’m on windows 7.

I eagerly would like to make this work through whonix so thanks for any help.

Hi whonix

Have you tried meek_lite?

https://whonix.org/wiki/Bridges#Additional_Information_and_Recommendations

Whonix does not modify Tor Browser. The one you were previously using and the one downloaded in Whonix are the same.

https://whonix.org/wiki/FAQ#Does_Whonix_Modify_Tor.3F

There are some common reasons for not being able to connect.

2 Likes

yep. That’s the only way for me to get the standalone torwbrowser to work !

i tried to switch off the UTC option in the gateway, so it should be on local time. But when connecting, i’m still stuck at 10%.
When cancelling I’m getting the following message :

WARNING: Tor Check Result: Tor is disabled. Therefore you most likely can not connect to the internet.

(Debugging information: Could not find DisableNetwork 0 in Tor config.)

_Please close this window and enable Tor using Whonix Setup! _
Start Menu -> Applications -> System -> Whonix Setup
or in Terminal: sudo whonixsetup

_or manually (If you know about the public Tor network!) and open /usr/local/etc/torrc.d/50_user.conf with root rights (Start Menu -> Applications -> System -> Torrc) and set: _
DisableNetwork 0
Then run whonixcheck again.

That brings up two questions for me :

  1. could it have something to do with the network settings? If so what should i check ? Under the options of network card 1 (which is activated) there’s like 6 options to choose from. Which one is the right one ? NAT ? Under promiscuity it says authorize the VMs. Is this ok ? Then the second ethernet card has as name whonix and access mode is internel network, promiscuity is refused.
  2. when i manually try to edit my Torrc file in order to add the DisableNetwork 0 thing, whonix asks me for my password, but i haven’t set any so i get stuck at this stage.

I dunno whether this has anything to do with it, but when launching the gateway first time i had a case (which i left unchecked) saying reinitialize MAC address of all the ethernet cards (application is not signed).

Thanks for any further help …


Ps are there any lists available of private obfuscated bridges for tor?

Hi whonix

Do only what is stated in the instructions. Do not do anything else unless you know what you are doing.

Your host is set to local time. The output of date -u shows your host time converted to UTC. You then go to the site I posted to check if your host time (in UTC) matches up to the UTC time on the site. A few seconds is no big deal.

If all is good with the host. Use the website clock to set the correct UTC time in Whonix-Gateway.

I think it is due to Tor not being enabled.

Follow the post install security advice (shows the default password)

After changing to more secure account passwords go ahead and add DisableNetwork 0 to your torrc.

In Whonix-Gateway konsole, run.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add the following text

DisableNetwork 0

Save and exit.

Now verify your torrc is configured correctly.

In Whonix-Gateway konsole, run.

sudo -u debian-tor tor --verify-config

The bottom line of the output should read:

Configuration was valid

Now restart Tor.

In Whonix-Gateway konsole, run.

sudo systemctl restart tor@default

After giving Tor enough time to bootstrap. Run whonixcheck.

In Whonix-Gateway konsole, run.

whonixcheck

Not that I know of.

1 Like

Hi and thanks for the feedback.

I just reinstalled vbox and the VMs from scratch just to undo whatever i could have done wrong, then followed the steps you detailed. I had already manually set both the gateway and host to UTC.

Basically, all goes will until this step (included) :

Then, i wasn’t exactly sure whether i had to first run the tor@default command and then launch the anon wizard or the other way around, so i did both. Either way, the bootstrapping process still gets stuck to 10%. Again, in order for me to make tor work i need meek_lite (so i wonder whether i must edit this explicitly in the Torrc file and if so, how ?

FWIW, i can past some lines from the whonixcheck verbose command :

INFO: Tor SocksPort Reachability Test Result: Reachable. (curl exit code: 22 | curl status message: [22] - [HTTP page not retrieved. The requested url was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.])
ERROR: Tor Connection Result:
Whonixcheck gave up waiting.
Tor Circuit: not established
Connection 10 % done. Tor reports: WARN BOOTSTRAP PROGRESS=10 TAG=handshake_dir SUMMARY=“Finishing handshake with directory server” WARNING=“DONE” REASON=DONE COUNT=7 RECOMMENDATION=warn HOSTID=“977*****” HOSTADDR=“0.0.2.0:3”

How can i move on from here. The thing i don’t get is why the ordinary torbrowser does work, but not the one with the same settings here in whonix.

Network settings are default : NAT with promiscuity mode off.

Hi whonix

The Tor Bowser you were using and the Tor Browser used in Whonix are one in the same (no difference). However it is likely that you are using a different Tor entry guard than used previously. You may want to try changing your entry guard temporarily to see if that helps.

https://whonix.org/wiki/FAQ#Whonix_has_Slowed_Tor_Connections_Dramatically.21

Use:

a) Easy: Whonix-Gateway Clone

Keep in mind that Amazon and Google have pulled domain fronting which is needed for pluggable transports such as meek and meek_lite. Microsoft’s Azure Cloud will soon be pulling the plug as well. This also could be affecting your ability to connect.

https://blog.torproject.org/domain-fronting-critical-open-web


Something else you can try is creating a Debian VM in VirtualBox and see if you can connect to the internet.

1 Like

Conceptually there cannot be. Otherwise they’re no longer private.

NETWORK ISSUES

As I couldn’t understand why at least some of the special obfs4 bridges provides at tor’s site and one of the meek bridges worked in the standard TBB worked but not in Whonix, I wanted to check connectivity issues. I had already set both the host and the whonix gateway to UHT.

On the initial whonix gateway (WG) installation I had kept my wifi connection and let the network on WG on the default (NAT). I had followed the steps you outlined editing the torcc file yielding me a configuration ok, but still no go…

So I hooked up an ethernet cable and set the WG settings on local bridge. I tried internet connectivity with firefox on a freshly installed Debian 9.3.0 VM in Virtualbox (VB) and bingo, that went well. At least that confirmed those network settings were ok and the problem wasn’t in VB.

Now, when I tried out the anon wizard in WG again, there was still no go : not the meek_lite nor the special obfs4…

So, that makes me think there a problem with the meek_lite thing. As is stated on the following url :

https://forums.whonix.org/t/meek-lite-a-new-pluggable-transport-in-whonix-14/4500

there are actually some differences between the TBB meek bridges and the meek_lite ones, especially with TLS in the latter case, which doesn’t seem to be entirely implemented. So I wonder whether that’s not the problem ? Otherwise I simply don’t see how the same settings do work in the standard TBB and not in the WG.

Did anyone actually managed to get Tor work in the WG in highly censuring countries ? Thanks for any feedback on this. If I don’t manage to set this up properly, would TAILS be an alternative ? I think it uses the standalone TBB while still assuring anonymity.

I would also like to know what the existing options are in order to obfuscate my connection to the entry guard, just in case this one is compromised. Surely I could use a VPN for that, but that kinda deanonymizes my Tor connection. Is it possible to set my entry guard manually and avoiding it to be in my country ? If so, can this be done with an app as AdVor? But I would prefer to run Tor from whonix.

Did you try changing your exit node in Whonix? Maybe using the same exit node as in your other TBB instance?

(entry node) That is likey the difference. Also it is very difficult to connect to Tor in highly censored countries. Even while using pluggable transports. You can still be blocked.

https://torproject/docs/pluggable-transports.html.en

Most users only report problems connecting.

Different use case (Tails is amnesic). Whonix is more secure IMO.

Just for testing purposes I would try installing TBB in a VirtualBox Debian VM and try connecting with meek_light. Does that work??

Yes.

EntryNodes node , node ,

A list of identity fingerprints and country codes of nodes to use for the first hop in your normal circuits. Normal circuits include all circuits except for direct connections to directory servers. The Bridge option overrides this option; if you have configured bridges and UseBridges is 1, the Bridges are used as your entry nodes.

The ExcludeNodes option overrides this option: any node listed in both EntryNodes and ExcludeNodes is treated as excluded. See the ExcludeNodes option for more information on how to specify nodes.

https://torproject.org/docs/tor-manual.html.en

This is not likely to be effective since state censors don’t just block relays in their own country. Since Tor relays addresses are publicly available. They try to block all of them.

1 Like

How can i do this if whonix gateway doesn’t even manage to connect me to Tor ?

This is indeed my bet. Otherwise no reason the same obfs4 and/or meek bridge works in TBB but not in whonix. Is there a way to ask this to the person who implemented the meek_lite bridge in the first place ? Why not having implemented the full thing ?

ok. Worth a try indeed. As I’m a total linux noob, i don’t even know how to copy paste the TBB in my Debian VM. sigh sigh… If i read the virtualbox docs righly, bidirectional drag&drop isn’t yet supported yet on Linux, only one-directional. But even when I set the VM config to “host to VM”, it doesn’t work. So, sorry for the stupid question, but how do I get the TBB in my debian VM ?

For the non-tech savvy, could this be easily done with AdVor (at least it has a GUI)…

Ok, basically this is the only real weak point for my, because I mainly intend to browse .onion sites. If i understand well, these can never be deanonymized right ? So it’s just the entry point I need to secure. But how so ? I could do so with a VPN, but then i have to trust the provider and i also make my ISP and state censorship know I’m using a VPN which is prohibited. They probably don’t even need DPI for that… So how can I obfuscate the fact I’m connecting to the TOR network, securing my entry node ? I guess the fact I’m using a bridge (meek or obfs4) is supposed to hide the fact I’m connecting to TOR, but is that really the case ? Even so, I need to protect my entry node without notifying my ISP of doing so… Not easy ?

Is there some kind of anonymous non-VPN and non-Tor proxy bridge for that? F.ex. i2p ?
Could i2p be used as a anonymizing proxy gateway to the Tor network ? I read that there was experimental support for selecting i2p in the whonix gateway rather than tor, but that project seems in deep coma now…

So thanks for any hint on that.

UPDATE

I’m trying to get the standard TBB installed in Debian. But I’m a total linux noob. Used firefox with proxy. But I can’t find it anywhere. So how to complete installation in order to test ?

Other question : can PSIPHON be used to act as a proxy with TOR ?

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]