
Use a .onion address from a Whonix Workstation?


#1

Forgive my naive question, but how would I go about using a .onion address from Firefox in a Whonix Workstation?

Keep in mind that I’m not using the Tor browser, just regular Firefox (albeit with NoScript).

My Whonix setup is:

User -> VPN -> Tor -> Internet

So I’m already on the Tor network, shouldn’t I be able to access hidden .onion sites?

If I try to access e.g. the DuckDuckGo hidden site, I don’t get anywhere.


#2

In Firefox address bar:

about:config -> I accept the risk! -> network.dns.blockDotOnion -> toggle to false

You should only use Tor Browser with Whonix

https://whonix.org/wiki/Tor_Browser#Anonymity_vs_Pseudonymity


#3

2 posts were split to a new topic: If I install Tor Browser in a custom Whonix-Workstation will it lead to Tor over Tor?


#4

https://www.whonix.org/wiki/TunnelsConnecting_to_a_VPN_before_Tor#Terminology_for_Support_Requests


#5

Sorry, I’m confused.

Also sorry about not using the correct terminology, I edited my question.

So should I use the Tor Browser from within the Workstation, but prevent the Tor Browser from connecting to Tor (to avoid Tor over Tor)? Or should I let the Tor Browser use SocksPort?


#6

Use Tor Browser.

What @0brand said in Use a .onion address from a Whonix Workstation? is correct if you insist on using Firefox. This is because Firefox blocks connections to onions by default - because the correct way to connect to onions is using Tor Browser.

If you use Tor Browser in Whonix-Workstation, there won’t be Tor over Tor. No configuration needed. All pre-configured for you by Whonix already. Just connect to onions.

https://www.whonix.org/wiki/Tor_Browser#Whonix_Tor_Browser_Differences

Technical details:


#7

Thanks Patrick.

I’m doing this mostly to learn. So I’m really curious how I can use .onion services safely from a custom Whonix workstation, say Gentoo or Arch. I also prefer Arch and Gentoo, probably no surprise.


#8

Is it possible to install the Whonix Tor Browser, i.e. the special version of Tor Browser that comes bundled with Whonix Workstation, in a different distro (custom Whonix Workstation)?


#9

No, it’s not just Tor Browser. There are environmental variables that are required. So no .tar file etc. is available.


#10

There is no “Special” Tor Browser package but there is:


#11

#12

The above last 3 posts are developer material.

The link below describes how to use Tor Browser without Tor over Tor in a Whonix-Custom-Linux-Workstation.

https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Whonix-Custom-Linux-Workstation

These instructions may or may not work anymore.

Possibly broken:
Connectivity. (Due to SocksSocket introduction.)

Likely functional:
No Tor over Tor. (Due to TOR_SKIP_LAUNCH=1 still same.)

Please report if it worked for you (and with which Tor Browser version).


#13

Thanks!

How would I know if it works? I need some way to test if I’m using Tor over Tor, or not.


#14

Hi rob75

You might be able to see using,

I’m not sure if it would show Tor over Tor circuits. Meaning may only show 3 hops (maybe a default?) even if using 2 circuits (6 hops).


#15

Test connectivity.

In workstation:

ps aux | grep tor

Ignore grep / unrelated. Compare with output on gateway to figure out how it would look if Tor was running.

This works only for Tor Browser and is not a general way to check for Tor over Tor. (Because Tor Browser uses the tor binary. Other applications may be implementing Tor in other ways such as bisq if I remember right.)

arm wouldn’t show it. It only shows information on Tor but not monitor outgoing connection to any servers (Tor or not).


#16

Qubes-Whonix
Debian 9 VM
Tor Browser 8.0.4

I don’t think these instructions prevent Tor over Tor. There should not be Tor bootstrap success in Debian VM.

In Custom Whonix-Workstation

user@tor-deb:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf
   Active: inactive (dead) since Fri 2018-12-28 21:57:17 EST; 7s ago
  Process: 664 ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 (code=exited, status=0/SUCCESS)
  Process: 621 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
  Process: 602 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
 Main PID: 664 (code=exited, status=0/SUCCESS)

Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 66%: Loading relay descriptors
Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 72%: Loading relay descriptors
Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 80%: Connecting to the Tor network
Dec 28 21:44:57 tor-deb Tor[664]: Bootstrapped 85%: Finishing handshake with first hop
Dec 28 21:44:58 tor-deb Tor[664]: Bootstrapped 90%: Establishing a Tor circuit
Dec 28 21:44:59 tor-deb Tor[664]: Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 28 21:44:59 tor-deb Tor[664]: Bootstrapped 100%: Done

Comparing output of ps aux | grep tor was almost the same. Will test further.


#17

So this is disturbing, on a default (non-custom) Whonix Workstation, I have

/bin/bash /usr/bin/tor --defaults-torrc /usr/share/tor/tor-.service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

I have the exact same thing on my Whonix Gateway.

Is this normal? I don’t understand how this ps aux |grep tor test should work.


#18

Created a Tor Browser without Tor “VM” and Tor daemon returns the same result as the above post. Meaning that test was invalid.

Edit: The VM that I used was created some time ago with a mix of Tor Browser (GUI) and CLI instructions from the previous wiki page. (meaning instructions are a little different now). IIRC the $HOME/.tb/path/to/user.js edits were not sufficient.

Note: will be referring to this VM as “tor-browser-test”

user@tor-browser-test:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf
   Active: active (running) since Sat 2018-12-29 21:15:39 EST; 35s ago
  Process: 633 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-ser
  Process: 609 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian
 Main PID: 707 (tor)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-tor.slice/tor@default.service
           └─707 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaul

Dec 29 21:15:45 tor-browser-test Tor[707]: Bootstrapped 50%: Loading relay descr
Dec 29 21:15:45 tor-browser-test Tor[707]: The current consensus contains exit n
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 55%: Loading relay descr
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 62%: Loading relay descr
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 68%: Loading relay descr
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 78%: Loading relay descr
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 80%: Connecting to the T
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 90%: Establishing a Tor 
Dec 29 21:15:48 tor-browser-test Tor[707]: Tor has successfully opened a circuit
Dec 29 21:15:48 tor-browser-test Tor[707]: Bootstrapped 100%: Done

When sys-firewall was set as NetVM for tor-browser-test, there were no issues with clearnet connectivity. However, even after setting network.dns.blockDotOnion in about:config, I was not able to connect to any .onion sites (whonix, qubes, torproject).

Also of note, I received the warning:

Something Went Wrong! Tor is not working in this browser.

Output of: ps aux | grep tor

debian-+   707  0.1  0.9  89320 36400 ?        Ss   21:15   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0


When sys-whonix was set to NetVM I was able to connect to onion sites. However, I did not receive the warning “Something Went Wrong! Tor is not working in this browser.”

For clarity, for now this is just for testing to use for comparison. If anyone would like to use these instructions, this should be kept in mind.


#19

Qubes-Whonix
Debian 9 StandaloneVM (NetVM sys-whonix)
Tor Browser 8.0.4

1. I went ahead and installed anon-ws-disable-stacked-tor in the StandaloneVM using apt-get as per the instructions on that page.
2. Created /home/user/.tb and installed Tor Browser using the instructions found in Manually Download Tor Browser.
3. Extracted Tor Browser in ~/.tb

4. When first starting Tor Browser it will fail. Rebooting the VM was necessary for Tor Browser to start but this only needed to be done once. This happened with both VMs tested.
5. After reboot, Tor Browser starts and connects with no issues and as expected the Tor daemon was not started.

sudo systemctl status tor@default

Unit tor@default.service could not be found.

Also:

ps aux | grep tor

user       905  0.0  0.0  11220  3024 pts/0    S+   21:32   0:00 bash ./start-tor-browser
user       977  0.1  4.2 1754276 169028 pts/0  Sl+  21:32   0:03 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc -childID 1 -isForBrowser -boolPrefs 301:0| -stringPrefs 287:36;e2382d91-3846-4dd1-a346-ebb6723f542f| -schedulerPrefs 0001,2 -greomni /home/user/.tb/tor-browser_en-US/Browser/omni.ja -appomni /home/user/.tb/tor-browser_en-US/Browser/browser/omni.ja -appdir /home/user/.tb/tor-browser_en-US/Browser/browser 917 tab
user      1043  0.0  1.7 1466780 68112 pts/0   Sl+  21:32   0:00 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc -childID 2 -isForBrowser -boolPrefs 301:0| -stringPrefs 287:36;e2382d91-3846-4dd1-a346-ebb6723f542f| -schedulerPrefs 0001,2 -greomni /home/user/.tb/tor-browser_en-US/Browser/omni.ja -appomni /home/user/.tb/tor-browser_en-US/Browser/browser/omni.ja -appdir /home/user/.tb/tor-browser_en-US/Browser/browser 917 tab

So it looks like there is no Tor-over-Tor.


#20

Good point.

Prevent Tor over Tor for Tor Browser by Tor Browser only by settings. Only for Tor Browser’s internal Tor.

This is not a stronger (but still non-perfect) prevention like https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor. So installing torbrowser-launcher (https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#tor-launcher_vs_torbrowser-launcher) will lead to Tor over Tor since this is using system-tor i.e. the debian tor package.

So https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Whonix-Custom-Linux-Workstation is short sighted on that very subject. Not keeping in mind the wider context of Tor over Tor by system-tor and https://www.whonix.org/wiki/Other_Operating_Systems.

Wiki enhancements welcome. If worse comes to worse just a link to the most related/first post in this thread.

Means Tor is running in both so Tor over Tor.

One reason could be that anon-ws-disable-stacked-tor env vars are not applied right after installation. Reboot required for now. I wouldn’t know how to technically change env vars for already running sessions. Not thinking much about it either. [Patches welcome.](https://www.whonix.org/wiki/FAQ#Patches_are_Welcome)

Looks correct.
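
An added example, not part of the original posts and not Whonix code: the `ps aux | grep tor` check from posts #15 to #19 matches anything with "tor" in its command line, so this sketch classifies each process by its executable name instead. The function names and the three labels are made up for illustration; the first three sample lines are taken from posts #18 and #19 (the third shortened), the last two are constructed, with the fourth modelled on the command quoted in post #17.

```shell
#!/bin/sh
# Classify `ps aux` lines rather than eyeballing `grep tor` output.
# In `ps aux`, field 11 is argv[0] and field 12 is the first argument.
classify_tor_ps() {
    awk '{
        n = split($11, a, "/"); exe = a[n]   # basename of argv[0]
        m = split($12, b, "/"); arg = b[m]   # basename of first argument
        if (exe == "tor")
            kind = "tor-binary"              # a tor executable is running in this VM
        else if ((exe == "bash" || exe == "sh" || exe == "dash") && arg == "tor")
            kind = "script-named-tor"        # a shell interpreting a file called tor
        else
            kind = "unrelated"               # grep, start-tor-browser, firefox.real, ...
        print $2, kind
    }'
}

# Exit status 0 if any line is a real tor executable (Tor-over-Tor suspect).
local_tor_running() {
    classify_tor_ps | grep -q ' tor-binary$'
}

# Sample input; see the lead-in for which lines are constructed.
sample_ps() {
cat <<'EOF'
debian-+   707  0.1  0.9  89320 36400 ?        Ss   21:15   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
user       905  0.0  0.0  11220  3024 pts/0    S+   21:32   0:00 bash ./start-tor-browser
user       977  0.1  4.2 1754276 169028 pts/0  Sl+  21:32   0:03 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc -childID 1
user      1200  0.0  0.1  20000  3000 ?        S    21:40   0:00 /bin/bash /usr/bin/tor --defaults-torrc /usr/share/tor/tor-.service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
user      1301  0.0  0.0  12000   900 pts/0    S+   21:41   0:00 grep tor
EOF
}

# Prints one "PID label" pair per sample line.
sample_ps | classify_tor_ps
```

On a workstation, feed it live data with `ps aux | classify_tor_ps`. A `script-named-tor` result only says that a shell script occupies that path; like the check in post #15, it does not detect applications that implement Tor without the tor binary.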