Use a .onion address from a Whonix Workstation?

Thanks Patrick.

I’m doing this mostly to learn. So I’m really curious how I can use .onion services safely from a custom Whonix workstation, say Gentoo or Arch. I also prefer Arch and Gentoo, probably no surprise.

Is it possible to install the Whonix Tor Browser, i.e. the special version of Tor Browser that comes bundled with Whonix Workstation, in a different distro (custom Whonix Workstation)?

No, it’s not just Tor Browser. There are environmental variables that are required. So no .tar file etc. is available.


There is no “Special” Tor Browser package but there is:


The above last 3 posts are developer material.

The link below describes how to use Tor Browser without Tor over Tor in a Whonix-Custom-Linux-Workstation.

Tor Browser Advanced Topics

These instructions may or may not work anymore.

Possibly broken:
Connectivity. (Due to SocksSocket introduction.)

Likely functional:
No Tor over Tor. (Due to TOR_SKIP_LAUNCH=1 still same.)

Please report if it worked for you (and with which Tor Browser version).

Thanks!

How would I know if it works? I need some way to test if I’m using Tor over Tor, or not.

Hi rob75

You might be able to see using,

I’m not sure if it would show Tor over Tor circuits. Meaning may only show 3 hops (maybe a default?) even if using 2 circuits (6 hops).

Test connectivity.

In workstation:

ps aux | grep tor

Ignore grep / unrelated. Compare with output on gateway to figure out how it would look if Tor was running.

This works only for Tor Browser and is not a general way to check for Tor over Tor. (Because Tor Browser uses the tor binary. Other applications may be implementing Tor in other ways such as bisq if I remember right.)

arm wouldn’t show it. It only shows information on Tor but does not monitor outgoing connections to any servers (Tor or not).


Qubes-Whonix
Debian 9 VM
Tor Browser 8.0.4

I don’t think these instructions prevent Tor over Tor. There should not be Tor bootstrap success in Debian VM.

In Custom Whonix-Workstation

user@tor-deb:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf
   Active: inactive (dead) since Fri 2018-12-28 21:57:17 EST; 7s ago
  Process: 664 ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 (code=exited, status=0/SUCCESS)
  Process: 621 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
  Process: 602 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
 Main PID: 664 (code=exited, status=0/SUCCESS)

Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 66%: Loading relay descriptors
Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 72%: Loading relay descriptors
Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 80%: Connecting to the Tor network
Dec 28 21:44:57 tor-deb Tor[664]: Bootstrapped 85%: Finishing handshake with first hop
Dec 28 21:44:58 tor-deb Tor[664]: Bootstrapped 90%: Establishing a Tor circuit
Dec 28 21:44:59 tor-deb Tor[664]: Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 28 21:44:59 tor-deb Tor[664]: Bootstrapped 100%: Done

Comparing output of ps aux | grep tor was almost the same. Will test further.


So this is disturbing, on a default (non-custom) Whonix Workstation, I have

/bin/bash /usr/bin/tor --defaults-torrc /usr/share/tor/tor-.service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

I have the exact same thing on my Whonix Gateway.

Is this normal? I don’t understand how this ps aux |grep tor test should work.

Created a Tor Browser without Tor “VM” and Tor daemon returns the same result as the above post. Meaning that test was invalid.

Edit: The VM that I used was created some time ago with a mix of Tor Browser (GUI) and CLI instructions from the previous wiki page. (meaning instructions are a little different now). IIRC the $HOME/.tb/path/to/user.js edits were not sufficient.

Note: will be referring to this VM as “tor-browser-test”

user@tor-browser-test:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf
   Active: active (running) since Sat 2018-12-29 21:15:39 EST; 35s ago
  Process: 633 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-ser
  Process: 609 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian
 Main PID: 707 (tor)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-tor.slice/tor@default.service
           └─707 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaul

Dec 29 21:15:45 tor-browser-test Tor[707]: Bootstrapped 50%: Loading relay descr
Dec 29 21:15:45 tor-browser-test Tor[707]: The current consensus contains exit n
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 55%: Loading relay descr
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 62%: Loading relay descr
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 68%: Loading relay descr
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 78%: Loading relay descr
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 80%: Connecting to the T
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 90%: Establishing a Tor 
Dec 29 21:15:48 tor-browser-test Tor[707]: Tor has successfully opened a circuit
Dec 29 21:15:48 tor-browser-test Tor[707]: Bootstrapped 100%: Done

When sys-firewall was set as NetVM for tor-browser-test, there were no issues with clearnet connectivity. However, even after setting network.dns.blockDotOnion in about:config, I was not able to connect to any .onion sites (whonix, qubes, torproject).

Also of note, I received the warning:

Something Went Wrong! Tor is not working in this browser.

Output of: ps aux | grep tor

debian-+   707  0.1  0.9  89320 36400 ?        Ss   21:15   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0


When sys-whonix was set to NetVM I was able to connect to onion sites. However, I did not receive the warning “Something Went Wrong! Tor is not working in this browser.”

For clarity, for now this is just for testing to use for comparison. If anyone would like to use these instructions this should be kept in mind.


Qubes-Whonix
Debian 9 StandaloneVM (NetVM sys-whonix)
Tor Browser 8.0.4

1. I went ahead and installed anon-ws-disable-stacked-tor in the StandaloneVM using apt-get as per the instructions on that page.
2. Created /home/user/.tb and installed Tor Browser using the instructions found in Manually Download Tor Browser.
3. Extracted Tor Browser in ~/.tb

4. When first starting Tor Browser it will fail. Rebooting the VM was necessary for Tor Browser to start but this only needed to be done once. This happened with both VMs tested.
5. After reboot, Tor Browser starts and connects with no issues and as expected the Tor daemon was not started.

sudo systemctl status tor@default

Unit tor@default.service could not be found.

Also:

ps aux | grep tor

user       905  0.0  0.0  11220  3024 pts/0    S+   21:32   0:00 bash ./start-tor-browser
user       977  0.1  4.2 1754276 169028 pts/0  Sl+  21:32   0:03 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc -childID 1 -isForBrowser -boolPrefs 301:0| -stringPrefs 287:36;e2382d91-3846-4dd1-a346-ebb6723f542f| -schedulerPrefs 0001,2 -greomni /home/user/.tb/tor-browser_en-US/Browser/omni.ja -appomni /home/user/.tb/tor-browser_en-US/Browser/browser/omni.ja -appdir /home/user/.tb/tor-browser_en-US/Browser/browser 917 tab
user      1043  0.0  1.7 1466780 68112 pts/0   Sl+  21:32   0:00 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc -childID 2 -isForBrowser -boolPrefs 301:0| -stringPrefs 287:36;e2382d91-3846-4dd1-a346-ebb6723f542f| -schedulerPrefs 0001,2 -greomni /home/user/.tb/tor-browser_en-US/Browser/omni.ja -appomni /home/user/.tb/tor-browser_en-US/Browser/browser/omni.ja -appdir /home/user/.tb/tor-browser_en-US/Browser/browser 917 tab

So it looks like there is no Tor-over-Tor.


Good point.

Prevent Tor over Tor for Tor Browser by Tor Browser only by settings. Only for Tor Browser’s internal Tor.

This is not a stronger (but still non-perfect) prevention like anon-ws-disable-stacked-tor. So installing torbrowser-launcher (Tor Browser Advanced Topics) will lead to Tor over Tor since this is using system-tor i.e. the debian tor package.

So Tor Browser Advanced Topics is short sighted on that very subject. Not keeping in mind the wider context of Tor over Tor by system-tor and Anonymize Other Operating Systems.

Wiki enhancements welcome. If worse comes to worse just a link to the most related/first post in this thread.

Means Tor is running in both so Tor over Tor.

One reason could be that anon-ws-disable-stacked-tor env vars are not applied right after installation. Reboot required for now. I wouldn’t know how to technically change env vars for already running sessions. Not thinking much about it either. [Patches welcome.](https://www.whonix.org/wiki/FAQ#Patches_are_Welcome)

Looks correct.


To prevent system-tor from starting. (most of the popular Linux distros use systemd)

sudo systemctl mask tor

Now:

 sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf
   Active: inactive (dead)

And ps should only return grep tor

ps aux | grep tor

user 1053 0.0 0.0 12724 948 pts/1 S+ 20:22 0:00 grep tor


I’ll update Tor Browser Advanced Topics.

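The `ps aux | grep tor` check used throughout this thread, as an added example that is not part of any post: it classifies process lines by executable name, so `grep tor` itself and `tor-browser` paths are not mistaken for a Tor daemon, and a shell interpreting a file named `tor` is reported separately from the tor binary. The function names and the sample lines (including PID 412) are constructed for illustration; as noted above, this only detects a `tor` process, not applications that implement Tor some other way.

```shell
#!/bin/sh
# Added example (not from the thread): classify `ps aux` lines instead of
# eyeballing `ps aux | grep tor`, which also matches "tor-browser" paths.

# Reads ps-aux-style lines on stdin (the command starts at column 11).
# Prints "daemon <pid>" for a tor binary, "script <pid>" when a shell
# is interpreting a file named tor (a wrapper script, not the binary).
classify_tor() {
    awk '
    function base(p,   a, n) { n = split(p, a, "/"); return a[n] }
    {
        exe = base($11)
        if (exe == "tor")
            print "daemon", $2
        else if ((exe == "sh" || exe == "bash" || exe == "dash") && base($12) == "tor")
            print "script", $2
    }'
}

# Exit status 0 when no tor binary is running, 1 otherwise.
no_local_tor() {
    ! classify_tor | grep -q '^daemon '
}

# Constructed sample, modelled on the ps output quoted in the thread.
sample_ps() {
    cat <<'EOF'
debian-+   707  0.1  0.9  89320 36400 ?        Ss   21:15   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
user       905  0.0  0.0  11220  3024 pts/0    S+   21:32   0:00 bash ./start-tor-browser
user       977  0.1  4.2 1754276 169028 pts/0  Sl+  21:32   0:03 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc
user      1053  0.0  0.0  12724   948 pts/1    S+   20:22   0:00 grep tor
root       412  0.0  0.1  20000  3000 ?        S    20:00   0:00 /bin/bash /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc
EOF
}

# Live use inside the workstation: ps aux | classify_tor
```

No output from `ps aux | classify_tor` inside the workstation means no process named `tor` is running there; compare with the same command on the gateway, where a `daemon` line is expected.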

Done!

https://whonix.org/w/index.php?title=Tor_Browser/Advanced_Users&oldid=40377&diff=cur

Didn’t think ps aux | grep tor was needed for testing since system-tor is disabled. Are there any other tests needed?


Could you please mention that any upgrade of system-tor or TBB may break this?

Could you please move all of it to Anonymize Other Operating Systems and just leave a link? Reason: at the moment documentation is split by technical component but from the user’s point of view it’s better to have documentation arranged by the topic they’re currently interested in.

Also since the system-tor advice applies to Anonymize Other Operating Systems whether using TBB or not.

Advisable anyhow. The implementation on how system-tor is started is likely to change in future. (They want to improve multi-instance Tor systemd setups.)

No problem. I’ll have this completed a little later on today.


Done. I’ll have to double check that links are functional once edits are pushed.

Removed and added links.

https://whonix.org/w/index.php?title=Tor_Browser/Advanced_Users&oldid=40391&diff=cur

Migrated to.

https://whonix.org/w/index.php?title=Other_Operating_Systems&oldid=40207&diff=cur

One question. How to get CodeSelect to work correctly when a pipe " | " is used in the command?

ps aux | grep tor

(only shows) ps aux. So I had to use </pre.>


Documentation for Kicksecure Wiki Devs