Thanks Patrick.
I’m doing this mostly to learn. So I’m really curious how I can use .onion services safely from a custom Whonix workstation, say Gentoo or Arch. I also prefer Arch and Gentoo, probably no surprise.
Thanks Patrick.
I’m doing this mostly to learn. So I’m really curious how I can use .onion services safely from a custom Whonix workstation, say Gentoo or Arch. I also prefer Arch and Gentoo, probably no surprise.
Is it possible to install the Whonix Tor Browser, i.e. the special version of Tor Browser that comes bundled with Whonix Workstation, in a different distro (custom Whonix Workstation)?
No, its not just Tor Browser. There are environmental variables that are required. So no .tar
file etc. is available.
There is no “Special” Tor Browser package but there is:
The above last 3 posts are developer material.
Below’s link described how to use Tor Browser without Tor over Tor in a Whonix-Custom-Linux-Workstation
.
These instructions may or may not work anymore.
Possibly broken:
Connectivity. (Due to SocksSocket
introduction.)
Likely functional:
No Tor over Tor. (Due to TOR_SKIP_LAUNCH=1
still same.)
Please report if it worked for you (and with which Tor Browser version).
Thanks!
How would I know if it works? I need some way to test if I’m using Tor over Tor, or not.
Hi rob75
You might be able to see using,
I’m not sure if it would show Tor over Tor circuits. Meaning may only show 3 hops (maybe a default?) even if using 2 circuits (6 hops).
Test connectivity.
In workstation:
ps aux | grep tor
Ignore grep / unrelated. Compare with output on gateway to figure out how it would look if Tor was running.
This works only for Tor Browser and is not a general way to check for Tor over Tor. (Because Tor Browser uses the tor
binary. Other applications may be implementing Tor in other ways such as bisq if I remember right.)
arm wouldn’t show it. It only shows information on Tor but not monitor outgoing connection to any servers (Tor or not).
Qubes-Whonix
Debian 9 VM
Tor Browser 8.0.4
I don’t think these instruction prevent Tor over Tor. There should not be Tor bootstrap success in Debian VM.
In Custom Whonix-Workstation
user@tor-deb:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
Drop-In: /lib/systemd/system/tor@default.service.d
└─30_qubes.conf
Active: inactive (dead) since Fri 2018-12-28 21:57:17 EST; 7s ago
Process: 664 ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 (code=exited, status=0/SUCCESS)
Process: 621 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
Process: 602 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
Main PID: 664 (code=exited, status=0/SUCCESS)
Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 66%: Loading relay descriptors
Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 72%: Loading relay descriptors
Dec 28 21:44:56 tor-deb Tor[664]: Bootstrapped 80%: Connecting to the Tor network
Dec 28 21:44:57 tor-deb Tor[664]: Bootstrapped 85%: Finishing handshake with first hop
Dec 28 21:44:58 tor-deb Tor[664]: Bootstrapped 90%: Establishing a Tor circuit
Dec 28 21:44:59 tor-deb Tor[664]: Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 28 21:44:59 tor-deb Tor[664]: Bootstrapped 100%: Done
Comparing output of ps aux | grep tor
was almost
the same. Will test further.
So this is disturbing, on a default (non-custom) Whonix Workstation, I have
/bin/bash /usr/bin/tor --defaults-torrc /usr/share/tor/tor-.service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
I have the exact same thing on my Whonix Gateway.
Is this normal? I don’t understand how this ps aux |grep tor test should work.
Created a Tor Browser without Tor “VM” and Tor daemon returns the same result as the above post. Meaning that test was invalid.
Edit: The VM that I used was created some time ago with a mix of Tor Browser (GUI) and CLI instructions from the previous wiki page. (meaning instructions are a little different now). IIRC the $HOME/.tb/path/to/user.js
edits were not sufficient.
Note: will be referring to this VM as “tor-browser-test
”
user@tor-browser-test:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
Drop-In: /lib/systemd/system/tor@default.service.d
└─30_qubes.conf
Active: active (running) since Sat 2018-12-29 21:15:39 EST; 35s ago
Process: 633 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-ser
Process: 609 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian
Main PID: 707 (tor)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/system-tor.slice/tor@default.service
└─707 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaul
Dec 29 21:15:45 tor-browser-test Tor[707]: Bootstrapped 50%: Loading relay descr
Dec 29 21:15:45 tor-browser-test Tor[707]: The current consensus contains exit n
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 55%: Loading relay descr
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 62%: Loading relay descr
Dec 29 21:15:46 tor-browser-test Tor[707]: Bootstrapped 68%: Loading relay descr
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 78%: Loading relay descr
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 80%: Connecting to the T
Dec 29 21:15:47 tor-browser-test Tor[707]: Bootstrapped 90%: Establishing a Tor
Dec 29 21:15:48 tor-browser-test Tor[707]: Tor has successfully opened a circuit
Dec 29 21:15:48 tor-browser-test Tor[707]: Bootstrapped 100%: Done
When sys-firewall
was set as NetVM for tor-browser-test
, there were no issues with clearnet connectivity. However, even after setting network.dns.blockDotOnion
in about:config
, I was not able to connect to any .onion sites (whonix, qubes, torproject).
Also of note, I received the warning:
Something Went Wrong! Tor is not working in this browser.
Output of: ps aux | grep tor
debian-+ 707 0.1 0.9 89320 36400 ? Ss 21:15 0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
When sys-whonix
was set to NetVM I was able to connect to onion sites. However, I did not receive the warning “Something Went Wrong! Tor is not working in this browser.”
For clarity, for now this is just for testing to use for comparson. If anyone would like to use these instructions this should be kept that in mind.
Qubes-Whonix
Debian 9 StandaloneVM (NetVM sys-whonix
)
Tor Browser 8.0.4
1. I went ahead an installed anon-ws-disable-stacked-tor in the StandaloneVM using apt-get
as per the instructions on that page.
2. Created /home/user/.tb
and installed Tor Browser using the instructions found in Manually Download Tor Browser.
3. Extracted Tor Browser in ~/.tb
4. When first starting Tor Browser it will fail. Rebooting the VM was necessary for Tor Browser to start but this only needed to be done once. This happened with both VMs tested.
5. After reboot, Tor Browser starts and connects with no issues and as expected the Tor daemon was not started.
sudo systemctl status tor@default
Unit tor@default.service could not be found.
Also:
ps aux | grep tor
user 905 0.0 0.0 11220 3024 pts/0 S+ 21:32 0:00 bash ./start-tor-browser
user 977 0.1 4.2 1754276 169028 pts/0 Sl+ 21:32 0:03 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc -childID 1 -isForBrowser -boolPrefs 301:0| -stringPrefs 287:36;e2382d91-3846-4dd1-a346-ebb6723f542f| -schedulerPrefs 0001,2 -greomni /home/user/.tb/tor-browser_en-US/Browser/omni.ja -appomni /home/user/.tb/tor-browser_en-US/Browser/browser/omni.ja -appdir /home/user/.tb/tor-browser_en-US/Browser/browser 917 tab
user 1043 0.0 1.7 1466780 68112 pts/0 Sl+ 21:32 0:00 /home/user/.tb/tor-browser_en-US/Browser/firefox.real -contentproc -childID 2 -isForBrowser -boolPrefs 301:0| -stringPrefs 287:36;e2382d91-3846-4dd1-a346-ebb6723f542f| -schedulerPrefs 0001,2 -greomni /home/user/.tb/tor-browser_en-US/Browser/omni.ja -appomni /home/user/.tb/tor-browser_en-US/Browser/browser/omni.ja -appdir /home/user/.tb/tor-browser_en-US/Browser/browser 917 tab
So it looks like there is no Tor-over-Tor.
Good point.
Prevent Tor over Tor for Tor Browser by Tor Browser only by settings. Only for Tor Browser’s internal Tor.
This is not a stronger (but still non-perfect) prevention like anon-ws-disable-stacked-tor. So installing torbrowser-launcher (Tor Browser Advanced Topics) will lead to Tor over Tor since this is using system-tor i.e. the debian tor
package.
So Tor Browser Advanced Topics is short sighted on that very subject. Not keeping in mind the wider context of Tor over Tor by system-tor and Anonymize Other Operating Systems.
Wiki enhancements welcome. If worse comes to worse just a link to the most related/first post in this thread.
Means Tor is running in both so Tor over Tor.
One reason could be that anon-ws-disable-stacked-tor env vars are not applied right after installation. Reboot required for now. I wouldn’t know how to technically change env vars for already running sessions. Not thinking much about it either. [Patches welcome.](https://www.whonix.org/wiki/FAQ#Patches_are_Welcome)
Looks correct.
To prevent system-tor from starting. (most of the popular Linux distros use systemd)
sudo systemctl mask tor
Now:
sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
Drop-In: /lib/systemd/system/tor@default.service.d
└─30_qubes.conf
Active: inactive (dead)
And ps
should only return grep tor
ps aux | grep tor
user 1053 0.0 0.0 12724 948 pts/1 S+ 20:22 0:00 grep tor
I’ll update Tor Browser Advanced Topics.
Done!
https://whonix.org/w/index.php?title=Tor_Browser/Advanced_Users&oldid=40377&diff=cur
Didn’t think ps aux | grep tor
was needed for testing since system-tor is disabled. Are there any other tests needed?
Could you please mention that any upgrade of system-tor or TBB may break this?
Could you please move all of it to Anonymize Other Operating Systems and just leave a link? Reason: at the moment documentation is split by technical component but from the user’s point of view it’s better to have documentation is arranged by topic they’re currently interested in.
Also since the system-tor advice applies to Anonymize Other Operating Systems whether using TBB or not.
Advisable anyhow. The implementation on how system-tor is started is likely to change in future. (They want to improve multi-instance Tor systemd setups.)
No problem. I’ll have this completed a little later on today.
Done. I’ll have to double check that links are functional once edits are pushed.
Removed and added links.
https://whonix.org/w/index.php?title=Tor_Browser/Advanced_Users&oldid=40391&diff=cur
Migrated to.
https://whonix.org/w/index.php?title=Other_Operating_Systems&oldid=40207&diff=cur
One question. How to get CodeSelect
to work correctly when a pipe " | " is used in the command?
ps aux | grep tor
(only shows) ps aux
. So I had to use </pre.>