Using syncthing over tor hidden service

I know I can use syncthing over i2p hidden servers following this guide: https://web.archive.org/web/20171008035012/https://barry.im/post/2017/10/6/syncthing-over-i2p/

Now, I would like to do the same thing, but using .onion addresses this time. Essentially, I will be having a tor hidden service on my Qubes-Whonix, whose .onion address I will be assigning to my mobile phone’s syncthing app for connecting to.

I am comfortable with setting up tor hidden services on normal debian OS. I use Tor hidden service addresses to connect to my VPS via SSH, and I also know how to mirror my clearnet blog to a hidden service of my own hosting.

Now, as far as my understanding of setting up a tor hidden service inside Qubes-Whonix goes: it is a bit complicated. I need to take setup steps both from the sys-whonix, and also on the whonix template I will be setting up this tor hidden service in, am I right?

Currently, I am reading through the Onion Services topic in the whonix wiki. However, I would like to also get some pointers in setting this (syncthing over two .onion hidden services) up. Thanks.


In this guide, I will document how to setup Syncthing between a
Qubes-Whonix qube and an Android device running the Orbot app.

***** Android Orbot setup

****** Create a hidden service on Orbot
Download the Orbot app, preferably from the fdroid app store. Start
Orbot and connect to the tor network. Then tap on “More” on the
lower side of the screen. =Hosted Onion Services= > =Tap on + icon=:

  • Name: enter a defining name for the hidden service. For my example,
    I use =hiden_service_media_qube=
  • Local Port: decide to which local port the incoming
    connections to our hidden service should be forwarded. In my case, I enter
    =22000= since this is the default =tcp://= port that the
    syncthing program listens on.
  • Onion Port: decide which hidden service port should be opened.
    For the sake of symmetry, I assign this the same value as the “Local
    Port” from the previous step. So, I enter =22000= for
    that.
    Tap on =Save=. We need to restart the Orbot app in order for it to
    generate our newly-created hidden service keys and credentials. So,
    get back to the main UI of the Orbot app, stop the tor connection, then
    press on exit. Restart the Orbot app. Check the =Hosted Onion
    Services= list. If you still do not see your newly-created hidden
    service in there, keep stopping, exiting and restarting the Orbot app.
    It will eventually show up there.

Once you see your newly-created hidden service listed, tap on it and
copy its hidden service onion URL address. For the sake of brevity,
let’s call this URL =mobile_hidden_url.onion=.

***** Qubes-Whonix setup

****** Create a hidden service on sys-whonix
On QubesOS, there is a Qubes applications menu, reached by clicking on
the =blue Q= icon on the desktop panel. =Q menu= > =click on SERVICE
tab= > =Hover over the sys-whonix option= > =click on Tor User Config
option=. You will see a text editor window in front of you. If this
is your first time creating a hidden service inside sys-whonix, this
file will be empty except for some comments. Here, we will be typing
in the following:
#+begin_quote
HiddenServiceDir /var/lib/tor/hidden_service_syncthing/
HiddenServicePort 22000 10.137.0.24:22000
#+end_quote

Here:

  • =HiddenServiceDir= designates where in the filesystem sys-whonix
    should keep the keys and credentials of our hidden service. We
    choose to store these in a pretty standard location,
    =/var/lib/tor/hidden_service_INSERT-YOUR-NAME-HERE/=. Later on,
    in case you choose to host one more hidden service on
    sys-whonix, you should pick another unique name.
  • =HiddenServicePort= designates which port the hidden
    service daemon should listen on for connections. Again, for the sake of
    symmetry and simplicity, we keep using the port =22000= as we used
    in the Orbot setup. The IP address we put in there, =10.137.0.24=, is
    the internal IP address of the AppQube in which we are going to run
    syncthing. In my case, that AppQube is named
    =media-qube=. So, in order to see its internal QubesOS IP, I
    open a terminal on that AppQube and issue the following command:
    #+begin_src sh
    qubesdb-read /qubes-ip
    #+end_src
    It will print your AppQube’s internal IP to stdout. Then, we also designate
    the port =:22000= after the QubesOS internal IP of the AppQube, so
    that the incoming connections are forwarded to that port inside the
    AppQube as well.

Once these edits are complete, press =Ctrl+S= (or however you save
your edits in your text editor) and then close the window.

Now, you need to restart/reload tor in sys-whonix, in order
for the tor daemon to create your keys and credentials for the hidden
service. For that, =Q menu= > =click on SERVICE tab= > =Hover over
the sys-whonix option= > =click on Reload Tor= option. After that,
open a terminal in sys-whonix and use the following command to see
your hidden service address URL:
#+begin_src sh
sudo cat /var/lib/tor/hidden_service_syncthing/hostname
#+end_src

Change the =hidden_service_syncthing= part to the appropriate name
that you chose earlier. After that command, you should see a .onion
address printed on the terminal. If you do not see it and get an
error instead, you should restart sys-whonix. This is a drastic
measure that will surely reload our new configuration into the tor
daemon. Repeat the above-mentioned =cat= command and note down the
.onion address you see. For brevity, we will call this
=desktop_hidden_url.onion=.

****** Allow the specific port on your AppQube firewall
Now you need to make the Whonix firewall allow connections on the
port we’ve specified in our setups. In my case, the name of the
AppQube in which I will be running the syncthing program is =media-qube=.
So, I open a terminal in that qube.

******* Create the /usr/local/etc/whonix_firewall.d/ directory
#+begin_src sh
sudo mkdir -p /usr/local/etc/whonix_firewall.d
#+end_src

******* Create and edit the /usr/local/etc/whonix_firewall.d/50_user.conf file
#+begin_src sh
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
#+end_src
in that file, input the following text:
#+begin_src sh
EXTERNAL_OPEN_PORTS+=" 22000 "
#+end_src
save the file and exit.

******* Reload the AppQube’s whonix firewall
#+begin_src sh
sudo whonix_firewall
#+end_src

***** Syncthing setup

****** On Android

Assuming you already have established a clearnet syncthing connection
between your mobile and your desktop devices, you should follow the
steps below in order to turn that clearnet connection into a Tor
network connection.

******* Enable Tor
Open the hamburger-sliding menu of syncthing app. Settings >
Experimental > Enable “Use Tor” option. This is all that’s needed, in
order to get syncthing working over Tor network.

******* Disable syncthing’s own intermediary servers
We won’t be using syncthing’s relay servers. Instead, we will use the
Tor network for a direct connection between our mobile and desktop
devices. Thanks to the Tor network, this direct connection will be
end-to-end encrypted and untraceable, or, in short: secure.

Syncthing app hamburger menu > Web GUI > Upper right side cog icon >
Settings > Connections: here UN-check the following options:

  • Enable NAT traversal
  • Local Discovery
  • Global Discovery
  • Enable Relaying

******* Specify the sync protocol listen addresses
We need to let the syncthing app know that it has to listen on the
localhost and the port number we set up our hidden services with. For
our example, this port number is =22000=. So, Syncthing app hamburger
menu > Web GUI > Upper right side cog icon > Settings > Connections:
under the “Sync Protocol Listen Addresses” enter this:
=tcp://0.0.0.0:22000=

This will let the syncthing app know that it should be on the lookout
for tcp connections on the localhost at port number 22000.

Click Save.

******* Change your device’s address into its onion URL
On the syncthing app UI, slide left, switch to the “Devices” list.
There, tap on your paired device, and tap on its field with the chain
icon which currently reads “dynamic”. Here, delete that, and insert
the following:
=tcp://desktop_hidden_url.onion:22000=

Then hit the back arrow button.

****** On AppQube (Qubes-Whonix)
Again, assuming you already have a clearnet pairing between your
desktop and mobile devices, follow these steps to turn that connection
into a Tor network one.

******* Note on Tor
Since we are already on an AppQube based on Qubes-Whonix template, we
don’t need to do anything special to make syncthing use Tor. It is
already using Tor.

******* Disable syncthing’s own intermediary servers
On your AppQube, open up a terminal. And type in the following in
order to open your Syncthing webUI:
#+begin_src sh
torbrowser 127.0.0.1:8384
#+end_src
If you get errors during this step, take a look at the following
Whonix wiki entry for allowing your Tor Browser access to local ports:
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Browser#Local_Connections

On the webUI for Syncthing > Upper right hand side cog icon Actions >
Settings > Connections: here UN-check the following options:

  • Enable NAT traversal
  • Local Discovery
  • Global Discovery
  • Enable Relaying

******* Specify the sync protocol listen addresses
Under the “Sync Protocol Listen Addresses” enter this:
=tcp://0.0.0.0:22000=

This will let the syncthing app know that it should be on the lookout
for tcp connections on the localhost at port number 22000.

Click Save.

******* Change your device’s address into its onion URL
On the syncthing webUI, see your “Remote Devices” list. There, click
on your paired device, and click “Edit” button > Advanced. Currently
the “Addresses” field reads “dynamic”. Here, delete that, and insert
the following: =tcp://mobile_hidden_url.onion:22000=

Then click on the “Save” button.

***** Complete
You are all set. From now on, as long as your Orbot on android keeps
working, the syncthing connection between your two devices will be
completely on the Tor network.

If you wish to add further new devices to sync to over Tor network,
remember to:

  • create a new hidden service for it on the Orbot app
    • make sure you use a different port number this time! Pick
      something like =22002=.
  • create a new hidden service for it on the sys-whonix
    • make sure you use a different port number as well. Again, pick
      =22002= or =22004=, depending on how many other custom hidden
      services you have setup on your sys-whonix.
  • setup the whonix firewall for that specific port number as we did
    above in this guide
  • MAKE SURE TO COMMAND SYNCTHING TO LISTEN IN ON THAT PORT NUMBER
    • make sure you add =tcp://0.0.0.0:22002=, or,
      =tcp://0.0.0.0:22004=, etc. to the “Sync Protocol Listen Address”
      field. Otherwise, syncthing won’t be able to notice the
      connection requests!

Useful? Toss some coins XMR:
85UdkqieUgV4sgRYtsZ8ePdG97GKpyfTsBpWgjm5GFYZX7vSrfQCSLtgdRTtgkjDtUAmniugQ2FDeLFgCZyuFEyo7Kd9kAT

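Added example (editor's addition, not code from either post above or from the Tor, Whonix or Syncthing projects): the guide has you copy a .onion hostname out of Orbot or out of =/var/lib/tor/hidden_service_syncthing/hostname= and paste it, by hand, into the other device's Syncthing “Addresses” field and into the sys-whonix =HiddenServicePort= line. A single mistyped character there gives you nothing more helpful than a device that stays “disconnected”. A v3 onion address carries its own checksum (base32 of public key || SHA3-256(".onion checksum" || key || 0x03)[:2] || 0x03), so it can be verified offline before you paste it. The helpers below do that and render the torrc lines; the function names are my own, the 32-byte “public key” is a constructed demo value and not a real service key, and =10.137.0.24= is the qube IP from the guide.

```python
import base64
import hashlib
import ipaddress

ONION_V3_B32_LEN = 56          # 35 raw bytes -> 56 base32 characters
ONION_V3_VERSION = b"\x03"


def _onion_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive the hostname tor writes to <HiddenServiceDir>/hostname from a
    32-byte ed25519 public key (same construction as tor's rend-spec-v3)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + _onion_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(hostname: str) -> bytes:
    """Check that hostname is a well-formed v3 onion address with a correct
    checksum and return the embedded public key. Raises ValueError otherwise,
    so a mistyped or truncated address is caught before it is pasted into
    Syncthing's device settings."""
    host = hostname.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ONION_V3_B32_LEN:
        raise ValueError(f"expected {ONION_V3_B32_LEN} base32 characters, got {len(host)}")
    try:
        raw = base64.b32decode(host, casefold=True)
    except (ValueError, TypeError) as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"address is not valid base32: {exc}") from None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion address version {version.hex()}")
    if checksum != _onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or corrupted")
    return pubkey


def torrc_hidden_service(name: str, qube_ip: str, port: int) -> str:
    """Render the two lines the guide adds to sys-whonix's Tor User Config.
    The target must be the AppQube's IP from `qubesdb-read /qubes-ip`, not its
    name: tor does not resolve qube names, so a name here would silently fail."""
    ipaddress.IPv4Address(qube_ip)  # AddressValueError (a ValueError) on a name
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return (
        f"HiddenServiceDir /var/lib/tor/hidden_service_{name}/\n"
        f"HiddenServicePort {port} {qube_ip}:{port}\n"
    )


def syncthing_device_address(hostname: str, port: int) -> str:
    """Build the value for Syncthing's per-device 'Addresses' field,
    refusing an onion address that fails the checksum."""
    validate_onion_v3(hostname)
    return f"tcp://{hostname.strip().lower()}:{port}"


if __name__ == "__main__":
    # Constructed demo key (not a real service key): bytes 0x00..0x1f.
    demo_pubkey = bytes(range(32))
    onion = onion_v3_from_pubkey(demo_pubkey)
    print(torrc_hidden_service("syncthing", "10.137.0.24", 22000))
    print("desktop_hidden_url.onion ->", onion)
    print("Syncthing address:", syncthing_device_address(onion, 22000))
    try:
        validate_onion_v3(onion[:-7] + "e.onion")   # one wrong character
    except ValueError as err:
        print("rejected:", err)
```

Run =validate_onion_v3()= on the string you copied from Orbot and on the one from sys-whonix before typing either into the other side; the checksum catches a dropped or swapped character, which is the usual reason a freshly configured onion peer never leaves “disconnected”. It only checks the address's form, not that the service is reachable; for that, the guide's firewall step (=EXTERNAL_OPEN_PORTS+=" 22000 "= in the AppQube) still has to be in place, because =tcp://0.0.0.0:22000= makes Syncthing listen on every interface of the qube and the Whonix firewall decides what actually reaches it.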