Voip / Jitsi / Mumble

You’re right there is no other file. I was using the wrongly named file torcc all along :stuck_out_tongue: There is a single torrc and it works fine.

Any idea on what parameters for onioncat?

From what I’ve seen all onioncat needs is ocat <local onion address> to start. I don’t know for sure if that’s all it takes. Documentation seems sparse.

Jitsi’s ipv6 seems broken. Every time I add my other “contact”’s onioncat ipv6 address it blurts errors.

Linphone seems the way forward for future testing. So far it’s simple to configure to use ipv6 by checking the option in its settings dialog. The program automatically uses the ipv6 address assigned by onioncat’s tun0 interface.
Linphone feels much quicker and lighter, because it’s not written in Java.

Adding a contact is done by putting: JohnDoe@[fd87::]

The brackets must be used when specifying.

I have not been able to see my contact online or initiate calls successfully. I really welcome any comments or testing to see if I overlooked something. I feel this is close.

Is ipv6 firewalling needed when running onioncat?

No idea.

I don’t know. At the time I wrote https://www.whonix.org/wiki/OnionCat#Over_Tor I thought probably not.

Could you please do me a favor and ask the guys at TAILS the steps, approximately, they did to configure voip over onioncat (udp based)?

Also the security implications of ipv6 and if firewalling is needed.

They haven’t answered my last “Why OnionCat + Mumble - why not just Mumble?” mail yet. I don’t think it would be appropriate for me to ask another question on that topic at this time.

I think it would be best if you signed up for tails-dev since there seem to be quite a few cases where communication with tails-dev is desired. That way also not all the questions and displeasure is channeled through me.

Onioncat function for logging would be useful.

I think on Whonix-Gateway some firewall changes could be required for onioncat.
https://github.com/Whonix/Whonix/blob/Whonix8/whonix_gateway/usr/bin/whonix_firewall#L584

May be needed to comment in:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

Might be useful to comment in:

ip6tables -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
ip6tables -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
ip6tables -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "

Restart Whonix’s firewall:

sudo whonix_firewall
tail -f /var/log/syslog

Might need to comment out.

https://github.com/Whonix/Whonix/blob/Whonix8/whonix_gateway/etc/sysctl.d/whonix-gateway-sysctl.conf#L15

#net.ipv6.conf.all.disable_ipv6 = 1

Reboot required or [dunno how to apply without reboot at the top of my head].

In summary, this looks difficult (still easy in comparison to assembler code). It might be best to get this working outside of Whonix to get rid of eventual additional issues and then port it to Whonix once functional. Trying to invent this on Whonix could be a PITA.
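Once the LOG rules quoted above are commented in, syslog fills with "Whonix blocked input6/output6/forward6:" lines. The following is an added helper (not from the thread or the Whonix project) that summarizes those lines per chain, interface and protocol, so a reader can see at a glance whether drops are hitting OnionCat's tun0 or loopback (which would mean the lo ACCEPT rules are missing); the syslog lines are constructed samples, and the sysctl path is an assumption you can override.

```shell
#!/bin/sh
# Added example, not from the thread or the Whonix project: summarize the
# ip6tables LOG entries written by the "Whonix blocked ...6:" rules, instead
# of eyeballing `tail -f /var/log/syslog`.

# Constructed sample syslog lines in the kernel's ip6tables LOG format
# (all addresses are made up except the documented ping.onion.aio address).
SAMPLE_LOG='Aug 12 10:15:03 gw kernel: Whonix blocked input6: IN=tun0 OUT= SRC=fd87:d87e:eb43:f947:ad24:ec81:8abe:753e DST=fd87:d87e:eb43:1:2:3:4:5 LEN=104 PROTO=ICMPv6 TYPE=129 CODE=0
Aug 12 10:15:04 gw kernel: Whonix blocked input6: IN=tun0 OUT= SRC=fd87:d87e:eb43:f947:ad24:ec81:8abe:753e DST=fd87:d87e:eb43:1:2:3:4:5 LEN=104 PROTO=ICMPv6 TYPE=129 CODE=0
Aug 12 10:15:05 gw kernel: Whonix blocked output6: IN= OUT=tun0 SRC=fd87:d87e:eb43:1:2:3:4:5 DST=fd87:d87e:eb43:f947:ad24:ec81:8abe:753e LEN=104 PROTO=ICMPv6 TYPE=128 CODE=0
Aug 12 10:15:06 gw kernel: Whonix blocked output6: IN= OUT=lo SRC=::1 DST=::1 LEN=60 PROTO=UDP SPT=5060 DPT=5060
Aug 12 10:15:07 gw sshd[123]: Accepted publickey for user from 10.0.2.15'

# Read syslog on stdin; print "<count> <chain> <interface> <protocol>" per
# distinct combination, so drops on tun0 vs lo stand out.
summarize_blocked6() {
    awk '
        /Whonix blocked/ {
            chain = ""; iface = ""; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "blocked") { chain = $(i + 1); sub(/:$/, "", chain) }
                else if ($i ~ /^IN=./)   iface = substr($i, 4)   # inbound: IN= set
                else if ($i ~ /^OUT=./)  iface = substr($i, 5)   # outbound: OUT= set
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[chain " " iface " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Drops on lo mean the two "ip6tables ... lo -j ACCEPT" rules are not in
# effect; local IPv6 signalling between onioncat and the softphone then fails.
loopback_drops() {
    summarize_blocked6 | awk '$3 == "lo"'
}

# Returns success when the kernel has IPv6 switched off entirely via the
# sysctl discussed above (then no ip6tables rule matters). The path is an
# assumed default and can be overridden for testing.
ipv6_disabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}" 2>/dev/null)" = "1" ]
}

# Demo run on the constructed sample; on a real gateway pipe in syslog instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked6
```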

I think they gave an answer related to their need for UDP mode or Mumble because it works better or something.

Anyway it’s not necessary to ask them anything else now. This page provides all the information I was looking for about Onioncat’s security implications. Could never find it indexed when searching for it. Please read it as it’s rather short. It’s worth adding that information to the wiki.

https://www.cypherpunk.at/onioncat_trac/wiki/Security

Anyone running Onioncat would have something similar to a computer running directly on the internet.

I predict that the problems with voip are something to do with IPv6 firewalling. If that turns out to work, will you configure the IPv6 firewall to be active in some form or just tell people to deactivate?

Binding the kernel to use onioncat’s TUN interface could allow use of its generated ipv4 address. I have no idea how to do that but I mentioned it.

Running this command gives an ip4 address for onioncat, but it needs to be bound to first to work.

ocat -4 HSaddress

I followed your instructions for the firewall on the workstation.

The other instructions for the Gateway I didn’t because I don’t know the risks this presents. Tor doesn’t support ipv6 itself so I’m not sure how it matters.

Ok.

I don’t think so.

I predict that the problems with voip are something to do with IPv6 firewalling.
Yes.
If that turns out to work, will you configure the IPv6 firewall to be active in some form or just tell people to deactivate?
In mid / long term we need allow IPv6 access anyway. Tor already supports IPv6 bridges.

Sounds good!

It only enables traffic on loopback device and blocks the rest. Should be safe.

Doesn’t matter for now. Just local IPv6 traffic.

Two new answers on tails-dev about mumble:
https://mailman.boum.org/pipermail/tails-dev/2014-August/thread.html#6623

I’ve asked some questions on the mailinglist and got positive responses. It’s a complicated setup from what I understand but I’m not ready to give up yet.

Using ping6 to ping the other point hangs indefinitely with nothing saying if it failed or succeeded.

The paper https://www.cypherpunk.at/ocat/download/Docs/ocat_petcon09_main.pdf lists a ping service at IP fd87:d87e:eb43:f947:ad24:ec81:8abe:753e on the onioncat network that’s supposed to respond to ping requests, and I get the same result.

ping.onion.aio (fd87:d87e:eb43:f947:ad24:ec81:8abe:753e) currently does nothing other than respond to echo requests.

I admit that I have not enabled that setting on the Gateway because this information makes me uneasy:

## We need to disable IPv6 because Tor does not support IPv6 yet and may create leaks.
## You can verify the setting applied by: cat /proc/sys/net/ipv6/conf/all/disable_ipv6, which should return 1.
## Advanced users only: If you were unwilling or unable to disable IPv6 you would have to create an IPv6 firewall.
## The firewall supplied by Whonix does only protect IPv4.

AFAIK Onioncat should work over Tor by default and has nothing to do with IPv6 support directly. It’s on a layer over Tor.

ipv6.google.com gives unknown host as expected.

Pinging the domain I listed above gives:

PING fd87:d87e:eb43:f947:ad24:ec81:8abe:753e(fd87:d87e:eb43:f947:ad24:ec81:8abe:753e) 56 data bytes

Does that mean it works or not?

Playing around with the /usr/bin/whonix_firewall file in the workstation is safe right?

## We need to disable IPv6 because Tor does not support IPv6 yet and may create leaks.
## Advanced users only: If you were unwilling or unable to disable IPv6 you would have to create an IPv6 firewall.
## The firewall supplied by Whonix does only protect IPv4.
This is an outdated comment. Whonix's firewall now covers IPv6. It doesn't have many features, but that IPv6 kernel disable feature is now obsolete / extra paranoid.

Yes. Still, you need to allow local localhost IPv6 traffic.

Yes. It is not enabled by default anyway.

Last time I mention this, but I really have to know.

Since what version is the ipv6 firewall able and effective? Reason is I’m still on 8.2. Trying to understand if I am still safe.

At least since Whonix 7 (https://github.com/Whonix/Whonix/blob/Whonix_7/whonix_gateway/usr/bin/whonix_firewall#L507) if not earlier.

After updating Tor my Hidden Service webserver is now reachable