What is the best way to have more than one Tor instance in Whonix Gateway?

I want to run two hidden services but isolated from each other and, unless there is a better way to do it, I would like to have each hidden service with one independent Tor instance (if one Tor instance gets overloaded, for example, I have more chances that the other service is not affected). Outside of Whonix this would be easy to achieve, for example through KVM or Docker, but because running Tor over Tor is a bad idea, how can I achieve this on Whonix? Thanks

I really suggest reading this whole page on hosting onion services on whonix, but if you know what you are doing, then go directly to edit the configuration

And if you really want isolated tor instances, then run multiple whonix gateways. Also this is not related to overloaded instances, it is related to isolated daemons.

If you want to manage overloaded instances, use OnionBalance and Vanguard as documented on the page above, but onionbalance is really only useful if you have a popular site and can host the backend in different locations.

You're probably gonna have a lot of questions; the wiki and past forum threads are your friends.

Whonix does not route Tor over Tor because the workstation has a fake tor pkg and every connection is routed to the gateway, which has a functional tor.
You are gonna host your sites on the gateway and access them through the workstation.


I already know how to host several hidden services on whonix. I know that I can run multiple whonix gateways but I want to know if it is possible to have just one Whonix Workstation with more than one tor instance and assign different services to each instance

During the past weeks there has been an active ddos attack against the Tor Network; even if you do not have a popular service you can end up on a relay which is overloaded with new open circuits and cannot handle more new open circuits. Vanguards help but do not solve the problem, the same with OnionBalance; if you have your frontend pointing to your service in the same GW they will get overloaded too

I just mentioned Tor over Tor because there are ready options in Docker or kvm, but unless I am missing something, I understand that we cannot use those solutions in the GW

In short, I just want to know if I can apply the following in Whonix Gateway:
linux - How to run multiple Tor processes at once with different exit IPs? - Stack Overflow

I understand that we cannot use those solutions in the GW.

It is possible but not documented.

Imagine having multiple instances and trying to remember which one you should restart for the browser, which one for the package manager, which one for some application. I think this is a usability issue, but I don’t speak for whonix devs.

https://manpages.debian.org/bullseye/tor/tor-instance-create.8.en.html
https://sources.debian.org/src/tor/0.4.7.8-1/debian/tor-instance-create/
You also need to set up different systemd services to help you, e.g. tor@default.service, tor@server1.service, tor@server2.service, and point them to different torrcs.

I haven’t done this on whonix, only plain debian, can’t assist more than this.

stackoverflow DOT com/questions/14321214/how-to-run-multiple-tor-processes-at-once-with-different-exit-ips (it does not let me include links)

Format the link with " ` " (single quote).

stackoverflow.com/questions/14321214/how-to-run-multiple-tor-processes-at-once-with-different-exit-ips (it does not let me include links)


If tor-instance-create can be used in Whonix Gateway I can try it and document it here

Where I am a bit lost is how Whonix Gateway would handle new torrc files. Because right now I see that the default tor is running using /usr/share/tor/tor-service-defaults-torrc (specifying the data directory) and /etc/tor/torrc (which includes files from /etc/torrc.d/, where /etc/torrc.d/95_whonix.conf ends up including /usr/local/etc/torrc.d/50_user.conf, where we specify all needed settings for our hidden services)

So, when creating a new tor instance should I clone the whole current structure? Like /usr/share/tor/tor-service-defaults-torrc2, /etc/tor/torrc2 etc.? Or could I end up breaking something? @Patrick

If the question is not clear enough please let me know

Format the link with " ` " (single quote).

Thanks for the tip! @nyxnor

You can post links now.

  • I can confirm that tor-instance-create is functional on Debian. Using this for whonix.org server.
  • tor-instance-create doesn’t have lots of documentation even for Debian. Haven’t seen step-by-step tor-instance-create instructions for Debian.
  • tor-instance-create does not have tested step-by-step instructions for Whonix yet.

Basic systemd knowledge is certainly helpful.

tor-instance-create for sure isn't trivial to use since use of systemd multi-instance is also required. It makes sense to learn more about systemd multi-instance on search engines.

Please document under https://www.whonix.org/wiki/Tor#Multiple_Tor_Daemons. Check out that link as it contains lots of suggestions how to use it.

Since this setup is only used by advanced users, it should probably use a single torrc file only and no .d drop-in / %include, at least not until the basics have been worked out here.

Since this is a feature inherited from the tor Debian package, could you please try this on Debian first to avoid the extra complexity by Whonix while learning this?

No, if you copy/paste all of Whonix's features such as SocksPort, DnsPort, TransPort it will probably fail since additional Tor daemons cannot open the same ports which are already opened by any other Tor instance.

Could you please tidy up documentation? Once cleaned up, working, we can look into what settings are perhaps useful to copy over from “tor@default” (Whonix config) to “tor@extradaemon1”.

Eventually, I might add how to make tor@extradaemon1 even compatible with vanguards but basics need to be confirmed to be functional first.

Just don’t make a Tor multi instance re-use the same folder or port that tor@default is already using.
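The two rules just stated (no shared port, no shared folder between tor@default and an extra daemon) can be checked before the new unit is enabled. The script below is an added example, not part of this thread or of the Debian tor package: it reads each instance's torrc, normalises port and directory values, and reports any value claimed by two instances. The function names (torrc_claims, check_instance_conflicts, make_sample_instances), the instance names and the torrc contents are constructed for the example; it assumes one flat torrc per instance with no %include or torrc.d drop-ins, as suggested above.

```shell
#!/bin/sh
# Added example, not from this thread or from the Debian tor package.
# Purpose: before enabling a second tor@<name> unit, check that no two
# instances' torrc files claim the same listening port or directory.
# Assumption: one flat torrc per instance, no %include / torrc.d drop-ins.
# All instance names and torrc contents below are constructed samples.

# Emit "Key Value Label" for every port/directory claim in one torrc.
# Comments are dropped, the "+Key" append syntax is accepted, "0" (listener
# off) and "auto" (kernel-chosen port) are not claims, and a bare port is
# normalised to 127.0.0.1:port, which is what Tor binds by default.
torrc_claims() {
    # $1 = torrc path, $2 = label to report (the instance name)
    sed -e 's/#.*$//' -e 's/^[[:space:]]*+//' -e 's/^[[:space:]]*//' "$1" |
    awk -v label="$2" '
        NF >= 2 && $1 ~ /^(SocksPort|ControlPort|TransPort|DnsPort|HTTPTunnelPort|ControlSocket|DataDirectory|HiddenServiceDir)$/ {
            v = $2
            if (v == "0" || v == "auto") next
            if ($1 ~ /Port$/ && v ~ /^[0-9]+$/) v = "127.0.0.1:" v
            sub(/\/+$/, "", v)     # /var/lib/tor/ and /var/lib/tor are the same directory
            print $1, v, label
        }'
}

# Report every value that two or more instances claim. Exit status 1 when
# a conflict exists, 0 when the given torrcs can coexist.
check_instance_conflicts() {
    # arguments: torrc paths laid out as <dir>/<instance>/torrc
    for f in "$@"; do
        torrc_claims "$f" "$(basename "$(dirname "$f")")"
    done | awk '
        {
            if (!(($2, $3) in seen)) {      # count each instance once per value
                seen[$2, $3] = 1
                count[$2]++
                who[$2] = (count[$2] == 1) ? $3 " (" $1 ")" : who[$2] ", " $3 " (" $1 ")"
            }
        }
        END {
            bad = 0
            for (v in count) if (count[v] > 1) { print "CONFLICT " v ": " who[v]; bad = 1 }
            exit bad
        }'
}

# Write three constructed torrcs mirroring /etc/tor/instances/<name>/torrc.
make_sample_instances() {
    mkdir -p "$1/default" "$1/extradaemon1" "$1/extradaemon2"
    cat > "$1/default/torrc" <<'EOF'
# constructed stand-in for the default (Whonix-style) instance
DataDirectory /var/lib/tor
SocksPort 9050
TransPort 10.152.152.10:9040
DnsPort 10.152.152.10:5300
EOF
    cat > "$1/extradaemon1/torrc" <<'EOF'
SocksPort 0
DataDirectory /var/lib/tor-instances/extradaemon1
HiddenServiceDir /var/lib/tor-instances/extradaemon1/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3
EOF
    cat > "$1/extradaemon2/torrc" <<'EOF'
# mistake: re-uses the default instance's SOCKS port and data directory
+SocksPort 127.0.0.1:9050
DataDirectory /var/lib/tor/
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_sample_instances "$SAMPLE_DIR"
check_instance_conflicts "$SAMPLE_DIR/default/torrc" "$SAMPLE_DIR/extradaemon1/torrc" \
    && echo "default + extradaemon1: no conflicts"
check_instance_conflicts "$SAMPLE_DIR"/*/torrc \
    || echo "fix the conflicts above before running systemctl enable tor@extradaemon2"
```

On a real system the torrc of the default instance is spread over the files listed earlier in the thread, so the check is only meaningful once those settings are visible in one flat file per instance; the rendered defaults file for an instance (/run/tor-instances/<name>.defaults) can be passed in as well, since it carries the DataDirectory and ControlSocket lines.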

Perfect! Thanks for your reply! I will document and test everything on Debian first; once I have everything ready I will go with Whonix and will post everything here so you can review it. I will try to have everything ready during the upcoming week and will update here once it is done


Although a bit late, better late than never. I am posting documented guides to run several tor instances on Debian and Whonix

How to use tor-instance-create on Debian

  1. First of all, we need to have tor installed on Debian. For that we will follow the official tor documentation: Tor Project | Debian / Ubuntu

  2. Once we have installed tor, the tool tor-instance-create will be installed automatically

  3. For each new Tor instance it will create a new UNIX user with a home directory and a mostly empty tor configuration file.

How to use tor-instance-create?

tor-instance-create <name>
# torrc for new instance is in /etc/tor/instances/<name>/torrc
systemctl enable tor@<name> # create symlinks for auto-launch of the new instance
systemctl start tor@<name>

Optional, in case you want to disable the default tor service:
systemctl mask tor@default

For example:

tor-instance-create tor2
systemctl enable tor@tor2
systemctl start tor@tor2

If we check the processes that are running through ps aux we will find this:

/usr/bin/tor --defaults-torrc /run/tor-instances/tor2.defaults -f /etc/tor/instances/tor2/torrc

If we check our /etc/passwd file we will find that a new user has been created:
_tor-tor2:x:108:114::/var/lib/tor-instances/tor2:/bin/false # It creates a new user named _tor- followed by the name we chose, with its data directory under /var/lib/tor-instances/

Each new tor instance will have a new torrc file in /etc/tor/instances/<name>/torrc with the following contents:

# This is the tor configuration file for tor instance <name>.
#
# To start/reload/etc this instance, run "systemctl start tor@<name>" (or reload, or..).
# This instance will run as user _tor-<name>; its data directory is /var/lib/tor-instances/<name>.
#
# Append to the list of socks interfaces configured via
# /usr/share/tor/tor-service-defaults-torrc-instances
# which is unix:/run/tor-instances/<name>/socks

+SocksPort auto

And the default /usr/share/tor/tor-service-defaults-torrc-instances contents is the following:

DataDirectory /var/lib/tor-instances/@@NAME@@
PidFile /run/tor-instances/@@NAME@@/tor.pid
RunAsDaemon 0
User _tor-@@NAME@@
SyslogIdentityTag @@NAME@@

ControlSocket /run/tor-instances/@@NAME@@/control GroupWritable RelaxDirModeCheck
SocksPort unix:/run/tor-instances/@@NAME@@/socks WorldWritable

CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /run/tor-instances/@@NAME@@/control.authcookie

Log notice syslog

If we want to run several tor instances on the same server it can be useful to enable a separate log for each instance in its torrc file:
Log notice file /var/log/tor/-notices.log

  1. In case we want to remove a tor instance, we need to stop the instance (in case it is running), delete the user and its directory
systemctl stop tor@<name>
systemctl disable tor@<name> # remove the auto-launch symlinks created by enable
userdel -r _tor-<name> # the instance user is _tor-<name>; -r also removes its home /var/lib/tor-instances/<name>

How to run several tor instances on Whonix

I am going to use extradaemon1 as the name for my extra tor instance, but it should be replaced with the name you want for your extra tor instance

  1. We will create a new user who will run the tor instance and own its config files
adduser --quiet --system --disabled-password --home "/var/lib/tor-instances/extradaemon1" --no-create-home --shell /bin/false --group --force-badname "_tor-extradaemon1"
install -Z -d -m 02700 -o "_tor-extradaemon1" -g "_tor-extradaemon1" "/var/lib/tor-instances/extradaemon1" # Create the home/data directory with the SELinux security context, permission mode 02700 and ownership set to the new user and group
install -d "/etc/tor/instances/extradaemon1" # Create the directory that will hold this instance's torrc
  1. Once we have created our user and home directory and assigned the right permissions, we must create our torrc file for the new instance and enable the service
  • In case you do not know how to run a hidden service on Whonix, you must check this documentation first: Onion Services - Whonix
sudoedit /etc/tor/instances/extradaemon1/torrc

Paste the following content, for example:

SocksPort 0

HiddenServiceDir /var/lib/tor-instances/extradaemon1/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3

Save and exit.

We create symlinks for auto-launch of the new instance:

sudo systemctl enable "tor@extradaemon1.service"

We start the new tor instance:

sudo systemctl start "tor@extradaemon1.service"

And we can check if the new instance is running without any issue:

sudo systemctl status --no-block --no-pager "tor@extradaemon1.service"

On Debian several tor instances are working fine, but not on Whonix

Here you have logs from extra tor daemon on Whonix Gateway:

sudo systemctl status --no-block --no-pager "tor@extradaemon1.service"
● tor@extradaemon1.service - Anonymizing overlay network for TCP (instance extradaemon1)
     Loaded: loaded (/lib/systemd/system/tor@.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-08-03 20:49:04 UTC; 1h 28min ago
    Process: 59565 ExecStartPre=/usr/bin/install -Z -m 02755 -o _tor-extradaemon1 -g _tor-extradaemon1 -d /run/tor-instances/extradaemon1 (code=exited, status=0/SUCCESS)
    Process: 59566 ExecStartPre=/bin/sed -e s/@@NAME@@/extradaemon1/g; w /run/tor-instances/extradaemon1.defaults /usr/share/tor/tor-service-defaults-torrc-instances (code=exited, status=0/SUCCESS)
    Process: 59568 ExecStartPre=/usr/bin/tor --defaults-torrc /run/tor-instances/extradaemon1.defaults -f /etc/tor/instances/extradaemon1/torrc --verify-config (code=exited, status=0/SUCCESS)
   Main PID: 59569 (tor)
      Tasks: 1 (limit: 2604)
     Memory: 14.3M
        CPU: 4.093s
     CGroup: /system.slice/system-tor.slice/tor@extradaemon1.service
             └─59569 /usr/bin/tor --defaults-torrc /run/tor-instances/extradaemon1.defaults -f /etc/tor/instances/extradaemon1/torrc

Aug 03 21:45:08 host Tor-extradaemon1[59569]:  64 connections died in state connect()ing with SSL state (No SSL object)
Aug 03 21:47:54 host Tor-extradaemon1[59569]: Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (No route to host; NOROUTE; count 66; recommendation warn; host XXX at YYY:443)
Aug 03 21:47:54 host Tor-extradaemon1[59569]: 65 connections have failed:
Aug 03 21:47:54 host Tor-extradaemon1[59569]:  65 connections died in state connect()ing with SSL state (No SSL object)
Aug 03 21:57:25 host Tor-extradaemon1[59569]: Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (No route to host; NOROUTE; count 67; recommendation warn; host XXX at YYY:443)
Aug 03 21:57:25 host Tor-extradaemon1[59569]: 66 connections have failed:
Aug 03 21:57:25 host Tor-extradaemon1[59569]:  66 connections died in state connect()ing with SSL state (No SSL object)
Aug 03 22:09:04 host Tor-extradaemon1[59569]: Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (No route to host; NOROUTE; count 68; recommendation warn; host XXX at YYY:9001)
Aug 03 22:09:04 host Tor-extradaemon1[59569]: 67 connections have failed:
Aug 03 22:09:04 host Tor-extradaemon1[59569]:  67 connections died in state connect()ing with SSL state (No SSL object)

@Patrick any idea what could be failing?
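With more than one daemon writing to the same journal, the SyslogIdentityTag from the instance defaults file is what tells the lines apart (Tor-extradaemon1 in the output above). As an added example, not from this thread or from the tor package, the script below reads such journal lines and summarises bootstrap progress per instance, so a stall like the one above is attributed to the right tor@<name> unit. The function names (bootstrap_state, all_bootstrapped) are mine, the log lines are constructed from the output above, and it is assumed that the default instance logs with the plain Tor[pid] tag.

```shell
#!/bin/sh
# Added example, not from this thread or from the tor package.
# Purpose: with several daemons logging to one journal, summarise bootstrap
# progress per instance so a stall is attributed to the right tor@<name>.
# Tor tags each extra instance with its SyslogIdentityTag (Tor-<name>[pid]);
# the default instance is assumed to log with the plain Tor[pid] tag.
# The log lines below are constructed, adapted from the journal output above.

# Print one line per instance:
# "<name> <last percent> <DONE|BOOTSTRAPPING|STALLED|UNKNOWN> <failed connections>"
bootstrap_state() {
    awk '
        # field 5 is the syslog program tag, e.g. "Tor-extradaemon1[59569]:"
        $5 ~ /^Tor(-[^[]+)?\[[0-9]+\]:$/ {
            name = $5
            sub(/\[.*$/, "", name); sub(/^Tor-?/, "", name)
            if (name == "") name = "default"
            if (!(name in seen)) { seen[name] = 1; names[++n] = name; fails[name] = 0 }
            if (match($0, /Bootstrapped [0-9]+%/)) {
                p = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", p)
                pct[name] = p; state[name] = (p == "100") ? "DONE" : "BOOTSTRAPPING"
            } else if (match($0, /Stuck at [0-9]+%/)) {
                p = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", p)
                pct[name] = p; state[name] = "STALLED"
            } else if (/connections have failed:/) {
                fails[name] = $6         # "... Tor-x[pid]: 67 connections have failed:"
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                nm = names[i]
                printf "%s %s %s %s\n", nm, ((nm in pct) ? pct[nm] : "?"),
                       ((nm in state) ? state[nm] : "UNKNOWN"), fails[nm]
            }
        }' "$@"
}

# Exit 0 when every instance seen in the log reached 100%, 1 otherwise;
# usable as a periodic health check across all tor@ units.
all_bootstrapped() {
    ! bootstrap_state "$@" | grep -qv ' DONE '
}

# Constructed sample journal: a healthy default instance plus the stalled
# extra daemon from the thread.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug 03 20:49:05 host Tor[1234]: Bootstrapped 5% (conn): Connecting to a relay
Aug 03 20:49:09 host Tor[1234]: Bootstrapped 100% (done): Done
Aug 03 21:47:54 host Tor-extradaemon1[59569]: Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (No route to host; NOROUTE; count 66; recommendation warn; host XXX at YYY:443)
Aug 03 21:47:54 host Tor-extradaemon1[59569]: 65 connections have failed:
Aug 03 21:47:54 host Tor-extradaemon1[59569]:  65 connections died in state connect()ing with SSL state (No SSL object)
Aug 03 22:09:04 host Tor-extradaemon1[59569]: Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (No route to host; NOROUTE; count 68; recommendation warn; host XXX at YYY:9001)
Aug 03 22:09:04 host Tor-extradaemon1[59569]: 67 connections have failed:
Aug 03 22:09:04 host Tor-extradaemon1[59569]:  67 connections died in state connect()ing with SSL state (No SSL object)
EOF

bootstrap_state "$SAMPLE_LOG"
all_bootstrapped "$SAMPLE_LOG" || echo "at least one instance has not finished bootstrapping"
```

On a live gateway the input would be journalctl output for the tor@ units rather than a file; a default instance stuck at the same 5% "(conn)" stage would point at general connectivity, while only the extra daemon being stuck (as in the thread) points at something specific to that instance, such as the firewall rule for its user.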

Connectivity issues:
Probably a firewall settings change required that I just now added to the wiki.

Why is it different? Why not use the same steps as for Debian, that is using tor-instance-create as already in the wiki?

Yes! I can confirm that once I apply the firewall settings you have added to the wiki, the tor connection is fully established and the hidden service can be accessed through the browser. It is also using the independent tor instance: I have verified that once I stop the extra tor instance but not the main tor instance, the hidden service is not accessible anymore

I just wanted to make sure that I understood how tor-instance-create is working. So I have "extracted" the relevant information from the source code of the script: https://sources.debian.org/src/tor/0.4.7.8-1/debian/tor-instance-create/ Also I have verified that everything is working using the way I have posted for whonix or using the tool tor-instance-create on Whonix; both ways are working once the firewall settings are modified

I have one question about your example in the wiki, why did you specify SocksPort 0 instead of SocksPort auto?

Thanks for the report!

Would be good if the wiki documentation could be improved.

Next improvement that should be added when using multiple Tor daemons (specifically important when hosting Tor onion services): Vanguards - Tor Anonymity Improvement

auto seems not very useful and is random as far as I understand? Do you know which port Tor would choose and/or how to find that out? auto seems to be a Tor feature to accommodate Tor Browser but in the context of this forum thread I didn’t see how it’s useful.

So I’d shift the burden of proof back to you and justify why auto is useful. :wink:

You can copy paste my previous posts in the wiki, if there is something missing let me know and I will do it

About Vanguards, would it be enough to specify a different ControlPort and execute different vanguards processes? Like vanguards --control_port ControlPort2

According to Tor’s doc:

Tor opens a SOCKS proxy on port 9050 by default -- even if you don't configure one below. Set "SOCKSPort 0" if you plan to run Tor only as a relay, and not make any local application connections yourself.

I did not verify it but I think it could assign the next free port in case the default one is in use, but I'm not sure. Also it would be useful only if the user wants to use tor as a socks proxy, but it would be interesting to have it in the docs for other people

Hey @Patrick Could you verify if this is working with the latest Whonix Gateway version? Same firewall settings specified in the wiki that worked before right now it seems not working or that it needs additional settings. The extra tor daemon says “Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (No route to host; NOROUTE; count 12;…”

I guess that although I have added the extradaemon user to the firewall and restarted it, it is still getting blocked.

I am not aware of any changes which might have broken this.

This is considered a feature request. Related: Community Feedback

Not going to happen unless contributed.

If someone wants to contribute a good first step would be this one:

I have submitted the documentation in the wiki; if I can do something else let me know. Also, I can do any test about this. I have downloaded the latest Whonix Gateway and followed the steps from the wiki; everything worked, but even if I have added the new tor instance user to the Whonix firewall and restarted it, it seems it is still blocked.


Ideas:

  1. Test something unrelated to onion services. For example a custom SocksPort.

  2. Set up an onion service using the default Tor instance (outside the context of multiple Tor daemons) to confirm the “normal” process is functional (which should be, but if there are issues there then it’s unrelated to the extra complexity of multiple Tor daemons).

Yes, I already have tested both. Also, when I am using the default Tor instance it is working without any issue. I can also configure a hidden service. I am not sure if there is any way to confirm or debug where the extra tor instance is getting blocked.