{{Header}}
{{title|title=
anon-ws-disable-stacked-tor
}}
{{#seo:
|description=Preventing Tor over Tor for Tor Browser, TorChat and others.
}}
{{intro|
Preventing Tor over Tor for Tor Browser, TorChat and others.
}}
= Introduction =
There is only one Tor daemon (a long-running process) running on {{project_name_gateway_long}}.
When starting Tor Browser in {{project_name_workstation_long}}, the Tor integrated into the Tor Browser Bundle is not started.
Therefore, there are no duplicate Tor daemons running in {{project_name_long}} by default, except in [[#Limitations|some corner cases]].
= Why? =
See [[Tips_on_Remaining_Anonymous#Prevent_Tor_over_Tor_scenarios|Prevent Tor over Tor Scenarios]].
[https://forums.whonix.org/t/anon-ws-disable-stacked-tor-considered-useless/8471 Rationale on implementation details, SocksSocket vs TCP, environment variables vs settings file]
= Implementation =
== Environmental Variable Adjustments ==
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/X11/Xsession.d/20torbrowser /etc/X11/Xsession.d/20torbrowser]
* [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh]
== Providing a virtual Tor package ==
Implemented in [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor anon-ws-disable-stacked-tor], [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/debian/control {{Code|debian/control}}]. The package uses the {{Code|Provides: tor}} field<ref>See "7.5 Virtual packages - Provides" on https://www.debian.org/doc/debian-policy/ch-relationships.html</ref>, which should avoid any kind of conflict in case upstream releases a higher version of Tor. This does not work for packages which depend on an explicit version of Tor (such as TorChat). This is non-ideal, since for example the {{Code|torchat}} package will install Tor, but it is still acceptable because of the following additional implementations.
== Tor binary replacement ==
Tor's binary was replaced (dpkg-diverted using config-package-dev) with dummy executables, so even if the real {{Code|tor}} package gets installed, it will not be started automatically.
* https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/bin/tor.anondist
* https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/sbin/tor.anondist
== systemd-socket-proxyd listening port redirection ==
[https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/systemd-unit-files-generator Listening] using systemd-socket-proxyd on the following listening ports:
* Tor's default listening ports, i.e.:
** system [[Tor]]'s SocksPorts {{Code|127.0.0.1:9050}}, {{Code|127.0.0.1:9051}} and
** [[Tor Browser]]'s SocksPorts {{Code|127.0.0.1:9150}}, {{Code|127.0.0.1:9051}},
** [[Tor Messenger]]'s SocksPort {{Code|127.0.0.1:9152}}
are redirected to the gateway.
Also applies to ControlPorts:
* Tor's 9051
* Tor Browser's 9151
These are redirected to Tor (actually to the control port filter proxy, [[onion-grater|onion-grater]]) on the gateway.
* and others, see the [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/systemd-unit-files-generator full list]
* Those listening ports are forwarded to {{project_name_gateway_short}}.
* This prevents the default Tor Browser, Tor Messenger and/or the Tor package by The Tor Project from opening these default ports, which results in Tor failing to open its listening port and therefore exiting, thus preventing Tor over Tor.
TODO: describe
* systemd socket activation
* https://web.archive.org/web/20221128013446/https://phabricator.whonix.org/T357
== Unix Domain Socket File Redirection ==
Since Tor Browser, [[OnionShare]] ([https://cloud.githubusercontent.com/assets/156128/21556064/8ead0338-cdd2-11e6-918c-d4ca61724b52.png screenshot]) and more and more other applications require [https://phabricator.whonix.org/T192 SocksSocket]
* https://gitlab.torproject.org/legacy/trac/-/issues/14272#comment:3
* https://gitlab.torproject.org/legacy/trac/-/issues/20111#comment:5
anon-ws-disable-stacked-tor also provides:
* Tor Control Unix Domain Socket file: {{Code|/var/run/tor/control}}, which is redirected to the Control Port Filter Proxy on {{project_name_gateway_short}}.
* [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/share/anon-ws-disable-stacked-tor/control.authcookie Tor Control Auth Cookie]: a functional {{Code|/var/run/tor/control.authcookie}} that works with [[Dev/onion-grater|onion-grater (Control Port Filter Proxy)]].
* Tor Socks Unix Domain Socket file: {{Code|/var/run/tor/socks}}, which is redirected to {{project_name_gateway_short}} Tor port 9050
** [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf full list]
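The TCP port redirection of the previous section and the Unix domain socket redirection of this one, as an added example that is not the project's own systemd-unit-files-generator: a shell script that emits the systemd .socket/.service pair which lets the workstation own one of Tor's default listening addresses and forward every accepted connection to the gateway through systemd-socket-proxyd. The unit name prefix, the gateway address and the local-to-remote mapping are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own systemd-unit-files-generator.
# Emits the systemd .socket/.service pair that lets the workstation own
# one of Tor's default listening addresses (a TCP ip:port or a Unix
# socket path) and hand every accepted connection to the gateway via
# systemd-socket-proxyd. Unit name prefix, gateway address and the
# local-to-remote mapping at the bottom are assumptions.

GATEWAY_IP="${GATEWAY_IP:-10.152.152.10}"   # assumed gateway address

# unit_name LISTEN: file-name-safe unit name, e.g. 127.0.0.1:9150 becomes
# anon-ws-proxy-127.0.0.1_9150, /var/run/tor/socks becomes
# anon-ws-proxy-var_run_tor_socks.
unit_name() {
  printf 'anon-ws-proxy-%s\n' "$(printf '%s' "$1" | sed 's#^/##; s#[/:]#_#g')"
}

# socket_unit LISTEN: the .socket unit. systemd binds the address at boot,
# so an application-bundled Tor that tries its default port fails to bind
# and exits instead of stacking a second Tor on top of the gateway's.
socket_unit() {
  printf '[Unit]\nDescription=Redirect %s to the gateway\n\n' "$1"
  printf '[Socket]\nListenStream=%s\nNoDelay=true\n' "$1"
  case $1 in
    /*) printf 'SocketMode=0666\nRemoveOnStop=true\n' ;;   # Unix socket path
  esac
  printf '\n[Install]\nWantedBy=sockets.target\n'
}

# service_unit LISTEN TARGET: the matching .service. systemd starts it on
# the first connection and systemd-socket-proxyd relays to TARGET (host:port).
service_unit() {
  name=$(unit_name "$1")
  printf '[Unit]\nRequires=%s.socket\nAfter=%s.socket\n\n' "$name" "$name"
  printf '[Service]\nExecStart=/lib/systemd/systemd-socket-proxyd %s\n' "$2"
  printf 'PrivateTmp=true\n'
}

# Assumed mapping: SocksPorts and the socks socket go to Tor on the gateway,
# the control port and control socket go to the control port filter proxy
# (onion-grater) on the gateway.
for pair in 127.0.0.1:9150=9150 127.0.0.1:9151=9051 \
            /var/run/tor/socks=9050 /var/run/tor/control=9051; do
  listen=${pair%=*}
  port=${pair#*=}
  socket_unit "$listen"; printf '\n'
  service_unit "$listen" "$GATEWAY_IP:$port"; printf '\n'
done
```

Each pair printed by the script is meant to be saved as {{Code|NAME.socket}} and {{Code|NAME.service}} under {{Code|/etc/systemd/system/}}, after which only the .socket unit needs to be enabled.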
== Tor state file creation ==
All required state files which Tor would normally create in {{Code|/var/run/tor}} and {{Code|/var/lib/tor}} are created by [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/state-files /usr/lib/anon-ws-disable-stacked-tor/state-files].
== bindp ==
TODO: describe
* bindp
* https://phabricator.whonix.org/T561
== socat ==
There are no socat redirections by default in {{project_name_short}}.
Advanced setups such as [https://www.getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html Monero CLI Wallet/Daemon Isolation with {{q_project_name_long}}] use things like {{Code|EXEC}}. From that example:
{{CodeSelect|code=
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
}}
systemd-socket-proxyd does not support {{Code|EXEC}}, hence socat is useful here.
= Limitations =
Not all applications with their own Tor integration have their internal Tor disabled.
* Applications installed from Debian package sources and manually installed applications have the "lowest risk" of Tor over Tor / "highest chance" of anon-ws-disable-stacked-tor being functional. If the application honors the common environment variable {{Code|TOR_SKIP_LAUNCH=1}}, there should be no issue.
* Applications shipped through Flatpak: there is currently no technical approach by which anon-ws-disable-stacked-tor could disable an application's internal Tor inside the Flatpak chroot. This matters for example for [[OnionShare]] if installed from Flatpak, see [[Dev/OnionShare]].
* Applications shipped through AppImages: same as above.
= Debugging =
Run.
{{CodeSelect|code=
echo "$TOR_SOCKS_IPC_PATH"
}}
Should show the following.
/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
----
Run.
{{CodeSelect|code=
echo "$TOR_CONTROL_IPC_PATH"
}}
Should show the following.
/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
Also please run.
{{CodeSelect|code=
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9150
}}
Should show the following.
Tor is not an HTTP Proxy Tor is not an HTTP Proxy
It appears you have configured your web browser to use Tor as an HTTP proxy. This is not correct: Tor is a SOCKS proxy, not an HTTP proxy. Please configure your client accordingly.
See https://www.torproject.org/documentation.html for more information.
Run a similar command.
{{CodeSelect|code=
echo GET {{!}} socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
}}
Should show the same as above.
----
Next one to try.
{{CodeSelect|code=
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9151
}}
Should show the following.
510 Request filtered
...
Run a similar command.
{{CodeSelect|code=
echo GET {{!}} socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
}}
Should show.
510 Request filtered
= Debugging with curl =
Trying to use {{Code|curl}} rather than {{Code|curl.anondist-orig}} is a common mistake when debugging {{project_name_short}} network issues. {{Code|curl}} is a symlink to {{Code|curl.anondist-orig}}. In turn, this symlinks to {{Code|uwtwrapper}}, which runs {{Code|curl}} under {{Code|torsocks}}. {{Code|torsocks}} then forces Tor to run on {{Code|localhost}} for stream isolation.
* The {{Code|uwt}} stream isolation wrapper must be circumvented or disabled.
* The command must be run under user {{Code|clearnet}} in {{project_name_gateway_short}} or {{project_name_gateway_vm}} [[Qubes|{{q_project_name_short}}]].
'''1.''' Switch to user {{Code|clearnet}}.
{{CodeSelect|code=
sudo -su clearnet
}}
'''2.''' Circumvent the {{Code|uwt}} stream isolation wrapper by appending {{Code|.anondist-orig}} to {{Code|curl}}.
{{CodeSelect|code=
curl.anondist-orig
}}
In the following examples, the {{Code|exec}} calls from the command output show the difference between running {{Code|curl}} with the {{Code|uwtwrapper}} enabled and disabled.
'''Example 1''': {{Code|curl}} is run with the {{Code|uwtwrapper}} enabled.
{{CodeSelect|code=
uwtwrapper_verbose=1 curl
}}
This results in the following {{Code|exec}} calls. Only the latest (most recent) call matters, which shows {{Code|torsocks}} is prepended before running {{Code|curl}}.
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig
exec torsocks /usr/lib/uwtexec something
'''Example 2''': {{Code|curl}} is run with the {{Code|uwtwrapper}} disabled.
{{CodeSelect|code=
uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl
}}
This command results in the following {{Code|exec}} calls, which show {{Code|torsocks}} does not get prepended before {{Code|curl}}. Since {{Code|curl}} does not run under {{Code|torsocks}}, local connections are not hindered and there is no stream isolation.
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig
exec /usr/lib/uwtexec
'''The output from the previous commands establishes the following.'''
* {{Code|/usr/bin/curl}} is symbolically linked to {{Code|/usr/bin/curl.anondist-orig}}. This demonstrates {{Code|/usr/bin/curl.anondist-orig}} is the actual (real) {{Code|curl}} binary.
* When {{Code|/usr/bin/curl.anondist-orig}} is run with the {{Code|uwtwrapper}} disabled, all {{Code|uwt}} logic is circumvented.
Users can either circumvent the {{Code|uwt}} stream isolation wrapper or disable it, either permanently or temporarily.
Links:
* [[Stream_Isolation|Stream Isolation]]
* [[Stream_Isolation/Disable_Easy|Stream Isolation/Disable Easy]]
= Application Developers =
* [[Dev/Project_friendly_applications_best_practices|{{project_name_short}} friendly applications best practices]]
* [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/Tor_friendly_applications_best_practices Tor friendly applications best practices]
= See Also =
* [[Redirect Whonix-Workstation Ports or Unix Domain Socket Files to Whonix-Gateway]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Design]]