{{Header}} {{#seo: |description=Only one machine. Either a real or virtual machine (VM). All traffic is routed through Tor. An Anonymizing Transparent Proxy. }} {{title|title= UniStation - A Tor TransparentProxy with only One Machine }} {{intro| Only one machine. Either a real or virtual machine (VM). All traffic is routed through Tor. An Anonymizing Transparent Proxy. }} {{Testers-only}} {{Community Support}} = Introduction = [[About|{{project_name_long}}]] needs at least two systems. One running Tor, {{project_name_gateway_short}}. The other running clients that are routed through Tor, {{project_name_workstation_long}}. This ensures the highest possible security and isolation. We can implement this using different strategies: Two VMs (Gateway VM and Workstation VM) or bare metal. A different approach is to run Tor and applications all on the same machine. This can be either a VM or bare metal host. This site will guide you through all required steps to set up a UniStation. A machine which routes all traffic through the Tor anonymity network. This is an implementation of a [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy Tor TransparentProxy]. Advantages: * Only one machine required. * Lower system requirements. Disadvantages: * More difficult to install. * User might have to set the [[#interface|network interface setting]]. * If using VMs: Guest VM can see MAC address of host? * Less secure than {{project_name_short}} with {{project_name_gateway_short}} and {{project_name_workstation_short}}. * This is not as well polished, developed and thought through as {{project_name_short}} yet. * Enhancements that come with {{project_name_workstation_short}} such as: ** [[Tor Browser]] ** [https://github.com/Whonix/anon-apps-config anon-apps-config] ** [https://www.kicksecure.com/wiki/Systemcheck systemcheck] ** [[Whonix Live]] ** [[kloak]] ** [https://github.com/Kicksecure/tirdad tirdad] ** [[AppArmor]] ** [[Anon Connection Wizard]] ** [[sdwdate-gui]] ** [https://github.com/Kicksecure/open-link-confirmation open-link-confirmation] ** [[Bridges]] usability, [[Documentation]] ** and maybe [https://github.com/Whonix others] * have not been considered yet. * This will potentially not be maintained as well as {{project_name_short}}. = Prerequisites = {{kicksecure_Prerequisites}} = Installation = == Packages == Install gnupg. <ref> Required for Debian netinst "minimal" (no default system tools). </ref> {{CodeSelect|code= sudo apt install gnupg }} {{Project-APT-Repository-Add}} {{Box|text= {{Install Package|package= usability-misc }} }} <ref> apt-get-noninteractive to avoid asking this question. <pre> Setting up anon-base-files (3:4.6-1) ... Configuration file '/etc/machine-id' ==> File on system created by you or by a script. ==> File also in package provided by package contributor. What would you like to do about it ? Your options are: Y or I : install the package contributor's version N or O : keep your currently-installed version D : show the differences between the versions Z : start a shell to examine the situation The default action is to keep your current version. *** machine-id (Y/I/N/O/D/Z) [default=N] ? i </pre> </ref> {{CodeSelect|code= sudo apt-get-noninteractive install --no-install-recommends kicksecure-cli whonix-firewall uwt anon-gw-anonymizer-config }} == Firewall Settings == Find out your network interface name. You can learn about what interfaces you have by running. {{CodeSelect|code= sudo ifconfig }} Edit <code>/etc/whonix_firewall.d/50_user.conf</code>. {{CodeSelect|code= sudoedit /etc/whonix_firewall.d/50_user.conf }} Paste. {{anchor|interface}} You might have to change <code>#EXT_IF="eth0"</code> by removing the hash <code>#</code> in front of it and by setting it to the name of your network interface such as <code>wlan0</code>. I.e. the full line might look like this: <code>EXT_IF="wlan0"</code> Include it with the to be pasted text below. <ref> VirtualBox: <code>EXT_IF="enp0s3"</code> </ref> {{CodeSelect|code= ## 0: disabled ## 1: enabled ## External interface ## defaults to: #EXT_IF="eth0" WORKSTATION_TRANSPARENT_TCP=0 WORKSTATION_TRANSPARENT_UDP=0 WORKSTATION_TRANSPARENT_DNS=0 WORKSTATION_ALLOW_SOCKSIFIED=0 CONTROL_PORT_FILTER_PROXY_ENABLE=0 GATEWAY_TRANSPARENT_TCP=1 GATEWAY_TRANSPARENT_UDP=0 GATEWAY_TRANSPARENT_DNS=1 GATEWAY_ALLOW_INCOMING_ICMP=0 }} If you want port 22 to open for incoming SSH, also paste: {{CodeSelect|code= GATEWAY_ALLOW_INCOMING_SSH=1 }} Save. == Qubes == Qubes only. Does not hurt otherwise. {{CodeSelect|code= sudo systemctl mask qubes-iptables }} Qubes Debian based VMs would require further <code>/etc/whonix_firewall.d/50_user.conf</code> modifications. See footnote. <ref> This was required in Qubes to make Whonix-Gateways Own Traffic Transparent Proxy work. In that case, append to <code>/etc/whonix_firewall.d/50_user.conf</code>. {{CodeSelect|code= NON_TOR_GATEWAY="\ 127.0.0.0-127.0.0.24 \ 10.137.0.0-10.138.255.255 \ " }} </ref> == torsocks == torsocks config not required. uwt sets that up for us. * https://github.com/Whonix/uwt * https://github.com/Whonix/uwt/blob/master/etc/tor/torsocks.conf.anondist == Tor Configuration == Open Tor configuration file <code>/etc/tor/torrc</code> with root rights. {{CodeSelect|code= sudoedit /etc/tor/torrc }} Paste. <ref> <code>DisableNetwork 0</code> is required to make sdwdate work because the connectivity check locks at it. </ref> {{CodeSelect|code= TransPort 127.0.0.1:9041 DnsPort 127.0.0.1:5400 DisableNetwork 0 }} Save. Restart Tor. {{CodeSelect|code= sudo systemctl restart tor }} == APT == Check if there is something you need in <code>/etc/apt/sources.list</code>. Move original <code>/etc/apt/sources.list</code> out of the way because <code>/etc/apt/sources.list.d/debian.list</code> by {{kicksecure}} replaces it. {{CodeSelect|code= sudo mv /etc/apt/sources.list ~/ }} == Reboot == Reboot required. {{CodeSelect|code= sudo reboot }} = Usage = == check sdwdate == {{CodeSelect|code= sudo systemctl status sdwdate --no-pager }} == Updates == Update as per usual. See also [[Operating System Software and Updates]]. Thanks to [https://github.com/Whonix/uwt uwt] it is [[Stream Isolation|stream isolated]] (using Tor <code>SocksPort</code>). No need to use <code>torsocks</code>. <code>uwt</code> uses <code>torsocks</code> which is configued to use <code>IsolatePID 1</code>. {{CodeSelect|code= sudo apt update }} == Transparent DNS Functional == {{CodeSelect|code= nslookup torproject.org }} <pre> Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: Name: torproject.org Address: 95.216.163.36 ** server can't find torproject.org: NXDOMAIN </pre> == Transparent DNS Functional == {{CodeSelect|code= cd /tmp }} {{CodeSelect|code= wget.anondist-orig torproject.org }} <pre> --2019-12-10 12:25:43-- http://torproject.org/ Resolving torproject.org (torproject.org)... 95.216.163.36 Connecting to torproject.org (torproject.org)|95.216.163.36|:80... connected. HTTP request sent, awaiting response... 302 Found Location: https://www.torproject.org/ [following] --2019-12-10 12:25:45-- https://www.torproject.org/ Resolving www.torproject.org (www.torproject.org)... 116.202.120.165 Connecting to www.torproject.org (www.torproject.org)|116.202.120.165|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 19623 (19K) [text/html] Saving to: ‘index.html’ index.html 100%[===========================================>] 19.16K 62.3KB/s in 0.3s 2019-12-10 12:25:47 (62.3 KB/s) - ‘index.html’ saved [19623/19623] </pre> = Troubleshooting = Depending on network configuration perhaps <code>/etc/whonix_firewall.d/50_user.conf</code> need to be appended. {{CodeSelect|code= NON_TOR_GATEWAY="\ 127.0.0.0-127.0.0.24 \ 10.137.0.0-10.138.255.255 \ " }} = Forum Discussion = https://forums.whonix.org/t/debian-onevm-anononevm-non-self-contained-host-depending-onevm-unistation-a-tor-transparentproxy-with-only-one-machine/5470 = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]