= Whonix-Gateway =
== anon-gw-anonymizer-config ==
* https://github.com/Whonix/anon-gw-anonymizer-config
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/debian/control debian/control]
=== Tor Configuration and Tweaks for Anonymity Distributions ===
Tor config file with distribution defaults (for stream isolation, etc.),
example user configurations and other tweaks required. The Tor binary
itself does not get modified.
Deactivates IPv4 forwarding using /etc/sysctl.d/
IPv4 forwarding is not required for a Tor based Anonymity Distribution
Gateways. Deactivating it as defense in depth to prevent leaks.
Deactivates IPv6 using /etc/sysctl.d/
There are no IPv6 Anonymity Distribution Gateways featuring an IPv6 firewall
yet. Therefore deactivating it to prevent leaks.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /etc/torrc.d/60_network.conf ===
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/torrc.d/60_network.conf /etc/torrc.d/60_network.conf]
* gateway only
Update: Tor is enabled by default nowadays.
https://forums.whonix.org/t/connect-to-public-tor-network-by-default-avoid-anon-connection-wizard-acw-popup-at-first-boot/17848
Tor is disabled by default.
Users are supposed to enable Tor through setup-dist which would
create file /usr/local/etc/torrc.d/40_tor_control_panel.conf with
"DisableNetwork 0" or by removing the hash ('#') in front of
"DisableNetwork 0" in /usr/local/etc/torrc.d/40_tor_control_panel.conf
* #DisableNetwork 1
* DormantTimeoutEnabled 0
* VirtualAddrNetworkIPv4 10.192.0.0/10
* VirtualAddrNetworkIPv6 [fc00::]/7
* AutomapHostsOnResolve 1
* ClientUseIPv6 1
* ClientUseIPv4 1
* Log notice file /run/tor/log
=== /etc/torrc.d/65_gateway.conf ===
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/torrc.d/65_gateway.conf /etc/torrc.d/65_gateway.conf]
* gateway only
Tor settings for Gateway: `ClientOnionAuthDir`, `SocksPort`s, `TransPort`,
`DnsPort`, `HTTPTunnelPort`s and stream isolation settings.
=== /usr/share/tor/tor-service-defaults-torrc.anondist.base ===
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist.base /usr/share/tor/tor-service-defaults-torrc.anondist.base]
* gateway only
Tor settings for Workstation and Gateway: `SocksPort`s, `TransPort`,
`DnsPort`, `HTTPTunnelPort`s and stream isolation settings.
IP HARDCODED unfortunately.
== whonix-gw-network-conf ==
* https://github.com/Whonix/whonix-gw-network-conf
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/debian/control debian/control]
=== Network Configuration for Whonix-Gateway ===
Includes etc/network/interfaces.d/30_non-qubes-whonix for
Non-Qubes-Whonix-Gateway.
Sets up two network interfaces, an external one eth0 and an internal one eth1.
Provides /usr/share/whonix-gw-network-conf/network_internal_ip.txt.
DNS configuration Anonymity Linux Distribution Gateways
* Pointing /etc/resolv.conf to 127.0.0.1.
* Whether a Anonymity Linux Distribution Gateway supports system DNS for its
own traffic in the clear or anonymized mainly depends on the Gateway's
firewall.
* Routing the workstation's system DNS through the anonymizer (also known as
Transparent DNS Proxy) or not is up to the Gateway's firewall as well.
=== /etc/resolv.conf.whonix ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/etc/resolv.conf.whonix /etc/resolv.conf.whonix]
* gateway only
No DNS configuration.
Only comments.
Whonix-Gateway by default does not have system default DNS.
See https://www.whonix.org/wiki/Whonix-Gateway_Own_Traffic_Transparent_Proxy
and footnotes.
=== /etc/network/interfaces.d/30_non-qubes-whonix ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix /etc/network/interfaces.d/30_non-qubes-whonix]
* gateway only
* Non-Qubes-Whonix only
network interfaces configuration eth0 (external network interface) and eth1 (internal network interface)
static network configuration
IP HARDCODED below but comment only. No need to change.
eth0
* #address 10.0.2.15
* #netmask 255.255.255.0
* #gateway 10.0.2.2
eth1
* #address 10.152.152.10
* #netmask 255.255.192.0
=== /debian/whonix-gw-network-conf.links ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/debian/whonix-gw-network-conf.links /debian/whonix-gw-network-conf.links]
* gateway only
* Non-Qubes-Whonix only
Disable Predictable Network Interface Names as these are problematic.
https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4
Disabling them as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* /dev/null /etc/systemd/network/99-default.link
=== /debian/whonix-gw-network-conf.triggers ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/debian/whonix-gw-network-conf.triggers /debian/whonix-gw-network-conf.triggers]
* gateway only
* Non-Qubes-Whonix only
Required for /etc/systemd/network/99-default.link to take effect as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* activate-noawait update-initramfs
=== /usr/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/usr/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf /usr/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf]
* gateway only
* Non-Qubes-Whonix only
onion-grater systemd unit file extension
Run /usr/lib/onion-grater-merger as root to avoid permission
conflicts.
ExecStartPre=+/usr/lib/onion-grater-merger
Reconfigure onion-grater to listen on network interface
eth1.
= Whonix-Workstation =
== anon-apps-config ==
* https://github.com/Whonix/anon-apps-config
* [https://github.com/Whonix/anon-apps-config/blob/master/debian/control debian/control]
=== anonymity, privacy and security settings pre-configuration ===
Most settings take effect for newly created user account onlys, and not
for existing user accounts.
Sets timezone to UTC.
Enables Menubar in Dolphin by default.
gnupg configuration for Anonymity Distributions:
* Sets `use-tor` in `/etc/skel/.gnupg/dirmngr.conf`.
* Ships Thunderbird torbirdy configuration file
`/etc/thunderbird/pref/30_whonix.js` that allows torified keyserver access.
* Deactivates KGpg's first run wizard. Disables tip of the day.
Disables KGpg's systray. Disables key server. Reference:
"High-risk users should stop using the keyserver network immediately."
Double click instead of single click in KDE.
Deactivates maximize windows when moved to the top.
In context of anonymity it might be better not to maximize the browser window
(https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/7255).
To prevent users from accidentally maximizing their browser window, it is
better when KDE's feature to maximize windows when moved to the top is
disabled.
Deactivates KDE's system sounds.
Disables KDE graphics effects. Disables some background processes.
Stream Isolation (proxy) settings for KDE apps for Anonymity Distributions
Configures global proxy settings, which acts as a fallback if no other proxy
settings are set, for KDE applications to socks 10.152.152.10:9122.
IP HARDCODED above but no need to change since it is description only.
Otherwise unconfigured KDE applications would use no proxy settings
(Transparent Proxying) if the anonymity distribution features a transparent
proxy.
Useful to improve stream isolation.
On the other hand, anonymity distributions not featuring transparent proxying
should probably not install this package by default, because then unconfigured
KDE applications should by default not be able to connect.
Sets Unlimited Scrollback in Konsole.
Disables klipper clipboard history.
Deactivates automatic updates for Package Manager APT and Apper
Useful in context of networks with limited traffic quota, slow networks and
anonymity distributions.
In latter case, the default automatic updates interval would be too
predictable (expectable amount of traffic every X), thus eventually be
vulnerable for traffic fingerprinting.
Disabling Apper automatic updates only takes effect for newly created user
accounts. Not for existing user accounts. This is most useful to help Linux
distribution maintainers setting divergent defaults.
Longer Timeouts for Package Manager APT
Raising timeout and retries using configuration snippet. Useful in context of
slow networks and anonymity distributions.
Ships a configuration file /etc/apt/apt.conf.d/90longer-timeouts to configure
apt-get.
Ships a configuration file /etc/skel/.config/vlc/vlcrc to configure VLC to not
ask for network policy at start.
https://forums.whonix.org/t/disable-vlc-metadata-collection-by-default/18674
Disabled gajim update manager by default for better security since it does not
verify software signatures by hiding file
/usr/share/gajim/plugins/plugin_installer/__init__.py using
'config-package-dev' 'hide'.
Disables systemd-resolved during boot unless file /etc/dns-enable exists.
Disables systemd-resolved fallback DNS (which by default is set to Google).
Removes capabilities from `/bin/ping` if
[security-misc](https://github.com/Kicksecure/security-misc) is
installed as ping doesn't work with Tor anyway and its capabilities are just
unneeded attack surface.
Create a dummy Tor binary '/home/user/.local/share/Bisq/btc_mainnet/tor/tor'
to avoid Tor over Tor.
Improves HexChat Privacy Settings
* As per:
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/XChat
* Moves the following files:
- `/usr/lib/xchat/plugins/python.so`
- `/usr/lib/xchat/plugins/tcl.so`
- `/usr/lib/xchat/plugins/perl.so`
to `/usr/share/anon-apps-config`, so these plugins get disabled by
default.
Due to technical limitations some settings only take effect for applications
being started for the very first time, i.e. when the user config of that
application in the user's home folder does not exist yet. Works best for new
user accounts.
This package is most useful to help Linux distribution maintainers setting
divergent defaults.
=== /etc/apt/apt.conf.d/90longer-timeouts ===
* [https://github.com/Whonix/anon-apps-config/blob/master/etc/apt/apt.conf.d/90longer-timeouts /etc/apt/apt.conf.d/90longer-timeouts]
longer APT timeouts and more retires
=== /etc/skel/.xchat2/xchat.conf ===
* [https://github.com/Whonix/anon-apps-config/blob/master/etc/skel/.xchat2/xchat.conf /etc/skel/.xchat2/xchat.conf]
settings.
=== /etc/skel/.config/hexchat/hexchat.conf ===
* [https://github.com/Whonix/anon-apps-config/blob/master/etc/skel/.config/hexchat/hexchat.conf /etc/skel/.config/hexchat/hexchat.conf]
settings.
=== /usr/lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf /usr/lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf]
Disable systemd-resolved unless file
/etc/dns-enable exists.
=== /usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf /usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf]
do not default to using Google nameservers
https://forums.whonix.org/t/test-if-systemd-fallbackdns-is-really-disabled/18641
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658#216
https://www.freedesktop.org/software/systemd/man/latest/systemd-resolved.service.html
https://forums.whonix.org/t/os-generated-network-traffic/5084
* [Resolve]
* FallbackDNS=
=== /usr/share/anon-apps-config/ksmserverrc ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/share/anon-apps-config/ksmserverrc /usr/share/anon-apps-config/ksmserverrc]
disable session saving
https://forums.whonix.org/t/kdesudo-error-popup-window-sdwdate-gui/5642
* loginMode=default
=== /usr/share/anon-apps-config/kioslaverc ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/share/anon-apps-config/kioslaverc /usr/share/anon-apps-config/kioslaverc]
KDE stream isolation settings.
* [Proxy Settings]
* NoProxyFor=127.0.0.1
* ProxyType=1
* ReversedException=false
IP HARDCODED
* socksProxy=http://10.152.152.10 9122
== anon-ws-disable-stacked-tor ==
* https://github.com/Whonix/anon-ws-disable-stacked-tor
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/debian/control debian/control]
=== Prevents Tor over Tor in Anonymity Distribution Workstations ===
Supposed to be installed on Workstations, which prevents installing the real
Tor package from upstream (ex: Debian, The Tor Project) APT repositories. Its
purpose is to prevent, running Tor over Tor.
It allows installation of packages, which depend on Tor, such as TorChat,
parcimonie and torbrowser-launcher.
This package uses the "Provides: tor" field[1], which should avoid any kinds of
conflicts, in case upstream releases a higher version of Tor. This won't work
for packages, which depend on an explicit version of Tor (such as TorChat).
This is non-ideal, since for example the torchat package will install Tor, but
still acceptable, because of the following additional implementations.
Binaries eventually installed (by the tor Debian package) /usr/bin/tor as well
as /usr/sbin/tor are replaced with a dummy wrapper that does nothing
(dpkg-diverted using config-package-dev).
systemd-socket-proxyd listens on Tor's default ports. system Tor's
127.0.0.1:9050, 127.0.0.1:9051 and TBB's 127.0.0.1:9150, 127.0.0.1:9051,
which prevents the
default Tor Browser Bundle or Tor package by The Tor Project from opening
these default ports, which will result in Tor failing to open its listening
port and therefore exiting, thus preventing Tor over Tor.
See also:
* https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor
* https://tor.stackexchange.com/questions/427/is-running-tor-over-tor-dangerous
[1] See "7.5 Virtual packages - Provides" on
https://www.debian.org/doc/debian-policy/ch-relationships.html
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf /etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf]
* workstation only
systemd-unit-files-generator and socat-unix-sockets configuration examples.
=== /etc/rsyslog.d/anon-ws-disable-stacked-tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/rsyslog.d/anon-ws-disable-stacked-tor.conf /etc/rsyslog.d/anon-ws-disable-stacked-tor.conf]
* workstation only
rsyslog configuration drop-in snippet
No longer required since no longer using rinetd.
Workaround for:
'rinetd fills up the logs until disk is full up if it cannot bind'
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796235
* :msg, contains, "accept(0): Socket operation on non-socket" stop
=== /etc/profile.d/20_torbrowser.sh ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/profile.d/20_torbrowser.sh /etc/profile.d/20_torbrowser.sh]
* workstation only
/etc/profile.d hook to source
/usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh
=== /debian/anon-ws-disable-stacked-tor.displace ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/debian/anon-ws-disable-stacked-tor.displace /debian/anon-ws-disable-stacked-tor.displace]
* workstation only
config-package-dev displace the following files:
* /etc/default/tor.anondist
* /usr/bin/tor.anondist
* /usr/sbin/tor.anondist
=== /debian/anon-ws-disable-stacked-tor.postinst ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/debian/anon-ws-disable-stacked-tor.postinst /debian/anon-ws-disable-stacked-tor.postinst]
* workstation only
/etc/X11/Xsession.d/ hook to source
/usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh
Add account "user" to the group "debian-tor", so account "user" can access Tor's control port.
Account "user" already exists thanks to the dist-base-files package.
* adduser --quiet user debian-tor
=== /usr/libexec/anon-ws-disable-stacked-tor/state-files ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/state-files /usr/libexec/anon-ws-disable-stacked-tor/state-files]
* workstation only
Emulates Tor by copying and chmodding the correct state files such as
/run/tor/control.authcookie.
=== /usr/libexec/anon-ws-disable-stacked-tor/socat-unix-sockets ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/socat-unix-sockets /usr/libexec/anon-ws-disable-stacked-tor/socat-unix-sockets]
* workstation only
socat-unix-sockets starter.
=== /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh /usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh]
* workstation only
Environment variables for Tor Browser integration.
Prevents Tor over Tor.
Deactivate tor-launcher,
a Vidalia replacement as browser extension,
to prevent running Tor over Tor.
https://gitlab.torproject.org/tpo/applications/tor-launcher/-/issues/6009
https://gitlab.torproject.org/tpo/applications/tor-launcher.git
* export TOR_SKIP_LAUNCH=1
tor-launcher is deactivated above but the following is required to avoid
"Firefox is offline" messages in Tor Browser 10.5a17 and above.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27476
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40455
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40433
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/34345
* export TOR_USE_LEGACY_LAUNCHER=1
The following TOR_SOCKS_HOST and TOR_SOCKS_PORT variables
do not work flawlessly, due to an upstream bug in Tor Button:
"TOR_SOCKS_HOST, TOR_SOCKS_PORT regression"
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/8336
(As an alternative,
/home/user/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js
could be used.)
Fortunately, this is not required for Whonix by default anymore,
because systemd-socket-proxyd is configured to redirect
Whonix-Workstation ports
IP HARDCODED but no need to change since comment only.
127.0.0.1:9050 to Whonix-Gateway 10.152.152.10:9050
127.0.0.1:9051 to Whonix-Gateway 10.152.152.10:9051
127.0.0.1:9150 to Whonix-Gateway 10.152.152.10:9150
127.0.0.1:9151 to Whonix-Gateway 10.152.152.10:9151
* #export TOR_SOCKS_HOST="10.152.152.10"
* #export TOR_SOCKS_PORT="9150"
* #export TOR_CONTROL_HOST="127.0.0.1"
* #export TOR_CONTROL_PORT="9151"
this is to satisfy Tor Button just filled up with anything
* #export TOR_CONTROL_PASSWD='"password"'
We are not using TOR_TRANSPROXY=1 because that would break Tor Browser's
per tab stream isolation. (Tor Browser talks to a Tor SocksPort and sets a
socks user name and Tor is using IsolateSOCKSAuth by Tor default.)
* #export TOR_TRANSPROXY=1
Environment variable to configure Tor Browser to use a pre existing unix
domain socket file instead of creating its own one to avoid Tor over Tor and
to keep it being able to connect.
systemd-socket-proxyd is being used for creation of unix domain socket file
/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock and forwarding it to
to Whonix-Gateway port 9150.
https://forums.whonix.org/t/tbbs-use-of-sockssocket-will-break-whonixs-tor-browser-implementation/19207
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20111#note_2633535
TODO: IPv6 - Networking and IPv6 might not be available when this runs.
TODO: IPv6 - Needs testing.
* # if [[ "$(ip -o addr show scope global | awk '{print $3}')" =~ inet6 ]]; then
* # export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/::1_9150.sock"
* # export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/::1_9151.sock"
* # else
* # export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
* # export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"
* # fi
Using simpler, known stable implementation.
TODO: Remove this if implementing the above.
* export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
* export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"
environment variable to skip TorButton control port verification
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13079
* export TOR_SKIP_CONTROLPORTTEST=1
Environment variable to disable the "TorButton" ->
"Open Network Settings..." menu item. It is not useful and confusing to have
on a workstation, because Tor must be configured on the Whonix-Gateway, which is
for security reasons forbidden from the Whonix-Gateway.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/14100
https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Open_Network_Settings
* export TOR_NO_DISPLAY_NETWORK_SETTINGS=1
=== /usr/libexec/anon-ws-disable-stacked-tor/systemd-unit-files-generator ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/systemd-unit-files-generator /usr/libexec/anon-ws-disable-stacked-tor/systemd-unit-files-generator]
* workstation only
Generates systemd unit files in
/usr/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_* which
listen on common local ports used by popular Tor applications such as Tor
Browser.
Redirect Whonix-Workstation port 9050 to Whonix-Gateway port
9050 and so forth.
Create a unix domain socket files such as
/run/anon-ws-disable-stacked-tor/127.0.0.1_9050.sock and forward those
to $GATEWAY_IP:9150 etc. See also:
https://forums.whonix.org/t/tbbs-use-of-sockssocket-will-break-whonixs-tor-browser-implementation/19207
system Tor default SocksSocket is /run/tor/socks
redirect Whonix-Workstation unix domain socket file /run/tor/socks to Whonix-Gateway port 9050
Debian /usr/share/tor/tor-service-defaults-torrc uses '/run/tor/control' Tor ControlSocket
Redirect Whonix-Workstation unix domain socket file /run/tor/control to Whonix-Gateway port 9051
=== /usr/bin/tor.anondist ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/bin/tor.anondist /usr/bin/tor.anondist]
* workstation only
dummy Tor wrapper doing nothing but wait forever and
OnionShare support for configuration option "bundled Tor".
Bisq support.
=== /usr/sbin/tor.anondist ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/sbin/tor.anondist /usr/sbin/tor.anondist]
* workstation only
/usr/sbin/tor simply executes /usr/bin/tor.
=== /usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf /usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf]
* workstation only
Create folder /run/anon-ws-disable-stacked-tor.
* d /run/anon-ws-disable-stacked-tor 0775 root root -
* Z /run/anon-ws-disable-stacked-tor/* 0666 root root -
=== /usr/lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf /usr/lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf]
* workstation only
Make 'sudo service tor status' exit '0' for better compatibility.
* RemainAfterExit=yes
=== /usr/lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf /usr/lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf]
* workstation only
Qubes-Whonix:
Clear 'ConditionPathExists=' variables set by the qubes-whonix package,
which are useful on the gateway but not on the workstation.
In effect the dummy Tor service will run on Whonix-Workstation.
* ConditionPathExists=
=== /usr/lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf /usr/lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf]
* workstation only
Compatibility with system Tor package.
Overrides systemd unit file by system Tor package for compatibility so
the dummy Tor binary /usr/bin/tor gets load instead.
Makes all systemctl restart reload
status commands compatible with dummy Tor.
=== /usr/lib/systemd/system/anon-ws-disable-stacked-tor.service ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/anon-ws-disable-stacked-tor.service /usr/lib/systemd/system/anon-ws-disable-stacked-tor.service]
* workstation only
Runs /usr/libexec/anon-ws-disable-stacked-tor/state-files and
/usr/libexec/anon-ws-disable-stacked-tor/socat-unix-sockets.
== bindp ==
* https://github.com/Kicksecure/bindp
* [https://github.com/Kicksecure/bindp/blob/master/debian/control debian/control]
=== Binding specific IP and Port for Linux Running Application ===
This package is probably most useful for Anonymity Distributions.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /debian/bindp.postinst ===
* [https://github.com/Kicksecure/bindp/blob/master/debian/bindp.postinst /debian/bindp.postinst]
* workstation only
Compiles /usr/lib/bindp.c to /usr/lib/libindp.so
during package installation using gcc.
== whonix-ws-network-conf ==
* https://github.com/Whonix/whonix-ws-network-conf
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/debian/control debian/control]
=== Network Configuration for Whonix-Workstation ===
Includes /etc/network/interfaces for Whonix-Workstation.
Sets up an internal network interface eth0.
DNS configuration Anonymity Linux Distribution Workstations
Whether a Anonymity Linux Distribution Gateway supports anonymized system DNS
for Workstation's traffic (also known as Transparent DNS Proxy) mainly depends
on the Gateway's firewall.
This package is simply installing /etc/resolv.conf which points to
10.152.152.10, where an Anon-Gateway is supposed to provide a DnsPort on port
53. IP HARDCODED but no need to change because only description.
Currently relevant for Non-Qubes-Whonix only.
=== /etc/resolv.conf.whonix ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/etc/resolv.conf.whonix /etc/resolv.conf.whonix]
set nameserver 10.152.152.10
This works different in Qubes-Whonix.
=== /etc/network/interfaces.d/30_non-qubes-whonix ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix /etc/network/interfaces.d/30_non-qubes-whonix]
* workstation only
* Non-Qubes-Whonix only
network interfaces configuration eth0 to communicate with Whonix-Gateway
static network configuration
IP HARDCODED but not need to change since only comment.
* #address 10.152.152.11
* #netmask 255.255.192.0
* #gateway 10.152.152.10
=== /debian/whonix-ws-network-conf.triggers ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/debian/whonix-ws-network-conf.triggers /debian/whonix-ws-network-conf.triggers]
* workstation only
* Non-Qubes-Whonix only
Required for /etc/systemd/network/99-default.link to take effect as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* activate-noawait update-initramfs
=== /debian/whonix-ws-network-conf.links ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/debian/whonix-ws-network-conf.links /debian/whonix-ws-network-conf.links]
* workstation only
* Non-Qubes-Whonix only
Disable Predictable Network Interface Names as these are problematic.
https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4
Disabling them as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* /dev/null /etc/systemd/network/99-default.link
= Shared by Whonix-Gateway and Whonix-Workstation =
== anon-apt-sources-list ==
* https://github.com/Kicksecure/anon-apt-sources-list
* [https://github.com/Kicksecure/anon-apt-sources-list/blob/master/debian/control debian/control]
=== Kicksecure APT and Flatpak Repository Configuration ===
Configuring APT and Flatpak sources:
- Includes Debian APT repositories (main, updates, backports, fasttrack,
security)
- Incorporates Debian APT components (main, contrib, non-free,
non-free-firmware)
- Integrates the Flathub repository (verified and floss subsets only)
Flatpak:
- Official Flathub repository only.
- Uses subset verified_floss, which means only verified applications and
freedom software can be installed by default.
Provides configuration files:
- /etc/apt/sources.list.d/debian.sources for APT sources
- /etc/flatpak/remotes.d/flathub.flatpakrepo for Flatpak sources
A Discussion on Distribution Maintenance Strategies:
The more standard
way would indeed be populating /etc/apt/sources.list at install or build time
and leaving /etc/apt/sources.list.d alone.
The idea of managing
/etc/apt/sources.list.d/debian.sources for the user is, the security-focused
distribution maintainers can decide when it is a better "change stable to
oldstable", "keep wheezy as long as needed to work out [eventual!] issues
that would break during upgrade to jessie" and such.
=== /etc/apt/sources.list.d/debian.sources ===
* [https://github.com/Kicksecure/anon-apt-sources-list/blob/master/etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.d/debian.sources]
Debian APT repository sources
Configured to use tor+https.
Technical notes:
- Why are sources (deb-src) disabled by default?
Because those are not required by most users, to save time while
running sudo apt update.
- See also: https://www.debian.org/security/
- See also: /etc/apt/sources.list.d/
- Same format as https://onion.debian.org
- https://fasttrack.debian.net/
== anon-shared-build-apt-sources-tpo ==
* https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo
* [https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo/blob/master/debian/control debian/control]
=== Adds TPO's APT repository to Derivative Linux Distributions ===
Comes with "deb http://deb.torproject.org/torproject.org stable main", The Tor
Project's APT signing key.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /etc/apt/sources.list.d/torproject.sources ===
* [https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo/blob/master/etc/apt/sources.list.d/torproject.sources /etc/apt/sources.list.d/torproject.sources]
* Not installed by default.
Tor Project APT repository sources file
== qubes-whonix ==
* https://github.com/Whonix/qubes-whonix
* [https://github.com/Whonix/qubes-whonix/blob/master/debian/control debian/control]
=== Qubes Configuration for Whonix-Gateway and Whonix-Workstation ===
This package contains all the scripts and configuration options to be able
to run Whonix-Gateway and Whonix-Workstation within a Qubes environment.
Whonix-Gateway should run as a ProxyVM.
Whonix-Workstation should run as an AppVM.
Template updates over Tor.
=== /etc/uwt.d/40_qubes.conf ===
* [https://github.com/Whonix/qubes-whonix/blob/master/etc/uwt.d/40_qubes.conf /etc/uwt.d/40_qubes.conf]
* Qubes-Whonix only
uwt Qubes-Whonix Integration
Runs only inside Qubes TemplateVM.
This configuration snippets configures [[#uwt|uwt]] to wait before running
apt until status file
/run/updatesproxycheck/whonix-secure-proxy or
status file
/run/updatesproxycheck/whonix-secure-proxy-check-done
exists. It will timeout after 120 seconds.
This is to determine if torified Qubes updates proxy was detected.
If torified Qubes updates proxy detection fails, it will prevent running
apt and show the following warning.
WARNING: Execution of apt prevented by @file_name@ because no torified Qubes updates proxy found.
If torified Qubes updates proxy detection succeeds, it will
disable apt uwtwrapper.
In other words, run apt normally. Run apt without torsocks.
Because apt config file.
/etc/apt/apt.conf.d/01qubes-proxy will already have http proxy
settings for qrexec based Qubes updates proxy.
Acquire::http::Proxy "http://127.0.0.1:8082/";
=== /etc/qubes/protected-files.d/qubes-whonix.conf ===
* [https://github.com/Whonix/qubes-whonix/blob/master/etc/qubes/protected-files.d/qubes-whonix.conf /etc/qubes/protected-files.d/qubes-whonix.conf]
* Qubes-Whonix only
Configure Qubes to not modify files shipped by Whonix:
* /etc/localtime
* /etc/timezone
* /etc/resolv.conf
== ro-mode-init ==
* https://github.com/Kicksecure/ro-mode-init
* [https://github.com/Kicksecure/ro-mode-init/blob/master/debian/control debian/control]
=== Detects read-only disks and automatically enables live-boot ===
Allows booting the system in live mode. Meaning, no persistent modifications
will be written to the disk. All changes stay in RAM.
No claims are made with regard to anti forensics.
=== /debian/ro-mode-init.triggers ===
* [https://github.com/Kicksecure/ro-mode-init/blob/master/debian/ro-mode-init.triggers /debian/ro-mode-init.triggers]
* workstation only
* Non-Qubes-Whonix only
Make changes by ro-mode-init take effect.
* activate-noawait update-initramfs
== sdwdate ==
* https://github.com/Kicksecure/sdwdate
* [https://github.com/Kicksecure/sdwdate/blob/master/debian/control debian/control]
=== Secure Distributed Network Time Synchronization ===
Time keeping is crucial for security, privacy, and anonymity. Sdwdate is a Tor
friendly replacement for rdate and ntpdate that sets the system's clock by
communicating via onion encrypted TCP with Tor onion webservers.
At randomized intervals, sdwdate connects to a variety of webservers and
extracts the time stamps from http headers (RFC 2616).
Using sclockadj option, time is gradually adjusted preventing bigger clock
jumps that could confuse logs, servers, Tor, i2p, etc.
This package contains the sdwdate time fetcher and daemon. No
installation on remote servers required. To avoid conflicts, this daemon
should not be enabled together with ntp or tlsdated.
=== /etc/qubes/suspend-pre.d/30_sdwdate.sh ===
* [https://github.com/Kicksecure/sdwdate/blob/master/etc/qubes/suspend-pre.d/30_sdwdate.sh /etc/qubes/suspend-pre.d/30_sdwdate.sh]
hook to run /usr/libexec/sdwdate/suspend-pre
in Qubes-Whonix.
=== /etc/qubes/suspend-post.d/30_sdwdate.sh ===
* [https://github.com/Kicksecure/sdwdate/blob/master/etc/qubes/suspend-post.d/30_sdwdate.sh /etc/qubes/suspend-post.d/30_sdwdate.sh]
hook to run /usr/libexec/sdwdate/suspend-post
in Qubes-Whonix.
== uwt ==
* https://github.com/Whonix/uwt
* [https://github.com/Whonix/uwt/blob/master/debian/control debian/control]
=== Use Applications over Tor with Stream Isolation and Time Privacy ===
Can add "torsocks" and/or "timeprivacy" before invocation of applications when
configured to do so. For example, when simply typing "apt-get" instead of
"torsocks apt-get", "apt-get" can still be routed over Tor.
The uwt package comes with the following applications pre-configured to use
uwtwrapper, Tor and stream isolation:
- apt
- apt-file
- apt-get
- aptitude-curses
- curl
- git
- gpg
- gpg2
- mixmaster-update
- rawdog
- ssh
- wget
- yum
- yumdownloader
- wormhole
To circumvent a uwt wrapper on a by case base, you append ".anondist-real" to
the command, for example "apt-get.anondist-real". You can also deactivate
specific or all uwt wrappers by using the stackable .d-style configuration
folder /etc/uwt.d.
Uwt can only work only as good as torsocks. If torsocks is unable to route all
of an application's traffic over Tor, ex. if there is an leak, there will
also be one when using uwt. For that reason, it is recommended to use
Anonymity Distributions, that prevent such leaks.
If an applications has native support for socks proxy settings, those should
be preferred over uwt. Also refer to the TorifyHOWTO and your distribution's
documentation.
Timeprivacy can keep your time private. You can create wrappers for
applications and timeprivacy will feed those applications with a fake time,
which obfuscates at which time you really used that applications (such as when
you made the git commit or when you signed that document). It does NOT set
your time zone to UTC.
This package is probably most useful for Anonymity Distributions.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /etc/uwt.d/30_uwt_default.conf ===
* [https://github.com/Whonix/uwt/blob/master/etc/uwt.d/30_uwt_default.conf /etc/uwt.d/30_uwt_default.conf]
uwt configuration
=== /etc/tor/torsocks.conf.anondist ===
* [https://github.com/Whonix/uwt/blob/master/etc/tor/torsocks.conf.anondist /etc/tor/torsocks.conf.anondist]
torsocks configuration
* AllowInbound 1
* AllowOutboundLocalhost 1
* IsolatePID 1
=== /etc/sudoers.d/uwt ===
* [https://github.com/Whonix/uwt/blob/master/etc/sudoers.d/uwt /etc/sudoers.d/uwt]
Disable torsocks warning spam such as.
[May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165)
https://forums.whonix.org/t/disable-torsocks-warning-spam/19084
No longer required.
* #Defaults:ALL env_keep += "TORSOCKS_LOG_LEVEL"
=== /etc/profile.d/20_uwt.sh ===
* [https://github.com/Whonix/uwt/blob/master/etc/profile.d/20_uwt.sh /etc/profile.d/20_uwt.sh]
/etc/profile.d hook to source /usr/libexec/uwt/uwt.sh
=== /debian/uwt.displace ===
* [https://github.com/Whonix/uwt/blob/master/debian/uwt.displace /debian/uwt.displace]
replace the following files with the uwt version
Using config-package-dev displace.
/etc/tor/torsocks configuration file
* /etc/tor/torsocks.conf.anondist
Replace apt, wget, curl,
ssh, onionshare, ricochet,
wormhole with uwt wrapper which then calls
/usr/libexec/uwt/uwtwrapper.
* /usr/bin/apt.anondist
* /usr/bin/apt-file.anondist
* /usr/bin/apt-get.anondist
* /usr/bin/aptitude-curses.anondist
* /usr/bin/curl.anondist
* /usr/bin/git.anondist
* /usr/bin/gpg.anondist
* /usr/bin/gpg2.anondist
* /usr/bin/mixmaster-update.anondist
* /usr/bin/rawdog.anondist
* /usr/bin/ssh.anondist
* /usr/bin/wget.anondist
* /usr/bin/yum.anondist
* /usr/bin/yumdownloader.anondist
* /usr/bin/dnf-3.anondist
* /usr/bin/onionshare.anondist
* /usr/bin/onionshare-gui.anondist
* /usr/bin/ricochet.anondist
* /usr/bin/wormhole.anondist
=== /usr/libexec/uwt/uwtexec ===
* [https://github.com/Whonix/uwt/blob/master/usr/libexec/uwt/uwtexec /usr/libexec/uwt/uwtexec]
This script is used by uwtwrapper as a workaround to preserve the zeroth
argument when executing programs with other wrappers, such as faketime or torsocks.
=== /usr/libexec/uwt/uwtwrapper ===
* [https://github.com/Whonix/uwt/blob/master/usr/libexec/uwt/uwtwrapper /usr/libexec/uwt/uwtwrapper]
When running uwt-wrapped applications (such as apt,
wget, curl, onionshare, or others)
automatically prepend torsocks or bindp, i.e.
When, for example, apt or curl is executed, what
really happens is running torsocks apt or
torsocks curl.
uwtwrappers and /usr/libexec/uwt/uwtwrapper are hacks to socksify applications
that do
not support native SOCKS proxy settings. Used to implement Stream Isolation.
https://www.whonix.org/wiki/Stream_Isolation
In essence, uwtwrappers are installed so users can type commands like
apt-get normally while transparently injecting torsocks, thereby stream
isolating them.
To better understand how uwt wrappers function, you could, for example, open
/usr/bin/apt-get.anondist in an editor.
Also useful to run:
ls -la /usr/bin/apt-get*
You will see that /usr/bin/apt-get has been replaced with a symlink to
/usr/bin/apt-get.anondist. (This was done using config-package-dev.)
/usr/bin/apt-get.anondist is a uwt wrapper.
/usr/bin/apt-get.anondist-orig is the original apt-get binary.
bindp is used to make applications which listen on the internal
IP by default, such as onionshare (which is the right thing to
do outside of Whonix), listen on the external IP instead. See also:
* https://github.com/Kicksecure/bindp
* https://forums.whonix.org/t/find-way-to-have-tor-ephermal-hidden-service-using-applications-in-whonix-workstation-bind-on-all-interfaces/18846
=== /usr/libexec/uwt/uwt.sh ===
* [https://github.com/Whonix/uwt/blob/master/usr/libexec/uwt/uwt.sh /usr/libexec/uwt/uwt.sh]
Disable torsocks warning spam such as.
[May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165)
https://forums.whonix.org/t/disable-torsocks-warning-spam/19084
* export TORSOCKS_LOG_LEVEL=1
=== /usr/bin/uwt_settings_show ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/uwt_settings_show /usr/bin/uwt_settings_show]
* echo "uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:"
* echo "uwt INFO: https://www.whonix.org/wiki/Stream_Isolation/Easy"
=== /usr/bin/apt-get.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/apt-get.anondist /usr/bin/apt-get.anondist]
uwt wrapped application
=== /usr/bin/yumdownloader.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/yumdownloader.anondist /usr/bin/yumdownloader.anondist]
uwt wrapped application
=== /usr/bin/wormhole.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/wormhole.anondist /usr/bin/wormhole.anondist]
uwt wrapped application
=== /usr/bin/time_privacy ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/time_privacy /usr/bin/time_privacy]
Undocumented.
=== /usr/bin/rawdog.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/rawdog.anondist /usr/bin/rawdog.anondist]
uwt wrapped application
=== /usr/bin/ssh.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/ssh.anondist /usr/bin/ssh.anondist]
uwt wrapped application
=== /usr/bin/dnf-3.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/dnf-3.anondist /usr/bin/dnf-3.anondist]
dnf tor wrapper
=== /usr/bin/aptitude-curses.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/aptitude-curses.anondist /usr/bin/aptitude-curses.anondist]
uwt wrapped application
=== /usr/bin/gpg2.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/gpg2.anondist /usr/bin/gpg2.anondist]
uwt wrapped application
=== /usr/bin/mixmaster-update.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/mixmaster-update.anondist /usr/bin/mixmaster-update.anondist]
uwt wrapped application
=== /usr/bin/git.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/git.anondist /usr/bin/git.anondist]
uwt wrapped application
=== /usr/bin/apt.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/apt.anondist /usr/bin/apt.anondist]
uwt wrapped application
* export uwtwrapper_parent="${BASH_SOURCE[0]}"
* exec /usr/libexec/uwt/uwtwrapper "$@"
=== /usr/bin/onionshare-gui.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/onionshare-gui.anondist /usr/bin/onionshare-gui.anondist]
uwt wrapped application
=== /usr/bin/apt-file.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/apt-file.anondist /usr/bin/apt-file.anondist]
uwt wrapped application
=== /usr/bin/curl.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/curl.anondist /usr/bin/curl.anondist]
curl tor wrapper
=== /usr/bin/ricochet.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/ricochet.anondist /usr/bin/ricochet.anondist]
uwt wrapped application
ricochet does not have unix domain socket file support, therefore it depends
on the TOR_CONTROL_HOST and TOR_CONTROL_PORT environment variables being
set. Otherwise it would try to start its own Tor instance.
https://forums.whonix.org/t/test-if-ricochet-im-instructions-are-functional/18959
* TOR_CONTROL_HOST="127.0.0.1"
* TOR_CONTROL_PORT="9151"
* export TOR_CONTROL_HOST
* export TOR_CONTROL_PORT
* export uwtwrapper_parent="${BASH_SOURCE[0]}"
* exec /usr/libexec/uwt/uwtwrapper "$@"
=== /usr/bin/wget.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/wget.anondist /usr/bin/wget.anondist]
uwt wrapped application
=== /usr/bin/yum.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/yum.anondist /usr/bin/yum.anondist]
uwt wrapped application
== whonix-base-files ==
* https://github.com/Whonix/whonix-base-files
* [https://github.com/Whonix/whonix-base-files/blob/master/debian/control debian/control]
=== Whonix base system miscellaneous files ===
This package contains several important miscellaneous files, such as
/etc/issue, /etc/motd, /etc/dpkg/origins/whonix,
/usr/bin/whonix, and others.
Anonymized operating system user name `user`, `/etc/hostname`, `/etc/hosts`,
`/etc/machine-id`, `/var/lib/dbus/machine-id`, which should be shared among
all anonymity distributions. See also:
https://www.whonix.org/wiki/Hostnames#Anonymity_Distributions
Sets the WHONIX environment variable to 1 as well.
Ships marker files:
* /usr/share/whonix/marker
* /usr/share/anon-dist/marker
=== /etc/hosts.whonix ===
* [https://github.com/Whonix/whonix-base-files/blob/master/etc/hosts.whonix /etc/hosts.whonix]
Debian default /etc/hosts + Anonymity Distribution specific additions.
Currently only 127.0.0.1 host.localdomain host gets added.
=== /etc/qubes/protected-files.d/whonix-base-files.conf ===
* [https://github.com/Whonix/whonix-base-files/blob/master/etc/qubes/protected-files.d/whonix-base-files.conf /etc/qubes/protected-files.d/whonix-base-files.conf]
* Qubes-Whonix only
Configure Qubes to not modify files shipped by Whonix:
* /etc/hostname
* /etc/hosts
== whonix-firewall ==
* https://github.com/Whonix/whonix-firewall
* [https://github.com/Whonix/whonix-firewall/blob/master/debian/control debian/control]
=== Firewall for Whonix-Gateway and Whonix-Workstation ===
nftables rules script and firewall configuration file for Whonix-Gateway and
Whonix-Workstation.
Whonix-Gateway Firewall Features:
- transparent proxying
- stream isolation
- reject invalid packages
- fail closed mechanism
- optional VPN-Firewall
- optional isolating proxy
- optional incoming flash proxy
- optional Tor relay
Do not remove, unless you no longer wish to use Whonix.
=== /etc/whonix_firewall.d/30_whonix_gateway_default.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_gateway_default.conf /etc/whonix_firewall.d/30_whonix_gateway_default.conf]
* gateway only
Whonix firewall configuration file
=== /etc/whonix_firewall.d/30_whonix_host_default.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_host_default.conf /etc/whonix_firewall.d/30_whonix_host_default.conf]
undocumented
=== /etc/whonix_firewall.d/30_whonix_workstation_default.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_workstation_default.conf /etc/whonix_firewall.d/30_whonix_workstation_default.conf]
* workstation only
Whonix firewall configuration file
=== /debian/whonix-firewall.postinst ===
* [https://github.com/Whonix/whonix-firewall/blob/master/debian/whonix-firewall.postinst /debian/whonix-firewall.postinst]
Creates linux user accounts used by firewall script
clearnet tunnel notunnel systemcheck sdwdate updatesproxycheck.
Creates empty /etc/whonix_firewall.d/50_user.conf which is not owned
by any package if not existing.
=== /usr/libexec/whonix-firewall/enable-firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/libexec/whonix-firewall/enable-firewall /usr/libexec/whonix-firewall/enable-firewall]
Wrapper to start firewall and create failure status files on failure.
=== /usr/bin/whonix-workstation-firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall /usr/bin/whonix-workstation-firewall]
firewall script
=== /usr/bin/whonix_firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix_firewall /usr/bin/whonix_firewall]
firewall starter wrapper
=== /usr/bin/whonix-gateway-firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-gateway-firewall /usr/bin/whonix-gateway-firewall]
firewall script
=== /usr/lib/systemd/system/whonix-firewall.service ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/lib/systemd/system/whonix-firewall.service /usr/lib/systemd/system/whonix-firewall.service]
Runs /usr/libexec/whonix-firewall/enable-firewall.
On Whonix-Gateway or Whonix-Workstation (if
/usr/share/anon-gw-base-files/gateway or
/usr/share/anon-ws-base-files/workstation exists),
loads Whonix Firewall.
(Does nothing inside Qubes TemplateVMs.)
If loading Whonix Firewall fails, creates
/run/anon-firewall/failed.status.
=== /usr/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf /usr/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf]
Fail Closed Mechanism.
When the Whonix firewall systemd service failed, do not bring up the
network.
TODO: does not cover Qubes-Whonix since Qubes does not use networking.service.
TODO: disabled, broken. Breaks networking on package upgrades.
https://forums.whonix.org/t/fix-fail-closed-mechanism/18563
* #[Unit]
* #After=whonix-firewall.service
* #Requires=whonix-firewall.service
=== /usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test /usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test]
stream isolation developer test script