= Whonix-Gateway =
== anon-gw-anonymizer-config ==
* https://github.com/Whonix/anon-gw-anonymizer-config
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/debian/control debian/control]
=== Tor Configuration and Tweaks for Anonymity Distributions ===
Tor config file with distribution defaults (for stream isolation, etc.),
example user configurations and other tweaks required. The Tor binary
itself does not get modified.
Deactivates IPv4 forwarding using /etc/sysctl.d/.
IPv4 forwarding is not required on a Tor based Anonymity Distribution Gateway,
because Workstation traffic is terminated by Tor's own listeners on the Gateway
(TransPort, DnsPort, SocksPorts) rather than routed onwards. Deactivating it is
defense in depth to prevent leaks.
Deactivates IPv6 using /etc/sysctl.d/.
No Anonymity Distribution Gateway features an IPv6 firewall yet, so IPv6 is
deactivated to prevent leaks.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /etc/torrc.d/60_network.conf ===
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/torrc.d/60_network.conf /etc/torrc.d/60_network.conf]
* ~/derivative-maker/packages/anon-gw-anonymizer-config/etc/torrc.d/60_network.conf
* gateway only
Tor is disabled by default.
Users are supposed to enable Tor through setup-dist, which creates the file
/usr/local/etc/torrc.d/40_tor_control_panel.conf containing "DisableNetwork 0",
or by removing the hash ('#') in front of "DisableNetwork 0" in
/usr/local/etc/torrc.d/40_tor_control_panel.conf. That user file takes
precedence over the "DisableNetwork 1" default set below.
* DisableNetwork 1
* VirtualAddrNetwork 10.192.0.0/10
* AutomapHostsOnResolve 1
* Log notice file /run/tor/log
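The override described above (a package default of `DisableNetwork 1` in /etc/torrc.d/ that a later user drop-in in /usr/local/etc/torrc.d/ flips back to 0) can be checked offline by replaying Tor's torrc merge rules. The following is an added example written for this page, not code from the anon-gw-anonymizer-config package. It assumes a torrc that `%include`s /etc/torrc.d/ before /usr/local/etc/torrc.d/, models only full-line `#` comments, skips dot files in included directories, and carries only a partial list of Tor's list-valued options; the SocksPort lines in the demo tree are constructed sample values, not the real 65_gateway.conf.

```python
import os
import tempfile

# Tor options whose occurrences all count (Tor's LINELIST type). Partial list,
# enough for the files discussed here; everything else is last-one-wins.
LIST_OPTIONS = {"socksport", "transport", "dnsport", "httptunnelport",
                "controlport", "log", "hiddenservicedir", "hiddenserviceport"}


def _read_file(path):
    """Yield (option, value) pairs from one torrc file, expanding %include."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):   # full-line comments only (model simplification)
                continue
            if line.startswith("%include"):
                yield from _read_include(line.split(None, 1)[1].strip())
                continue
            parts = line.split(None, 1)
            yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def _read_include(target):
    """A directory is read non-recursively in lexical order; dot files are skipped."""
    if os.path.isdir(target):
        for name in sorted(os.listdir(target)):
            full = os.path.join(target, name)
            if os.path.isfile(full) and not name.startswith("."):
                yield from _read_file(full)
    else:
        yield from _read_file(target)    # like Tor, fail loudly on a missing include


def effective_config(torrc):
    """Merge all lines: list options accumulate, any other option keeps its last value."""
    cfg = {}
    for key, value in _read_file(torrc):
        k = key.lower()                  # Tor option names are case-insensitive
        if k in LIST_OPTIONS:
            cfg.setdefault(k, []).append(value)
        else:
            cfg[k] = value
    return cfg


def network_enabled(torrc):
    """Tor only touches the network when the effective DisableNetwork is not 1."""
    return effective_config(torrc).get("disablenetwork", "0") != "1"


def build_demo_tree(control_panel_enabled):
    """Create a throwaway copy of the Whonix layout: package defaults under etc/torrc.d,
    the user drop-in under usr/local/etc/torrc.d, and a torrc including both in that order
    (assumed include order)."""
    root = tempfile.mkdtemp(prefix="torrc-demo-")
    pkg = os.path.join(root, "etc", "torrc.d")
    user = os.path.join(root, "usr", "local", "etc", "torrc.d")
    os.makedirs(pkg)
    os.makedirs(user)
    with open(os.path.join(pkg, "60_network.conf"), "w", encoding="utf-8") as fh:
        fh.write("DisableNetwork 1\nVirtualAddrNetwork 10.192.0.0/10\n"
                 "AutomapHostsOnResolve 1\nLog notice file /run/tor/log\n")
    with open(os.path.join(pkg, "65_gateway.conf"), "w", encoding="utf-8") as fh:
        # constructed sample values, not the real 65_gateway.conf
        fh.write("SocksPort 10.152.152.10:9050\n"
                 "SocksPort 10.152.152.10:9100 IsolateDestAddr\n")
    marker = "" if control_panel_enabled else "#"
    with open(os.path.join(user, "40_tor_control_panel.conf"), "w", encoding="utf-8") as fh:
        fh.write(f"{marker}DisableNetwork 0\n")
    torrc = os.path.join(root, "torrc")
    with open(torrc, "w", encoding="utf-8") as fh:
        fh.write(f"%include {pkg}\n%include {user}\n")
    return torrc


if __name__ == "__main__":
    for enabled in (False, True):
        torrc = build_demo_tree(enabled)
        print(f"40_tor_control_panel.conf uncommented={enabled}: "
              f"network_enabled={network_enabled(torrc)}")
```

Note that the 40_ file wins over the 60_ file although it sorts earlier: lexical order only applies within one included directory, and the user directory is included afterwards. On a real Gateway the authoritative check remains `tor --verify-config` against /etc/tor/torrc, whose parser also handles quoting and other syntax this model leaves out.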
=== /etc/torrc.d/65_gateway.conf ===
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/torrc.d/65_gateway.conf /etc/torrc.d/65_gateway.conf]
* ~/derivative-maker/packages/anon-gw-anonymizer-config/etc/torrc.d/65_gateway.conf
* gateway only
Tor settings for Gateway: `ClientOnionAuthDir`, `SocksPort`s, `TransPort`,
`DnsPort`, `HTTPTunnelPort`s and stream isolation settings.
=== /usr/share/tor/tor-service-defaults-torrc.anondist ===
* [https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist /usr/share/tor/tor-service-defaults-torrc.anondist]
* ~/derivative-maker/packages/anon-gw-anonymizer-config/usr/share/tor/tor-service-defaults-torrc.anondist
* gateway only
Tor listeners serving Whonix-Workstation traffic (shipped on the Gateway):
`SocksPort`s, `TransPort`, `DnsPort`, `HTTPTunnelPort`s and stream isolation settings.
IP HARDCODED unfortunately.
== whonix-gw-network-conf ==
* https://github.com/Whonix/whonix-gw-network-conf
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/debian/control debian/control]
=== Network Configuration for Whonix-Gateway ===
Includes etc/network/interfaces.d/30_non-qubes-whonix for
Non-Qubes-Whonix-Gateway.
Sets up two network interfaces, an external one eth0 and an internal one eth1.
Provides /usr/share/whonix-gw-network-conf/network_internal_ip.txt.
DNS configuration for Anonymity Linux Distribution Gateways:
* Points /etc/resolv.conf to 127.0.0.1.
* Whether an Anonymity Linux Distribution Gateway supports system DNS for its
own traffic, in the clear or anonymized, mainly depends on the Gateway's
firewall.
* Whether the workstation's system DNS is routed through the anonymizer (also
known as Transparent DNS Proxy) is up to the Gateway's firewall as well.
=== /debian/whonix-gw-network-conf.links ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/debian/whonix-gw-network-conf.links /debian/whonix-gw-network-conf.links]
* ~/derivative-maker/packages/whonix-gw-network-conf/debian/whonix-gw-network-conf.links
* gateway only
* Non-Qubes-Whonix only
Disable Predictable Network Interface Names as these are problematic.
https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4
Disabling them as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* /dev/null /etc/systemd/network/99-default.link
=== /debian/whonix-gw-network-conf.triggers ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/debian/whonix-gw-network-conf.triggers /debian/whonix-gw-network-conf.triggers]
* ~/derivative-maker/packages/whonix-gw-network-conf/debian/whonix-gw-network-conf.triggers
* gateway only
* Non-Qubes-Whonix only
Required for /etc/systemd/network/99-default.link to take effect as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* activate-noawait update-initramfs
=== /etc/network/interfaces.d/30_non-qubes-whonix ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix /etc/network/interfaces.d/30_non-qubes-whonix]
* ~/derivative-maker/packages/whonix-gw-network-conf/etc/network/interfaces.d/30_non-qubes-whonix
* gateway only
* Non-Qubes-Whonix only
Network interfaces configuration for eth0 (external network interface) and eth1 (internal network interface).
Static network configuration.
IP HARDCODED below but comment only. No need to change.
eth0:
* #address 10.0.2.15
* #netmask 255.255.255.0
* #gateway 10.0.2.2
eth1:
* #address 10.152.152.10
* #netmask 255.255.192.0
=== /etc/resolv.conf.whonix ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/etc/resolv.conf.whonix /etc/resolv.conf.whonix]
* ~/derivative-maker/packages/whonix-gw-network-conf/etc/resolv.conf.whonix
* gateway only
No DNS configuration.
Only comments.
Whonix-Gateway by default does not have system default DNS.
See https://www.whonix.org/wiki/Whonix-Gateway_Own_Traffic_Transparent_Proxy
and footnotes.
=== /lib/systemd/system/onion-grater.service.d/30_cpfpy.conf ===
* [https://github.com/Whonix/whonix-gw-network-conf/blob/master/usr/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf /lib/systemd/system/onion-grater.service.d/30_cpfpy.conf]
* ~/derivative-maker/packages/whonix-gw-network-conf/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf
* gateway only
* Non-Qubes-Whonix only
onion-grater systemd unit file extension.
Runs /usr/lib/onion-grater-merger as root (the `+` prefix makes systemd run
this command with full privileges regardless of any `User=` setting) to avoid
permission conflicts.
* ExecStartPre=+/usr/lib/onion-grater-merger
Reconfigures onion-grater to listen on network interface eth1.
= Whonix-Workstation =
== anon-apps-config ==
* https://github.com/Whonix/anon-apps-config
* [https://github.com/Whonix/anon-apps-config/blob/master/debian/control debian/control]
=== anonymity, privacy and security settings pre-configuration ===
Most settings take effect for newly created user accounts only, not for
existing user accounts.
Sets timezone to UTC.
Enables Menubar in Dolphin by default.
gnupg configuration for Anonymity Distributions:
* Sets `use-tor` in `/etc/skel/.gnupg/dirmngr.conf`.
* Ships Thunderbird torbirdy configuration file
`/etc/thunderbird/pref/30_whonix.js` that allows torified keyserver access.
* Deactivates KGpg's first run wizard. Disables tip of the day. Disables KGpg's systray.
Double click instead of single click in KDE.
Deactivates maximize windows when moved to the top.
In context of anonymity it might be better not to maximize the browser window
(https://gitlab.torproject.org/legacy/trac/-/issues/7255).
To prevent users from accidentally maximizing their browser window, it is
better when KDE's feature to maximize windows when moved to the top is
disabled.
Deactivates KDE's system sounds.
Disables KDE graphics effects. Disables some background processes.
Stream Isolation (proxy) settings for KDE apps for Anonymity Distributions.
Configures global proxy settings for KDE applications, which act as a fallback
if no other proxy settings are set, to socks 10.152.152.10:9122.
IP HARDCODED above but no need to change since it is description only.
Without this, unconfigured KDE applications would use no proxy settings at all
and rely on Transparent Proxying, if the anonymity distribution features a
transparent proxy. Pointing them at a dedicated SocksPort instead improves
stream isolation.
On the other hand, anonymity distributions not featuring transparent proxying
should probably not install this package by default: there, unconfigured KDE
applications are meant to be unable to connect, and a global fallback proxy
would undo that.
Sets Unlimited Scrollback in Konsole.
Disables klipper clipboard history.
Deactivates automatic updates for Package Manager APT and Apper.
Useful in context of networks with limited traffic quota, slow networks and
anonymity distributions.
In the latter case, the default automatic updates interval would be too
predictable (an expectable amount of traffic every X), thus eventually
vulnerable to traffic fingerprinting.
Disabling Apper automatic updates only takes effect for newly created user
accounts. Not for existing user accounts. This is most useful to help Linux
distribution maintainers setting divergent defaults.
Longer Timeouts for Package Manager APT
Raising timeout and retries using configuration snippet. Useful in context of
slow networks and anonymity distributions.
Ships a configuration file /etc/apt/apt.conf.d/90longer-timeouts to configure
apt-get.
Ships a configuration file /etc/skel/.config/vlc/vlcrc to configure VLC to not
ask for network policy at start and sets vout=xcb_x11 to enable VM
compatibility out-of-the-box.
Disables gajim's update manager (plugin installer) by default for better
security, since it does not verify software signatures, by hiding the file
/usr/share/gajim/plugins/plugin_installer/__init__.py using
'config-package-dev' 'hide'.
Disables systemd-resolved during boot unless file /etc/dns-enable exists.
Disables systemd-resolved fallback DNS (which by default is set to Google).
Removes capabilities from `/bin/ping` if
[security-misc](https://github.com/Kicksecure/security-misc) is
installed as ping doesn't work with Tor anyway and its capabilities are just
unneeded attack surface.
Creates a dummy Tor binary '/home/user/.local/share/Bisq/btc_mainnet/tor/tor'
to avoid Tor over Tor.
Improves HexChat Privacy Settings
* As per: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/XChat
* Moves the following files:
- `/usr/lib/xchat/plugins/python.so`
- `/usr/lib/xchat/plugins/tcl.so`
- `/usr/lib/xchat/plugins/perl.so`
to `/usr/share/anon-apps-config`, so these plugins get disabled by
default.
Due to technical limitations some settings only take effect for applications
being started for the very first time, i.e. when the user config of that
application in the user's home folder does not exist yet. Works best for new
user accounts.
This package is most useful to help Linux distribution maintainers setting
divergent defaults.
=== /etc/apt/apt.conf.d/90longer-timeouts ===
* [https://github.com/Whonix/anon-apps-config/blob/master/etc/apt/apt.conf.d/90longer-timeouts /etc/apt/apt.conf.d/90longer-timeouts]
* ~/derivative-maker/packages/anon-apps-config/etc/apt/apt.conf.d/90longer-timeouts
Longer APT timeouts and more retries.
=== /lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf /lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf]
* ~/derivative-maker/packages/anon-apps-config/lib/systemd/system/systemd-resolved.service.d/40_anon-apps-config.conf
Disables systemd-resolved unless the file /etc/dns-enable exists.
=== /usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf /usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf]
* ~/derivative-maker/packages/anon-apps-config/usr/lib/systemd/resolved.conf.d/40_anon-apps-config.conf
do not default to using Google nameservers
https://phabricator.whonix.org/T793
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658#216
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
https://forums.whonix.org/t/os-generated-network-traffic
* [Resolve]
* FallbackDNS=
=== /usr/share/anon-apps-config/kioslaverc ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/share/anon-apps-config/kioslaverc /usr/share/anon-apps-config/kioslaverc]
* ~/derivative-maker/packages/anon-apps-config/usr/share/anon-apps-config/kioslaverc
KDE stream isolation settings.
* [Proxy Settings]
* NoProxyFor=127.0.0.1
* ProxyType=1
* ReversedException=false
IP HARDCODED
* socksProxy=http://10.152.152.10 9122
=== /usr/share/anon-apps-config/ksmserverrc ===
* [https://github.com/Whonix/anon-apps-config/blob/master/usr/share/anon-apps-config/ksmserverrc /usr/share/anon-apps-config/ksmserverrc]
* ~/derivative-maker/packages/anon-apps-config/usr/share/anon-apps-config/ksmserverrc
disable session saving
https://forums.whonix.org/t/kdesudo-error-popup-window-sdwdate-gui
* loginMode=default
== anon-ws-disable-stacked-tor ==
* https://github.com/Whonix/anon-ws-disable-stacked-tor
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/debian/control debian/control]
=== Prevents Tor over Tor in Anonymity Distribution Workstations ===
Supposed to be installed on Workstations; prevents installing the real Tor
package from upstream (e.g. Debian, The Tor Project) APT repositories. Its
purpose is to prevent running Tor over Tor.
It allows installation of packages which depend on Tor, such as TorChat,
parcimonie and torbrowser-launcher.
This package uses the "Provides: tor" field[1], which should avoid any kind of
conflict in case upstream releases a higher version of Tor. This won't work
for packages which depend on an explicit version of Tor (such as TorChat).
This is non-ideal, since for example the torchat package will install Tor, but
still acceptable because of the following additional measures.
Binaries eventually installed (by the tor Debian package), /usr/bin/tor as well
as /usr/sbin/tor, are replaced with a dummy wrapper that does nothing
(dpkg-diverted using config-package-dev).
systemd-socket-proxyd listens on Tor's default ports: system Tor's
127.0.0.1:9050 and 127.0.0.1:9051, and Tor Browser's 127.0.0.1:9150 and
127.0.0.1:9151. This prevents the default Tor Browser Bundle or the Tor package
by The Tor Project from opening these ports: Tor fails to bind its listening
port and therefore exits, which prevents Tor over Tor.
See also:
* https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor
* https://tor.stackexchange.com/questions/427/is-running-tor-over-tor-dangerous
[1] See "7.5 Virtual packages - Provides" on
https://www.debian.org/doc/debian-policy/ch-relationships.html
This package is produced independently of, and carries no guarantee from,
The Tor Project.
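To check on a running Whonix-Workstation that the four ports named above really are held by the systemd socket units and systemd-socket-proxyd, and not by a stray Tor daemon, here is an added example that is not part of the anon-ws-disable-stacked-tor package. It classifies `ss -ltnp` output; the sample lines are constructed, the process names follow ss's 15-character comm truncation (so systemd-socket-proxyd shows up as "systemd-socket-"), and `live_audit()` assumes Linux with iproute2.

```python
import re
import subprocess

# Ports the page says systemd-socket-proxyd holds on the workstation:
# system Tor's 9050/9051 and Tor Browser's 9150/9151.
TOR_DEFAULT_PORTS = {9050, 9051, 9150, 9151}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "*", "[::1]", "[::]"}
EXPECTED_OWNERS = {"systemd", "systemd-socket-proxyd"}   # socket unit + activated proxy
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

# Constructed sample of `ss -ltnp` output, not captured from a real system.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096        127.0.0.1:9050        0.0.0.0:*      users:(("systemd",pid=1,fd=83))
LISTEN  0       4096        127.0.0.1:9051        0.0.0.0:*      users:(("systemd-socket-",pid=640,fd=3),("systemd",pid=1,fd=84))
LISTEN  0       4096        127.0.0.1:9150        0.0.0.0:*      users:(("tor",pid=2345,fd=6))
LISTEN  0       128           0.0.0.0:22            0.0.0.0:*      users:(("sshd",pid=701,fd=3))
"""


def parse_listeners(ss_output):
    """Map (local address, port) -> set of process names holding that LISTEN socket."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        names = {m.group(1) for m in _PROC_RE.finditer(line)}
        listeners.setdefault((addr, int(port)), set()).update(names)
    return listeners


def _is_expected(name):
    """ss prints the kernel comm name, truncated to 15 characters."""
    return any(full == name or (len(name) == 15 and full.startswith(name))
               for full in EXPECTED_OWNERS)


def audit_tor_ports(ss_output, ports=TOR_DEFAULT_PORTS):
    """Classify each Tor default port:
    proxied       - held only by systemd / systemd-socket-proxyd, the intended state
    stacked       - held by a process named tor: a local Tor daemon, i.e. Tor over Tor
    unbound       - nothing listening, so a Tor Browser or tor package could bind it
    unknown-owner - bound, but ss showed no process (ss -p needs root to see other users)
    other         - bound by some unrelated process
    """
    listeners = parse_listeners(ss_output)
    report = {}
    for port in sorted(ports):
        bound, owners = False, set()
        for (addr, p), names in listeners.items():
            if p == port and addr in LOOPBACK:
                bound = True
                owners |= names
        if "tor" in owners:
            verdict = "stacked"
        elif bound and owners and all(_is_expected(n) for n in owners):
            verdict = "proxied"
        elif bound and not owners:
            verdict = "unknown-owner"
        elif bound:
            verdict = "other"
        else:
            verdict = "unbound"
        report[port] = {"owners": owners, "verdict": verdict}
    return report


def live_audit():
    """Run ss on this machine and audit the output (Linux with iproute2 only)."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return audit_tor_ports(out)


if __name__ == "__main__":
    for port, info in audit_tor_ports(SAMPLE_SS).items():
        print(f"{port}: {info['verdict']:14} owners={sorted(info['owners'])}")
```

Run `live_audit()` as root, otherwise ss hides processes belonging to other users and everything degrades to "unknown-owner". A "stacked" verdict on a workstation means the diversion of /usr/bin/tor or /usr/sbin/tor did not take effect for whatever installed that tor binary.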
=== /debian/anon-ws-disable-stacked-tor.displace ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/debian/anon-ws-disable-stacked-tor.displace /debian/anon-ws-disable-stacked-tor.displace]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/debian/anon-ws-disable-stacked-tor.displace
* workstation only
config-package-dev `displace` entries for the following files:
* /etc/default/tor.anondist
* /usr/bin/tor.anondist
* /usr/sbin/tor.anondist
=== /debian/anon-ws-disable-stacked-tor.postinst ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/debian/anon-ws-disable-stacked-tor.postinst /debian/anon-ws-disable-stacked-tor.postinst]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/debian/anon-ws-disable-stacked-tor.postinst
* workstation only
/etc/X11/Xsession.d/ hook to source /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh.
Add user "user" to the group "debian-tor", so user "user" can access Tor's control port.
User "user" already exists thanks to the dist-base-files package.
* addgroup --quiet user debian-tor
=== /etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf /etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf
* workstation only
systemd-unit-files-generator and socat-unix-sockets configuration examples.
=== /etc/profile.d/20_torbrowser.sh ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/profile.d/20_torbrowser.sh /etc/profile.d/20_torbrowser.sh]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/etc/profile.d/20_torbrowser.sh
* workstation only
/etc/profile.d hook to source /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh.
=== /etc/rsyslog.d/anon-ws-disable-stacked-tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/rsyslog.d/anon-ws-disable-stacked-tor.conf /etc/rsyslog.d/anon-ws-disable-stacked-tor.conf]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/etc/rsyslog.d/anon-ws-disable-stacked-tor.conf
* workstation only
rsyslog configuration drop-in snippet.
No longer required since rinetd is no longer used.
Workaround for 'rinetd fills up the logs until disk is full up if it cannot bind':
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796235
* :msg, contains, "accept(0): Socket operation on non-socket" stop
=== /etc/X11/Xsession.d/20torbrowser ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/X11/Xsession.d/20torbrowser /etc/X11/Xsession.d/20torbrowser]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/etc/X11/Xsession.d/20torbrowser
* workstation only
/etc/X11/Xsession.d/ hook to source /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh.
=== /lib/systemd/system/anon-ws-disable-stacked-tor.service ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/anon-ws-disable-stacked-tor.service /lib/systemd/system/anon-ws-disable-stacked-tor.service]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/lib/systemd/system/anon-ws-disable-stacked-tor.service
* workstation only
Runs /usr/lib/anon-ws-disable-stacked-tor/state-files and
/usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets.
=== /lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf /lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/lib/systemd/system/tor@default.service.d/50_anon_ws_disable_stacked_tor.conf
* workstation only
Qubes-Whonix:
Clear 'ConditionPathExists=/run/qubes-service/whonix-gateway' set by
the qubes-whonix package, which is useful on the gateway but not on the
workstation.
In effect the dummy Tor service will run on Whonix-Workstation.
* ConditionPathExists=
=== /lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf /lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/lib/systemd/system/tor@default.service.d/51_anon_ws_disable_stacked_tor.conf
* workstation only
Compatibility with the system Tor package.
Overrides the systemd unit file shipped by the system Tor package so that the
dummy Tor binary /usr/bin/tor gets loaded instead.
Makes all systemctl restart, reload and status commands compatible with the
dummy Tor.
=== /lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf /lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/lib/systemd/system/tor.service.d/50_anon_ws_disable_stacked_tor.conf
* workstation only
Make 'sudo service tor status' exit '0' for better compatibility.
* RemainAfterExit=yes
=== /usr/bin/tor.anondist ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/bin/tor.anondist /usr/bin/tor.anondist]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/usr/bin/tor.anondist
* workstation only
dummy Tor wrapper doing nothing but wait forever and
OnionShare support for configuration option "bundled Tor".
=== /usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/socat-unix-sockets /usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets
* workstation only
socat-unix-sockets starter.
=== /usr/lib/anon-ws-disable-stacked-tor/state-files ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/state-files /usr/lib/anon-ws-disable-stacked-tor/state-files]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/usr/lib/anon-ws-disable-stacked-tor/state-files
* workstation only
Emulates Tor by copying and chmodding the correct state files such as
/run/tor/control.authcookie.
=== /usr/lib/anon-ws-disable-stacked-tor/systemd-unit-files-generator ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/systemd-unit-files-generator /usr/lib/anon-ws-disable-stacked-tor/systemd-unit-files-generator]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/usr/lib/anon-ws-disable-stacked-tor/systemd-unit-files-generator
* workstation only
Generates systemd unit files in
/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_*
which listen on common local ports used by popular Tor applications such as
Tor Browser, and redirect e.g. Whonix-Workstation port 9050 to Whonix-Gateway
port 9050, and so forth.
Also creates unix domain socket files such as
/run/anon-ws-disable-stacked-tor/127.0.0.1_9050.sock and forwards those to
$GATEWAY_IP:9150 etc. See also:
https://phabricator.whonix.org/T192
System Tor's default SocksSocket is /run/tor/socks:
redirects the Whonix-Workstation unix domain socket file /run/tor/socks to Whonix-Gateway port 9050.
Debian's /usr/share/tor/tor-service-defaults-torrc uses '/run/tor/control' as Tor ControlSocket:
redirects the Whonix-Workstation unix domain socket file /run/tor/control to Whonix-Gateway port 9051.
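An illustration of what such a generated unit pair looks like, written for this page rather than taken from systemd-unit-files-generator: for each (listener, gateway port) mapping it emits a `.socket` unit that owns the local TCP port or unix domain socket file and a `.service` unit that runs systemd-socket-proxyd towards the gateway. The mapping table follows the ports and socket paths listed on this page (the same list torbrowser.sh refers to); the systemd-socket-proxyd path, the unit naming scheme, SocketMode and PrivateTmp are assumptions.

```python
import os
import tempfile

GATEWAY_IP = "10.152.152.10"                      # Whonix-Gateway internal IP (from the page)
RUN_DIR = "/run/anon-ws-disable-stacked-tor"      # created by the tmpfiles.d snippet
PROXYD = "/lib/systemd/systemd-socket-proxyd"     # Debian location (assumption)
PREFIX = "anon-ws-disable-stacked-tor_autogen_"

# (local listener, gateway port); a listener is host:port or an absolute socket path
DEFAULT_MAPPINGS = [
    ("127.0.0.1:9050", 9050), ("127.0.0.1:9051", 9051),
    ("127.0.0.1:9150", 9150), ("127.0.0.1:9151", 9151),
    (f"{RUN_DIR}/127.0.0.1_9150.sock", 9150), (f"{RUN_DIR}/127.0.0.1_9151.sock", 9151),
    ("/run/tor/socks", 9050), ("/run/tor/control", 9051),
]


def unit_name(listener):
    """Turn a listener spec into a valid unit base name ('/' and ':' are not allowed)."""
    return PREFIX + listener.replace(":", "_").replace("/", "_").strip("_")


def socket_unit(listener, gateway_port, gateway_ip=GATEWAY_IP):
    """The .socket unit: systemd binds the port/path itself, so Tor cannot."""
    lines = ["[Unit]",
             f"Description=Forward {listener} to {gateway_ip}:{gateway_port}",
             "", "[Socket]", f"ListenStream={listener}"]
    if listener.startswith("/"):
        lines.append("SocketMode=0666")   # so the unprivileged desktop user can connect (assumption)
    lines += ["", "[Install]", "WantedBy=sockets.target", ""]
    return "\n".join(lines)


def service_unit(listener, gateway_port, gateway_ip=GATEWAY_IP):
    """The .service unit: started on first connection, inherits the socket from systemd."""
    name = unit_name(listener)
    lines = ["[Unit]", f"Requires={name}.socket", f"After={name}.socket", "",
             "[Service]", f"ExecStart={PROXYD} {gateway_ip}:{gateway_port}",
             "PrivateTmp=yes", ""]
    return "\n".join(lines)


def generate_units(mappings=DEFAULT_MAPPINGS, gateway_ip=GATEWAY_IP):
    """Return {filename: unit text} for every mapping (one .socket and one .service each)."""
    units = {}
    for listener, port in mappings:
        name = unit_name(listener)
        units[name + ".socket"] = socket_unit(listener, port, gateway_ip)
        units[name + ".service"] = service_unit(listener, port, gateway_ip)
    return units


def write_units(units, directory):
    """Write the unit files; returns the sorted file names written."""
    os.makedirs(directory, exist_ok=True)
    for filename, content in units.items():
        with open(os.path.join(directory, filename), "w", encoding="utf-8") as fh:
            fh.write(content)
    return sorted(units)


if __name__ == "__main__":
    target = tempfile.mkdtemp(prefix="units-")   # use /lib/systemd/system on a real install
    for name in write_units(generate_units(), target):
        print(name)
    print(generate_units()["anon-ws-disable-stacked-tor_autogen_127.0.0.1_9050.service"])
```

After writing the files into /lib/systemd/system/, run `systemctl daemon-reload` and enable the `.socket` units; each `.service` is only started when the first client connects, which is why a workstation without any Tor client running still shows systemd (pid 1) as the owner of these ports.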
=== /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/libexec/anon-ws-disable-stacked-tor/torbrowser.sh /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh
* workstation only
Environment variables for Tor Browser integration. Prevents Tor over Tor.
Deactivates tor-launcher, a Vidalia replacement implemented as a browser
extension, to prevent running Tor over Tor.
https://gitlab.torproject.org/legacy/trac/-/issues/6009
https://gitweb.torproject.org/tor-launcher.git
* export TOR_SKIP_LAUNCH=1
The following TOR_SOCKS_HOST and TOR_SOCKS_PORT variables
do not work flawlessly, due to an upstream bug in Tor Button:
"TOR_SOCKS_HOST, TOR_SOCKS_PORT regression"
https://gitlab.torproject.org/legacy/trac/-/issues/8336
(As an alternative,
/home/user/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js
could be used.)
Fortunately, this is not required for Whonix by default anymore, because
systemd-socket-proxyd is configured to redirect the following
Whonix-Workstation ports (IP HARDCODED but no need to change since comment only):
127.0.0.1:9050 to Whonix-Gateway 10.152.152.10:9050
127.0.0.1:9051 to Whonix-Gateway 10.152.152.10:9051
127.0.0.1:9150 to Whonix-Gateway 10.152.152.10:9150
127.0.0.1:9151 to Whonix-Gateway 10.152.152.10:9151
#export TOR_SOCKS_HOST="10.152.152.10"
#export TOR_SOCKS_PORT="9150"
#export TOR_CONTROL_HOST="127.0.0.1"
#export TOR_CONTROL_PORT="9151"
This only exists to satisfy Tor Button; any value will do.
#export TOR_CONTROL_PASSWD='"password"'
We are not using TOR_TRANSPROXY=1 because that would break Tor Browser's
per tab stream isolation. (Tor Browser talks to a Tor SocksPort and sets a
socks user name and Tor is using IsolateSOCKSAuth by Tor default.)
#export TOR_TRANSPROXY=1
Environment variables to configure Tor Browser to use a pre-existing unix
domain socket file instead of creating its own, to avoid Tor over Tor while
keeping it able to connect.
systemd-socket-proxyd is used to create the unix domain socket file
/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock and forward it to
Whonix-Gateway port 9150.
https://phabricator.whonix.org/T192
https://gitlab.torproject.org/legacy/trac/-/issues/20111#comment:5
* export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
* export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"
environment variable to skip TorButton control port verification
https://gitlab.torproject.org/legacy/trac/-/issues/13079
* export TOR_SKIP_CONTROLPORTTEST=1
Environment variable to disable the "TorButton" ->
"Open Network Settings..." menu item. It is not useful and confusing to have
on a workstation, because Tor must be configured on the Whonix-Gateway, and
doing so from the Whonix-Workstation is forbidden for security reasons.
https://gitlab.torproject.org/legacy/trac/-/issues/14100
https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Open_Network_Settings
* export TOR_NO_DISPLAY_NETWORK_SETTINGS=1
=== /usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf /usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/usr/lib/tmpfiles.d/anon-ws-disable-stacked-tor.conf
* workstation only
Creates folder /run/anon-ws-disable-stacked-tor.
* d /run/anon-ws-disable-stacked-tor 0775 root root
=== /usr/sbin/tor.anondist ===
* [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/sbin/tor.anondist /usr/sbin/tor.anondist]
* ~/derivative-maker/packages/anon-ws-disable-stacked-tor/usr/sbin/tor.anondist
* workstation only
dummy Tor wrapper doing nothing but wait forever.
== bindp ==
* https://github.com/Whonix/bindp
* [https://github.com/Whonix/bindp/blob/master/debian/control debian/control]
=== Binding specific IP and Port for Linux Running Application ===
This package is probably most useful for Anonymity Distributions.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /debian/bindp.postinst ===
* [https://github.com/Whonix/bindp/blob/master/debian/bindp.postinst /debian/bindp.postinst]
* ~/derivative-maker/packages/bindp/debian/bindp.postinst
* workstation only
Compiles /usr/lib/bindp.c to /usr/lib/libindp.so during package installation
using gcc.
== whonix-ws-network-conf ==
* https://github.com/Whonix/whonix-ws-network-conf
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/debian/control debian/control]
=== Network Configuration for Whonix-Workstation ===
Includes /etc/network/interfaces for Whonix-Workstation.
Sets up an internal network interface eth0.
DNS configuration for Anonymity Linux Distribution Workstations:
Whether an Anonymity Linux Distribution Gateway supports anonymized system DNS
for the Workstation's traffic (also known as Transparent DNS Proxy) mainly
depends on the Gateway's firewall.
This package simply installs /etc/resolv.conf pointing to 10.152.152.10, where
an Anon-Gateway is supposed to provide a DnsPort on port 53. IP HARDCODED but
no need to change because only description.
Currently relevant for Non-Qubes-Whonix only.
=== /debian/whonix-ws-network-conf.links ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/debian/whonix-ws-network-conf.links /debian/whonix-ws-network-conf.links]
* ~/derivative-maker/packages/whonix-ws-network-conf/debian/whonix-ws-network-conf.links
* workstation only
* Non-Qubes-Whonix only
Disable Predictable Network Interface Names as these are problematic.
https://forums.whonix.org/t/whonix-14-0-0-0-7-developers-only/3449/4
Disabling them as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* /dev/null /etc/systemd/network/99-default.link
=== /debian/whonix-ws-network-conf.triggers ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/debian/whonix-ws-network-conf.triggers /debian/whonix-ws-network-conf.triggers]
* ~/derivative-maker/packages/whonix-ws-network-conf/debian/whonix-ws-network-conf.triggers
* workstation only
* Non-Qubes-Whonix only
Required for /etc/systemd/network/99-default.link to take effect as per
'zless /usr/share/doc/udev/README.Debian.gz'.
* activate-noawait update-initramfs
=== /etc/network/interfaces.d/30_non-qubes-whonix ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix /etc/network/interfaces.d/30_non-qubes-whonix]
* ~/derivative-maker/packages/whonix-ws-network-conf/etc/network/interfaces.d/30_non-qubes-whonix
* workstation only
* Non-Qubes-Whonix only
Network interfaces configuration for eth0, used to communicate with Whonix-Gateway.
Static network configuration.
IP HARDCODED but no need to change since only comment.
* #address 10.152.152.11
* #netmask 255.255.192.0
* #gateway 10.152.152.10
=== /etc/resolv.conf.whonix ===
* [https://github.com/Whonix/whonix-ws-network-conf/blob/master/etc/resolv.conf.whonix /etc/resolv.conf.whonix]
* ~/derivative-maker/packages/whonix-ws-network-conf/etc/resolv.conf.whonix
set nameserver 10.152.152.10
This works different in Qubes-Whonix.
= Shared by Whonix-Gateway and Whonix-Workstation =
== anon-apt-sources-list ==
* https://github.com/Kicksecure/anon-apt-sources-list
* [https://github.com/Kicksecure/anon-apt-sources-list/blob/master/debian/control debian/control]
=== /etc/apt/sources.list.d/debian.list for Anonymity Linux Distributions ===
A question of distribution maintenance strategies. The more standard
way would indeed be populating /etc/apt/sources.list at install or build time
and leaving /etc/apt/sources.list.d alone. The idea of managing
/etc/apt/sources.list.d/debian.list for the user is, the anonymity
distribution maintainers can decide when it is a better "change stable to
oldstable", "keep wheezy as long as needed to work out [eventual!] issues
that would break during upgrade to jessie" and such.
=== /etc/apt/sources.list.d/debian.list ===
* [https://github.com/Kicksecure/anon-apt-sources-list/blob/master/etc/apt/sources.list.d/debian.list /etc/apt/sources.list.d/debian.list]
* ~/derivative-maker/packages/anon-apt-sources-list/etc/apt/sources.list.d/debian.list
Debian APT repository sources.list, configured to use tor+https.
Technical notes:
- Why are sources (deb-src) disabled by default? Because those are not
required by most users, to save time while running sudo apt update.
- See also: https://www.debian.org/security/
- See also: /etc/apt/sources.list.d/
== anon-shared-build-apt-sources-tpo ==
* https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo
* [https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo/blob/master/debian/control debian/control]
=== Adds TPO's APT repository to Anonymity Linux Distributions ===
Comes with "deb https://deb.torproject.org/torproject.org stable main" and The
Tor Project's APT signing key.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /etc/apt/sources.list.d/torproject.list ===
* [https://github.com/Kicksecure/anon-shared-build-apt-sources-tpo/blob/master/etc/apt/sources.list.d/torproject.list /etc/apt/sources.list.d/torproject.list]
* ~/derivative-maker/packages/anon-shared-build-apt-sources-tpo/etc/apt/sources.list.d/torproject.list
* Not installed by default.
Tor Project APT repository sources.list
== qubes-whonix ==
* https://github.com/Whonix/qubes-whonix
* [https://github.com/Whonix/qubes-whonix/blob/master/debian/control debian/control]
=== Qubes Configuration for Whonix-Gateway and Whonix-Workstation ===
This package contains all the scripts and configuration options to be able
to run Whonix-Gateway and Whonix-Workstation within a Qubes environment.
Whonix-Gateway should run as a ProxyVM.
Whonix-Workstation should run as an AppVM.
Template updates over Tor.
Package: qubes-whonix-shared-packages-recommended
Architecture: all
Depends: qubes-core-agent-passwordless-root | dummy-dependency,
qubes-kernel-vm-support, initramfs-tools, qubes-mgmt-salt-vm-connector,
qubes-usb-proxy, qubes-input-proxy-sender,
qubes-core-agent-thunar, qubes-core-agent-nautilus,
${misc:Depends}
Description: Recommended packages for Qubes-Whonix-Gateway and Qubes-Whonix-Workstation
=== Recommended packages for Qubes-Whonix-Gateway and Qubes-Whonix-Workstation ===
A metapackage that pulls in the packages recommended to make the standard
Qubes-Whonix tools available, plus other useful recommended packages.
Safe to remove if you know what you are doing.
Package: qubes-whonix-gateway-packages-recommended
Architecture: all
Depends: tinyproxy,
yum,
yum-utils,
qubes-core-agent-dom0-updates,
${misc:Depends}
Description: Recommended packages for Qubes-Whonix-Gateway
=== Recommended packages for Qubes-Whonix-Gateway ===
A metapackage that installs the packages recommended for
Qubes-Whonix-Gateway.
Safe to remove if you know what you are doing.
Package: qubes-whonix-workstation-packages-recommended
Architecture: all
Depends: qubes-thunderbird,
qubes-gpg-split,
qubes-pdf-converter,
qubes-img-converter,
pulseaudio-qubes,
${misc:Depends}
Description: Recommended packages for Qubes-Whonix-Workstation
=== Recommended packages for Qubes-Whonix-Workstation ===
A metapackage that installs the packages recommended for
Qubes-Whonix-Workstation.
Feel free to remove if you know what you are doing.
=== /etc/qubes/protected-files.d/qubes-whonix.conf ===
* [https://github.com/Whonix/qubes-whonix/blob/master/etc/qubes/protected-files.d/qubes-whonix.conf /etc/qubes/protected-files.d/qubes-whonix.conf]
* ~/derivative-maker/packages/qubes-whonix/etc/qubes/protected-files.d/qubes-whonix.conf
* Qubes-Whonix only
Configure Qubes to not modify files shipped by Whonix:
* /etc/hostname
* /etc/hosts
* /etc/localtime
* /etc/timezone
* /etc/resolv.conf
=== /etc/uwt.d/40_qubes.conf ===
* [https://github.com/Whonix/qubes-whonix/blob/master/etc/uwt.d/40_qubes.conf /etc/uwt.d/40_qubes.conf]
* ~/derivative-maker/packages/qubes-whonix/etc/uwt.d/40_qubes.conf
* Qubes-Whonix only
uwt Qubes-Whonix integration
Runs only inside a Qubes Template.
This configuration snippet configures [[#uwt|uwt]] to wait before running
apt until either the status file
/run/updatesproxycheck/whonix-secure-proxy
or the status file
/run/updatesproxycheck/whonix-secure-proxy-check-done
exists. It times out after 120 seconds.
This is how it determines whether a torified Qubes updates proxy was detected.
If detection of the torified Qubes updates proxy fails, it prevents running
apt and shows the following warning:
WARNING: Execution of apt prevented by @file_name@ because no torified Qubes updates proxy found.
If detection succeeds, it disables the apt uwtwrapper. In other words, apt runs
normally, without torsocks, because the apt config file
/etc/apt/apt.conf.d/01qubes-proxy
will already contain the http proxy setting for the TCP based Qubes updates proxy
Acquire::http::Proxy "http://10.137.255.254:8082/";
or for the qrexec based Qubes updates proxy
Acquire::http::Proxy "http://127.0.0.1:8082/";
In that case the updates proxy, not torsocks, is what keeps apt's traffic on Tor, which is why apt is refused rather than run unwrapped when no such proxy is found.
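The wait-and-gate logic described above, as an added shell example rather than the 40_qubes.conf snippet itself: it polls for the two status files with a timeout and either lets apt run without torsocks or refuses it. The status file names follow the description; the exit codes, the reading of "check-done present but secure-proxy absent means detection failed", and the configurable timeout are this example's own assumptions.

```shell
#!/bin/sh
# Added example: fail-closed gate for apt modelled on the 40_qubes.conf description.
# Not the uwt snippet itself; file names follow the page, exit codes and the
# reading of "check-done without secure-proxy = detection failed" are assumptions.

STATUS_DIR=${STATUS_DIR:-/run/updatesproxycheck}

# wait_for_proxy_status DIR TIMEOUT_SECONDS
#   0: DIR/whonix-secure-proxy appeared (torified updates proxy detected)
#   2: DIR/whonix-secure-proxy-check-done appeared without it (check finished, no proxy)
#   1: neither appeared before the timeout
wait_for_proxy_status() {
  dir=$1; timeout=$2; waited=0
  while :; do
    if [ -f "$dir/whonix-secure-proxy" ]; then return 0; fi
    if [ -f "$dir/whonix-secure-proxy-check-done" ]; then return 2; fi
    if [ "$waited" -ge "$timeout" ]; then return 1; fi
    sleep 1
    waited=$((waited + 1))
  done
}

# apt_policy DIR TIMEOUT: decide what the wrapper should do with apt.
# Prints "direct" (run apt without torsocks; the Qubes updates proxy does the
# torification) or "deny", and returns 1 in the deny case.
apt_policy() {
  if wait_for_proxy_status "$1" "$2"; then
    echo direct
    return 0
  fi
  # Both a timeout and a finished-but-negative check end up here: without a
  # torified updates proxy, running apt would be a clearnet leak, so refuse.
  echo deny
  return 1
}

# Stand-alone use: exit non-zero (and print the warning) when apt must not run.
if [ "${1:-}" = "--check" ]; then
  if ! apt_policy "$STATUS_DIR" 120 >/dev/null; then
    echo "WARNING: Execution of apt prevented because no torified Qubes updates proxy found." >&2
    exit 1
  fi
fi
```

The two "no" outcomes are deliberately collapsed into one refusal: a timeout is treated exactly like a negative result, so a slow or crashed detector never degrades into an unwrapped apt run.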
== ro-mode-init ==
* https://github.com/Whonix/ro-mode-init
* [https://github.com/Whonix/ro-mode-init/blob/master/debian/control debian/control]
=== Detects read-only disks and automatically enables live-boot ===
Allows booting the system in live mode. Meaning, no persistent modifications
will be written to the disk. All changes stay in RAM.
No claims are made with regard to anti forensics.
=== /debian/ro-mode-init.triggers ===
* [https://github.com/Whonix/ro-mode-init/blob/master/debian/ro-mode-init.triggers /debian/ro-mode-init.triggers]
* ~/derivative-maker/packages/ro-mode-init/debian/ro-mode-init.triggers
* workstation only
* Non-Qubes-Whonix only
Make changes by ro-mode-init take effect.
* activate-noawait update-initramfs
== sdwdate ==
* https://github.com/Kicksecure/sdwdate
* [https://github.com/Kicksecure/sdwdate/blob/master/debian/control debian/control]
=== Secure Distributed Network Time Synchronization ===
Time keeping is crucial for security, privacy, and anonymity. sdwdate is a Tor
friendly replacement for rdate and ntpdate that sets the system's clock by
communicating via onion-encrypted TCP with Tor onion webservers.
At randomized intervals, sdwdate connects to a variety of webservers and
extracts the time stamps from the HTTP Date headers (RFC 2616).
Using the sclockadj option, the time is adjusted gradually, preventing large
clock jumps that could confuse logs, servers, Tor, i2p, etc.
This package contains the sdwdate time fetcher and daemon. No
installation on remote servers is required. To avoid conflicts, this daemon
should not be enabled together with ntp or tlsdated.
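To make the fetching step concrete, here is an added shell example (not sdwdate's code) that extracts the Date header from a captured HTTP response, converts the RFC 2616 timestamp to Unix time without relying on the local C library's date parsing, and combines several sources by taking the median offset. The sample responses are constructed inline, and the median rule is this example's choice rather than a statement of sdwdate's own algorithm.

```shell
#!/bin/sh
# Added example, not sdwdate's code: time extraction from HTTP Date headers.

# date_header_of FILE: print the value of the Date header of a raw HTTP response
# (CRLF tolerant, case-insensitive header name, stops at the end of the header block
# so a "Date:" string in the body is never picked up).
date_header_of() {
  tr -d '\r' < "$1" | awk '
    NR > 1 && /^$/ { exit }
    tolower($1) == "date:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# http_date_to_epoch "Tue, 15 Nov 1994 08:12:31 GMT" -> 784887151
# Accepts only the RFC 1123 form that RFC 2616 requires servers to emit; any
# other layout yields a non-zero exit status so a bad source is skipped, not trusted.
http_date_to_epoch() {
  printf '%s\n' "$1" | awk '
    function days_from_civil(y, m, d,   era, yoe, doy, doe) {
      # days since 1970-01-01 (proleptic Gregorian)
      if (m <= 2) y--
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= n; i++) mon[names[i]] = i
    }
    {
      if (NF != 6 || $6 != "GMT" || !($3 in mon) || split($5, t, ":") != 3) exit 1
      printf "%d\n", days_from_civil($4, mon[$3], $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# median_offset LOCAL_EPOCH: read Date header values on stdin, one per line, and
# print the median of (remote - local). A single lying or broken server cannot
# move the median on its own; unparseable lines are dropped. Exits 1 with no input.
median_offset() {
  local_now=$1
  while IFS= read -r line; do
    remote=$(http_date_to_epoch "$line") || continue
    printf '%s\n' "$((remote - local_now))"
  done | sort -n | awk '{ v[NR] = $0 } END { if (NR == 0) exit 1; print v[int((NR + 1) / 2)] }'
}

# Stand-alone use over saved responses:
#   for f in resp1 resp2 resp3; do date_header_of "$f"; done | median_offset "$(date +%s)"
```

The resulting offset is the input to the gradual adjustment the description mentions; applying it in one step is exactly the clock jump sclockadj exists to avoid.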
=== /etc/qubes/suspend-post.d/30_sdwdate.sh ===
* [https://github.com/Kicksecure/sdwdate/blob/master/etc/qubes/suspend-post.d/30_sdwdate.sh /etc/qubes/suspend-post.d/30_sdwdate.sh]
* ~/derivative-maker/packages/sdwdate/etc/qubes/suspend-post.d/30_sdwdate.sh
hook to run /usr/lib/sdwdate/suspend-post
in Qubes-Whonix.
=== /etc/qubes/suspend-pre.d/30_sdwdate.sh ===
* [https://github.com/Kicksecure/sdwdate/blob/master/etc/qubes/suspend-pre.d/30_sdwdate.sh /etc/qubes/suspend-pre.d/30_sdwdate.sh]
* ~/derivative-maker/packages/sdwdate/etc/qubes/suspend-pre.d/30_sdwdate.sh
hook to run /usr/lib/sdwdate/suspend-pre
in Qubes-Whonix.
== security-misc ==
* https://github.com/Kicksecure/security-misc
* [https://github.com/Kicksecure/security-misc/blob/master/debian/control debian/control]
=== Enhances Miscellaneous Security Settings ===
https://github.com/Kicksecure/security-misc/blob/master/README.md
https://www.whonix.org/wiki/Security-misc
Discussion:
Happening primarily in {{project_name_short}} forums.
https://forums.whonix.org/t/kernel-hardening/7296
=== /etc/sysctl.d/30_security-misc.conf ===
* [https://github.com/Kicksecure/security-misc/blob/master/etc/sysctl.d/30_security-misc.conf /etc/sysctl.d/30_security-misc.conf]
* ~/derivative-maker/packages/security-misc/etc/sysctl.d/30_security-misc.conf
TCP/IP stack hardening
Protects against time-wait assassination.
It drops RST packets for sockets in the time-wait state.
* net.ipv4.tcp_rfc1337=1
Disables ICMP redirect acceptance.
* net.ipv4.conf.all.accept_redirects=0
* net.ipv4.conf.default.accept_redirects=0
* net.ipv4.conf.all.secure_redirects=0
* net.ipv4.conf.default.secure_redirects=0
* net.ipv6.conf.all.accept_redirects=0
* net.ipv6.conf.default.accept_redirects=0
Disables ICMP redirect sending. This only exists for IPv4: Linux has no
send_redirects sysctl for IPv6, and the two IPv6 lines the shipped file repeats
under this heading merely restate the acceptance setting from above.
* net.ipv4.conf.all.send_redirects=0
* net.ipv4.conf.default.send_redirects=0
* net.ipv6.conf.all.accept_redirects=0 (repeated from above; does not affect sending)
* net.ipv6.conf.default.accept_redirects=0 (repeated from above; does not affect sending)
Ignores ICMP echo requests, so the host does not answer ping.
* net.ipv4.icmp_echo_ignore_all=1
Enables TCP syncookies.
* net.ipv4.tcp_syncookies=1
Disable source routing.
* net.ipv4.conf.all.accept_source_route=0
* net.ipv4.conf.default.accept_source_route=0
* net.ipv6.conf.all.accept_source_route=0
* net.ipv6.conf.default.accept_source_route=0
Enable reverse path filtering to prevent IP spoofing and
mitigate vulnerabilities such as CVE-2019-14899. The value 1 is strict mode:
a packet is dropped unless the best route back to its source leaves through the
interface it arrived on. Strict mode can break asymmetric routing on
multi-homed hosts; a single-uplink gateway is not affected.
https://forums.whonix.org/t/enable-reverse-path-filtering/8594
* net.ipv4.conf.default.rp_filter=1
* net.ipv4.conf.all.rp_filter=1
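A snippet in /etc/sysctl.d only helps if the running kernel actually carries its values; a later file can override a key, and a typo leaves it unapplied. The following added check, which is not part of security-misc, parses a sysctl.d-style file and compares it against the live values from `sysctl -n`. The script name and the separation into parse, fetch and compare steps are this example's own.

```shell
#!/bin/sh
# Added example (not part of security-misc): verify a sysctl.d file against the
# running kernel. Handles "key=value" and "key = value" lines and comments; the
# "key/with/slashes" spelling sysctl also accepts is not handled.

# parse_sysctl_conf FILE: strip comments and whitespace, print key=value lines.
parse_sysctl_conf() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# live_values WANT_FILE: for every key in WANT_FILE print key=<running value>
# (empty value when the kernel does not know the key).
live_values() {
  while IFS='=' read -r key _; do
    printf '%s=%s\n' "$key" "$(sysctl -n "$key" 2>/dev/null)"
  done < "$1"
}

# compare_values WANT_FILE HAVE_FILE: report every key whose running value
# differs from, or is missing compared to, the wanted one. Returns 1 on any
# difference so the check can fail a boot test or CI job.
compare_values() {
  rc=0
  while IFS='=' read -r key want; do
    have=$(awk -F= -v k="$key" '$1 == k { print substr($0, length(k) + 2); exit }' "$2")
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $key: want $want have ${have:-<unset>}"
      rc=1
    fi
  done < "$1"
  return $rc
}

# Stand-alone use: check_sysctl.sh /etc/sysctl.d/30_security-misc.conf
if [ "$#" -eq 1 ]; then
  want=$(mktemp); have=$(mktemp)
  parse_sysctl_conf "$1" > "$want"
  live_values "$want" > "$have"
  compare_values "$want" "$have"
  rc=$?
  rm -f "$want" "$have"
  exit "$rc"
fi
```

Run it after boot rather than right after `sysctl --system`: interface-specific keys such as net.ipv4.conf.all.* can be reset by network management tools that come up later.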
== uwt ==
* https://github.com/Whonix/uwt
* [https://github.com/Whonix/uwt/blob/master/debian/control debian/control]
=== Use Applications over Tor with Stream Isolation and Time Privacy ===
Can add "torsocks" and/or "timeprivacy" before invocation of applications when
configured to do so. For example, when simply typing "apt-get" instead of
"torsocks apt-get", "apt-get" can still be routed over Tor.
The uwt package comes with the following applications pre-configured to use
uwtwrapper, Tor and stream isolation:
- apt
- apt-file
- apt-get
- aptitude-curses
- curl
- git
- gpg
- gpg2
- mixmaster-update
- rawdog
- ssh
- wget
- yum
- yumdownloader
- wormhole
To circumvent a uwt wrapper on a case by case basis, append ".anondist-real" to
the command, for example "apt-get.anondist-real". You can also deactivate
specific or all uwt wrappers by using the stackable .d-style configuration
folder /etc/uwt.d.
uwt can only work as well as torsocks does. If torsocks is unable to route all
of an application's traffic over Tor, e.g. if there is a leak, there will
also be one when using uwt. For that reason, it is recommended to use
Anonymity Distributions that prevent such leaks.
If an application has native support for socks proxy settings, that should
be preferred over uwt. Also refer to the TorifyHOWTO and your distribution's
documentation.
Timeprivacy can keep your time private. You can create wrappers for
applications and timeprivacy will feed those applications a fake time,
which obfuscates at which time you really used that application (such as when
you made the git commit or when you signed that document). It does NOT set
your time zone to UTC.
This package is probably most useful for Anonymity Distributions.
This package is produced independently of, and carries no guarantee from,
The Tor Project.
=== /debian/uwt.displace ===
* [https://github.com/Whonix/uwt/blob/master/debian/uwt.displace /debian/uwt.displace]
* ~/derivative-maker/packages/uwt/debian/uwt.displace
Replaces the following files with the uwt version, using config-package-dev
displace.
The torsocks configuration file /etc/tor/torsocks.conf:
* /etc/tor/torsocks.conf.anondist
Replaces apt, wget, curl, ssh, onionshare, ricochet and wormhole with a uwt
wrapper which then calls /usr/lib/uwtwrapper:
* /usr/bin/apt.anondist
* /usr/bin/apt-file.anondist
* /usr/bin/apt-get.anondist
* /usr/bin/aptitude-curses.anondist
* /usr/bin/curl.anondist
* /usr/bin/git.anondist
* /usr/bin/gpg.anondist
* /usr/bin/gpg2.anondist
* /usr/bin/mixmaster-update.anondist
* /usr/bin/rawdog.anondist
* /usr/bin/ssh.anondist
* /usr/bin/wget.anondist
* /usr/bin/yum.anondist
* /usr/bin/yumdownloader.anondist
* /usr/bin/onionshare.anondist
* /usr/bin/onionshare-gui.anondist
* /usr/bin/ricochet.anondist
* /usr/bin/wormhole.anondist
=== /etc/profile.d/20_uwt.sh ===
* [https://github.com/Whonix/uwt/blob/master/etc/profile.d/20_uwt.sh /etc/profile.d/20_uwt.sh]
* ~/derivative-maker/packages/uwt/etc/profile.d/20_uwt.sh
/etc/profile.d
hook to source /usr/lib/uwt/uwt.sh
=== /etc/sudoers.d/uwt ===
* [https://github.com/Whonix/uwt/blob/master/etc/sudoers.d/uwt /etc/sudoers.d/uwt]
* ~/derivative-maker/packages/uwt/etc/sudoers.d/uwt
Keeps TORSOCKS_LOG_LEVEL in the environment across sudo, so that the torsocks
warning spam disabled by /usr/lib/uwt/uwt.sh stays disabled for commands run
under sudo as well, such as:
[May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165)
https://phabricator.whonix.org/T317
* Defaults:ALL env_keep += "TORSOCKS_LOG_LEVEL"
=== /etc/tor/torsocks.conf.anondist ===
* [https://github.com/Whonix/uwt/blob/master/etc/tor/torsocks.conf.anondist /etc/tor/torsocks.conf.anondist]
* ~/derivative-maker/packages/uwt/etc/tor/torsocks.conf.anondist
torsocks configuration
* AllowInbound 1 (permit listening sockets instead of denying them)
* AllowOutboundLocalhost 1 (connections to localhost bypass the SOCKS proxy)
* IsolatePID 1 (each process authenticates to the SocksPort with its own generated SOCKS username/password, so Tor puts it on its own circuit; this is what gives per-process stream isolation)
=== /etc/uwt.d/30_uwt_default.conf ===
* [https://github.com/Whonix/uwt/blob/master/etc/uwt.d/30_uwt_default.conf /etc/uwt.d/30_uwt_default.conf]
* ~/derivative-maker/packages/uwt/etc/uwt.d/30_uwt_default.conf
uwt
configuration
=== /etc/X11/Xsession.d/20uwt ===
* [https://github.com/Whonix/uwt/blob/master/etc/X11/Xsession.d/20uwt /etc/X11/Xsession.d/20uwt]
* ~/derivative-maker/packages/uwt/etc/X11/Xsession.d/20uwt
/etc/X11/Xsession.d
hook to source /usr/lib/uwt/uwt.sh
=== /usr/bin/apt.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/apt.anondist /usr/bin/apt.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/apt.anondist
uwt wrapped application
* export uwtwrapper_parent="${BASH_SOURCE[0]}"
* exec /usr/lib/uwtwrapper "$@"
=== /usr/bin/apt-file.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/apt-file.anondist /usr/bin/apt-file.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/apt-file.anondist
uwt wrapped application
=== /usr/bin/apt-get.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/apt-get.anondist /usr/bin/apt-get.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/apt-get.anondist
uwt wrapped application
=== /usr/bin/aptitude-curses.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/aptitude-curses.anondist /usr/bin/aptitude-curses.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/aptitude-curses.anondist
uwt wrapped application
=== /usr/bin/curl.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/curl.anondist /usr/bin/curl.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/curl.anondist
uwt wrapped application
* export uwtwrapper_parent="${BASH_SOURCE[0]}"
* exec /usr/lib/uwtwrapper "$@"
=== /usr/bin/git.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/git.anondist /usr/bin/git.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/git.anondist
uwt wrapped application
=== /usr/bin/gpg2.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/gpg2.anondist /usr/bin/gpg2.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/gpg2.anondist
uwt wrapped application
=== /usr/bin/mixmaster-update.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/mixmaster-update.anondist /usr/bin/mixmaster-update.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/mixmaster-update.anondist
uwt wrapped application
=== /usr/bin/onionshare-gui.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/onionshare-gui.anondist /usr/bin/onionshare-gui.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/onionshare-gui.anondist
uwt wrapped application
=== /usr/bin/rawdog.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/rawdog.anondist /usr/bin/rawdog.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/rawdog.anondist
uwt wrapped application
=== /usr/bin/ricochet.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/ricochet.anondist /usr/bin/ricochet.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/ricochet.anondist
uwt wrapped application
ricochet does not have unix domain socket file support, therefore it depends
on the TOR_CONTROL_HOST and TOR_CONTROL_PORT environment variables being
set. Otherwise it would try to start its own Tor instance.
https://phabricator.whonix.org/T444
* TOR_CONTROL_HOST="127.0.0.1"
* TOR_CONTROL_PORT="9151"
* export TOR_CONTROL_HOST
* export TOR_CONTROL_PORT
* export uwtwrapper_parent="${BASH_SOURCE[0]}"
* exec /usr/lib/uwtwrapper "$@"
=== /usr/bin/ssh.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/ssh.anondist /usr/bin/ssh.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/ssh.anondist
uwt wrapped application
=== /usr/bin/time_privacy ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/time_privacy /usr/bin/time_privacy]
* ~/derivative-maker/packages/uwt/usr/bin/time_privacy
undocumented
=== /usr/bin/wget.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/wget.anondist /usr/bin/wget.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/wget.anondist
uwt wrapped application
=== /usr/bin/wormhole.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/wormhole.anondist /usr/bin/wormhole.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/wormhole.anondist
uwt wrapped application
=== /usr/bin/yum.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/yum.anondist /usr/bin/yum.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/yum.anondist
uwt wrapped application
=== /usr/bin/yumdownloader.anondist ===
* [https://github.com/Whonix/uwt/blob/master/usr/bin/yumdownloader.anondist /usr/bin/yumdownloader.anondist]
* ~/derivative-maker/packages/uwt/usr/bin/yumdownloader.anondist
uwt wrapped application
=== /usr/lib/uwt/uwt.sh ===
* [https://github.com/Whonix/uwt/blob/master/usr/libexec/uwt/uwt.sh /usr/lib/uwt/uwt.sh]
* ~/derivative-maker/packages/uwt/usr/lib/uwt/uwt.sh
Disables torsocks warning spam such as:
[May 20 11:45:27] WARNING torsocks[2645]: [syscall] Unsupported syscall number 224. Denying the call (in tsocks_syscall() at syscall.c:165)
https://phabricator.whonix.org/T317
* export TORSOCKS_LOG_LEVEL=1
=== /usr/lib/uwtexec ===
* [https://github.com/Whonix/uwt/blob/master/usr/libexec/uwt/uwtexec /usr/lib/uwtexec]
* ~/derivative-maker/packages/uwt/usr/lib/uwtexec
This script is used by uwtwrapper as a workaround to preserve the zeroth
argument when executing programs with other wrappers like faketime or torsocks.
=== /usr/lib/uwt_settings_show ===
* [https://github.com/Whonix/uwt/blob/master/usr/libexec/uwt/uwt_settings_show /usr/lib/uwt_settings_show]
* ~/derivative-maker/packages/uwt/usr/lib/uwt_settings_show
* echo "uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:"
* echo "uwt INFO: https://www.whonix.org/wiki/Stream_Isolation/Easy"
=== /usr/lib/uwtwrapper ===
* [https://github.com/Whonix/uwt/blob/master/usr/libexec/uwt/uwtwrapper /usr/lib/uwtwrapper]
* ~/derivative-maker/packages/uwt/usr/lib/uwtwrapper
When running uwt wrapped applications (such as apt, wget, curl, onionshare or
others), automatically prepend torsocks or bindp. I.e. when for example apt or
curl is executed, what really happens is running torsocks apt or torsocks curl.
uwtwrappers and /usr/lib/uwtwrapper are hacks to socksify applications that do
not support native socks proxy settings. Used to implement Stream Isolation.
https://www.whonix.org/wiki/Stream_Isolation
In essence, uwtwrappers are installed so users can type commands like
apt-get normally while transparently injecting torsocks, thereby stream
isolating them.
To understand better how uwt wrappers function, you could for example open
/usr/bin/apt-get.anondist in an editor.
Also useful to run:
ls -la /usr/bin/apt-get*
You will see, that /usr/bin/apt-get has been replaced with a symlink to
/usr/bin/apt-get.anondist. (This was done using config-package-dev.)
/usr/bin/apt-get.anondist is a uwt wrapper.
/usr/bin/apt-get.anondist-orig is the original apt-get binary.
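The dispatch that /usr/bin/NAME.anondist together with /usr/lib/uwtwrapper performs, as an added shell example rather than uwt's own code: it derives the application from the wrapper's own path, consults a stackable .d directory in which later files override earlier ones, and execs either torsocks NAME.anondist-orig or NAME.anondist-orig directly. The configuration keys (uwtwrapper_global, uwtwrapper_disable), the UWT_CONF_DIR override and the function names are this example's assumptions, not uwt's real format.

```shell
#!/bin/sh
# Added example: minimal uwt-style wrapper. Not the Whonix uwtwrapper; config keys,
# the UWT_CONF_DIR override and the function names are this example's own.
#
# Layout assumed (what the page describes config-package-dev displace producing):
#   /usr/bin/NAME               symlink -> /usr/bin/NAME.anondist
#   /usr/bin/NAME.anondist      wrapper stub: sets uwtwrapper_parent to its own path,
#                               then execs the dispatcher (this file)
#   /usr/bin/NAME.anondist-orig the original binary

# uwt_load_config: source every *.conf in the .d directory, later files override
# earlier ones; the defaults are "wrap everything".
uwt_load_config() {
  uwtwrapper_global=1          # master switch (hypothetical key)
  uwtwrapper_disable=""        # space separated app names left unwrapped (hypothetical key)
  for f in "${UWT_CONF_DIR:-/etc/uwt.d}"/*.conf; do
    if [ -r "$f" ]; then . "$f"; fi
  done
}

# uwt_app_name WRAPPER_PATH: /usr/bin/apt-get.anondist -> apt-get
uwt_app_name() {
  base=${1##*/}
  printf '%s\n' "${base%.anondist}"
}

# uwt_is_wrapped NAME: true when torsocks must be prepended for NAME
uwt_is_wrapped() {
  [ "$uwtwrapper_global" = "1" ] || return 1
  for d in $uwtwrapper_disable; do
    [ "$d" = "$1" ] && return 1
  done
  return 0
}

# uwt_build_cmd WRAPPER_PATH [ARGS...]: print the argv the dispatcher would exec,
# one element per line, without running anything (dry run / test hook).
uwt_build_cmd() {
  parent=$1; shift
  uwt_load_config
  if uwt_is_wrapped "$(uwt_app_name "$parent")"; then
    printf '%s\n' torsocks "${parent}-orig" "$@"
  else
    printf '%s\n' "${parent}-orig" "$@"
  fi
}

# uwt_exec WRAPPER_PATH [ARGS...]: the real thing; replaces this process.
# The original binary is run by path, so it sees argv[0] = NAME.anondist-orig;
# this is the argv[0] problem that uwt's uwtexec helper works around.
uwt_exec() {
  parent=$1; shift
  uwt_load_config
  if uwt_is_wrapped "$(uwt_app_name "$parent")"; then
    exec torsocks "${parent}-orig" "$@"
  fi
  exec "${parent}-orig" "$@"
}

# Stand-alone use, as a stub would call it:
#   export uwtwrapper_parent="/usr/bin/apt-get.anondist"; uwt_exec "$uwtwrapper_parent" "$@"
if [ -n "${uwtwrapper_parent:-}" ]; then
  uwt_exec "$uwtwrapper_parent" "$@"
fi
```

Note what the wrapper cannot do: when the master switch is off, or an application is on the disable list, the command runs unwrapped and its traffic is only as private as the surrounding system makes it, which is why the package description recommends running uwt inside a distribution that blocks leaks at the firewall.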
bindp is used to make applications which listen on the internal IP by default,
such as onionshare (which is the right thing to do outside of Whonix), listen
on the external IP instead. See also:
* https://github.com/Whonix/bindp
* https://phabricator.whonix.org/T561
== whonix-base-files ==
* https://github.com/Whonix/whonix-base-files
* [https://github.com/Whonix/whonix-base-files/blob/master/debian/control debian/control]
=== {{project_name_short}} base system miscellaneous files ===
This package contains several important miscellaneous files, such as
/etc/issue, /etc/motd, /etc/dpkg/origins/whonix,
/etc/skel/.bashrc, /usr/bin/whonix, and others.
Anonymized operating system user name `user`, `/etc/hostname`, `/etc/hosts`,
`/etc/machine-id`, `/var/lib/dbus/machine-id`, which should be shared among
all anonymity distributions. See also:
* https://web.archive.org/web/20170630045108/https://mailman.boum.org/pipermail/tails-dev/2013-January/002457.html
* https://gitlab.tails.boum.org/tails/tails/-/issues/5655
* https://lists.autistici.org/message/20140627.215105.24023267.en.html
Sets the WHONIX environment variable to 1 as well.
Ships marker files:
* /usr/share/whonix/marker
* /usr/share/anon-dist/marker
=== /etc/hosts.whonix ===
* [https://github.com/Whonix/whonix-base-files/blob/master/etc/hosts.whonix /etc/hosts.whonix]
* ~/derivative-maker/packages/whonix-base-files/etc/hosts.whonix
Debian default /etc/hosts + Anonymity Distribution specific additions.
Currently only 127.0.0.1 host.localdomain host
gets added.
== whonix-firewall ==
* https://github.com/Whonix/whonix-firewall
* [https://github.com/Whonix/whonix-firewall/blob/master/debian/control debian/control]
=== Firewall for Whonix-Gateway and Whonix-Workstation ===
iptables rules script and firewall configuration file for Whonix-Gateway and
Whonix-Workstation.
Whonix-Gateway Firewall Features:
- transparent proxying
- stream isolation
- reject invalid packets
- fail closed mechanism
- optional VPN-Firewall
- optional isolating proxy
- optional incoming flash proxy
- optional Tor relay
Do not remove unless you no longer wish to use Whonix.
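To show what the gateway features listed above look like as rules, here is an added example, not the whonix-firewall script, that renders an iptables-restore ruleset for a transparent-proxy gateway: DNS and TCP arriving from the internal interface are redirected to Tor's DnsPort and TransPort, the SocksPorts used for stream isolation are reachable from the workstation, INVALID packets are dropped, only the Tor user may reach the external interface, and every chain's policy is DROP so nothing leaks if Tor or the rule load fails (fail closed). Interface names, port numbers and the Tor user name are parameters; the values in the stand-alone section are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the whonix-firewall script: render an iptables-restore ruleset
# for a Tor transparent-proxy gateway. All values are parameters; the defaults in
# the stand-alone section are assumptions for illustration only.

# render_gateway_rules EXT_IF INT_IF TOR_USER TRANS_PORT DNS_PORT "SOCKS_PORTS..."
render_gateway_rules() {
  ext_if=$1 int_if=$2 tor_user=$3 trans_port=$4 dns_port=$5 socks_ports=$6
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# transparent proxying: everything a workstation sends lands on Tor's ports
-A PREROUTING -i $int_if -p udp --dport 53 -j REDIRECT --to-ports $dns_port
-A PREROUTING -i $int_if -p tcp --syn -j REDIRECT --to-ports $trans_port
COMMIT
*filter
# fail closed: default policies drop, so a partial or failed load never opens anything
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# reject invalid packets before anything else
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# redirected traffic arrives on these ports after the nat rules above
-A INPUT -i $int_if -p tcp --dport $trans_port -j ACCEPT
-A INPUT -i $int_if -p udp --dport $dns_port -j ACCEPT
EOF
  # stream isolation: one SocksPort per application class, reachable from the workstation
  for p in $socks_ports; do
    echo "-A INPUT -i $int_if -p tcp --dport $p -j ACCEPT"
  done
cat <<EOF
# only the Tor daemon may talk to the outside; explicit REJECT so local clients
# fail fast instead of hanging, and no FORWARD rule exists at all
-A OUTPUT -o $ext_if -m owner --uid-owner $tor_user -j ACCEPT
-A OUTPUT -o $ext_if -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# apply_fail_closed RULES_FILE STATUS_DIR: load the rules; on failure leave a
# status file behind (the pattern enable-firewall uses with
# /run/anon-firewall/failed.status) and do not open the network.
apply_fail_closed() {
  if ! iptables-restore < "$1"; then
    mkdir -p "$2"
    : > "$2/failed.status"
    return 1
  fi
  rm -f "$2/failed.status"
}

# Stand-alone use; assumed example values: external eth0, internal eth1, Tor as
# debian-tor (the Debian package's user), TransPort 9040, DnsPort 5300.
if [ "${1:-}" = "--apply" ]; then
  rules=$(mktemp)
  render_gateway_rules eth0 eth1 debian-tor 9040 5300 "9100 9101 9102" > "$rules"
  apply_fail_closed "$rules" /run/anon-firewall
fi
```

Because `iptables-restore` is atomic per table, a syntax error leaves the previous state in place; combined with the DROP policies that is what makes the failure mode a blocked gateway rather than a leaking one.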
=== /debian/whonix-firewall.postinst ===
* [https://github.com/Whonix/whonix-firewall/blob/master/debian/whonix-firewall.postinst /debian/whonix-firewall.postinst]
* ~/derivative-maker/packages/whonix-firewall/debian/whonix-firewall.postinst
Creates the Linux user accounts used by the firewall script:
clearnet, tunnel, notunnel, systemcheck, sdwdate, updatesproxycheck.
Creates an empty /etc/whonix_firewall.d/50_user.conf, which is not owned
by any package, if it does not exist yet.
=== /etc/whonix_firewall.d/30_whonix_gateway_default.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_gateway_default.conf /etc/whonix_firewall.d/30_whonix_gateway_default.conf]
* ~/derivative-maker/packages/whonix-firewall/etc/whonix_firewall.d/30_whonix_gateway_default.conf
* gateway only
{{project_name_short}} firewall configuration file
=== /etc/whonix_firewall.d/30_whonix_host_default.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_host_default.conf /etc/whonix_firewall.d/30_whonix_host_default.conf]
* ~/derivative-maker/packages/whonix-firewall/etc/whonix_firewall.d/30_whonix_host_default.conf
undocumented
=== /etc/whonix_firewall.d/30_whonix_workstation_default.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_workstation_default.conf /etc/whonix_firewall.d/30_whonix_workstation_default.conf]
* ~/derivative-maker/packages/whonix-firewall/etc/whonix_firewall.d/30_whonix_workstation_default.conf
* workstation only
{{project_name_short}} firewall configuration file
=== /lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf /lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf]
* ~/derivative-maker/packages/whonix-firewall/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf
Fail closed mechanism.
When the {{project_name_short}} firewall systemd service fails, do not bring up the
network.
TODO: does not cover Qubes-Whonix since Qubes does not use networking.service.
TODO: disabled, broken. Breaks networking on package upgrades.
https://phabricator.whonix.org/T875
The drop-in therefore ships fully commented out:
#[Unit]
#After=whonix-firewall.service
#Requires=whonix-firewall.service
=== /lib/systemd/system/whonix-firewall.service ===
* ~/derivative-maker/packages/whonix-firewall/lib/systemd/system/whonix-firewall.service
Runs /usr/lib/whonix-firewall/enable-firewall.
On Whonix-Gateway or Whonix-Workstation (if
/usr/share/anon-gw-base-files/gateway
or
/usr/share/anon-ws-base-files/workstation
exists), loads the {{project_name_short}} Firewall.
(Does nothing inside Qubes Templates.)
If loading the {{project_name_short}} Firewall fails, creates
/run/anon-firewall/failed.status.
=== /usr/bin/whonix_firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix_firewall /usr/bin/whonix_firewall]
* ~/derivative-maker/packages/whonix-firewall/usr/bin/whonix_firewall
firewall starter wrapper
=== /usr/bin/whonix-gateway-firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-gateway-firewall /usr/bin/whonix-gateway-firewall]
* ~/derivative-maker/packages/whonix-firewall/usr/bin/whonix-gateway-firewall
firewall script
=== /usr/bin/whonix-workstation-firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-workstation-firewall /usr/bin/whonix-workstation-firewall]
* ~/derivative-maker/packages/whonix-firewall/usr/bin/whonix-workstation-firewall
firewall script
=== /usr/lib/whonix-firewall/enable-firewall ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/libexec/whonix-firewall/enable-firewall /usr/lib/whonix-firewall/enable-firewall]
* ~/derivative-maker/packages/whonix-firewall/usr/lib/whonix-firewall/enable-firewall
Wrapper to start firewall and create failure status files on failure.
=== /usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test ===
* [https://github.com/Whonix/whonix-firewall/blob/master/usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test /usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test]
* ~/derivative-maker/packages/whonix-firewall/usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test
stream isolation developer test script