{{Header}}
{{#seo:
|description=Preventing Tor over Tor for Tor Browser, TorChat and others.
}}
= Why? =
See [[DoNot#Prevent_Tor_over_Tor_scenarios.]]

[https://forums.whonix.org/t/anon-ws-disable-stacked-tor-considered-useless/8471 Rationale on implementation details, SocksSocket vs TCP, environment variables vs settings file]

= Implementation =
== Providing a virtual Tor package ==
Implemented in [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor anon-ws-disable-stacked-tor], [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/debian/control {{Code|debian/control}}].

The package uses the {{Code|Provides: tor}} field<ref>See "7.5 Virtual packages - Provides" on http://www.debian.org/doc/debian-policy/ch-relationships.html</ref>, which should avoid any kind of conflict in case upstream releases a higher version of Tor. This does not work for packages which depend on an explicit version of Tor (such as TorChat). This is non-ideal, since for example the {{Code|torchat}} package will still install Tor, but it is acceptable because of the following additional implementations.

== Tor binary replacement ==
Tor's binary was replaced (dpkg-diverted using config-package-dev) with dummy executables, so even if the real {{Code|tor}} package gets installed, it will not be started automatically.

* https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/bin/tor.anondist
* https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/sbin/tor.anondist

== systemd-socket-proxyd listening port redirection ==
* [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/lib/anon-ws-disable-stacked-tor/systemd-unit-files-generator Listening] using systemd-socket-proxyd on the following listening ports:
** Tor's default listening ports, i.e.:
*** system [[Tor]]'s {{Code|127.0.0.1:9050}}, {{Code|127.0.0.1:9051}} and,
*** [[Tor Browser]]'s {{Code|127.0.0.1:9150}}, {{Code|127.0.0.1:9051}},
*** [[Tor Messenger]]'s {{Code|127.0.0.1:9152}} (SocksPort) -> gateway SocksPort 9153, {{Code|127.0.0.1:9153}} ControlPort -> gateway 9051 ControlPort (actually the control port filter proxy, onion-grater)
** and others, see the [https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/anon-ws-disable-stacked-tor/systemd-unit-files-generator full list]
** Those listening ports are forwarded to {{gateway_product_name}}.
** This prevents the default Tor Browser, Tor Messenger and/or Tor package by The Tor Project from opening these default ports: Tor fails to open its listening port and therefore exits, thus preventing Tor over Tor.

TODO: describe
* systemd socket activation
* https://phabricator.whonix.org/T357

== Unix Domain Socket File Redirection ==
Since Tor Browser, [[OnionShare]] ([https://cloud.githubusercontent.com/assets/156128/21556064/8ead0338-cdd2-11e6-918c-d4ca61724b52.png screenshot]) and more and more other applications require [https://phabricator.whonix.org/T192 SocksSocket]<ref>
* https://trac.torproject.org/projects/tor/ticket/14272#comment:3
* https://trac.torproject.org/projects/tor/ticket/20111#comment:5
</ref>, anon-ws-disable-stacked-tor also provides:

* Tor Control Unix Domain Socket file: {{Code|/var/run/tor/control}}, which is redirected to the Control Port Filter Proxy on {{gateway_product_name}}.
* [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/share/anon-ws-disable-stacked-tor/control.authcookie Tor Control Auth Cookie]: a functional {{Code|/var/run/tor/control.authcookie}} that works with [[Dev/Control_Port_Filter_Proxy|Control Port Filter Proxy]].
* Tor Socks Unix Domain Socket file: {{Code|/var/run/tor/socks}}, which is redirected to {{gateway_product_name}} Tor port 9050.
** [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf full list]

== Tor state file creation ==
All required state files which Tor would normally create in {{Code|/var/run/tor}} and {{Code|/var/lib/tor}} are created by [https://github.com/{{project_name_short}}/anon-ws-disable-stacked-tor/blob/master/usr/lib/anon-ws-disable-stacked-tor/state-files /usr/lib/anon-ws-disable-stacked-tor/state-files].

== bindp ==
TODO: describe
* bindp
* https://phabricator.whonix.org/T561

== socat ==
There are no socat redirections by default in {{project name}}. Advanced setups such as [https://getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html Monero CLI Wallet/Daemon Isolation with {{q_project_name}}] use things like EXEC. From that example:
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
systemd-socket-proxyd does not support EXEC, hence socat is useful here.

= Debugging =
Run.

{{CodeSelect|code=
echo "$TOR_SOCKS_IPC_PATH"
}}

Should show the following.
/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
----
Run.

{{CodeSelect|code=
echo "$TOR_CONTROL_IPC_PATH"
}}

Should show the following.
/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
Also please run.

{{CodeSelect|code=
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9150
}}

Should show the following.

<pre>
Tor is not an HTTP Proxy

Tor is not an HTTP Proxy

It appears you have configured your web browser to use Tor as an HTTP proxy. This is not correct: Tor is a SOCKS proxy, not an HTTP proxy. Please configure your client accordingly.

See https://www.torproject.org/documentation.html for more information.
</pre>

Run a similar command.

{{CodeSelect|code=
echo GET | socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
}}

Should show the same as above.

----
Next one to try.

{{CodeSelect|code=
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:9151
}}

Should show the following.
510 Request filtered
...
Run a similar command.

{{CodeSelect|code=
echo GET | socat - UNIX-CONNECT:/var/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
}}

Should show.
510 Request filtered
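The sockets probed above are the ones the Implementation section describes: systemd owns Tor's default listening addresses on the workstation and systemd-socket-proxyd forwards them to the gateway, so a second Tor cannot bind them. The following script is an added illustration of that mechanism and is not the project's own systemd-unit-files-generator. It assumes a writable unit directory ($UNIT_DIR, defaulting to a temporary directory), a gateway address ($GATEWAY_IP, with 10.152.152.10 as a placeholder), and a unit naming scheme of its own; the SocketMode setting for Unix sockets is also this example's choice.

```shell
#!/bin/sh
# Added example (not the anon-ws-disable-stacked-tor project's generator):
# write a systemd .socket/.service pair so that systemd-socket-proxyd occupies
# a Tor listening address on the workstation and forwards it to the gateway.
# Anything that later tries to bind the same address fails, which is what
# makes a stacked Tor exit instead of starting.
#
# Assumptions (not from the page): the gateway is reachable at $GATEWAY_IP
# (10.152.152.10 is only a placeholder) and units are written to $UNIT_DIR.
GATEWAY_IP="${GATEWAY_IP:-10.152.152.10}"
UNIT_DIR="${UNIT_DIR:-${TMPDIR:-/tmp}/anon-ws-units-example}"

# unit_name ADDRESS -> a name usable in a systemd unit file name,
# e.g. 127.0.0.1:9150 -> 127.0.0.1_9150, /var/run/tor/socks -> var-run-tor-socks
unit_name() {
    printf '%s' "$1" | sed -e 's#^/##' -e 's#/#-#g' -e 's#:#_#g'
}

# write_proxy_units LISTEN TARGET
#   LISTEN: a local TCP address (host:port) or an absolute Unix socket path
#   TARGET: the gateway host:port that systemd-socket-proxyd connects to
# Prints the unit base name (without .socket/.service suffix).
write_proxy_units() {
    listen="$1"
    target="$2"
    name="anon-ws-disable-stacked-tor-$(unit_name "$listen")"
    mkdir -p "$UNIT_DIR"

    # A Unix socket path must be connectable by the unprivileged application
    # user; a TCP listener needs no mode line.
    mode=""
    if [ "${listen#/}" != "$listen" ]; then
        mode="SocketMode=0666"
    fi

    # The .socket unit owns the address: systemd binds it at boot, before any
    # Tor package could, and starts the service on the first connection.
    cat > "$UNIT_DIR/$name.socket" <<EOF
[Unit]
Description=Redirect $listen to $target (prevent Tor over Tor)

[Socket]
ListenStream=$listen
$mode

[Install]
WantedBy=sockets.target
EOF

    # The .service unit receives the listening socket from systemd and only
    # relays bytes to the gateway; no Tor daemon runs on the workstation.
    cat > "$UNIT_DIR/$name.service" <<EOF
[Unit]
Description=systemd-socket-proxyd for $listen -> $target
Requires=$name.socket
After=$name.socket

[Service]
ExecStart=/lib/systemd/systemd-socket-proxyd $target
PrivateTmp=yes
EOF
    printf '%s\n' "$name"
}

# Usage: one TCP port (Tor Browser's SocksPort) and one Unix domain socket,
# both forwarded to the gateway Tor SocksPort 9050 named on the page.
main() {
    write_proxy_units "127.0.0.1:9150" "$GATEWAY_IP:9050"
    write_proxy_units "/var/run/tor/socks" "$GATEWAY_IP:9050"
    echo "Units written to $UNIT_DIR; install them with:"
    echo "  systemctl daemon-reload && systemctl enable --now <name>.socket"
}

main
```

The same function serves the control side from the Implementation section (a listener on /var/run/tor/control with the gateway's control port filter proxy as target); only the target port changes. Because the listening address is held by systemd rather than by a process, the check that matters afterwards is the one the Debugging steps perform: a connection to the local address must answer with the gateway's "Tor is not an HTTP Proxy" or "510 Request filtered" text, not with a local Tor.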
= Debugging with curl =
Trying to use curl rather than curl.anondist-orig is a common mistake when debugging {{project name}} network issues. curl is a symlink to curl.anondist-orig. In turn, this symlinks to uwtwrapper, which runs curl under torsocks. torsocks then forces Tor to run on localhost for stream isolation.

==== To use curl ====
* The uwt stream isolation wrapper must be circumvented or disabled.
* The command must be run under user clearnet.

In {{gateway_product_name}} or sys-whonix [[{{q_project_name_short}}|{{q_project_name}}]]:

'''1.''' Change to user clearnet.

{{CodeSelect|code=
sudo -su clearnet
}}

'''2.''' Circumvent the uwt stream isolation wrapper by appending .anondist-orig to curl.

{{CodeSelect|code=
curl.anondist-orig
}}

==== Using curl in {{project name}} 14 ====
In the following examples, the exec calls in the command output show the difference between running curl with the uwtwrapper enabled and disabled.

'''Example 1'''

curl is run with the uwtwrapper enabled.

{{CodeSelect|code=
uwtwrapper_verbose=1 curl
}}

This results in the following exec calls. Only the latest (most recent) call matters; it shows torsocks is prepended before running curl.

<pre>
exec torsocks /usr/lib/uwtexec something
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig
</pre>

'''Example 2'''

curl is run with the uwtwrapper disabled.

{{CodeSelect|code=
uwtwrapper_verbose=1 UWT_DEV_PASSTHROUGH=1 curl
}}

This command results in the following exec calls, which show torsocks does not get prepended before curl. Since curl does not run under torsocks, local connections are not hindered and there is no stream isolation.

<pre>
exec /usr/lib/uwtexec
exec -a /usr/bin/curl /usr/bin/curl.anondist-orig
</pre>

'''The output from the previous commands establishes the following.'''

* /usr/bin/curl is symbolically linked to /usr/bin/curl.anondist-orig. This demonstrates /usr/bin/curl.anondist-orig is the actual (real) curl binary.
* When /usr/bin/curl.anondist-orig is run with the uwtwrapper disabled, all uwt logic is circumvented.

Users can either circumvent the uwt stream isolation wrapper or disable it, either permanently or temporarily.

Links:
* [[Stream_Isolation|Stream Isolation]]
* [[Stream_Isolation/Disable_Easy|Stream Isolation/Disable Easy]]

----
= Application Developers =
[[Dev/{{project_name_short}} friendly applications best practices]]

= See Also =
* [[Redirect Whonix-Workstation Ports or Unix Domain Socket Files to Whonix-Gateway]]

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Design]]