Dev/Design-Workstation

From Whonix


Authoring Notes:

  • Start with a general description below each headline. Be as general as possible and try to avoid using terms like 'Tor'.
  • Next, carefully describe the Whonix ™ Example Implementation. Show exactly how Whonix ™ implements the goals stated above.
  • See Dev/Documentation_Guidelines for the preferred formatting style and grammatical considerations.


List of installed Packages

Whonix ™-Example-Implementation:

Files

Essential

Network Configuration

Configure the system resolver to use the Gateway to resolve DNS. (There can be no DNS leaks, because the Gateway firewall prevents them.) The system resolver should not be used often, only by applications which are not configured to use Stream Isolation (SocksPort); it is just a general catch-all for user-installed applications to improve usability.
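One way to verify the resolver requirement above, as an added example that is not Whonix's own code: the script reads a resolv.conf-style file and confirms that every nameserver line points at the Gateway and that at least one nameserver is configured at all. The Gateway address 10.152.152.10 is the one used in the rinetd section of this page; the file paths and the sample file contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Whonix's own code: confirm the system resolver only
# points at the Gateway. 10.152.152.10 is the Gateway address used on this
# page; file paths and sample contents below are constructed for the demo.

GATEWAY_IP="10.152.152.10"

# Print the address of every "nameserver" line in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 when at least one nameserver is configured and all of them are the
# Gateway; otherwise report the problem on stderr and return 1.
check_resolver() {
    conf="$1"
    gw="${2:-$GATEWAY_IP}"
    count=0
    bad=0
    for ns in $(list_nameservers "$conf"); do
        count=$((count + 1))
        if [ "$ns" != "$gw" ]; then
            echo "$conf: nameserver $ns is not the Gateway ($gw)" >&2
            bad=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "$conf: no nameserver configured; DNS would fail entirely" >&2
        return 1
    fi
    return "$bad"
}

# Self-contained demo on constructed files: the first mirrors the intended
# configuration, the second adds a stray resolver (192.0.2.53 is a
# documentation-range address, not a real server), the third has none.
demo() {
    dir=$(mktemp -d)
    printf 'nameserver %s\n' "$GATEWAY_IP" > "$dir/resolv.conf.ok"
    printf 'nameserver %s\nnameserver 192.0.2.53\n' "$GATEWAY_IP" > "$dir/resolv.conf.stray"
    printf '# no nameserver here\n' > "$dir/resolv.conf.empty"
    check_resolver "$dir/resolv.conf.ok" || return 1
    check_resolver "$dir/resolv.conf.stray" 2>/dev/null && return 1
    check_resolver "$dir/resolv.conf.empty" 2>/dev/null && return 1
    rm -rf "$dir"
    echo "resolver checks behave as expected"
}

# Run the demo only when invoked with --demo; otherwise just define the
# functions so the file can be sourced, e.g. from a leaktest script.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh resolver-check.sh --demo` for the constructed cases, or source it and call `check_resolver /etc/resolv.conf` on a real Workstation; a non-zero exit means a resolver other than the Gateway is configured, which the Gateway firewall would block rather than leak, but which would break DNS for every application relying on the system resolver.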

Whonix ™-Example-Implementation:

DummyTor

Since the anonymizer software runs on the Gateway, users could still accidentally install the anonymizer software on the Workstation. This would result in connecting to the anonymity network over the anonymity network itself. In the best case it just doesn't work or is very slow; in the worst case it leads to unknown consequences. Prevent that.

Whonix ™-Example-Implementation:

KDE / GNOME - application wide proxy settings

Whether or not KDE / GNOME is used, it is useful, in addition to the stream isolation wrappers and the other applications preconfigured for stream isolation, to also configure KDE-wide / GNOME-wide proxy settings. If the user installs KDE or GNOME applications which connect to the internet and honor these proxy settings, their traffic will not go through Tor's TransPort but through a dedicated SocksPort, for further improved stream isolation. These settings are not system-wide, only KDE-wide / GNOME-wide.

Whonix ™-Example-Implementation:

Extra

second, optional, extra firewall

Optional.

A second, extra firewall for advanced users, as a damage-limiting measure in case the Whonix-Gateway ™ ever gets compromised (e.g. through a Tor exploit).

Whonix ™-Example-Implementation:

Usability

Swap

Let the kernel only swap if it is absolutely necessary.

Whonix ™-Example-Implementation:

Environment Variables

Optional.

It is useful to have an environment variable announcing "I am a Workstation", so that applications such as TorButton and TorBirdy can act accordingly (i.e. not starting Tor/Vidalia on the Workstation; using the Gateway instead of 127.0.0.1 as the proxy).

Whonix ™-Example-Implementation:

apt.conf

Optional.

Whonix ™-Example-Implementation:

http to socks converter

Optional.

Some applications don't support SOCKS proxies, only HTTP proxies. It is useful to have an HTTP-to-SOCKS converter.

Whonix ™-Example-Implementation:

Sending e-mails without registration

Optional.

Install a tool which can send e-mails without registration.

Whonix ™-Example-Implementation:

GnuPG Configuration

Optional.

Use more secure defaults for GnuPG.
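An added example of what "more secure defaults" can look like; this is not Whonix's own gpg.conf. One function prints a hardened gpg.conf, a second installs it into a GnuPG home directory with restrictive permissions, and a third checks afterwards that the essential hardening options are present. The option set is this editor's selection of documented GnuPG options, not anything the page prescribes, and the directory paths used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Whonix's own gpg.conf: write a hardened gpg.conf into a
# GnuPG home directory and check it afterwards. The option set is this
# editor's selection of documented GnuPG options; adjust to taste.

# Print the hardened configuration. Every non-comment line is a gpg.conf option.
hardened_gpg_conf() {
    cat <<'EOF'
# Show long key IDs and fingerprints; short key IDs are trivially collidable.
keyid-format 0xlong
with-fingerprint
# Show the validity of user IDs when listing or verifying.
list-options show-uid-validity
verify-options show-uid-validity
# Prefer strong digests and ciphers for our own signatures and encryption.
personal-digest-preferences SHA512 SHA384 SHA256
personal-cipher-preferences AES256 AES192 AES
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
# Do not leak the GnuPG version or add comments to armored output.
no-emit-version
no-comments
# Ignore keyserver URLs embedded in keys; only use the configured keyserver.
keyserver-options no-honor-keyserver-url
# Reject signing subkeys without a back-signature from the primary key.
require-cross-certification
EOF
}

# Install the configuration into the given GnuPG home (default ~/.gnupg),
# creating the directory with mode 0700 and the file with mode 0600.
write_gpg_conf() {
    home="${1:-$HOME/.gnupg}"
    (
        umask 077
        mkdir -p "$home"
        hardened_gpg_conf > "$home/gpg.conf"
    )
}

# Return 0 if the essential hardening options are present in $1/gpg.conf,
# otherwise name each missing option on stderr and return 1.
check_gpg_conf() {
    conf="${1:-$HOME/.gnupg}/gpg.conf"
    [ -f "$conf" ] || { echo "$conf: missing" >&2; return 1; }
    rc=0
    for opt in "keyid-format 0xlong" "cert-digest-algo SHA512" \
               "no-emit-version" "require-cross-certification"; do
        if ! grep -qx "$opt" "$conf"; then
            echo "$conf: option '$opt' not set" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Typical use is `write_gpg_conf` once during image build, followed by `check_gpg_conf` from a self-test; the check deliberately looks for whole lines (`grep -x`) so a commented-out or partially edited option does not pass.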

Whonix ™-Example-Implementation:

Project News Notification

Optional.

Whonix ™-Example-Implementation:

TorChat Configuration

Optional.

Using TorChat on an already torified Workstation while preventing Tor over Tor is not trivial. It is therefore useful to ship the required configuration files, preconfigured as far as possible by default, to ease the installation of TorChat.

Whonix ™-Example-Implementation:

IRC Client

Optional.

Secure IRC client configuration and a script for obtaining a new IRC identity.

Whonix ™-Example-Implementation:

Web Browser

A secure web browser which does not suffer from linkability or browser fingerprinting.

Whonix ™-Example-Implementation:

rinetd

Optional.

Whonix ™-Example-Implementation:

  • rinetd is configured to listen on local ports 9050 and 9150.
    • rinetd forwards port 127.0.0.1:9050 (Workstation) to 10.152.152.10:9050 (Gateway).
    • rinetd forwards port 127.0.0.1:9150 (Workstation) to 10.152.152.10:9150 (Gateway).
    • https://github.com/Whonix/Whonix/blob/master/whonix_workstation/etc/rinetd.conf
    • This prevents Tor over Tor caused by simply installing Tor or by using the complete Tor Browser Bundle (which starts Vidalia and Tor): because rinetd already listens on ports 9050 and 9150, a default Tor or TBB fails to start.
    • Should the Tor Browser update script ever break,
      • Whonix ™ users can download (and verify) the stock Tor Browser Bundle (TBB) from torproject.org,
      • unpack it to /home/user/tor-browser_en-US and
      • start it from the desktop menu shortcut or from the start menu.
      • As long as The Tor Project still ships Vidalia with TBB: starting with the stock startup script /home/user/tor-browser_en-US/start-tor-browser will fail closed. Vidalia will report that Tor won't connect, because port 9150 is already occupied by rinetd. This will be fixed as soon as The Tor Project merges a proposed patch (https://gitlab.torproject.org/legacy/trac/-/issues/5611) for the start-tor-browser startup script, which adds an optional environment variable that, once set, starts only Tor Browser and not the bundled Tor/Vidalia.
      • Once The Tor Project has moved to tor-launcher and dropped Vidalia: starting the stock TBB inside Whonix ™ should work out of the box, because https://github.com/Whonix/Whonix/blob/master/whonix_workstation/etc/profile.d/20_torbrowser.sh sets the required environment variables to deactivate tor-launcher.
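As an added example (not the project's rinetd.conf, which is linked above), the following script builds a constructed rinetd.conf with the two forwards described, lists the rules it contains, and checks that both ports are claimed on loopback and forwarded to the Gateway on the same port. That is the property which makes a locally started Tor fail to bind, so the check doubles as a self-test for the Tor-over-Tor guard. The rinetd line format `bindaddress bindport connectaddress connectport` is assumed from rinetd's own documentation; the Gateway address is the one stated on this page.

```shell
#!/bin/sh
# Added example, not Whonix's own rinetd.conf or code. rinetd.conf lines have
# the form: bindaddress bindport connectaddress connectport (assumed from the
# rinetd documentation). Comment and blank lines are ignored.

# Constructed sample mirroring the two forwards described on this page.
sample_rinetd_conf() {
    cat <<'EOF'
# Forward Tor's SocksPort and Tor Browser's SocksPort to the Gateway.
127.0.0.1 9050 10.152.152.10 9050
127.0.0.1 9150 10.152.152.10 9150
EOF
}

# Print "bindaddr:bindport -> connectaddr:connectport" for every rule in $1.
list_forwards() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 4 {
             printf "%s:%s -> %s:%s\n", $1, $2, $3, $4 }' "$1"
}

# Return 0 if conf $1 binds 127.0.0.1:$2 and forwards it to $3:$2.
port_is_guarded() {
    awk -v port="$2" -v gw="$3" '
        !/^[[:space:]]*(#|$)/ && $1 == "127.0.0.1" && $2 == port \
            && $3 == gw && $4 == port { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Check that both ports named on this page are occupied by rinetd and routed
# to the Gateway; report any port a locally started Tor could still bind.
check_tor_over_tor_guard() {
    conf="$1"
    gw="${2:-10.152.152.10}"
    rc=0
    for p in 9050 9150; do
        if port_is_guarded "$conf" "$p" "$gw"; then
            echo "port $p: occupied by rinetd, forwarded to $gw:$p"
        else
            echo "port $p: NOT guarded, a local Tor could bind it" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample; only runs when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_rinetd_conf > "$tmp/rinetd.conf"
    list_forwards "$tmp/rinetd.conf"
    check_tor_over_tor_guard "$tmp/rinetd.conf"
    rm -rf "$tmp"
fi
```

On a real Workstation, `check_tor_over_tor_guard /etc/rinetd.conf` gives a quick answer to "would a stock Tor or TBB be able to start here?": a guarded port means the bind fails closed as described above, an unguarded port means the Tor-over-Tor protection depends on something else.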

Marker file

Optional.

Add a marker file so that scripts you write can find out whether they are running on the Gateway or inside the Workstation. Different implementations are possible to reach that goal.
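An added example, not Whonix's own code, that serves both the Environment Variables section above and this marker file section: a marker file decides whether a script runs on the Gateway or on the Workstation, and on the Workstation a profile.d-style snippet exports the variables announcing the role and pointing Tor Browser's launcher at the Gateway. The marker paths are hypothetical defaults, the tor-launcher variable names (TOR_SKIP_LAUNCH, TOR_SOCKS_HOST, TOR_SOCKS_PORT) are quoted from memory and should be checked against tor-launcher's documentation, and the Gateway address is the one used on this page.

```shell
#!/bin/sh
# Added example, not Whonix's own code. Marker paths below are hypothetical
# defaults; the TOR_* names are tor-launcher's as remembered by the editor.

WS_MARKER="${WS_MARKER:-/usr/share/anon-ws-base-files/workstation}"
GW_MARKER="${GW_MARKER:-/usr/share/anon-gw-base-files/gateway}"

# Print workstation, gateway or unknown, depending on which marker exists.
# Both markers present is a packaging error, so it is reported, not guessed.
detect_role() {
    if [ -f "$WS_MARKER" ] && [ -f "$GW_MARKER" ]; then
        echo "error: both marker files exist" >&2
        echo unknown
        return 1
    elif [ -f "$WS_MARKER" ]; then
        echo workstation
    elif [ -f "$GW_MARKER" ]; then
        echo gateway
    else
        echo unknown
        return 1
    fi
}

# Print the export lines for /etc/profile.d on a Workstation: announce the
# role and point tor-launcher at the Gateway instead of a local Tor.
workstation_env() {
    gw="${1:-10.152.152.10}"
    port="${2:-9150}"
    cat <<EOF
export WHONIX_WORKSTATION=1
export TOR_SKIP_LAUNCH=1
export TOR_SOCKS_HOST=$gw
export TOR_SOCKS_PORT=$port
EOF
}

# Abort callers that must not run on the wrong side, e.g. a script that
# would otherwise start Tor on the Workstation.
require_role() {
    actual=$(detect_role 2>/dev/null) || true
    if [ "$actual" != "$1" ]; then
        echo "this script must run on the $1 (detected: $actual)" >&2
        return 1
    fi
}

# Typical profile.d usage: export the Workstation variables only there.
if [ "$(detect_role 2>/dev/null)" = workstation ]; then
    eval "$(workstation_env)"
fi
```

A script shipped to both VMs can then begin with `require_role gateway || exit 1` (or `workstation`), and anything that reads the exported variables sees a consistent answer on every login shell without each tool reinventing the marker check.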

Whonix ™-Example-Implementation:

Terminal Help

Optional.

Also add a welcome and help message to virtual terminals (those which can be started in graphical environments, such as Konsole under KDE).

Whonix ™-Example-Implementation:

Debugging

Leaktest script

Optional.

Have a script which tries to produce a leak and checks whether any leak actually occurs.

Whonix ™-Example-Implementation:

Design-Shared

Changes from Dev/Design-Shared also have to be added to the Gateway.


