Lantern: Alternative Censorship Circumvention Tool
From Whonix
Introduction
Lantern [archive] is a censorship circumvention tool which can provide an alternative to Tor bridges. The design resembles a VPN: all of a user's traffic is encrypted to Lantern's servers, which then proxy the blocked sites. Note that Lantern in isolation is not an anonymity tool, because under this model the operator sees both the user's real IP address and the destinations requested. Another downside is that bandwidth limits also exist for non-subscribers: [1]
Lantern is designed to provide you with fast unfettered access to information online. Lantern is secure and encrypts your connection to blocked sites, but it is not an anonymity tool, so if you need or would like to be anonymous online, please use Tor. Otherwise, Lantern will give you faster access to blocked sites. ... To keep our free version running, we implemented a bandwidth limitation of 500 MB/ month. When the bandwidth limit is reached, the connection is slowed down and Free users are prompted to upgrade to Lantern Pro.
After bandwidth limits are reached the connection slows down to approximately 20KB/s, making Lantern virtually unusable. In order to remove this restriction, users must pay for the 'Lantern Pro' service. [2] The available options mean any payment is likely traceable, but this is not necessarily any more 'damaging' to privacy and/or anonymity than connecting to Lantern in the first place. [3] Interested readers can learn more at the Lantern forums [archive] and developers Q&A [archive].
Warning
Whonix ™ developer madaidan has expressed serious concerns about the Lantern software [archive]:
- There is limited documentation available describing how Lantern functions. Although it states it unblocks websites, this mechanism is undocumented. Further, the developer FAQ is empty.
- Lantern developers state they are based in Los Angeles, but their GitHub repositories, Twitter accounts and the Terms of Service have a lot of Chinese text.
- The primary GitHub repository has numerous stars and forks (even though it seems to be a small project) from what appears to be bot accounts, as many have no activity. The GitHub account also has hundreds of repositories that are completely irrelevant to Lantern.
- Links are provided to a forum which does not even exist.
- The privacy policy allows for logging of IP addresses, visited websites, device IDs, local files and much more; see footnote. [4]
The Wikipedia Lantern entry also notes: [5]
- User information can be shared with various third parties, including advertisers.
- Content blockers like uBlock Origin are ineffective in preventing data collection because Lantern operates at the TCP/IP stack layer.
- Personally identifiable information may be subject to disclosure to governments in the country of operation.
In summary, Lantern is not recommended unless the user has limited other options for censorship circumvention.
Connecting to Lantern before Tor
Testers only! Qubes-Whonix ™ only! [6]
It is possible to configure Tor to use Lantern as a proxy to establish the following tunnel: User → Lantern → Tor → Internet
Before applying the following instructions, it is recommended to first read:
- The warning section above.
- Combining Tunnels with Tor.
- Current limitations discussed in this blog post / forum discussion [archive].
1. Create a new standalone ProxyVM called Lantern-Gateway based on the Debian-11 template.
2. Unload all firewall rules in the Lantern-Gateway ProxyVM.
The iptables rules must be unloaded.
If using Qubes, disable the qubes-iptables and qubes-firewall systemd services so that they do not load rules again. Non-Qubes users can skip this.
sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall
Open file ~/fw-unload in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run:
mousepad ~/fw-unload
If you are using a terminal, run:
nano ~/fw-unload
Add the following script:
#!/bin/bash
## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -o pipefail

error_handler() {
   echo "ERROR!" >&2
   exit 1
}

## Abort on the first failing iptables command instead of leaving a
## half-flushed ruleset behind.
trap "error_handler" ERR

## The binaries can be overridden via the environment; --wait blocks until
## the xtables lock is free instead of failing when another process holds it.
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

## IPv4: set the built-in chain policies to ACCEPT first, then flush (-F)
## every rule and delete (-X) every user-defined chain in each table.
$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X

## IPv6: the same procedure (no IPv6 nat table is touched here).
$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT
$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X

exit 0
Save.
Make ~/fw-unload executable.
chmod +x ~/fw-unload
Unload all iptables firewall rules.
sudo ~/fw-unload
After firewall unload, run the following command to see if all firewall rules are really unloaded.
sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'
The output should show.
*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
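Eyeballing that output works, but it is easy to miss a single leftover rule. As an added check (example code written for this page, not part of Whonix or Lantern), the following Python script parses an iptables-save dump and reports anything that is not a fully unloaded ruleset: leftover -A rules, user-defined chains, or a built-in chain whose policy is not ACCEPT. It accepts the raw iptables-save output as well as the sed-normalized form above, and the same format from ip6tables-save. The two dumps embedded in it are constructed samples, not captured from a real VM, and the file name fwcheck.py is an assumption.

```python
"""Report anything in an iptables-save dump that is not a fully unloaded ruleset."""
import re
import sys

# Constructed sample: a fully unloaded ruleset (counters already zeroed by sed).
UNLOADED_DUMP = """\
*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
"""

# Constructed sample: raw iptables-save output with leftover Qubes-style state.
LEFTOVER_DUMP = """\
# Generated by iptables-save v1.8.7
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j QBS-FORWARD
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]"; the policy field is "-" for user-defined chains.
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[[0-9:,]*\]$")


def firewall_leftovers(dump: str) -> list:
    """Return a list of problems; an empty list means nothing is loaded."""
    problems, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                problems.append(f"{table}: unparsable chain line {line!r}")
                continue
            chain, policy = m.groups()
            if policy == "-":
                problems.append(f"{table}: user-defined chain {chain} still exists")
            elif policy != "ACCEPT":
                problems.append(f"{table}: chain {chain} policy is {policy}, not ACCEPT")
        elif line.startswith("-A "):
            problems.append(f"{table}: rule still loaded: {line}")
        else:
            problems.append(f"{table}: unexpected line {line!r}")
    return problems


def firewall_is_unloaded(dump: str) -> bool:
    return not firewall_leftovers(dump)


if __name__ == "__main__":
    # Usage: sudo iptables-save | python3 fwcheck.py   (likewise for ip6tables-save)
    found = firewall_leftovers(sys.stdin.read())
    for problem in found:
        print("LEFTOVER:", problem)
    print("firewall fully unloaded" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it once for IPv4 and once for IPv6 after ~/fw-unload; a non-zero exit code means the unload did not fully take effect, typically because qubes-firewall re-added rules and was not masked in the previous step.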
3. Disable IP forwarding in the Lantern-Gateway ProxyVM.
Forwarding is not required, because sys-whonix is meant to reach the Internet only through Lantern's proxy ports; with forwarding off, packets from sys-whonix that are not addressed to those ports are not routed onward.
sudo sysctl -w net.ipv4.ip_forward=0
This is a runtime setting and is lost when Lantern-Gateway reboots; verify it after every restart with sysctl net.ipv4.ip_forward, which should print 0.
4. Install a missing Lantern dependency. [7]
sudo apt install libappindicator3-1
5. Download and install Lantern.
Check if the path to the downloadable deb file is still correct. Navigate to https://getlantern.org/ [archive] and check for Linux desktop downloads. Note that this is a plain file download: there is no signed APT repository for Lantern (see footnote), so the package's integrity rests entirely on the TLS connection to the download host.
curl --tlsv1.3 --proto =https https://s3.amazonaws.com/lantern/lantern-installer-beta-64-bit.deb --output ~/lantern-installer-beta-64-bit.deb
Install Lantern. [8]
sudo dpkg -i ~/lantern-installer-beta-64-bit.deb
6. Launch Lantern and configure the proxy listener.
Start Lantern listening on all interfaces, not just the internal network interface, so it is reachable from sys-whonix. Since the firewall rules were unloaded in step 2, a 0.0.0.0 listener is also reachable from the upstream side of Lantern-Gateway; binding to the IP of the interface facing sys-whonix instead of 0.0.0.0 narrows that exposure.
Let Lantern listen for HTTP proxy requests:
lantern -addr 0.0.0.0:8787
Or let Lantern listen for SOCKS5 proxy requests, which is preferred:
lantern -socksaddr 0.0.0.0:8788
7. Test that Lantern's HTTP or SOCKS port is functional.
In Lantern-Gateway, check if Lantern's HTTP port (8787 from step 6) is functional:
curl --tlsv1.3 --proto =https --proxytunnel --proxy 127.0.0.1:8787 https://check.torproject.org
Alternatively, in Lantern-Gateway, check if Lantern's SOCKS port (8788 from step 6) is functional:
curl --tlsv1.3 --proto =https --proxy socks5h://127.0.0.1:8788 https://check.torproject.org
The socks5h scheme makes curl hand the hostname to the proxy for resolution; with a plain socks5 scheme, curl would resolve check.torproject.org locally in Lantern-Gateway first.
8. Change sys-whonix NetVM settings.
- Shut down sys-whonix if it is running.
- Set the sys-whonix NetVM to Lantern-Gateway.
- Restart sys-whonix.
9. Test if Tor can connect to Lantern's HTTP or SOCKS port.
In sys-whonix, test whether the HTTP proxy that Lantern provides is reachable over the same path Tor will use. 10.137.11.1 is an example and must be replaced with the Lantern-Gateway IP (see step 10 for how to find it); UWT_DEV_PASSTHROUGH=1 stops the uwt wrapper from sending curl through Tor.
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proto =https --proxytunnel --proxy 10.137.11.1:8787 https://check.torproject.org
Alternatively, in sys-whonix, test whether the SOCKS proxy that Lantern provides is reachable:
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proto =https --proxy socks5h://10.137.11.1:8788 https://check.torproject.org
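Steps 7 and 9 use curl to probe the proxy ports. The following Python example, added here and not part of the page, Whonix or Lantern, shows what those probes actually put on the wire: the SOCKS5 method negotiation and CONNECT request with a domain-name target (the socks5h behaviour, where the hostname is sent to the proxy unresolved and no DNS query leaves the client), and the HTTP CONNECT request that --proxytunnel sends. Both are run against a small in-process fake proxy so the exchange works offline. The FakeProxy class, the refused name blocked.example and the helper names are assumptions of this example; Lantern's SOCKS5 listener is assumed to accept the no-authentication method, as the page's credential-less curl command implies.

```python
"""SOCKS5 (RFC 1928) and HTTP CONNECT handshakes against an in-process fake proxy."""
import socket
import threading

def socks5_connect_request(host: str, port: int) -> bytes:
    # ATYP 0x03 (domain name): the proxy resolves the name, so no DNS query for
    # the target leaves this machine. This is what curl's socks5h scheme does.
    name = host.encode("idna")
    assert len(name) <= 255, "hostname too long for SOCKS5"
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def http_connect_request(host: str, port: int) -> bytes:
    # What curl --proxytunnel sends; the TLS session then runs inside the tunnel.
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_handshake(sock, host: str, port: int) -> None:
    sock.sendall(b"\x05\x01\x00")                 # version 5, offer "no auth" only
    ver, method = recv_exact(sock, 2)
    if ver != 5 or method != 0:
        raise ConnectionError(f"proxy did not accept no-auth (method {method:#x})")
    sock.sendall(socks5_connect_request(host, port))
    _ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if rep != 0:                                  # e.g. 0x02 = not allowed by ruleset
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep:#x}")
    # Drain BND.ADDR/BND.PORT so the socket is positioned at the tunnel payload.
    addr_len = recv_exact(sock, 1)[0] if atyp == 3 else {1: 4, 4: 16}[atyp]
    recv_exact(sock, addr_len + 2)

def http_connect_handshake(sock, host: str, port: int) -> None:
    sock.sendall(http_connect_request(host, port))
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        head += chunk
    status_line = head.split(b"\r\n", 1)[0]
    if status_line.split(b" ")[1:2] != [b"200"]:
        raise ConnectionError(f"CONNECT refused: {status_line!r}")

def tunnel_ok(proxy_addr, kind: str, host: str, port: int) -> bool:
    # True if the proxy at proxy_addr = ("ip", port) accepts a tunnel to host:port.
    handshake = socks5_handshake if kind == "socks5" else http_connect_handshake
    with socket.create_connection(proxy_addr, timeout=5) as s:
        try:
            handshake(s, host, port)
            return True
        except (ConnectionError, KeyError):
            return False

class FakeProxy:
    """Assumed stand-in for Lantern (not Lantern's code): records each requested
    target and refuses the names in `refuse` with a protocol-level error."""
    def __init__(self, refuse=()):
        self.refuse, self.seen = set(refuse), []
        self.socks_addr = self._listen(self._socks5)
        self.http_addr = self._listen(self._http)

    def _listen(self, handler):
        srv = socket.socket()
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
        def serve():
            while True:
                conn, _ = srv.accept()
                with conn:
                    handler(conn)
        threading.Thread(target=serve, daemon=True).start()
        return srv.getsockname()

    def _socks5(self, conn):
        _ver, nmethods = recv_exact(conn, 2)
        recv_exact(conn, nmethods)
        conn.sendall(b"\x05\x00")                 # choose "no auth"
        _ver, _cmd, _rsv, atyp = recv_exact(conn, 4)
        assert atyp == 3, "socks5h clients send the name, not a resolved IP"
        host = recv_exact(conn, recv_exact(conn, 1)[0]).decode("idna")
        port = int.from_bytes(recv_exact(conn, 2), "big")
        self.seen.append(("socks5", host, port))
        rep = 0x02 if host in self.refuse else 0x00
        conn.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(6))  # BND 0.0.0.0:0

    def _http(self, conn):
        head = conn.recv(4096)                    # the CONNECT request is tiny
        host, port = head.split(b" ", 2)[1].decode().rsplit(":", 1)
        self.seen.append(("http", host, int(port)))
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n"
                     if host not in self.refuse else b"HTTP/1.1 403 Forbidden\r\n\r\n")
```

To probe a real listener from Lantern-Gateway, call tunnel_ok(("127.0.0.1", 8788), "socks5", "check.torproject.org", 443) or tunnel_ok(("127.0.0.1", 8787), "http", ...); from sys-whonix substitute the Lantern-Gateway IP. The point to take from the fake proxy's seen list is that it only ever receives hostnames: a client built the way the page's curl commands are built never resolves the target itself, which is what keeps DNS lookups from leaking around the tunnel.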
10. Edit the Tor configuration file in sys-whonix.
Open /usr/local/etc/torrc.d/50_user.conf.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway ™, complete the following steps.
sudo nano /usr/local/etc/torrc.d/50_user.conf
Depending on the proxy type configured at step 6, add exactly one of the two settings below; Tor accepts only a single proxy type. [9] [10]
10.137.11.1 is just an example and must be replaced with the IP of the Lantern-Gateway ProxyVM. To discover the Lantern-Gateway ProxyVM IP, run the following command in sys-whonix:
qubesdb-read /qubes-gateway
If Lantern was started with -addr (HTTP proxy):
HTTPSProxy 10.137.11.1:8787
If Lantern was started with -socksaddr (SOCKS5 proxy, preferred):
Socks5Proxy 10.137.11.1:8788
11. Reload Tor.
After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')
→ Reload Tor
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ Reload Tor
If you are using a terminal-only Whonix-Gateway ™, complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a message saying:
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
The procedure is complete and Tor will now use Lantern as a proxy.
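The note in step 11 says that a failure to connect is most likely a configuration mistake. The following Python example, added here and not part of Whonix, checks the proxy lines of a torrc.d fragment against the current gateway IP before Tor is reloaded. It flags a missing proxy line (Tor would then connect directly, bypassing Lantern), more than one proxy type (Tor accepts only one), an IP that no longer matches qubesdb-read /qubes-gateway, and a missing port (Tor defaults to 443 for HTTPSProxy and 1080 for Socks5Proxy, neither of which Lantern listens on in this setup). The fragments embedded in it are constructed samples, and the file name torrc_proxy_check.py is an assumption.

```python
"""Check the proxy lines of a torrc.d fragment against the current gateway IP."""
import ipaddress
import re
import subprocess
import sys

PROXY_KEYS = ("HTTPSProxy", "Socks5Proxy", "Socks4Proxy")
# Tor's defaults when the port is omitted from the proxy address.
DEFAULT_PORT = {"HTTPSProxy": 443, "Socks5Proxy": 1080, "Socks4Proxy": 1080}

# Constructed sample fragments (not taken from a real sys-whonix).
GOOD_FRAGMENT = "# Lantern on the Lantern-Gateway ProxyVM\nSocks5Proxy 10.137.11.1:8788\n"
BOTH_FRAGMENT = "HTTPSProxy 10.137.11.1:8787\nSocks5Proxy 10.137.11.1:8788\n"
STALE_FRAGMENT = "Socks5Proxy 10.137.0.7:8788\n"
NOPORT_FRAGMENT = "HTTPSProxy 10.137.11.1\n"


def parse_hostport(value: str):
    """Split 'host:port' or a bare 'host' into (host, port-or-None); None if malformed."""
    m = re.fullmatch(r"(\[[0-9A-Fa-f:]+\]|[^:\s]+)(?::(\d{1,5}))?", value)
    if not m:
        return None
    return m.group(1).strip("[]"), (int(m.group(2)) if m.group(2) else None)


def check_proxy_fragment(text: str, gateway_ip: str) -> list:
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems, found = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # torrc comments start with '#'
        parts = line.split(None, 1)
        if not parts or parts[0] not in PROXY_KEYS:
            continue
        if len(parts) == 1:
            problems.append(f"line {lineno}: {parts[0]} has no value")
            continue
        found.setdefault(parts[0], []).append((lineno, parts[1].strip()))
    if not found:
        problems.append("no proxy line found: Tor would connect directly, bypassing Lantern")
    if len(found) > 1:
        problems.append("more than one proxy type set (" + ", ".join(found) + "); Tor accepts only one")
    for key, entries in found.items():
        if len(entries) > 1:
            problems.append(f"{key} set {len(entries)} times; Tor keeps only the last, remove the others")
        for lineno, value in entries:
            hp = parse_hostport(value)
            if hp is None:
                problems.append(f"line {lineno}: cannot parse {value!r} as host:port")
                continue
            host, port = hp
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                problems.append(f"line {lineno}: {host!r} is not an IP address; use the gateway IP")
                continue
            if str(ip) != gateway_ip:
                problems.append(f"line {lineno}: {key} points at {ip}, but the current gateway is {gateway_ip}")
            if port is None:
                problems.append(f"line {lineno}: no port given; Tor would use {DEFAULT_PORT[key]}, not Lantern's listener")
            elif not 1 <= port <= 65535:
                problems.append(f"line {lineno}: port {port} is out of range")
    return problems


if __name__ == "__main__":
    # Usage in sys-whonix: python3 torrc_proxy_check.py [/usr/local/etc/torrc.d/50_user.conf]
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/torrc.d/50_user.conf"
    gateway = subprocess.run(["qubesdb-read", "/qubes-gateway"], capture_output=True,
                             text=True, check=True).stdout.strip()
    with open(path) as f:
        found = check_proxy_fragment(f.read(), gateway)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it in sys-whonix before "Reload Tor"; it complements tor --verify-config, which only checks syntax and cannot know that the IP in the fragment is no longer the one of Lantern-Gateway.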
Footnotes
- ↑ https://getlantern.org/en_US/faq.html [archive]
- ↑ In early-2019, this costs $32 (USD) for one year, or $48 (USD) for two years.
- ↑ This is because advanced adversaries can discover that a user connected to Lantern (via logs), and pluggable transports are incapable of successfully hiding Tor use in all cases. Therefore, a payment trail simply acts as another confirmation mechanism and is not necessarily 'worse' under the circumstances.
- ↑ Wikipedia [archive] notes the privacy policy states:
When you use our Services, we collect information sent to us by your computer, mobile phone or other access device. The information sent to us includes, but is not limited to, the following: data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, and standard web log data and other information. We also collect information through our use of cookies and web beacons.
- ↑ https://en.wikipedia.org/wiki/Lantern_%28software%29#Privacy_Policy [archive]
- ↑ Non-Qubes-Whonix ™ is unsupported at present.
- ↑ Lack of a dependency declaration when installing Lantern on Debian [archive] - broken link.
- ↑
- Proper Debian deb package: https://github.com/getlantern/lantern/issues/4837 [archive]
- Debian APT repository with Lantern: https://github.com/getlantern/lantern/issues/4837 [archive]
- Add Lantern to official Debian repositories: https://github.com/getlantern/lantern/issues/4837 [archive]
- Debian Lantern RFP (request for packaging) [archive]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828932 [archive]
- ↑ SOCKS is considered to be better. According to this issue [archive], Lantern already has SOCKS support. Open issues: https://github.com/getlantern/lantern/issues/4838 [archive]
Socks5Proxy 10.137.11.1:8788
- ↑ Setup should now be easier (less need for IP changes) because Qubes has implemented optional static IP addresses [archive].