Ports
From Whonix
Introduction[edit]
There is a lot confusion surrounding this topic and before proceeding with opening ports, for your security, you are advised to understand the following writeup.
Opening Ports: Clearnet/Tor Impact and Security Issues[edit]
We have to clearly distinguish between opening when referring to clearnet versus referring to opening a port when using Tor.
Most times when talking generally about opening ports (clearnet, unrelated to Tor), technically one is referring to allow unsolicited incoming connections. Imagine a public web server. The websever is supposed to be able to reply to unsolicited incoming connections by clients. On the other hand however, clients usually (except when they are behind some corporate, national or similar firewall) can use any outgoing port. When a client is creating an outgoing connection, the operating system picks a random port where it expects the solicited incoming answer. Sometimes end users want to open a port such for example when they want to install a public webserver on their home connection. The end users have mostly unrestricted outgoing access, but unsolicited incoming connections are restricted by their home router's NAT firewall. Opening a port for them often means that they use their router's web interface, configure the port they want to open and forward it to a computer in their LAN network. Also when they are using a firewall that restricts unsolicited incoming connections, they need to open an incoming port in their firewall in order to make their server application reachable from the open internet. By doing so, the users real public IP address is exposed. You would not want to open a port using this method if you wish to stay anonymous.
When talking about Tor, the topic of opening ports often causes confusion. By default Tor works only as a client, which means it lets the user establish outgoing connections[1] and receives the solicited answers. The Tor software by default does not block any outgoing ports. However, some Tor exit relays restrict outgoing ports. In theory, if there was no Tor exit relay supporting outgoing port 22, then you could not exit the Tor network directly through that port. In these cases there would be no way to force open that port since that is a Tor relay, not Tor client setting.
Hosting Location Onion Services over Tor is possible. One way to accomplish this is using Onion Services. To oversimplify this, by configuration Tor it instructions the Tor network to open an incoming port at Tor relays for Tor onion hostname which gets forwarded to a port on the machine where Tor is running (called virtport). The users real public IP address remains hidden. That onion hostname is only reachable by other Tor clients.
At the time of writing, it makes limited sense to open a port. There are very few exceptions.
- Access Gateway Port From Host
- Hosting a (private) (obfuscated) bridge or (exit) relay
- In past, using the now deprecated censorship circumvention Tor pluggable transport flashproxy required opening a clearnet port to accept unsolicited clearnet incoming connections.
If you want to host a Tor onion service, you will need to open a port in Whonix-Workstation ™ firewall so Whonix-Gateway ™ can forward the incoming Tor onion service connection to Whonix-Workstation ™. This will be covered in Onion Services instructions.
When Tor users ask about how to open a port, they often do not need to and try to fix the wrong problem. Common issues are:
- Services such as IRC servers ban connections from Tor users. This cannot be remedied by opening any ports.
- Sometimes applications such as VPNs do not work. Either because one is trying to use UDP, while the Tor network does not support that [2] or because of VPN configuration issues, see Tunnels/Introduction.
- Sometimes applications such as OnionShare when run in Whonix-Workstation ™ expect Tor to be running on localhost because there are Tor-friendly applications, i.e. applications preconfigured to use Tor by the developer of the application. Now for OnionShare this is a non-issue because Whonix ™ developers preconfigured Whonix ™ using package anon-ws-disable-stacked-tor to make OnionShare work inside Whonix ™ without the user having to setup port redirections. See our Whonix ™ OnionShare instructions if you specifically care about OnionShare. Otherwise see Redirect Whonix-Workstation ™ Ports or Unix Domain Socket Files to Whonix-Gateway ™.
If you really need an anonymous incoming port your primary option is Tor Onion Services and some methods listed on Hosting Location Hidden Services.
How-to[edit]
Undocumented. Pointers:
- https://github.com/Whonix/whonix-firewall/blob/95bbe7fd32fef12ee8544a9e9132973532d6a41d/etc/whonix_firewall.d/30_whonix_gateway_default.conf#L75-L84 [archive]
- Access Gateway Port From Host
Open Whonix-Gateway ™ Port[edit]
Modify Whonix-Gateway ™ User Firewall Settings.
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf
appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Gateway ™ App Qube. Make sure folder /usr/local/etc/whonix_firewall.d
exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ App Qube (commonly called sys-whonix)
→ Whonix ™ User Firewall Settings
If using a graphical Whonix-Gateway ™, complete these steps.
Start Menu
→ Applications
→ Settings
→ User Firewall Settings
If using a terminal-only Whonix-Gateway ™, complete these steps.
In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf
.
Note: The Whonix ™ Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf
contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When {{project_name}} is updated, this ## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q")
→ Template:
whonix-gw-16
→ Whonix Global Firewall Settings
If using a graphical Whonix-Gateway ™, complete these steps.
Start Menu
→ Applications
→ Settings
→ Global Firewall Settings
If using a terminal-only Whonix-Gateway ™, complete these steps.
In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
Add.
EXTERNAL_OPEN_PORTS+=" 80 "
Save.
Reload Whonix-Gateway ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)
→ Reload Whonix ™ Firewall
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Gateway ™, run.
sudo whonix_firewall
Open Whonix-Workstation ™ Port[edit]
Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /etc/whonix_firewall.d/50_user.conf
appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ App Qube. Make sure folder /usr/local/etc/whonix_firewall.d
exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly called anon-whonix)
→ Whonix ™ User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ System
→ User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf
with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf
.
The Whonix ™ Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf
contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration, ## which will override the defaults found here. When {{project_name}} is updated, this ## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q")
→ Template:
whonix-ws-16
→ Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ Settings
→ Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
Add.
EXTERNAL_OPEN_PORTS+=" 80 "
Save.
Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ App Qube (commonly named anon-whonix)
→ Reload Whonix ™ Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
Forum Discussion[edit]
https://forums.whonix.org/t/new-wiki-page-to-clear-up-confusion-about-opening-ports [archive]
See Also[edit]
- Whonix-Workstation Firewall
- Onion Services
- Hosting Location Hidden Services
- Redirect Whonix-Workstation ™ Ports or Unix Domain Socket Files to Whonix-Gateway ™
Footnotes[edit]
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
100px | |
Fosshost | About Advertisements |
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Love Whonix ™ and want to help spread the word? You can start by telling your friends or posting news about Whonix ™ on your website, blog or social media.
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.