UniStation - A Tor TransparentProxy with only One Machine
From Whonix
Introduction
Whonix ™ needs at least two systems: one running Tor (Whonix-Gateway ™) and the other running the clients that are routed through Tor (Whonix-Workstation ™). This ensures the highest possible security and isolation. It can be implemented using different strategies: two VMs (a Gateway VM and a Workstation VM) or bare metal.
A different approach is to run Tor and applications all on the same machine. This can be either a VM or bare metal host.
This page guides you through all steps required to set up a UniStation: a single machine that routes all of its traffic through the Tor anonymity network. This is an implementation of a Tor TransparentProxy [archive].
Advantages:
- Only one machine required.
- Lower system requirements.
Disadvantages:
- More difficult to install.
- User might have to set the network interface setting.
- If using VMs: the guest VM might be able to see the MAC address of the host (unconfirmed).
- Less secure than Whonix ™ with Whonix-Gateway ™ and Whonix-Workstation ™.
- This is not as well polished, developed and thought through as Whonix ™ yet.
- Enhancements that come with Whonix-Workstation ™ have not been considered yet.
- This will potentially not be maintained as well as Whonix ™.
Prerequisites
1. Confirm prerequisites are met.
- Debian bullseye is installed.
- User account user exists.
2. Become root. [1] [2]
su -
3. Install the sudo and adduser packages.
1. Update the package lists.
apt update
2. Upgrade the system.
apt full-upgrade
3. Install the sudo and adduser packages.
apt install --no-install-recommends sudo adduser
4. Set user rights.
The following commands must be run either by root or using sudo.
Create group console.
addgroup --system console
Add user user to group console.
adduser user console
Add user user to group sudo.
adduser user sudo
5. Reboot. [3]
reboot
Installation
Packages
Install gnupg. [4]
sudo apt install gnupg
Complete the following steps to add the Whonix ™ Signing Key to the system's APT keyring.
Open a terminal.
The curl package needs to be installed. Install curl.
1. Update the package lists.
sudo apt update
2. Upgrade the system.
sudo apt full-upgrade
3. Install the curl package.
The apt command line parameter --no-install-recommends is optional in most cases.
sudo apt install --no-install-recommends curl
4. Done.
The procedure of installing curl is complete.
Download Whonix ™ Signing Key. [5]
If you are using Debian, run:
curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc
If you are using a Qubes Debian Template, run:
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc
Users can verify the Whonix ™ Signing Key for better security.
Add Whonix ™ signing key to APT trusted keys.
sudo cp derivative.asc /usr/share/keyrings/derivative.asc
The procedure of adding Whonix ™ signing key is now complete.
Add Whonix ™ Repository.
Choose either: Option A, Option B OR Option C.
Option A: Add Whonix ™ Onion Repository.
Install apt-transport-tor from the Debian repository.
sudo apt install apt-transport-tor
Add Whonix ™ APT repository for default Whonix ™ using Debian stable. At the time of writing this was bullseye.
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
Option B: Add Whonix ™ Clearnet Repository over Tor.
Install apt-transport-tor from the Debian repository.
sudo apt install apt-transport-tor
Add Whonix ™ APT repository for default Whonix ™ using Debian stable. At the time of writing this was bullseye.
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
Option C: Add Whonix Clearnet Repository over clearnet.
Add Whonix ™ APT repository for default Whonix ™ using Debian stable. At the time of writing this was bullseye.
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
Install usability-misc.
1. Update the package lists.
sudo apt update
2. Upgrade the system.
sudo apt full-upgrade
3. Install the usability-misc package.
The apt command line parameter --no-install-recommends is optional in most cases.
sudo apt install --no-install-recommends usability-misc
4. Done.
The procedure of installing usability-misc is complete.
Install the remaining packages using apt-get-noninteractive. [6]
sudo apt-get-noninteractive install --no-install-recommends kicksecure-cli whonix-firewall uwt anon-gw-dns-conf ipv4-forward-disable ipv6-disable
Update: The packages anon-gw-dns-conf, ipv4-forward-disable and ipv6-disable are deprecated (merged into anon-gw-anonymizer-config) in the Whonix ™ developers repository (upcoming stable), but these packages are so trivial that the single config file per package can be set up manually.
Firewall Settings
Find out your network interface name. You can list the interfaces you have by running:
sudo ifconfig
Edit /etc/whonix_firewall.d/50_user.conf.
sudoedit /etc/whonix_firewall.d/50_user.conf
Paste.
You might have to change #EXT_IF="eth0" by removing the hash # in front of it and setting it to the name of your network interface, such as wlan0, i.e. the full line might look like this: EXT_IF="wlan0"
Include it with the text to be pasted below. [7]
## 0: disabled
## 1: enabled

## External interface
## defaults to:
#EXT_IF="eth0"

WORKSTATION_TRANSPARENT_TCP=0
WORKSTATION_TRANSPARENT_UDP=0
WORKSTATION_TRANSPARENT_DNS=0
WORKSTATION_ALLOW_SOCKSIFIED=0
CONTROL_PORT_FILTER_PROXY_ENABLE=0
GATEWAY_TRANSPARENT_TCP=1
GATEWAY_TRANSPARENT_UDP=0
GATEWAY_TRANSPARENT_DNS=1
GATEWAY_ALLOW_INCOMING_ICMP=0
If you want port 22 open for incoming SSH, also paste:
GATEWAY_ALLOW_INCOMING_SSH=1
Save.
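As an added helper for the firewall step above (example code, not part of Whonix or of this page), the following POSIX shell functions detect the interface holding the default route, generate the 50_user.conf body listed above with EXT_IF filled in, and check that a written config names an interface that really exists. It assumes iproute2 (ip) and /sys/class/net are available; the function names are my own.

```shell
#!/bin/sh
# Added helper (not Whonix code): build and sanity-check the UniStation
# /etc/whonix_firewall.d/50_user.conf from the settings listed above.
# Assumes iproute2 (ip) and /sys/class/net; the function names are made up.

# Print the interface carrying the default route (e.g. wlan0 or enp0s3);
# prints nothing when there is no default route.
detect_ext_if() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the 50_user.conf body with EXT_IF set to $1.
# Pass "ssh" as $2 to also allow incoming SSH on port 22.
unistation_firewall_conf() {
    [ -n "$1" ] || { echo "unistation_firewall_conf: interface name required" >&2; return 1; }
    printf '## 0: disabled\n## 1: enabled\n\n'
    printf '## External interface\nEXT_IF="%s"\n\n' "$1"
    # There is no separate Workstation, so every WORKSTATION_* rule stays off.
    printf 'WORKSTATION_TRANSPARENT_TCP=0\n'
    printf 'WORKSTATION_TRANSPARENT_UDP=0\n'
    printf 'WORKSTATION_TRANSPARENT_DNS=0\n'
    printf 'WORKSTATION_ALLOW_SOCKSIFIED=0\n'
    printf 'CONTROL_PORT_FILTER_PROXY_ENABLE=0\n'
    # The machine's own TCP and DNS traffic is redirected into Tor instead.
    printf 'GATEWAY_TRANSPARENT_TCP=1\n'
    printf 'GATEWAY_TRANSPARENT_UDP=0\n'
    printf 'GATEWAY_TRANSPARENT_DNS=1\n'
    printf 'GATEWAY_ALLOW_INCOMING_ICMP=0\n'
    if [ "$2" = "ssh" ]; then printf 'GATEWAY_ALLOW_INCOMING_SSH=1\n'; fi
}

# Return 0 if file $1 contains an uncommented EXT_IF naming an interface
# from $2 (space-separated list; defaults to the entries in /sys/class/net).
check_ext_if() {
    file="$1"
    known="$2"
    [ -n "$known" ] || known=$(ls /sys/class/net 2>/dev/null || true)
    iface=$(sed -n 's/^EXT_IF="\([^"]*\)"$/\1/p' "$file" | tail -n 1)
    if [ -z "$iface" ]; then
        echo "$file: EXT_IF is not set (still commented out?)" >&2
        return 1
    fi
    for k in $known; do
        [ "$k" = "$iface" ] && return 0
    done
    echo "$file: EXT_IF=\"$iface\" is not an existing interface" >&2
    return 1
}
```

On the UniStation itself, `unistation_firewall_conf "$(detect_ext_if)" | sudo tee /etc/whonix_firewall.d/50_user.conf` writes the file and `check_ext_if /etc/whonix_firewall.d/50_user.conf` confirms EXT_IF points at a real interface before the firewall is reloaded.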
Qubes
Qubes only. Does not hurt otherwise.
sudo systemctl mask qubes-iptables
Qubes Debian based VMs would require further /etc/whonix_firewall.d/50_user.conf modifications. See footnote. [8]
torsocks
A torsocks config is not required; uwt sets that up for us.
- https://github.com/Whonix/uwt [archive]
- https://github.com/Whonix/uwt/blob/master/etc/tor/torsocks.conf.anondist [archive]
Tor Configuration
Open the Tor configuration file /etc/tor/torrc with root rights.
sudoedit /etc/tor/torrc
Paste. [9]
TransPort 127.0.0.1:9041
DnsPort 127.0.0.1:5400
DisableNetwork 0
Save.
Restart Tor.
sudo systemctl restart tor
APT
Check if there is something you need in /etc/apt/sources.list.
Move the original /etc/apt/sources.list out of the way, because /etc/apt/sources.list.d/debian.list by Kicksecure ™ replaces it.
sudo mv /etc/apt/sources.list ~/
Reboot
Reboot required.
sudo reboot
Usage
Check sdwdate
sudo systemctl status sdwdate --no-pager
Updates
Update as per usual. See also Operating System Software and Updates.
Thanks to uwt [archive], this is stream isolated (using Tor SocksPort). There is no need to use torsocks: uwt uses torsocks, which is configured to use IsolatePID 1.
sudo apt update
Transparent DNS Functional
nslookup torproject.org
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	torproject.org
Address: 95.216.163.36
** server can't find torproject.org: NXDOMAIN
Transparent TCP Functional
cd /tmp
wget.anondist-orig torproject.org
--2019-12-10 12:25:43--  http://torproject.org/
Resolving torproject.org (torproject.org)... 95.216.163.36
Connecting to torproject.org (torproject.org)|95.216.163.36|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.torproject.org/ [following]
--2019-12-10 12:25:45--  https://www.torproject.org/
Resolving www.torproject.org (www.torproject.org)... 116.202.120.165
Connecting to www.torproject.org (www.torproject.org)|116.202.120.165|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19623 (19K) [text/html]
Saving to: ‘index.html’

index.html          100%[===========================================>]  19.16K  62.3KB/s    in 0.3s

2019-12-10 12:25:47 (62.3 KB/s) - ‘index.html’ saved [19623/19623]
Troubleshooting
Depending on the network configuration, the following might need to be appended to /etc/whonix_firewall.d/50_user.conf:
NON_TOR_GATEWAY="\
127.0.0.0-127.0.0.24 \
10.137.0.0-10.138.255.255 \
"
Forum Discussion
https://forums.whonix.org/t/debian-onevm-anononevm-non-self-contained-host-depending-onevm-unistation-a-tor-transparentproxy-with-only-one-machine/5470 [archive]
Footnotes
[1] Parameter - is required to set the correct paths to /usr/sbin. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833256 [archive]
[2] Other methods are possible.
[3] Usability. Otherwise, after installation is complete, the user might not be able to log in. Needs further testing whether this is still required. Can be avoided for remote servers.
[4] Required for Debian netinst "minimal" (no default system tools).
[5] See Secure Downloads to understand why curl and the parameters --tlsv1.3 --proto =https are used instead of wget.
[6] apt-get-noninteractive is used to avoid being asked this question:
Setting up anon-base-files (3:4.6-1) ...

Configuration file '/etc/machine-id'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package contributor.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package contributor's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** machine-id (Y/I/N/O/D/Z) [default=N] ? i
[7] VirtualBox: EXT_IF="enp0s3"
[8] This was required in Qubes to make Whonix-Gateway's Own Traffic Transparent Proxy work. In that case, append to /etc/whonix_firewall.d/50_user.conf:
NON_TOR_GATEWAY="\
127.0.0.0-127.0.0.24 \
10.137.0.0-10.138.255.255 \
"
[9] DisableNetwork 0 is required to make sdwdate work because the connectivity check looks at it.