From 9736c73e57816b6f0f778dc44218a08bd5f4b93e Mon Sep 17 00:00:00 2001 From: nyxnor Date: Sat, 2 Sep 2023 20:00:38 +0000 Subject: [PATCH 1/4] Whonix doc --- docs/platforms/whonix.md | 191 ++++++++++++++++++++++++--------------- 1 file changed, 117 insertions(+), 74 deletions(-) diff --git a/docs/platforms/whonix.md b/docs/platforms/whonix.md index c9bfc554..89f17dfe 100644 --- a/docs/platforms/whonix.md +++ b/docs/platforms/whonix.md 
@@ -10,18 +10,116 @@ This functionality may be incomplete and/or dangerous if misused. Please help us ::: -Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard access to the control port. We have packaged -an oniongrater configuration `cwtch-whonix.yml` with Cwtch on Linux. +## Configure the Whonix-Gateway -When launching, Cwtch on Whonix should be passed the `CWTCH_TAILS=true` environment variables to automatically configure Cwtch for running in a Whonix-like environment: +The following steps should be done in the Whonix-Gateway. -`exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch` +### Onion Grater -Optionally, it may be desirable to pass either or both of two additional flags: +Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard access to the control port. We have packaged an onion-grater configuration `cwtch-whonix.yml` with Cwtch on Linux. -- `CWTCH_RESTRICT_PORTS` - forces connectivity to bind to a subset of ports `15000-15378` -- `CWTCH_BIND_EXTERNAL_WHONIX` - forces connectivity to bind to external interfaces (only supported/recommended on certain Whonix-based setups. Please open an issue if you think this should be expanded.) +The onion-grater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much further. 
+```yaml +# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern + +--- +- exe-paths: + - '' + users: + - '*' + hosts: + - '*' + commands: + AUTHCHALLENGE: + - 'SAFECOOKIE .*' + SETEVENTS: + - 'CIRC WARN ERR' + - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT' + GETINFO: + - 'net/listeners/socks' + - '.*' + GETCONF: + - 'DisableNetwork' + SETCONF: + - 'DisableNetwork.*' + ADD_ONION: + ## {{{ Host: [::], Ports: 15000-15378 + - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])' + replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' + - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(153[0-6][0-9])' + replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' + - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(1537[0-8])' + replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' + ## }}} + DEL_ONION: + - '.+' + HSFETCH: + - '.+' + events: + CIRC: + suppress: true + ORCONN: + suppress: true + INFO: + suppress: true + NOTICE: + suppress: true + WARN: + suppress: true + ERR: + suppress: true + HS_DESC: + response: + - pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)' + replacement: '650 HS_DESC CREATED {} {} {} redacted {}' + - pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*' + replacement: '650 HS_DESC UPLOAD {} {} redacted redacted' + - pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+' + replacement: '650 HS_DESC UPLOADED {} {} redacted' + - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH' + replacement: '650 HS_DESC REQUESTED {} NO_AUTH' + - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+' + replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted' + - pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+' + replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted' + - pattern: '.*' + replacement: '' + HS_DESC_CONTENT: + suppress: true +``` + 
+This file needs to be placed in `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml`. + +To enable the Cwtch onion-grater profile, use: +```shell +sudo onion-grater-add 40_cwtch +``` + +## Configure the Whonix-Workstation + +The following steps should be done in the Whonix-Workstation. + +### Linux Firewall + +The Whonix-Workstation Firewall needs to have the possible Cwtch binding port open. Follow the [upstream firewall guide](https://www.whonix.org/wiki/Whonix-Workstation_Firewall#Open_an_Incoming_Port). + +Use the following configuration in the file `/usr/local/etc/whonix_firewall.d/50_user.conf`: +```shell +EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) " +``` + +### Running Cwtch + +When launching, Cwtch on Whonix, some environment variables must be set: +- `CWTCH_TAILS=true` - automatically configure Cwtch for running in a Whonix-like environment. +- `CWTCH_RESTRICT_PORTS=true` - forces connectivity to bind to a subset of ports `15000-15378`, easier to manage on the firewall configuration. +- `CWTCH_BIND_EXTERNAL_WHONIX=true` - forces connectivity to bind to external interfaces (only supported/recommended on for Whonix-based setups where the machine (Workstation) which is running Cwtch is firewalled, where the only source of network is through the Gateway. + +```shell +cd ~/.local/lib/cwtch +env LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true ~/.local/lib/cwtch/cwtch +``` :::info Install Location 
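Review bot: the profile name changes between sentences of this hunk without explanation: the prose says the file shipped with Cwtch is `cwtch-whonix.yml`, but the install step writes it to `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml` and enables it with `sudo onion-grater-add 40_cwtch`. Say explicitly that the file is copied and renamed to `40_cwtch.yml` so readers do not look for a `40_cwtch.yml` in the tarball. A few smaller points in the same hunk: "this configuration is can likely be restricted" should drop "is"; "When launching, Cwtch on Whonix, some environment variables must be set:" has a stray comma after "launching"; the `CWTCH_BIND_EXTERNAL_WHONIX` bullet opens a parenthesis at "(only supported/recommended on for Whonix-based setups" that is never closed, and "on for" should be one preposition. In the firewall snippet, `EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "` embeds `seq` output, which is one port per line rather than the space-separated list the surrounding quotes suggest; it only works if the firewall script word-splits the variable on newlines as well as spaces, so either confirm that against the linked upstream guide or note it in the text. Finally, the `cd ~/.local/lib/cwtch` before the `env ... ~/.local/lib/cwtch/cwtch` line is redundant since every path in the command is already absolute.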
@@ -29,76 +127,21 @@ The above command, and the below onion grater configuration assume that Cwtch wa ::: -## Onion Grater Configuration +# Removing Cwtch -The oniongrater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much -further. +## Remove configuration from the Whonix-Gateway -This file needs to be placed in `/usr/share/doc/onion-grater-merger/examples/` on the **Whonix Gateway** portion of he system. +The following steps should be done in the Whonix-Gateway. -You can then use `sudo onion-grater-add cwtch-whonix` to enable the onion grater configuration. - -``` -# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern -- exe-paths: - - '' -users: - - '*' -hosts: - - '*' -commands: - AUTHCHALLENGE: - - 'SAFECOOKIE .*' - SETEVENTS: - - 'CIRC WARN ERR' - - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT' - GETINFO: - - 'net/listeners/socks' - - '.*' - GETCONF: - - 'DisableNetwork' - SETCONF: - - 'DisableNetwork.*' - ADD_ONION: - - '.*' - DEL_ONION: - - '.+' - HSFETCH: - - '.+' -events: - CIRC: - suppress: true - ORCONN: - suppress: true - INFO: - suppress: true - NOTICE: - suppress: true - WARN: - suppress: true - ERR: - suppress: true - HS_DESC: - response: - - pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)' - replacement: '650 HS_DESC CREATED {} {} {} redacted {}' - - pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*' - replacement: '650 HS_DESC UPLOAD {} {} redacted redacted' - - pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+' - replacement: '650 HS_DESC UPLOADED {} {} redacted' - - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH' - replacement: '650 HS_DESC REQUESTED {} NO_AUTH' - - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+' - replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted' - - pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+' - replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted' - - pattern: '.*' 
- replacement: '' - HS_DESC_CONTENT: - suppress: true +Disable the Cwtch onion-grater profile: +```shell +sudo onion-grater-remove cwtch-whonix ``` -## Removing Cwtch +## Remove configuration from the Whonix-Workstation -You can use `sudo onion-grater-remove cwtch-whonix` to disable the Cwtch Onion Grater configuration, and then delete the Cwtch -application and the `$HOME/.cwtch` data directory. +The following steps should be done in the Whonix-Workstation. + +Delete the Cwtch application directory `$HOME/.local/lib/cwtch` and Cwtch data directory `$HOME/.cwtch`. + +The firewall ports should also be closed manually by removing the configuration added above and reloading the firewall. From b5cc3cf24c6c2e834c61d04c7988281c38977632 Mon Sep 17 00:00:00 2001 From: nyxnor Date: Mon, 4 Sep 2023 02:43:06 +0000 Subject: [PATCH 2/4] Harden Whonix onion-grater profile --- docs/platforms/whonix.md | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/docs/platforms/whonix.md b/docs/platforms/whonix.md index 89f17dfe..cecdef88 100644 --- a/docs/platforms/whonix.md +++ b/docs/platforms/whonix.md 
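Review bot: the removal step in this hunk, `sudo onion-grater-remove cwtch-whonix`, does not match the profile name this same patch installs and enables with `sudo onion-grater-add 40_cwtch`; unless onion-grater resolves both names to the same file, the remove command will not find the profile. Use `40_cwtch` here as well, or explain why the two names differ. Two further points: "# Removing Cwtch" is a single-`#` heading while its sibling sections ("## Configure the Whonix-Gateway", "## Configure the Whonix-Workstation") are `##`, so the new section renders one level above the rest of the page; and "The firewall ports should also be closed manually by removing the configuration added above and reloading the firewall" leaves the reload step unspecified, so point to the same upstream firewall guide linked earlier for the exact reload command rather than leaving it to the reader.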
@@ -21,28 +21,31 @@ Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard ac The onion-grater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much further. ```yaml -# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern - --- - exe-paths: - - '' + - '*' users: - '*' hosts: - '*' commands: - AUTHCHALLENGE: - - 'SAFECOOKIE .*' SETEVENTS: - 'CIRC WARN ERR' - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT' GETINFO: - - 'net/listeners/socks' - - '.*' + - pattern: 'network-liveness' + response: + - pattern: '250-network-liveness=.*' + replacement: '250-network-liveness=up' + - pattern: 'status/bootstrap-phase' + response: + - pattern: '250-status/bootstrap-phase=*' + replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"' GETCONF: - - 'DisableNetwork' - SETCONF: - - 'DisableNetwork.*' + - pattern: 'DisableNetwork' + response: + - pattern: '250 DisableNetwork=.*' + replacement: '250 DisableNetwork=0' ADD_ONION: ## {{{ Host: [::], Ports: 15000-15378 - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])' From 760c004b73eb4ef191993cbde8a8a9ed7a800fcd Mon Sep 17 00:00:00 2001 From: nyxnor Date: Wed, 6 Sep 2023 00:03:41 +0000 Subject: [PATCH 3/4] Remove onion-grater profile from Whonix doc --- docs/platforms/whonix.md | 80 ++-------------------------------------- 1 file changed, 3 insertions(+), 77 deletions(-) diff --git a/docs/platforms/whonix.md b/docs/platforms/whonix.md index cecdef88..91d84805 100644 --- a/docs/platforms/whonix.md +++ b/docs/platforms/whonix.md 
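Review bot: the new `status/bootstrap-phase` response pattern in this hunk, `'250-status/bootstrap-phase=*'`, is a regex in which `=*` matches zero or more `=` characters, not an arbitrary value; it should be `'250-status/bootstrap-phase=.*'`, matching the form of the `'250-network-liveness=.*'` sibling two entries above it. Also, this hunk deletes the `# TODO: This can likely be restricted even further ...` comment, but the unchanged context line "As noted this configuration is can likely be restricted much further" still refers to that note, so the sentence now dangles (and still carries the "is can" typo); update or drop it in the same change. Finally, the commit is titled "Harden", yet `exe-paths` widens from `''` to `'*'`; a sentence in the commit message or a comment in the YAML explaining why the wider match is required in the Whonix-Gateway setup would save the next reviewer from reading it as a regression.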
@@ -16,85 +16,11 @@ The following steps should be done in the Whonix-Gateway. ### Onion Grater -Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard access to the control port. We have packaged an onion-grater configuration `cwtch-whonix.yml` with Cwtch on Linux. - -The onion-grater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much further. - -```yaml ---- -- exe-paths: - - '*' - users: - - '*' - hosts: - - '*' - commands: - SETEVENTS: - - 'CIRC WARN ERR' - - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT' - GETINFO: - - pattern: 'network-liveness' - response: - - pattern: '250-network-liveness=.*' - replacement: '250-network-liveness=up' - - pattern: 'status/bootstrap-phase' - response: - - pattern: '250-status/bootstrap-phase=*' - replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"' - GETCONF: - - pattern: 'DisableNetwork' - response: - - pattern: '250 DisableNetwork=.*' - replacement: '250 DisableNetwork=0' - ADD_ONION: - ## {{{ Host: [::], Ports: 15000-15378 - - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])' - replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' - - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(153[0-6][0-9])' - replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' - - pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(1537[0-8])' - replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}' - ## }}} - DEL_ONION: - - '.+' - HSFETCH: - - '.+' - events: - CIRC: - suppress: true - ORCONN: - suppress: true - INFO: - suppress: true - NOTICE: - suppress: true - WARN: - suppress: true - ERR: - suppress: true - HS_DESC: - response: - - pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)' - replacement: '650 HS_DESC CREATED {} {} {} redacted {}' - - 
pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*' - replacement: '650 HS_DESC UPLOAD {} {} redacted redacted' - - pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+' - replacement: '650 HS_DESC UPLOADED {} {} redacted' - - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH' - replacement: '650 HS_DESC REQUESTED {} NO_AUTH' - - pattern: '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+' - replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted' - - pattern: '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+' - replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted' - - pattern: '.*' - replacement: '' - HS_DESC_CONTENT: - suppress: true -``` +Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard access to the control port. We have packaged an onion-grater configuration [`cwtch-whonix.yml` ](https://git.openprivacy.ca/cwtch.im/cwtch-ui/src/branch/trunk/linux/cwtch-whonix.yml) which is present in the root directory of the tarball. This file needs to be placed in `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml`. -To enable the Cwtch onion-grater profile, use: +Enable the Cwtch onion-grater profile: ```shell sudo onion-grater-add 40_cwtch ``` @@ -130,7 +56,7 @@ The above command, and the below onion grater configuration assume that Cwtch wa ::: -# Removing Cwtch +# Removing Cwtch from Whonix ## Remove configuration from the Whonix-Gateway From aa4aa2230515f270fee27e99f849a0a2696cecb7 Mon Sep 17 00:00:00 2001 From: nyxnor Date: Wed, 6 Sep 2023 01:04:26 +0000 Subject: [PATCH 4/4] Whonix also packages the onion-grater profile --- docs/platforms/whonix.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/platforms/whonix.md b/docs/platforms/whonix.md index 91d84805..40f5892f 100644 --- a/docs/platforms/whonix.md +++ b/docs/platforms/whonix.md 
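Review bot: deleting the inline YAML in the first hunk leaves a stale reference in the "Install Location" admonition, visible in the second hunk's context line "The above command, and the below onion grater configuration assume that Cwtch wa...": there is no longer a configuration below it, so that sentence should be reworded to refer only to the launch command, or to the linked `cwtch-whonix.yml`. In the replacement paragraph, the link text "[`cwtch-whonix.yml` ](https://git.openprivacy.ca/...)" has a stray space before the closing bracket; drop it so the link text is just the filename.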
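Review bot: the heading rename in the second hunk, "# Removing Cwtch from Whonix", keeps the single-`#` level while the page's other top-level sections use `##`; since this line is being touched anyway, make it `## Removing Cwtch from Whonix` so the removal section sits at the same level as the configure sections.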
@@ -20,6 +20,8 @@ Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard ac This file needs to be placed in `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml`. +Whonix has also packaged the profile [`40_cwtch.yml`_](https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml), therefore you can use either one. + Enable the Cwtch onion-grater profile: ```shell sudo onion-grater-add 40_cwtch
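Review bot: the added link text "[`40_cwtch.yml`_](https://github.com/Whonix/onion-grater/...)" has a stray underscore after the closing backtick, which will render as a literal `_` or open an emphasis span; remove it. More importantly, "therefore you can use either one" is misleading given the preceding line: both the Cwtch tarball copy and the Whonix package land at the same path, `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml`, so a reader following the copy instruction on a system that already has the Whonix package would overwrite a package-managed file. State instead that the copy step is only needed when the packaged `40_cwtch.yml` is not already present, and that `sudo onion-grater-add 40_cwtch` is the same in both cases.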