Whonix doc

nyxnor 2023-09-02 20:00:38 +00:00
parent 06eb758b7b
commit 9736c73e57
1 changed file with 117 additions and 74 deletions


@ -10,43 +10,27 @@ This functionality may be incomplete and/or dangerous if misused. Please help us
:::
Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard access to the control port. We have packaged
an oniongrater configuration `cwtch-whonix.yml` with Cwtch on Linux.
## Configure the Whonix-Gateway
When launching, Cwtch on Whonix should be passed the `CWTCH_TAILS=true` environment variables to automatically configure Cwtch for running in a Whonix-like environment:
The following steps should be done in the Whonix-Gateway.
`exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch`
### Onion Grater
Optionally, it may be desirable to pass either or both of two additional flags:
Whonix uses [Onion Grater](https://www.whonix.org/wiki/Onion-grater) to guard access to the control port. We have packaged an onion-grater configuration `cwtch-whonix.yml` with Cwtch on Linux.
- `CWTCH_RESTRICT_PORTS` - forces connectivity to bind to a subset of ports `15000-15378`
- `CWTCH_BIND_EXTERNAL_WHONIX` - forces connectivity to bind to external interfaces (only supported/recommended on certain Whonix-based setups. Please open an issue if you think this should be expanded.)
The onion-grater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much further.
:::info Install Location
The above command, and the below onion grater configuration assume that Cwtch was installed in `~/.local/lib/cwtch/cwtch` - if Cwtch was installed somewhere else (or if you are running directly from the download folder) then you will need to adjust the commands.
:::
## Onion Grater Configuration
The oniongrater configuration `cwtch-whonix.yml` is reproduced below. As noted this configuration is can likely be restricted much
further.
This file needs to be placed in `/usr/share/doc/onion-grater-merger/examples/` on the **Whonix Gateway** portion of he system.
You can then use `sudo onion-grater-add cwtch-whonix` to enable the onion grater configuration.
```
```yaml
# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern
---
- exe-paths:
- ''
users:
users:
- '*'
hosts:
hosts:
- '*'
commands:
commands:
AUTHCHALLENGE:
- 'SAFECOOKIE .*'
SETEVENTS:
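Review bot: the typo in the sentence introducing the YAML survives the rewrite: "As noted this configuration is can likely be restricted much further" should read "can likely be restricted much further". The two new paragraphs under "### Onion Grater" both say the packaged file is `cwtch-whonix.yml` (one that it is packaged, one that it is reproduced below) and could be merged into one. The TODO at the top of the YAML ("especially in regards to the ADD_ONION pattern") becomes stale once this same patch narrows ADD_ONION to the 15000-15378 patterns; update or drop it. Minor: "Onion Grater" and "onion-grater" are both used in the same paragraph; pick one spelling.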
@ -60,12 +44,19 @@ commands:
SETCONF:
- 'DisableNetwork.*'
ADD_ONION:
- '.*'
## {{{ Host: [::], Ports: 15000-15378
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])'
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(153[0-6][0-9])'
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
- pattern: 'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(1537[0-8])'
replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
## }}}
DEL_ONION:
- '.+'
HSFETCH:
- '.+'
events:
events:
CIRC:
suppress: true
ORCONN:
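Review bot: please confirm the catch-all `- '.*'` under ADD_ONION is deleted in this change rather than kept; if it remains, onion-grater matches it before the three new port-range patterns and the restriction has no effect. The three patterns together cover exactly 15000-15378 (`15[0-2][0-9][0-9]` = 15000-15299, `153[0-6][0-9]` = 15300-15369, `1537[0-8]` = 15370-15378) with no gap or overlap, but they could be one pattern, e.g. `\[::\]:(15[0-2][0-9]{2}|153[0-6][0-9]|1537[0-8])`, with the replacement line kept once. The patterns also hard-code `Flags=DiscardPK,Detach` in that order and `Port=9878`; if Cwtch ever issues ADD_ONION differently the command is rejected rather than rewritten, so a comment stating where these values come from would help future maintainers. The `## {{{` / `## }}}` fold markers are harmless as YAML comments but read as accidental to anyone not using editor folds.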
@ -98,7 +89,59 @@ events:
suppress: true
```
## Removing Cwtch
This file needs to be placed in `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml`.
You can use `sudo onion-grater-remove cwtch-whonix` to disable the Cwtch Onion Grater configuration, and then delete the Cwtch
application and the `$HOME/.cwtch` data directory.
To enable the Cwtch onion-grater profile, use:
```shell
sudo onion-grater-add 40_cwtch
```
## Configure the Whonix-Workstation
The following steps should be done in the Whonix-Workstation.
### Linux Firewall
The Whonix-Workstation Firewall needs to have the possible Cwtch binding port open. Follow the [upstream firewall guide](https://www.whonix.org/wiki/Whonix-Workstation_Firewall#Open_an_Incoming_Port).
Use the following configuration in the file `/usr/local/etc/whonix_firewall.d/50_user.conf`:
```shell
EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "
```
### Running Cwtch
When launching, Cwtch on Whonix, some environment variables must be set:
- `CWTCH_TAILS=true` - automatically configure Cwtch for running in a Whonix-like environment.
- `CWTCH_RESTRICT_PORTS=true` - forces connectivity to bind to a subset of ports `15000-15378`, easier to manage on the firewall configuration.
- `CWTCH_BIND_EXTERNAL_WHONIX=true` - forces connectivity to bind to external interfaces (only supported/recommended on for Whonix-based setups where the machine (Workstation) which is running Cwtch is firewalled, where the only source of network is through the Gateway.
```shell
cd ~/.local/lib/cwtch
env LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true ~/.local/lib/cwtch/cwtch
```
:::info Install Location
The above command, and the below onion grater configuration assume that Cwtch was installed in `~/.local/lib/cwtch/cwtch` - if Cwtch was installed somewhere else (or if you are running directly from the download folder) then you will need to adjust the commands.
:::
# Removing Cwtch
## Remove configuration from the Whonix-Gateway
The following steps should be done in the Whonix-Gateway.
Disable the Cwtch onion-grater profile:
```shell
sudo onion-grater-remove cwtch-whonix
```
## Remove configuration from the Whonix-Workstation
The following steps should be done in the Whonix-Workstation.
Delete the Cwtch application directory `$HOME/.local/lib/cwtch` and Cwtch data directory `$HOME/.cwtch`.
The firewall ports should also be closed manually by removing the configuration added above and reloading the firewall.
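Review bot: the profile name is inconsistent between install and removal: this hunk places the file as `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml` and enables it with `sudo onion-grater-add 40_cwtch`, but the removal section still runs `sudo onion-grater-remove cwtch-whonix`, and the Gateway section above still calls the packaged file `cwtch-whonix.yml`; with these names the remove step will not find the profile. Use one name throughout (file, add, remove). Other points: the `CWTCH_BIND_EXTERNAL_WHONIX` bullet has an unclosed parenthesis and reads "on for Whonix-based setups"; "When launching, Cwtch on Whonix, some environment variables must be set" has a stray comma; the Install Location admonition still says "the below onion grater configuration" although the YAML now sits above it in the Gateway section; and `EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "` expands to 379 separate port entries rather than a range, which deserves a comment saying that is intended.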