docs.cwtch.im/docs/platforms/whonix.md

---
sidebar_position: 1
---

# Running Cwtch on Whonix

:::warning New Feature

New in Cwtch 1.13

This functionality may be incomplete and/or dangerous if misused. Please help us to review and test it.

:::

## Configure the Whonix-Gateway

The following steps should be done in the Whonix-Gateway.

### Onion Grater

Whonix uses Onion Grater to guard access to the Tor control port. We have packaged an onion-grater configuration, `cwtch-whonix.yml`, which is present in the root directory of the tarball.

This file needs to be placed at `/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml`.

Whonix also ships the profile `40_cwtch.yml`, so you can use either one.

Enable the Cwtch onion-grater profile:

```bash
sudo onion-grater-add 40_cwtch
```

## Configure the Whonix-Workstation

The following steps should be done in the Whonix-Workstation.

### Linux Firewall

The Whonix-Workstation firewall needs to have the ports that Cwtch may bind to open. Follow the upstream firewall guide.

Use the following configuration in the file `/usr/local/etc/whonix_firewall.d/50_user.conf`:

```bash
EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "
```

## Running Cwtch

When launching Cwtch on Whonix, some environment variables must be set:

- `CWTCH_TAILS=true` - automatically configures Cwtch for running in a Whonix-like environment.
- `CWTCH_RESTRICT_PORTS=true` - forces connectivity to bind to a subset of ports, 15000-15378, which is easier to manage in the firewall configuration.
- `CWTCH_BIND_EXTERNAL_WHONIX=true` - forces connectivity to bind to external interfaces (only supported/recommended for Whonix-based setups where the machine running Cwtch (the Workstation) is firewalled and its only network path is through the Gateway).

```bash
cd ~/.local/lib/cwtch
env LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true ~/.local/lib/cwtch/cwtch
```

:::info Install Location

The above command, and the onion grater configuration, assume that Cwtch was installed in `~/.local/lib/cwtch/cwtch` - if Cwtch was installed somewhere else (or if you are running directly from the download folder) then you will need to adjust the commands.

:::
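As an added check that is not part of the Cwtch docs: the POSIX shell function below reads an `ss -ltn` listing from the Workstation and confirms that every listening TCP socket sits inside the 15000-15378 range that `CWTCH_RESTRICT_PORTS=true` promises and that the firewall line above opens. The sample listing is constructed, not captured from a real system.

```bash
#!/bin/sh
# Added example (not from the Cwtch project). Verifies that all listening
# TCP ports in `ss -ltn` output fall within the Cwtch restricted range
# 15000-15378; anything outside it is printed and the function returns 1.
# Live use on the Whonix-Workstation:  ss -ltn | ports_in_range
ports_in_range() {
    awk -v lo=15000 -v hi=15378 '
        NR == 1 { next }                 # skip the ss header line
        {
            n = split($4, a, ":")        # "Local Address:Port"; last field is the port (IPv6 safe)
            port = a[n] + 0
            if (port < lo || port > hi) { print port; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Convenience wrapper: check a listing passed as a single string.
ports_in_range_str() {
    printf '%s\n' "$1" | ports_in_range
}

# Constructed sample listing (not real output from any system).
SAMPLE_OK='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:15001     0.0.0.0:*
LISTEN  0      128    [::]:15377        [::]:*'

check_sample() {
    ports_in_range_str "$SAMPLE_OK"
}
```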

## Removing Cwtch from Whonix

### Remove configuration from the Whonix-Gateway

The following steps should be done in the Whonix-Gateway.

Disable the Cwtch onion-grater profile:

```bash
sudo onion-grater-remove cwtch-whonix
```

### Remove configuration from the Whonix-Workstation

The following steps should be done in the Whonix-Workstation.

Delete the Cwtch application directory `$HOME/.local/lib/cwtch` and the Cwtch data directory `$HOME/.cwtch`.

The firewall ports should also be closed manually by removing the configuration added above and reloading the firewall.