3.1 KiB
sidebar_position |
---|
1 |
Running Cwtch on Whonix
:::warning New Feature
New in Cwtch 1.13
This functionality may be incomplete and/or dangerous if misused. Please help us to review, and test. :::
Configure the Whonix-Gateway
The following steps should be done in the Whonix-Gateway.
Onion Grater
Whonix uses Onion Grater to guard access to the control port. We have packaged an onion-grater configuration cwtch-whonix.yml
which is present in the root directory of the tarball.
This file needs to be placed in /usr/share/doc/onion-grater-merger/examples/40_cwtch.yml
.
Whonix has also packaged the profile 40_cwtch.yml
_, therefore you can use either one.
Enable the Cwtch onion-grater profile:
sudo onion-grater-add 40_cwtch
Configure the Whonix-Workstation
The following steps should be done in the Whonix-Workstation.
Linux Firewall
The Whonix-Workstation Firewall needs to have the possible Cwtch binding port open. Follow the upstream firewall guide.
Use the following configuration in the file /usr/local/etc/whonix_firewall.d/50_user.conf
:
EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "
Running Cwtch
When launching, Cwtch on Whonix, some environment variables must be set:
CWTCH_TAILS=true
- automatically configure Cwtch for running in a Whonix-like environment.CWTCH_RESTRICT_PORTS=true
- forces connectivity to bind to a subset of ports15000-15378
, easier to manage on the firewall configuration.CWTCH_BIND_EXTERNAL_WHONIX=true
- forces connectivity to bind to external interfaces (only supported/recommended on for Whonix-based setups where the machine (Workstation) which is running Cwtch is firewalled, where the only source of network is through the Gateway.
cd ~/.local/lib/cwtch
env LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true ~/.local/lib/cwtch/cwtch
:::info Install Location
The above command, and the below onion grater configuration assume that Cwtch was installed in ~/.local/lib/cwtch/cwtch
- if Cwtch was installed somewhere else (or if you are running directly from the download folder) then you will need to adjust the commands.
:::
Removing Cwtch from Whonix
Remove configuration from the Whonix-Gateway
The following steps should be done in the Whonix-Gateway.
Disable the Cwtch onion-grater profile:
sudo onion-grater-remove cwtch-whonix
Remove configuration from the Whonix-Workstation
The following steps should be done in the Whonix-Workstation.
Delete the Cwtch application directory $HOME/.local/lib/cwtch
and Cwtch data directory $HOME/.cwtch
.
The firewall ports should also be closed manually by removing the configuration added above and reloading the firewall.