



Tor makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. [...] other Tor users can connect to these onion services, formerly known as hidden services, each without knowing the other's network identity.

[1]

Tor Onion Services: Configuration

Introduction

Newcomers to this topic are advised to first read the following Tor Project and Riseup documentation entries to better understand how onion services work, how they are safely configured outside of Whonix ™, and suggested best practices:

Note that onion services are only reachable over Tor, or through tunnel services such as tor2web; caution is warranted if using a tunnel service, because the tunnel operator terminates the Tor connection and can see the traffic. Also, onion addresses do not require Secure Sockets Layer (SSL) or Transport Layer Security (TLS) [2], because connections to Tor onion services are end-to-end encrypted by default and a v3 onion address is itself derived from the service's public key. [3] [4] This is handy, as it is unnecessary to bother with self-signed certificates or certificate authorities.

Another interesting onion service property is that they can serve as a drop-in Global Server Load Balancing and Layer 3 DDoS-resistance solution. [5] This raises the bar for an attacker to the level of attack that the entire Tor network can tolerate; the same applies to I2P Eepsites. Tor can also be considered a very simple to configure, encrypted transport alternative to IPsec. [6]

Potential adversaries can detect whether the onion service (and presumably Tor) is up and running or not. Even if somebody compromises the hidden server software -- such as micro-httpd , nginx , or apache -- the attacker cannot steal the onion service key or bypass Tor; see Attack on Whonix ™. The reason is that the key is stored on the Whonix-Gateway ™, which the Whonix-Workstation ™ cannot access. Once the Whonix-Workstation ™ is cleaned, it is no longer possible for an adversary to impersonate the onion service.

An exception to this is if onion services are created by software running on Whonix-Workstation ™ (examples documented at the time of writing are ZeroNet, OnionShare and Bisq). [7] This is opt-in and not happening by default or accident. When following the instructions on this page, this exception does not apply.

For possible alternatives to onion services, see: Hosting Location Hidden Services.

Web Server Software Recommendations

If your needs are limited to hosting static pages, then look no further than micro-httpd which is available from Debian repositories. It is a bare-bones daemon made up of 150 lines of code. [8]

It is best to avoid the Apache web server because it has much more functionality, leak potential and attack surface than smaller and lighter alternatives. If the Apache web server will be used regardless, refer to the following footnotes. [9] [10]

The Nginx web server is the recommended alternative to Apache . If Nginx is used, refer to the following footnotes. [11]

Security Recommendations

Credits: Some of these instructions are paraphrased from Sarah Jamie Lewis' write-up after running OnionScan [12] on the Onion web -- all credit goes to her. [13] OnionScan is an open source pen-testing suite that reveals misconfigurations which can expose hidden servers. Do run it before your service goes live.

Table: Onion Service Security Recommendations

Hidden Webserver

Perform all the following steps on the Whonix-Gateway ™.

Step 1: Open Tor Configuration

On the Whonix-Gateway ™.

Open /usr/local/etc/torrc.d/50_user.conf .

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Step 2: Edit Tor Configuration

On the Whonix-Gateway ™. This step is necessary for all Whonix ™ platforms. Three settings must be added to /usr/local/etc/torrc.d/50_user.conf :

1. A HiddenServiceDir configuration directive declaring where the onion service files (the hostname file and the private key file) should be stored.

2. A HiddenServicePort configuration directive declaring the virtual port, and the IP and port of the Whonix-Workstation ™ that will run the server software which processes incoming onion service connections. Note that the target must be the Whonix-Workstation ™ IP: a target of 127.0.0.1 would point at the Whonix-Gateway ™ itself, where no server software runs.

3. A HiddenServiceVersion configuration directive declaring which onion service version to use ( 2 or 3 ). Version 2 has since been deprecated and removed from Tor; always use 3.

To specify the necessary settings, add the following three lines.

Qubes-Whonix ™: The placeholder IP-of-q-ws-AppVM must be replaced with the actual IP address of the Qubes-Whonix ™ Whonix-Workstation ™ AppVM. To find out that IP address, run the following command inside the Whonix-Workstation ™ AppVM:

qubesdb-read /qubes-ip

Then add:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 IP-of-q-ws-AppVM:80
HiddenServiceVersion 3

Non-Qubes-Whonix ™:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3

In all Whonix ™ platforms, save the changes.
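The three directives above are easy to get subtly wrong: a placeholder left unreplaced, a target of 127.0.0.1 (which on the Whonix-Gateway ™ points at the Gateway itself rather than the Whonix-Workstation ™), or a leftover HiddenServiceVersion 2. The following Python script is an added example, not Whonix or Tor project code. It parses a torrc.d fragment into per-service blocks and applies exactly those checks, using the target forms the Tor manual allows (port, addr, addr:port, [v6]:port, unix:path). The sample fragments inside it are constructed, and all function names are this example's own.

```python
"""Sanity-check HiddenService* blocks in a torrc.d fragment (added example)."""
import ipaddress
import re

PLACEHOLDER = "IP-of-q-ws-AppVM"   # Qubes placeholder from the page; must be replaced


def parse_hidden_services(text):
    """Group HiddenServiceDir/Port/Version directives into per-service dicts."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "HiddenServiceDir":
            current = {"dir": value, "ports": [], "version": None}
            services.append(current)
        elif key in ("HiddenServicePort", "HiddenServiceVersion"):
            if current is None:
                raise ValueError(f"{key} appears before any HiddenServiceDir")
            if key == "HiddenServicePort":
                current["ports"].append(value)
            else:
                current["version"] = value
    return services


def split_target(target):
    """Return (host, port) for the target forms Tor accepts: port, addr,
    addr:port or [v6addr]:port. port None means 'same as VIRTPORT'."""
    if target.isdigit():
        return "127.0.0.1", int(target)
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", target)
    if m:
        return m.group(1), int(m.group(2)) if m.group(2) else None
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, None


def check_service(svc):
    """Return human-readable problems for one service; an empty list means OK."""
    problems = []
    if not svc["dir"].startswith("/var/lib/tor/"):
        problems.append(f"dir {svc['dir']} is outside /var/lib/tor")
    if svc["version"] != "3":
        problems.append(f"HiddenServiceVersion {svc['version']!r} is not 3")
    if not svc["ports"]:
        problems.append("no HiddenServicePort: nothing would be exposed")
    for spec in svc["ports"]:
        fields = spec.split()
        virt = fields[0]
        target = fields[1] if len(fields) > 1 else virt
        if not (virt.isdigit() and 0 < int(virt) < 65536):
            problems.append(f"virtual port {virt!r} is not a valid TCP port")
            continue
        if PLACEHOLDER in target:
            problems.append(f"target still contains placeholder {PLACEHOLDER}")
            continue
        if target.startswith("unix:"):
            continue                                 # unix socket: nothing to check here
        host, port = split_target(target)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"target host {host!r} is not an IP address")
            continue
        if addr.is_loopback:
            problems.append(f"target {target} is the Gateway's loopback, not the Workstation")
        if port is not None and not 0 < port < 65536:
            problems.append(f"target port {port} out of range")
    return problems


def check_fragment(text):
    """Map each HiddenServiceDir to its list of problems."""
    return {svc["dir"]: check_service(svc) for svc in parse_hidden_services(text)}


# Constructed sample fragments, not real configuration files.
GOOD = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3
"""
BAD = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 IP-of-q-ws-AppVM:80   # placeholder never replaced
HiddenServiceVersion 2
HiddenServiceDir /home/user/hs2/
HiddenServicePort 80                       # defaults to 127.0.0.1:80
HiddenServiceVersion 3
"""

if __name__ == "__main__":
    for name, frag in (("good", GOOD), ("bad", BAD)):
        for hs_dir, probs in check_fragment(frag).items():
            print(name, hs_dir, probs or "OK")
```

To check the real file, pass the contents of /usr/local/etc/torrc.d/50_user.conf (read as root) to check_fragment. The loopback check encodes the Whonix ™ split design; on a single-host Tor setup a 127.0.0.1 target is normal.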

Step 3: Configure Onion Services Authentication

Optional: authenticated onion services. Onion service authentication is only practical for a private onion service with a limited number of visitors, since each visitor must be provided with a key file; it is not feasible for a public onion service, and in that case this step should be skipped. This chapter describes the server side. The client side is described further below in chapter Onion Service Authentication Client Setup.

With v3 onion addresses it is no longer possible for adversaries to learn about the existence of an onion service if its address is not published -- this was not the case with v2 onion addresses. Therefore, some readers might wonder what the purpose of onion service authentication is for v3 onions. Authentication for v3 onions exists to eliminate the side risk of the onion address being leaked accidentally, which is feasible due to human error, a bug in the software using the onion address, or other as yet unknown possibilities. With onion service authentication in place, the onion service cannot be accessed even if the onion address is leaked. Quote: [20]

Also, if you have multiple users, having one v3 address with authentication is much better than multiple addresses, for the following reasons:

- easier management
- easier to configure and easier to maintain the application behind it (web server or whatever it is)
- less resources needed by the Tor daemon
- less load on your guard(s) / bridge(s), thus more capacity and better experience for your clients / visitors (if you have multiple addresses you need to maintain active introduction point circuits for all of them, publish descriptors, etc.)

On the Whonix-Gateway ™.

sudo anon-auth-autogen

Read the output. Example output; it will differ in your case.

INFO: Created torconffile '/usr/local/etc/torrc.d/43_hidden_service_hs_autogen.conf'.
INFO: Reloading Tor.
INFO: Giving Tor 5 seconds to create hidden service file.
INFO: Installed ".auth" file (public key) '/var/lib/tor_autogen/hidden_service/1.auth' to '/var/lib/tor_autogen/hidden_service/1.auth' to allow client '1' to access hsname 'hidden_service' onion_url 'r3yzyxa2iptypjd2db7wl2ju62kyl5aq7mjmwl3wj4eim2y7kafztiid.onion'.
INFO: Reloading Tor again to activate ".auth" (public key) file for client '1'.
INFO: You need to provide client '1' with ".auth_private" file (private key) '/var/lib/tor_autogen/hidden_service/1.auth_private'.
INFO: Visitors that use Whonix could store '/var/lib/tor_autogen/hidden_service/1.auth_private' in '/home/user/1.auth_private' and then run 'sudo sourcefile=/home/user/1.auth_private anon-server-to-client-install'.

In the above example the onion hostname is r3yzyxa2iptypjd2db7wl2ju62kyl5aq7mjmwl3wj4eim2y7kafztiid.onion, without the apostrophes (" ' ") at the beginning and end.

Send the ".auth_private" file (private key) /var/lib/tor_autogen/hidden_service/1.auth_private to the intended visitor of the authenticated v3 onion service. Anyone who obtains this file can reach the service, so use a secure channel. Related: File Transfer. [21] The visitor should follow the instructions for the client side as described further below in chapter Onion Service Authentication Client Setup.

Step 4: Denial of Service Mitigation Options

Documentation for Denial of Service Mitigation Options is incomplete. Contributions are happily considered!

This step requires Tor 0.4.2.5 or above; see: Tor 0.4.2.5 release - how can we upgrade.

Also refer to the Tor manual and search for DENIAL OF SERVICE MITIGATION OPTIONS .

Nothing Whonix ™ specific regarding installation from source. As per:

See also: Onion Services DDOS Defense Tor 0.4.2.5

Step 5: Make Tor Configuration Changes Take Effect

On the Whonix-Gateway ™.

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf , Tor must be reloaded for changes to take effect. Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix') → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps. Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Step 6: Retrieve the Onion Hostname

On the Whonix-Gateway ™.

To retrieve your Tor onion service url, run.

sudo cat /var/lib/tor/hidden_service/hostname

Step 7: Backup the Tor Onion Service Private Key

On the Whonix-Gateway ™.

Reminder: Always backup the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway ™, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.

/var/lib/tor/hidden_service/hs_ed25519_secret_key

Qubes-Whonix ™: Use the usual Qubes tools. The following example shows how to copy /var/lib/tor/hidden_service/hs_ed25519_secret_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/hidden_service/hs_ed25519_secret_key

The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM:

/home/user/QubesIncoming/sys-whonix/hs_ed25519_secret_key

Consider moving the file from the QubesIncoming folder to another preferred location. Qubes VM Manager can be used to conveniently back up the vault and/or other VMs. Please refer to the Qubes backups documentation for the necessary steps.

Non-Qubes-Whonix ™: TODO document

Also see: File Transfer.
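A backup of hs_ed25519_secret_key (Step 7) is only worth keeping if it actually reproduces the hostname retrieved in Step 6. The Python script below is an added example, not Whonix or Tor project code, for checking that offline before the original is ever needed. It assumes Tor's on-disk key format (a 32-byte header followed by the 64-byte expanded Ed25519 secret key, whose first 32 bytes are the scalar) and the v3 address derivation from the Tor rend-spec (base32 of the public key, a two-byte SHA3-256 checksum and the version byte 3). It carries its own textbook Ed25519 so it needs no third-party library; all function names are this example's own, and the key in its __main__ demo is a constructed scalar of 1, not a real service key.

```python
"""Verify that a backed-up hs_ed25519_secret_key reproduces the hostname file.
Added example, not Whonix or Tor project code (see the lead-in for assumptions)."""
import base64
import hashlib

# Assumed Tor on-disk layout: 32-byte header, then the 64-byte expanded secret key.
SECRET_HEADER = b"== ed25519v1-secret: type0 ==\x00\x00\x00"

# Minimal textbook Ed25519 (affine Edwards arithmetic). Fine for an offline
# check; it is not constant time, so do not reuse it for signing.
Q = 2**255 - 19
D = (-121665 * pow(121666, Q - 2, Q)) % Q
SQRT_M1 = pow(2, (Q - 1) // 4, Q)


def xrecover(y):
    """Recover the even x coordinate for a given y on the Edwards curve."""
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * SQRT_M1 % Q
    return Q - x if x & 1 else x


BASE_Y = 4 * pow(5, Q - 2, Q) % Q
BASE = (xrecover(BASE_Y), BASE_Y)


def edwards_add(p, q):
    x1, y1 = p
    x2, y2 = q
    k = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, Q - 2, Q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, Q - 2, Q)
    return x3 % Q, y3 % Q


def scalarmult_base(e):
    """e * B by double-and-add; (0, 1) is the identity point."""
    result, acc = (0, 1), BASE
    while e:
        if e & 1:
            result = edwards_add(result, acc)
        acc = edwards_add(acc, acc)
        e >>= 1
    return result


def public_key_from_secret_file(data):
    """Recompute the public key from Tor's expanded secret key file.
    Bytes 32..63 hold the (already clamped) scalar a; the public key is a*B,
    encoded as little-endian y with the low bit of x in the top bit."""
    if not data.startswith(SECRET_HEADER) or len(data) != 96:
        raise ValueError("not an hs_ed25519_secret_key file")
    a = int.from_bytes(data[32:64], "little")
    x, y = scalarmult_base(a)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def onion_checksum(pubkey):
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]


def onion_address(pubkey):
    """v3 address: base32(pubkey || checksum || 0x03), lower case, plus .onion"""
    raw = pubkey + onion_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"


def pubkey_from_onion_address(addr):
    """Inverse of onion_address; raises ValueError on bad version or checksum."""
    name = addr[:-6] if addr.endswith(".onion") else addr
    raw = base64.b32decode(name.upper())
    if len(raw) != 35 or raw[34] != 3:
        raise ValueError("not a v3 onion address")
    pubkey = raw[:32]
    if raw[32:34] != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def backup_matches_hostname(secret_file_bytes, hostname_file_text):
    """True if the secret key backup reproduces the hostname Tor wrote."""
    derived = onion_address(public_key_from_secret_file(secret_file_bytes))
    return derived == hostname_file_text.strip().lower()


if __name__ == "__main__":
    # Constructed demo key (scalar 1): the public key is the Ed25519 base point.
    demo_secret = SECRET_HEADER + (1).to_bytes(32, "little") + bytes(32)
    addr = onion_address(public_key_from_secret_file(demo_secret))
    print(addr, backup_matches_hostname(demo_secret, addr + "\n"))
    # Real use: read both files as root (see Step 7) and pass their contents:
    #   backup_matches_hostname(open(".../hs_ed25519_secret_key", "rb").read(),
    #                           open(".../hostname").read())
```

Run the check on the copy in the vault VM (or wherever the backup lives), never by shipping the key back to the Whonix-Gateway ™; a mismatch means the backup is of a different service or was corrupted in transfer. pubkey_from_onion_address is also a convenient way to confirm that an address someone sends you is a well-formed v3 address before adding it to a configuration.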

Perform all the following steps on the Whonix-Workstation ™.

Step 1: Install Server Software

On the Whonix-Workstation ™.

Install either micro-httpd or nginx .

A) Run the following commands to install micro-httpd .

Install micro-httpd .

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the micro-httpd package.

sudo apt-get install micro-httpd

The procedure of installing micro-httpd is complete.

OR B) Run the following commands to install nginx .

Install nginx .

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the nginx package.

sudo apt-get install nginx

The procedure of installing nginx is complete.

Step 2: Open Whonix-Workstation Firewall Port

On the Whonix-Workstation ™.

Modify Whonix-Workstation ™ User Firewall Settings

Note: If no changes have yet been made to the Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps. In the Whonix-Workstation ™ AppVM, make sure the folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Then open: Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation ™, open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

Note: The following is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf . The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains the default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be edited directly; it is recommended to open it without root rights. The file contains an explanatory comment on how to change firewall settings:

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders. To view the file, follow these instructions.

If using Qubes-Whonix ™: Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™: Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Add.

EXTERNAL_OPEN_PORTS+=" 80 "

Save.

Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run:

sudo whonix_firewall

Step 3: Final Notes

The procedure is now complete.

Please note that it may take up to 30 minutes (or thereabouts) until a fresh .onion domain is reachable. Further, accessing 127.0.0.1 (local connections) from Tor Browser is no longer possible by default due to a change in Tor Browser by The Tor Project. See Tor Browser, Local Connections for more information and a workaround.

Debugging

Check permissions.

sudo ls -la /var/lib/tor/hidden_service/

In case you manually restored the hidden_service keys as root, Tor will fail to start. The folder and the key files inside it must be owned by debian-tor , and Tor also refuses to use the folder unless its permissions are 0700. In that case, fix the ownership recursively (and the folder mode, if needed).

sudo chown -R debian-tor:debian-tor /var/lib/tor/hidden_service/

Check if the service is available on 127.0.0.1:80.

## Circumventing Whonix ™ curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl 127.0.0.1:80

Qubes-Whonix ™: In Qubes-Whonix ™ Whonix-Workstation ™, check if the service is available on Qubes-Whonix-Workstation ™ IP, port 80.

## Circumventing Whonix ™ curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl $(qubesdb-read /qubes-ip):80

Non-Qubes-Whonix ™: In Whonix-Workstation ™, check if the service is available on 10.152.152.11:80 .

## Circumventing Whonix ™ curl stream isolation wrapper.
UWT_DEV_PASSTHROUGH=1 curl 10.152.152.11:80

Note: Depending on its version, Tor Browser may allow connections to 127.0.0.1:80 but not to 10.152.152.11:80 ; see Step 3: Final Notes above regarding local connections.

Setup Tips for any Onion Service

Please test the example Hidden Webserver above first; this helps in understanding the process in general and eases debugging. The following material is quoted directly from the Tor manual:

HiddenServiceDir DIRECTORY Store data files for a hidden service in DIRECTORY. Every hidden service must have a separate directory. You may use this option multiple times to specify multiple services. If DIRECTORY does not exist, Tor will create it. Please note that you cannot add new Onion Service to already running Tor instance if Sandbox is enabled.





HiddenServicePort VIRTPORT [TARGET] Configure a virtual port VIRTPORT for a hidden service. You may use this option multiple times; each time applies to the service using the most recent HiddenServiceDir. By default, this option maps the virtual port to the same port on 127.0.0.1 over TCP. You may override the target port, address, or both by specifying a target of addr, port, addr:port, or unix:path. (You can specify an IPv6 target as [addr]:port. Unix paths may be quoted, and may use standard C escapes.) You may also have multiple lines with the same VIRTPORT: when a user connects to that VIRTPORT, one of the TARGETs from those lines will be chosen at random. Note that address-port pairs have to be comma-separated.

Hidden VoIP Server

On the VoIP page is an example for a Hidden VoIP Mumble Server.

Troubleshooting

Watch Logs

On Whonix-Gateway ™. Run the following command to watch both the vanguards and Tor log output.

sudo journalctl -u vanguards -u tor@default -f

Bug

torsocks curl http://onionv3redacted.onion

curl output might include:

1593531192 ERROR torsocks[2452]: Host unreachable (in socks5_recv_connect_reply() at socks5.c:539) curl: (7) Couldn't connect to server

Tor vanguards log might include:

Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 279088 (in state HS_SERVICE_REND HSSR_JOINED; old state HS_SERVICE_REND HSSR_CONNECTING) We force-closed circuit 281935 Tor bug #29699: Got 1 dropped cell on circ 281934 (in state HS_SERVICE_INTRO HSSI_ESTABLISHED; old state HS_SERVICE_INTRO HSSI_CONNECTING). We force-closed circuit 281934

Related Tor tickets: https://trac.torproject.org/projects/tor/ticket/29699 -> https://trac.torproject.org/projects/tor/ticket/26806
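The vanguards message above says "possible attack if very frequent", so the useful question when triaging a journal is not whether the warning appears but how often, and on which circuit types. The Python script below is an added example, not vanguards or Whonix code: it parses the "Got N dropped cell on circ ..." message format shown above out of journalctl output, counts events per circuit purpose, and reports the peak number of events inside any sliding window. It assumes the default journalctl line prefix (timestamp, host, vanguards[pid]) and the message wording above; the journal lines embedded in it are constructed for the demo, not a real capture, and all names are this example's own.

```python
"""Triage vanguards 'dropped cell' warnings from a journal capture (added example)."""
import re
import sys
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ vanguards\[\d+\]: .*?"
    r"Got (?P<cells>\d+) dropped cell on circ (?P<circ>\d+) "
    r"\(in state (?P<purpose>\S+) (?P<state>\S+);")


def parse_dropped_cells(lines, year=2020):
    """Yield (timestamp, circuit id, purpose, state, cells) for each matching line.
    journalctl's default format omits the year, so it is supplied by the caller."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, int(m["circ"]), m["purpose"], m["state"], int(m["cells"])


def triage(lines, window_seconds=60, threshold=5):
    """Summarise events: total, per circuit purpose, and the peak number of
    events inside any window of window_seconds. 'suspicious' is True when that
    peak reaches threshold; isolated events look like the Tor bug, bursts do not."""
    events = sorted(parse_dropped_cells(lines))
    by_purpose = Counter(purpose for _, _, purpose, _, _ in events)
    peak, start = 0, 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return {"events": len(events), "by_purpose": dict(by_purpose),
            "peak_per_window": peak, "suspicious": peak >= threshold}


# Constructed sample journal lines (not a real capture).
SAMPLE = """\
Jun 30 16:13:12 host vanguards[1234]: WARNING: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 279088 (in state HS_SERVICE_REND HSSR_JOINED; old state HS_SERVICE_REND HSSR_CONNECTING). We force-closed circuit 279088
Jun 30 16:13:13 host vanguards[1234]: WARNING: Tor bug #29699: Got 1 dropped cell on circ 281934 (in state HS_SERVICE_INTRO HSSI_ESTABLISHED; old state HS_SERVICE_INTRO HSSI_CONNECTING). We force-closed circuit 281934
Jun 30 16:13:14 host tor[2345]: [notice] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up.
Jun 30 16:13:15 host vanguards[1234]: WARNING: Possible Tor bug, or possible attack if very frequent: Got 2 dropped cell on circ 281940 (in state HS_SERVICE_REND HSSR_JOINED; old state HS_SERVICE_REND HSSR_CONNECTING). We force-closed circuit 281940
Jun 30 17:45:00 host vanguards[1234]: WARNING: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 300001 (in state HS_SERVICE_REND HSSR_JOINED; old state HS_SERVICE_REND HSSR_CONNECTING). We force-closed circuit 300001
""".splitlines()

if __name__ == "__main__":
    # Real use:  sudo journalctl -u vanguards --no-pager | python3 this_script.py
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    print(triage(source))
```

The window and threshold are deliberately conservative defaults; tune them against a quiet baseline of your own service before treating "suspicious" as more than a prompt to look closer.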

Tor Onion Services: Advanced Topics

Onion Services Security Enhancements

Over time, The Tor Project is steadily releasing additional features which enhance onion services security. Recent efforts to protect against guard enumeration attacks include the vanguards add-on and additional torrc options to pin the second and third hops of onion service circuits to a list of nodes. To learn more about these enhancements and their optional configuration, see:

How Onion Services Connections Work

To understand how onion services work, a simple overview of the process is outlined below. [22]

Step 1. Onion services advertise their existence in the Tor network. This is done by randomly picking some relays and building circuits, before asking these relays to act as introduction points by providing the service's public key. The onion server's location (IP address) is shielded.

Step 2. The onion service generates an onion service descriptor containing the public key and a summary of introduction points. This is signed with its private key and then uploaded to a distributed hash table, so users can find the service when searching for a .onion resource. [23] This also forms an important verification mechanism for the user to confirm they are talking to the right onion service.

Step 3. The user who learnt that the .onion resource exists requests more information from the database, by downloading the descriptor from the distributed hash table. If the descriptor exists, the user now knows the introduction points and the right public key to use. The user also creates a Tor circuit to another randomly picked relay to use as a rendezvous point (with a one-time secret).

Step 4. If the descriptor is present and the rendezvous point is ready, the user assembles an "introduce message". This is encrypted to the onion service's public key and includes the rendezvous point address and the one-time secret. The user requests this be delivered to the onion service (via a Tor circuit) anonymously, so the IP address remains hidden.

Step 5. The onion service decrypts the user's introduce message and finds the rendezvous point address and one-time secret in it. The service creates a circuit to the rendezvous point and sends the one-time secret to it in a rendezvous message. The onion service must use the same set of entry guards when creating circuits, to prevent attackers from forcing onion services to use corrupt relays as an entry node (and learning the onion server's IP address via timing analysis).

Step 6. The rendezvous point notifies the user the successful connection has been established. Both the user and onion service use their circuits to the rendezvous point for communication. The rendezvous point relays end-to-end encrypted messages from user to service and vice versa.

Use of .onion addresses leads to a six-relay arrangement: three picked by the user (with the third used as the rendezvous point), and three picked by the onion service. The final successful connection between a user and an onion service is represented in the figure below.

Figure: Alice (User) and Bob (Onion Service) Successful Connection [24]

Onion Services Security

This is not a Whonix ™-specific issue. This section considers Tor and onion services security in general terms.

It is difficult to confirm exactly how safe Tor onion services are. Therefore, this section is intended as a repository of relevant facts, quotes and links to provide an estimation -- feel free to add further germane material.

Roger Dingledine, an original developer of Tor, addressed this issue in a 2013 tor-talk mailing list thread, How easy are Tor hidden services to locate?:

Hidden services are definitely weaker than regular Tor circuits, a) because the adversary can induce them to speak, and b) because they stay at the same place over time. Mostly 'a'. That said, there are plenty of hidden services out there, and few stories of people breaking their anonymity by breaking Tor. So they're not foolproof for sure, but they're also not trivial to deanonymize. I'll turn it around, and ask "easy compared to what?"

Roger also added:

When you're a Tor client, you only use the Tor network when you choose to access it (e.g. by trying to fetch a web page). So if the attacker has some attack that works only a very small percentage of time, they have to wait for you to initiate connections. But for a hidden service, they can cause you to initiate a connection just by visiting the hidden service. And they can do it as often as they want. See http://freehaven.net/anonbib/#hs-attack06 [archive] for the original paper about this topic (and the reason we implemented entry guards). And then see http://freehaven.net/anonbib/#wpes12-cogs [archive] for a more recent example. The goal of that paper is to understand how long it takes in normal operation (with entry guards going offline and being replaced) before a typical user touches an adversary-controlled guard node. For simplicity, the paper assumes that you use your guards every minute of every day for however many weeks or months it takes. A realistic user doesn't do that, so the paper overestimates the risk. But a realistic hidden service *would* do that, if the adversary caused it to. --Roger

At the time of writing there are no known attacks used in the wild that consistently deanonymize Tor onion services. However, there is a plethora of Speculative Tor Attacks against the ecosystem that have been highlighted in research settings, including those that specifically target the server or client and server in combination. Therefore, Tor processes and anonymity protection might be seriously degraded under specific conditions.

A number of serious onion service concerns [25] have been mitigated since The Tor Project announced the release of v3 ( HiddenServiceVersion 3 ) onion services in 2017, succeeding the original v2 onion service design; see: Tor's Fall Harvest: The Next Generation of Onion Services.

Onion Service Authentication Client Setup

1. Receive the ".auth_private" file (private key) (for example: 1.auth_private ) from the provider of the authenticated v3 onion service.

2. Move it to the Whonix-Gateway ™ home folder /home/user .

3. Install the ".auth_private" file (private key).

sudo anon-server-to-client-install 1.auth_private

Example output.

INFO: Installed ".auth_private" file (private key) '/home/user/1.auth_private' to '/var/lib/tor/authdir/1.auth_private'.
INFO: Created torconffile '/usr/local/etc/torrc.d/43_clientonionauthdir.conf'.
INFO: Reloading Tor to activate ".auth_private" file (private key).
INFO: Success.

4. Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf , Tor must be reloaded for changes to take effect. Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix') → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps. Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

The procedure is complete.
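Step 3 of the Hidden Webserver chapter and the client setup above rely on anon-auth-autogen and anon-server-to-client-install to produce and install the ".auth" and ".auth_private" files. The Python script below is an added example, not Whonix or Tor project code, that builds and checks the same two files by hand, which is what you need on a non-Whonix Tor or when auditing a file somebody sent you. It assumes the file formats documented in the Tor manual: the service-side line is descriptor:x25519:<base32 public key> (placed in <HiddenServiceDir>/authorized_clients/<name>.auth), and the client-side line is <onion address without .onion>:descriptor:x25519:<base32 private key> (placed in the ClientOnionAuthDir as <name>.auth_private), both with unpadded base32. X25519 is implemented per RFC 7748 so that no third-party library is needed; the function names and the placeholder address in __main__ are this example's own.

```python
"""Generate and check v3 client-authorization files by hand (added example)."""
import base64
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def cswap(swap, a, b):
    return (b, a) if swap else (a, b)


def x25519(k_bytes, u_bytes):
    """RFC 7748 Montgomery ladder (textbook, not constant time); returns the
    32-byte u-coordinate of k * u, with k clamped as the RFC prescribes."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b32_encode(raw):
    return base64.b32encode(raw).decode().rstrip("=")   # Tor writes unpadded base32


def b32_decode(text):
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def make_client_auth(onion_address, private_key=None):
    """Return (auth_line, auth_private_line) for one client. The first goes into
    authorized_clients/<name>.auth on the service side, the second into the
    client's ClientOnionAuthDir as <name>.auth_private."""
    if private_key is None:
        private_key = os.urandom(32)
    public_key = x25519(private_key, BASEPOINT)
    onion = onion_address[:-6] if onion_address.endswith(".onion") else onion_address
    return (f"descriptor:x25519:{b32_encode(public_key)}",
            f"{onion}:descriptor:x25519:{b32_encode(private_key)}")


def parse_auth_private(line):
    """Validate a .auth_private line and return (onion name, private key bytes)."""
    onion, auth_type, key_type, key = line.strip().split(":")
    if auth_type != "descriptor" or key_type != "x25519" or len(onion) != 56:
        raise ValueError("unexpected .auth_private format")
    private_key = b32_decode(key)
    if len(private_key) != 32:
        raise ValueError("x25519 private key must be 32 bytes")
    return onion, private_key


def auth_pair_matches(auth_line, auth_private_line):
    """True if the service-side .auth public key belongs to the client's private key."""
    _, private_key = parse_auth_private(auth_private_line)
    _, _, pub_b32 = auth_line.strip().split(":")
    return b32_decode(pub_b32) == x25519(private_key, BASEPOINT)


if __name__ == "__main__":
    # Constructed placeholder address (56 base32 characters), not a real service.
    demo_onion = "a" * 56 + ".onion"
    auth, auth_private = make_client_auth(demo_onion)
    print(auth)
    print(auth_private)
    print("pair consistent:", auth_pair_matches(auth, auth_private))
```

Only the ".auth" line (the public key) belongs on the Whonix-Gateway ™ running the service; the ".auth_private" line is the visitor's secret and is the file that must travel over a secure channel. auth_pair_matches is the check to run when a visitor reports being unable to connect: if the installed ".auth" does not match the ".auth_private" they hold, the key files were mixed up rather than Tor being at fault.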

Notes about End-to-end Security of Onion Services

Hidden services are not really encrypted "end-to-end", they are only encrypted "Tor-to-end" (or "Tor-to-Tor"). The communication between the browser or server and Tor is sent in clear text. This does not really constitute a security issue, as localhost (or Workstation to Gateway on an isolated network), is supposed to be secure. But this does pose some security implications.

Firstly, with onion services alone and no TLS enabled, the adversary only needs to compromise Whonix-Gateway ™ to gain knowledge of the content of the connection and the client's identity/location. To compromise the content of the connection, the adversary only needs to compromise either the gateway or the workstation.

With both onion services and TLS enabled, an adversary needs to compromise Whonix-Workstation ™ to gain knowledge of the content of the connection. To gain knowledge of the client's identity/location, the adversary would have to compromise Whonix-Gateway ™ as well.

Although it is possible to use onion services and TLS in combination -- that is, https://****************.onion -- there are very few onion services reachable over TLS. For example, the DuckDuckGo search engine https://duckduckgo.com/ can be reached over https://3g2upl4pq6kufc4m.onion/ . But since this only offers benefits to users of Whonix ™ (and other Tor gateway implementations), there is little demand. However, it does provide some nice defense in depth because it eliminates a single point of failure.

This does raise the question as to how the TLS certificate can be verified. That is a simple process for private sites where the server and clients know each other; they simply verify it over a pre-shared secure channel, for example a meeting.

In regards to public onion services, certificate authorities previously refused to issue certificates for .onion sites; for example, Startssl.com declined because .onion was not a gTLD, see: Bug #6116: apply for .onion gTLD at IANA. However, in DuckDuckGo's case a certificate was issued by DigiCert, which confirms that TLS certificates can be issued to people who can reasonably prove they control a .onion domain. Presumably evidence of domain control may include editing its contents upon the CA's request. Nevertheless, little faith should be placed in certificate authorities, see: Transport Layer Security (TLS).

Finally, it should be noted that running onion services with Whonix ™ is safer than running Tor and the server software on the same host, because even when misconfigured, there cannot be any IP or DNS leaks (by design).

See also (arguing against adding TLS to onion services): https://matt.traudt.xyz/posts/dont-https-your-o44SnkW2.html

High Traffic Onion Service Scalability Performance

Although mostly focused on non-anonymous onion services, the tor-dev mailing list discussion onionbalance useful on same server / for high-spec non-location hidden servers? contains interesting information on the scalability and performance of high traffic onion services. The tor-dev mailing list (sign-up) is considered a useful resource for technical information, since its members are receptive to genuine inquiries.





Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
