Preventing non-Tor connections

Where do you get this error?
What and where have you changed, that this causes this error?

Wow

Didn’t expect a hero to answer so fast on an old topic

It’s step install corridor

Then 2

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable whonix

I think there is an error in the guide, but I’m not sure, it’s better to double check it with Whonix developers on Whonix forum:
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/c/qubes-whonix/12

I think instead of:

Qubes-Whonix Template (whonix-workstation-17)

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable whonix

It should be:

sys-corridor standalone terminal:

sudo extrepo enable whonix

Because the sys-corridor is not a template but a standalone qube and it’s connected to the network directly (e.g. sys-firewall) so no need to use the proxy.

Sadly the link doesn’t work for me

I checked the installation guide again and the sudo extrepo enable whonix

Is exactly the next step if it was
A non qubes whonix

It’s an onion mirror of Whonix forum so you need to access it using Tor. You can use the clearnet link instead if you want to access it in clearnet:

Hello thanks for everything

I used a non qubes whonix for this part and got as far as

Daemon Status Test
While these instructions remain experimental, it is advised to run the following systemctl commands to check everything is functioning correctly.

Sadly most of the things in there will state failed failed failed and only 1 is enabled. Got further but clearly still lacking a lot of knowledge

I think you should ask this on Whonix forum, provide the detailed steps that you took to set up sys-corridor and the systemd status output for services.

Wait what…? We need a corridor to use Whonix now? :skull: Why the fuck is Whonix making clearnet connections to begin with?

This is not necessarily more anonymous, but it does provide an additional fail-safe – a Tor traffic whitelisting firewall that helps protect against accidental clearnet leaks (hypothetical clearnet leak bugs in Whonix). As corridor’s project description states: “… it cannot prevent malware on a client computer from finding out your clearnet IP address.”

corridor is mostly useful for developers and auditors of Whonix, along with advanced users who would like to have an additional safety net. Note that it cannot protect from hypothetical bugs affecting Qubes’ ProxyVM; a physically-isolated, standalone corridor-Gateway is necessary to cover that leak vector.

It isn’t a whonix qubes

It’s a Debian so I don’t know if this would help there

Maybe I will ask a more tech-savvy friend to help me install it

corridor is indeed the wrong tool for this topic. (Unless it’s installed on your router. In that case it’s a nice fail-safe mechanism that can also point out some misconfigurations of your e.g. Qubes OS device, allowing you to fix them before you use the device with a non-corridor router.)

To avoid making non-Tor connections on a Qubes OS device in the first place:

  1. Set the system’s default net qube to sys-whonix or none, and don’t override it to sys-firewall or sys-net for individual qubes (except for sys-whonix itself, which usually should have sys-firewall as its net qube)
  2. Set the clock qube to sys-whonix or none
  3. Set the dom0 update proxy to sys-whonix
  4. Set the template update proxy to sys-whonix for both Whonix and non-Whonix templates
  5. sys-net and sys-firewall are special, because they are upstream from sys-whonix. Add nftables rules (ordered before the systemd network-pre.target) to prevent them from generating their own (non-loopback) output.

It’s a Whonix guide mainly aimed to be used in Qubes OS:

corridor configurations are only possible in Qubes-Whonix™. Non-Qubes-Whonix is unsupported at present. [1] [2]

So Whonix forum is a proper place to ask about using this guide.

Damn I didn’t expect such a legend to comment here

It’s not about really needing it just about learning and understanding it

I love qubes as it is and want to learn further how to use it and make it kinda like how I want it

If anyone could help a beginner I would appreciate it

How would someone that just started out go about doing this?

I’m still in pursuit to get the corridor running but I think I’m just not good enough to get that working

Edit: I switched to qubes os since I got rid of all my high-end pcs and laptops and now just have a ThinkPad and I was sick of windows I tried fedora mint and so on but the concept of qubes just got me

Do you mean about this?

Steps 1-4 can be done in Qubes Global Config.
Step 5 should be done by creating a systemd service in the sys-net and sys-firewall template that will be run before network-pre.target and it’ll run a script that’ll configure output firewall rules for qubes with the name “sys-net” and “sys-firewall”.
You can check the name of the qube inside the script using hostname command.
The firewall rules should be something like this:

nft add chain ip qubes output '{ type filter hook output priority 0; policy accept; }'
nft add rule ip qubes output oifname "lo" accept
nft add rule ip qubes output drop
nft add chain ip6 qubes output '{ type filter hook output priority 0; policy accept; }'
nft add rule ip6 qubes output oifname "lo" accept
nft add rule ip6 qubes output drop
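
Step 5 as described in the post above, put together as one script (an added example, not part of the thread and not Qubes or Whonix code). The script path, the unit name and the table name `output_lockdown` are assumptions; it uses its own `inet` table, which covers IPv4 and IPv6 in one chain, instead of adding chains to the `ip qubes` / `ip6 qubes` tables, so it does not depend on when those tables are created.

```shell
#!/bin/sh
# Added example. Hypothetical path: /usr/local/sbin/output-lockdown
# Assumed unit (output-lockdown.service) in the sys-net/sys-firewall template:
#   [Unit]
#   Before=network-pre.target
#   Wants=network-pre.target
#   [Service]
#   Type=oneshot
#   ExecStart=/usr/local/sbin/output-lockdown --apply
#   [Install]
#   WantedBy=multi-user.target
# Assumption: the qube's hostname is already set when the unit runs.

# Qubes upstream of sys-whonix that must not originate their own traffic.
LOCKED_QUBES="sys-net sys-firewall"

# Return 0 if the given qube name is in LOCKED_QUBES, 1 otherwise.
is_locked_qube() {
    for q in $LOCKED_QUBES; do
        if [ "$1" = "$q" ]; then return 0; fi
    done
    return 1
}

# Print "apply" or "skip" for a qube name, so the decision can be checked.
plan_for() {
    if is_locked_qube "$1"; then echo apply; else echo skip; fi
}

# Print the ruleset. The add/delete/add sequence makes reloads idempotent.
# Only the output hook is filtered: traffic forwarded for downstream qubes
# goes through the forward hook and is not touched by this chain.
build_ruleset() {
    cat <<'EOF'
table inet output_lockdown
delete table inet output_lockdown
table inet output_lockdown {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
    }
}
EOF
}

# Load the rules only when asked to and only in the named qubes.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(plan_for "$(hostname)")" = "apply" ]; then
        build_ruleset | nft -f - || exit 1
    fi
fi
```

Running `nft list table inet output_lockdown` inside sys-net or sys-firewall after boot shows whether the chain was loaded.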