-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[prod] sd-whonix torrc created with invalid config. #491
Comments
I can reproduce this issue on a clean install. After fully updating whonix-gw-15, i see those two lines in the torrc. However, after booting |
Confirmed. |
There's upstream discussion of breakage in Onion Service support for Whonix on their forums. It appears there's already a fix underway, judging by Kicksecure/anon-connection-wizard@2e19758 Initially, I struggled to reproduce the failure described in the OP. During a quick pairing session with @emkll, we determined that v2 Onion Services show the breakage, whereas v3 do not. @zenmonkeykstop given your use of "HidServAuth" it looks like you're using v2, as well, but please do confirm for everyone's benefit. Relatedly, @adrelanos was certainly correct that we'd do well to test upcoming Whonix changes in order to coordinate bugfixes (#451). 🙂 |
Confirmed that I was in v2 mode. That does look like the same error, so once it's fixed if we're sure to update whonix-gw-15 before the install we should be golden. |
In order to reliably reproduce, running One workaround I've tried using is /rw/config/rc.local to munge the torrc configuration: However, whenever anon-connection-wizard is run, it will restore the /etc/tor/torrc to the default value, and a reboot (or running of rc.local) is required. Perhaps we can set the script as a prerequisite to |
That seems to be our best bet as an immediate quickfix to unblock release QA. Commit's already appended to #489, so we can handle review over there. It's also worth noting that since upstream's already aware of the issue, we can evaluate version One major takeaway is that we're not testing nearly enough of the tor service config. Added some config tests specific to sd-whonix to https://github.com/freedomofpress/securedrop-workstation/tree/491-config-tests-for-whonix ; those can be cherry-pick into #489, will mention over there too. |
These fixes were migrated to Whonix stable repository just now. And in the recently released Qubes-Whonix testers-only release which will hopefully become a stable point release this is fixed as well. https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-1-202003070901-testers-wanted/9093 Hope that helps. (Just backporting anon-connection-wizard might not have fixed this issue since also package anon-gw-anonymizer-config was modified.) |
Today I tested against |
Confirming resolved in the stable repos. Installed the prod environment on test hardware, specifically with a v2 Onion URL configured. Tor bootstrapped just fine, and was able to fetch submissions in the client. Many thanks for the very quick resolution on this one, @adrelanos! We'll discuss using the testers-only Whonix repos as part of our dev env, so we're more likely to catch these types of problems early on. |
Great! Btw this is also fixed in this stable point release: https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-1-202003070901-point-release/9159 |
On a fresh 4.0.3 install, with an RPM built with the changes in #488,
/etc/tor/torrc
is created with two includes:This results in the JI HidServAuth being included twice, which breaks Tor's config and prevents it from starting.
The text was updated successfully, but these errors were encountered: