diff --git a/whonix_hiddenservice/image-1.png b/whonix_hiddenservice/image-1.png new file mode 100644 index 0000000..750e0c2 Binary files /dev/null and b/whonix_hiddenservice/image-1.png differ diff --git a/whonix_hiddenservice/image-2.png b/whonix_hiddenservice/image-2.png new file mode 100644 index 0000000..96ffcd1 Binary files /dev/null and b/whonix_hiddenservice/image-2.png differ diff --git a/whonix_hiddenservice/image-3.png b/whonix_hiddenservice/image-3.png new file mode 100644 index 0000000..c901127 Binary files /dev/null and b/whonix_hiddenservice/image-3.png differ diff --git a/whonix_hiddenservice/image-4.png b/whonix_hiddenservice/image-4.png new file mode 100644 index 0000000..3757b05 Binary files /dev/null and b/whonix_hiddenservice/image-4.png differ diff --git a/whonix_hiddenservice/image-5.png b/whonix_hiddenservice/image-5.png new file mode 100644 index 0000000..8b964e9 Binary files /dev/null and b/whonix_hiddenservice/image-5.png differ diff --git a/whonix_hiddenservice/image-6.png b/whonix_hiddenservice/image-6.png new file mode 100644 index 0000000..8e5a06a Binary files /dev/null and b/whonix_hiddenservice/image-6.png differ diff --git a/whonix_hiddenservice/image.png b/whonix_hiddenservice/image.png new file mode 100644 index 0000000..720b98e Binary files /dev/null and b/whonix_hiddenservice/image.png differ diff --git a/whonix_hiddenservice/index.md b/whonix_hiddenservice/index.md new file mode 100644 index 0000000..1501001 --- /dev/null +++ b/whonix_hiddenservice/index.md 
@@ -0,0 +1,118 @@ +--- +author: Nihilist +date: 2025-05-25 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/324" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why should I use Whonix for Self-hosted Hidden services ? + +Whonix by itself provides the following [security features](https://www.whonix.org/#security) : + +- Impossible to leak an IP address +- Discovery and traffic analysis attacks +- TCP ISN CPU INformation Leak Protection +- Time Attack Defenses + +Since the goal of self-hosting hidden services is to avoid revealing your home IP address, the IP address leak protection that Whonix provides is a paramount requirement. While this is not necessarily a concern when setting up hidden services on remote servers (VPSes) because the actual server's public IP address is not your home IP address anyway, **but when we're self hosting hidden services, IP Leaks becomes a main concern because an actual leak would lead to your home address directly**, hence the serverside Whonix VMs requirement. + +## Targeted Setup: + +![alt text](image.png) + +For this targeted setup, we're going to re-use a set of QEMU Whonix VMs on our homeserver, the nginx service with the local website are going to sit on the whonix workstation, meanwhile the actual Tor daemon will remain on the Whonix Gateway. We're going to follow the [official whonix documentation](https://www.whonix.org/wiki/Onion_Services#Hidden_Webserver) to do this setup. 
+ +### Whonix Gateway Setup + +First in the whonix gateway, we setup the hidden service : + +```sh +[gateway user ~]% sudo vim /usr/local/etc/torrc.d/50_user.conf +[gateway user ~]% sudo cat /usr/local/etc/torrc.d/50_user.conf +# Tor user specific configuration file +# +# Add user modifications below this line: +############################################ + +HiddenServiceDir /var/lib/tor/hidden_service/ +HiddenServicePort 80 10.152.152.11:80 +HiddenServiceVersion 3 +``` +Then, we restart the tor daemon and get the hidden service address: +```sh +[gateway user ~]% sudo systemctl restart tor@default +[gateway user ~]% sudo cat /var/lib/tor/hidden_service/hostname +4fqigk23qhaa47kk7g3yzmi4xiutvbl774dee2in2fdiekxnbyuia6yd.onion +``` + + +### Whonix Workstation Setup + +![alt text](image-1.png) + +Once in the sysmaint session, we open up a terminal to setup the nginx webserver and configure it: + +![alt text](image-2.png) + +```sh +[workstation sysmaint ~]% sudo apt update -y ; sudo apt install nginx -y + +[workstation sysmaint ~]% cd /etc/nginx +[workstation sysmaint ~]% rm sites-*/default +[workstation sysmaint ~]% sudo vim sites-available/webservice +[workstation sysmaint ~]% cat sites-available/webservice + +server { + listen 80; + listen [::]:80; + server_name 4fqigk23qhaa47kk7g3yzmi4xiutvbl774dee2in2fdiekxnbyuia6yd.onion; + root /srv/webservice/; + +} + +:wq + +[workstation sysmaint ~]% sudo ln -s /etc/nginx/sites-available/webservice /etc/nginx/sites-enabled/ +[workstation sysmaint ~]% sudo nginx -t +nginx: the configuration file /etc/nginx/nginx.conf syntax is ok +nginx: configuration file /etc/nginx/nginx.conf test is successful + +[workstation sysmaint ~]% sudo vim /srv/webservice/index.html +[workstation sysmaint ~]% cat /srv/webservice/index.html +welcome to my self-hosted hidden service! 
+[workstation sysmaint ~]% sudo systemctl restart nginx +[workstation sysmaint ~]% sudo systemctl enable --now nginx +[workstation sysmaint ~]% curl 127.0.0.1:80 +welcome to my self-hosted hidden service! +``` +Now that the webservice is functional locally, we need to make sure that the whonix workstation firewall allows the connection from the local IP 10.152.152.11, as otherwise the whonix gateway cant redirect the traffic to the webserver: + +```sh +[workstation sysmaint ~]% curl 10.152.152.11:80 +curl: (7) Failed to connect to 10.152.152.11 port 80 after 0 ms: Couldn't connect to server +zsh: exit 7 curl 10.152.152.11:80 + +[workstation sysmaint ~]% sudo -i +[workstation root ~]# mkdir -p /usr/local/etc/whonix_firewall.d +[workstation root ~]# vim /usr/local/etc/whonix_firewall.d/50_user.conf +[workstation root ~]# cat /usr/local/etc/whonix_firewall.d/50_user.conf +EXTERNAL_OPEN_PORTS+=" 80 " + +[workstation root ~]# whonix_firewall +``` +![alt text](image-3.png) + +Now that the firewall has been configured correctly to allow the traffic to arrive on the local IP on port 80, we can test if the hidden service works as intended from the tor browser: +![alt text](image-4.png) + +And it works! Now let's reboot the whonix workstation back into user mode since we finished the maintenance, and check if the hidden service still works as intended: + +```sh +[workstation root ~]# reboot now +``` +![alt text](image-5.png) + +![alt text](image-6.png) + +After rebooting the whonix workstation we see that it is still accessible as intended! + +The point of going back into the regular user mode is that in case if the service were to get hacked, the whonix hardening features are going to make it impossible for the attacker to do anything. For example they can't get the onion hidden service keys because those sit on the Whonix gateway, rather than on the Workstation. \ No newline at end of file 
diff --git a/whonixqemuvms/index.md b/whonixqemuvms/index.md index aefe84e..93e9804 100644 --- a/whonixqemuvms/index.md +++ b/whonixqemuvms/index.md @@ -14,8 +14,6 @@ Whonix is an open-source set of 2 VMs (one being used for networking, and the ot ![alt text](image-7.png) - - ## _OPSEC Recommendations:_ 1. Hardware : (Personal Computer / Laptop) @@ -277,4 +275,6 @@ Then, after rebooting into the regular user mode, we see that neofetch is instal ![alt text](image-5.png) -And thats it! you now have a VM ready to be used for your Anonymous activities, \ No newline at end of file +And thats it! you now have a VM ready to be used for your Anonymous activities, + +Now if you want to remove the user and sysmaint separation, you can select the "Remove user-sysmaint-split - enable unrestricted admin mode" boot option like we did in the [Kicksecure Host OS tutorial.](../linux/index.md) \ No newline at end of file
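Review bot: in the new-file hunk for whonix_hiddenservice/index.md (the `@@ -0,0 +1,118 @@` region), the workstation transcript writes `/srv/webservice/index.html` with `sudo vim` before `/srv/webservice/` exists, so the write fails unless a `sudo mkdir -p /srv/webservice` step is added ahead of it; in the same block `rm sites-*/default` runs without `sudo` inside the root-owned `/etc/nginx` while every neighbouring command uses it, so as transcribed it fails with a permission error and the `default` site stays enabled. Two smaller documentation points in the same hunk: the feature bullet "Discovery and traffic analysis attacks" reads as a threat rather than a protection and should match the form of the other bullets (and "INformation" in the next bullet is a typo); and the closing paragraph's "impossible for the attacker to do anything" overstates what the gateway/workstation split provides. The property the setup actually gives, and which is worth stating precisely, is that a compromised workstation holds neither the onion private key (it lives in `/var/lib/tor/hidden_service/` on the gateway) nor any route to the host's public IP; it does not prevent an intruder from altering the content nginx serves. All seven images also use the placeholder `alt text`; descriptive alt text would help readers on text-only browsers, which is a common audience for onion sites.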
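Review bot: in the `@@ -277,4 +275,6 @@` hunk of whonixqemuvms/index.md, the line "And thats it! you now have a VM ready to be used for your Anonymous activities," is rewritten but keeps its typo and trailing comma; since the hunk already touches it, make it a full sentence ("And that's it! You now have a VM ready to be used for your anonymous activities."). The new closing paragraph also ends with "\ No newline at end of file" again, which this change was the natural place to fix. Please also confirm that the relative link `../linux/index.md` resolves to the Kicksecure Host OS tutorial in the rendered site; the target cannot be checked from the diff alone.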