sys-whonix can’t connect Proxy VM (use lantern proxy software)


jians...@gmail.com

Apr 27, 2016, 8:02:24 AM
to qubes-users
I live somewhere that the government doesn't allow the use of Tor, so I use proxy software to connect to the onion network and break the net block. I use Lantern (proxy software, proxy port: 127.0.0.1:8787). So my network is: sys-net -> sys-firewall -> my Proxy VM -> sys-whonix -> anon-whonix. I set up Lantern in my Proxy VM between sys-firewall and sys-whonix, but sys-whonix seems unable to connect to the network through the Proxy VM. When I check the Tor connection using the sys-whonix system check, it shows:
ERROR: Tor Bootstrap Result:
Whonixcheck gave up waiting after 120 seconds.
Tor Circuit: not established
Bootstrapping 5 % done. Tor reports: WARN BOOTSTRAP PROGRESS=5 TAG=conn_dir SUMMARY="Connecting to directory server" WARNING="Connection timed out" REASON=TIMEOUT COUNT=11 RECOMMENDATION=warn HOSTID="847B1F850344D7876491A54892F904934E4EB85D" HOSTADDR=..............
My Proxy VM can connect to the network, but sys-whonix can't.
My Proxy VM IP: 10.137.2.17
My sys-whonix IP: 10.137.5.10
When sys-whonix pings 10.137.2.17, it shows:
PING 10.137.2.17 (10.137.2.17) 56(84) bytes of data.
64 bytes from 10.137.2.17: icmp_seq=1 ttl=64 time=0.450 ms
64 bytes from 10.137.2.17: icmp_seq=2 ttl=64 time=0.207 ms
64 bytes from 10.137.2.17: icmp_seq=3 ttl=64 time=0.201 ms
64 bytes from 10.137.2.17: icmp_seq=4 ttl=64 time=0.209 ms
64 bytes from 10.137.2.17: icmp_seq=5 ttl=64 time=0.203 ms
64 bytes from 10.137.2.17: icmp_seq=6 ttl=64 time=0.208 ms
When the Proxy VM pings 10.137.5.10, it doesn't connect.
So: how do I use the Lantern proxy software in a Proxy VM to let sys-whonix connect to the onion network? What about other proxy software? Is there a tutorial for using Lantern in a Proxy VM to let sys-whonix connect to the onion network?
Will anyone help me?

Michael Carbone

Apr 27, 2016, 8:53:48 AM
to qubes...@googlegroups.com
jians...@gmail.com:
From my initial tests Lantern doesn't seem to proxy traffic that goes
through it from another VM:

AppVM --> Lantern ProxyVM -> internet

doesn't work. which means sys-whonix --> lantern --> internet doesn't work.

Lantern does work in this configuration:

Lantern in AppVM --> internet

I created a ticket to track this:

https://github.com/QubesOS/qubes-issues/issues/1937

To solve your most immediate need, you may want to investigate adding
bridges to sys-whonix instead of chaining a Lantern proxy:

https://www.whonix.org/wiki/Bridges#How_to_use_bridges_in_Whonix

--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

GPG fingerprint: 2DBE 2014 E7B0 0730 303D 7AAB 99AB 0624 6EEB F5A8



Axon

Apr 27, 2016, 9:22:51 AM
to Michael Carbone, qubes...@googlegroups.com
Michael Carbone:
> To solve your most immediate need, you may want to investigate
> adding bridges to sys-whonix instead of chaining a Lantern proxy:
>
> https://www.whonix.org/wiki/Bridges#How_to_use_bridges_in_Whonix
>

Michael makes a good point about bridges, but since Tor is prohibited
in your country, you should look specifically at *obfuscated* bridges,
since those would be harder for your government to identify than other
bridges.

https://www.torproject.org/docs/bridges#PluggableTransports

jians...@gmail.com

Apr 27, 2016, 11:47:33 AM
to qubes-users
You know, somewhere in the world even the bridges are blocked. If someone says something that the government doesn't want to hear, they will be arrested, and all proxy software will be blocked if it doesn't let the government censor the user. Lantern relies on its technology to break the wall, so we can breathe the free air and network. Lantern is the only software that provides a steady, secure and free proxy service. I usually use it as a proxy for Tor (Whonix) in Windows, but in Qubes OS I don't know how to let it proxy Tor (sys-whonix). In Windows, I let Lantern listen on 0.0.0.0 and use the rinetd software, so I can use it to proxy Whonix. But now, I set up Lantern in my Proxy VM the same way and let it listen on 0.0.0.0, and I can't get sys-whonix to connect to the network. My Proxy VM is also debian-8.

jians...@gmail.com

Apr 27, 2016, 12:07:16 PM
to qubes-users
A lot of people cannot use Whonix because they cannot connect to the onion network directly. The bridges are also good, but not that good, and sometimes a bother, so there should be a way for someone like me to use proxy software, for example Lantern or some software like it, to connect to Tor in Qubes OS. It would make sense for a lot of people like me.

Axon

Apr 27, 2016, 3:52:35 PM
to jians...@gmail.com, qubes-users
jians...@gmail.com:
In case you (or anyone who might find this thread in their search
results in the future) have not already seen it, Patrick just replied
to a post in the Whonix forums on Lantern and sys-whonix:

https://forums.whonix.org/t/sys-whonix-cant-connect-proxy-vm-use-lantern-proxy-software

Unman

Apr 27, 2016, 10:12:07 PM
to Michael Carbone, qubes...@googlegroups.com
I would have thought obfuscated bridges would be the solution.

If you want to use lantern, create a proxyVM, and start the proxy like this:
lantern --addr X.X.X.X:8787
where X.X.X.X is the backend IP addr.
(Make sure that nothing else is bound to the port you specify.)

Amend the lanternVM firewall to allow inbound traffic to tcp 8787 from vif+.

(I don't use whonix but the principle will be the same.)
Set your torVM to use lanternVM as netvm.
Change tor configuration to specify HTTPSProxy as X.X.X.X:8787.
I set FascistFirewall 1, but I don't think it is strictly necessary.

If you just want to use the proxy feature without tor, set
X.X.X.X:8787 as proxy in network settings/advanced for iceweasel in an
appvm with lanternVM as netvm.

That's all.

unman

Michael Carbone

Apr 28, 2016, 2:27:06 PM
to Unman, qubes...@googlegroups.com
Unman:
Agreed. I have created a separate ticket to track making that easier for
users (have a GUI, like the Tor Browser):

https://github.com/QubesOS/qubes-issues/issues/1938

jians...@gmail.com

Apr 29, 2016, 8:18:15 AM
to qubes-users, mic...@invisiblethingslab.com, un...@thirdeyesecurity.org
But it doesn't work when I do what you say.

Unman

May 1, 2016, 7:02:55 PM
to jians...@gmail.com, qubes-users, mic...@invisiblethingslab.com
On Fri, Apr 29, 2016 at 05:18:14AM -0700, jians...@gmail.com wrote:
> But it doesn't work when I do what you say.

That isn't a very detailed error report.

Try some debugging:

Stop lantern.
Remove all downstream VMs from lanternVM.
Start firefox in dispVM and set lanternVM as its netvm.
Start lantern specifying IP and port.

In lanternVM, run netstat -nltp : Is lantern listening on the right IP
and port?
If not, fix it.

In lanternVM, run iptables -L -nv : Is there an input rule allowing
access to IP and port?
If not, fix it.

In dispVM browser under Preferences-advanced-Network-Settings, specify
lantern IP and Port for HTTP Proxy; select "Use this for all protocols"
and "Remote DNS" options.
Browse to website.
You will see activity in lantern output, and iptables -L -nv will show
count increasing on the permissive rule.


Once you have confirmed that the proxy is working, remove the dispVM,
and set whonix/TorVM downstream from the lanternVM.
Set Tor to use HTTPSProxy using the IP address and port that lantern is
listening on.
Repeat tests.

As I have said I don't use whonix, so there may be a whonix specific
issue. Raise bug with whonix folk if it still isn't working.
If you can't get help you can create a dedicated TorVM, set the proxy
there and use that as gateway to Tor.

unman
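
The two checks from the debugging steps above (is the proxy listening on an address other VMs can reach, and is there an INPUT rule admitting them), as an added example that is not part of the original posts. It parses saved `netstat -nltp` and `iptables -L -nv` output; 192.0.2.10 stands in for X.X.X.X, and the sample output, PID and packet counts are constructed.

```shell
#!/bin/sh
# Added example. 192.0.2.10 stands in for X.X.X.X; all sample output is constructed.

# listener_state IP PORT: reads `netstat -nltp` output on stdin.
# Prints ok (bound to IP or to all interfaces), loopback-only, or missing.
listener_state() {
    awk -v ip="$1" -v port="$2" '
        $1 == "tcp" && $6 == "LISTEN" {
            if ($4 == (ip ":" port) || $4 == ("0.0.0.0:" port)) ok = 1
            else if ($4 == ("127.0.0.1:" port)) lo = 1
        }
        END { print (ok ? "ok" : (lo ? "loopback-only" : "missing")) }'
}

# input_rule_state PORT: reads `iptables -L -nv` output on stdin.
# Prints "allowed <pkts>" for an INPUT ACCEPT rule on vif+ to tcp dpt:PORT, else "blocked".
input_rule_state() {
    awk -v port="$1" '
        $1 == "Chain" { chain = $2; next }
        chain == "INPUT" && $3 == "ACCEPT" && $4 == "tcp" && $6 == "vif+" {
            for (i = 10; i <= NF; i++)
                if ($i == ("dpt:" port)) { print "allowed", $1; found = 1; exit }
        }
        END { if (!found) print "blocked" }'
}

sample_netstat() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8787          0.0.0.0:*               LISTEN      1234/lantern
EOF
}

sample_iptables() { cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8787
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

echo "listener: $(sample_netstat | listener_state 192.0.2.10 8787)"
echo "firewall: $(sample_iptables | input_rule_state 8787)"
```

A `loopback-only` result matches the 127.0.0.1:8787 setting from the first post: the firewall rule can be in place and downstream VMs still cannot reach the proxy. A packet count that stays at 0 after a test request means traffic is not arriving at the rule.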