TOR Repos

704 views
Skip to first unread message

John Hoey

unread,
May 18, 2013, 2:21:27 PM5/18/13
to qubes...@googlegroups.com
I'm trying to follow the directions to set up TorVM but I keep getting one of 2 errors. Either the template vm won't connect to the internet through firewallvm and I have to use netvm or i've done something wrong. I've followed the directions to the letter. The only difference is that I have not been able to install qubes-tor-repo or qubes-tor or qubes-tor-init because yum cannot find them?

A lil help please? thanks!

John Hoey

unread,
May 18, 2013, 3:14:21 PM5/18/13
to qubes...@googlegroups.com
combining the information here:
http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
and the information in the qubes-os.org guide for TorVM I got tor working in my anon-web. check.torproject.org shows i am on tor. I was unable to install the init or repos in the template so even though the qubes-tor service is checked for my TorVM when i do a service qubes-tor status it tells me no such file found and when I try to restart it says it isn't running.

Thoughts?

Alex

unread,
Jun 10, 2013, 8:39:04 PM6/10/13
to qubes...@googlegroups.com


On Saturday, May 18, 2013 8:14:21 PM UTC+1, John Hoey wrote:
combining the information here:
http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
and the information in the qubes-os.org guide for TorVM I got tor working in my anon-web. check.torproject.org shows i am on tor. I was unable to install the init or repos in the template

I'm seeing the same behaviour:

[user@fedora-18-x64 ~]$ sudo yum install qubes-to*
Loaded plugins: langpacks, post-transaction-actions, presto, refresh-
              : packagekit, yum-qubes-hooks
No package qubes-to* available.
Error: Nothing to do
[user@fedora-18-x64 ~]$ 

Can someone knowledgeable enough please update http://qubes-os.org/trac/wiki/UserDoc/TorVM accordingly? As things stand, the TorVM article refers to repositories that don't exist, and Joanna's article is significantly older.

What is the officially blessed way of spinning up a TorVM? Given recent media coverage* I'd expect more and more people might be interested in this setup.

Thanks,

Alex

* http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html

Marek Marczykowski-Górecki

unread,
Jun 10, 2013, 8:43:44 PM6/10/13
to Alex, qubes...@googlegroups.com, Joanna Rutkowska
On 11.06.2013 02:39, Alex wrote:
>
>
> On Saturday, May 18, 2013 8:14:21 PM UTC+1, John Hoey wrote:
>>
>> combining the information here:
>>
>> http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
>> and the information in the qubes-os.org guide for TorVM I got tor working
>> in my anon-web. check.torproject.org shows i am on tor. I was unable to
>> install the init or repos in the template
>
>
> I'm seeing the same behaviour:
>
> [user@fedora-18-x64 ~]$ sudo yum install qubes-to*
> Loaded plugins: langpacks, post-transaction-actions, presto, refresh-
> : packagekit, yum-qubes-hooks
> No package qubes-to* available.
> Error: Nothing to do
> [user@fedora-18-x64 ~]$
>
> Can someone knowledgeable enough please update
> http://qubes-os.org/trac/wiki/UserDoc/TorVM accordingly? As things stand,
> the TorVM article refers to repositories that don't exist, and Joanna's
> article is significantly older.
>
> What is the officially blessed way of spinning up a TorVM? Given recent
> media coverage* I'd expect more and more people might be interested in this
> setup.

Looks like missing packages in the our repo again...
Joanna, can you upload qubes-app-* to the current repo?

--
Best Regards,
Marek Marczykowski
Invisible Things Lab

signature.asc

Joanna Rutkowska

unread,
Jun 11, 2013, 2:03:47 PM6/11/13
to Marek Marczykowski-Górecki, Alex, qubes...@googlegroups.com
Yeah, another result of us switching to this new repo naming and new
build enviroment after R2B2. Anyway, please try now, I just built and
uploaded the new packages.

j.

signature.asc

ix4...@gmail.com

unread,
Jun 11, 2013, 8:50:30 PM6/11/13
to Joanna Rutkowska, Marek Marczykowski-Górecki, qubes...@googlegroups.com
Thanks, packages install fine now.

But, the init script of qubes-tor seems to fail to invoke tor:

[user@torvm ~]$ sudo service qubes-tor status
Redirecting to /bin/systemctl status  qubes-tor.service
qubes-tor.service - Qubes transparent tor proxy setup
   Loaded: loaded (/usr/lib/systemd/system/qubes-tor.service; enabled)
   Active: failed (Result: exit-code) since Wed 2013-06-12 01:46:17 BST; 28s ago
  Process: 668 ExecStart=/usr/lib/qubes-tor/start_tor_proxy.sh (code=exited, status=1/FAILURE)

Jun 12 01:46:16 torvm systemd[1]: Starting Qubes transparent tor proxy setup...
Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: Jun 12 01:46:16.976 [notice] Tor v0.2.3.25 (git-17c24b3118224d65) running on Linux.
Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: Jun 12 01:46:16.976 [notice] Tor can't help you if you use it wrong! Learn how to be safe a...#warning
Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: Jun 12 01:46:16.976 [notice] Read configuration file "/usr/lib/qubes-tor/torrc".
Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: Jun 12 01:46:16.978 [warn] Unable to open configuration file "/rw/usrlocal/etc/qubes-tor/torrc".
Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: Jun 12 01:46:16.978 [err] Reading config failed--see warnings above.
Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: qubes-tor: Error in Tor configuration
Jun 12 01:46:17 torvm start_tor_proxy.sh[668]: WARNING: The state match is obsolete. Use conntrack instead.
Jun 12 01:46:17 torvm start_tor_proxy.sh[668]: ls: cannot access /proc/sys/net/ipv6/conf/vif*/disable_ipv6: No such file or directory
Jun 12 01:46:17 torvm systemd[1]: qubes-tor.service: control process exited, code=exited status=1
Jun 12 01:46:17 torvm systemd[1]: Failed to start Qubes transparent tor proxy setup.
Jun 12 01:46:17 torvm systemd[1]: Unit qubes-tor.service entered failed state.
[user@torvm ~]$

This doesn't seem very enlightening to me... what logs should I be looking into to figure out why the service won't start?

Thanks

Alex

Marek Marczykowski-Górecki

unread,
Jun 11, 2013, 9:09:31 PM6/11/13
to ix4...@gmail.com, Joanna Rutkowska, qubes...@googlegroups.com, Abel Luck
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: Jun 12 01:46:16.978 [err]
> Reading config failed--see warnings above.
> Jun 12 01:46:16 torvm start_tor_proxy.sh[668]: qubes-tor: Error in Tor
> configuration
> Jun 12 01:46:17 torvm start_tor_proxy.sh[668]: WARNING: The state match is
> obsolete. Use conntrack instead.
> Jun 12 01:46:17 torvm start_tor_proxy.sh[668]: ls: cannot access
> /proc/sys/net/ipv6/conf/vif*/disable_ipv6: No such file or directory
> Jun 12 01:46:17 torvm systemd[1]: qubes-tor.service: control process
> exited, code=exited status=1
> Jun 12 01:46:17 torvm systemd[1]: Failed to start Qubes transparent tor
> proxy setup.
> Jun 12 01:46:17 torvm systemd[1]: Unit qubes-tor.service entered failed
> state.
> [user@torvm ~]$
>
> This doesn't seem very enlightening to me... what logs should I be looking
> into to figure out why the service won't start?

Looks like service don't want start without /rw/usrlocal/etc/qubes-tor/torrc.
Try create empty file.

Abel, perhaps the script shouldn't pass -f $USER_RC if file doesn't exists. Or
create empty/default one.

And one thing about /proc/sys/net/ipv6/conf/vif*/disable_ipv6: at TorVM
startup time most likely there will be no vif interfaces - they are created
when starting/connecting other VMs to the TorVM (so after service startup).
Better idea is to use /proc/sys/net/ipv6/conf/{default,all}.
signature.asc

ix4...@gmail.com

unread,
Jun 12, 2013, 3:49:53 PM6/12/13
to Marek Marczykowski-Górecki, Joanna Rutkowska, qubes...@googlegroups.com, Abel Luck
Marek, you were right - it was as easy as

[user@torvm ~]$ sudo mkdir /rw/usrlocal/etc/qubes-tor
[user@torvm ~]$ sudo touch /rw/usrlocal/etc/qubes-tor/torrc
[user@torvm ~]$ sudo service qubes-tor restart

...and now the Tor VM is up and running, and any AppVM using it is torrified, including (I like this part) Disposable VMs! Almost as cool as TAILS, with the convenience of Qubes.

At this point I only have one observation:
Jun 12 20:45:44 localhost Tor[1394]: You are running Tor as root. You don't need to, and you probably shouldn't.

Thank you for all your work on this - it's a great setup!

Alex



syd2...@gmail.com

unread,
Jun 12, 2013, 7:54:07 PM6/12/13
to qubes...@googlegroups.com, Marek Marczykowski-Górecki, Joanna Rutkowska, Abel Luck
Could the torVm userdoc be updated to reflect current installation procedure? I think as it is now several docs (qubes & tor) have to be consulted to get it to work?

thanks

Marek Marczykowski-Górecki

unread,
Jun 16, 2013, 8:04:20 AM6/16/13
to syd2...@gmail.com, qubes...@googlegroups.com, Joanna Rutkowska, Abel Luck
On 13.06.2013 01:54, syd2...@gmail.com wrote:
> Could the torVm userdoc be updated to reflect current installation procedure? I think as it is now several docs (qubes & tor) have to be consulted to get it to work?

Actually it is bug in script itself[1], not the instruction. For now will link
this discussion to the instruction as a workaround.

[1] http://wiki.qubes-os.org/trac/ticket/737

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

signature.asc

Qubes Fan

unread,
Jun 18, 2013, 6:38:19 AM6/18/13
to qubes...@googlegroups.com, Joanna Rutkowska, Marek Marczykowski-Górecki

I seem to be getting a different error. After following all the steps correctly:


[user@torvm ~]$ sudo service qubes-tor status
Redirecting to /bin/systemctl status  qubes-tor.service
qubes-tor.service - Qubes transparent tor proxy setup
      Loaded: loaded (/usr/lib/systemd/system/qubes-tor.service; enabled)
      Active: failed (Result: exit-code) since Tue 2013-06-18 03:28:01 PDT; 56s ago
     Process: 637 ExecStart=/usr/lib/qubes-tor/start_tor_proxy.sh (code=exited, status=1/FAILURE)

Jun 18 03:28:01 torvm start_tor_proxy.sh[637]: xenstore-read: couldn't read path qubes_ip
Jun 18 03:28:01 torvm start_tor_proxy.sh[637]: qubes-tor: Error getting qubes ip
Jun 18 03:28:01 torvm start_tor_proxy.sh[637]: WARNING: The state match is obsolete. Use conntrack instead.
Jun 18 03:28:01 torvm start_tor_proxy.sh[637]: ls: cannot access /proc/sys/net/ipv6/conf/vif*/disable_ipv6: No such file or directory
Jun 18 03:28:01 torvm systemd[1]: qubes-tor.service: control process exited, code=exited status=1
Jun 18 03:28:01 torvm systemd[1]: Failed to start Qubes transparent tor proxy setup.
Jun 18 03:28:01 torvm systemd[1]: Unit qubes-tor.service entered failed state

qubes ip? Does this have something to do with the firewall? (It should all be default on this system.) Can anyone shed light on this?

Marek Marczykowski-Górecki

unread,
Jun 18, 2013, 10:54:44 AM6/18/13
to Qubes Fan, qubes...@googlegroups.com, Joanna Rutkowska
On 18.06.2013 12:38, Qubes Fan wrote:
> I seem to be getting a different error. After following all the steps
> correctly:
>
> [user@torvm ~]$ sudo service qubes-tor status
> Redirecting to /bin/systemctl status qubes-tor.service
> qubes-tor.service - Qubes transparent tor proxy setup
> Loaded: loaded (/usr/lib/systemd/system/qubes-tor.service; enabled)
> Active: failed (Result: exit-code) since Tue 2013-06-18 03:28:01 PDT;
> 56s ago
> Process: 637 ExecStart=/usr/lib/qubes-tor/start_tor_proxy.sh
> (code=exited, status=1/FAILURE)
>
> Jun 18 03:28:01 torvm start_tor_proxy.sh[637]: xenstore-read: couldn't read
> path qubes_ip

(...)

> qubes ip? Does this have something to do with the firewall? (It should all
> be default on this system.) Can anyone shed light on this?

Strange, this shouldn't ever happen... What you get with 'xenstore-read
qubes_ip' in that VM?
signature.asc

Qubes Fan

unread,
Jun 18, 2013, 7:37:43 PM6/18/13
to qubes...@googlegroups.com, Qubes Fan, Joanna Rutkowska
On Tuesday, June 18, 2013 7:54:44 AM UTC-7, Marek Marczykowski-Górecki wrote:
Strange, this shouldn't ever happen... What you get with 'xenstore-read
qubes_ip' in that VM?

[user@torvm ~]$ xenstore-read qubes_ip

Marek Marczykowski-Górecki

unread,
Jun 18, 2013, 7:39:56 PM6/18/13
to Qubes Fan, qubes...@googlegroups.com, Joanna Rutkowska
Ok, so you've must done something wrong. Some ideas to check:
1. Did you created torvm as ProxyVM (not NetVM)?
2. Did you attached network to torvm (probably "netvm")?
signature.asc

Qubes Fan

unread,
Jun 18, 2013, 8:05:51 PM6/18/13
to qubes...@googlegroups.com, Qubes Fan, Joanna Rutkowska
On Tuesday, June 18, 2013 4:39:56 PM UTC-7, Marek Marczykowski-Górecki wrote:
Ok, so you've must done something wrong. Some ideas to check:
1. Did you created torvm as ProxyVM (not NetVM)?
2. Did you attached network to torvm (probably "netvm")?

Well, yes, I did #1, following the instructions here, by doing 'qvm-create -p torvm'. Isn't torvm supposed to be a ProxyVM?

Should I instead do 'qvm-create -n torvm'?

Qubes Fan

unread,
Jun 18, 2013, 8:14:13 PM6/18/13
to qubes...@googlegroups.com, Qubes Fan, Joanna Rutkowska

Oh! Sorry, I misunderstood you! Yes, it's working now! It was #2. I had neglected to set netvm as torvm's NetVM. (I didn't see this step in the instructions. Did I just miss it?) Thank you so much for you help, Marek.

Marek Marczykowski-Górecki

unread,
Jun 18, 2013, 8:14:01 PM6/18/13
to Qubes Fan, qubes...@googlegroups.com, Joanna Rutkowska
On 19.06.2013 02:05, Qubes Fan wrote:
> On Tuesday, June 18, 2013 4:39:56 PM UTC-7, Marek Marczykowski-Górecki
> wrote:
>>
>> Ok, so you've must done something wrong. Some ideas to check:
>> 1. Did you created torvm as ProxyVM (not NetVM)?
>> 2. Did you attached network to torvm (probably "netvm")?
>>
>
> Well, yes, I did #1, following the instructions here<http://qubes-os.org/trac/wiki/UserDoc/TorVM>,
> by doing 'qvm-create -p torvm'. Isn't torvm supposed to be a ProxyVM<http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html>
> ?
>
> Should I instead do 'qvm-create -n torvm'?

No, it should be ProxyVM. Just check with qvm-prefs torvm. This will also show
value of "netvm" setting - it must be set.
signature.asc

Qubes Fan

unread,
Jun 18, 2013, 8:25:26 PM6/18/13
to qubes...@googlegroups.com, Qubes Fan, Joanna Rutkowska
Yes, quite right. I really should have known better and thought of that after reading Joanna's post about how ProxyVMs work!

Marek Marczykowski-Górecki

unread,
Jun 18, 2013, 8:25:37 PM6/18/13
to Qubes Fan, qubes...@googlegroups.com, Joanna Rutkowska
On 19.06.2013 02:14, Qubes Fan wrote:
> On Tuesday, June 18, 2013 5:05:51 PM UTC-7, Qubes Fan wrote:
>>
>> On Tuesday, June 18, 2013 4:39:56 PM UTC-7, Marek Marczykowski-Górecki
>> wrote:
>>>
>>> Ok, so you've must done something wrong. Some ideas to check:
>>> 1. Did you created torvm as ProxyVM (not NetVM)?
>>> 2. Did you attached network to torvm (probably "netvm")?
>>>
>>
>> Well, yes, I did #1, following the instructions here<http://qubes-os.org/trac/wiki/UserDoc/TorVM>,
>> by doing 'qvm-create -p torvm'. Isn't torvm supposed to be a ProxyVM<http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html>
>> ?
>>
>> Should I instead do 'qvm-create -n torvm'?
>>
>
> Oh! Sorry, I misunderstood you! Yes, it's working now! It was #2. I had
> neglected to set netvm as torvm's NetVM. (I didn't see this step in the
> instructions. Did I just miss it?)

This should be default setting, so perhaps you've changed it manually.

> Thank you so much for you help, Marek.
>


signature.asc

Qubes Fan

unread,
Jun 18, 2013, 8:47:10 PM6/18/13
to qubes...@googlegroups.com, Qubes Fan, Joanna Rutkowska
On Tuesday, June 18, 2013 5:25:37 PM UTC-7, Marek Marczykowski-Górecki wrote:
On 19.06.2013 02:14, Qubes Fan wrote:
> On Tuesday, June 18, 2013 5:05:51 PM UTC-7, Qubes Fan wrote:
>>
>> On Tuesday, June 18, 2013 4:39:56 PM UTC-7, Marek Marczykowski-Górecki
>> wrote:
>>>
>>> Ok, so you've must done something wrong. Some ideas to check:
>>> 1. Did you created torvm as ProxyVM (not NetVM)?
>>> 2. Did you attached network to torvm (probably "netvm")?
>>>
>>
>> Well, yes, I did #1, following the instructions here<http://qubes-os.org/trac/wiki/UserDoc/TorVM>,
>> by doing 'qvm-create -p torvm'. Isn't torvm supposed to be a ProxyVM<http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html>
>> ?
>>
>> Should I instead do 'qvm-create -n torvm'?
>>
>
> Oh! Sorry, I misunderstood you! Yes, it's working now! It was #2. I had
> neglected to set netvm as torvm's NetVM. (I didn't see this step in the
> instructions. Did I just miss it?)

This should be default setting, so perhaps you've changed it manually.

Ah, I see. I probably changed it without realizing it somehow.

ix4...@gmail.com

unread,
Jul 17, 2013, 6:16:12 PM7/17/13
to Marek Marczykowski-Górecki, syd2...@gmail.com, qubes...@googlegroups.com, Joanna Rutkowska, Abel Luck
Ok, so http://qubes-os.org/trac/wiki/UserDoc/TorVM needs the following updates:

Between #5 and #6:
+ Shutdown templateVM.
+ Set prefs of torvm to use your default netvm as its NetVM

Between #6 and #7:

[user@torvm ~]$ sudo mkdir /rw/usrlocal/etc/qubes-tor
[user@torvm ~]$ sudo touch /rw/usrlocal/etc/qubes-tor/torrc
[user@torvm ~]$ sudo service qubes-tor restart

Alex


ix4...@gmail.com

unread,
Jul 17, 2013, 7:18:06 PM7/17/13
to qubes...@googlegroups.com, Marek Marczykowski-Górecki, syd2...@gmail.com, Joanna Rutkowska, Abel Luck
On 17 July 2013 23:16, <ix4...@gmail.com> wrote:
Ok, so http://qubes-os.org/trac/wiki/UserDoc/TorVM needs the following updates:

Between #5 and #6:
+ Shutdown templateVM.
+ Set prefs of torvm to use your default netvm as its NetVM
 
Sorry correction, thd above should probably be:
+ Set prefs of torvm to use your firewallvm as its NetVM

Qubes Fan

unread,
Jul 18, 2013, 12:19:09 AM7/18/13
to qubes...@googlegroups.com, Marek Marczykowski-Górecki, syd2...@gmail.com, Joanna Rutkowska, Abel Luck
On Wednesday, July 17, 2013 4:18:06 PM UTC-7, Alex wrote:
On 17 July 2013 23:16, <ix4...@gmail.com> wrote:
Ok, so http://qubes-os.org/trac/wiki/UserDoc/TorVM needs the following updates:

Between #5 and #6:
+ Shutdown templateVM.
+ Set prefs of torvm to use your default netvm as its NetVM
 
Sorry correction, thd above should probably be:
+ Set prefs of torvm to use your firewallvm as its NetVM

I have been wondering about this. Why should torvm use firewallvm as its NetVM instead of just netvm? Is it just in case you want to specify some firewall rules? (If you don't want to specify any, does it make any difference?)

Qubes Fan

unread,
Jul 18, 2013, 12:23:56 AM7/18/13
to qubes...@googlegroups.com, Marek Marczykowski-Górecki, syd2...@gmail.com, Joanna Rutkowska, Abel Luck

PS: I have my netvm as my torvm's NetVM ever since:


>> On Tuesday, June 18, 2013 4:39:56 PM UTC-7, Marek Marczykowski-Górecki
>> wrote:
>>>
>>> Ok, so you've must done something wrong. Some ideas to check:
>>> 1. Did you created torvm as ProxyVM (not NetVM)?
>>> 2. Did you attached network to torvm (probably "netvm")?

But I was wondering because in Joanna's blog post, torvm is connected to firewallvm, which is in turn connected to netvm.
Reply all
Reply to author
Forward
0 new messages