Running Cwtch on Whonix
New in Cwtch 1.13
This functionality may be incomplete and/or dangerous if misused. Please help us review and test it.
Configure the Whonix-Gateway
The following steps should be done in the Whonix-Gateway.
Onion Grater
Whonix uses Onion Grater to guard access to the control port. We have packaged an onion-grater configuration, cwtch-whonix.yml, which is present in the root directory of the tarball.
This file needs to be placed in /usr/share/doc/onion-grater-merger/examples/40_cwtch.yml.
Whonix has also packaged the profile 40_cwtch.yml, therefore you can use either one.
Enable the Cwtch onion-grater profile:
sudo onion-grater-add 40_cwtch
Configure the Whonix-Workstation
The following steps should be done in the Whonix-Workstation.
Linux Firewall
The Whonix-Workstation firewall must have the ports that Cwtch may bind to open. Follow the upstream firewall guide.
Use the following configuration in the file /usr/local/etc/whonix_firewall.d/50_user.conf:
EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "
Running Cwtch
When launching Cwtch on Whonix, some environment variables must be set:
CWTCH_TAILS=true - automatically configures Cwtch for running in a Whonix-like environment.
CWTCH_RESTRICT_PORTS=true - forces connectivity to bind to a subset of ports, 15000-15378, which is easier to manage in the firewall configuration.
CWTCH_BIND_EXTERNAL_WHONIX=true - forces connectivity to bind to external interfaces (only supported/recommended for Whonix-based setups where the machine (Workstation) running Cwtch is firewalled and its only source of network is through the Gateway).
cd ~/.local/lib/cwtch
env LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true ~/.local/lib/cwtch/cwtch
The above command and the onion-grater configuration assume that Cwtch was installed in ~/.local/lib/cwtch/cwtch. If Cwtch was installed somewhere else (or if you are running directly from the download folder) then you will need to adjust the commands.
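A preflight check for the Workstation steps above, as an added example that is not part of the Cwtch or Whonix documentation. It confirms that the firewall file opens 15000-15378 and that the three launch variables agree with it; the function names and the CONF override are this example's own.

```shell
#!/bin/sh
# Added example: preflight check for the Whonix-Workstation settings above.
# Function names and the CONF override are this example's own (hypothetical).
CONF="${CONF:-/usr/local/etc/whonix_firewall.d/50_user.conf}"
PORT_MIN=15000
PORT_MAX=15378

# 0 if an uncommented EXTERNAL_OPEN_PORTS line opens PORT_MIN..PORT_MAX
# via seq (the form used in this guide); 2 if the file is unreadable.
firewall_opens_cwtch_range() {
    [ -r "$1" ] || return 2
    grep -Eq "^[[:space:]]*EXTERNAL_OPEN_PORTS\+=.*seq[[:space:]]+${PORT_MIN}[[:space:]]+${PORT_MAX}([^0-9]|$)" "$1"
}

# 0 only if all three launch variables are set to "true".
cwtch_env_ok() {
    [ "${CWTCH_TAILS:-}" = "true" ] &&
    [ "${CWTCH_RESTRICT_PORTS:-}" = "true" ] &&
    [ "${CWTCH_BIND_EXTERNAL_WHONIX:-}" = "true" ]
}

# 0 if external binding is requested without the port restriction. Assumption
# of this example: a bound port may then fall outside the opened range.
external_bind_unrestricted() {
    [ "${CWTCH_BIND_EXTERNAL_WHONIX:-}" = "true" ] &&
    [ "${CWTCH_RESTRICT_PORTS:-}" != "true" ]
}

# Runs every check, reports each failure on stderr, returns 1 if any failed.
preflight() {
    rc=0
    if ! firewall_opens_cwtch_range "$1"; then
        echo "firewall: $1 does not open ${PORT_MIN}-${PORT_MAX}" >&2; rc=1
    fi
    if external_bind_unrestricted; then
        echo "env: CWTCH_BIND_EXTERNAL_WHONIX set without CWTCH_RESTRICT_PORTS" >&2; rc=1
    fi
    if ! cwtch_env_ok; then
        echo "env: CWTCH_TAILS, CWTCH_RESTRICT_PORTS and CWTCH_BIND_EXTERNAL_WHONIX must all be true" >&2; rc=1
    fi
    return "$rc"
}

# Run the checks only when invoked with the argument "check".
if [ "${1:-}" = "check" ]; then preflight "$CONF"; fi
```

Export the three variables in the same shell before running the check, so that it sees the values Cwtch will be launched with.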
Removing Cwtch from Whonix
Remove configuration from the Whonix-Gateway
The following steps should be done in the Whonix-Gateway.
Disable the Cwtch onion-grater profile:
sudo onion-grater-remove 40_cwtch
Remove configuration from the Whonix-Workstation
The following steps should be done in the Whonix-Workstation.
Delete the Cwtch application directory $HOME/.local/lib/cwtch and the Cwtch data directory $HOME/.cwtch.
The firewall ports should also be closed manually by removing the configuration added above and reloading the firewall.