{{Header}}
{{Title|
title=corridor - Tor traffic whitelisting gateway
}}
{{#seo:
|description=Using corridor, a Tor traffic whitelisting gateway with {{project_name_long}}
|image=Corridor.jpg
}}
[[File:Corridor.jpg|thumb]]
{{intro|
Using corridor, a Tor traffic whitelisting gateway with {{project_name_short}}.
}}
= Introduction =
[https://github.com/rustybird/corridor corridor] is a Tor traffic whitelisting gateway. It is a filtering gateway, not a proxying gateway and can also be configured as a [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/BridgeFirewall BridgeFirewall].
= Connecting to corridor before Tor =
== Introduction ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = corridor configurations are only possible in [[Qubes|{{q_project_name_long}}]]. [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] is [[unsupported]] at present. [[https://phabricator.whonix.org/T524 Corridor for {{project_name_short}} KVM ticket].] [Without third party contributions to corridor, [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] is unlikely to be supported in the near future.]
}}
It is possible to configure {{project_name_gateway_long}} ({{project_name_gateway_vm}}) to use corridor as a local proxy to establish the following tunnel:
User → corridor → Tor → Internet
This is not necessarily more anonymous, but it does provide an additional fail-safe -- a Tor traffic whitelisting firewall that helps protect against accidental clearnet leaks (hypothetical clearnet leak bugs in {{project_name_short}}). As [https://github.com/rustybird/corridor corridor's project description] states: "... it cannot prevent malware on a client computer from finding out your clearnet IP address."
corridor is mostly useful for developers and auditors of {{project_name_short}}, along with advanced users who would like to have an additional safety net. Note that it cannot protect from hypothetical bugs affecting Qubes' ProxyVM; a [https://github.com/rustybird/corridor physically-isolated, standalone corridor-Gateway] is necessary to cover that leak vector.
corridor does not increase the tunnel length, meaning no more relays are added between a user and the destination. Users interested in this configuration should read [[Tunnels/Introduction]].
== Warning ==
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text =
By default, the following instructions will result in:
# The [https://packages.debian.org/{{Stable project version based on Debian codename}}/tor Debian tor package] being installed.
# Thereby automatically connecting to the [https://www.torproject.org Tor] public network.
# Downloading of corridor from [[Project-APT-Repository]].
}}
This behavior might be dangerous if users need / want to [[Hide Tor from your Internet Service Provider|hide Tor and {{project_name_short}} from the ISP]].
If {{project_name_short}} is already in use, then configuring a second running instance of [[Tor]] will ensure that it is independent of the one running inside {{project_name_gateway_short}} ({{project_name_gateway_vm}}). From the ISP's perspective, the user will have a different network [[Fingerprint]]. The anonymity impact should be no worse than running Tor Browser, or system-tor and {{project_name_short}} at the same time.
== dom0 Setup ==
Create a new standalone ProxyVM called {{Code2|sys-corridor}} based on the Debian {{Stable project version based on Debian codename}} template:
Qube Manager → Create new Qube → enable 'Standalone qube based on a template' → name: {{Code2|sys-corridor}} → template: debian → OK
Enable the {{Code2|corridor}} qvm service:
Qube Manager → left-click {{Code2|sys-corridor}} → right-click → Qube settings → services → type in the field → {{Code2|corridor}} → press {{Code2|+}} → press OK
== sys-corridor Setup ==
If a BridgeFirewall is required, [[#Optional:_BridgeFirewall_corridor_Configuration|first configure Tor to use bridges]] before installing corridor. All the following steps should be applied in [https://www.qubes-os.org Qubes'] [https://www.qubes-os.org/doc/templates/debian/ Debian template].
=== Install corridor ===
Start sys-corridor and open a terminal using Qubes start menu.
{{Project-APT-Repository-Add}}
{{Box|text=
Install corridor.
{{Install Package|package=
corridor
}}
}}
=== Configuration ===
=== Optional: BridgeFirewall corridor Configuration ===
TODO: BridgeFirewall corridor configuration is currently [[unsupported|untested]].
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = "Bridges are less reliable and tend to have lower performance than other entry points. If you live in a uncensored area, they are not necessarily more secure than entry guards." [[https://lists.torproject.org/pipermail/tor-talk/2012-May/024378.html bridge vs non-bridge users anonymity].]
}}
In order to use corridor as a [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/BridgeFirewall BridgeFirewall], configure Tor to use [https://support.torproject.org/#censorship_censorship-7 bridges] before installing corridor. [The {{project_name_short}} [[Bridges]] page can help, but the steps do not apply one-to-one.]
{{Box|text=
'''1.''' Start sys-corridor and open a terminal using Qubes start menu.
'''2.''' Create folder {{Code2|/etc/corridor.d}} and configuration file {{Code2|/etc/corridor.d/21-bridges-user.conf}} first. [This skip is stepped if [https://support.torproject.org/#about_entry-guards Tor entry guards] are preferred.]
'''3.''' Create a bridges configuration file.
{{Open with root rights|filename=
/etc/corridor.d/21-bridges-user.conf
}}
'''4.''' Review {{project_name_gateway_short}} ({{project_name_gateway_vm}}) [[Bridges|Tor bridge]] settings.
Depending on how Tor bridges are configured on {{project_name_gateway_short}} ({{project_name_gateway_vm}}):
* if [[Anon Connection Wizard]] was used, see configuration file /usr/local/etc/torrc.d/40_tor_control_panel.conf.
* if [[Tor#Manual_Bridge_Configuration|manual Tor bridge configuration]] was done, see file /usr/local/etc/torrc.d/50_user.conf.
'''5.''' Add the following text. [
https://github.com/rustybird/corridor/issues/42
]
Syntax is similar as Tor configuration as reviewed in previous step. Replace the IPs and ports 1.2.3.4:443, 2.3.4.5:443 with the actual IPs and ports of the bridges in use. All Tor bridges from Tor configuration on {{project_name_gateway_short}} ({{project_name_gateway_vm}}) need to be added below too.
{{CodeSelect|code=
BRIDGES="\
Bridge 1.2.3.4:443
Bridge 2.3.4.5:443
Bridge 3.4.5.6:443
"
}}
Save.
'''6.''' Done.
BridgeFirewall corridor configuration is complete.
}}
== Daemon Status Test ==
While these instructions remain experimental, it is advised to run the following systemctl commands to check everything is functioning correctly.
{{CodeSelect|code=
sudo systemctl --no-pager --full status corridor-data
sudo systemctl --no-pager --full status corridor-init-forwarding
sudo systemctl --no-pager --full status corridor-init-logged
sudo systemctl --no-pager --full status corridor-init-snat
}}
== Restart corridor ==
Reboot {{Code2|sys-corridor}}.
Do another [[#Daemon Status Test|Daemon Status Test]].
== Test corridor ==
=== Test Preparation ===
# Run the [[#Install_corridor|above systemctl commands]] again.
# Create or use an appropriate existing AppVM named corridor-client (or similar).
# Install / run either system-tor (from Debian or Fedora package sources) or Tor Browser.
# Set Networking of corridor-client to sys-corridor. Tor should be still able to connect.
=== Testing Steps ===
Run a [[Tor#Log_Analysis|Tor log analysis]].
Then restart Tor.
{{CodeSelect|code=
sudo service tor restart
}}
Check if Tor is still able to connect.
To test Tor Browser:
# First check Tor Browser can make an initial connection to the Internet while Networking is still set to sys-firewall.
# Next set Networking to sys-corridor and confirm it is still able to connect. If so, that is a positive sign.
# Finally attempt an untorified connection by using an application like Chromium or Firefox browser. Untorified applications should fail to connect to the Internet.
== Test Logging ==
Whenever corridor blocks attempted actions (like the [[#Test_corridor|tests above]]), a message will appear in syslog. To inspect {{Code2|/var/log/syslog}}
{{Open with root rights|filename=
/var/log/syslog
}}
To check for blocks inside sys-corridor, run.
{{CodeSelect|code=
sudo tail -f /var/log/syslog
}}
If corridor blocks anything, the output will be similar to this.
{{CodeSelect|code=
Jul 19 00:58:27 localhost kernel: [ 954.706833] corridor:
}}
== Interpreting the Results ==
The safest configuration is only setting {{project_name_gateway_vm}} to use sys-corridor for Networking. The reason is the [https://github.com/marmarek/qubes-core-agent-linux/blob/master/vm-systemd/qubes-update-check.service qubes-update-check.service] will try to use the Internet without Tor, and [https://github.com/QubesOS/qubes-issues/issues/1814 other programs] may also try to use clearnet. Therefore, always shut down corridor-client.
== Configure {{project_name_gateway_vm}} ==
To set Networking of {{project_name_gateway_vm}} to sys-corridor:
Qube Manager → left-click {{project_name_gateway_vm}} → right-click → Qube settings → Networking → {{Code2|sys-corridor}} → OK
The procedure is now complete.
= Debugging =
If problems are encountered, this section provides tips on gathering useful information for debugging.
It is also possible to ignore everything said on this website. Pretend it does not exist. Then [https://github.com/rustybird/corridor acquire corridor from its original upstream] and [https://github.com/rustybird/corridor/issues contact upstream for support].
Check if the {{Code2|corridor_relays}} ipset gets populated.
{{CodeSelect|code=
sudo ipset list corridor_relays
}}
It is recommended to also install the {{Code2|usability-misc}} package from {{project_name_short}} repository, since it provides the {{Code2|iptables-save-deterministic}} command. Alternatively, retrieve the package from [[Dev/Firewall_Refactoring|elsewhere]].
{{CodeSelect|code=
sudo apt install usability-misc
}}
Run {{Code2|iptables-save-deterministic}}.
{{CodeSelect|code=
sudo iptables-save-deterministic
}}
In Qubes, the output should be similar to the following.
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:CORRIDOR_SNAT - [0,0]
-A POSTROUTING -j CORRIDOR_SNAT
-A CORRIDOR_SNAT -s 10.137.0.0/16 ! -d 10.137.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:CORRIDOR_FILTER - [0,0]
-A FORWARD -j CORRIDOR_FILTER
-A CORRIDOR_FILTER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_relays dst,dst -j RETURN
-A CORRIDOR_FILTER -m set --match-set corridor_logged src -j LOG --log-prefix "corridor: reject " --log-macdecode
-A CORRIDOR_FILTER -j REJECT --reject-with icmp-host-prohibited
COMMIT
= Credits =
The author of corridor is [https://github.com/rustybird rustybird]. [https://github.com/adrelanos Patrick Schleizer] is the author of the [https://github.com/adrelanos/corridor corridor for Debian] [https://en.wikipedia.org/wiki/Fork_%28software_development%29 fork] used in these {{project_name_short}} instructions.
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]