GitLab

Using fteproxy on Debian stretch isn't straight easy. So far no luck.

From /lib/systemd/system/tor@default.service, the AppArmor profile gets into the way.

AppArmorProfile=system_tor

Also the other systemd hardening results in.

Could not launch managed proxy executable at '/usr/bin/fteproxy' ('Permission denied').

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE

Even with all of that disabled, Tor does not successfully bootstrap.

Feb 11 06:26:01.000 [notice] Bootstrapped 5%: Connecting to directory server
Feb 11 06:26:01.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Feb 11 06:26:01.000 [warn] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 6; recommendation warn; host redacted at IP:PORT)
Feb 11 06:26:01.000 [warn] 6 connections have failed:

I guess my torrc config is fine. Copied that part over from TBB to system Tor /etc/tor/torrc.

UseBridges 1
ClientTransportPlugin fte exec /usr/bin/fteproxy --managed
Bridge fte IP:PORT redacted

Any hints what I am doing wrong? (Not in a censored area. TBB without bridges as well as fteproxy works for me. Debian stretch system Tor with Debian fteproxy packages does not work for me.)

I am asking for Whonix integration purposes.