Does my ISP see what operating system I'm using? I want to hide the use of Qubes OS

I'm using Qubes OS on my computer and I want to hide this fact from my ISP. My default template is Fedora (sys-net, sys-usb and sys-firewall are Fedora-based). I'm using my own router (my own, not the one I got from my ISP) and I have a VPN enabled on it. A computer with Qubes will always be used with the VPN enabled on the router. Other devices will also use the router (sometimes with the VPN enabled on the router and sometimes without it).

1. In this situation, can my ISP see that I am using the Qubes operating system on my computer? Or does it see that I'm using Fedora? Or is it unable to recognize the operating system?

2. I've heard that an ISP can identify an operating system using passive OS identification based on TCP/IP packet headers. If I use my own router (my own, not the one I got from my ISP) and I have a VPN enabled on it, is that still possible?

You can look into routing your Qubes OS and your Debian/Fedora template update checks to use Tor onion URLs. Other than the update checks, I don't know what would give away your use of Qubes OS to your ISP.

For example, NTP requests to Fedora servers and the fingerprint resulting from the use of multiple VMs.

Does anyone have any ideas, opinions about the solutions I have proposed?

If you set up that VPN - and its routing - properly, meaning all traffic from your Qubes is going into that VPN tunnel, then your ISP only sees the VPN packets, and those are supposed to be properly encrypted - depending on the VPN protocol you use.

So your solution is theoretically correct (unable to recognize your operating system), but in practice it heavily depends on your implementation :wink:

(A common implementation mistake is if your router forwards the internal DNS queries outside of the VPN.)

3 Likes

Can you please explain what that means?

ISPs can use statistical methods to identify your operating system.
If you update Qubes via sys-whonix as netvm, they try to mitigate this problem afaik.
If you don't use sys-whonix as netvm and you still want to be safe, I can recommend Mullvad VPN with its DAITA feature enabled, which should make it much harder, if not impossible.

1 Like

If they make it like "nmap", then they see only the OS of your template VM, so in fact fedora-xx or debian-xx. Afaik there is no easy way to detect Qubes OS. Correct me if I am wrong (ideally with some proof-of-concept or a link to a site with further explanation of how this should work).

1 Like
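To make question 2 of the original post concrete, here is a small added illustration of my own (not code from this thread, from Qubes, or from any real fingerprinting tool such as p0f) of how a passive observer classifies a TCP SYN from a few header fields, and why a VPN on the router changes what the ISP can classify. The signature table and the packets are constructed stand-ins, and the three forwarding hops (sys-firewall, sys-net, home router) are the default Qubes chain taken as an assumption.

```python
"""Added example: passive OS classification from header fields, with and without a
router-side VPN tunnel. Signature values are constructed and illustrative only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynHeader:
    ttl: int      # IPv4 TTL as observed on the wire
    window: int   # TCP window advertised in the SYN
    df: bool      # IPv4 "don't fragment" bit


# Constructed table: (initial TTL, window, DF) -> label. Real tools match on far
# more fields (options order, MSS, timestamps); this is only the shape of the idea.
SIGNATURES = {
    (64, 64240, True): "generic-linux-guest",      # constructed label
    (128, 64240, True): "generic-windows-like",    # constructed label
    (64, 5840, False): "router-firmware-like",     # constructed label
}


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value,
    which undoes the decrement applied by each router on the path."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255


def classify(h: SynHeader) -> str:
    """Look the header up in the signature table; 'unknown' when nothing matches."""
    return SIGNATURES.get((initial_ttl(h.ttl), h.window, h.df), "unknown")


def after_hops(h: SynHeader, hops: int) -> SynHeader:
    """Each forwarding hop decrements TTL by one; window and DF pass through NAT unchanged."""
    return SynHeader(h.ttl - hops, h.window, h.df)


def as_seen_by_isp(guest_syn: SynHeader, router_outer: SynHeader,
                   vpn_on_router: bool, hops: int = 3) -> SynHeader:
    """Return the header the ISP can actually read.
    Without the tunnel, the guest's own header arrives (TTL reduced by the hops).
    With the tunnel, the guest packet is encrypted payload and only the outer
    header, produced by the router's own network stack, is readable. (A SYN is
    used for the outer packet here purely so one classifier serves both cases;
    a real tunnel's outer packets are usually UDP.)"""
    if vpn_on_router:
        return router_outer
    return after_hops(guest_syn, hops)


# Constructed sample packets: an AppVM SYN and the router's own outer packet.
GUEST = SynHeader(ttl=64, window=64240, df=True)
ROUTER = SynHeader(ttl=64, window=5840, df=False)

if __name__ == "__main__":
    print("no VPN on router:", classify(as_seen_by_isp(GUEST, ROUTER, False)))
    print("VPN on router:   ", classify(as_seen_by_isp(GUEST, ROUTER, True)))
```

The point of the toy is the second line of output: once the router encapsulates everything, the header fields the ISP can classify belong to the router, not to the template VM. Encapsulation does not hide traffic patterns, though (who is talked to when, and how much), and that is what the "statistical" concern and features like DAITA are about, which is a separate question from headers.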

I didn't immediately find my source that I very much remember in my head (and I don't have much time right now to find it), but a big problem is that you typically don't only update one template VM at a time, but a lot of templates. While there are other identifiers, one big one is obviously that you update a lot of Fedora/Debian templates at the same time.
I think Whonix solves it by implementing some sort of timeouts in the background between updating each template.

Hmm, understood. But that can be addressed by not updating all templates at the same time, instead one after another with random pauses between. Isn't it?

Whonix already does that for you :slight_smile:

Thank you all for your answers.

First of all, I would like to point out that I am not an advanced user. For some time now, I have been looking for information on how to hide the fact that I am using Qubes OS from my internet service provider. I have read many posts on our forum, the Whonix forum, and threads on GitHub. Here is the information that indicates to our ISP that we are using Qubes OS on our computer:

  1. Fingerprinting resulting from the use of multiple virtual machines and Fedora as sys-net (when checking for updates, our computer connects to Fedora servers). Does using a VPN on our own router eliminate this risk? Are updates then checked through the VPN?

  2. Passive identification of the operating system based on TCP/IP headers. Is such passive identification possible if we use a VPN on our own router?

  3. NTP requests to Fedora NTP servers. If I have a VPN on my own router, do such NTP requests also go through the VPN? Is this risk also eliminated?

Hi @firavo3602

This might help you:

Hi @MacGyver

Unfortunately, this does not answer my questions.

Hi @firavo3602,

I might be talking out of my backside here, so maybe someone else with a deeper understanding can interject or correct me if I am wrong?

I think the multiplication of network adapters may help if it is indeed an issue.

I believe it is possible to isolate your VMs with the use of separated network interfaces.

That is to say, more than one Ethernet port or more than one WiFi network, and more than one sys-net, more than one sys-firewall and more than one VPN.
You could also add further DNS protections to each one of these networks.

If all these parameters can be individually configured, then it would be possible to have absolute isolation, up to the point of injection into the router. Of course you could even have more than one router and more than one ISP if this is indeed a possibility and/or feasible for your situation.

I suppose the first questions to ask are how much you trust your ability to correctly configure your system, how much you trust your router config, and how much you trust your VPN service provider.

It might also be an idea to look into I2P and Garlic routing.
This could provide additional layers of encryption to bypass these issues.

Realistically, yes. The statistical threats we are talking about have never been seen in the wild yet, so unless you live in a highly repressive country you most likely don't have to care about this.

Not sure if it's possible via TCP/IP headers, but via statistical methods it's still possible. Unless you either use Mullvad VPN with DAITA enabled (which is only possible by using the Mullvad VPN apps, so you can't do this via your router) or update your system via Whonix, it could still be possible to identify the OS you are using. If you care about this, just enable updates via Whonix on your system; then you can be sure.

Yes! Everything goes through your VPN, and therefore NTP requests also go through your router if you have configured the VPN on your router correctly. I don't know what router you use or how exactly you have set it up, but you might want to use the Connection Check pages that most VPN companies provide to make sure you don't have DNS leaks.

2 Likes
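The two implementation mistakes named in this thread (a default route that bypasses the tunnel, and DNS queries forwarded outside of it) can be checked on the router itself before trusting a provider's connection-check page. Here is an added example of my own, not from this thread or any router firmware, that reads text in the format of `ip -4 route` and `/etc/resolv.conf` and reports which of the two problems it finds. The route and resolver samples are constructed (RFC 5737 documentation addresses), and `wg0` as the tunnel interface and `eth0` as the WAN interface are assumptions.

```python
"""Added example: offline check that the default route and every resolver are
reached through the tunnel interface. Inputs are constructed samples."""
import ipaddress

# Constructed `ip -4 route` output for a correct setup: default via the tunnel,
# only the VPN endpoint (203.0.113.10) routed out of the WAN interface.
ROUTES_OK = """\
default via 10.8.0.1 dev wg0
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
"""
# Constructed output for a broken setup: default route still on the WAN side.
ROUTES_LEAK = """\
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
"""
RESOLV_OK = "nameserver 10.8.0.1\n"           # resolver inside the tunnel network
RESOLV_LEAK = "nameserver 192.168.1.1\n"      # upstream LAN gateway, outside the tunnel

PROBE = ipaddress.ip_address("192.0.2.1")     # matched only by the default route


def parse_routes(text):
    """Return [(network, device)] from `ip -4 route` lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def parse_resolvers(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    return [ipaddress.ip_address(line.split()[1])
            for line in text.splitlines() if line.startswith("nameserver")]


def egress_device(routes, addr):
    """Longest-prefix match, the way the kernel selects a route."""
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_vpn_routing(route_text, resolv_text, tunnel_dev):
    """Return a list of problems; empty means both checks passed."""
    routes = parse_routes(route_text)
    problems = []
    if egress_device(routes, PROBE) != tunnel_dev:
        problems.append("default route does not use %s" % tunnel_dev)
    for ns in parse_resolvers(resolv_text):
        dev = egress_device(routes, ns)
        if dev != tunnel_dev:
            problems.append("resolver %s is reached via %s, not %s" % (ns, dev, tunnel_dev))
    return problems


if __name__ == "__main__":
    for label, r, d in (("ok", ROUTES_OK, RESOLV_OK),
                        ("leaky routes", ROUTES_LEAK, RESOLV_OK),
                        ("leaky dns", ROUTES_OK, RESOLV_LEAK)):
        print(label, "->", check_vpn_routing(r, d, "wg0") or "no problems")
```

On a real router, feed it the live output of `ip -4 route` and the resolver list the router's forwarder actually uses. Two caveats: policy routing (`ip rule`) and per-client rules are not modelled here, and a forwarder such as dnsmasq may use upstream servers that are not in `/etc/resolv.conf`, so the provider's external check page is still worth running afterwards.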

Check this link here:

https://abrahamjuliot.github.io/creepjs/

1 Like

Well that is a quick test.

That’s nice!

Is it about using sys-whonix as an update proxy for dom0 and templates? No need to use sys-whonix as our sys-net (instead of Fedora/Debian)?

Is it a fingerprint of updating multiple templates at the same time? How can an update via sys-whonix help here? From what I've noticed, several templates are still being updated at once, despite the update being passed through sys-whonix.

Yes, this is only about using it as update proxy. There is no need to use sys-whonix as sys-net.

Yes, updating all templates at the same time allows it to be fingerprinted. sys-whonix solves this by implementing by-default timeouts between updating templates.

Having said that: this method of fingerprinting is only theoretical. Nothing like that has ever been seen in the wild.

1 Like