Flexi-chains: multi-protocol tunnel-chaining app for Qubes to annoy GPAs

Dear all;

I must first apologise for the last week’s craziness. I had some stuff to sort out - I am sincerely sorry and it will not happen again.

To perhaps prove this, I have set upon reinstating flexi-chains.

All About Flexi-chains - (excerpt)

How is flexi-chains any different, in principle, from anything else?
I still want there to be an open-source Not Uniquely Identifiable network for everyone to use.
However, to have a truly NUI network (referring solely to the network layer), you NEED the option for private and anonymised, (via steganography), nodes.
In short, a truly NUI-network client would be somewhat-like a really advanced proxychains. In this sense, you can think of flexi-chains as a gateway to NUI-net - it is just a really very advanced proxy-chains.

See here for more information about flexi-chains.

I haven’t done anything like this before, so if anybody would like to help, you can PM me here or I’m sure you can manage to contact me via the details I have on github.

Please let me know what you think so far!

Yours Faithfully;


Actually, @deeplow can this be moved to general discussion? (Given it is on-topic Qubes).

Perhaps giving some context about what it is on the first post could be helpful. I had to refer to github. I’ve also changed the title to give a bit of insight as to what it is, otherwise, people may not go into this thread because they have no idea what flexi-chains refers to.

Feel free to edit your first post and edit the title (you can also move the category unintuitively by clicking on the :pencil2: to edit the title).


Thank you @deeplow for the information, I wasn’t aware one could change the category by doing so.

I have updated the post, please let me know if you think it would benefit from any further clarification.


This seems really interesting! Is there any way to test this out yet? Or is it a proof of concept?

I would love to help but sadly I have literally no programming experience.


@sadja I had previously wanted to keep this private, but I decided to make it public a few weeks ago. Since then I’ve had other things going on, but now I’ve got a bit of spare time to work on it.

As this is going to be a public open-source project, which I intend not only for the benefit of itself, but to benefit the wider qubes community - I want to make sure that everything is as simple and modular as possible, as I plan for cool features such as the ability to create custom plugins/extensions; (e.g: a programmable firefox plugin which can reboot the entire chain, or specific links in the chain and use different chains according to sites etc).

If you want to see the project status, I recommend checking this doc out every so-often.
The repo is going to be very volatile and reorganised. The above gen0 spec is not yet complete. When it is I shall start work, and hopefully at a very quick pace.

I hope this answers your question @sadja. Do let me know if you need any more info.

There is now a (very volatile) roadmap
There is also a (volatile) feature list - the ‘why’ to the roadmap

The train is chugging along - I now have a spoilers page.


If anybody has the time, I have some questions about what I need to do (e.g: dom0/special admin VM).

See here

Any & all help is very much appreciated.

actually, a good project,
hopefully, can be an additional option for solution.

if I understand it correctly,
so the purpose of flexi-chains / proxychains, is to cover the flaw in Tor.

but If we use Tor, on top of Whonix, can it replace the flaw ?


The comparison of flexi-chains to proxychains: as an ‘advanced proxychains’ is more apt than ‘cover the flaw in TOR’.

The point is, it’s giving you the control: hence ‘flexi’ ‘chains’.

TOR on whonix is still TOR, if you’re thinking purely in terms of the network-layer.

Let me elaborate. Proxychains limits you to socks/https, etc.
flexi-chains lets you choose ANY protocol (current plan is to piggyback off-of glider).
flexi-chains lets you use any guardVM (e.g. minimal debian firewall, IPS, etc).
You can add multiple configs to a tunnel link and set the setting to rotate(random,minutes,10,20) and every 10-20 minutes that link will reboot and a new config (from the ones you added) will be loaded. So you could add a vpn and a proxy config, respectively, as the last link in the chain - so any adversary is just really confused.

Does that make more sense? @newbie Apologies in advance if I’ve just made things more complicated.


nope, it does make sense, all things have different complicacy.
hmm, apologies in advance, it looks like beyond my capacity.
but, thanks in advance, for initiating this kind of project.

i thought, web browser communicates via https protocol only,
but maybe, other software communicates via different protocol, i.e. ftp, etc
i am not sure, maybe different OSI layer has different protocol,

and flexi-chains can randomize setting, for every specific times,
it’s good, it can randomize proxy and vpn, let’s say every 10 minutes,
but it also randomize protocol ? or for protocol we can choose only,
hmm, what if it gives us ftp, while we need http, and vice versa,

also it looks like, it has not considered browser fingerprint,
also, software that using specific protocol, may have software fingerprint,
also it looks like, cannot solve my case , since definitely cannot block / remove NSA-tier backdoor.
do you have any project, that can block / remove NSA-tier backdoor ?

Don’t underestimate yourself.

firefox/chrome can use many different protocols, not just https.

A link can be one of either: a tunnel or a guard.
A tunnel is the type which forwards/proxies/VPNs/TORs/etc traffic - hence ‘tunnel’.
A tunnel has a ‘mode’ (i.e. static/reboot/rotate-[between configs]), as I explained earlier.
You can set config(s): hence you can have multiple configurations.
Within the configuration you can choose the protocol.
Now, what is interesting with V0, is that (when released), given I am currently planning to use glider, you could technically create a chain with one config.
That aside, (sorry if I complicated things again), the point is if you select rotate(random,minutes,10,20) as the ‘mode’ for your tunnel - link 1, and you have 2 configuration files, one of them we’ll call: VPN, the other: proxy - every 10-20 minutes that tunnel VM, link 1, would restart, so if it was previously on VPN it would switch to proxy, if it was previously on proxy, it would switch to VPN.
So it’s up to you if you switch the protocol. Which would happen in the above case if your proxy was https, for instance, and your VPN was wireguard, for instance.

Check out the link I posted, (r/e glider), that’s the current plan for the supported protocols for V0.

If you checkout the roadmap (link on the github page), you’ll see that this has been factored in for a release Far In The Future. If you read the long-feature-list.md you will see the why says: this is a pivotal step to something approaching true anonymity. (e.g: super cool browser plugins :P).

I was not joking about the whole google-keep metaphor. I agree with you 100%, security is all about privacy. The only true privacy is in your head. However, you can use your computer securely (i.e. in a privacy respecting manner), even if it has been ‘compromised’. You just have to ensure what you do is done in a way that you understand, and your adversary doesn’t - does that make sense to you @newbie ?

Apologies if the above are poor explanations.
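The rotate mode described in the post above, as an added example that is not part of the original thread and not flexi-chains code: it parses the quoted `rotate(random,minutes,10,20)` string and simulates when one tunnel link would restart and which config it would load. The function names, the two config names, the uniform draw for "random" and the rule that a restart never reloads the same config are assumptions made for illustration.

```python
import random
import re
from dataclasses import dataclass

# Only the form quoted in the thread is accepted; other units are not guessed at.
_ROTATE = re.compile(r"rotate\(\s*random\s*,\s*minutes\s*,\s*(\d+)\s*,\s*(\d+)\s*\)")

@dataclass(frozen=True)
class RotateMode:
    low: int   # shortest time a config stays loaded, in minutes
    high: int  # longest time a config stays loaded, in minutes

def parse_rotate(mode):
    m = _ROTATE.fullmatch(mode.strip())
    if m is None:
        raise ValueError(f"unsupported mode string: {mode!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low <= 0 or high < low:
        raise ValueError("bounds must satisfy 0 < low <= high")
    return RotateMode(low, high)

def schedule(mode, configs, horizon, rng):
    """Return [(start_minute, config), ...] for one tunnel link."""
    if len(set(configs)) < 2:
        raise ValueError("rotation needs at least two distinct configs")
    current = rng.choice(configs)
    t, timeline = 0.0, [(0.0, current)]
    while True:
        # Assumption: 'random' means a uniform draw between the two bounds.
        t += rng.uniform(mode.low, mode.high)
        if t >= horizon:
            return timeline
        # The link restarts on a config other than the one it just ran.
        current = rng.choice([c for c in configs if c != current])
        timeline.append((round(t, 2), current))

def demo(seed=7):
    # Constructed sample: two hypothetical config names, a two-hour window.
    mode = parse_rotate("rotate(random,minutes,10,20)")
    return schedule(mode, ["vpn-wireguard", "proxy-https"], 120, random.Random(seed))

if __name__ == "__main__":
    for start, config in demo():
        print(f"t+{start:6.2f} min  restart link 1 with {config}")
```

With exactly two configs the order of configs is a strict alternation, so only the restart times vary; adding a third config is what makes the next config itself unpredictable.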

I was not joking about the whole google-keep metaphor. I agree with you 100%, security is all about privacy.

hmm, actually I don’t really understand about the metaphor,
it feels like, it has multi-interpretation.
Apology if I have wrong interpretation.

You just have to ensure what you do is done in a way that you understand, and your adversary doesn’t

so, related to NSA-tier backdoor, for example ?

Yes. I think I may be explaining this poorly, how can I be more helpful to you?

Assuming that you understand the following assumptions:
You are only as strong as your weakest link
Hence, the stronger your Achilles’ heel (weakest link) is, the more difficult it is for an attacker, e.g: a bad NSA.

My point about google keep is this:
It’s all very well somebody attacking what /they/ may think your weak point is - let’s say a BIOS/firmware backdoor - that is, they’ve got root access over dom0 (for example).

However, if when they get inside dom0 they discover you are writing things such as ‘must send a cake to mount everest via teletubby’ - being inside dom0 isn’t really pwnage (owning you/your privacy/compromising your security) is it?

For instance, the above to me would mean, in my head:
Message Edward Snowden via Telegram to say happy birthday.

Is this making more sense @newbie ?

Again, I apologise if it doesn’t - just let me know.

i see, you mean, we can write data as disinformation,
which mean, only the writer can interpret.

hmm, yes, i think it works, only if we have few data,
but maybe, for writer, journalist, with huge writing data,
i could not remember, much information, and disinformation in my head,
that’s why we need notes, or laptop.

or maybe during writing email, or graphic designer, interior designer, architect,
also cannot disinformation.

but, thank you for your advice,
apology for keep reasoning.

That is what I mean, yes.

For somebody in such a situation, who for example had an NSA firmware-backdoor, it is best to assume that this information has been accessed already by the NSA. If they had logs I would recommend they check them.

Sometimes attacks cannot be prevented (because nobody has unlimited time to secure their computers). So, this is why I would always recommend a non-networked, passive logging system. That way you can try and discover when and how the attacker gained entry, thus identifying what exploit they used/how you are vulnerable - such that it cannot happen again.

Is this more helpful to you? @newbie

i apologize, i think our discussion, has made your thread out of context,

a non-networked, passive logging system

what kind of logging system it is ? any software / system name ?

Don’t worry about it, I’ve made more mess than anybody here.

Just make sure on this thread discussion is strictly relevant to flexi-chains.

I suggest you start here.
Sorry to be blunt, I have got other things to do.

I have tagged @deeplow on a thread linked where I’ve indicated to split (sry again deeplow - but also thank you :wink:)


okay, thanks in advance :slightly_smiling_face:

Let’s get this party started!!

I very much look forward to this. Will you have install and basic setup routines to help us out in doing “flex-chains”?

You may want to look at v2ray
