First of all, the only mention of freelancing I’ve found is this verbose thread; as it remains undeleted/unedited yet seen by a moderator, I assume that freelance requests are allowed.
Send your price&time suggestions : nym2tor@protonmail.com
I pay in crypto of your preference (xmr?)
Details : The task is to chain packets from Whonix Workstation (aka ws-15) first through the NYM mixnet, then through Tor mixnet.
The final product I’m expecting is a detailed how-to guide that any normal person could follow (and by that I mean copy-pasting commands). It will be publicly available, and maybe will even be posted in the Qubes community docs (or maybe it won’t, I don’t know and I’m not affiliated with its admin).
Your first implementation idea may be running a NYM client inside of the Whonix Gateway qube (aka gw-15) under “clearnet” user, and just type “SocksPort localhost:1080” in torrc, but…
- It lowers isolation (running 3rd party software in gw-15 is insecure cause it could be exploited to turn off tor, or tor could be exploited to turn off nym-socks5-client).
- It’s impossible at the moment, as gw-15 ships with an outdated version of glibc6 (2.28-10, nym-socks5-client requires 2.29) ’cause the 15th version is based on Debian 10 stable, Buster. I couldn’t swap it with a new one and this practice is strongly advised against (libc is a core system part). New Debian is going to be released soon, so we can expect a new Whonix in… a few months?
I guess it could be roughly like that:
- Building an Ubuntu 20 template qube, as NYM is tested on it by the devs; apt update && apt upgrade -y, then apt install redsocks, then wget the current version of nym-socks5-client from the nymtech GitHub, chmod 777 it. All in a template.
- Create an AppVM qube for running nym, check “Provides network”, run nym-socks5-client
- We’re using redsocks to send TCP packets into socks5 (localhost:1080). The default redsocks incoming port is localhost:12345, so create an iptables rule to redirect incoming TCP (on the virtual interface from the connected gw-15) to it. Also reject UDP, I guess.
- Automate running nym-socks5-client, redsocks, iptables rules on startup after network is available and vif is known, cron “@reboot” or service. Probably do this in a template, rather than AppVM qube.
- Suffer the latency, enjoy the privacy.
Well, I don’t really know the stuff, so I got stuck on the iptables part and realized (after a few days) I won’t make it.
If you need any help with the NYM part (like, you’re gonna need a running requester to run a nym-client), I probably can help.
P.S. If you’re aware of some other serious mixnet projects, please mention them in the comments. Because I’m not.
P.P.S. If you’re using Tor, you should be interested in some violent critique on it from Dr. Neal Krawetz:
https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html
https://www.hackerfactor.com/blog/index.php?/archives/868-Deanonymizing-Tor-Circuits.html
https://www.hackerfactor.com/blog/index.php?/archives/906-Tor-0day-The-Management-Vulnerability.html
P.P.P.S. The reason for using NYM → Tor and not Tor → NYM is ’cause NYM’s exit node (“requester”) IP is persistent, and since not many people are using NYM and a lot fewer people will be using the same requester, it’s really a fingerprint. Tor is mainstream and it’s more common to connect to/from its nodes.
But yeah, if the Tor circuit was busted, a Global Observer can see it’s coming from NYM, then look up connections to NYM nodes from non-NYM residential IPs, automatically correlate timings of requests on in (mixnode) and on out (requester node) and find you (or just DDoS mixnodes one by one until only the adversary’s mixnodes with rewritten code are available, and find you again, like with Tor).
But that’s another story.
P.P.P.P.S. Also this (yet nonexistent) guide could help with other mixnet setup, or dVPN setup, or basically whatever supports socks5.
P.P.P.P.P.S. Don’t try to connect ws-15 directly to nym-qube, it won’t work cause ws-15 is tweaked to get connection only from gw-15. Yea if you know iptables you probably can change that.
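
An added sketch of the redsocks and iptables step from the list above; it is not part of the original post and has not been tested on Whonix or Qubes. Assumptions not taken from the post: downstream qubes appear on `vif*` interfaces, the firewall is iptables-based, redsocks reads `/etc/redsocks.conf`, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: transparent TCP -> SOCKS5 redirection inside the NYM qube.
# Assumptions: gw-15 attaches on a vif* interface, nym-socks5-client listens
# on 127.0.0.1:1080 and redsocks accepts redirected traffic on port 12345.
VIF='vif+'; REDSOCKS_PORT=12345; SOCKS_PORT=1080

# redsocks has to listen on 0.0.0.0 rather than localhost: REDIRECT rewrites
# the destination to the address of the incoming vif, not to 127.0.0.1.
render_redsocks_conf() {
cat <<EOF
base {
    log_info = on;
    log = "syslog:daemon";
    daemon = on;
    redirector = iptables;
}
redsocks {
    local_ip = 0.0.0.0;
    local_port = $REDSOCKS_PORT;
    ip = 127.0.0.1;
    port = $SOCKS_PORT;
    type = socks5;
}
EOF
}

# One iptables command per line so the rules can be reviewed before use.
# Rule 1 sends all TCP from the vif to redsocks, rule 2 lets it reach the
# listener, rule 3 fails closed: UDP and anything else that was not
# redirected is rejected instead of being forwarded to the clearnet.
render_rules() {
cat <<EOF
iptables -t nat -I PREROUTING -i $VIF -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
iptables -I INPUT -i $VIF -p tcp --dport $REDSOCKS_PORT -j ACCEPT
iptables -I FORWARD -i $VIF -j REJECT
EOF
}

# Writes the config and runs each rule; needs root, so it is opt-in.
apply_all() {
    render_redsocks_conf > /etc/redsocks.conf
    render_rules | while read -r rule; do $rule; done
}
if [ "${APPLY:-0}" = 1 ]; then apply_all; else render_redsocks_conf; render_rules; fi
```

Without `APPLY=1` the script only prints the config and the rules for review. The rules do not survive a qube restart unless they are re-run at startup, which is what the automation step in the list is for.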