Now, in Qubes OS I created a new qube and set sys-whonix as its Net qube. When testing, I found out that a direct curl call without special options (like --proxy) does use Tor indeed. However, the exit IP address I get for all sites seems to be the same. Additionally, I canât use the socks5h://user:pass approach because curl refuses the connection by failing to connect to 127.0.0.1. Obviously, a different approach is necessary but even after digging the web for 2 hours I could not find my way.
So, what is the correct way to do this in Qubes OS? (hopefully without influencing other qubes which would not work well with it)
Qubes OS provides both the Whonix-Gateway (sys-whonix) and the Whonix-Workstation (anon-whonix and whonix-workstation-16-dvm). See the Whonix documentation on how to install and configure them.
Within the Whonix-Workstation, curl is stream-isolated by default.
I have chosen to install whonix during Qubes OS installation. This documentation says that the right way to anonymize a qube is to simply set itâs NetVM to sys-whonix - that is exactly what I have done. Unfortunately, it does not provide stream isolation. Does it mean the documentation is wrong/incomplete, or that there is a bug? I donât know.
You seem to suggest to run curl inside whonix-ws itself. I am still learning about Qubes OS and I am careful not to mess up any installation-created qube by doing âmy stuffâ inside of it. IOW I still donât know what is the purpose of whonix-ws.
Is using whonix-ws as a template (instead of fedora, as I have done so far) the key? If âyesâ, does that mean that qubes based on other (non whonix-ws) templates cannot be stream isolated? Or, if they can - how?
Use 10.152.152.10. (Thatâs where port 9050 on 127.0.0.1 would automatically be redirected to, in a whonix-ws-based VM.)
Sort of: uwt isolates a program (e.g. curl) from other programs, but not from other invocations of the same program in the same VM. TORSOCKS_ISOLATE_PID=1 curl should work though. Youâre right, /etc/tor/torsocks.conf already has IsolatePID 1.
The linked documentation contains instructions on how to tunnel a non-Whonix qubeâs network traffic through Tor. While it is easy to tunnel the network of an app qube based on Fedora or Debian through Tor, it does not provide the same protection as using an app qube based on Whonix tunneled through Tor.
Correct. Fedora and Debian based app qubes are not designed to be âTor-aware.â They will not take advantage of features such as stream isolation.
You should run curl in an app qube based on a Whonix-Workstation template. The app qube should have its netvm set to a service qube that is based on the Whonix-Gateway template.
Yes. If the initial installation of Qubes OS setup Whonix for you, you should have a red app qube called âanon-whonix.â
Open up Qubes Tools > Qube Manager from the menu to list all your qubes.
In my case, the default Whonix installation created a red app qube called âanon-whonix.â Within anon-whonix is where curl should be run for stream isolation.
Anon-whonix is based on the whonix-ws-16 (workstation) template. Itâs netvm is set to âsys-whonix.â
Further down is the black app qube âsys-whonix.â This is the service qube that takes the network traffic it receives and tunnels it through Tor. It is based on the whonix-gw-16 (gateway) template.
In summary:
Use âanon-whonixâ as an example of an app qube that should be used for a Tor related workspace.
TORSOCKS_ISOLATE_PID=1 curl https://ipinfo.io/ip shows a different IP address on each call. TORSOCKS_ISOLATE_PID=0 curl https://ipinfo.io/ip always shows the same IP address.
Questions:
How do you know this IP address: 10.152.152.10?
Are there any other useful IP addresses I can read about?
What is your advice regarding using other SocksPorts (9051, 9052 etc) which seem set in whonix in relation to this thread?
Without the ability to lock the used stream using a user:pass for an explicit socks5h proxy connection in the whonix-ws based VM (which is obviously the one I should use) it is not clear how one can make sure that certain connections are within the same stream. Suppose a scenario in which one needs to make sequential calls to the same host (e.g. as in a session or for some other reason) within the same stream. TORSOCKS_ISOLATE_PID=0 does lock the IP address but it cannot give isolated streams to the same host. So, how should that be done?
In a whonix-ws based VM use 127.0.0.1 (and maybe bypass uwt), otherwise 10.152.152.10. Either way always include the port number, so that it doesnât default to the conventional Socks port 1080.
That variable does nothing in Fedora, where curl etc. are not wrapped with torsocks by default.
A notable alternative port is 9150, which in whonix-gw based VMs uses isolation flags âlike Tor Browserâ (IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth ExtendedErrors), compared to port 9050 which uses the default isolation without any added flags.
Hmm maybe itâs documented somewhere on the Whonix wiki.
The only difference I can think of is that a) is probably more like socks5:// instead of socks5h:// (which would be observable for the exit node and, due to timing, for the website). And of course, different curl versions in different OSs.
Both would go through the Tor network if the VM has a whonix-gw based netvm. The difference is that using socks5h:// to download https://example.com makes a request to the exit node for something like âconnect me to example.com on port 443â, whereas socks5:// (or transparently torified, or torified via torsocks e.g. through the uwt wrapper) makes two requests to the exit note: "what is the IP address for example.com", then âconnect me to <that IP address> on port 443â
You can observe this in the whonix-gw based netvmâs Onion Circuits application.
But how would socks5h:// connect me to example.com without knowing (having a cache) or asking for its IP address? Even if that is somehow possible (e.g. through some secondary/implicit resolving), it is still unclear to me if a) or b) is better or worse along the lines of anonymity.
Sorry for so many questions but you really caught my interest
The Tor protocol allows you to ask an exit node to connect to a hostname, in which case the exit node resolves the IP address on its end and connects to the result (but doesnât tell you what that result was).
Neither per se, but itâs a difference in behavior and as such itâs fingerprintable from the view of the exit node as well as the website. That aside, socks5h:// is more elegant.
The Tor protocol allows you to ask an exit node to connect to a hostname, in which case the exit node resolves the IP address on its end and connects to the result (but doesnât tell you what that result was).
do you think it can also be considered more secure to use socks5h://, as leaving the DNS resolving to the exit node (which may be compromised in some way) may have unexpected consequences?
It uses one combined resolve-and-connect step instead of two separate steps, so latency is a bit lowered by avoiding one round trip, and thereâs less opportunity for failure. Also, when youâre making two separate Tor protocol requests for each step, those two requests could be split across two circuits, possibly even ending in two different exit nodes - which doesnât seem ideal. Although I have no idea how often that happens in practice.
Oh thanks, those are bits and pieces Iâve picked up chaotically over timeâŚ
One thing thatâs been useful to get some ground truth about circuit use is to play around with a Tor control port connection. E.g. tor-ctrl -w SETEVENTS CIRC STREAM in sys-whonix - and then trying all kinds of different requests (like socks5:// vs. socks5h://) to see the difference, while looking at control-spec.txt (in this case, section 4.1.1 and especially 4.1.2) to make just barely enough sense of it.