Monero wallet isolation

I created an isolated wallet using this GitHub guide but had issues as per helge’s comments in this thread, and so used @qubes-kernel-5.8's solution to fix it. Thanks guys!

Summary

I followed the original guide until the step:


3. In the AppVM monero-wallet-ws:

  • Edit the file /rw/config/rc.local.
user@host:~$ sudo nano /rw/config/rc.local

Add the following line to the bottom:

socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"

But instead of the above I added qubes-kernel-5.8’s workaround:

  • Edit the file /rw/config/rc.local
qvm-connect-tcp ::18081

Then create a TCP connect policy in dom0:

sudo nano /etc/qubes-rpc/policy/qubes.ConnectTCP
monero-wallet-ws @default allow,target=monerod-ws

However, I have been worried that the combination of the original guide and the workaround may lead to an insecure solution. As I’m new to Qubes, can anyone set my mind at ease?

I also checked out @adrelanos's solution from the Whonix wiki (monero_wallet_isolation), which looks very like the original guide and is probably what it’s based on, and as such it would likely have the same issue with Qubes 4.1. I’m guessing this is probably due to some changes that must have been made to the firewall?

After reading about stream isolation in Whonix and torsocks I became concerned that the original guide I followed did not implement torsocks. Consequently I edited my previously created monerod service and added the Whonix config options, see below.

[Unit]
Description=Monero Full Node
After=network.target

[Service]
User=user
Group=user
# Type=forking expects the ExecStart process to daemonize and exit, and
# monerod only writes --pidfile when started with --detach, so the daemon
# is run detached below rather than with --non-interactive.
PIDFile=/home/user/.bitmonero/monerod.pid
Type=forking

KillSignal=SIGKILL

# Whonix stream-isolation settings: force monerod's DNS over TCP so torsocks
# can carry it, and let torsocks accept the inbound listeners.
Environment=DNS_PUBLIC=tcp
Environment=TORSOCKS_ALLOW_INBOUND=1

ExecStart=torsocks monerod --data-dir=/home/user/.bitmonero \
               --no-igd --hide-my-port --pidfile=/home/user/.bitmonero/monerod.pid \
               --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip=127.0.0.1 \
               --detach

Restart=always
PrivateTmp=true

[Install]
WantedBy=multi-user.target

This is working, but I am very aware that I have implemented various parts of three guides now, and at worst this may be an insecure implementation and at best it probably contains some redundant code.

If someone could just look over the service above quickly and check that it is secure, or suggest changes, I would be massively grateful, and I am happy to write this up into a new guide for others or contribute in some other way to Whonix and/or Qubes.

Thanks

TLDR

3 things:

1. Is this a safe policy:

monero-wallet-ws @default allow,target=monerod-ws

2. Now that I am using qvm-connect-tcp, what redundant code can I get rid of, e.g. socat?

3. Does the service config above look safe?

Thanks

Where do I add configuration settings?

I follow the guide and it does not work.

If I add configuration settings, does it work then?

Literally all of the information is written in detail in the first post; it works fine with the workaround, which is in the summary.

Although I don’t know if this is a secure solution, that’s why I posted it…

Try to follow the guide above from scratch. If you can’t do it, PM me and I will help you.

Where did you add these? What is the file, or what do I click on to cut and paste these? I still can’t connect wallet-ws to ws.

Binding TCP '@default:18081' to 'localhost:18081'...
user@host:~$ 2022/02/27 01:43:03 socat[3300] E bind(5, {AF=2 0.0.0.0:18081}, 16): Address already in use

[2/27/22 1:44 AM] 2022-02-27 01:44:44.891 I Monero ‘Oxygen Orion’ (v0.17.3.0-release)
Error: Unsuccessful – json_rpc_request:

Did I do right?

I clicked on links and tried to add everything. I tried the normal guide and it did not work, so I tried the BearQub way and it did not work well.

@adrelanos sorry… I linked the wrong guide in my initial post; the edit is below if you are interested.

The guide I actually used is almost identical to yours, so I don’t think this works as of Qubes 4.1.

EDIT: I’m an ass… I got confused and linked to the official Monero guide instead of the guide I meant, and even quoted from the wrong guide too… :eggplant: and now it seems too late to edit it… :frowning_face:

If anyone wants to help tell me whether this is a safe solution, this is how the initial post should have read:

I created an isolated wallet using this GitHub guide but had issues as per helge’s comments in this thread, and so used @qubes-kernel-5.8's solution to fix it. Thanks guys!

I followed the original guide until the step:

4.2. Create communication channel with daemon on boot

  • Edit the file /rw/config/rc.local.
user@host:~$ sudo kwrite /rw/config/rc.local
  • Enter the following below any existing text, and save the file.
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws whonix.monerod-mainnet" &

But instead of the above I added qubes-kernel-5.8’s workaround:

  • Edit the file /rw/config/rc.local
qvm-connect-tcp ::18081

Then create a TCP connect policy in dom0:

sudo nano /etc/qubes-rpc/policy/qubes.ConnectTCP
monero-wallet-ws @default allow,target=monerod-ws

However, I have been worried that the combination of the original guide and the workaround may lead to an insecure solution. As I’m new to Qubes, can anyone set my mind at ease?

I also checked out @adrelanos's solution from the Whonix wiki (monero_wallet_isolation), which looks very like the original guide and is probably what it’s based on, and as such it would likely have the same issue with Qubes 4.1. I’m guessing this is probably due to some changes that must have been made to the firewall?

After reading about stream isolation in Whonix and torsocks I became concerned that the original guide I followed did not implement torsocks. Consequently I edited my previously created monerod service and added the Whonix config options, see below.

[Unit]
Description=Monero Full Node
After=network.target

[Service]
User=user
Group=user
# Type=forking expects the ExecStart process to daemonize and exit, and
# monerod only writes --pidfile when started with --detach, so the daemon
# is run detached below rather than with --non-interactive.
PIDFile=/home/user/.bitmonero/monerod.pid
Type=forking

KillSignal=SIGKILL

# Whonix stream-isolation settings: force monerod's DNS over TCP so torsocks
# can carry it, and let torsocks accept the inbound listeners.
Environment=DNS_PUBLIC=tcp
Environment=TORSOCKS_ALLOW_INBOUND=1

ExecStart=torsocks monerod --data-dir=/home/user/.bitmonero \
               --no-igd --hide-my-port --pidfile=/home/user/.bitmonero/monerod.pid \
               --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip=127.0.0.1 \
               --detach

Restart=always
PrivateTmp=true

[Install]
WantedBy=multi-user.target

This is working, but I am very aware that I have implemented various parts of three guides now, and at worst this may be an insecure implementation and at best it probably contains some redundant code.

If someone could just look over the service above quickly and check that it is secure, or suggest changes, I would be massively grateful, and I am happy to write this up into a new guide for others or contribute in some other way to Whonix and/or Qubes.

TLDR

3 things:

1. Is this a safe policy:

monero-wallet-ws @default allow,target=monerod-ws

2. Now that I am using qvm-connect-tcp, what redundant code can I get rid of, e.g. socat?

3. Does the service config above look safe?

Thanks
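The "is this a safe policy" question asked in the first post and again in the corrected repost above can be reasoned about concretely with a small model of how the legacy Qubes 4.0/4.1 policy line is matched. The script below is an added example, not code from the thread or from the Qubes project: it models first-match-wins, the difference between an `@default` and a named destination, the `target=` redirect, default deny, and the lookup of a port-specific `qubes.ConnectTCP+18081` file before the generic `qubes.ConnectTCP` file. It is a simplified stand-in for the real qrexec-policy engine (tokens such as `@anyvm`, `@tag:` and `ask` are not modelled; anything other than `allow` is treated as deny), and the policy directory it reads from is constructed inline.

```python
# Added example (not from the thread or from Qubes): simplified model of
# legacy qrexec policy matching for the qubes.ConnectTCP line from the post.
# It is NOT the real qrexec-policy engine; @anyvm, @tag:... and ask are
# deliberately left out and anything other than "allow" is treated as deny.

# Constructed policy directory: each key stands in for
# /etc/qubes-rpc/policy/<name>. The first entry is exactly the line from the post.
POLICY_FILES = {
    "qubes.ConnectTCP": "monero-wallet-ws @default allow,target=monerod-ws\n",
}

# Tightened variant using the legacy "service+argument" file name, so the
# wallet qube may only open port 18081 on monerod-ws rather than any port.
POLICY_FILES_PORT_SCOPED = {
    "qubes.ConnectTCP+18081": "monero-wallet-ws @default allow,target=monerod-ws\n",
}


def parse_policy(text):
    """Parse legacy 'source destination action[,key=value,...]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        src, dst, action = line.split(None, 2)
        verb, _, params = action.partition(",")
        opts = dict(p.split("=", 1) for p in params.split(",") if p)
        rules.append({"source": src, "dest": dst, "action": verb, **opts})
    return rules


def lookup_rules(policy_files, service, arg):
    """The argument-specific file (service+arg) wins over the generic one."""
    for name in (f"{service}+{arg}", service):
        if name in policy_files:
            return parse_policy(policy_files[name])
    return []   # no policy file at all: nothing can match


def evaluate(policy_files, source, arg, dest="@default", service="qubes.ConnectTCP"):
    """Return (decision, effective_target) for one qrexec call.

    dest="@default" models a caller that names no target, which is what
    `qvm-connect-tcp ::18081` does: dom0, not the wallet qube, then picks
    the destination through the rule's target= option."""
    for rule in lookup_rules(policy_files, service, arg):
        if rule["source"] != source:
            continue
        # "@default" in the destination column only matches calls that did
        # not name a target; a named destination has to match exactly.
        if rule["dest"] != dest:
            continue
        if rule["action"] != "allow":
            return ("deny", None)
        target = rule.get("target", dest)
        if target == "@default":
            return ("deny", None)   # allow with no concrete target is unusable
        return ("allow", target)
    return ("deny", None)           # no matching line: default deny


if __name__ == "__main__":
    for files, label in ((POLICY_FILES, "generic qubes.ConnectTCP file"),
                         (POLICY_FILES_PORT_SCOPED, "port-scoped qubes.ConnectTCP+18081 file")):
        print(label)
        print("  wallet -> @default, port 18081:", evaluate(files, "monero-wallet-ws", "18081"))
        print("  wallet -> @default, port 22:   ", evaluate(files, "monero-wallet-ws", "22"))
        print("  wallet -> vault, port 18081:   ", evaluate(files, "monero-wallet-ws", "18081", dest="vault"))
        print("  untrusted -> @default:         ", evaluate(files, "untrusted", "18081"))
```

Running it shows what the posted line does and does not permit: only monero-wallet-ws is a permitted source, it can only reach the qube dom0 redirects it to (monerod-ws), and a call that explicitly names some other qube is not matched at all. The one thing the generic file leaves open is the port argument, which is why the port-scoped file name is shown alongside it.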

I think I did all this already and still get an error.

I downloaded the 125 GB Monero file and it is very slow to download, taking many weeks.

I just checked the status and it is at 2%, height 6000 of 256000.

I still have the 125 GB file in monero-ws.

What is this?

Is there a way to take the 125 GB file, which took much time to download, and put it in a new directory to try to create it again through the GitHub BearQub guide? I used GitHub at first and it did not work, then I tried BearQub and it did not work.

Great post @BearQub :clap: – I think you should copy & paste the other guides and combine them with your workarounds and reasoning.

Then title it: Monero Wallet Isolation with Qubes 4.1 + Whonix [WORKING]

People will find it very useful and it should get a lot of attention, then some experts may finally check that it is secure or suggest changes.

@BearQub it looks like the guide from the Whonix wiki that adrelanos linked includes torsocks.

@qubesn00b → start from scratch and follow this guide: How-to: Use Monero with Wallet Isolation in Qubes-Whonix ™

What is the point of using TorSocks for stream isolation if the Workstation VM is dedicated to monerod?
After reading Stream_Isolation in the Whonix docs it seems that it’s used to prevent multiple applications from using the same Tor circuits.

However, if the VM is dedicated to monerod, then only monerod is using the network, isn’t it?
And from the Whonix documentation: "Multiple Whonix-Workstation ™ are automatically stream isolated."

Even if from my point of view it seems useless, my concern is about the error messages I get from TorSocks during sync:
ERROR torsocks[…]: General SOCKS server failure (in socks5_recv_connect_reply() at socks5.c:527)
ERROR torsocks[…]: [socks5] Resolve destination buffer too small (in socks5_recv_resolve_reply() at socks5.c:701)
or
libunbound[…:0] error: outgoing tcp: connect: Connection refused for X.X.X.X port 53

Are these errors normal, or is TorSocks making the sync slower by “crashing/errors”? I often check the sync and see that it’s stopped for minutes or hours due to this; running “systemctl --user restart monerod” makes the sync start again before another “error” happens.

Has anyone tested without TorSocks? Does the sync get stuck sometimes too?
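The stall described in the post above (torsocks or libunbound errors, then no sync progress for minutes or hours until the service is restarted) can be picked out of the log rather than by polling by hand. The scanner below is an added example and not code from the thread: it counts the error messages and reports any gap between consecutive progress lines that exceeds a threshold, together with the errors seen during that gap. The sample log is constructed; the `Synced <height>/<target>` progress line format is an assumption about monerod's log output, while the torsocks and libunbound lines copy the shapes quoted in the post (those come from stderr and carry no timestamp, which is why only monerod's own timestamped lines drive the gap calculation).

```python
# Added example (not from the thread): scan a monerod/torsocks log for
# proxy/DNS errors followed by a gap in sync progress.
import re
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
SYNC_RE = re.compile(r"\bSynced (\d+)/(\d+)")          # assumed monerod progress format
TORSOCKS_RE = re.compile(r"ERROR torsocks\[[^\]]*\]: (.+?)(?: \(in |$)")
UNBOUND_RE = re.compile(r"libunbound\[[^\]]*\] error: (.+)")

# Constructed sample log: monerod lines carry timestamps, the torsocks and
# libunbound lines do not; 192.0.2.1 is a documentation address.
SAMPLE_LOG = """\
2022-02-27 01:44:44.891 I Monero 'Oxygen Orion' (v0.17.3.0-release)
2022-02-27 01:45:10.002 I Synced 6000/256000 (2%, 250000 left)
2022-02-27 01:45:40.120 I Synced 6100/256000 (2%, 249900 left)
ERROR torsocks[3300]: General SOCKS server failure (in socks5_recv_connect_reply() at socks5.c:527)
2022-02-27 01:46:01.500 I Synced 6200/256000 (2%, 249800 left)
ERROR torsocks[3300]: [socks5] Resolve destination buffer too small (in socks5_recv_resolve_reply() at socks5.c:701)
libunbound[3300:0] error: outgoing tcp: connect: Connection refused for 192.0.2.1 port 53
2022-02-27 03:10:00.000 I Synced 6300/256000 (2%, 249700 left)
"""


def parse_ts(line):
    """Timestamp of a monerod log line, or None for untimestamped lines."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def analyse(log_text, stall_minutes=10):
    """Count proxy/DNS errors and report gaps between progress lines.

    Returns {"errors": {message: count}, "stalls": [...], "last_height": int}.
    Each stall records the last progress line before the gap, the gap length
    in whole minutes and the error messages seen while progress was absent."""
    errors = {}
    stalls = []
    last_sync = None      # (timestamp, height) of the previous progress line
    pending = []          # error messages seen since that progress line
    for line in log_text.splitlines():
        m = TORSOCKS_RE.search(line) or UNBOUND_RE.search(line)
        if m:
            msg = m.group(1)
            errors[msg] = errors.get(msg, 0) + 1
            pending.append(msg)
            continue
        s = SYNC_RE.search(line)
        ts = parse_ts(line)
        if not (s and ts):
            continue                      # not a timestamped progress line
        height = int(s.group(1))
        if last_sync is not None:
            gap = ts - last_sync[0]
            if gap >= timedelta(minutes=stall_minutes):
                stalls.append({
                    "stalled_at": last_sync[0],
                    "resumed_at": ts,
                    "minutes": int(gap.total_seconds() // 60),
                    "height": last_sync[1],
                    "errors_during_gap": list(pending),
                })
        last_sync = (ts, height)
        pending = []
    return {"errors": errors, "stalls": stalls,
            "last_height": last_sync[1] if last_sync else None}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for msg, n in report["errors"].items():
        print(f"{n}x {msg}")
    for st in report["stalls"]:
        print(f"stall of {st['minutes']} min at height {st['height']} "
              f"({st['stalled_at']} -> {st['resumed_at']}); "
              f"errors during gap: {st['errors_during_gap']}")
```

Feed it the real log (`--log-file` from the unit, with torsocks' stderr captured into the same file or a journal export) and raise `stall_minutes` to whatever gap is normal for a Tor-only node; a stall that is always preceded by the same torsocks error is the evidence needed to decide whether torsocks, rather than Tor itself, is what interrupts the sync.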