Monero wallet isolation

EDIT: I’m an ass… I got confused and linked to the official monero guide instead of the guide I meant and even quoted from the wrong guide too… :eggplant: and now it seems too late to edit it… :frowning_face:

If anyone want’s to help tell me if this is a safe solution then this is how the initial post should have read:

I created an isolated wallet using this github guide but had issues as per helge’s comments in this thread and so used @qubes-kernel-5.8 's solution to fix it, Thanks guys!

followed the original guide until the step:

4.2. Create communication channel with daemon on boot

  • Edit the file /rw/config/rc.local .
user@host:~$ sudo kwrite /rw/config/rc.local
  • Enter the following below any existing text, and save the file.
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws whonix.monerod-mainnet" &

But instead of above added qubes-kernel-5.8’s workaround:

  • Edit the file /rw/config/rc.local
qvm-connect-tcp ::18081

Then create a TCP connect policy in dom0:

sudo nano /etc/qubes-rpc/policy/qubes.ConnectTCP
monero-wallet-ws @default allow,target=monerod-ws

However, I have been worried that the combination of the original guide and the workaround may lead to an insecure solution, as I’m new to qubes can anyone set my mind at ease?

I also checked out @adrelanos 's solution from Whonix wiki (monero_wallet_isolation) which looks very like the original guide and is probably what it’s based on and as such it would likely have the same issue with Qubes 4.1. I’m guessing probably due to some changes that must have been made to the firewall?

After reading about stream isolation in Whonix and torsocks I became concerned that the original guide I followed did not implement torsocks. Consequently I edited my previously created monerod service and added the Whonix config options, see below

[Unit]
Description=Monero Full Node
After=network.target

[Service]
User=user
Group=user
PIDFile=/home/user/.bitmonero/monerod.pid
Type=forking

KillSignal=SIGKILL

Environment=DNS_PUBLIC=tcp
Environment=TORSOCKS_ALLOW_INBOUND=1

ExecStart=torsocks monerod  --data-dir=/home/user/.bitmonero \
               --no-igd --hide-my-port --pidfile=/home/user/.bitmonero/monerod.pid \
               --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip=127.0.0.1 \
               --non-interactive

Restart=always
PrivateTmp=true

[Install]
WantedBy=multi-user.target

This is working but I am very aware that I have implemented various parts of 3 guides now and at worst this may be an insecure implementation and at best probably contains some redundant code.

If someone could just look over the service above quickly and just check that it is secure or suggest changes I would be massively grateful and am happy to write this up into a new guide for others or contribute in some other way to Whonix and or Qubes.

TLDR

3 things:

is this a safe policy:

monero-wallet-ws @default allow,target=monerod-ws

Now that I am using qvm-connect-tcp what redundant code can I get rid of, e.g socat?

Does the service config above look safe?

Thanks

2 Likes