Tips to improve my anonymity with this configuration?

so I asked this question on r/qubes and it was deleted as spam, absolutely no idea why.

Perhaps someone here can offer advice; I’m looking for an as anonymous as possible setup mostly for web browsing although some of the sites I need to use block tor exit nodes. this is my current setup in Qubes 4.1

SYS-NET > SYS-FIREWALL > VPN-FIREWALL > WG-VPN-VM > SOCKS5-FIREWALL > FIREFOX-VM

• sys-net and sys-firewall are standard.
• vpn-firewall only allows the IP of a multihop wireguard vpn.
• wg-vpn-vm uses a github script from HKBAKKE which is great, highly recommend it btw

or here’s the script

#!/usr/bin/env bash
#
# This script can safely be executed multiple times.
#
set -e -u

. ./config

# /etc/wireguard/wg0.conf is symlinked to this folder in the template
mkdir -p -m 700 /rw/config/wireguard

# Protect the key in the config file
touch /rw/config/wireguard/wg0.conf
chmod 600 /rw/config/wireguard/wg0.conf

cat << EOF > /rw/config/wireguard/wg0.conf
[Interface]
Address = $WG_ADDRESS
DNS = $WG_DNS
PrivateKey = $WG_PRIVATE_KEY
PostUp = for ns in \$(resolvectl dns wg0 | sed 's/.*: //'); do echo "nameserver \$ns"; done > /etc/resolv.conf
PostUp = /usr/lib/qubes/qubes-setup-dnat-to-ns
PostDown = for ns in \$(resolvectl dns | grep -F 'Global' | sed 's/.*: //'); do echo "nameserver \$ns"; done > /etc/resolv.conf
PostDown = /usr/lib/qubes/qubes-setup-dnat-to-ns
[Peer]
PublicKey = $WG_PEER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = $WG_ENDPOINT
EOF

# Start the wireguard connection at boot
grep -F "systemctl start wg-quick@wg0" /rw/config/rc.local > /dev/null || echo "systemctl start wg-quick@wg0" >> /rw/config/rc.local

# Ensure only traffic destined for the wireguard interface is forwarded
mkdir -p /rw/config/qubes-firewall.d

cat << EOF > /rw/config/qubes-firewall.d/wireguard
#!/bin/sh
iptables -F QBS-FORWARD
iptables -A QBS-FORWARD -o wg+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A QBS-FORWARD -i vif+ -o wg+ -j ACCEPT
iptables -A QBS-FORWARD -j DROP
EOF

chmod +x /rw/config/qubes-firewall.d/wireguard

I use this script with a highly recommended vpn provider who allows anonymous payments, they also support multihop on their end meaning I can use a single configuration file with this script and I can connect to one server and they route my exit through another server, so I have 2 hops there.

• socks5-firewall is you guessed it… a socks5 firewall allowing only the IP of my vpn providers socks5 proxy which is specified in firefox
• firefox-vm is firefox with some privacy addons and the socks5 proxy specified.

How would increase my anonymity and security here besides using whonix?

I have the feeling my firewalls are too simple as they are only configured in the qube manager gui. I’m sure I could be more secure by using a more advanced iptables config but as it says on the Qubes manual ‘you really shouldn’t mess with iptables unless you know what you are doing as you will probably make things worse’, and I really don’t know what I’m doing with that…

Any suggestions welcome, thanks

I have external firewalls in additon to my Qubes machine. One is a dedicated pfSense miniPC that only allows in traffic if it comes through a generic high bandwidth VPN used by a good volume of people (not as secure as anonymous payments, but the first layer direct to your IsP does not raise as many red flags - ask yourself if you were the CIA looking for Snowden in Hong Kong what would you do? i would look for all tor nodes coming out of hotels in Hong Kong, then see how it correlates to when Snowden arrived, then send jackboots there. That is the reason I believe the CIA had to be complicit in what was done to the NSA in a power struggle or he never would have gotten out of Hong Kong. They are not that incompetent). You can then even chain that to other firewalls like Deeper Connect that do decentralized routing, but that is probably not necessary for your Qubes machine since you can then do the tunneling yourself on Qubes. Of course the problem with even software firewalls these days is most traffic is https so even if you had a good software firewall up and running on Qubes or the external box, it cannot really do deep packet inspection. That needs to be done before the traffic is ever encrypted in the browser. I would love to see a new protocol for firewalls where an encrypted key(s) (that only could be read by the firewall(s)) is passed with the encrypted blocks to the firewall and then stripped and used so the firewall could perform the packet inspection. Would not be surprised if someone already had a project like that and I had not heard of it. That is one of the reasons certain firewall features are barely worth the trouble in setting up anymore. Where it can be useful is for IP blocking (google, ad services etc. - and when you do this you would be shocked to see how much stuff breaks…thus the warnings over iptables) as even Https has to route to somewhere, but if you are using multiple layers of VPN/tor, that has to be done before it reaches the VPN layer. So if I were doing something with iptables I would do it before the VPN servers and in a separate qube based on what i was doing in the VM. THe nice thing about qubes is you literally could have a different more or less restrictive ip tables config for each VM. I just think it is overkill when you have access to stuff like disposable VMs and special VMs for special tasks already.

There is one other idea i wanted to throw out there. Another idea is instead of using a very high utility VPN that a lot of people use is using a dedicated server for an improvised VPN that you yourself have exclusive access to. That might raise less red flags than even a VPN connection if a hostile government was really searching for you. It could be viewed as just a private company security network, not being on the VPN IP lists. There is one problem with that, which is the primary reason I ahve thought about it and not done it. If they are really looking for you and they know you own that server, they just have to see where the server is sending all its traffic. But depending on the situation and if you can actually purchase / setup a compeltely anonymous server, it might make sense.

Yeah I bought all the components to build my own router on which to run opnsense, but my ISP does not allow putting their cheap crappy router into bridge mode unless you’re a business customer… I was pissed. I could still run a custom router in a DMZ I suppose.

BTW if you haven’t heard pfsense has (although they may have fixed it now) a severely poor implementation of wireguard according it’s creator to Jason Donnenfield. Also there was all of this drama due to them trying to smear another company, opnsense I think, calling them Nazis etc. So character wise, I wouldn’t trust them to hold my cupcake let alone anything else

Making my own VPN would still mean obtaining a server and paying for it anonymously, I feel safer with a VPN that more people are connecting to and doing it that way really.

If I’m using wireguard all of my traffic is signed with a key anyway so isn’t that similar to what you’re talking about? Can you do deep packet inspection on wireguard traffic?

Or do you mean you a separate and second level of encryption for the traffic either before or after the wireguard encryption that can only be decrypted by the firewall-VM’s key? So the firewall could check the traffic/IP was actually from the wireguard server before reaching my workstation app VM? - I may totally have the wrong end of the stick here I apologize if so

Rightly or wrongly I am not too worried about my VPN provider side of things you have to trust someone, at least to some degree and my ability to pay them very anonymously gives me some comfort, I certainly trust them more than ISP s in my country that’s for sure.

My firewalls in front and behind the VPN-VM only allow the specific and different IPs of my wireguard/socks5 connections respectively, I was just wondering if there was something I could do outside of the GUI to beef them up a bit

Thanks for your input Chris

Thanks for the heads up on pfsense. I will look into it. It has been so long since I compared OpenSense and pfSense that I do not even remember why I chose one over the other I do not even use most of the features on that end for the reasons I brought up earlier. Most of the traffic coming into it will be encrypted anyway to another VPN endpoint, so there is very little analysis at the IP or packet inspection level that it can do. The main rule is only VPN traffic to my first level VPN can get in or out of the house from any device.

My suggestion on the first level VPN was not with regards to the VPN provider but with someone’s ability to not be found in reverse if you are really into hard core anonymity. For example if you have your home in an anonymous land trust, have all your bills at a mail drop, etc. Or if you are in a situation like Snowden was. If I wanted to find someone off the grid, I would start by looking for houses using tor nodes and the hardest core privacy VPNs and then doing a quick search of each address. If in a large country like the US that is not that feasible (well might be if you had other data you could use to eliminate addresses - like an idea where they lived), but if in a smaller third world country, it is big threat. So like in the Snowden case, they might not be able to decrypt the communications, but there was probably only one hotel, the Mira, where they could detect tor nodes starting the first day he arrived. Then they send officers there and boom. If I had come up with this at the time, I am sure the CIA could have - which is the reason I think he was a CIA plant in a power struggle with the NSA the whole time; would have never been able to leave the country. There are a lot of cheap VPNs with no anonymous pay that people use to get access to programming overseas etc. so that is harder to isolate. But obviously the reason I bring up the server is that is even harder to isolate than VPNs which also might be rare in some countries (though doubt anymore given content blocks with services like netflix). But yeah, you have to be able to pay anonymously with those servers too.

"Or do you mean you a separate and second level of encryption for the traffic either before or after the wireguard encryption that can only be decrypted by the firewall-VM’s key? So the firewall could check the traffic/IP was actually from the wireguard server before reaching my workstation app VM? " That is EXACTLY what I mean. To my knowledge you cannot do deep packet inspection on any https traffic because it will be encrypted before reaching Wireguard, IPtables, etc. And now the vast majority of web traffic is https because Google is penalizing websites that do not use it and it is needed for secure ecommerce transactions anyway.

That is the reason I basically do not even bother setting up packet inspection now. Just about everything is encrypted now (which is a good thing; we just need a protocol to allow for packet inspection like I suggested - I would think this would be obvious and someone would have thought of it already, but I am just not aware of such a protocol).

@Chris0803 Great info, I wholeheartedly agree with you on all points - rare to say unfortunately with so many kooks on the web lol

Are there any iptables wizards that have any advice for me on this setup, not looking at anyone @icequbes1 would you have any ideas as you seem to be an iptables wizard from what I’ve seen in posts like this - Freelance request: NYM -> Tor connection chaining for Whonix Workstation qube - #9 by icequbes1

I’m also looking to set up redsocks but its beyond me at this stage, does anyone have a good guide?

From the Qubes FAQ:

In other words, if you want anonymity, please use whonix.

Anonymity is really hard to achieve. Firefox alone won’t do you any good. Take a look a the Tor Browser design document to see all the things they had change on firefox to achieve some level of anonymity…

What you’re achieving with that setup is pseudonymity. Simply put all your traffic can be linked (because you use a non-fingerprint resistant browser). That may be what you want but since you asked for “anonymity”…

Yes, thats true, succinctly put. Although as long as I can stop my actual identity being linked with my pseudonymous configuration that will be enough. So I suppose I was actually looking for security tips relating to firewalls and IPtables that will stop, as much as is reasonably possible, tracing, attacks and correlation.

I might add, I’m not doing anything illegal, not by most countries standards anyway but the country I live is pretty reperessive.

As the sites I need to use block tor exit nodes whonix is not an option for me but I will try to implement as many of the tor changes to firefox as possible.

Thank you for your reply, any other suggestions most welcome

It’s not clear what you wanna do, and TBH not really Qubes related. IDS, IPS ? Ad-blocking ? Fingerprinting blocking ?
If you want to inspect packets going out of your appVMs, simply add another transparent domU in between.
Look for “MITM HTTPs” to inspect HTTPs packets. It involves using a self-signed certificate.
Also I think you can run Tor Browser WITHOUT the Tor network. It will at least act as a -really- hardened FF.
You can also tunnel the Tor traffic inside the VPN connection. Or the opposite. But never do Tor-inside-Tor.

I’m using tor exclusively for non-presonal use (personal use includes work, homebanking, and similar). I’m using Tor Browser for that. If the site I need blocks tor exit nodes, askubuntu for example, I just use proxysite.com to access it. If the site I need to login, like this forum is, blocks tor I simply don’t use those sites. Internet is huge and there are millions of alternatives. I call this anonymity. What I’m doing is publicly known, but hopefully no one knows who I am. Using any other browser than Tor browser most probably won’t help you.

I haven’t seen anyone mentioning privacy. Everyone knows who I am, but no one knows what I am doing, except interacting counterpart. My bank, my employer, etc. For this I don’t use Tor browser and tor, but clearnet.

In order to do both and not to be linked, I need security and that is why I use Qubes.

Hardly more/less and simpler than this could help you.

I don’t find VPNs usable for my threat model. I don’t see the need for them in any country that doesn’t block tor. And those are very few I’d say.

What about to protect against logging of ISP’s in case of say, a political shift in your country that might make your online activity dangerous in the future, or just preferring to shift the trust from ISP that government can access, to a logless VPN that at least the period before Gov forces them to enable logging the info isn’t on an accessible server?

As you said, threat model dependent, just curious your take on that.

Also, using a VPN which is outside your country can prevent some spying/information exchange.
Lame example: if you’re american, you can use a russian or chinese proxy.
But never forget the ISP can see your connection to the VPN provider !
They can’t see what you’re doing, but they can see you’re trying to hide things via an external provider.
And they know the provider, as they know its IP.

A VPN doesn’t really hide your origin country as long as you have Javascript enabled in your browser.

Any Javascript code can extract your installed fonts, your installed locale, the timezone of your clock, …
Some of these might even work without JS (e.g. clock timezone).

@zithro

I am trying as much as possible to retain/protect my pseudonymity by using qubes in this configuration. I’m happy for anyone to point out any pitfalls or offer advice.

The DNS I use for my wireguard multihop config blocks trackers and ads to some degree at least… and in firefox I use all the different fingerprint defender addons for fonts, canvas etc. also not sure how well these works besides the annoying notifications. I also use a cookie autodelete addon set to purge everything as soon as a tab is closed and privacy badger.

Networking is really what I’m worst at and but I will look into IDS and IPS

A ‘transparent domU’ would that just be a ‘blank VM’ somewhere in my vm chain with my traffic passing through it? Presumably then I would use something like wireshark to check the packets?

As I’m sure you can tell, I’m really far beyond my knowledge level already but if that’s what needs to be done I’ll learn, I just don’t want to compromise my pseudonymity doing this in the meantime as this is a setup that’s in use. I’m committed to becoming thoroughly competent in qubes but for now I just need so targeted pointers as it’s critical this setup works securely for daily use.

using Tor broswer without the tor network is a great tip, thank you I will definitely look into that, any ideas how easy would it be to get it to run without the tor network? Only if you know already, if not I’ll find out.

I get confused by tor-over-vpn/vpn-over-tor terminology but I do use whonix for some tasks, where I can and use a vpn to hide from my isp that I am using tor.

I haven’t been able to get it work the other way though, (the way in which the vpn effectively becomes your permanent exit node), as there seems to be some problem with qubes 4.1, multiple users are experiencing the same issue and I don’t want to use the arp hack around.

Yes this is exactly what I do and am aware that my ISP must know which VPN provider I use by it’s IP but I have to have some trust somewhere and so I trust my VPN providers no logs policy, well it’s the best option I have really, I certainly can’t trust my ISP

Thanks so much for your help

@enmus Yes to a large degree this is also what I do, I have a ‘doxxed’ configuration that I use on the clearnet for everything that needs my personal information.

I have a completely separate configuration which is pseudonymous and contains no personal information, that is the config listed above in my opening post, my aim is to find holes and improve it as much as possible. As I am aware that I am very new to this and my best guess, even after research, probably doesn’t cut it against people who do this for work. I am a journalist and my country is repressive, my own and other peoples safety may be at risk if I make an error.

thank you for replying

@tripleh

thats a good point and made well. I try to mitigate this by using addons to defend against fingerprinting as I need JS in my browser but it has been a concern for me. I will try to implement zithro’s suggestion of using tor browser without the tor network in hopes of mitigating this further.

thanks for your reply

@KarlinQubes

I understand your point

My country is extremely repressive, my online activity is already dangerous, In my country everyone knows the ISP and the Government are one and the same and we are all aware that we are regularly spied on and there is nothing we can do apart from using a VPN. I trust my VPN providers no logs policy, either way they are far better than the ISP and I doubt my country has much power to force the VPN providers country to release anything, certainly not quickly anyway.

Thank you for your reply

If I were a journalist and my country is repressive, and my own and other peoples safety might be at risk if I make an error what I’d first is to put myself into my adversary’s position and looked at me.

• You are journalist - this is obviously known to me.
• You are using tor over your ISP. Enough to raise suspicion to me. I’d spy on you and eventually would reveal your activities one waz or another.
• You are using VPN over your ISP. It’s a notorious fact that that especially in my oppressive country, people, especially journalists are using VPNs in order to hide the fact they’re using tor, not to watch Netflix. Enough to raise suspicion to me. I’d spy on you and eventually would reveal your activities one way or another.
• You left your photo here. I’d probably think that you want to mislead me, but I’d anyway check if there are any journalist in my country that looks like person on this photo. No? Is there a person in my country that looks like this man? No. OK, back to previous methods. No oppressive or recently even western country would leave this to a chance to miss.

So, most probably you can’t win, unless

• You exclusively do your regular job via your ISP.
• You have separate hardware for tor and VPN used via crowded public places WiFi exclusively.
• You and the ones in danger leave your country permanently to a place you could do this more safely.
• If not able to leave, I’d consider if it’s worth to put other’s life to danger for what? Journalism? Is there a possibility I’m used by third party for this and not being aware of it? I’d could sacrifice myself, but I’d find it irresponsible to endanger my family for a “higher” journalism cause. No, most probably, and I’d try find another job to live decent and humble life with beloved ones.

I hope you’ll find my post as a concern for your own safety and especially for the safety of your family/ the other ones endangered.

I appreciate your reply @enmus.

to your points;

No of course it isn’t my real photo

yes I have separate hardened hardware for running qubes and I travel with it and so it is used mostly in other public places with wifi although I cannot help having to use it from home on occasion.

I am not worried about my own safety and live alone, nobody mentioned family (but you are right to assume it as most people have that)

I am not going to debate the ethics of my chosen career, of course journalism is important.

thanks again

Thanks for your kind response. I just wanted to point that in no way my intention was to chalenge journalism’s ethics but the safety while doing it, and rather rhetorically now I’m asking myself where that statement came from.
You mentioned safety of other people in other post, so I just replied on that too.

But I respect your determination and dedication, no doubt of that.