Tor sessions on Qubes - do different qubes share Tor session?

crowphale · March 19, 2022, 2:11pm

I’m trying to learn more about Tor and Qubes. On Tails website, they say it’s good practice to start new Tor/Tails session for each activity/identity. That makes sense to me, you don’t wanna link different identities together.

How does Tor on Qubes work? If I’m running two qubes/VMs at the same time, both using sys-whonix for networking, do both qubes share the same Tor session? If so, is there any way to create different session per qube?

I know that you can still correlate sessions, for instance, by time (ie. if two sessions are always active at the same time), but seems like that would be good practice anyways.

Appreciate anyone who can clarify this for me, or point to good reading material.

behemothwerecat · March 19, 2022, 3:44pm

This speaks to ‘stream isolation’ with different Qubes options, which is the term relevant to your question:

For Tor generally:

To see what Tor circuit your app qube is using, see Sys-whonix > Tor control panel > Utilities > Onion Circuits.

dailyzodiac · March 20, 2022, 5:44pm

An alternative you can do is to have one application workstation and gateway
pair dedicated to a given task. Won’t have to worry about stream isolation
when there’s only one Tor stream from a Qube.

fsflover · March 21, 2022, 12:44pm

Sven · March 22, 2022, 7:56pm

→ ‘User Support’

crowphale · March 27, 2022, 9:29pm

I assume you mean at the very top right corner, which is I believe global Tor status. How do I know which circuit is used by specific app qube?

crowphale · March 27, 2022, 10:31pm

I read those, so now I know a bit more about Tor and circuits. Thank you.

But I’m still not confident about my original question: does Qubes, when using just Tor (sys-whonix) without VPN, isolate streams? Ie. does every request, no matter what qube it goes from, use different Tor circuit? Does it use Whonix’s SocksPort?

codydaig · March 28, 2022, 12:32am

It’s my understanding that sys-whonix/tor doesn’t do anything specific to isolate streams. Although I believe Tor does is through requests to ensure that similar requests aren’t always using the same entry/exit nodes.
(I am not a TOR expert, but if you truly want to differentiate streams further than what TOR already does, I would create multiple TOR networking qubes to route traffic through for different identities/purposes. )

crowphale · March 28, 2022, 12:37am

That’s a great idea!

behemothwerecat · March 28, 2022, 2:02pm

This page provides a great breakdown for whonix stream isolation.

" Whonix ™ configures most applications that come preinstalled with Whonix ™ to use a different SocksPort , thus no identity correlation is at risk. Whonix ™ uses either socks proxy settings to direct various applications to different SocksPort s or uwt (more information below)."

codydaig · March 28, 2022, 5:03pm

@behemothwerecat Thanks for that link!

crowphale · April 2, 2022, 11:57pm

I will take this as “yes”, Qubes by default, using Whonix-Tor for networking does stream isolation (assuming you are not running VPN over it). Anyone, please correct if that’s not true.