Hi. I created an App Qube based on the Whonix Workstation template with sys-whonix as its net-qube. Then I downloaded there (in this app qube) the official Telegram app from the official site. Then I opened it and realized that it connects to the Internet without any barriers. At first I was scared, then I checked Onion Circuits and saw that a new connection had appeared there. I opened the Telegram settings and saw that it’s configured to use system proxy settings. I thought that Whonix Workstation has some default proxy settings and that’s why the Telegram app could immediately connect to the Internet without any pre-configuring. But then I decided to check what happens if I disable the proxy in the Telegram app. I expected it to return an error that it can’t connect to the Internet (as always happens in Tails OS when you boot the Telegram app there for the first time), but then, surprisingly, it still continued connecting to the Internet like nothing had happened. I mean its connections remained in Onion Circuits (with status “remap”). I checked many times - closed and opened the Telegram app again and again, and its connections appeared and disappeared in Onion Circuits. Then I configured the Tor proxy in the Telegram app and it continued connecting to the Internet using the same Tor circuits, but now with status “succeeded” instead of “remap”. So I now have a few noob questions:
Was everything that I described above normal for Qubes OS? I mean, does it (and should it) always work like this? From all this I can deduce that Whonix Workstation (or most likely sys-whonix) has such network settings that even when an app tries to connect to the Internet through the clearnet, sys-whonix somehow routes it through the Tor network anyway (am I right, by the way?). But were any traffic leaks possible when I did all the things that I described above (I did only what I said and nothing more)? Or do Whonix App VMs with their sys-whonix provide such strong traffic protection that no app can break it when trying to connect to the Internet bypassing Tor?
Why, when the Telegram app used default proxy settings or no proxy settings, did it have the status “remap” in Onion Circuits instead of “succeeded”? What does the “remap” status mean? I noticed that when you update templates using their terminals, their connections have the “remap” status too.
What is safer: to use the downloaded official Telegram app or the telegram.desktop version installed from the terminal? And is there such a big difference in security that it’s worth paying attention to? Because the Telegram version that I used in Tails was installed either from the terminal or from Synaptic (I don’t remember) and always had the old version. Now, when I use it, it often can’t display some messages in channels or groups, saying that these messages can be displayed only in a newer version of the Telegram app. I’m afraid that this will continue to happen if I use the Telegram version installed from the terminal.
P.S. And another little extra question. I noticed that in new qubes (I mean ones created by me), when I switch layout using the Win+Space combination, it always adds a space in the text as if I had pressed the space bar. But it never happens in the default qubes. Why, and what can I do to fix it? A little thing, but annoying.
It depends on what you mean by safer.
If you use the app downloaded from the Telegram website, then it’ll be updated to newer versions faster and security bugs could be fixed faster.
But their desktop app is not built reproducibly and you can’t verify its authenticity since it’s not signed.
Also, during an app update it could serve you a targeted malicious app.
The app installed from the OS repository (using apt in Debian or dnf in Fedora) may have some delay in providing new app versions, but you can be sure that this app can’t be used for a targeted attack.
So it means that when some app tries to connect to the clearnet (to bypass Tor), sys-whonix (Whonix Gateway) automatically routes it through the Tor network to prevent traffic leaking to the clearnet? So in other words, I was right when I said this in my assumption? I’m asking because some parts of that document you sent me looked just like they were written by someone whose native language was not English. Couldn’t they just write: “Whonix Gateway automatically routes all traffic outgoing from all apps through Tor, no matter how those apps were pre-configured to connect to the Internet!”? Instead of this they write “Use Firefox on host operating system without Tor or any proxy/VPN without Whonix involved”, “In that case probably the home router is doing ‘transparent proxying’. A proxy that is transparent. It does stuff for the user/program without the user necessarily having to know anything about it”, “Using Tor Browser on the host without Whonix involved: This is an example for ‘no transparent proxying available’” and so on. Sounds like the author was high when writing it and gave off some stream of consciousness that f***ing confuses more than it explains! So I’m asking again to make sure that I understood everything right.
Not sure if I understood what you meant by the word “reproducible”. That their app isn’t open source? But, as far as I know, it is. Their servers are not open source. At least that’s what I know.
Those examples are there so users can understand what a transparent proxy is in general, without relation to Whonix, before explaining Whonix transparent proxying specifically.
With free software, anyone can inspect the source code for malicious flaws. But Debian provides binary packages to its users. The idea of “deterministic” or “reproducible” builds is to empower anyone to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source.
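As an added illustration of the reproducible-build point above (constructed example code, not from this thread, from Debian's tooling or from Telegram): the same tiny source tree is packaged at two different simulated clock times, once naively and once with timestamps, ownership and entry order normalised, and only the normalised build hashes identically on both runs.

```python
# Constructed demo of the reproducible-build property: the same source tree
# is "built" at two different wall-clock times, first naively and then with
# the timestamps, ownership and ordering normalised. Only the second build
# yields byte-identical artifacts, which is what a verifier compares.
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree": (path, contents) pairs, not real files.
SOURCE_FILES = [
    ("app/main.c", b"int main(void) { return 0; }\n"),
    ("app/README", b"constructed sample file\n"),
]


def build_archive(files, build_time, deterministic):
    """Pack `files` into a .tar.gz and return its bytes.

    build_time simulates the clock at build time. A naive build lets it leak
    into every tar header and into the gzip header; a deterministic build
    ignores it entirely and sorts entries so directory read order is moot.
    """
    tar_buf = io.BytesIO()
    entries = sorted(files) if deterministic else list(files)
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uid = info.gid = 0          # builder identity must not leak in
            info.mtime = 0 if deterministic else build_time
            tar.addfile(info, io.BytesIO(data))
    gz_buf = io.BytesIO()
    # gzip stores its own timestamp in the header; pin it when deterministic.
    with gzip.GzipFile(fileobj=gz_buf, mode="wb",
                       mtime=0 if deterministic else build_time) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def digest(blob):
    """SHA-256 hex digest of a build artifact."""
    return hashlib.sha256(blob).hexdigest()


def is_reproducible(files, deterministic):
    """Build twice at different times; True iff both artifacts hash identically."""
    first = digest(build_archive(files, 1_000_000, deterministic))
    second = digest(build_archive(files, 2_000_000, deterministic))
    return first == second
```

Running `is_reproducible(SOURCE_FILES, False)` returns False and `is_reproducible(SOURCE_FILES, True)` returns True; a real verifier does the same comparison between its own rebuild and the distributed binary.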