Per-VM stream isolation in Whonix


tetra...@danwin1210.me

Sep 22, 2019, 10:24:43 AM
to qubes...@googlegroups.com
Is there any way to automatically do stream isolation on a per-VM basis?

For example:

I start AppVM "A", with networking via Whonix, and interact with the
internet as "Alice"

I start AppVM "B", with networking via Whonix, and interact with the
internet as "Bob"

Naturally I want Alice to appear to be using a different IP address than
Bob, else the two identities are linked.

Right now it appears this is not necessarily the case -- the network
traffic of AppVMs A and B may end up using the same Tor circuits (and
exit nodes).

Is there a way to set this up?

awokd

Sep 22, 2019, 10:52:58 AM
to qubes...@googlegroups.com
tetrahedra via qubes-users:
> Is there any way to automatically do stream isolation on a per-VM basis?

> Right now it appears this is not necessarily the case -- the network
> traffic of AppVMs A and B may end up using the same Tor circuits (and
> exit nodes).
>
> Is there a way to set this up?
>
Stream isolation is enabled out of the box: per application in most
cases, per tab & TLD in Tor Browser
(https://www.whonix.org/wiki/Stream_Isolation).

If you want the VMs to use different guard nodes, you can point them at
separate Whonix gateways
(https://www.whonix.org/wiki/Multiple_Whonix-Gateway). However, keep in
mind there are trade-offs
(https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters)
to using additional guards.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

tetra...@danwin1210.me

Sep 22, 2019, 12:19:34 PM
to awokd, qubes...@googlegroups.com
On Sun, Sep 22, 2019 at 02:51:00PM +0000, 'awokd' via qubes-users wrote:
>tetrahedra via qubes-users:
>> Is there any way to automatically do stream isolation on a per-VM basis?
>
>> Right now it appears this is not necessarily the case -- the network
>> traffic of AppVMs A and B may end up using the same Tor circuits (and
>> exit nodes).
>>
>> Is there a way to set this up?
>>
>Stream isolation is enabled out of the box- per application in most
>cases, per tab & TLD in Tor Browser's
>(https://www.whonix.org/wiki/Stream_Isolation).

I am referring to stream isolation for non-Whonix Workstation based VMs,
and/or for applications which are not wrapped by `uwt` (e.g. Signal).

It would seem that different VMs ought to be stream isolated by default
(they are different VMs, we obviously want them isolated as much as
possible!)...

Claudia

Sep 27, 2019, 9:37:43 AM
to qubes...@googlegroups.com
tetrahedra via qubes-users:
Isolating apps in the same VM is a different issue, but you're saying
traffic from different VMs is appearing to come from the same address?

Hmm, that definitely should not be happening. VM isolation is enabled
out of the box. Different VMs, whonix or otherwise, should never share
circuits. IsolateClientAddr (on by default) in whonix-gw's torrc should
isolate streams originating from different addresses/VMs, no matter what
OS or apps they're running.


tetra...@danwin1210.me

Sep 28, 2019, 7:06:20 AM
to Claudia, qubes...@googlegroups.com
On Fri, Sep 27, 2019 at 01:37:06PM +0000, Claudia wrote:
>Isolating apps in the same VM is a different issue, but you're saying
>traffic from different VMs is appearing to come from the same address?
>
>Hmm, that definitely should not be happening. VM isolation is enabled
>out of the box. Different VMs, whonix or otherwise, should never share
>circuits. IsolateClientAddr (on by default) in whonix-gw's torrc
>should isolate streams originating from different addresses/VMs, no
>matter what OS or apps they're running.

I don't see that setting in
/usr/local/etc/torrc.d/40_tor_control_panel.conf or in 50_user.conf ...
which torrc is that setting supposed to be in?

Claudia

Sep 29, 2019, 10:44:00 AM
to qubes...@googlegroups.com
tetrahedra via qubes-users:
I don't think it matters. It would be at the end of a
SOCKSPort/TransPort/DNSPort/etc line. The syntax is

SocksPort [address:]port|unix:path|auto [flags] [isolation flags]

but IsolateClientAddr is enabled by default, so it doesn't have to be
specified at all. To turn it off you have to specify
NoIsolateClientAddr. IsolateSOCKSAuth is similarly on by default.

You can try viewing your active tor settings in Nyx (preinstalled in
Whonix) rather than from torrc directly. Just in case some setting is
being overridden or something like that. See
https://www.whonix.org/wiki/Tor_Controller and
https://nyx.torproject.org/#config_editor

Note if you specified a TrackHostExits in your config, there is a bug
that causes isolation flags to be ignored.

If you're seeing the same exit address in different whonix-ws VMs, it
sounds like IsolateSOCKSAuth isn't working either. Tor browser randomly
generates a SOCKS username and password at startup (or at least after
you hit "new identity", I forget), so Tor Browsers should always be
isolated, even from the same client address.

Try opening two Tor Browsers in different VMs, navigate to
check.torproject.org in both, then click menu -> "new Tor circuit for
this site" in both. If you still get the same address in both, then
socks auth isolation isn't working either.

You can also try reinstalling the whonix-gw template and recreating
sys-whonix. It might fix it, but more importantly it will tell us if
it's a reproducible issue.

I saw in another thread you asked about using two separate whonix-gw
VMs. Did you try this, and did it work? (It shouldn't be necessary, I'm
just wondering if it worked.)

Other than that, you might have to ask on the Whonix list/forum, but if
you find a solution please follow up here :)

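The listener syntax and default-on flags described in the message above can be checked mechanically rather than by eye. The following is an added example (not code from the thread, from Whonix or from Tor): it parses the listener lines of a torrc or torrc.d fragment, applies the rule that IsolateClientAddr and IsolateSOCKSAuth are on unless an explicit NoIsolate* flag removes them, and reports listeners that have lost them, plus the TrackHostExits interaction mentioned above. The sample torrc fragment embedded in it is constructed for illustration; the option names are Tor's, the warnings' wording is this example's.

```python
"""Audit Tor listener lines for stream-isolation flags.

Added example (not code from the thread or from Whonix). It applies the
listener syntax quoted in the thread:

    SocksPort [address:]port|unix:path|auto [flags] [isolation flags]

IsolateClientAddr and IsolateSOCKSAuth default to on, so a torrc that never
mentions them is fine; only an explicit NoIsolate* flag turns them off.
The sample torrc below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

LISTENER_OPTIONS = ("SocksPort", "TransPort", "DNSPort", "NATDPort", "HTTPTunnelPort")
# Isolation flags Tor accepts on listener lines; Tor compares them case-insensitively.
KNOWN_ISOLATION = frozenset({
    "isolateclientaddr", "isolatesocksauth", "isolateclientprotocol",
    "isolatedestport", "isolatedestaddr", "keepaliveisolatesocksauth",
})
DEFAULT_ON = frozenset({"isolateclientaddr", "isolatesocksauth"})

# Constructed sample; the address only mimics a gateway-side listener.
SAMPLE_TORRC = """\
# constructed sample torrc fragment
SocksPort 10.152.152.10:9050 IsolateDestAddr
SocksPort 10.152.152.10:9100 NoIsolateClientAddr
TransPort 10.152.152.10:9040 IPv6Traffic
DNSPort 10.152.152.10:5300
TrackHostExits .example.com
"""


@dataclass
class Listener:
    option: str                                   # SocksPort, TransPort, ...
    address: str                                  # "[addr:]port", "unix:path" or "auto"
    flags: list = field(default_factory=list)     # non-isolation flags as written
    isolation: set = field(default_factory=set)   # effective isolation flags, lowercased
    session_group: Optional[int] = None


def parse_listener(line: str) -> Listener:
    """Parse one listener line, starting from Tor's default-on isolation flags."""
    tokens = line.split()
    option = next(o for o in LISTENER_OPTIONS if o.lower() == tokens[0].lower())
    listener = Listener(option, tokens[1], isolation=set(DEFAULT_ON))
    for tok in tokens[2:]:
        low = tok.lower()
        if low.startswith("sessiongroup="):
            listener.session_group = int(low.split("=", 1)[1])
        elif low.startswith("no") and low[2:] in KNOWN_ISOLATION:
            listener.isolation.discard(low[2:])      # e.g. NoIsolateClientAddr
        elif low in KNOWN_ISOLATION:
            listener.isolation.add(low)
        else:
            listener.flags.append(tok)               # IPv6Traffic, OnionTrafficOnly, ...
    return listener


def audit_torrc(text: str):
    """Return (listeners, track_host_exits_set) for a torrc or torrc.d fragment.

    Handles full-line '#' comments and Tor's '+Option' (append) prefix.
    """
    listeners, track_host_exits = [], False
    listener_keys = {o.lower() for o in LISTENER_OPTIONS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0].lstrip("+").lower()
        if key == "trackhostexits":
            track_host_exits = True
        elif key in listener_keys:
            listeners.append(parse_listener(line.lstrip("+")))
    return listeners, track_host_exits


def findings(listeners, track_host_exits) -> list:
    """Warnings for listeners that lost a default isolation flag, plus the
    TrackHostExits interaction reported in the thread."""
    out = []
    for lst in listeners:
        if "isolateclientaddr" not in lst.isolation:
            out.append(f"{lst.option} {lst.address}: NoIsolateClientAddr set; streams "
                       "from different client IPs (i.e. different VMs) may share circuits")
        if lst.option == "SocksPort" and "isolatesocksauth" not in lst.isolation:
            out.append(f"{lst.option} {lst.address}: NoIsolateSOCKSAuth set; per-"
                       "application SOCKS credentials no longer separate circuits")
    if track_host_exits:
        out.append("TrackHostExits is set; the thread reports a Tor bug where "
                   "isolation flags are then ignored")
    return out


if __name__ == "__main__":
    ls, the = audit_torrc(SAMPLE_TORRC)
    for lst in ls:
        print(lst.option, lst.address, sorted(lst.isolation), lst.flags)
    for warning in findings(ls, the):
        print("WARNING:", warning)
```

Run it against each file in /usr/local/etc/torrc.d/ and the main torrc on the gateway; a torrc that produces no findings is one where the absence of IsolateClientAddr in the text is expected, not a problem.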
tetra...@danwin1210.me

Sep 30, 2019, 10:18:26 AM
to Claudia, qubes...@googlegroups.com
On Sun, Sep 29, 2019 at 02:42:29PM +0000, Claudia wrote:
>You can try viewing your active tor settings in Nyx (preinstalled in
>Whonix) rather than from torrc directly. Just in case some setting is
>being overridden or something like that. See
>https://www.whonix.org/wiki/Tor_Controller and
>https://nyx.torproject.org/#config_editor

I don't see any mention of the relevant settings at all in the "Arm tor
controller" app. Nyx does not appear to be installed at all.

On further troubleshooting it looks like separate VMs may have been
connecting to the same IP addresses (as part of checking for updates) at
the same time, and that may have been producing the effects I have seen.

IsolateSOCKSAuth appears to be working as intended.

Rusty Bird

Sep 30, 2019, 6:49:49 PM
to tetra...@danwin1210.me, qubes...@googlegroups.com

tetrahedra:
> Naturally I want Alice to appear to be using a different IP address than
> Bob, else the two identities are linked.
>
> Right now it appears this is not necessarily the case -- the network
> traffic of AppVMs A and B may end up using the same Tor circuits (and
> exit nodes).

The circuits should be isolated out of the box, but it's normal and
good that two different circuits will sometimes happen to use the same
exit.

It would in fact hurt your anonymity if that *wasn't* the case,
because then the destination services could (over time) correlate two
supposedly isolated workloads purely from the observation that they
mysteriously, against all odds, never ever come from the same exit IP
address. Which would be expected to happen occasionally if they were
really from two different people using Tor on different computers...

OTOH, if you're often connecting to related services using e.g.
different pseudonyms at the same time, that alone will correlate the
workloads: It would be unlikely for different people to be so in sync
with their usage patterns, no matter if their network connections are
perfectly anonymous.

Rusty

Claudia

Sep 30, 2019, 7:19:01 PM
to qubes...@googlegroups.com
tetrahedra via qubes-users:
> On Sun, Sep 29, 2019 at 02:42:29PM +0000, Claudia wrote:
>> You can try viewing your active tor settings in Nyx (preinstalled in
>> Whonix) rather than from torrc directly. Just in case some setting is
>> being overridden or something like that. See
>> https://www.whonix.org/wiki/Tor_Controller and
>> https://nyx.torproject.org/#config_editor
>
> I don't see any mention of the relevant settings at all in the "Arm tor
> controller" app. Nyx does not appear to be installed at all.

They're the same thing. Arm was renamed to Nyx in newer versions, that's
all. IsolateClientAddr and IsolateSOCKSAuth are on by default, so as
long as they're not showing as off, you should be okay.

> On further troubleshooting it looks like separate VMs may have been
> connecting to the same IP addresses (as part of checking for updates) at
> the same time, and that may have been producing the effects I have seen.
>
> IsolateSOCKSAuth appears to be working as intended.
>

Glad to hear it's working. I guess I should have asked at the
beginning... What brought you to the conclusion they were using the same
circuits? I assumed you were using check.torproject.org or another "what
is my IP" site, but if looking at tcpdump or something, there are plenty
of reasons they might connect to the same IP. Although, I think you
would only see the local connection to sys-whonix, so I'm still not
exactly sure what's going on here.

tetra...@danwin1210.me

Sep 30, 2019, 10:30:17 PM
to Claudia, qubes...@googlegroups.com
On Mon, Sep 30, 2019 at 08:05:44AM +0000, Claudia wrote:
>Glad to hear it's working. I guess I should have asked at the
>beginning... What brought you to the conclusion they were using the
>same circuits? I assumed you were using check.torproject.org or
>another "what is my IP" site, but if looking at tcpdump or something,
>there are plenty of reasons they might connect to the same IP.
>Although, I think you would only see the local connection to
>sys-whonix, so I'm still not exactly sure what's going on here.

I am using the Onion Circuits GUI app to display all outgoing circuits
and their destination IPs.

Claudia

Oct 1, 2019, 3:53:40 PM
to qubes...@googlegroups.com
tetrahedra via qubes-users:
Okay, it makes more sense now.

To make sure IsolateClientAddr is working (as opposed to
IsolateSOCKSAuth), you can run

curl.anondist-orig https://check.torproject.org

in two different whonix-ws VMs at the same time, and make sure they
output different addresses. You should also see check.torproject.org:443
pop up in Onion Circuits under different circuits. If they show up under
the same circuit, or output the same address, then IsolateClientAddr is
indeed broken.

Bonus points: try running that command twice in the **same** VM, and it
should (usually) output the same address both times.

(Note: You need to use `curl.anondist-orig` because otherwise curl will
be transparently wrapped by torsocks and will use SOCKS isolation
anyway.
https://www.whonix.org/wiki/Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper
)

If you're still seeing something that doesn't look right, please post a
screenshot if possible :)

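The two-VM check described in the message above, and the caveat from earlier in the thread that two independent circuits will occasionally land on the same exit, can be driven from dom0 and scored over several rounds instead of a single comparison. This is an added example, not code from the thread, Qubes or Whonix. It assumes Qubes dom0 with qvm-run, two running Whonix-Workstation based AppVMs behind the same sys-whonix, and curl.anondist-orig inside them so the uwt/torsocks wrapper does not add SOCKS isolation of its own. Querying the JSON endpoint https://check.torproject.org/api/ip (which answers like {"IsTor":true,"IP":"..."}) instead of the HTML page is this example's choice; the thread only names check.torproject.org. The VM names and the sample results in the code are constructed.

```python
"""Drive the two-VM IsolateClientAddr check from dom0 and interpret the result.

Added example, not from the thread, Qubes or Whonix. Assumes Qubes dom0 with
qvm-run, two running Whonix-Workstation based AppVMs attached to the same
sys-whonix, and curl.anondist-orig in those VMs (the unwrapped curl, so
uwt/torsocks does not add SOCKS isolation of its own). Using the JSON
endpoint of check.torproject.org is this example's choice, not the thread's.
"""
import json
import subprocess
import sys

CHECK_URL = "https://check.torproject.org/api/ip"


def parse_exit_ip(body: str) -> str:
    """Extract the exit address from a check.torproject.org/api/ip reply."""
    data = json.loads(body)
    if not data.get("IsTor"):
        raise RuntimeError("reply did not arrive via Tor: %r" % body)
    return data["IP"]


def fetch_exit_ip(vm: str) -> str:
    """Run the unwrapped curl inside `vm` from dom0 and return the exit IP it saw."""
    proc = subprocess.run(
        ["qvm-run", "--pass-io", vm, f"curl.anondist-orig -s {CHECK_URL}"],
        check=True, capture_output=True, text=True)
    return parse_exit_ip(proc.stdout)


def summarize(samples: dict) -> dict:
    """samples maps VM name -> exit IPs seen in successive rounds.

    cross_vm_collisions counts rounds in which two VMs shared an exit.
    within_vm_stable records whether each VM kept a single exit across the
    rounds, the 'bonus points' expectation: same client address, same circuit.
    """
    vms = list(samples)
    rounds = min(len(ips) for ips in samples.values())
    collisions = sum(
        1 for i in range(rounds)
        if len({samples[vm][i] for vm in vms}) < len(vms))
    stable = {vm: len(set(ips[:rounds])) == 1 for vm, ips in samples.items()}
    return {"rounds": rounds, "cross_vm_collisions": collisions,
            "within_vm_stable": stable}


def verdict(summary: dict) -> str:
    """Turn the counts into a conclusion, allowing for the occasional shared
    exit that two independent circuits legitimately produce."""
    rounds, hits = summary["rounds"], summary["cross_vm_collisions"]
    if rounds and hits == rounds:
        return "IsolateClientAddr looks broken: every round shared an exit"
    if hits:
        return f"{hits}/{rounds} rounds shared an exit; occasional overlap is normal"
    return "no shared exits across VMs"


if __name__ == "__main__":
    # usage (in dom0): python3 isolation_check.py anon-a anon-b [rounds]
    # "anon-a" / "anon-b" are placeholder VM names.
    vm_a, vm_b = sys.argv[1:3]
    rounds = int(sys.argv[3]) if len(sys.argv) > 3 else 3
    observed = {vm_a: [], vm_b: []}
    for _ in range(rounds):
        for vm in observed:                 # back-to-back, so both hit the same window
            observed[vm].append(fetch_exit_ip(vm))
    summary = summarize(observed)
    print(summary)
    print(verdict(summary))
```

Keep the rounds close together: Tor reuses a circuit for the same isolation class only while it is fresh (MaxCircuitDirtiness, 10 minutes by default), so a long gap between rounds will make within_vm_stable false for a healthy gateway. Conversely, one shared exit in several rounds is not evidence of a problem; every round sharing an exit is.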
tetra...@danwin1210.me

Oct 2, 2019, 7:35:05 AM
to Claudia, qubes...@googlegroups.com
On Mon, Sep 30, 2019 at 04:15:26PM +0000, Claudia wrote:
>To make sure IsolateClientAddr is working (as opposed to
>IsolateSOCKSAuth), you can run
>
> curl.anondist-orig https://check.torproject.org
>
>in two different whonix-ws VMs at the same time, and make sure they
>output different addresses. You should also see
>check.torproject.org:443 pop up in Onion Circuits under different
>circuits. If they show up under the same circuit, or output the same
>address, then IsolateClientAddr is indeed broken.
>
>Bonus points: try running that command twice in the **same** VM, and
>it should (usually) output the same address both times.

Both steps worked exactly as they should have. Thank you for your help!

Patrick Schleizer

Oct 6, 2019, 9:06:58 AM
to tetra...@danwin1210.me, qubes...@googlegroups.com