Hi,
Qubes-Whonix Gateway currently has a single mode of operations which aims to cover many different use-cases and applications and as such exposes a lot of services/ports to the AppVMs behind it:
- onion-grater
- tiny-proxy
- DNSPort
- TransPort
- many SocksPorts
and has a rather long list of iptables rules.
I’d suggest introducing a “minimal” mode that provides everything needed for an application that just needs access to a single SocksPort with IsolateDestAddr (no DNSPort, no tiny-proxy, no onion-grater, no TransPort). Thunderbird would be an example of such an application.
Such a “minimal” mode could be an option for the anon wizard or just supported for “power users” which can configure their setups themselves.
To a certain extent, “power users” can configure sys-whonix to achieve such a setup by overriding settings from /usr/share/tor-service-defaults-torrc via placing directives in /usr/local/etc/torrc.d/50_user.conf (which persists across reboots in a deployed instance of the whonix-gw-14 template).
Example: /usr/local/etc/torrc.d/50_user.conf

```
DNSPort 0
TransPort 0
# disable all SocksPort directives from /usr/share/tor/tor-service-defaults-tor
/SocksPort
SocksPort <IP>:9050 IsolateDestAddr
```
Due to a bug in the qubes-service subsystem of the whonix-gw-14 template (T879 qvm-service infrastructure does not work with whonix-gw-14 template) I was unable to disable tinyproxy via qvm-service, and onion-grater’s systemd service file does not appear to support qvm-service since it is missing a

```
ConditionPathExists=/var/run/qubes-service/onion-grater
```

line in its systemd service file to be able to use qvm-service to disable it.
Filed as: T884 add qvm-service support to onion-grater systemd service file
What do you think about this idea?
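To check that a 50_user.conf drop-in really reduces the gateway to a single SocksPort, the following added example (not code from the post or from the Whonix project) models three torrc rules the override relies on: a repeated `*Port` line adds another listener, a `/Option` line clears all earlier values of that option, and a port value of `0` disables the listener. The default file contents and the 10.137.0.1 address are constructed for the example and stand in for the real tor-service-defaults-torrc.

```python
PORT_OPTS = {"SocksPort", "DNSPort", "TransPort", "ControlPort"}

def parse(text):
    """Yield (key, value) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        yield key, value.strip()

def effective_config(*files):
    """Apply torrc files in order (defaults first, drop-ins after).

    Simplified model of Tor's merge rules, not Tor's own parser:
    returns {option: [listener specs]} for the port options only.
    """
    cfg = {}
    for text in files:
        for key, value in parse(text):
            if key.startswith("/"):            # '/SocksPort' clears earlier SocksPort lines
                cfg.pop(key[1:], None)
                continue
            if key in PORT_OPTS:
                if value.split()[:1] == ["0"]:   # 'DNSPort 0' disables that listener
                    cfg[key] = []
                else:
                    cfg.setdefault(key, []).append(value)
    return {k: v for k, v in cfg.items() if v}

def is_minimal_mode(cfg):
    """True when exactly one SocksPort with IsolateDestAddr is exposed and nothing else."""
    socks = cfg.get("SocksPort", [])
    return (set(cfg) == {"SocksPort"} and len(socks) == 1
            and "IsolateDestAddr" in socks[0].split())

# Constructed stand-in for tor-service-defaults-torrc (the real file is longer).
DEFAULTS = """\
SocksPort 10.137.0.1:9050 IsolateDestAddr
SocksPort 10.137.0.1:9100 IsolateDestAddr IsolateDestPort
DNSPort 10.137.0.1:5300
TransPort 10.137.0.1:9040
"""
# The drop-in from the post, with a constructed gateway address in place of <IP>.
USER_CONF = """\
DNSPort 0
TransPort 0
# disable all SocksPort directives from the defaults file
/SocksPort
SocksPort 10.137.0.1:9050 IsolateDestAddr
"""
```

Leaving out the `/SocksPort` line keeps every SocksPort from the defaults, so the check fails; that is the case the post's comment is guarding against.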