monero in Whonix with torsocks for better stream isolation

I’m trying to understand when should torsocks be used in Whonix.
I’ve seen the following as a recommended way to launch Monero client:

torsocks ./monero-wallet-cli --daemon-host [node_onion_url:port] --restore-height -1

From the torsocks GitHub page (dgoulet/torsocks, "Library to torify application"; upstream has moved to https://gitweb.torproject.org/torsocks.git) I understand it operates as some kind of tunnel/firewall to torify applications. But why is it necessary if Whonix-Gateway takes care of that anyway? What does it contribute, and how is it related to the uwt package?

To follow up on that (perhaps related), when I perform a monero transaction with the CLI wallet, I get 20 lines with the error:

libunbound[12335:0] error: can't create socket: Operation not permitted

However the transaction is successful. Any clues?

Doesn’t monero have socks proxy settings? Please use a search engine for
“monero tor”, “monero socks proxy” and you’ll probably find it. Socks
proxy settings are most of the time better than torsocks, if available.

Outdated, please update if you can:


I went through this page, it doesn’t explain what the connection is between SocksPort, TransPort and torsocks.

Does torsocks allow applications to use SocksPort?

Yes.


I didn’t find any mention of socks proxy setting.
The Monero client connects to an onion address monero node, how can there be a socks proxy in this setup?

Certainly, once I figure out how to do it without the errors popping.

After some searching… The following looks sensible. Untested. Let alone tested for TransPort pollution.

DNS_PUBLIC=tcp TORSOCKS_ALLOW_INBOUND=1 torsocks ./monerod --p2p-bind-ip 127.0.0.1 --no-igd --hide-my-port

Feel free to try.

Only makes sense in Whonix 14, since as of then torsocks has IsolatePID 1 and has it enabled by default.
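An added example (not from this thread, and not torsocks' own code) showing what IsolatePID buys at the protocol level: a SOCKS5 CONNECT to an onion node that carries a per-process username/password, which Tor's IsolateSOCKSAuth (on by default) places on its own circuit. The Whonix Gateway SocksPort address and the .onion node are assumptions/placeholders, and the credential format is a stand-in for torsocks' own.

```python
import os
import socket
import struct
import time

# Assumptions: the Workstation reaches the Gateway's SocksPort here; the onion is a placeholder.
WHONIX_SOCKS = ("10.152.152.10", 9050)
EXAMPLE_NODE = ("placeholderplaceholderplaceholderplaceholderplaceholder.onion", 18089)

def isolation_credentials(pid=None, now=None):
    """Per-process credentials in the spirit of torsocks' IsolatePID (format not
    reproduced); Tor's IsolateSOCKSAuth, on by default, gives each pair its own circuit."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"torsocks-{pid}".encode(), str(now).encode()

def socks5_greeting(with_auth):
    # VER=5, NMETHODS=1, METHOD: 0x02 username/password or 0x00 no auth.
    return b"\x05\x01" + (b"\x02" if with_auth else b"\x00")

def socks5_userpass(user, password):
    # RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD.
    return b"\x01" + bytes([len(user)]) + user + bytes([len(password)]) + password

def socks5_connect(host, port):
    # CMD=CONNECT, RSV, ATYP=DOMAINNAME: the hostname goes to Tor verbatim,
    # so the .onion is resolved inside Tor and the client never does DNS.
    hostb = host.encode()
    return b"\x05\x01\x00\x03" + bytes([len(hostb)]) + hostb + struct.pack("!H", port)

def isolated_connect_messages(host, port, pid=None, now=None):
    """The three client messages of one isolated SOCKS5 CONNECT."""
    user, pw = isolation_credentials(pid, now)
    return [socks5_greeting(True), socks5_userpass(user, pw), socks5_connect(host, port)]

def open_isolated_stream(proxy=WHONIX_SOCKS, node=EXAMPLE_NODE):
    """Run the handshake against a live SocksPort and return the connected socket."""
    s = socket.create_connection(proxy, timeout=60)
    greeting, auth, connect = isolated_connect_messages(*node)
    s.sendall(greeting)
    if s.recv(2) != b"\x05\x02":
        raise RuntimeError("proxy refused the username/password method")
    s.sendall(auth)
    if s.recv(2)[1] != 0:
        raise RuntimeError("SOCKS authentication rejected")
    s.sendall(connect)
    if s.recv(10)[1] != 0:  # Tor answers with an IPv4 BND.ADDR: 10 bytes total
        raise RuntimeError("CONNECT failed (node unreachable?)")
    return s
```

Two processes calling open_isolated_stream() send different credentials, so Tor keeps their streams on separate circuits; a bare TransPort connection carries no such marker.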

Why would that be mutually exclusive? Socks proxy settings pointing to Tor and using onions is generally very good. Whether onions make sense in the case of monero, I don’t know.

Just now added some basic info here: Stream Isolation


This only starts the CLI? Can we adjust this for Monero-GUI?

The GUI connects to an existing, already running daemon, no?

Try same command line options. Discuss with monero community.

Also note:

Free Support for Whonix ™

No.

Best to connect to remote Hidden Service daemon.

Then you need to research what kind of connections the monero-wallet-gui makes.

Connections to different Tor Onion Services are automatically stream isolated. [tor-talk] hidden services and stream isolation

About connecting to a remotely running monerod (on an onion service or not), I am not sure; researching that topic is difficult and time consuming.

I don’t run monerod at all. AFAIK this is required only when running a full node.
monero-wallet-cli with --daemon-host allows connecting to a remote node instead of running your own.
The disadvantages of running a full node are mostly the time and space requirements due to synchronization of the blockchain.

It’s a bit tricky to experiment with the options when it involves real money. I only get the errors when a real transaction is performed, not with any other operation in monero-wallet-cli (for example: checking balance or address, generating a new wallet, listing past transactions).

The following is a guide for Tails that uses the same command I’m using.

https://www.reddit.com/r/Monero/comments/80ucva/best_tails_os_tutorial_for_newbies_for_monero_cli/

Here (the monero-project/monero README on GitHub: "Monero: the secure, private, untraceable cryptocurrency") there are different instructions for the general case of running behind Tor and for Tails, which include adding an iptables rule:

Using Tor on Tails
TAILS ships with a very restrictive set of firewall rules. Therefore, you need to add a rule to allow this connection too, in addition to telling torsocks to allow inbound connections. Full example:

sudo iptables -I OUTPUT 2 -p tcp -d 127.0.0.1 -m tcp --dport 18081 -j ACCEPT
DNS_PUBLIC=tcp torsocks ./monerod --p2p-bind-ip 127.0.0.1 --no-igd --rpc-bind-ip 127.0.0.1 --data-dir /home/amnesia/Persistent/your/directory/to/the/blockchain

None of those sources cared to explain what happens in the case of Whonix.

Does monero require separate proxy settings on Whonix Workstation?

OK, I added the shell variables as in Patrick’s answer, and ran the CLI client like so:

DNS_PUBLIC=tcp TORSOCKS_ALLOW_INBOUND=1 torsocks ./monero-wallet-cli --daemon-host [onionurl:port] --restore-height -1

This seems to have solved the problem. I don’t get any error messages and transfers work as before (I did a couple of transfers between two wallets, with small amounts). This is still on Whonix 13 by the way, with VirtualBox.

@FrozenCat: I didn’t change any settings.

When I use Monero GUI in Whonix, I run the following command:

torsocks ~/Monero/start-gui.sh &

In the settings I have instructed it to connect to a hidden service remote node.

Are there any security or anonymity issues with this?