add proxy capabiltiies (provides_network) to Whonix-Workstation / move Qubes updates proxy to Whonix-Workstation


ID: 725
PHID: PHID-TASK-k7dk44vkxthfqfmo6v7e
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal


Could we reasonably make a Whonix-Workstation be a ProxyVM (provides_network)?

Running tinyproxy / Qubes updates proxy in a whonix-ws based disposable UpdateVM would have some advantages:

  • Whonix-Gateway firewall rules simplification
  • [ currently ] Qubes torified updates proxy runs in Whonix-Gateway, a VM that has a “wire” to:
    • access Tor: yes
    • access clearnet: yes
      * → not great
  • [ proposed ] Qubes torified updates proxy runs in Whonix-Workstation, a VM that has a “wire” to:
    • access Tor: yes
    • access clearnet: no
      * → better
  • Moving the attack surface of tinyproxy from #Qubes sys-whonix to a whonix-ws based AppVM running behind sys-whonix.
  • a compromised tinyproxy is less likely of compromising Whonix-Gateway and sending clearnet traffic

Other advantages:

  • Prerequisite for Qubes whonix-ws based disposable UpdateVM.
  • (low priority) Allows sanely running an DHCP server on a Whonix-Workstation.
    ** (low priority) Opens up for torification of Android emulator. (ref)
    ** (low priority) Whonix-Workstation could be assigned a WiFi device and being developed to provide a torified WiFi hotspot (useful for circumvention only, not so much for anonymity)


  • DHCP support T239



2017-11-03 13:46:02 UTC