Any limit to transparent proxy connections?

Is there any limit that you will hit by having several different workstations (running arbitrary OSes) connecting through the same Whonix gateway via transparent proxying?

I ask because I’ve got 4 VMs connecting through the gateway and the connectivity seems erratic, both for outgoing and incoming connections. For the outgoing connections, one machine will sometimes be unable to resolve names or to reach the outside Internet at all, for no obvious reason.

For incoming connections to one of my machines which is running a web server, which I try to access over Tor using the address configured on the gateway, and even though the web server is running perfectly locally, the Tor browser returns a 504 Gateway Time-out.

These problems are sporadic though, because sometimes it will randomly start working again, and it’s not predictable which VM will be affected when. I’ve had a VM running for a week trying every day to do an “apt get update” and it won’t resolve the name of the apt archive, then suddenly out of the blue it works. Same with the incoming connections.

So it seems like I am hitting a resource limit somewhere, clogging up the gateway’s ability to serve workstations via the transparent proxying. Is this possible?

Hi hs-hosting

connectivity seems erratic, both for outgoing and incoming connections.

These problems are sporadic though, because sometimes it will randomly start working again, and it’s not predictable which VM will be affected when. I’ve had a VM running for a week trying every day to do an “apt get update” and it won’t resolve the name of the apt archive, then suddenly out of the blue it works. Same with the incoming connections.

Unfortunately this is a common occurrence for many users, whether using 1 VM or 4. Starting late last year until present, there has been a very sizable DDoS attack on the Tor network. What you are experiencing (erratic/intermittent connectivity, trouble updating the system with apt-get) is reported on the forums all too often as of late.

I think torjunkie summed it up the best…

torjunkie

If you read through some Tor tickets or mailing lists, you see stories like:

Some form of exhaustion attack on guards in general, whereby the spooks are having clients form many multiple connections to particular nodes, and then collapsing them all of a sudden, and then recycling this behaviour. No doubt this overloads those (guard) nodes, leading to poor connectivity for normal users.

I also read reports whereby it’s suggested that malicious guard nodes will likely cut off / drop connections for normal users who aren’t part of a set of IP addresses that are (most probably) being targeted for end-end traffic correlation attacks. This is why people can also get shitty connections that drop out all the time, or circuits collapse etc.

(Think yourself lucky in the second case, since they don’t care about confirming your Whonix posts and porntube habits :slight_smile: )

All in all, the shitter my connection, the more confident I feel.

This is of course counter-balanced with the “frustration hypothesis”, whereby they may attempt to make your Tor browsing so intolerable, that you are tempted to shift to a pwned guard that they have control over, simply because they want to see what you’re up to with greater precision.

This is a common occurrence. I think the best advice is to hang in there and give the Tor devs more time to figure this out. (They always do.) And by continuing to use Tor, you’re telling whoever is responsible for this that we won’t give in. EVER!

Related…

https://forums.whonix.org/t/internet-connection-drops
https://metrics.torproject.org/userstats-bridge-version.html

Thanks, that was valuable information. However, here’s why I have trouble accepting that Tor congestion is the only problem here:

My gateway has (of course) only one Tor daemon running. Yet out of the 4 VMs, only 1 of them is having any trouble. There are other VMs that are also running webservers, but which are reachable perfectly well.

Also, on the VM that isn’t accessible via HTTP over Tor, it is still accessible via SSH over Tor.

Also, I just set up a brand new Tor v3 address redirecting to a different IP address on the same VM, just in case the old address was the problem. That brand new, never-before-used v3 address also won’t load via HTTP over Tor, with the 504 Gateway Time-out error.

All of these things seem more like a problem between the workstation and the gateway than with a problem between the gateway and the Tor network. If you insist I’m wrong then I’ll take your word for it though…

Hi hs-hosting

First outgoing and incoming connections are erratic. Implies all 4 machines.

Now just outgoing connections. On one machine.

Then you say: “It’s not predictable which VM will be affected”. So, this says the problem has been affecting all of your VMs.

Second Post

I’m confused now.

Can you please clarify: are you having problems on just 1 VM? Do all of these problems only affect 1 specific VM?

Edit:

If you are having issues with just 1 and no other.

  1. It’s not an issue with Whonix-Gateway, since other VMs have no connectivity issues.

  2. It’s not an issue with a “limit to transparent proxy connections”. If there was (a limit) it would affect other VMs at random.

    Test:

    If you run the problematic VM by itself, no other VMs running, does it still have the same problems?

  3. It’s likely a configuration issue with the problematic VM. DNS issue?

In the future if asking for help try to be as specific as possible.

Example:

Whonix-Gateway: Connects to Tor, no problems.

VM1: Sporadic connectivity for outgoing/incoming connections. Not able to apt-get update.
VM2: Connects to websites, apt-get etc. no problems.
VM3: Not able to connect to anything (apt-get, web sites etc.).
VM4: Connects…

Sorry for not being clear, but there is no inconsistency in the two messages. Out of the four VMs, at a given time usually one of them (unpredictably, it’s not always the same one) will have trouble with incoming and/or outgoing connections. So per your addendum above, it does affect other machines at random.

Then I went on to give two examples of this. In the apt-get example, one of the VMs will suddenly be unable to even resolve domain names, still less download anything, even though other identically configured VMs have no trouble doing so. In the case of the HTTP example, one VM will be inaccessible over the web even while other identically configured VMs are accessible. Then without any configuration change, those problems might resolve. Maybe I am wrong to write a single message about both problems but it seemed likely to me they would be related.

Edit: After reinstalling the machine that was currently having problems, they went away… so I’ll circle back if I can replicate this later. Anyway, you had answered my main question, which was that I wasn’t hitting any sort of connection limit on the gateway. Thanks!

Clock jumps?

1 Like

Thanks for the suggestion, will check that next time.

Also, I’ve ruled out one of the problems that I observed as being related. Any time when there were problems with incoming web connections but not outgoing connections, that was due to an unrelated timeout in a PHP script. I figured that out by testing a plain HTML page, which worked.

Just thought I’d clear that up because this report was kind of misleading. Sorry about that. But the other problem (where one VM will suddenly be unable to reach the Internet or do DNS lookups through the gateway) is a real one which I will still need to solve, next time it happens. Thanks again for the clock jump tip.

1 Like

It’s happened again. The clock on the workstation and gateway are the same.

The workstation’s network settings look like this:

iface eth0 inet static
  address 10.152.152.20
  netmask 255.255.255.0
  gateway 10.152.152.10

The DNS for the workstation is set to 10.152.152.10. When I ping the gateway I get replies. When I ping or make an HTTP request to any external IP address I don’t get anything.

Hi hs-hosting

I ping or make an HTTP request to any external IP address I don’t get anything.

Tor does not support ICMP so ping will not work.

The workstation’s network settings look like this:

  iface eth0 inet static
    address 10.152.152.20
    netmask 255.255.255.0
    gateway 10.152.152.10

Looks good as long as address 10.152.152.20 is unique among VMs.

  • Just so I understand, this VM is the only one having this problem. Correct?
  • Do you have this problem when you run this VM by itself or just when running with other VMs?
  • These VMs use different circuits (stream isolation); have you seen any problems in Tor/Arm logs that could indicate why this is happening (i.e. circuit collapsing, etc.)?
  • High load on your machine(s) when this happens… low resources?
  • Is this the machine that you could SSH but not HTTP?
1 Like
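The point about ping above is worth turning into a procedure: Tor carries TCP streams only (plus DNS answered by the gateway's resolver), so ICMP tells you nothing about the proxy path. The script below is an added example, not code from the thread or from the Whonix project. It probes with TCP connects and a DNS lookup instead, and the pattern of results separates "workstation cannot reach the gateway" from "gateway cannot reach Tor". The gateway port (Tor's TransPort, assumed to be 9040 on 10.152.152.10) and the external test host are assumptions; adjust them to the gateway's torrc.

```python
"""Workstation-side connectivity triage for a Tor transparent-proxy gateway.

Added example for the forum thread, not the project's own tooling. ICMP does
not traverse Tor, so these checks use TCP handshakes and DNS lookups, which
are what the transparent proxy actually forwards.
"""
import socket
from typing import Optional, Tuple

GATEWAY_IP = "10.152.152.10"        # workstation's default gateway and resolver (from the thread)
GATEWAY_TCP_PORT = 9040             # assumption: Tor TransPort listener on the gateway
EXTERNAL_HOST = "check.torproject.org"  # assumption: any public TCP service works as the probe
EXTERNAL_PORT = 443


def tcp_connect_ok(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_resolve_ok(name: str) -> Optional[str]:
    """Resolve name through the system resolver (the gateway on this setup).
    Return the first IPv4 address, or None when resolution fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def diagnose(gateway_ok: bool, dns_ok: bool, external_ok: bool) -> str:
    """Map the three probe results to the most likely fault domain."""
    if not gateway_ok:
        return ("workstation -> gateway: no TCP path to the gateway "
                "(check address/netmask/route, duplicate IPs, VM networking)")
    if not dns_ok and not external_ok:
        return ("gateway -> Tor: gateway reachable but neither DNS nor TCP through Tor works "
                "(check Tor logs, bootstrap state, clock)")
    if not dns_ok:
        return "DNS only: TCP through Tor works but names do not resolve (check resolver setting)"
    if not external_ok:
        return "TCP only: names resolve but streams fail (circuit trouble or gateway firewall)"
    return "all probes succeeded"


def run_triage() -> str:
    """Run the three probes against the real network and summarise."""
    gw = tcp_connect_ok(GATEWAY_IP, GATEWAY_TCP_PORT)
    addr = dns_resolve_ok(EXTERNAL_HOST)
    # Connect by name so the lookup and the stream both go through the proxy path.
    ext = tcp_connect_ok(EXTERNAL_HOST, EXTERNAL_PORT) if addr else False
    return diagnose(gw, addr is not None, ext)


def selftest() -> Tuple[bool, bool]:
    """Offline check of tcp_connect_ok against a loopback listener: the port
    must accept while the listener is open and refuse once it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_connect_ok("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = tcp_connect_ok("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print(run_triage())
```

Run it on the affected workstation while the other VMs are shut down, then again with them running; a result that flips between "workstation -> gateway" and "all probes succeeded" depending on which VMs are up points at the workstations' addressing rather than at Tor.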

Thanks for your help with this.

Just so I understand, this VM is the only one having this problem. Correct?

Yes, but previously it has been different ones. It seems to be whichever one I set up most recently. When I set up a brand new VM, it almost always starts off with this problem before magically resolving itself some time later without any configuration changes.

Do you have this problem when you run this VM by itself or just when running with other VMs?

I’ve shut down the others to test that, and restarted the problematic one. It has made no difference.

These VMs use different circuits (stream isolation), have you seen any problems in Tor/ Arm logs that could indicate why this is happening (i.e circuit collapsing etc.)?

They are not Whonix workstations; they are vanilla Debian/Ubuntu images, so I don’t think stream isolation is in effect. I am not seeing any error messages about circuits, though I am seeing (normal?) errors about “tried resolving or connecting to address ‘[scrubbed]’ at 3 different places, giving up”. Tor says that there are 43 circuits open.

High load on your machine(s) when this happens…low resources?

No, and I can reboot either the gateway or the workstation with no effect on the problem.

Is this the machine that you could SSH but no HTTP ?

I thought so, but I was wrong about that. The fact that the website wouldn’t load was unrelated. I was confusing two separate problems. And anyway no, this is a different machine now.

Hi hs-hosting

  • Are you always using the same address 10.152.152.20 for the problematic VM?
  • Are you running the same exact software on all VMs?

After resolving, does it stay that way, problem free?

Are you always using the same address 10.152.152.20 for the problematic VM?

No.

Are you running the same exact software on all VMs?

Usually, because it’s a clone of the same OS image, which is a basic install of Debian stretch. Though in the most recent case I installed Ubuntu rather than Debian.

After resolving, does it stay that way, problem free?

That’s a good question and I really need to start keeping logs of these problems, because although I want to say “no”, I’m now doubting myself because above I confused a separate problem with web access to the VM with this networking problem. Definitely there have been recurring problems, but maybe they were just those web problems. So to be honest, I can’t say with complete certainty. I will have to make better notes from now on.

I’ve installed (just today) a brand new Debian VM to see if that would affect the previous Ubuntu one I was having problems with. It didn’t, but both of them are now suffering from the same problem. So that’s now two VMs affected at once.

Hi hs-hosting

Did you verify the ISO image?

This VM you just created, did it have connectivity problems from the start or after a period of time?


You should monitor your Tor logs not only when you are having connection problems but also when you’re not. See the difference…

Continually recreating the VMs probably isn’t going to help find out what the problem is. It’s possible it may not be an issue with your VMs. Could you please try creating/cloning 4 default Whonix-Workstations and see if you have the same problems (just to check connectivity)? This could rule out a Debian/Ubuntu VM issue if the problem still persists.

Which hypervisor? How are you cloning images?

Conflicting HW (MAC) addresses?

2 Likes

Thanks for the suggestions. I haven’t had time to clone the Whonix-Workstations yet, but the hypervisor is KVM. The template operating system that I am cloning is a qcow2 disk image. The method of cloning them is using (a wrapper around the) virt-clone command from libvirt, which I think is why they end up with unique MAC addresses; I am not using the graphical Virtual Machine Manager because Whonix and the workstations are running headless.

1 Like

//cc @HulaHoop (just FYI)

Try giving the GW more RAM in case Tor needs it though I doubt this is your problem which I will explain shortly.

Whonix uses static addresses because having a DHCP server running on the GW just opens up a huge security hole you can drive a truck through.

When working with multiple workstations you need to go in and manually assign different IPs to those workstations, or you will see the behavior you reported and other weird things such as an intermittently working Tor Button in Tor Browser.

Indeed libvirt cloning takes care to assign unique MACs to avoid conflicts. I will check and update if there is a similar networking feature for IPs.

Good that you know KVM. Hats off for a user who knows what they’re doing.

2 Likes
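Since there is no DHCP on the gateway, every clone keeps the template's static address until someone edits it, and two workstations sharing 10.152.152.x produce exactly the one-VM-at-a-time, comes-and-goes failures described in this thread (whichever VM wins the ARP race works). The audit below is an added example, not code from the thread or from Whonix: it parses the `iface ... inet static` stanzas from several workstations' /etc/network/interfaces files and flags duplicate addresses, an address that collides with the gateway, a gateway outside the configured subnet, and a wrong default gateway. The four sample configurations are constructed for the example; libvirt does not expose guest addresses this way, so in practice you would collect the files from each VM yourself.

```python
"""Audit static addressing across workstations behind one Whonix-Gateway.

Added example, not part of the forum thread or the Whonix project. Parses
ifupdown-style 'iface <name> inet static' stanzas and reports addressing
conflicts that a DHCP server would normally prevent.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

GATEWAY_IP = "10.152.152.10"  # Whonix-Gateway address used in the thread

# Constructed sample: vm1 and vm3 were cloned from the same template and still
# share an address; vm4 was given the gateway's own address by mistake.
SAMPLE_CONFIGS: Dict[str, str] = {
    "vm1": "auto eth0\niface eth0 inet static\n  address 10.152.152.20\n"
           "  netmask 255.255.255.0\n  gateway 10.152.152.10\n",
    "vm2": "auto eth0\niface eth0 inet static\n  address 10.152.152.21\n"
           "  netmask 255.255.255.0\n  gateway 10.152.152.10\n",
    "vm3": "auto eth0\niface eth0 inet static\n  address 10.152.152.20\n"
           "  netmask 255.255.255.0\n  gateway 10.152.152.10\n",
    "vm4": "auto eth0\niface eth0 inet static\n  address 10.152.152.10\n"
           "  netmask 255.255.255.0\n  gateway 10.152.152.10\n",
}


def parse_static_ifaces(text: str) -> List[dict]:
    """Return one dict per 'iface ... inet static' stanza with its options."""
    ifaces = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        fields = lines[i].split()
        if len(fields) != 4 or fields[0] != "iface" or fields[2:] != ["inet", "static"]:
            i += 1
            continue
        opts = {"iface": fields[1]}
        i += 1
        # Option lines are indented; the next top-level keyword ends the stanza.
        while i < len(lines) and (lines[i][:1] in (" ", "\t") or not lines[i].strip()):
            parts = lines[i].split(None, 1)
            if len(parts) == 2:
                opts[parts[0]] = parts[1].strip()
            i += 1
        ifaces.append(opts)
    return ifaces


def audit(configs: Dict[str, str], gateway_ip: str = GATEWAY_IP) -> List[str]:
    """Report addressing problems across all workstation configs."""
    findings: List[str] = []
    owners = defaultdict(list)          # address -> VMs using it
    gw = ipaddress.ip_address(gateway_ip)
    for vm, text in configs.items():
        for opts in parse_static_ifaces(text):
            addr = opts.get("address")
            tag = f"{vm}/{opts['iface']}"
            if addr is None:
                findings.append(f"{tag}: static stanza without an address")
                continue
            owners[addr].append(vm)
            if ipaddress.ip_address(addr) == gw:
                findings.append(f"{tag}: address {addr} collides with the gateway")
            net = ipaddress.ip_network(
                f"{addr}/{opts.get('netmask', '255.255.255.0')}", strict=False)
            if gw not in net:
                findings.append(f"{tag}: gateway {gateway_ip} is outside {net}")
            if opts.get("gateway") not in (None, gateway_ip):
                findings.append(f"{tag}: default gateway is {opts['gateway']}, expected {gateway_ip}")
    for addr, vms in sorted(owners.items()):
        if len(vms) > 1:
            findings.append(f"address {addr} is used by {', '.join(sorted(vms))}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIGS) or ["no addressing conflicts found"]:
        print(line)
```

Feed it the real files (one entry per workstation) and give each clone a distinct host address in 10.152.152.0/24 other than .10; once the list comes back empty, the "only the newest VM breaks" symptom should disappear if duplicate addressing was the cause.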