Enable Docker containers to communicate in Whonix Workstation


I want to run a hidden service in Whonix, and to isolate the webserver and PHP I want to configure them inside Docker containers. I installed Docker and configured nginx and PHP, and both containers are up and running. I can also access the nginx server through the hidden service generated in the gateway (I followed the official Whonix guide to configure it), but nginx can't access the PHP container. I tested the communication between them using ping, but there isn't any communication between those containers. The same docker file is working in Debian 9 without problems, so I guess that maybe I need to add something in the firewall to allow the private internal addresses of the containers. I thought that this could be a good idea to improve Whonix security or anonymity, because even if there is a leak, it will be a Docker private IP, and having the code isolated in containers I think is better. I am not an expert in Docker, but I am a real noob at using firewalls and iptables, so I need some help to get that configuration working.

Best Regards
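
An added diagnostic for the symptom described above (not code from the thread, from Whonix or from Docker): it reads `iptables -S FORWARD` output and reports whether traffic between two containers on the same Docker bridge would still be forwarded, so you can tell a flushed-by-firewall FORWARD chain apart from a Docker networking problem. It assumes the default bridge is named docker0 (a docker-compose network uses a bridge named br-<id>; pass that name instead) and that no earlier rule in DOCKER-USER or the chain itself rejects the traffic.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from Whonix/Docker.
# Reads `iptables -S FORWARD` output and answers a first-order question:
# would a packet from one container to another on the same Docker bridge
# be forwarded? Docker normally installs
#   -A FORWARD -i docker0 -o docker0 -j ACCEPT
# and sets the chain policy to DROP. If a firewall script flushes the
# chains after dockerd has started, that ACCEPT rule is gone and the DROP
# policy then also covers container-to-container traffic.
# Assumptions: the default bridge is named docker0 (a docker-compose
# network uses a bridge named br-<id>; pass that name instead), and no
# earlier rule in DOCKER-USER or the chain itself rejects the traffic.

# forward_verdict <bridge>   (rules on stdin)
# Prints ACCEPT_RULE, POLICY_ACCEPT or DROPPED; exit status 1 for DROPPED.
forward_verdict() {
    bridge="${1:-docker0}"
    policy="ACCEPT"   # kernel default when no -P line is present
    has_rule=0
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD "*) policy="${line#-P FORWARD }" ;;
            "-A FORWARD -i $bridge -o $bridge -j ACCEPT"*) has_rule=1 ;;
        esac
    done
    if [ "$has_rule" -eq 1 ]; then echo ACCEPT_RULE; return 0; fi
    if [ "$policy" = "ACCEPT" ]; then echo POLICY_ACCEPT; return 0; fi
    echo DROPPED
    return 1
}

# Constructed sample: the FORWARD chain as dockerd sets it up.
DOCKER_RULES='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Constructed sample: the same chain after a firewall script flushed it
# and left only the DROP policy, which matches the "ping fails" symptom.
FLUSHED_RULES='-P FORWARD DROP'

# Live use on the workstation (needs root): iptables -S FORWARD | forward_verdict docker0
printf '%s\n' "$DOCKER_RULES"  | forward_verdict docker0        # ACCEPT_RULE
printf '%s\n' "$FLUSHED_RULES" | forward_verdict docker0 || :   # DROPPED
```

If the verdict is DROPPED on a running system, check the order in which the firewall and dockerd start; Docker re-creates its rules when restarted after the firewall has loaded.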

The IP won’t help much as it is only a local IP address. This can’t be used for anything unless the attacker is connected to the same network as you.

It will improve security though and would be a good idea although I think other solutions like Firejail and Bubblewrap would be better.


Thanks for your reply. I know that if there is a leak the IP is internal, but as far as I know, the attacker could know that you are using Whonix as the gateway. Using a different internal IP address won't disclose that information.

About Bubblewrap, I will check it, but it is the first time that I have heard of it. I have some knowledge of LXC and Firejail; I tried to build it using both, but it was a bit difficult.

In Docker, I am not sure if my guess is right, but if so, I only need to know how to allow connections between the internal private IPs of the containers, which I also think should be handled by the firewall, but I don't have much knowledge about iptables, networking and firewalls.

Hiding that you’re using Whonix won’t help much. There are also many other ways of figuring out that you’re using Whonix.

It does seem related to the firewall but I don’t know much about iptables either so I can’t help.

What other ways can an attacker figure out that I am using Whonix? And is there any way to hide them?

Okay, thanks. If another person knows about iptables and can help me, I would be grateful!

This discussion assumes local execution ability. In that case, for example, the installed list of packages is unique to Whonix, as are fonts and whatnot. Also, while Protocol Leak and Fingerprinting Protection is not fully on topic, some things apply.

From a network observer's perspective, see: Network, Browser and Website Fingerprint
Okay, now I understand it better. Thanks for your reply! Each day I learn new things