Enhancing Security: Exploring Strategies for Accessing Discord & Telegram on Qubes-Whonix

Dear Sir/Madam,

I am currently attempting to establish access to Discord and Telegram on Qubes-Whonix, and due to my heightened level of security consciousness, I have been considering various options.

Initially, I had planned to implement the following chain: Wifi > Tor > VPN > Tor.
However, upon further consideration, I realized that utilizing a VPN for the purpose of privacy and anonymity is counterproductive, as it is a commonly employed tool.

Subsequently, I considered the option of using Wifi > Tor, but dismissed it due to the potential risk of advanced adversaries hosting the entry and exit nodes, which would expose my IP address and activity.

As a result, my latest idea is to employ the following chain: Wifi > Tor1 > Tor2.
Each Tor instance would have its own dedicated wifi, entry node, and exit node. This approach would ensure that my entry guard is not linked to my exit guard, thereby creating a more secure middle chain.

As my main goal is to access Discord and Telegram on Qubes-Whonix, while being mindful of the fact that both platforms block Tor IP addresses, I am seeking recommendations for additional measures that can be implemented within the Tor network to create accounts without facing bans, and without compromising anonymity or security by adding another service to the chain, such as a proxy or zeronet for example.

Thank you for your assistance in this matter.

Sincerely,
Albert

Why not utilize a socks5 proxy on top of Tor, acquired via TBB using cryptocurrency? You can rotate the top socks5 layer regularly if needed. There are both dedicated and shared socks5 proxies. The latter is cheaper and more appropriate if you’re consistently rotating the top layer. I believe Telegram has a proxy setting as well, but for a generalized approach one can configure OpenVPN with a socks5 proxy.

Another (possible?) method would be to use Proxychains inside the Workstation, but you’ll need to remove the Tor line socks4 127.0.0.1 9050 from /etc/proxychains4.conf if no dedicated SocksPort is being used; modify the line appropriately otherwise.

Furthermore: how would you ensure every circuit built by the two instances of Tor wouldn’t conflict with one another? And how would this method circumvent both Discord and Telegram from blocking Tor?

EDIT
This does not negate all benefits of dedicated socks5 proxies. They can still be rotated, just less often. Although system time is a dead giveaway, shared socks have a higher chance of being flagged as proxies than dedicated ones. Ideally you’d be rotating your dedicated socks5 pool monthly (new identity, new accounts, etc…) and shared socks daily/weekly.

The application layer (discord, telegram) isn’t strongly related to the connection chain.
Also Qubes-Whonix vs Non-Qubes-Whonix is mostly unrelated.

As for the usefulness of these combinations, see:

Tips on Remaining Anonymous chapter Refrain from “Tor over Tor” Scenarios in Whonix wiki

I actually already saw that post, but I thought it would add a security feature if I use two different wifi, and so it would unlink my entry guard node, which has a wifi, from the last exit node, which also has its own wifi.

Edit (because I want to develop my thought): So with the first Tor I will get an entry & exit node. The exit node will not be known by the entry node of the second Tor, because the exit node doesn’t get leaked, but just the used IP, so there is no link between both Tor. Even if my entry guard node (of Tor1) and last exit node (of Tor2) are audited by the same advanced entities, how could they link my identity? Having 6 hops instead of 3 isn’t useful if I’m using the same wifi for sure, but why wouldn’t it work if I break the chain by using two different wifi? It’s possible that I’m ignoring some things about the Tor network, but actually I found that good. Tell me what you think.

Thanks for your answer, so yeah I will order a few socks5 proxies. Is it possible to make a ProxyVM using WhonixGW? I’m not trying to get Tor and the proxy in the same VM but more Tor > Proxy with two different WhonixGW.

Timing attacks can still be performed if Guard A and Exit B are controlled by the same adversary, thus correlating the two despite each circuit using separate networks. Seems to me you’d only succeed in slowing down your connection. Also don’t forget: the path between Exit A and Guard B is not protected by Tor and you’re increasing your chances of using malicious nodes.

Yes, you should be able to create a template ProxyVM that uses sys-whonix as its network then use the ProxyVM as the input network for additional AppVMs, ie: sys-whonix → sys-proxy → DiscordVM

The Qubes-Community Github has instructions for constructing a ProxyVM gateway Qube that will fail close if interrupted – specifically the second method discussed. I’ve successfully built multiple VPN gateways this way as of ~8 months ago, but the instructions haven’t been updated in over a year. Obviously you will need to configure OpenVPN for a socks5 proxy instead of a VPN; search online or inquire on the Qubes OS Forum and OpenVPN Forum for an appropriate OVPN config.

This isn’t what you want but, if you’re trying to prevent Tor censorship, socks5 in Whonix using proxychains4 firefox-esr --private-window should work fine for Discord’s web app. System time can be matched to IP using the Chameleon User Agent extension for Firefox. Again, make sure to remove the Tor line socks4 127.0.0.1 9050 in /etc/proxychains4.conf unless you plan on changing that to a dedicated SocksPort, ie: socks5 {gateway_inet} {socks_port} – isolate as much as possible.

1 Like
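
The /etc/proxychains4.conf check described in the post above, as an added example that is not part of the original thread: a shell function that reports whether the default Tor entry is still in [ProxyList]. It goes slightly beyond the post by also reporting whether strict_chain and proxy_dns are enabled. Both sample configs, the 192.0.2.10 1080 proxy entry, the function names and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a proxychains4-style config for the points raised in the thread.
# Prints one finding per line, or "OK" when nothing is flagged.
audit_proxychains_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == "[ProxyList]" { in_list = 1; next }
        !in_list && $1 == "strict_chain" { strict = 1 }
        !in_list && $1 == "proxy_dns"    { dns = 1 }
        in_list {
            n++
            # The default Tor entry the post says to remove or repoint.
            if ($2 == "127.0.0.1" && $3 == "9050")
                print "DEFAULT_TOR_LINE: " $1 " " $2 " " $3
        }
        END {
            if (!strict) print "NO_STRICT_CHAIN"   # a dead proxy may be skipped
            if (!dns)    print "NO_PROXY_DNS"      # DNS is not sent through the chain
            if (n == 0)  print "EMPTY_PROXYLIST"
        }
    ' "$1" | { out=$(cat); [ -n "$out" ] && printf '%s\n' "$out" || echo "OK"; }
}

# Constructed sample: default Tor line left in place, weak chain options.
sample_weak() {
    cat <<'EOF'
dynamic_chain
# proxy_dns
[ProxyList]
socks4 127.0.0.1 9050
EOF
}

# Constructed sample: Tor line replaced by one socks5 entry (documentation address).
sample_fixed() {
    cat <<'EOF'
strict_chain
proxy_dns
[ProxyList]
socks5 192.0.2.10 1080
EOF
}

tmp=$(mktemp -d)
sample_weak  > "$tmp/weak.conf";  audit_proxychains_conf "$tmp/weak.conf"
sample_fixed > "$tmp/fixed.conf"; audit_proxychains_conf "$tmp/fixed.conf"
rm -rf "$tmp"
```
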

Not directly. Indirectly? Please start from here.

That wiki page has links to all the instructions.


Thanks man for all, it’s very complete. I just have a few questions concerning your message.

1 : Can I prevent Tor censorship without a proxy/VPN, but just a setting/app on Whonix? I’m already using FascistFirewall to prevent Tor censorship from my ISP, but I’m now looking for anything that could do the same, but for the website I’m visiting.

2 : Telegram and Discord work fine with Chameleon, but Snapchat web is redirecting me to a login link; the problem is that the link is loading infinitely. The link is accounts.snapchat.com. Do you think that’s a problem from the Whonix-Gateway firewall?

Have a good day !

Not that I know. And I doubt it. Destination websites made a policy decision to block connections originating from the Tor network. There is conceptually no way to have a setting to get around that block, except for using a different IP address.

One far-fetched setting could be if the destination website would specifically support this.

This issue is most likely unspecific to Whonix. The same would happen with the Tor Browser Bundle. (TBB)

Highly likely the same issue happens also with TBB. Hence, highly unlikely that Whonix firewall can cause such issues.


Is there a way to disable the firewall from Whonix-Gateway so I can try without it? When I set my Whonix-Workstation on sys-net, it works perfectly, so the problem comes from the Tor tunnel, but I can’t see from where exactly.

No.

Try with TBB first. Most likely same issue.
