Using a setup very similar to Whonix, a VM tor middlebox only has access to the internet using a USB device. Thus the middlebox retains exclusive access to the USB device and also has a compiled driver. The Host does not have the USB device driver nor anything else that would permit it to connect to the internet.
A second VM runs the Tor Browser (or other tor software as required).
A private virtual network (no gateway, no dhcp) connects the desired online VMs and they cannot communicate with the host nor the clear internet except using the tor socks proxy via the middlebox.
The problem is that tor cannot chain through tor except as a bridge, and when doing so as a bridge, the effective tor circuit length is reduced from three to two nodes because one of the hops is virtual within the same computer between the two VMs.
The other option is to expose a socks proxy on the middlebox that gives access to the clear internet. Thus the Tor Browser or other private VMs with tor can make a full three node tor circuit. Obviously, the opening to the clear internet is a huge weakness.
Ideally, the only way out of the private network should be via the tor on the middlebox. We could call it a “Tor Bridge Middlebox”.
The third way is to hack tor-over-tor or compile the tor code with a change for a four node circuit. Tor-over-tor is not recommended since it would end up being a 5 node circuit which is shown to be worse than 3. Another hack would be tor-over-tor and faking two additional hops on the virtual private network to get a final 3 real node tor circuit, which would be wasteful.
I haven’t found anything related to this yet, except for tor project proposals for “Bridge Guards” in the context of “Bridge Enumeration”, thus I feel that the Whonix project would be best placed to understand the importance of such a setup.
Has there been any discussion of this yet? Any solutions that I missed? (eg corridor is not). I have this all working except I am stuck with either sock5 clearnet proxy on the middlebox or a two-node tor circuit.
I have also posted issue 40093 on the Tor Project for this, please refer to it for more tor specific details. This Whonix current issue has more VM specific information.