Hello, I have some considerations regarding the use of Whonix on an anonymously hosted VPS to run a hidden service.
Purpose:
- Host a web server as a hidden service on a Linux KVM-based VPS [1] with a limited set of applications, e.g. nginx, MySQL.
- Hidden services are properly configured according to [2]
- Outgoing connections are properly configured in the application proxy settings [3]
Questions:
Would you still suggest setting up the hidden service in Whonix according to Whonix: /wiki/Onion_Services?
Disadvantages:
- Using Whonix for hosting hidden services does not seem to be very common (I found very little user information about this)
- Compatibility with some applications or technologies is possibly untested, e.g. container technology
- On a KVM-based VPS, nested virtualization is necessary to get Whonix Gateway and Whonix Workstation running [4]. This consumes a lot of computing resources and could mean more attack surface [5].
Advantages:
- Stream isolation by the Isolating Proxy (Whonix Gateway), with an additional Transparent Proxy as fallback
- Strongest protection from IP/DNS leaks
My evaluation: due to low general use, uncertain compatibility and high resource consumption, a setup without Whonix is currently more beneficial if you configure the anonymous third-party VPS securely and use only a limited set of open-source applications. Successful attacks against the hidden service will not lead to your location, as it is hosted anonymously by a third party.
Are my assumptions correct? What is your opinion?
Is there another way to host Whonix on a KVM-based VPS without the need for nested virtualization?
Thank you.
[1] Hosting Location Hidden Services - Whonix
[2] Tor Project: Onion Service Configuration Instructions
[3] TorifyHOWTO · Wiki · Legacy / Trac · GitLab
[4] Whonix ™ for KVM
[5] Nested Virtualization - Kicksecure
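An added example, not from the post above or from the Whonix project, of the leak check a non-Whonix setup depends on: without an isolating proxy, the only thing keeping nginx and MySQL off the VPS's public address is their bind configuration, so the script parses a torrc and `ss -tlnH` output and flags HiddenServicePort targets that forward off loopback and daemons bound to non-loopback addresses. The torrc and socket listing are constructed samples.

```python
"""Leak-surface audit for a hidden service hosted without Whonix (added example).
With no isolating proxy, the checks are: every torrc HiddenServicePort targets
loopback or a unix socket, and no daemon listens on a non-loopback address.
Runs offline on the constructed samples; live, pass the real torrc and `ss -tlnH`."""
import ipaddress

def _is_loopback(host):
    """True for 127.0.0.0/8 and ::1; '*', '0.0.0.0', '::' and public IPs are False."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def torrc_findings(torrc_text):
    """HiddenServicePort targets that would forward onion traffic to a non-loopback host."""
    bad = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()        # tor ignores text after '#'
        if len(parts) < 2 or parts[0].lower() != "hiddenserviceport":
            continue
        target = parts[2] if len(parts) > 2 else "127.0.0.1"   # omitted target = VIRTPORT on loopback
        if target.startswith("unix:"):
            continue
        host = target.rsplit(":", 1)[0].strip("[]") if ":" in target else "127.0.0.1"  # bare port
        if not _is_loopback(host):
            bad.append(target)
    return bad

def exposed_listeners(ss_text):
    """Local sockets in `ss -tlnH` output (4th column) bound to a non-loopback address."""
    exposed = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and not _is_loopback(cols[3].rsplit(":", 1)[0].strip("[]")):
            exposed.append(cols[3])
    return exposed
# Constructed samples: one bad HiddenServicePort target and one daemon on the public address.
SAMPLE_TORRC = """HiddenServiceDir /var/lib/tor/hs_web/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 unix:/run/nginx/hs.sock
HiddenServicePort 3306 10.0.0.5:3306   # constructed misconfiguration
"""
SAMPLE_SS = """LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 [::1]:3306 [::]:*
"""
if __name__ == "__main__":
    print("non-loopback HiddenServicePort targets:", torrc_findings(SAMPLE_TORRC))
    print("listeners reachable off-host:", exposed_listeners(SAMPLE_SS))
```

Anything `exposed_listeners` reports needs an explicit justification (admin SSH being the usual one); a database or the web server itself appearing there defeats the point of the onion service.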