Hidden Service on VPS: Drawbacks of Whonix

Hello, I have some considerations regarding the use of Whonix on an anonymously hosted VPS to run a hidden service.

Purpose:

  • Host a webserver as hidden service on a Linux KVM-based VPS [1] with limited applications e.g. nginx, mysql.
  • Hidden services are properly configured according to [2]
  • Outgoing connections are properly configured in the application proxy settings [3]

Questions:
Would you still suggest setting up the hidden service in Whonix according to Whonix: /wiki/Onion_Services?

Disadvantages:

  • Using Whonix for hosting hidden services does not seem to be very common (I found very little user information about this)
  • Compatibility with some applications or technologies is possibly not tested, e.g. container technology
  • On a KVM-based VPS, nested virtualization is necessary to get Whonix Gateway and Whonix Workstation running [4]. This consumes a lot of computing resources and could mean more attack surface [5].

Advantages:

  • Stream isolation by Isolating Proxy (Whonix Gateway) with additional Transparent Proxy as fallback
  • Strongest protection from IP/DNS leaks

My evaluation: a setup without Whonix, due to low general use, uncertain compatibility and high resource consumption, is currently more beneficial if you configure the anonymous third-party VPS securely and use only a limited set of open source applications. Successful attacks against the hidden service will not lead to your location, as it is hosted anonymously by a third party.

Are my assumptions correct? What is your opinion?

Is there another way to host Whonix on a KVM-based VPS without the need for nested virtualization?

Thank you.

[1] Hosting Location Hidden Services - Whonix
[2] Tor Project: Onion Service Configuration Instructions
[3] TorifyHOWTO · Wiki · Legacy / Trac · GitLab
[4] Whonix ™ for KVM
[5] Nested Virtualization - Kicksecure

1 Like

Seems you are going out of your way to make an argument for others not to use Whonix for one of its most critical use cases.

If making leak free Tor services were easier in any other way we wouldn’t have bothered with creating Whonix. You can forego Whonix protection at your own peril.
A slower perf service vs being vanned or shot depending on where you live - choose wisely.

Unlikely, since almost every hosting provider will be using a hypervisor underneath the OS they rent to you to squeeze out as much use and profit from their servers as possible.

First of all thanks for your answer. I did not necessarily want to argue against using Whonix in this use case.

It really seems that the use case for servers is not very common. There are only a few threads and little documentation compared to the client usage. And if a successful attack against the hidden service will not lead to your location, as it is hosted anonymously by a third party, you should be secure enough. But I agree it is all about risk assessment. I will rethink using it in this use case.

I am thinking of an alternative for using Whonix without nested virtualization on a VPS.

  1. Rent a VPS with Debian and install Whonix Gateway [1]
  2. Rent a VPS with Debian and install Whonix Workstation [2]. The visibility of hardware serials to Whonix Workstation is not critical as the VPS is hosted anonymously by a third party.
  3. Interconnect both VPS on the local network of the hosting provider. Turn off Workstation internet connectivity.

What do you think about it? Or am I missing some important points?

[1] How To Install Whonix-Gateway ™ on Hardware (RECOMMENDED)
[2] Install Whonix-Workstation ™ on hardware (NOT RECOMMENDED)

lovewhonix via Whonix Forum:

There are only a few threads and documentations compared to the client usage.

Documentation on clearnet for all use cases of clearnet is also more client than server. Many more people are clients than servers. What would you expect?

And if a successful attack against the hidden service will not lead to your location as it is anonymous third party hosted you should be secure enough.

How many times do you want to re-set up the onion service if it is discovered? There are probably not too many service providers to choose from. Also, connecting to a compromised onion service (ssh) has risks. See:

Also to be avoided.

I am thinking of an alternative to use Whonix without nested virtualization on a VPS.

  1. Rent a VPS with Debian and install Whonix Gateway [1]
  2. Rent a VPS with Debian and install Whonix Workstation [2].

Connecting them might be hard.

  1. Interconnect both VPS on local network of hosting provider. Turn off Workstation internet connectivity.

Dunno. I never did that. Easy as that?

Hello, thanks for your answer. You are convincing me to use Whonix also in server environments. I have some additional questions.

Regarding the interconnection of two VPS on the local network: some hosting providers offer this, but of course it is not guaranteed that it works exactly as desired. Especially turning off the internet connection would be an individual request. I guess the current way to go will be nested virtualization.

I assume the vps memory requirements - of course taking the webserver requirements into account - should generally not be lower than 8GB of RAM.
https://www.whonix.org/wiki/System_Requirements
https://www.linuxnix.com/kvm-virtualization-how-to-check-my-hardware-support-kvm/
Do you have any experience regarding system requirements with this approach?

For webserver setups, state of the art is using a reverse proxy with a web application firewall. Would you recommend setting up the reverse proxy as a separate virtual machine in front of the Whonix Gateway, or do you think it is not necessary? I know the Whonix Gateway acts somehow as a reverse proxy but has no web application firewall capabilities. How would you handle this?

Are there any limitations working with docker on the Whonix Workstation?

Thank you.

No known issues.

A WAF cannot be in the following places (which are actually all the same place):

  • on the host
  • “behind” Whonix-Gateway
  • Whonix-Workstation → Whonix-Gateway → host [here]

That is because at that point it’s just encrypted Tor traffic and the WAF has no way to analyze it.

Realistically the WAF should be installed in the same place where the (web) server is running, i.e. inside Whonix-Workstation. Which WAF did you have in mind? A local or remote WAF? Open Source or SaaS? I see no reason why nginx with nginx modsecurity wouldn’t work. Then you don’t even need a reverse proxy. Even cloudflare claims they’re using the WAF directly inside nginx.

You might want to go super secure by running the WAF in a separate VM. I.e. if the WAF itself gets exploited, that doesn’t necessarily exploit the web server too. Stacking VMs is unsupported. More within reach of enterprise level security. Non-trivial stuff that I haven’t seen easily doable/documented yet, specifically not within the Tor ecosystem.

Nginx modsecurity was in my mind. Why are you stating that I do not need a reverse proxy? I thought the nginx WAF acts as a reverse proxy as it redirects requests to the application server. Or am I missing something?

I got your point that the WAF should not be placed before the Whonix Gateway (NOT: Whonix-Workstation → Whonix-Gateway → WAF) because the Tor traffic is encrypted, but why should it be placed inside the Whonix-Workstation instead of the Whonix-Gateway*? Is traffic not unencrypted from Whonix-Gateway, where the hidden service is hosted?
https://www.whonix.org/wiki/Onion_Services

Are following approaches for hosting hidden services on one VPS consistent and state of the art in terms of security?

  1. Approaches without Whonix (restricted to one VPS)

a) Traditional
Internet - reverse proxy/WAF (VM) - application (VM) - database (VM)

b) Container (on one VM)
Internet - reverse Proxy/WAF (Container) - application (Container) - database (Container)

  2. Approach with Whonix

a) Traditional
Internet - Whonix-Gateway (VM) - WAF (VM) - Whonix-Workstation (VM) - database (VM)
OR
*Internet - Whonix Gateway+WAF (VM) - Whonix-Workstation (VM) - database (VM) or even better to place WAF inside Whonix-Workstation but why?

b) Container
Internet - Whonix-Gateway (VM) - Whonix-Workstation (VM) consisting of application container and database container
Again: Where to place the WAF here? Maybe as a container on the Whonix-Workstation (VM) in front of the application container or as container on the Whonix-Gateway?

What do you mean with stacking VMs?

Thank you for the discussion.

“Effectively” a “reverse proxy” but “actually” implemented inside nginx process.

Only Tor traffic (encrypted by Tor) leaving Whonix-Gateway by default.

Traffic that arrives from Whonix-Workstation on Whonix-Gateway is unencrypted (unless, let’s say, end-to-end encrypted by browser https). It might be possible to run a separate WAF process on Whonix-Gateway too, intercepting traffic before forwarding to the Tor HiddenServicePort, but that’s undocumented. But I don’t think installing a WAF inside Whonix-Gateway is a good idea. Whonix’s usual approach is installing applications / servers “elsewhere”, i.e. inside Whonix-Workstation.

Slightly off-topic.

Not even cloudflare is claiming to do that, according to the video I linked above.

I wouldn’t call this traditional. I don’t remember anyone putting a VM between gateway VM and workstation VM.

I don’t see why this wouldn’t be possible but I also don’t remember people posting their setups.

What we documented on Onion Services - Whonix is rather only the essential knowledge. We don’t document stacked VMs, WAFs, etc. (yet). And I am not sure we should. We’re not a “most secure server configuration” project (yet). These are certainly interesting subjects.

Also Free_Support_Principle applies regarding “most secure server configuration”.

Maybe you’re overthinking this. Suggested steps to learn this:

  • Step 1: setup any clearnet server (don’t need to actually do this - just require this knowledge)
  • Step 2: setup “more secure” clearnet server including WAF inside a single VM
  • Step 3: setup a “simple” onion web server according to Onion Services - Whonix
  • Step 4: replicate the setup from step 1 inside Whonix-Workstation. The only Whonix specific thing is making the server which is supposed to connect to the internet talk to Tor, i.e. use Tor onion service.

In other words, you could set up nginx according to Onion Services - Whonix. Once that’s functional, follow any instructions on how to set up nginx-modsecurity.

I don’t have any handy that I could recommend but for example Compiling and Installing ModSecurity for NGINX Open Source | NGINX doesn’t even mention “reverse proxy”. You make the nginx-modsecurity module work (not saying that is trivial - but Whonix won’t be in the way), then enable it.

Quote

Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity:

server {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

None of that requires reverse proxy.

Either way, Whonix wouldn’t be in the way.

Though, stacking of VMs and reverse proxy inside stacked VMs is undocumented. But again, Whonix certainly doesn’t implement purposely technical hurdles to prevent that. It’s non-trivial but such setups are also non-trivial for clearnet.

Whonix does what it does. It stays out of the way whenever possible. We don’t have documentation yet on how to set up a high traffic, high risk, complex php webapp onion service including load balancing using onionbalance, WAF, and whatnot. These are enterprise level features as far as I know. Anyone capable of setting up such complex setups (load balancing, caching, WAF) on clearnet would, I guess, also be able to set it up on Whonix.

standard setup: Whonix-Workstation VM → Whonix-Gateway VM

“stacking” example: Whonix-Workstation → WAF VM → Whonix-Gateway VM → VPN VM
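The split described above (Tor terminates the onion circuit on Whonix-Gateway, HiddenServicePort forwards plaintext to the web server inside Whonix-Workstation, nginx-modsecurity runs in that server's own process) can be written down as two small config fragments. The script below is an added example for this thread, not code from the Whonix project or from anyone posting here. It writes both fragments and checks the two mistakes the discussion touches on: the web server binding to every interface, and the Gateway forwarding the onion port to itself instead of to the Workstation. Assumptions not stated on the page: 10.152.152.11 is the Whonix-Workstation internal address (the Whonix default; confirm against the Onion Services wiki), the file paths are placeholders, and the ModSecurity nginx connector is installed.

```shell
#!/bin/sh
# Added example: writes the Gateway torrc fragment and the Workstation nginx
# server block for one onion web server, then sanity-checks both.
# Assumed: 10.152.152.11 = Whonix-Workstation internal IP (Whonix default),
# placeholder paths, ModSecurity nginx connector present on the Workstation.
set -eu

WS_IP="${WS_IP:-10.152.152.11}"
OUT="${OUT:-$(mktemp -d)}"

# Gateway side: Tor decrypts the onion circuit here and hands plain HTTP to
# the Workstation over the internal network. Nothing on the Gateway sees HTTP
# unless it is inserted on exactly this hop.
write_gateway_torrc() {
    cat > "$OUT/torrc-onion.conf" <<EOF
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 ${WS_IP}:80
EOF
}

# Workstation side: the server block from the quoted ModSecurity docs, bound
# to the internal address only, with the version banner suppressed.
write_workstation_nginx() {
    cat > "$OUT/onion.conf" <<EOF
server {
    listen ${WS_IP}:80;
    server_name _;
    server_tokens off;
    root /var/www/onion;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
EOF
}

# Reject listen directives that bind all interfaces (bare port, 0.0.0.0,
# *, or [::]) and insist that ModSecurity is switched on.
check_nginx_bind() {
    f="$1"
    if grep -Eq '^[[:space:]]*listen[[:space:]]+(0\.0\.0\.0:|\*:|\[::\]:)?[0-9]+([[:space:]]|;)' "$f"; then
        echo "FAIL: $f binds all interfaces" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*modsecurity[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "FAIL: $f does not enable ModSecurity" >&2
        return 1
    fi
}

# The onion port must be forwarded to the Workstation, not to the Gateway.
check_torrc_target() {
    f="$1"
    if ! grep -Eq "^[[:space:]]*HiddenServicePort[[:space:]]+[0-9]+[[:space:]]+${WS_IP}:[0-9]+" "$f"; then
        echo "FAIL: $f does not forward to ${WS_IP}" >&2
        return 1
    fi
}

write_gateway_torrc
write_workstation_nginx
check_nginx_bind "$OUT/onion.conf"
check_torrc_target "$OUT/torrc-onion.conf"
echo "fragments written to $OUT and checked"
```

Run it as-is to get the two files in a temporary directory, or set `OUT` and `WS_IP` first. The checks are deliberately narrow: they catch the configuration slips that matter for this topology and leave rule tuning to the ModSecurity documentation the post links to.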

Thanks for your very detailed response on these non-trivial topics. Even if some topics were slightly off-topic and not directly Whonix-related I am glad that we can discuss them as they are very interesting.

I think I got it now. nginx+modsecurity can be used anywhere. In practice I see it is often used within multi-tier architectures as a separate server in front of the application server. In this case it acts as a reverse proxy and is the “first line of defense”. A successful attack does not compromise the application server.

And if I got it right, cloudflare uses the WAF directly inside nginx, but it is not clear if they run it on a different server in front of the application servers. Excuse me, but I haven’t had time to watch the complete video. I will catch up on it as soon as possible.

Is this correct?

Incoming requests/traffic to the hosted Onion Service are encrypted until they reach the Onion Service at Whonix-Gateway. Whonix-Gateway forwards the requests to Whonix-Workstation unencrypted in every case. Also, if https is in place, end-to-end means encrypted from the users’ browser to Whonix-Gateway (Onion Service), and unencrypted from Whonix-Gateway to Whonix-Workstation (nginx/waf+application).

Are my assumptions correct?

Thanks I will perform these steps to get a better practical understanding.

Very interesting and complex architectural topics which of course need more investigation.

Thank you.

My original conclusion might be incorrect. Cloudflare saying “we run the LUA WAF directly inside nginx” doesn’t preclude a cloudflare WAF server in the middle of (one or multiple) load balancers as well as application server(s).

onions are encrypted Tor to Tor. See:

https is usually between user’s browser (clearnet browser, host TBB, Tor Browser inside Whonix-Workstation, doesn’t matter) and (SSL terminator) web server. I.e. I guess the most common case is for Tor (including Whonix-Gateway) not being able to read the cleartext.

I don’t think a WAF could check much for end-to-end https encrypted traffic on Whonix-Gateway due to TLS encryption. Dunno if WAFs can be used to detect something malicious inside the encrypted TLS. In theory, perhaps; in practice, dunno. However, a serious analysis of cleartext requires an SSL terminator. (Using SSL and TLS loosely. I know SSL is outdated but still a popular term for discussion.)

Added to wiki just today:
Onion Services - Whonix Quote

High Traffic Onion Service Scalability Performance

Although mostly focused on non-anonymous onion services, the tor-dev mailing list discussion onionbalance useful on same server / for high-spec non-location hidden servers? [archive] contains interesting information on scalability and performance of high traffic onion services. The tor-dev mailing list [archive] (sign-up [archive]) is considered a useful resource for technical information since they are receptive to genuine inquiries.

Thanks for your response and referencing to the topic “High Traffic Onion Service Scalability Performance”. We should follow this up in a different topic.

I investigated regarding the initial questions.

There are currently two ways of hosting hidden services with Whonix on a VPS:

1) Setup on KVM

  • setup one vps or dedicated server
  • create virtual machines for Whonix-Workstation and Whonix-Gateway.
  • in case of using a KVM-based VPS, nested virtualization will be present.

Drawbacks of this approach are high requirements regarding computing resources. Also nested virtualization could mean more attack surface, which can be avoided by choosing a dedicated server: Nested Virtualization - Kicksecure

2) Setup on Hardware

Some hosting providers provide these features.

For me it seems that this approach is not common and includes not recommended steps; also, encryption between Whonix-Workstation and Whonix-Gateway has to be considered as the virtual LAN is operated by the hosting provider.

Conclusion: Currently approach 1) is preferred in terms of security and complexity and compatibility aspects.

Do you agree?

The more the better. Depends on how much traffic you expect.

It belongs in the WS not on the GW or between the two.

The GW handles Tor connections without leaks and that’s it. Onion services provide Layer 2/3 DDoS protection by design but Layer 7 protection depends on how you configure the reverse proxy.

No, but don’t depend on it for security and make sure you have a way to verify the container app contents before execution. Unlike signed debs, containers have few trust mechanisms to link code to author.

1 Like
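One concrete form of "verify the container app contents before execution" is to pin the image to a digest you obtained out of band and refuse to load anything that does not match. The script below is an added example for this thread, not code from the Whonix project or from the poster. It works on an image tarball of the kind `docker save` produces; the tarball here is constructed for the demo and is not a real image, and the pinned digest stands in for a value you would take from a channel you already trust (signed release notes, a project page fetched over a separate route).

```shell
#!/bin/sh
# Added example: digest-pin a container image tarball and refuse to load it
# on mismatch. The tarball and the "pinned" digest below are constructed for
# the demo; in real use the pin comes from the image author, not from the file.
set -eu

# Digest helper that works with GNU coreutils or the BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image FILE PINNED_DIGEST: 0 when the file matches the pin, 1 otherwise.
verify_image() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "REFUSED: $1 has digest $actual, pinned digest is $2" >&2
    return 1
}

# verify_then_load FILE PINNED_DIGEST: hand the tarball to the local daemon
# only after the check passes. A tag can be moved by whoever controls the
# registry or the download location; a digest cannot.
verify_then_load() {
    verify_image "$1" "$2" || return 1
    docker load -i "$1"
}

# ---- constructed demo data: a tiny tarball standing in for an image ----
WORK=$(mktemp -d)
printf 'FROM debian:bookworm\nRUN true\n' > "$WORK/Dockerfile"
tar -cf "$WORK/app.tar" -C "$WORK" Dockerfile
PINNED=$(sha256_of "$WORK/app.tar")        # stands in for the out-of-band pin
cp "$WORK/app.tar" "$WORK/tampered.tar"
printf 'x' >> "$WORK/tampered.tar"         # one appended byte models a tampered artifact

verify_image "$WORK/app.tar" "$PINNED" && echo "app.tar matches the pin"
verify_image "$WORK/tampered.tar" "$PINNED" || echo "tampered.tar rejected"
```

When pulling from a registry instead of loading a tarball, the same idea is to reference the image by digest (`name@sha256:<digest>`) rather than by tag, so the daemon itself performs the comparison; the digest still has to come from somewhere you trust more than the registry.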

Thanks for your response and explanations. It makes things clear for me.

Regarding my last post, do you also agree to currently choose approach 1)?

Yes.

https://www.whonix.org/wiki/Onion_Services#OnionBalance

Hello everyone,

These days I am very concerned about the following questions and it seems to fit this topic, so I am not creating a new thread.

Of course always this advantage takes effect:

But for an anonymous hosted VPS or dedicated server doesn’t this diminish the relevance of the above fully?

Also, there is no concern about server security and successful attacks against Tor onion services will not lead to your location or IP address.
Hosting Location Hidden Services - Whonix

What are the relevant advantages of using Whonix if you use an anonymous hosted VPS anyway?

Another point which I would like to bring into the discussion: Today’s architectures follow a layered approach with separated servers for web, application and database.

Is such an approach even possible with Whonix without further ado? I.e. a VPS or dedicated server with Whonix, where Whonix-Workstation acts as a web server. Behind it a non-Whonix application server VPS and behind that a non-Whonix database server VPS. Connections between web server and application server and between application server and database server carried out over virtual LAN of hosting provider.

Taking all this into account, could it not reduce the complexity in such an approach (multiple anonymous third-party VPS instances for a layered architecture) to set up without Whonix, without losing relevant security and anonymity measures, or am I missing something?

Thank you very much.

No. Users usually don’t want the VPS to be found so it cannot be attacked, DOS’ed, have its onion service private key stolen, be taken offline or impersonated.

Added to the wiki just now:
Why use Whonix ™ for Hosting Onion Services

If you do it over Tor, it’s always more cumbersome than over clearnet.

VPS might be an issue. The V implies it’s virtual. That would either be nested virtualization, which is probably slow.

Or somehow integrating with VPS. […]

[…]

Undocumented at present.

Don’t know what you’re asking here.

Thank you very much. I appreciate your answers.

With the last question I meant whether it would not be better to do without Whonix when hosting hidden services anonymously on a third party server due to the complexity and undocumented areas.

Your answers and the new wiki chapter confirm that Whonix should not be left out, because the loss of relevant security measures is significant also in this use case.