How can I request a new IP from the gateway?

rob75 · June 10, 2019, 12:09pm

Is there a way from the workstation, to connect to the gateway, and ask it for a new TOR exit IP?

nurmagoz · June 10, 2019, 6:03pm

That depend if the App with Stream(Network) Isolation or not:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Stream_Isolation

rob75 · June 10, 2019, 6:16pm

I meant more if I were to write my own little application, can I request a new IP or a specific IP?

nurmagoz · June 10, 2019, 6:19pm

Possible but this is not Whonix issue to do this work for your application, but you can do it using Whonix.

No, Specific IP means Specific Guard and thats not how Tor works and even if there is away then its unsafe to use this method for your anonymity.

Patrick · June 10, 2019, 6:23pm

Self Support First Policy for Whonix applies since this is a general Tor question.

Control and Monitor Tor applies.

https://gitweb.torproject.org/torspec.git/tree/control-spec.txt for how to give commands to Tor.

signal NEWNYM is related but not really what you want, which quote FAQ

will likely create a new circuit with a different Tor exit relay and IP address, but this is not guaranteed.

This FAQ entry mostly applies:
Frequently Asked Questions - Whonix FAQ

Tor can do that, but how to do that is as far as I know undocumented. https://gitweb.torproject.org/torspec.git/tree/control-spec.txt would help doing it but certainly non-trivial. However, it’s still more of a Tor than Whonix question.

rob75 · June 10, 2019, 9:00pm

Isn’t there an open port on the whonix server that you can connect to (e.g. with telnet) and just issue some command to get a new exit node? Sorry for my own confusion.

Patrick · June 10, 2019, 9:36pm

There is,

port 9050 on Whonix-Workstation (with onion-grater filtering which can be adjusted)
/var/run/tor/control unix domain socket file on Whonix-Gateway

but that is not your problem. You need to learn how to use Tor first - which doesn’t concern Whonix. That’s the big/difficult part to learn. After you figured that out, making that work on Whonix is the easy part by comparison.

Doesn’t exist - at least not in an easy way. Learning how to do that by using https://gitweb.torproject.org/torspec.git/tree/control-spec.txt is the only option that I know.

rob75 · June 11, 2019, 12:20am

So the way the Tor Browser asks the Whonix Server for a new IP isn’t something I can easily implement myself?

I’m basically only asking how I can from the Whonix Gateway do the same as pressing ‘n’ in the arm interface on the Whonix Server, or like the Tor Browser does it.

I will try to read up on this myself in general since I clearly lack some knowledge, but just knowing this part would help a lot.

Patrick · June 11, 2019, 5:16am

It’s not asking for a new IP.
It’s asking for newnym (new circuit).
See: Frequently Asked Questions - Whonix FAQ

That is answered here:

rob75 · June 11, 2019, 9:37am

Thanks for clarifying, sorry again, but what I mean is simply this then:

How can I from the Whonix Workstation, using telnet, ask for a new circuit (newnym)?

0brand · June 11, 2019, 10:03am

Hi `rob75

That is something you would have to research on your own. What you are asking can be very dangerous so its not likely many (if any) users have done that.

Its understood what you are asking. Patrick tried to point you in the right direction in previous posts. This is more of a Tor question so you may want to try asking on tor.stackexchange? Maybe a more generic question leaving out the Whonix part of your question?

How do I change my Tor circuit remotely? Then apply what you learn to Whonix.

Patrick · June 11, 2019, 11:11am

This:

Control and Monitor Tor

Note: new circuit doesn’t mean new IP as already said.

rob75 · June 11, 2019, 11:18am

Thanks 0brand,
I will research this on my own. Thank you. Could you tell me why it might be dangerous?

rob75 · June 11, 2019, 11:19am

Perfect, thanks!

0brand · June 12, 2019, 3:06am

Whonix uses hypervisors to isolate the Whonix-Workstation Whonix-Gateway from each other and the host. If Whonix-Workstation is compromised and you connect to Whonix-Gatway (from the Whonix-Workstation) the Gateway could also be compromised. If that happened you could be de-anonymized.

rob75 · June 12, 2019, 3:09am

Thanks for your help but this doesn’t seem right.

I’m not doing anything an attacker couldn’t already do.

If an attacker compromised my Whonix Workstation, that attacker could connect to the Whonix Gateway as well, using Control and Monitor Tor

I’m not adding anything extra, I’m just using existing functionality already provided.

0brand · June 12, 2019, 3:20am

If it was a remote exploit. Your assuming worst case scenario. Which is what you want to do but its more likely you would pick up a passive malware unless you were high profile.

Anyways you are increasing the risk of Whonix-Gateway compromise by connecting from Whonix-Workstation.

Patrick · June 12, 2019, 7:04am

An application can send signal newnym to Whonix-Gateway without additional risk since Tor Browser does the same. If signal newnym does what the application developer wants depends on the understanding of signal newnym (=ineffective for long running connections, need to terminate connections before signal newnym has effect).

0brand · June 12, 2019, 10:13am

I stand corrected.

rob75 · June 12, 2019, 11:07am

Running any new application inside the Workstation would be an increased security risk though. If I made my own little application, it is probably not as secure as something well tested and mature like the applications that come with the Workstation. However, compromising my application or e.g. the Tor browser wouldn’t matter at all for my own security, it would both have the same consequences, unless my application were to run as root.