2 posts were split to a new topic: Whonix Website Change Suggestions
OK - here’s my second attempt awaiting sign-off in the wiki 
= Transporting UDP Tunnels over Tor =
‘’‘Tor Design’‘’
According to the Tor Project:Moving Tor to a datagram transport | The Tor Project
Tor transports data over encrypted TLS tunnels between nodes, which is in turn carried by TCP.
The current Tor design does not support the transport of [UDP over Tor (#7830) · Issues · Legacy / Trac · GitLab UDP-based protocols] through exit nodes in the network, and this is unlikely to be supported in the near future due to incompatibility with cryptographic protocols in use and those planned.
The consequence is that UDP-based protocols and applications cannot be used to transmit UDP datagrams between guards and exit nodes in the default environment. Example UDP protocols / applications include:User Datagram Protocol - Wikipedia
- Domain Name System (DNS);
- Simple Network Management Protocol (SNMP);
- Routing Information Protocol (RIP);
- Dynamic Host Configuration Protocol (DHCP); and
- Voice and video traffic.
‘’‘Transporting UDP Tunnels over Tor with a VPN’‘’
A solution to this problem is to use a [Tunneling protocol - Wikipedia tunneling protocol]. In simple terms, this allows a user to access a foreign protocol or network service that the underlying (Tor) network does not support or provide directly.
The tested and working method in Whonix is to utilize a Virtual Private Network (VPN) with a trusted provider that does not block UDP traffic (User → Tor → VPN → [Other Anonymizing Network] → Internet). Some VPN protocols such as OpenVPN may use UDP while implementing reliable connections and error checking at the application level.Other VPN implementations may also be useful, but have not been researched yet.
Please first read the related VPN documentation and warnings:
- [TorPlusVPN · Wiki · Legacy / Trac · GitLab Tor Plus VPN or Proxy];
- [[Whonix:General_disclaimer#Whonix_VPN_disclaimer|Whonix VPN disclaimer]];
- [[Tunnels/Connecting to Tor before a VPN| How to connect to Tor before a VPN (User → Tor → VPN → Internet)]]; and
- [[Tunnels/Introduction#Comparison_Table|Tunneling comparison table]].
Before following the instructions to [[Tunnel_UDP_over_Tor|tunnel UDP over Tor]].
The current [http://sec.cs.ucl.ac.uk/users/smurdoch/papers/tor11datagramcomparison.pdf Tor architecture] may cause negative performance impacts on user activities. This arises from high latency due to congestion in the network, queue length on nodes (mixing of traffic across multiple nodes), and TCP mechanisms which attempt to account for lost packets and hold delivery of future packets until a resend is complete.Voice over Tor? - Guardian Project
Understand that adding a second connection in the tunneling chain adds significant complexity. This potentially increases the security and anonymity risks to the user due to: misconfiguration, the increased attack surface of secure tunneling software, the difficulty in anonymously paying for VPN services, and potential bottlenecks with VPN providers. Depending on your configuration, you may also increase your fingerprinting risk, lose stream isolation of your activities, and have a permanent destination X in the Tor network.Also read the Tor Project warnings here: TorPlusVPN · Wiki · Legacy / Trac · GitLab.
‘’‘Whonix Recommendations’‘’
Whonix recommends the use of [OpenVPN - Wikipedia OpenVPN] as the most secure (SSL/TLS-based) protocol, rather than reliance upon IKE, L2TP/IPsec or PPTP. OpenVPN is considered extremely secure when used with encryption algorithms such as AES.IKE is being exploited by the NSA to decrypt IPSec traffic. IPsec configured with pre-shared keys is vulnerable to MITM attacks. PPTP is an obsolete method for VPN implementation with a host of security weaknesses. For further reading on intelligence agency capabilities against VPN protocols see: http://www.spiegel.de/media/media-35515.pdf
A dedicated virtual machine is recommended for this activity, see: [[Multiple Whonix-Workstations]].
1 Like
What do you think about the suggested homepage changes in this post? Long Wiki Edits Thread - #12 @Ego
Good day,
Sure, can/will add those.
Have a nice day,
Ego
1 Like
The examples need some work.
- Domain Name System (DNS);
Tor supports some types of DNS. There is more information and references on that topic here: Alternative DNS Resolver - Whonix
- Simple Network Management Protocol (SNMP);
- Routing Information Protocol (RIP);
- Dynamic Host Configuration Protocol (DHCP); and
Do users care to tunnel those over Tor?
- Voice and video traffic.
This is a good example. Replaced with some using voice or video are using UDP since there are also applications using TCP. Perhaps we should link to Voice over IP (VoIP)?
That reminds me of Voice over IP (VoIP). What do you think about the quality of that page? It has lots of nicely researched information, but I am not sure it will help as many users to actually use voip as possible.
What’s the use case to highlight?
- Two person who know each other talking to each other but obfuscating these fact by using Tor?
- One person in a censored area calling someone in another area not necessarily using Tor?
- (Due to voice recognition and stylometry there is no way for the caller to stay anonymous.)
I am not sure all of this is really getting clear for the user.
What seems to you to be the easiest to use already documented solution?
Wondering if any of the new instant messengers such as ricochet / unMessage are going to get voip and/or video support or if other applications similar to those are being worked on?
//cc @HulaHoop
Thanks for that.
I changed that applications list part and linked in the VOIP section as follows:
The consequence is that UDP-based protocols and applications cannot be used to transmit UDP datagrams between guards and exit nodes in the default environment, for example, some [[VoIP]] or video applications.User Datagram Protocol - Wikipedia
It’s a good Question re: use of UDP apps in general forced through the Tor network. I know little about networking, so wasn’t sure of other relevant applications or protocols that Whonix users would frequently want to use in this manner? I figured you experts would know.
Based on my quick read of the VOIP wiki entry, it looks like really bad advice to be forcing it over Tor anyway, given the voice recognition de-anonymization potential. A big fat warning probably needs to be at the top of that page, just like the wiki has for VPNs and other anonymizing networks in long chains.
It all seems to come back to peer-to-peer, metadata-less, hidden services-based instant messangers like Ricochet as being the gold standard for high-security comms in general.
Or perhaps something like I2P-bote, but I know very little about that, apart from what’s in the wiki. Tox looks promising too, but still too early in development to trust.
Re: reviewing the VoIP page
I’m happy to review the VoIP page next for editing, now that the Security Guide is done.
Although, I’ll probably finish off the rest of the templates, since I’ve already reviewed and edited the first 100 out of 233 (total) templates on the website i.e. Special:UncategorizedTemplates (except for the “Build Documentation” ones, since they look very painful and I’ve been procrastinating on those). 
I also realize that translate tags should get added to every page on the website too right as per @Ego’s instructions? Looks pretty simple to do.
(Edit by Patrick: Ego → @Ego)
1 Like
Btw there is no need to fix https://www.whonix.org/wiki/Template:Infobox_OS/doc and a few similar pages that are not visible to users - it’s not our template. We just imported it from wikipedia. When it’s not user facing, not even developer facing, there is no need to spend time on it.
1 Like
It should be properly explained indeed, so I am glad you can visit it with a fresh view.
Anyhow. Two people who know each other communicating via voice over Tor is still a use case where Whonix is still an ideal solution to have an encrypted/authenticated voice conversation that cannot be observed by third parties.
1 Like
Let’s move that here:
whonix.org wiki translation / mediawiki extension translate - technical discussion - #41 by Ego
Can you please undo parts of this change? Please do not change any licensing texts.
There are organizations such as FSF out there who work with lawyers, fight in courts, etc. Since Whonix is Libre Software and not in the lawyerization business, we use their texts verbatim with the only exception of small changes as per their recommended best practices (i.e. to fill out gaps for name, copyright and year). If we were to change these texts, we would go into unchartered legal waters. Really not worth the risk.
No problem.
Edit: wasn’t sure if backing out would undo all the changes, so I just edited the license stuff back to the original text.
1 Like
It’s been a great wiki wide rephrasing and spell fixing so far!
1 Like
There is only one mistake.
Old
- [[ExoneraTor|ExoneraTor:]] a [https://exonerator.torproject.org/ Website] that Tells You Whether a Given IP Address is a Tor Relay
New
- [[ExoneraTor|ExoneraTor:]] a [https://exonerator.torproject.org/ Website Tool] to Check for Tor Relay IP Addresses
This seems like a bug. Meaning changed and got wrong.
Quote https://exonerator.torproject.org/
Enter an IP address and date to find out whether that address was used as a Tor relay:
All of these really but especially the first one which is what makes this special.
I suggested VoIP to ricochet a while back with radio silence on that ticket. unMessage are interested in implementing this at some point. No other anonymous solutions for VoIP planned AFAIK.
If both users are communicating over anonymously created accounts and the VoIP streams are encrypted this shouldn’t be a risk.
Is there some overlap between these two chapters?
You’re right. I think the time sync related stuff should be moved out from the sec guide.
Security Guide - Whonix causes some confusion. Missing torproject apt signing key. ( https://forums.whonix.org/t/gpg-error-when-onionizing-tor-project-updates )
Security Guide - Whonix why onionize torproject repository in the workstation? Fixed to gateway.
Enabling torproject apt repository is now documented here, you might like to revision it: Security Guide - Whonix
You changed the link text to Increasing the Virtual Harddisk in documentation index. Should we therefore also move the page from Grow_Virtual_Harddisk to Increasing_Virtual_Harddisk?
“Expanding Virtual Harddisk” sounds better?