Monero Anonymity: QubesOS/Whonix Split Monero Wallet vs. Self-hosted Onion Remote Node

Hi, I have a technical question that I can’t seem to find the answer to. I’m fairly tech-savvy and have studied the documentation. I don’t take up support time lightly. I created this account specifically for this forum, hoping to find the answer I’m looking for.

My question is about the most secure AND anonymous Monero node setup and usage. I would like some feedback on two advanced setups I am considering, along with a comparison. If there is a better option, please let me know, too. Thanks! Ideally, the setup should be holistic, considering not only one aspect, but also real usage, such as sending transactions.

  1. QubesOS/Whonix Monero split full node wallet setup, as described in the documentation
  • Limited qrexec interface to increase Monero private key security.
  • All traffic (p2p, transaction broadcast, etc.) is sent over Whonix/Tor for anonymity.
  • The full node allows for full access to ring signature data and doesn’t require trust in a remote node.
  2. Self-hosted Onion Service Monero remote node:
  • The onion service allows for anonymous remote access.
  • A self-hosted server can be considered partially trustworthy (more than other remote nodes but less than the isolated qrexec method).
  • Transactions are broadcast from the remote node (I am aware of Dandelion++), not from the local QubesOS PC’s Tor connection.

I like the security of the QubesOS/Whonix Monero split wallet approach. I think we can all agree that it’s top-notch and could be strengthened with offline VMs in QubesOS or hardware wallets.

This brings me to my question: How does the anonymity of a Monero split wallet setup compare to that of a self-hosted, onion service-enabled Monero remote node? Unfortunately, I am not an expert in all of these areas, so I am asking for help here.

I could be wrong, so please correct me if I am. I think there might be a correlation risk when all Monero traffic is sent through the QubesOS/Whonix split Monero wallet setup. I imagine peer-to-peer traffic to other nodes and transaction broadcasts shouldn’t be sent this way, i.e., mixed over sys-whonix. However, this might not be an issue when Tor’s stream isolation is in place. Is this enabled in such a setup, and does it help? Can the setup be hardened with additional configurations?

Assuming I’m right that forcing all Monero node traffic through sys-whonix poses a risk, it might be better to leave p2p traffic to the remote node and only sync data to the local device. This would leave the network broadcast of sending transaction data to the remote node. I hope you understand the issues I’m having trouble with.

Please help! Thank you very much.

You can make your setup so complicated that you lose your funds because of complexity risk. See: Complexity Risk

Multisig is also difficult and introduces its own risks. See multisig.

Hardware wallets introduce their own issues:

Complexity is a fair point. Nevertheless, what are your thoughts on the risks of combining p2p and transaction broadcast traffic in a Monero split wallet setup, as well as the stream isolation aspects? I know there is a flag for monerod called --tx-proxy tor,127.0.0.1:9050,10, but it isn’t documented in the official documentation, and I failed to implement it. As I understand it, this flag instructs monerod to broadcast transactions over Tor using ten possible Tor circuits and to not mix them with p2p traffic. I would love it if you could explain the situation to me in general and why the flag is not listed in the official documentation. Thank you so much.

I am aware of this post: Setup Monero Node with Stream Isolation

Maybe @JeremyRand can help me find the answer to my question. I saw you talk about SocksTrace, and you mentioned that you’re active in the Whonix community and that you’re a Monero guy. Honestly, I don’t know who or where else to ask.

My main concern is that the QubesOS/Whonix Monero split wallet setup, as described in the Whonix documentation, is problematic in terms of correlation attacks because both p2p and broadcast traffic go over the same Tor connections. At least, that is my understanding.

I assume this could be improved with the mentioned flag, but I couldn’t get it to work (I tried for hours). However, I could be wrong about the flag.

If the p2p traffic could be decoupled from the Monero transaction broadcast, then I would assume my original question would pertain to the Monero split wallet method rather than the remote node. In other words, these are related questions.

What I have, and have had for a long time, is a perfectly functioning Monero split wallet, which is easy to update because I use the Flatpak version instead of the binary directly.

Please help me understand this.

After further reviewing the Whonix documentation, I determined that the optimal approach is to use the command-line option --tx-proxy tor,127.0.0.1:9180,10 with a custom SocksPort in the range of 9180–9189, as detailed in the documentation: https://www.whonix.org/wiki/Stream_Isolation#How_to_mitigate_identity_correlation

Ideally, this will result in different circuits broadcasting Monero transactions that differ from the p2p traffic going through the TransPort. Is that correct? Is this how it’s supposed to work?

Additionally, I thought it would be interesting to have the p2p traffic use Onion Services instead of Tor exit nodes. This would further reduce timing correlation against Tor exit nodes. If I understand correctly, adding exclusive nodes to monerod would essentially only use these. Therefore, I propose adding only Onion Service nodes so that all p2p traffic goes through Tor Onion Services and never leaves the network. What do you think? Is this possible and sensible? Is it a good approach? Also, what type of SocksPort would be best for this, considering IsolateDestAddr and IsolateDestPort? Would a SocksPort with stream isolation make sense here, given the long-lived p2p monerod connections?
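
A check for the setup discussed in the post above, as an added example that is not part of the thread and not code from the Monero or Whonix projects: it parses a monerod command line and reports whether --tx-proxy names a Tor SocksPort in the 9180–9189 range and whether that port is also used by --proxy. The function names and sample command lines are constructed for illustration; --proxy is a monerod option that the thread does not mention.

```python
import shlex

CUSTOM_SOCKS_PORTS = range(9180, 9190)  # 9180-9189, the range quoted in the post


def collect_flags(cmdline, names=("tx-proxy", "proxy")):
    """Return {flag: [values]} for both '--flag value' and '--flag=value'."""
    tokens = shlex.split(cmdline)
    found = {name: [] for name in names}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("--"):
            name, eq, value = tokens[i][2:].partition("=")
            if name in found:
                if not eq:  # value is the next token
                    i += 1
                    value = tokens[i] if i < len(tokens) else ""
                found[name].append(value)
        i += 1
    return found


def socks_port(endpoint):
    """Port of an 'ip:port' string, or None if it is malformed."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def lint_monerod(cmdline):
    """List findings about the Tor broadcast proxy; an empty list means no finding."""
    flags, findings = collect_flags(cmdline), []
    tor = [v.split(",") for v in flags["tx-proxy"] if v.split(",")[0] == "tor"]
    if not tor:
        return ["no '--tx-proxy tor,...' entry"]
    fields = tor[0]  # network, ip:port, then an optional connection limit
    port = socks_port(fields[1]) if len(fields) > 1 else None
    if port is None:
        return ["--tx-proxy endpoint is not ip:port"]
    if port not in CUSTOM_SOCKS_PORTS:
        findings.append(f"tx-proxy port {port} is outside 9180-9189")
    if any(socks_port(p) == port for p in flags["proxy"]):
        findings.append(f"--proxy and --tx-proxy share SocksPort {port}")
    return findings


# Constructed command lines, not taken from the thread.
GOOD = "monerod --tx-proxy tor,127.0.0.1:9180,10"
SHARED = "monerod --proxy 127.0.0.1:9050 --tx-proxy=tor,127.0.0.1:9050,10"

if __name__ == "__main__":
    for cmd in (GOOD, SHARED):
        print(cmd, "->", lint_monerod(cmd) or "ok")
```

The check only inspects the command line; whether the chosen SocksPort actually exists with the intended isolation flags has to be confirmed in the Tor configuration on the gateway.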

There was a stream isolation wiki chapter that got deleted by accident.

Restored just now:
Stream Isolation

Dedicated forum thread:
monero in Whonix with torsocks for better stream isolation


A post was merged into an existing topic: monero in Whonix with torsocks for better stream isolation