[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

monero in Whonix with torsocks for better stream isolation

torsocks
stream_isolation
monero

#1

I’m trying to understand when should torsocks be used in Whonix.
I’ve seen the following as a recommended way to launch Monero client:

torsocks ./monero-wallet-cli --daemon-host [node_onion_url:port] --restore-height -1

From https://github.com/dgoulet/torsocks I understand it operates as some kind of tunnel/firewall to torify applications. But why is it necessary if Whonix-Gateway takes care of that anyway? What does it contribute, and how is it related to the uwt package?


Support policy for gazillion of crypto currencies?
#2

To follow up on that (perhaps related), when I perform a monero transaction with the CLI wallet, I get 20 lines with the error:

libunbound[12335:0] error: can’t create socket: Operation not permitted

However the transaction is successful. Any clues?


#3

#4

Doesn’t monero have socks proxy settings? Please use search engine
“monero tor”, “monero socks proxy” and you’ll probably find it. Socks
proxy settings are most times better than torsocks if available.

Outdated, please update if you can:


#5

I went through this page, it doesn’t explain what is the connection between SocksPort, TransPort and torsocks.

Does torsock allow applications to use SocksPort?


#6

Yes.


#7

I didn’t find any mention of socks proxy setting.
The Monero client connects to an onion address monero node, how can there be a socks proxy in this setup?


#8

Certainly, once I figure out how to do it without the errors popping.


#9

After some searching… The following looks sensible. Untested. Let alone tested if there is TransPort pollution.

DNS_PUBLIC=tcp TORSOCKS_ALLOW_INBOUND=1 torsocks ./monerod --p2p-bind-ip 127.0.0.1 --no-igd --hide-my-port

Feel free to try.

Makes only sense in Whonix 14 since then torsocks has and has by default enabled IsolatePID 1.

Why would that be mutually exclusive? Socks proxy settings pointing to Tor and using onions is generally very good. If onions make sense in case of monero, I don’t know.


#10

Just now added some basic info here: https://www.whonix.org/wiki/Stream_Isolation#Information


#11

This only starts the CLI? Can we adjust this for Monero-GUI?


#12

Gui does connect to existing already running daemon, no?

Try same command line options. Discuss with monero community.

Also note:

https://www.whonix.org/wiki/Free_Support_Principle


#13

No.

Best to connect to remote Hidden Service daemon.


#14

Then you need to research what kind of connections the monero-wallet-gui makes.

Connections to different Tor [[Onion Services]] are automatically stream isolated. https://lists.torproject.org/pipermail/tor-talk/2012-September/025432.html


About connecting to a remotely running monerod (on an onion service or not) I am not sure about that but researching that topic is difficult and time consuming.


#15

I don’t run monerod at all. AFAIK this is required only when run a full node.
monero-wallet-cli with --daemon-host allows connecting to a remote node instead of running your own.
The disadvantages of running a full node are mostly the time and space requirements due to synchronization of the blockchain.

It’s a bit tricky to experiment with the options when it involves real money. I only get the errors when a real transaction is performed, not with any other operation in monero-wallet-cli (for example: checking balance or address, generating a new wallet, listing past transactions).


#16

The following is guide for tails that uses the same command I’m using.

Here (https://github.com/monero-project/monero) there are different instructions for the general case of running behind Tor and for Tails, that includes adding an iptables rule:

Using Tor on Tails
TAILS ships with a very restrictive set of firewall rules. Therefore, you need to add a rule to allow this connection too, in addition to telling torsocks to allow inbound connections. Full example:

sudo iptables -I OUTPUT 2 -p tcp -d 127.0.0.1 -m tcp --dport 18081 -j ACCEPT
DNS_PUBLIC=tcp torsocks ./monerod --p2p-bind-ip 127.0.0.1 --no-igd --rpc-bind-ip 127.0.0.1
–data-dir /home/amnesia/Persistent/your/directory/to/the/blockchain

None of those sources cared to explains what happens with the case of Whonix.


#17

Does monero require separate proxy settings on Whonix Workstation?


#18

OK, I added the shell variables as in Patrick’s answer, and run the CLI client like so:

DNS_PUBLIC=tcp TORSOCKS_ALLOW_INBOUND=1 torsocks ./monero-wallet-cli --daemon-host [onionurl:port] --restore-height -1

This seems to have solved the problem. I don’t get any error messages and transfers work as before (I did a couple of transfers between two wallets, with small amounts). This is still on Whonix 13 by the way, with Virtual box.


#19

@FrozenCat: I didn’t change any settings.


#20

When I use Monero GUI in Whonix, I run the following command:

torsocks ~/Monero/start-gui.sh &

In the settings I have instructed it to connect to a hidden service remote node.

Are there any security or anonymity issues with this?