Multiple OnionCats on Gateway

We are using a nice experimental tool on the clearnet that allows us to bundle two or more ISPs into one virtual connection. The result is a speed increase of 60-80% of the additional connection(s)' speed. My dream is to port this to Tor using Whonix. It would allow building a fast Tor-based infrastructure. Additionally, it would make Tor much more secure, as only a fraction of the traffic would pass through any one connection.

One of the essential parts is OnionCat, which provides the IP address(es) needed. What does not fit, though, is setting up the IP from OnionCat only on the workstation. The tool needs a pool of predefined IP addresses to use: it takes the first IP and establishes a connection to the other side. Using this first connection, the tool on both sides then negotiates the next pair of IPs to use for the next connection, and so on.

The tool ensures that packets from the different connections are sorted into the right order, performs all the checks, and uses one IP for each side that bundles the traffic.

To make this work on Whonix, I have to generate an IP pool on the gateway using multiple OnionCats. The tool then picks them up and transforms them into one Whonix-isolated network address on the gateway.

The main question here is whether the gateway is capable of establishing several Tor connections (one for each OnionCat IP), or whether I should use several gateways, as my guess is that the gateway uses only one connection to Tor and puts all OnionCats into it. The advantage of this setup would only be available if there is one connection to Tor for each OnionCat IP.

Whonix has no built-in forced limitations.

There are a few points why I think this is a bad idea. A local observer would see that you open more Tor connections than regular users, which reduces your anonymity set. It might also be fingerprintable at Tor exits, because you're among those who are multiplexing connections.

I don't think there is a magic pill that can be locally applied that makes Tor faster without making it worse for everyone else. There might be, such as performance improvements in Tor (such as the ntor handshake that was implemented), but no easy stuff (better routing algorithms etc.), and it would have to be implemented in Tor. You'd basically appear as many Tor users instead of one, taking not only your fair bandwidth share of one, but of many, at the cost of others. Therefore, for what I know now, I think it would be immoral to help with this.

Well, then there’s more to think about than I thought…

To avoid reduced anonymity I would have to use different ISPs in this case.

Your argument about the fair bandwidth share I do not understand, as this kind of installation would only work if the other Tor user has the same configuration. For the typical use of Tor it doesn't make any sense at all.
On the other hand, a very good example would be to connect Whonix mirrors over Tor with it, or that a whistleblower can rapidly upload large volumes of data using Tor.

But I will respect your concerns and not publish any further result in this forum.

This looks complicated and interesting. Do you mind making a network topology diagram to explain it better?


Patrick has to make up his mind first to give it a go. In this case I am just a small and idealistic researcher and maybe cannot imagine what Patrick was/is going through making Whonix, so he took the decision to refuse my idea. The fact that he or I cannot grasp the other's idea/opinion doesn't mean that he is wrong or that I am right. But I think that Whonix is his, and I shall not take it in a direction he doesn't agree with.

I would certainly be less concerned if you discussed this on the tor-talk mailing list.

Feel free to discuss it here, though. (Related, although not a 100% match: Whonix Forum)

I would certainly be less concerned if you discussed this on the tor-talk mailing list.
Feel free to discuss it here, though.
No. I already regret I started this post.

Tor and Whonix are both complex. It does not make sense for me to dig deep into Whonix, wasting a lot of time to find out things Patrick could have told me from the beginning.

I will leave Whonix out of this.

If this feature can be used with Tor, I will publish this elsewhere; you can then still decide whether to implement it and how to implement it.

I don't think Patrick and I really understand what you are trying to do well enough to comment on it. I documented how to use OnionCat with Whonix, so I'm interested to know about your setup. I can tell you if what you are doing is safe for your anonymity.

Are you Torifying the traffic of multiple ISPs and their customers' data through a Whonix box?

Or are you hooking up multiple physical cables from different ISPs and presenting them as a single unified virtual NIC to your host that runs a Whonix gateway and onion service for increased bandwidth?

Either way, what you're doing won't affect the security of the Tor network, since you are not running relays, but it does have implications for you.

For those who are interested: the same subject has now come up on the Tor blog as well.

This setup will stick out on the network. I wouldn't advise you to do it, because it will deanonymize you straight away.

I hope you stay safe from the gangs looking for you.