[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

Obfsproxy not working on Qubes R3

Qubes-Whonix
#1

I have no idea why, but obfsproxy isn’t working on R3. arm shows no network traffic.

Before it’s asked:

  • Yes, Whonix has worked before, I’ve been using Whonix on Qubes (R2) for several months.
  • No, I haven’t changed the configuration. I spent around 13 hours (tempered by coffee making breaks!) yesterday trying to get it to work, but then I removed qubes-gw-experimental and installed it again (actually, twice) to make sure it wasn’t some fuckwittery of my own.
  • I managed to get plain Tor to “work” once, I have no idea how since configuration didn’t change between rebooting the domain.
  • I’ve tried connecting it directly to the netvm
  • I’ve tried disabling ipv6 (ipv6.disable) in the netvm, firewallvm, and gateway
  • I’ve tried the R2 kernel
  • Yes, tbb does work (thank God…) in the Fedora template.

Any help would be greatly appreciated.

#2

[quote=“oneoffew, post:1, topic:1099”]I have no idea why, but obfsproxy isn’t working on R3. arm shows no network traffic.

Before it’s asked:

  • Yes, Whonix has worked before, I’ve been using Whonix on Qubes (R2) for several months.
  • No, I haven’t changed the configuration. I spent around 13 hours (tempered by coffee making breaks!) yesterday trying to get it to work, but then I removed qubes-gw-experimental and installed it again (actually, twice) to make sure it wasn’t some fuckwittery of my own.
  • I managed to get plain Tor to “work” once, I have no idea how since configuration didn’t change between rebooting the domain.
  • I’ve tried connecting it directly to the netvm
  • I’ve tried disabling ipv6 (ipv6.disable) in the netvm, firewallvm, and gateway
  • I’ve tried the R2 kernel
  • Yes, tbb does work (thank God…) in the Fedora template.

Any help would be greatly appreciated.[/quote]

I will create an issue for this. I have never used obsproxy before so do not know how to test it off hand. First thing to look into is to make sure it works in regular Whonix 10. Maybe I missed some startup file or firewall rule.

#3

Issue submitted https://phabricator.whonix.org/T322

#4

obfs4 and scramblesuite make traffic analysis significantly harder. If your threat model includes nation states, which I presume both Qubes and Whonix definitely do, you should be using one of those, and not plain tor.

#5

[quote=“whoknows, post:4, topic:1099”][quote author=nrgaway link=topic=1249.msg8233#msg8233 date=1432283146]
I have never used obsproxy before so do not know how to test it off hand.
[/quote]
obfs4 and scramblesuite make traffic analysis significantly harder. If your threat model includes nation states, which I presume both Qubes and Whonix definitely do, you should be using one of those, and not plain tor.[/quote]

I don’t think that’s what bridges are for…

From https://www.whonix.org/wiki/Bridges

[html] Bridges are less reliable and tend to have lower performance than other entry points. If you life in a uncensored are, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity. [/html]

Maybe also somewhat related… From https://www.whonix.org/wiki/Hide_Tor_and_Whonix_from_your_ISP

[html] Using private and obfuscated bridges alone doesn't provide strong guarantees of hiding the fact you are using Tor from your ISP. Quote[5] [6] Jacob Appelbaum:

Some pluggable transports may seek to obfuscate traffic or to morph it. However, they do not claim to hide that you are using Tor in all cases but rather in very specific cases. An example threat model includes a DPI device with limited time to make a classification choice - so the hiding is very specific to functionality and generally does not take into account endless data retention with retroactive policing.

[/html]
#6

[quote=“Patrick, post:5, topic:1099”][quote author=whoknows link=topic=1249.msg8297#msg8297 date=1432887542]
obfs4 and scramblesuite make traffic analysis significantly harder. If your threat model includes nation states, which I presume both Qubes and Whonix definitely do, you should be using one of those, and not plain tor.
[/quote]

I don’t think that’s what bridges are for…

From https://www.whonix.org/wiki/Bridges

[quote]
Bridges are less reliable and tend to have lower performance than other entry points. If you life in a uncensored are, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.
[/quote][/quote]
I’m sorry, I didn’t mean to imply that bridges were intended to defeat traffic analysis.

I meant only to imply that obfuscation of packet timing and length, as those two pluggable transports do, is useful in resisting an adversary who can see both entry and exit points (cf. Tempora), and performs traffic analysis across both.

#7

https://phabricator.whonix.org/T322#6482

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]