Wondering how onionbalance could be combined with Whonix.
Quote
https://onionbalance.readthedocs.io/en/latest/v3/tutorial-v3.html
Onionbalance implements round-robin like load balancing on top of Tor onion services. A typical Onionbalance deployment will incorporate one frontend servers and multiple backend instances.
I’d if this gets supported, the incrementally. First iterations could be:
- multiple Tor onion instances
- 1 backend server
For non-anonymous use cases (for example: whonix.org alternative onion) it isn’t required to run Whonix. Therefore running multiple Tor instances inside the same Whonix-Gateway with onionbalance, while easier, seems a bit pointless. That Whonix-Gateway would generate unusually much Tor traffic. Hence, less anonymous. The only situation where this could make sense would be on an anonymously purchased VPS where anonymity is not that important.
Related:
https://lists.torproject.org/pipermail/tor-dev/2020-June/014347.html
Otherwise for retaining good anonymity it would be required to run multiple Whonix-Gateway in physically different locations. This is to avoid that one Whonix-Gateway instance would be producing too much Tor traffic.
That however breaks how Whonix is operating for now:
One machine (Whonix-Workstation) connected to another machine (Whonix-Gateway) over an isolated, internal, (virtual) LAN connection. Unencrpyted. Related:
A prerequisite for onionbalance with Whonix is most likely the (optional) implementation of encrypted and authenticated connections between Whonix-Gateway and Whonix-Workstation. Otherwise onionbalance instances on physically separate machines couldn’t securely connect to the backend Whonix-Workstation (web or any) server.
(Unless - perhaps using onions with TLS which would reduce this to TLS level connection security and adding a dependency on TLS CAs.)
Example…
Whonix-Gateway onionbalance Instance Nr. 3 → Internet, clearnet, unencrypted → Whonix-Workstation backend (web or any) server
Probably not what we want. We probably want at least:
Whonix-Gateway onionbalance Instance Nr. 3 → Internet, clearnet, encrypted → Whonix-Workstation backend (web or any) server
Or should this even be torified?
Whonix-Gateway onionbalance Instance Nr. 3 → Internet, torified, encrypted → Whonix-Workstation backend (web or any) server
It’s not a bowl of cherries. Meaning, of course everyone would like to see the perfect implementation. If all traits (torified, encrypted, fast enough) could be implemented then these should be implemented. But in practice for this setup it might be either torified or fast enough. Both at the same time might be impossible.
Maybe I am missing something about onionbalance.
Outside of Whonix… Unrelated to Whonix… How does onionbalance solve this?
VPS onoinbalance Instance Nr. 2 → Internet → backend server
How would this be encrypted/authenticated? This is left to the system administrator?
Also as per onionbalance default not torified?