Performance Statistics and Optimization of KVM-based Tor Hidden Services

Introduction

I would like to know how Tor hidden services can be optimized to handle high traffic. I know that vertical scaling is possible with OnionShare by adding more backend instances.

Current Stats of High Traffic Tor Onion Services

How much traffic can a hidden Tor server based on KVM handle? What throughput can be achieved? How many client connections can be handled? What will most likely be the bottleneck?

KVM Optimization

What can be done to optimize a single KVM-based Tor hidden server setup? I’m pretty sure this can all be configured in the KVM XML config files.

Is there something like a GitHub repository with optimized KVM configuration settings? I’m thinking about adding more virtual cores to the gateway or workstation, adding more RAM and all the other things that would help to get better performance. Are there other things I can configure to increase performance? Are there anonymity drawbacks?

Virtualization Optimization

Because I’m pretty sure the Tor implementation is the bottleneck, I’d like to know if it’s possible to run multiple Tor instances across multiple Whonix gateway instances pointing to the same (or different) Workstation with the web application running (on the same physical server). This could enable more efficient utilization of hardware, especially since many servers today are designed for 1 Gbit/s connections.

Whonix Workstation Database Connection Optimization

How can I configure a bypass of the Whonix Gateway Tor proxy so that only certain connections from Whonix workstations are not anonymized by Tor? I want to have my Whonix Workstation application protected by the Whonix Gateway, but have the database backend connections bypass the gateway to improve performance.

More Optimization

Are there other Whonix KVM optimizations to improve performance or make efficient use of server hardware? Finally, my questions can be summarized like this: At which points can I optimize before I can only scale vertically with OnionShare?

I doubt that. If there is, then nobody informed this forum.


Note: I don’t maintain Whonix KVM.

related:

OnionBalance?

Not sure KVM would be the bottleneck. The primary bottleneck to worry about might be Tor.
You could rephrase this question about clearnet to find out the limitations of KVM generally.

(Whonix is based on Kicksecure.)

Possible for sure but there’s no concept for that. Perhaps adding another internal-only network interface. Non-trivial for sure. Undocumented.


I doubt the answer for many of these questions will be available in this forum.
(But then I am also not sure they’d be available elsewhere.)

Yes, OnionBalance (not OnionShare, too many onions…).

I agree, KVM has almost no bottlenecks. What Onion service stats (throughput on a Tor hidden service) have you seen?

Isn’t there a Whonix firewall bypass config file or something? I literally want to whitelist an IP that doesn’t go through Tor.

I didn’t look into that.

No. There’s no easy bypass. Why? See:

https://www.whonix.org/wiki/Dev/Technical_Introduction#multiple_security_layers

More on the bypass idea here:

Thanks for the information. Is there a Whonix-like project that is capable of doing this? I am looking for the perfect hosting environment for Onion Services in the cloud.

I doubt it. I am not aware of any.
