Good day,
So what you are proposing is a physical isolation across servers connected via I2P, right?
Well, physical isolation has been shown to not necessarily be more secure than a software-based approach, actually the opposite years ago, as mentioned here: http://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf Whonix-Qubes is what can thus be considered the most safe for now.
Tunneling the whole connection over I2P via SSH as you suggest would in this case only make the surface of attack bigger as opposed to leaving the connection between GW and WS local, as if the WS and GW are in different (not locally connected) networks they’d both need additional connections to I2P to access each other, effectively increasing the amount of IPs exposed in case physical access is gained…
Like I said, not necessarily safer, actually increases the surface of attack. The less local control there is over what is used, the less safe your configuration is. If the GW and WS aren’t locally present in the same network, using them isn’t possible safely.
That wasn’t flaming, however without knowing what the problem is, solutions can’t be found. Most of the time when someone carries something like this to the surface, it either is very old and already fixed, based on misinformation/not properly done studies or is nothing for Whonix to fix. If the problem is as big as you say it is, this would be something the core Tor developers would have to fix in every iteration of Tor. Also again, what kind of attack are we talking about? You can’t talk about a 1:1 possibility and then about physical access, because those two things contradict each other.
Define uncover. Finding out where a hidden service hosted over a Whonix based system is located has not been proven to be possible by anyone. Also, why did you then write about physical access? Deanonymizing/uncovering a hidden service's real location/IP without physical access is something at the moment not possible.
If you have physical access to the workstation, even if you could separate the two as you proposed to let’s say different servers in different countries, would mean the real location of the GW could be found, simply by following what is on the WS, as those two would have a fixed point of connection to work properly. Also, to give the WS access to the GW over I2P via SSH, the WS would need a separate access to the internet as well, meaning you now exposed two IPs while trying to prevent that.
What could be made a case for though, is getting a small server at a more or less trustable hoster, only paying that hoster via an anonymous currency and running Whonix (WS and GW) on that while accessing that configuration via Whonix on your computer. Hosting a hidden service over this configuration would also hardly ever be able to expose your real IP in any scenario. However that design could in turn also have problems as mathematically speaking and backed up by quite a lot of research, it has been proven that using more than the three relays used by Tor usually actually increases the chance for having a malicious one at the start and end, as explained here: How can we help? | Tor Project | Support
Have a nice day,
Ego