(1) transaction broadcasts (tx) go through Tor to onion peers
(2) blockchain sync goes through clearnet to seed nodes.
→ (2) is undesirable as the public IP address gets exposed
(1) every outgoing connection goes through Tor to seed nodes and leaves Tor at a Tor exit node
→ this is undesirable as it could potentially lead to identity correlation
If you want to set up a Monero node on Whonix-Workstation and want to set up proper stream isolation, I assume that the following setup is currently the preferred approach.
Starting the Monero node with the custom SOCKS ports prepared for custom-installed applications, without IsolateDestAddr and without IsolateDestPort.
(1) transaction broadcasts (tx) go through Tor via Whonix-Gateway to onion peers
(2) blockchain sync goes with TransPort via Whonix-Gateway through Tor to seed nodes and leaves Tor at a Tor exit node
→ IP/DNS leaks prevented by Whonix-Gateway
→ stream isolation for (1)
→ no stream isolation for (2) unless there are no additional connections through TransPort from the same Whonix-Workstation. If there are additional connections through TransPort from the same Whonix-Workstation, you have to avoid applications being linked to the same pseudonym in order to prevent identity correlation.
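As an added illustration (not from the thread or the Whonix project), a small Python check of the distinction made above: on a Whonix-Workstation, a monerod connection whose peer shows up as a public IP has been redirected to the gateway's TransPort rather than sent to the dedicated SocksPort, so it is not stream-isolated. The gateway address, the 9153 SocksPort and the sample `ss -tnp` lines are constructed assumptions.

```python
import re

GATEWAY_IP = "10.152.152.10"   # Whonix-Gateway address used in the thread (assumed)
SOCKS_PORT = 9153              # custom SocksPort passed to --tx-proxy (assumed)

# Constructed sample of `ss -tnp` output as seen on the Whonix-Workstation.
# Peers that are public IPs mean the gateway is redirecting them to TransPort.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.152.152.11:41000 10.152.152.10:9153 users:(("monerod",pid=1234,fd=20))
ESTAB 0 0 10.152.152.11:41002 10.152.152.10:9153 users:(("monerod",pid=1234,fd=21))
ESTAB 0 0 10.152.152.11:41010 203.0.113.7:18080 users:(("monerod",pid=1234,fd=22))
ESTAB 0 0 10.152.152.11:41011 198.51.100.9:18080 users:(("monerod",pid=1234,fd=23))
ESTAB 0 0 127.0.0.1:18081 127.0.0.1:52000 users:(("monerod",pid=1234,fd=24))
ESTAB 0 0 10.152.152.11:41020 10.152.152.10:9050 users:(("monerod",pid=1234,fd=25))
ESTAB 0 0 10.152.152.11:41030 10.152.152.10:9050 users:(("curl",pid=999,fd=3))
"""

SS_LINE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+\S+:\d+\s+(\S+):(\d+)\s+users:\(\("([^"]+)"')

def classify(ss_output, process="monerod"):
    """Bucket the peer endpoints of one process:
       isolated  - the dedicated SocksPort (stream-isolated, as with --tx-proxy)
       shared    - another gateway SocksPort such as 9050, shared with other apps
       transport - any other non-loopback peer: redirected to TransPort, not isolated
       local     - loopback (RPC / wallet connections)"""
    buckets = {"isolated": [], "shared": [], "transport": [], "local": []}
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m or m.group(3) != process:
            continue
        ip, port = m.group(1), int(m.group(2))
        endpoint = f"{ip}:{port}"
        if ip.startswith("127."):
            buckets["local"].append(endpoint)
        elif ip == GATEWAY_IP and port == SOCKS_PORT:
            buckets["isolated"].append(endpoint)
        elif ip == GATEWAY_IP:
            buckets["shared"].append(endpoint)
        else:
            buckets["transport"].append(endpoint)
    return buckets

def fully_isolated(ss_output, process="monerod"):
    """True only when every non-local connection uses the dedicated SocksPort."""
    b = classify(ss_output, process)
    return not b["transport"] and not b["shared"]
```

On a live system, feed it the output of `ss -tnp` run on the workstation; the two public-IP peers in the sample are the blockchain-sync connections from case (2).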
Why is it beneficial to create a uwt stream isolation wrapper for the monero node instead of setting up an application SOCKS port and configuring the application to use that SOCKS port?
Perhaps I did not express myself very well. I do not want to isolate streams by IP address.
I want to use the custom socks ports prepared in /usr/share/tor/tor-service-defaults-torrc for custom installed applications. In this case for monerod.
Therefore I wanted to use port 9153: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]
For best protection against identity correlation: Stream Isolation
^ by following these instructions, either proxy settings are adhered to one way or another (socks proxy settings or a socksifier such as torsocks) or there is no traffic at all.
What’s better, using a socksifier or the proxy settings method? Nobody is researching that to my knowledge. In Whonix, the risk is traffic going through Tor’s TransPort (transparent torification) instead of through a dedicated Tor SocksPort. That risk is way too theoretical and obscure for anyone to make it a priority to work on.
I would expect something such as orjail might be better suited for torification (non-Whonix use case) or better stream isolation enforcement (Whonix use case). orjail / torsocks as kind of a “mini Whonix networking”.
Thanks for your posts as this is a very interesting topic.
To apply this for running a monerod service using Whonix, the approach of “Better Protection” is not applicable, as “All applications not configured to use a SocksPort by socks proxy settings or forced to use a SocksPort by a socksifier will not be able to establish connections.”
Because according to Monero Anonymity Networks and Monero Reference, using Whonix custom socks ports with ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port] still means that blockchain sync and forwarded transactions (those not originating from a connected wallet) still go through clearnet to seed nodes.
Therefore, if changing firewall settings according to “Better Protection”, blockchain sync and forwarded transactions are not possible.
And using the “Better Protection” configuration with this command DNS_PUBLIC=tcp torsocks monerod --p2p-bind-ip 127.0.0.1 --no-igd will work, but every outgoing connection, especially transactions, goes through Tor to seed nodes and leaves Tor at a Tor exit node, which is undesirable as it could potentially lead to identity correlation by leaving Tor exit nodes.
To summarize, currently this is the most beneficial way to run monerod on Whonix: ./monerod --tx-proxy tor,10.152.152.10:9153,10 --add-peer=[onionservice]:[port]
127.0.0.1:9050 gets redirected to 10.152.152.10:9050 by anon-ws-disable-stacked-tor especially to prevent Tor on Tor scenarios.
Would it be beneficial to run ./monerod --tx-proxy tor,10.152.152.10:9153,10 instead?
What would be different in terms of security? What happens if we use port 9050 instead of 9153? Does any other Whonix standard application use this port by default to get torified?
Port 9153 is a custom SOCKS port according to the stream isolation page.
Thank you very much for your response. Slowly I get a deeper understanding.
Please excuse me if it is obvious, but is the “TransPort” port 9050 or another port (if it is another, which one and where is it documented)? Thank you.
As port 9153 is a custom SOCKS port, I assume that I found a mistake on the following page and section: Dev/anon-ws-disable-stacked-tor - Whonix. Here it is stated that port 9153 is used by Tor Messenger and forwarded to Whonix-Gateway. From my understanding this is not the case, as on the stream isolation page it is stated that 9153 can be used as a custom SOCKS port for your own application.
Tor TransPort is port 9040 on Whonix-Gateway and cannot directly be accessed. System default networking (TCP) originating from Whonix-Workstation will be redirected to that port.
That is confusing indeed.
9153 in the workstation was the Tor Messenger default ControlPort being redirected to the gateway 9051 ControlPort (actually the control port filter proxy, onion-grater).
9153 on the gateway is a custom SocksPort.
A bit messy but no longer an issue since Tor Messenger was deprecated years ago.