[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Should Whonix host be fully torified by default?

What are the pros and cons of either?

1 Like

Fully torified would mean routing all traffic over Tor which would result in Tor over Tor when using a Whonix VM. Something that isn’t wanted.

Routing only some traffic over Tor (e.g. apt) would be good in my opinion as it anonymizes the host instead of just the VMs.

No torification cons:

  • An attacker could see what packages you have installed and have better idea of what exploits to use as apt isn’t torified.

  • User might use the network on the host and do something like visit a website, potentially deanonymizing them.

  • User might install other software and will be deanonymized if that software phones home.

  • ISP or anyone else monitoring the network can analyse all untorified traffic.

No torification pros:

  • Faster speeds for the host.

  • No extra configuration required.

  • No need for troubleshooting Tor on the host.

1 Like

Please assume we can sort that out using OneVM or so.

We’ll probably would have to add optional clearnet access on demand too even if we went fully torified by default.

Should Whonix host be fully torified by default? is more of a theoretic very long term vision question for now.

1 Like

Interesting. I haven’t heard of using OneVM before. Would the VM be using the host’s Tor client?

Would it be better to use full torification with both VMs and add exceptions for the VMs if that is possible?

That would be useful for captive portals. It could be added as a custom boot parameter like clearnet=on. Maybe there could be a window at start-up with options. Similar to Tails.

Edit: looking at the wiki page, it seems that OneVM would be using the host’s Tor client.

1 Like

I am of the opposite opinion. See my topic here:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/suggestion-remove-or-disable-tor-and-all-whonix-network-related-packages-and-settings-in-whonix-desktop/7384/8

The way I understand it, Whonix Host is “merely” a hardened debian with installed and configured KVM Whonix-Gateway/Workstation VMs with virt-manager.

But network shouldnot be torified.

Reasons:

  • May be installed anywhere anyhow, providing debian hardened security + Whonix VM for Tor activities
  • Do not connect to Tor by default unless the user wants it -> avoiding dangerous situations for the user, ensuring ubiquity
  • Torifiying the Host does not seem useful as Tor is already provided by the Whonix VMs.

This being said maybe torifying the network connections could be chosen by the user, not bye default

2 Likes

Yes.

Some very outdated bits here: https://www.whonix.org/wiki/OneVM

Should we go for torification by default, yes.

Yes.

1 Like

That sounds like a good middle ground. It could be added to the anon connection wizard or as a boot option.

It doesn’t seem too hard to setup. It doesn’t seem as secure as the ordinary way though.

1 Like

What about the cases users need to use different gateway / tor configuration?

For example, today users can use another Gateway when using onionshare. Another disadvantage will be the lack of snapshots that makes it easier to recover from mistakes in configurations.

In general I agree with @onion_knight’s view. Whonix host as a hardened debian / pre-installed Whonix, Tor connections only within the VMs.

1 Like

cant we as well separate Tor in whonix host connection from Tor in GW ?

GW has its own connection and whonix host has its own connection. so torrifying the host wont lead to TorOverTor nor oneVM connection.

TNT_BOM_BOM via Whonix Forum:

cant we as well separate Tor in whonix host connection from Tor in GW ?

GW has its own connection and whonix host has its own connection. so torrifying the host wont lead to TorOverTor nor oneVM connection.

That it’s the state of things anyhow. Whonix-Host and Whonix-Gateway
running separate Tor. A lot easier to implement than Whonix-Host using
Tor running inside Whonix-Gateway.

1 Like

Should Whonix host be fully torified by default?

Reframing the question:
What purposes are we using Whonix Host for besides hosting Whonix VMs in a secure way?

I would argue for turning the Whonix Host into something resembling Dom0 where no internet access is possible for software running there except to update the system and keep accurate network time. Any other cleranet access by other applications will add unnecessary risk.

Since we are applying this policy to Kicksecure (with the important caveat that non anonymous traffic is allowed) this shouldn’t seem controversial a decision IMHO.

1 Like

Good point!

Created for it: Should Whonix-Host have any features besides hosting Whonix VMs in a secure way?

(Created a new thread because this is an important directional decision, can generate better attention and this can be shared on social media.)

Could you please clarify what you are referring to? I am not sure how Kicksecure is related here.

Kicksecure ™: A Security-hardened, Non-anonymous Linux Distribution

Kicksecure is at time of writing available for:

but these are mostly convinience options. More importantly will be in future a Kicksecure ISO.

Well, we can say Whonix is based on Kicksecure but Kicksecure development goal is being standalone and not reliant on Whonix software. Although Kicksecure is unfortunately still hosted on whonix.org which is due to lack of resources, non-ideal and a source of confusion.

1 Like

We Torrify sdwdate and apt on Kicksecure but otherwise no traffic anonymization or restrictions are applied.

As an aside, I think a Kicksecure VM on a Whonix Host as I envision is necessary for dealing with captive portals and stubborn websites like banking that won’t accept Tor.

Kicksecure can potentially be the base for a Unistation on baremetal rather than the final end product for users.

2 Likes

I see.

I was contemplating that.

This goes back to the question: what would users expect from a Whonix-Host? Does something called Whonix-Host generate the impression, that all VMs and all applications running on such a host are torified by default? I guess Should Whonix-Host have any features besides hosting Whonix VMs in a secure way? will tell.

In that case users might shoot their own feet with a Kicksecure VM?
This is specifically bad since SecBrowser in Kicksecure is still branded as “Tor Browser” (as rebranding seems not possible in an easy, reliable way without recompilation which would be too much effort).

This would lead to confusion for sure if not gotten right. Tails renamed their captive portal solution Unsafe Browser to make that clear and then users still use it for all sorts of stuff.

Also not sure yet how that would influence Whonix-Host firewall. Some VMs no connectivity (Whonix-Workstation), some VMs Tor-only connectivity (Whonix-Gateway), some VMs clearnet connectivity (Kicksecure). Related:

That was always possible. Calling it Kicksecure or not. In that case,

  • there wouldn’t be any need to have a website (or wiki page) https://www.whonix.org/wiki/Kicksecure.
  • there wouldn’t have been any need to call it Kicksecure / renamed/restructure packages.

If Kicksecure doesn’t become an end-product for users then there’s little need for it. Was the idea behind Kicksecure. Debian based security (invented as “by-product” of Whonix development) but without focus on anonymity/privacy.

1 Like

Please call for comments in the thread in addition to a poll. We can get more information on what exactly users expect.

Its important to implement VM differentiation because of this. TO-DO research on window borders, desktop wallpapers and so on,

I believe they were using vanilla Firefox as a unsafe browser base.

So here is what I mean by end product family tree:

Kicksecure base -> Kicksecure VM
|
| -> Whonix VM
| -> Whonix Host
|
|-> Unistation Baremetal*

  • Is to become its own separate thing with clearnet access and selective anonymity profiles (potentially VPN/I2P access thrown into the mix) on baremetal, using lightweight app sandboxing to do its thing.

If Unistation too complex with diminishing returns, go for a hardened vanilla baremetal Kicksecure and forget about the whole anonymity part.

1 Like

For initial Whonix-Host release my plan is:

  • no clearnet traffic allowed
  • optional clearnet / captive portal will be sorted out in a later release or user documentation
  • torified traffic for apt and sdwdate

This is because the Whonix brand stands for “the all Tor operating system”. No exceptions. No IFs. That brand must not be damaged / confused / diluted.

1 Like

One method you could do it (using whonix inside a debian based OS) is to install torghost hxxps://github .com/SusmithKrishnan/torghost in the whonix-host,and then start whonix gateway, but in my case sometimes I have some problems.

What do you think about this method?

It would result in Tor over Tor. -> Avoid Tor over Tor Scenarios.

But I think torghost only pass through one node, but it would be tor over tor too. I see.

Interesting package, but I’m not sure why you need it inside Whonix

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]