I’m using different AppVMs in Qubes, and they are connected to sys-whonix. In some VMs (Fedora or Debian template) Telegram and other social media are running. In some VMs (anon-whonix) there is Tor Browser. In other VMs there is some other stuff running.
My question is how does Whonix work in this case. Does Whonix allocate a different entry guard node to each AppVM? If it doesn’t allocate different entry guard nodes to these different AppVMs, and say it has only 3 entry guard nodes, does it route the traffic from these different AppVMs to 1 of the 3 entry guards? I mean, does it always allocate 1 entry guard to 1 specific AppVM, or does it split the traffic from 1 AppVM across all 3 entry guard nodes simultaneously (and hence split the traffic from the other VMs across all 3 entry guard nodes simultaneously as well), or does it rotate the traffic from 1 specific AppVM through each of the 3 after some time (I mean, for a minute it uses guard 1, the next minute it uses guard 2 and so on, instead of using all 3 simultaneously)?
My ISP sees the entry guard nodes. If it uses different entry guards for different AppVMs, or always uses 1 entry guard node (out of the 3) for 1 specific AppVM, then it would be bad for anonymity because of traffic correlation. It would be better if all the traffic is mixed up.
Those are valid considerations which were addressed “Tor-wise” long ago.
All AppVMs share the same Tor process in sys-whonix, so they all use the exact same set of entry guards (usually 2–3, with one primary guard that stays for months).
Tor does not split one VM’s traffic across all guards at once, nor does it rotate guards per VM every few minutes. All traffic from all VMs is mixed at the gateway and routed over circuits from this single guard set.
Your ISP therefore only sees connections to the same small group of entry guards for everything.
This is actually good for anonymity. Tor deliberately keeps entry guards stable for a long time — frequent changes would make correlation attacks easier.
Check this out for more info:
If you want separate guards for different activities, you need multiple Whonix gateways — but that is usually not recommended, as fresh guards per gateway weaken the protection.
Thanks for the reply @Patrick and @lars-qubes. So let’s say there is an Application A in the first AppVM (whonix-workstation), an Application B in the second AppVM (fedora-template), and an Application C in the same second AppVM (fedora-template). And let’s say there are 3 entry guards 1, 2 and 3 powering 10 circuits. How does the Whonix gateway allocate the traffic from the 3 applications?
So, as an example, does the Whonix gateway send traffic from A to 1, B to 2 and C to 3, and the next minute change to A to 2, B to 2, and C to 1?
Or, as you said, is the traffic (the packets) from A mixed by the gateway and sent across 1, 2 and 3? In other words, packet 1 of A gets sent to 2, packet 2 of A gets sent to 1, packet 3 of A gets sent to 3? With the same happening for Applications B and C as well? So if Application B is a download, then the packets from B get spread across 1, 2 and 3, and my ISP sees heavy download traffic at all 3 entry nodes?
It’s a Tor feature. Tor does that based on IsolateClientAddr (and IsolateSOCKSAuth, if applicable). The details on how Tor specifically is doing that are up to Tor only and unspecific to Whonix.
tor-ctrl-observer might be useful to watch Tor streams.
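The behaviour the two replies above describe (one shared guard set in sys-whonix, but separate circuits per client address because of IsolateClientAddr) can be checked directly from the Tor control port, which is also what a stream watcher such as tor-ctrl-observer reads. The following is an added example written for this thread; it is not code from Whonix, Tor or tor-ctrl-observer. It parses the asynchronous `650 CIRC ...` and `650 STREAM ...` event lines of Tor's control protocol, joins each attached stream to its circuit via the circuit id, and reports which entry guard (first hop) each client source address ended up on. The event lines are constructed sample data: the fingerprints, nicknames, circuit ids and the 10.137.0.x addresses standing in for two AppVMs are made up.

```python
"""Join Tor control-port CIRC and STREAM events to see which entry guard each
client source address (an AppVM behind the Whonix gateway) actually uses.

Added example for this thread, not code from Whonix, Tor or tor-ctrl-observer.
The sample events below are constructed in the line format of Tor's control
protocol events; relay fingerprints, nicknames and IPs are made up.
"""
from collections import defaultdict


def relay(fp_char, nickname):
    """Build a constructed '$FINGERPRINT~nickname' path element (40 hex chars)."""
    return "$" + fp_char * 40 + "~" + nickname


# Constructed sample: three circuits, all entering through the same two-guard
# set (GuardA, GuardB). 10.137.0.12 plays the first AppVM, 10.137.0.21 the
# second one. Streams 31/32 come from the first VM, 33/34 from the second.
SAMPLE_EVENTS = "\n".join([
    f"650 CIRC 7 BUILT {relay('A', 'GuardA')},{relay('1', 'MidA')},{relay('2', 'ExitA')} PURPOSE=GENERAL",
    f"650 CIRC 8 BUILT {relay('B', 'GuardB')},{relay('3', 'MidB')},{relay('4', 'ExitB')} PURPOSE=GENERAL",
    f"650 CIRC 9 BUILT {relay('A', 'GuardA')},{relay('5', 'MidC')},{relay('6', 'ExitC')} PURPOSE=GENERAL",
    "650 STREAM 31 SUCCEEDED 7 149.154.167.99:443 SOURCE_ADDR=10.137.0.12:50211 PURPOSE=USER",
    "650 STREAM 32 SUCCEEDED 7 149.154.167.99:443 SOURCE_ADDR=10.137.0.12:50212 PURPOSE=USER",
    "650 STREAM 33 SUCCEEDED 8 93.184.216.34:443 SOURCE_ADDR=10.137.0.21:40121 PURPOSE=USER",
    "650 STREAM 34 SUCCEEDED 9 93.184.216.34:443 SOURCE_ADDR=10.137.0.21:40122 PURPOSE=USER",
]) + "\n"

# Constructed violation: a stream from the first VM attached to circuit 8,
# which already carries the second VM's streams. IsolateClientAddr (on by
# default for a SocksPort) is what prevents Tor from doing this.
SHARED_CIRCUIT_EVENT = (
    "650 STREAM 35 SUCCEEDED 8 149.154.167.99:443 "
    "SOURCE_ADDR=10.137.0.12:50213 PURPOSE=USER\n"
)


def parse_events(text):
    """Return (circuits, streams).

    circuits: circuit id -> list of relay nicknames; hop 0 is the entry guard.
    streams:  stream id -> (circuit id, client source IP) for attached streams.
    """
    circuits, streams = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "650":
            continue
        kind = fields[1]
        if kind == "CIRC" and len(fields) > 4 and fields[4].startswith("$"):
            # fields[4] is the comma-separated path; keep nickname or fingerprint
            circuits[fields[2]] = [
                hop.split("~", 1)[1] if "~" in hop else hop[:41]
                for hop in fields[4].split(",")
            ]
        elif kind == "STREAM" and len(fields) > 5 and fields[4] != "0":
            # 650 STREAM <id> <status> <circ id> <target> KEY=VALUE ...
            source = next((f.split("=", 1)[1] for f in fields[6:]
                           if f.startswith("SOURCE_ADDR=")), None)
            if source is not None:
                streams[fields[2]] = (fields[4], source.rsplit(":", 1)[0])
    return circuits, streams


def circuits_by_source(text):
    """Map each client source IP to the set of circuit ids it used."""
    _, streams = parse_events(text)
    result = defaultdict(set)
    for circ_id, source_ip in streams.values():
        result[source_ip].add(circ_id)
    return dict(result)


def guards_by_source(text):
    """Map each client source IP to the set of entry guards its circuits used."""
    circuits, streams = parse_events(text)
    result = defaultdict(set)
    for circ_id, source_ip in streams.values():
        if circ_id in circuits:
            result[source_ip].add(circuits[circ_id][0])
    return dict(result)


def circuits_shared_across_sources(text):
    """Circuit ids carrying streams from more than one source IP (should be empty)."""
    _, streams = parse_events(text)
    sources = defaultdict(set)
    for circ_id, source_ip in streams.values():
        sources[circ_id].add(source_ip)
    return sorted(c for c, ips in sources.items() if len(ips) > 1)


if __name__ == "__main__":
    for ip, guards in sorted(guards_by_source(SAMPLE_EVENTS).items()):
        circs = sorted(circuits_by_source(SAMPLE_EVENTS)[ip])
        print(f"{ip}: circuits {circs}, entry guards {sorted(guards)}")
    print("shared circuits:", circuits_shared_across_sources(SAMPLE_EVENTS))
    print("shared circuits with violation:",
          circuits_shared_across_sources(SAMPLE_EVENTS + SHARED_CIRCUIT_EVENT))
```

On the constructed data both VMs end up on the same two guards (the first VM only on GuardA, the second on GuardA and GuardB), while no circuit carries streams from both VMs; only the deliberately added stream 35 makes `circuits_shared_across_sources` non-empty. Fed with real events (for example via stem's `Controller.add_event_listener` for `CIRC` and `STREAM`, after `SETEVENTS CIRC STREAM`), the same join shows what the ISP-facing side looks like: per-VM circuits, but one guard set for everything.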
@Patrick Thanks. OK, so Tor handles it. So what exactly happens with the real-world example I gave before? How does the traffic from applications A, B (a download happening) and C (in the first and second AppVMs) get routed through the 3 entry nodes? What amount of traffic does my ISP see at the 3 entry nodes? At which entry nodes do the packets from the 3 applications end up, and does it always route through the same entry node, or does it switch nodes after some time, or does packet 1 of A get sent to 2, packet 2 of A get sent to 1, packet 3 of A get sent to 3, and so on?
@Patrick Thanks. I already searched extensively on search engines and in the documentation but couldn’t find an answer to my above questions. If I’m on Telegram and Telegram connects to an entry node and no other application is connected to that node, this would mean an adversary who is monitoring my connection and the Telegram group I’m replying in can deanonymize me by traffic correlation.