It somewhat clashes with Whonix’s stream isolation design. (Stream Isolation)
The issue is documented here:
Combining Tunnels with Tor
There is an idea to simplify this:
https://phabricator.whonix.org/T142
I have a local git branch that implements the VPN_FIREWALL feature in Whonix-Workstation Firewall. But it currently breaks applications that are configured to use a SocksPort.
Let’s take for example XChat. How should XChat connect when VPN_FIREWALL has been enabled on Whonix-Workstation? Certainly, user → Tor → destination would be wrong? So best VPN_FIREWALL could do for now is cutting off its internet access until XChat gets configured to use “no proxy”, i.e. “use system defaults”, which would go through the VPN, i.e. then it would go user → Tor → VPN → destination. (Setting to “no proxy” for VPN users could be done at a later point and is not part of this issue. Much later.)
But what about a few other “likely-fingerprintable-if-using-the-same-Tor-or-VPN-exit” connections? Such as:
- whonixcheck: Tor SocksPort Test (documented here: systemcheck - Security Check Application)
- whonixcheck: Tor Browser Update Check
- whonixcheck: Whonix News Check
- tb-updater: Tor Browser Download
- sdwdate
Should those go user → Tor → VPN → destination? Or just user → Tor → destination?
What speaks against letting them exit through the VPN (user → Tor → VPN → destination)? Then the VPN might be able to identify the user as a Whonix user.
What speaks against those not going through the VPN (user → Tor → destination)? Some users add the VPNs for eventual better anonymity/privacy/security. (Eventual as in, it’s not part of this topic, see: also TorPlusVPN · Wiki · Legacy / Trac · GitLab) Those users would expect the VPN to be always used and would not worry about fingerprinting so much. Skipping the VPN would be unexpected.
Both defaults would be bad.
At the moment I think it would be best to cut off all Tor SocksPort access by default, i.e. make sure applications not configured to use a Tor SocksPort, i.e. configured to use system defaults, would result in using user → Tor → VPN → destination, and everything else (XChat still configured to use a Tor SocksPort, whonixcheck, tb-updater) would just fail closed. And then give an option (or as a mid term solution just documentation) on how users can allow direct Tor SocksPort (i.e. user → Tor → destination) exceptions. And another option (or as a mid term solution just documentation) on how to configure the “likely-fingerprintable-if-using-the-same-Tor-or-VPN-exit” applications to not use a proxy, i.e. so they also use user → Tor → VPN → destination?
Except for sdwdate. Since it will only use Tor Hidden Services in Whonix 10, there is no way to make it exit through VPNs.
Ticket:
https://phabricator.whonix.org/T158
Thoughts?