Re: [qubes-users] Per-VM stream isolation in Whonix

2019-10-06 Thread Patrick Schleizer
tetrahedra via qubes-users:
> On Fri, Sep 27, 2019 at 01:37:06PM +, Claudia wrote:
>> Isolating apps in the same VM is a different issue, but you're saying
>> traffic from different VMs is appearing to come from the same address?
>>
>> Hmm, that definitely should not be happening. VM isolation is enabled
>> out of the box. Different VMs, whonix or otherwise, should never share
>> circuits. IsolateClientAddr (on by default) in whonix-gw's torrc
>> should isolate streams originating from different addresses/VMs, no
>> matter what OS or apps they're running.
> 
> I don't see that setting in
> /usr/local/etc/torrc.d/40_tor_control_panel.conf or in 50_user.conf ...
> which torrc is that setting supposed to be in?
> 


/usr/share/tor/tor-service-defaults-torrc

https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist

https://www.whonix.org/wiki/Dev/git#grep_Whonix_source_code

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3b427b05-a407-283b-1ec1-8382ba47bb81%40whonix.org.


Re: [qubes-users] Per-VM stream isolation in Whonix

2019-10-02 Thread tetrahedra via qubes-users

On Mon, Sep 30, 2019 at 04:15:26PM +, Claudia wrote:
> To make sure IsolateClientAddr is working (as opposed to
> IsolateSOCKSAuth), you can run
>
>     curl.anondist-orig https://check.torproject.org
>
> in two different whonix-ws VMs at the same time, and make sure they
> output different addresses. You should also see
> check.torproject.org:443 pop up in Onion Circuits under different
> circuits. If they show up under the same circuit, or output the same
> address, then IsolateClientAddr is indeed broken.
>
> Bonus points: try running that command twice in the **same** VM, and
> it should (usually) output the same address both times.


Both steps worked exactly as they should have. Thank you for your help!



Re: [qubes-users] Per-VM stream isolation in Whonix

2019-10-01 Thread Claudia

tetrahedra via qubes-users:
> On Mon, Sep 30, 2019 at 08:05:44AM +, Claudia wrote:
>> Glad to hear it's working. I guess I should have asked at the
>> beginning... What brought you to the conclusion they were using the
>> same circuits? I assumed you were using check.torproject.org or
>> another "what is my IP" site, but if looking at tcpdump or something,
>> there are plenty of reasons they might connect to the same IP.
>> Although, I think you would only see the local connection to
>> sys-whonix, so I'm still not exactly sure what's going on here.
>
> I am using the Onion Circuits GUI app to display all outgoing circuits
> and their destination IPs.



Okay, it makes more sense now.

To make sure IsolateClientAddr is working (as opposed to 
IsolateSOCKSAuth), you can run


 curl.anondist-orig https://check.torproject.org

in two different whonix-ws VMs at the same time, and make sure they 
output different addresses. You should also see check.torproject.org:443 
pop up in Onion Circuits under different circuits. If they show up under 
the same circuit, or output the same address, then IsolateClientAddr is 
indeed broken.


Bonus points: try running that command twice in the **same** VM, and it 
should (usually) output the same address both times.


(Note: You need to use `curl.anondist-orig` because otherwise curl will 
be transparently wrapped by torsocks and will use SOCKS isolation 
anyway. 
https://www.whonix.org/wiki/Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper 
)


If you're still seeing something that doesn't look right, please post a 
screenshot if possible :)




Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-30 Thread tetrahedra via qubes-users

On Mon, Sep 30, 2019 at 08:05:44AM +, Claudia wrote:
> Glad to hear it's working. I guess I should have asked at the
> beginning... What brought you to the conclusion they were using the
> same circuits? I assumed you were using check.torproject.org or
> another "what is my IP" site, but if looking at tcpdump or something,
> there are plenty of reasons they might connect to the same IP.
> Although, I think you would only see the local connection to
> sys-whonix, so I'm still not exactly sure what's going on here.


I am using the Onion Circuits GUI app to display all outgoing circuits
and their destination IPs.



Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-30 Thread Claudia

tetrahedra via qubes-users:
> On Sun, Sep 29, 2019 at 02:42:29PM +, Claudia wrote:
>> You can try viewing your active tor settings in Nyx (preinstalled in
>> Whonix) rather than from torrc directly. Just in case some setting is
>> being overridden or something like that. See
>> https://www.whonix.org/wiki/Tor_Controller and
>> https://nyx.torproject.org/#config_editor
>
> I don't see any mention of the relevant settings at all in the "Arm tor
> controller" app. Nyx does not appear to be installed at all.

They're the same thing. Arm was renamed to Nyx in newer versions, that's 
all. IsolateClientAddr and IsolateSOCKSAuth are on by default, so as 
long as they're not showing as off, you should be okay.

> On further troubleshooting it looks like separate VMs may have been
> connecting to the same IP addresses (as part of checking for updates) at
> the same time, and that may have been producing the effects I have seen.
>
> IsolateSOCKSAuth appears to be working as intended.



Glad to hear it's working. I guess I should have asked at the 
beginning... What brought you to the conclusion they were using the same 
circuits? I assumed you were using check.torproject.org or another "what 
is my IP" site, but if looking at tcpdump or something, there are plenty 
of reasons they might connect to the same IP. Although, I think you 
would only see the local connection to sys-whonix, so I'm still not 
exactly sure what's going on here.




Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-30 Thread Rusty Bird

tetrahedra:
> Naturally I want Alice to appear to be using a different IP address than
> Bob, else the two identities are linked.
> 
> Right now it appears this is not necessarily the case -- the network
> traffic of AppVMs A and B may end up using the same Tor circuits (and
> exit nodes).

The circuits should be isolated out of the box, but it's normal and
good that two different circuits will sometimes happen to use the same
exit.

It would in fact hurt your anonymity if that *wasn't* the case,
because then the destination services could (over time) correlate two
supposedly isolated workloads purely from the observation that they
mysteriously, against all odds, never ever come from the same exit IP
address. Which would be expected to happen occasionally if they were
really from two different people using Tor on different computers...

OTOH, if you're often connecting to related services using e.g.
different pseudonyms at the same time, that alone will correlate the
workloads: It would be unlikely for different people to be so in sync
with their usage patterns, no matter if their network connections are
perfectly anonymous.

Rusty


Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-30 Thread tetrahedra via qubes-users

On Sun, Sep 29, 2019 at 02:42:29PM +, Claudia wrote:
> You can try viewing your active tor settings in Nyx (preinstalled in
> Whonix) rather than from torrc directly. Just in case some setting is
> being overridden or something like that. See
> https://www.whonix.org/wiki/Tor_Controller and
> https://nyx.torproject.org/#config_editor


I don't see any mention of the relevant settings at all in the "Arm tor
controller" app. Nyx does not appear to be installed at all.

On further troubleshooting it looks like separate VMs may have been
connecting to the same IP addresses (as part of checking for updates) at
the same time, and that may have been producing the effects I have seen.

IsolateSOCKSAuth appears to be working as intended.



Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-29 Thread Claudia

tetrahedra via qubes-users:
> On Fri, Sep 27, 2019 at 01:37:06PM +, Claudia wrote:
>> Isolating apps in the same VM is a different issue, but you're saying
>> traffic from different VMs is appearing to come from the same address?
>>
>> Hmm, that definitely should not be happening. VM isolation is enabled
>> out of the box. Different VMs, whonix or otherwise, should never share
>> circuits. IsolateClientAddr (on by default) in whonix-gw's torrc
>> should isolate streams originating from different addresses/VMs, no
>> matter what OS or apps they're running.
>
> I don't see that setting in
> /usr/local/etc/torrc.d/40_tor_control_panel.conf or in 50_user.conf ...
> which torrc is that setting supposed to be in?



I don't think it matters. It would be at the end of a 
SOCKSPort/TransPort/DNSPort/etc line. The syntax is


SocksPort [address:]port|unix:path|auto [flags] [isolation flags]

but IsolateClientAddr is enabled by default, so it doesn't have to be 
specified at all. To turn it off you have to specify 
NoIsolateClientAddr. IsolateSOCKSAuth is similarly on by default.


You can try viewing your active tor settings in Nyx (preinstalled in 
Whonix) rather than from torrc directly. Just in case some setting is 
being overridden or something like that. See 
https://www.whonix.org/wiki/Tor_Controller and 
https://nyx.torproject.org/#config_editor


Note if you specified a TrackHostExits in your config, there is a bug 
that causes isolation flags to be ignored.


If you're seeing the same exit address in different whonix-ws VMs, it 
sounds like IsolateSOCKSAuth isn't working either. Tor browser randomly 
generates a SOCKS username and password at startup (or at least after 
you hit "new identity", I forget), so Tor Browsers should always be 
isolated, even from the same client address.


Try opening two Tor Browsers in different VMs, navigate to 
check.torproject.org in both, then click menu -> "new Tor circuit for 
this site" in both. If you still get the same address in both, then 
socks auth isolation isn't working either.


You can also try reinstalling the whonix-gw template and recreating 
sys-whonix. It might fix it, but more importantly it will tell us if 
it's a reproducible issue.


I saw in another thread you asked about using two separate whonix-gw 
VMs. Did you try this, and did it work? (It shouldn't be necessary, I'm 
just wondering if it worked.)


Other than that, you might have to ask on the Whonix list/forum, but if 
you find a solution please follow up here :)


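Claudia's description above of the SocksPort syntax and of the IsolateClientAddr / IsolateSOCKSAuth defaults can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, Whonix or Tor: it parses listener lines out of torrc text, applies Tor's defaults (both flags on unless negated with a "No" prefix) and reports the two conditions the thread raises, a port with NoIsolateClientAddr and a TrackHostExits line. The sample torrc, the 127.0.0.1 ports and the function names are constructed for this example.

```python
import re

# Listener options whose trailing tokens carry isolation flags (the thread quotes
# the SocksPort syntax; Tor's other client ports take the same flags).
LISTENERS = {"socksport", "transport", "dnsport", "natdport", "httptunnelport"}
# Tor's documented isolation flags, keyed by lowercase name for matching.
ISOLATION_FLAGS = {f.lower(): f for f in (
    "IsolateClientAddr", "IsolateSOCKSAuth", "IsolateClientProtocol",
    "IsolateDestPort", "IsolateDestAddr")}
# On by default; only an explicit "No" prefix turns them off.
DEFAULT_ON = {"IsolateClientAddr", "IsolateSOCKSAuth"}

# Constructed sample torrc (not a Whonix file); the flags mirror the thread.
SAMPLE_TORRC = """\
SocksPort 127.0.0.1:9050 NoIsolateClientAddr   # VMs behind this port may share circuits
SocksPort 127.0.0.1:9100 IsolateDestAddr IsolateDestPort
TransPort 127.0.0.1:9040
DNSPort 127.0.0.1:5300 NoIsolateSOCKSAuth
TrackHostExits .example.com
"""

def effective_isolation(flags):
    """Apply Tor's defaults, then the explicit flags in order ("No" prefix disables).
    Returns (active isolation flags, SessionGroup or None); names are case-insensitive."""
    active = set(DEFAULT_ON)
    session_group = None
    for flag in flags:
        low = flag.lower()
        if low.startswith("sessiongroup="):
            session_group = int(low.split("=", 1)[1])
            continue
        negated = low.startswith("no")
        name = ISOLATION_FLAGS.get(low[2:] if negated else low)
        if name is None:
            continue  # non-isolation flag such as OnionTrafficOnly, or unknown
        if negated:
            active.discard(name)
        else:
            active.add(name)
    return active, session_group

def parse_torrc(text):
    """Parse listener lines out of torrc text; comments and other options are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0].lower() not in LISTENERS:
            continue
        isolation, group = effective_isolation(tokens[2:])
        entries.append({"line": lineno, "option": tokens[0], "listen": tokens[1],
                        "isolation": isolation, "session_group": group})
    return entries

def audit(text):
    """Findings relevant to per-VM isolation on a Whonix-style gateway."""
    findings = []
    for e in parse_torrc(text):
        if "IsolateClientAddr" not in e["isolation"]:
            findings.append(f"line {e['line']}: {e['option']} {e['listen']} has "
                            "NoIsolateClientAddr, so clients behind it can share circuits")
    if re.search(r"^\s*TrackHostExits\b", text, re.M | re.I):
        findings.append("TrackHostExits is set; the thread reports a Tor bug that "
                        "then ignores isolation flags")
    return findings
```

Run it over the concatenation of the defaults file and every torrc.d fragment, since a later line can only add a listener, not change an earlier one's flags.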


Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-28 Thread tetrahedra via qubes-users

On Fri, Sep 27, 2019 at 01:37:06PM +, Claudia wrote:
> Isolating apps in the same VM is a different issue, but you're saying
> traffic from different VMs is appearing to come from the same address?
>
> Hmm, that definitely should not be happening. VM isolation is enabled
> out of the box. Different VMs, whonix or otherwise, should never share
> circuits. IsolateClientAddr (on by default) in whonix-gw's torrc
> should isolate streams originating from different addresses/VMs, no
> matter what OS or apps they're running.


I don't see that setting in
/usr/local/etc/torrc.d/40_tor_control_panel.conf or in 50_user.conf ...
which torrc is that setting supposed to be in?



Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-27 Thread Claudia

tetrahedra via qubes-users:
> On Sun, Sep 22, 2019 at 02:51:00PM +, 'awokd' via qubes-users wrote:
>> tetrahedra via qubes-users:
>>> Is there any way to automatically do stream isolation on a per-VM basis?
>>>
>>> Right now it appears this is not necessarily the case -- the network
>>> traffic of AppVMs A and B may end up using the same Tor circuits (and
>>> exit nodes).
>>>
>>> Is there a way to set this up?
>>
>> Stream isolation is enabled out of the box - per application in most
>> cases, per tab & TLD in Tor Browser
>> (https://www.whonix.org/wiki/Stream_Isolation).
>
> I am referring to stream isolation for non-Whonix Workstation based VMs,
> and/or for applications which are not wrapped by `uwt` (e.g. Signal).
>
> It would seem that different VMs ought to be stream isolated by default
> (they are different VMs, we obviously want them isolated as much as
> possible!)...



Isolating apps in the same VM is a different issue, but you're saying 
traffic from different VMs is appearing to come from the same address?


Hmm, that definitely should not be happening. VM isolation is enabled 
out of the box. Different VMs, whonix or otherwise, should never share 
circuits. IsolateClientAddr (on by default) in whonix-gw's torrc should 
isolate streams originating from different addresses/VMs, no matter what 
OS or apps they're running.





Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-22 Thread tetrahedra via qubes-users

On Sun, Sep 22, 2019 at 02:51:00PM +, 'awokd' via qubes-users wrote:
> tetrahedra via qubes-users:
>> Is there any way to automatically do stream isolation on a per-VM basis?
>>
>> Right now it appears this is not necessarily the case -- the network
>> traffic of AppVMs A and B may end up using the same Tor circuits (and
>> exit nodes).
>>
>> Is there a way to set this up?
>
> Stream isolation is enabled out of the box - per application in most
> cases, per tab & TLD in Tor Browser
> (https://www.whonix.org/wiki/Stream_Isolation).


I am referring to stream isolation for non-Whonix Workstation based VMs,
and/or for applications which are not wrapped by `uwt` (e.g. Signal).

It would seem that different VMs ought to be stream isolated by default
(they are different VMs, we obviously want them isolated as much as
possible!)...



Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-22 Thread 'awokd' via qubes-users
tetrahedra via qubes-users:
> Is there any way to automatically do stream isolation on a per-VM basis?

> Right now it appears this is not necessarily the case -- the network
> traffic of AppVMs A and B may end up using the same Tor circuits (and
> exit nodes).
> 
> Is there a way to set this up?
> 
Stream isolation is enabled out of the box - per application in most
cases, per tab & TLD in Tor Browser
(https://www.whonix.org/wiki/Stream_Isolation).

If you want the VMs to use different guard nodes, you can point them at
separate Whonix gateways
(https://www.whonix.org/wiki/Multiple_Whonix-Gateway). However, keep in
mind there are trade-offs
(https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters)
to using additional guards.



[qubes-users] Per-VM stream isolation in Whonix

2019-09-22 Thread tetrahedra via qubes-users

Is there any way to automatically do stream isolation on a per-VM basis?

For example:

I start AppVM "A", with networking via Whonix, and interact with the
internet as "Alice"

I start AppVM "B", with networking via Whonix, and interact with the
internet as "Bob"

Naturally I want Alice to appear to be using a different IP address than
Bob, else the two identities are linked.

Right now it appears this is not necessarily the case -- the network
traffic of AppVMs A and B may end up using the same Tor circuits (and
exit nodes).

Is there a way to set this up?
