
add proxy capabilities (provides_network) to Whonix-Workstation / move Qubes updates proxy to Whonix-Workstation
Open, Normal, Public

Description

Could we reasonably make a Whonix-Workstation be a ProxyVM (provides_network)?

Running tinyproxy / Qubes updates proxy in a whonix-ws based disposable UpdateVM would have some advantages:

  • Whonix-Gateway firewall rules simplification
  • [ currently ] Qubes torified updates proxy runs in Whonix-Gateway, a VM that has a "wire" to:
    • access Tor: yes
    • access clearnet: yes
      • --> not great
  • [ proposed ] Qubes torified updates proxy runs in Whonix-Workstation, a VM that has a "wire" to:
    • access Tor: yes
    • access clearnet: no
      • --> better
  • Moving the attack surface of tinyproxy from Qubes sys-whonix to a whonix-ws based AppVM running behind sys-whonix.
    • a compromised tinyproxy is less likely to compromise Whonix-Gateway and send clearnet traffic

Other advantages:

  • Prerequisite for Qubes whonix-ws based disposable UpdateVM.
  • (low priority) Allows sanely running a DHCP server on a Whonix-Workstation.
    • (low priority) Opens up for torification of Android emulator. (ref)
    • (low priority) Whonix-Workstation could be assigned a WiFi device and be developed to provide a torified WiFi hotspot (useful for circumvention only, not so much for anonymity)

Related:

Details

Impact
Normal

Event Timeline

A VM does not need to be a ProxyVM or have provides_network=True to serve as updatevm on Qubes 4.0. You just need to start the updates proxy there (tinyproxy, enabled with qvm-service --enable vmname qubes-updates-proxy), and just set the qrexec policy of qubes.UpdatesProxy to direct the traffic there.

If you want it to be a DispVM, it should be easy:

qvm-create --class DispVM -t whonix-ws -l yellow whonix-updateproxy
qvm-prefs whonix-updateproxy netvm sys-whonix
qvm-prefs whonix-updateproxy default_dispvm ''

Such a VM can be started normally; the main difference is that its state (private volume) gets discarded at restart.

So, being an updates proxy is mostly unrelated to providing DHCP service and such.
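
A way to check where the qubes.UpdatesProxy policy mentioned in the comment above actually sends template updates, as an added example that is not part of the ticket or of Qubes/Whonix code. It assumes the Qubes 4.0 policy line format (source, destination, action with an optional target=, first match wins); the helper names, the sample policy and the `$tag:whonix-updatevm` selector in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Qubes 4.0-style qubes.UpdatesProxy policy file.
# Assumed rule format: "<source> <destination> <action>[,target=<vm>]",
# read top to bottom, first match wins, lines starting with '#' are comments.

# Print the decision for a source selector such as '$tag:whonix-updatevm'.
# Simplification: a rule matches when its source field equals the selector
# or '$anyvm'; the destination field and real VM tags are not evaluated.
updates_proxy_decision() {
    awk -v sel="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == sel || $1 == "$anyvm" {
            n = split($3, parts, ",")
            target = ""
            for (i = 2; i <= n; i++)
                if (parts[i] ~ /^target=/) target = substr(parts[i], 8)
            print (target == "" ? parts[1] : parts[1] " " target)
            found = 1
            exit
        }
        END { if (!found) print "deny" }   # no matching rule: call is refused
    ' "$2"
}

# Succeed only if updates from the selector are allowed and sent to $2.
routes_updates_to() {
    [ "$(updates_proxy_decision "$1" "$3")" = "allow $2" ]
}

# Constructed sample policy (hypothetical, not taken from a real system).
write_sample_policy() {
    cat > "$1" <<'EOF'
# Whonix templates update through the disposable proxy VM
$tag:whonix-updatevm $default allow,target=whonix-updateproxy
$tag:whonix-updatevm $anyvm deny
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
EOF
}

policy=$(mktemp)
write_sample_policy "$policy"
updates_proxy_decision '$tag:whonix-updatevm' "$policy"
routes_updates_to '$tag:whonix-updatevm' sys-whonix "$policy" ||
    echo "updates proxy no longer terminates in sys-whonix"
rm -f "$policy"
```

Run against the sample, the first matching rule sends Whonix template updates to whonix-updateproxy, so the sys-whonix check fails and the notice is printed.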