Page MenuHomePhabricator
Create Task
Maniphest T725

add proxy capabiltiies (provides_network) to Whonix-Workstation / move Qubes updates proxy to Whonix-Workstation
Open, NormalPublic
Actions

Description

Could we reasonably make a Whonix-Workstation be a ProxyVM (provides_network)?

Running tinyproxy / Qubes updates proxy in a whonix-ws based disposable UpdateVM would have some advantages:

  • Whonix-Gateway firewall rules simplification
  • [ currently ] Qubes torified updates proxy runs in Whonix-Gateway, a VM that has a "wire" to:
    • access Tor: yes
    • access clearnet: yes
      • --> not great
  • [ proposed ] Qubes torified updates proxy runs in Whonix-Workstation, a VM that has a "wire" to:
    • access Tor: yes
    • access clearnet: no
      • --> better
  • Moving the attack surface of tinyproxy from Qubes sys-whonix to a whonix-ws based AppVM running behind sys-whonix.
    • a compromised tinyproxy is less likely of compromising Whonix-Gateway and sending clearnet traffic

Other advantages:

  • Prerequisite for Qubes whonix-ws based disposable UpdateVM.
  • (low priority) Allows sanely running an DHCP server on a Whonix-Workstation.
    • (low priority) Opens up for torification of Android emulator. (ref)
    • (low priority) Whonix-Workstation could be assigned a WiFi device and being developed to provide a torified WiFi hotspot (useful for circumvention only, not so much for anonymity)

Related:

Details

Impact
Normal

Related Objects

Event Timeline

Patrick created this task.Nov 3 2017, 1:16 PM
Herald added a project: Whonix. · View Herald TranscriptNov 3 2017, 1:16 PM
Herald added a subscriber: WhonixQubes. · View Herald Transcript
marmarek added a comment.Nov 3 2017, 1:46 PM

VM do not need to be a ProxyVM or have provides_network=True to serve as updatevm on Qubes 4.0. You just need to start updates proxy there (tinyproxy, enabled with qvm-service --enable vmname qubes-updates-proxy), and just qrexec policy of qubes.UpdatesProxy to direct the traffic there.

If you want it to be a DispVM, it should be easy:

qvm-create --class DispVM -t whonix-ws -l yellow whonix-updateproxy
qvm-prefs whonix-updateproxy netvm sys-whonix
qvm-prefs whonix-updateproxy default_dispvm ''

Such VM can be started normally, the main difference is that its state (private volume) gets discarded at restart.

So, being updates proxy is mostly unrelated to providing DHCP service and such.

Patrick mentioned this in T766: use tinyproxy socks proxy support once available in Qubes-Whonix-Gateway.Feb 6 2018, 7:39 PM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer