Name: qubes-app-linux-tor
Owner: Qubes OS Project
Description: Qubes component: app-linux-tor
Created: 2015-02-11 01:27:27.0
Updated: 2018-04-05 15:17:00.0
Pushed: 2018-04-05 15:16:58.0
Homepage: null
Size: 120
Language: Shell
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
Qubes TorVM is a ProxyVM service that provides torified networking to all its clients.
By default, any AppVM using the TorVM as its NetVM will be fully torified, so even applications that are not Tor aware will be unable to access the outside network directly.
Moreover, AppVMs running behind a TorVM are not able to access globally identifying information (IP address and MAC address).
Due to the nature of the Tor network, only IPv4 TCP and DNS traffic is allowed. All non-DNS UDP and IPv6 traffic is silently dropped.
See this article for a description of the concept, architecture, and the original implementation.
Qubes TorVM is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
Qubes TorVM is not a magic anonymizing solution. Protecting your identity requires a change in behavior. Read the “Protecting Anonymity” section below.
Traffic originating from the TorVM itself IS NOT routed through Tor. This includes system updates to the TorVM. Only traffic from VMs using TorVM as their NetVM is torified.
(Optional) If you want to use a separate vm template for your TorVM
qvm-clone fedora-20-x64 fedora-20-x64-net
In dom0, create a proxy vm and disable unnecessary services and enable qubes-tor
qvm-create -p torvm
qvm-service torvm -d qubes-netwatcher
qvm-service torvm -d qubes-firewall
qvm-service torvm -e qubes-tor
# if you created a new template in the previous step
qvm-prefs torvm -s template fedora-20-x64-net
From your template vm, install the torproject Fedora repo
sudo yum install qubes-tor-repo
Then, in the template, install the TorVM init scripts
sudo yum install qubes-tor
Configure an AppVM to use TorVM as its netvm (example a vm named anon-web)
qvm-prefs -s anon-web netvm torvm
… repeat for other appvms …
Shutdown templateVM.
Set prefs of torvm to use your default netvm or firewallvm as its NetVM
Start the TorVM and any AppVM you have configured
From the AppVM, verify torified connectivity
curl https://check.torproject.org
Check if the qubes-tor service is running (on the torvm)
[user@torvm] $ sudo service qubes-tor status
Tor logs to syslog, so to view messages use
[user@torvm] $ sudo grep Tor /var/log/messages
Restart the qubes-tor service (and repeat 1-2)
[user@torvm] $ sudo service qubes-tor restart
Applications should “just work” behind a TorVM, however there are some steps you can take to protect anonymity and increase performance.
The TorVM only purports to prevent the leaking of two identifiers:
This is accomplished through transparent TCP and transparent DNS proxying by the TorVM.
The TorVM cannot anonymize information stored or transmitted from your AppVMs behind the TorVM.
Non-comprehensive list of identifiers TorVM does not protect:
In order to mitigate identity correlation TorVM makes use of Tor's new stream isolation feature. Read “Threat Model” below for more information.
However, this isn't desirable in all situations, particularly web browsing. These days loading a single web page requires fetching resources (images, javascript, css) from a dozen or more remote sources. Moreover, the use of IsolateDestAddr in a modern web browser may create very uncommon HTTP behavior patterns, that could ease fingerprinting.
Additionally, you might have some apps that you want to ensure always share a Tor circuit or always get their own.
For these reasons TorVM ships with two open SOCKS5 ports that provide Tor access with different stream isolation settings:
Each AppVM gets its own circuit, and each app using a unique SOCKS
user/pass gets its own circuit
Same as default settings listed above, but additionally traffic
is isolated based on destination port and destination address.
Default tor settings are found in the following file and are the same across all TorVMs.
/usr/lib/qubes-tor/torrc
You can override these settings in your TorVM, or provide your own custom settings by appending them to:
/rw/config/qubes-tor/torrc
For information on tor configuration settings man tor
TorVM assumes the same Adversary Model as TorBrowser, but does not, by itself, have the same security and privacy requirements.
The primary security requirement of TorVM is Proxy Obedience.
Client AppVMs MUST NOT bypass the Tor network and access the local physical network, internal Qubes network, or the external physical network.
Proxy Obedience is assured through the following:
TorVM SHOULD prevent identity correlation among network services.
Without stream isolation, all traffic from different activities or “identities” in different applications (e.g., web browser, IRC, email) end up being routed through the same tor circuit. An adversary could correlate this activity to a single pseudonym.
TorVM uses the default stream isolation settings for transparently torified traffic. While more paranoid options are available, they are not enabled by default because they decrease performance and in most cases don't help anonymity (see this tor-talk thread)
By default TorVM does not use the most paranoid stream isolation settings for
transparently torified traffic due to performance concerns. By default TorVM
ensures that each AppVM will use a separate tor circuit (IsolateClientAddr
).
For more paranoid use cases the SOCKS proxy port 9049 is provided that has all stream isolation options enabled. User applications will require manual configuration to use this socks port.
Qubes TorVM is inspired by much of the previous work done in this area of transparent torified solutions. Notably the following: