Having already taken the second step, posting how to use corridor, a Tor traffic whitelisting gateway, with Qubes-Whonix, I will now take the first step: a general announcement of an interesting third-party project, corridor. Please forget about Whonix for a moment while I explain what the corridor project does by default.
corridor is a Tor traffic whitelisting gateway. It is a filtering gateway, not a proxying gateway.
corridor can be used to check for leaks from systems or programs that should generate only Tor traffic. corridor can log any clearnet (non-Tor) traffic and will block it.
Ideally, corridor gets installed on a physically isolated device running Debian with two network adapters. Let’s call that corridor-Gateway. Then start Tails, TBB or Whonix behind such a corridor-Gateway. Should there be any accidental clearnet traffic (leaks), then corridor could log it and would block it.
Alternatively, corridor can be installed in a Debian-based VM. Another VM could run Tails, TBB or Whonix-Gateway. These VMs would be configured to connect through corridor-Gateway.
In pure corridor, non-Whonix terms, let’s call these VMs corridor-Gateway and corridor-Workstation.
In a corridor-like setup, it is up to the corridor-Workstation to run its own Tor client to establish connections. The corridor-Gateway will run its own, separate Tor client. For the simplicity of the design, corridor-Workstation does not have access to Tor’s ControlPort running on corridor-Gateway. Again, corridor-Gateway is not a proxying gateway, it is a filtering gateway. The main purpose of the Tor client running on corridor-Gateway is to obtain the current list of Tor entry guards. corridor-Gateway’s firewall restricts all outgoing connections to Tor relays [or Tor bridges].
This is not necessarily more anonymous. It is an additional fail-safe Tor traffic whitelisting firewall that would protect from accidental clearnet leaks (hypothetical clearnet leak bugs in TBB, Tails or Whonix). As corridor’s project description states, quote “it cannot prevent malware on a client computer from finding out your clearnet IP address”.
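The whitelisting decision described above can be sketched as follows. This is an added example, not corridor's own code: it assumes the guard list is available as consensus-style `r`/`s` status lines, the function names `guard_allowlist` and `filter_flows` are hypothetical, and all relay entries and flows are constructed sample data.

```python
# Added example, not corridor's code; relay entries and flows are constructed.
import ipaddress

# Constructed network-status entries ("r" = relay line, "s" = its flags).
SAMPLE_STATUS = """\
r relayA AAAA BBBB 2024-01-01 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r relayB CCCC DDDD 2024-01-01 00:00:00 198.51.100.7 443 9030
s Exit Fast Running Valid
r relayC EEEE FFFF 2024-01-01 00:00:00 203.0.113.5 443 0
s Fast Guard Running Stable Valid
"""

# Constructed flows from the workstation: (protocol, destination IP, port).
SAMPLE_FLOWS = [
    ("tcp", "192.0.2.10", 9001),   # guard IP and ORPort
    ("udp", "192.0.2.53", 53),     # clearnet DNS lookup
    ("tcp", "198.51.100.7", 443),  # a relay, but without the Guard flag
    ("tcp", "203.0.113.5", 80),    # guard IP, but not its ORPort
    ("udp", "203.0.113.5", 443),   # guard IP and port, but Tor uses TCP
]

def guard_allowlist(status_text):
    # Collect (IP, ORPort) for every relay flagged Guard, Running and Valid.
    allowed, pending = set(), None
    for line in status_text.splitlines():
        fields = line.split()
        if fields[:1] == ["r"] and len(fields) >= 8:
            try:
                pending = (ipaddress.ip_address(fields[6]), int(fields[7]))
            except ValueError:
                pending = None  # malformed entry: never whitelist it
        elif fields[:1] == ["s"] and pending is not None:
            if {"Guard", "Running", "Valid"} <= set(fields[1:]):
                allowed.add(pending)
            pending = None
    return allowed

def filter_flows(flows, allowed):
    # Pass only TCP to a whitelisted IP:port; everything else is a leak.
    passed, leaks = [], []
    for proto, dst, port in flows:
        ok = proto == "tcp" and (ipaddress.ip_address(dst), port) in allowed
        (passed if ok else leaks).append((proto, dst, port))
    return passed, leaks

if __name__ == "__main__":
    passed, leaks = filter_flows(SAMPLE_FLOWS, guard_allowlist(SAMPLE_STATUS))
    print("blocked and logged:", leaks)
```

Matching on the IP and port pair rather than the IP alone is what makes the fourth flow count as a leak.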
corridor is mostly useful for developers and auditors of TBB, Tails or Whonix, perhaps also for advanced users who would like to have an additional safety net.
Quote corridor readme:
“corridor is not a replacement for using a well-designed operating system on your client computers, like Qubes with TorVM/Whonix.”
corridor cannot sit between Whonix-Gateway and Whonix-Workstation. That would make no sense in combination with the Whonix design.
Credits: The author of corridor is rustybird. The author of the fork of corridor for Debian is Patrick Schleizer.
If you like Whonix, please support it.