Author Topic: Stream Isolation  (Read 679 times)

punk

Stream Isolation
« on: May 10, 2014, 10:55:49 am »
Stream Isolation is a very nice technology, I have some newbie questions about it...

1) So these ports for stream isolation are running on Whonix-Gateway. That means I can use these ports from ANY workstation which is connected to the gateway. It can be Windows, other Linux, etc. What I need to do is just type the Whonix-Gateway IP and port in some software's proxy settings, like 192.168.0.10:9103. And this means that my instant messenger (which I run on a Windows workstation) will from now on be using a different Tor route from my browser (which I also run on the Windows workstation)?

2) On Whonix-Gateway there are many prepared ports for many applications. For xchat, bitcoin, etc... Does it make a difference which port I use for bitcoin and xchat? I mean, for bitcoin software must I use ONLY 9111?

3) Is there a way to test if stream isolation for IM is working?

Patrick

  • a maintainer of Whonix
Re: Stream Isolation
« Reply #1 on: May 10, 2014, 04:27:27 pm »
Quote
1) So these ports for stream isolation are running on Whonix-Gateway. That means I can use these ports from ANY workstation which is connected to the gateway. It can be Windows, other Linux, etc. What I need to do is just type the Whonix-Gateway IP and port in some software's proxy settings, like 192.168.0.10:9103. And this means that my instant messenger (which I run on a Windows workstation) will from now on be using a different Tor route from my browser (which I also run on the Windows workstation)?
If the application is really using the proxy you set (proxy bypass bugs are not uncommon, see TorifyHOWTO) and if that workstation is not already compromised and if you are not using other workstations that are compromised, then yes.

Quote
2) On Whonix-Gateway there are many prepared ports for many applications. For xchat, bitcoin, etc... Does it make a difference which port I use for bitcoin and xchat? I mean, for bitcoin software must I use ONLY 9111?
Bitcoin port 9111 is just "reserved" for an eventual future where a bitcoin client gets pre-installed by default, or in case we would at least ship a bitcoin.conf pointing at that port by default. Whether you use 9152, 9153, 9154 or something else is up to you. Doesn't matter. Just don't (unless you know what you are doing) configure two applications to use the same port and use both applications at the same time. As long as you don't run short on custom ports (no one ever reported that), just use a separate one per custom application and just remember it or note it somewhere. In case you run short on custom ports, new ones could be created.

Quote
3) Is there a way to test if stream isolation for IM is working?
Yes, but no easy one. If you strongly care about this, turn off Whonix's transparent proxying fallback feature (explained on the stream isolation documentation page as well). To actually check it, you need to either audit the application's source code and/or use a network monitor (wireshark etc.) to see if there are any proxy bypass bugs.
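One way to act on the network-monitor advice in Reply #1, as an added example that is not part of the original posts and not Whonix's own code: given connections observed on a workstation, it flags flows that do not go to the application's assigned SocksPort and port plans that give two applications the same port. The application names, port plan and flow lines are constructed, and attributing each flow to an application is assumed to be done by the monitor.

```python
# Added example: audit observed flows against a per-application SocksPort plan.
from collections import defaultdict

GATEWAY_IP = "192.168.0.10"   # gateway address used in the question above

# Assumed plan: one gateway SocksPort per application (hypothetical mapping).
PLAN = {"messenger": 9103, "bitcoin": 9111, "custom-app": 9152}

# Constructed sample, one line per connection seen by a network monitor on
# the workstation: "<app> <proto> <dst_ip>:<dst_port>".
SAMPLE_FLOWS = """\
messenger tcp 192.168.0.10:9103
bitcoin tcp 192.168.0.10:9111
custom-app tcp 192.168.0.10:9111
messenger udp 192.168.0.10:53
messenger tcp 203.0.113.7:5222
"""

def shared_ports(plan):
    """Return ports that the plan assigns to more than one application."""
    by_port = defaultdict(list)
    for app, port in plan.items():
        by_port[port].append(app)
    return {p: sorted(a) for p, a in by_port.items() if len(a) > 1}

def audit(flows_text, plan, gateway=GATEWAY_IP):
    """Classify each flow; return a list of (app, destination, finding)."""
    findings = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        app, proto, dest = line.split()
        ip, _, port = dest.rpartition(":")
        port = int(port)
        if app not in plan:
            finding = "no SocksPort assigned"
        elif proto == "tcp" and ip == gateway and port == plan[app]:
            finding = "ok"
        elif proto == "tcp" and ip == gateway and port in plan.values():
            finding = "uses another application's SocksPort"
        else:
            finding = "not via assigned SocksPort (possible proxy bypass)"
        findings.append((app, dest, finding))
    return findings

if __name__ == "__main__":
    for app, dest, finding in audit(SAMPLE_FLOWS, PLAN):
        print(f"{app:12} {dest:22} {finding}")
```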

punk

Re: Stream Isolation
« Reply #2 on: May 11, 2014, 09:20:41 am »
Quote
As long as you don't run short on custom ports (no one ever reported that)

What do you mean by that? Short on custom ports?

Patrick

Re: Stream Isolation
« Reply #3 on: May 11, 2014, 01:06:32 pm »
Quote
As long as you don't run short on custom ports (no one ever reported that)

What do you mean by that? Short on custom ports?
Using more than 9 custom installed applications that you want to route through Tor SocksPorts without IsolateDestAddr and without IsolateDestPort. Then you can add some more yourself.

benny

Re: Stream Isolation
« Reply #4 on: December 16, 2014, 03:41:40 pm »
On Whonix-Workstation, is the ssh client already configured to use "isolated by destination address"?
If I connect to different machines over ssh at the same time, do I get separate Tor routes?

Patrick

Re: Stream Isolation
« Reply #5 on: December 16, 2014, 06:12:42 pm »
Quote
On Whonix-Workstation, is the ssh client already configured to use "isolated by destination address"?
No.

Quote
If I connect to different machines over ssh at the same time, do I get separate Tor routes?
No.

You have to manually configure this if you want this. I'd advise using https://www.whonix.org/wiki/Multiple_Whonix-Workstations though for better identity separation.

 
