[Whonix-devel] Circuit isolating proxy?

William Budington bill at eff.org
Sat Dec 10 22:40:18 CET 2016

Hey all,

I'm using whonix from within Qubes.  I'm trying to find a way to remove the tor ports as an attack surface from the whonix-ws while still maintaining circuit isolation for applications run within workstations.  Currently, I see that the tor ports are forwarded from the whonix-gw via rinetd.

Possible solution: a piece of software intended to be used on whonix-gw which opens one network interface per circuit, and provisions an arbitrary number of VMs with circuit-isolated, transparently torified connections without exposing the tor socks/control ports to them.  That way you could run one application per VM which is on an isolated circuit, but has no access to the tor ports.  Does anything like this currently exist?

Obviously this would be a bad solution for the Tor Browser, which relies on access to the tor ports to do per-tab isolation.  But I figure it would be an okay solution for other applications that do not rely on such hands-on circuit control.
