Qubes TorVM (qubes-tor)

Qubes TorVM is a ProxyVM service that provides torified networking to all its clients.

By default, any AppVM using the TorVM as its NetVM will be fully torified, so even applications that are not Tor aware will be unable to access the outside network directly. (On the Qubes mailing lists, an AppVM using a TorVM as its NetVM is commonly referred to as an "AnonVM.")

Moreover, AppVMs running behind a TorVM are not able to access globally identifying information (IP address and MAC address).

Due to the nature of the Tor network, only IPv4 TCP and DNS traffic is allowed. All non-DNS UDP and IPv6 traffic is silently dropped.

See this article for a description of the concept, architecture, and the original implementation.

Warning + Disclaimer

  1. Qubes TorVM is produced independently from the Tor(R) anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

  2. Qubes TorVM is not a magic anonymizing solution. Protecting your identity requires a change in behavior. Read the "Protecting Anonymity" section below.

  3. Traffic originating from the TorVM itself IS NOT routed through Tor. This includes system updates to the TorVM. Only traffic from VMs using TorVM as their NetVM is torified.

Installation

  1. (Optional) If you want to use a separate vm template for your TorVM

    qvm-clone fedora-18-x64 fedora-18-x64-net
    
  2. In dom0, create a proxy vm and disable unnecessary services and enable qubes-tor

    qvm-create -p torvm
    qvm-service torvm -d qubes-netwatcher
    qvm-service torvm -d qubes-firewall
    qvm-service torvm -e qubes-tor
    
    # if you  created a new template in the previous step
    qvm-prefs torvm -s template fedora-18-x64-net
    
  3. From your template vm, install the torproject Fedora repo

    sudo yum install qubes-tor-repo
    
  4. Then, in the template, install the TorVM init scripts (Note: This is not currently working for Fedora 18. See this thread for details and alternatives.)

    sudo yum install qubes-tor
    
  5. Configure an AppVM to use TorVM as its netvm (example a vm named anon-web)

    qvm-prefs -s anon-web netvm torvm
    

    ... repeat for other appvms ...

  6. Shutdown templateVM.

  7. Set prefs of torvm to use your default netvm or firewallvm as its NetVM

  8. Start the TorVM and any AppVM you have configured to use it

  9. From the AppVM, verify torified connectivity

    curl https://check.torproject.org
    

Troubleshooting

  1. Check if the qubes-tor service is running (on the torvm)

    [user@torvm] $ sudo service qubes-tor status
    
  2. Tor logs to syslog, so to view messages use

    [user@torvm] $ sudo grep Tor /var/log/messages
    
  3. Restart the qubes-tor service (and repeat 1-2)

    [user@torvm] $ sudo service qubes-tor restart
    

Usage

Applications should "just work" behind a TorVM, however there are some steps you can take to protect anonymity and increase performance.

Protecting Anonymity

The TorVM only purports to prevent the leaking of two identifiers:

  1. WAN IP Address
  2. NIC MAC Address

This is accomplished through transparent TCP and transparent DNS proxying by the TorVM.

The TorVM cannot anonymize information stored or transmitted from your AppVMs behind the TorVM.

Non-comprehensive list of identifiers TorVM does not protect:

  • Time zone
  • User names and real name
  • Name+version of any client (e.g. IRC leaks name+version through CTCP)
  • Metadata in files (e.g., exif data in images, author name in PDFs)
  • License keys of non-free software

In particular, using a TorVM does nothing by itself to combat browser fingerprinting. For this, it is recommended that you use Tor Browser with "Transparent Torification" selected in it Proxy Settings in order to avoid running Tor over Tor (which is strongly discouraged and potentially dangerous). Likewise, if you use Thunderbird in an AnonVM, it is recommended that you use the TorBirdy extension in order to prevent Thunderbird from leaking potentially identifying information about you.

By default, DispVMs in Qubes use the firewallvm as their NetVM. This can be dangerous if, for example, you download a file in an AnonVM, then open it in a DispVM, and it "phones home" over your clearnet connection from the DispVM. For this reason, you may wish to customize your DispVM template in order to change the default NetVM to "none." Then, whenever you start a new DispVM, you can manually select the desired ProxyVM (e.g., firewallvm, torvm) or simply leave it network-disconnected. This also prevents any default applications from automatically collecting and/or divulging identifying information (e.g., via an automated update-check process) over your clearnet connection before the NetVM is changed (which might be the case if a default firewallvm-connected DispVM is started, then switched to connect to the TorVM).

Further Reading

Performance

In order to mitigate identity correlation TorVM makes heavy use of Tor's new stream isolation feature. Read "Threat Model" below for more information.

However, this isn't desirable in all situations, particularly web browsing. These days loading a single web page requires fetching resources (images, javascript, css) from a dozen or more remote sources. Moreover, the use of IsolateDestAddr in a modern web browser may create very uncommon HTTP behavior patterns, that could ease fingerprinting.

Additionally, you might have some apps that you want to ensure always share a Tor circuit or always get their own.

For these reasons TorVM ships with two open SOCKS5 ports that provide Tor access with different stream isolation settings:

  • Port 9049 - Isolates destination port and address, and by SOCKS Auth
    Same as default settings listed above, but each app using a unique SOCKS user/pass gets its own circuit.
  • Port 9050 - Isolates by SOCKS Auth and client address only
    Each AppVM gets its own circuit, and each app using a unique SOCKS user/pass gets its own circuit

SOCKS Port 9050 should be used by web browsers.

Custom Tor Configuration

Default tor settings are found in the following file and are the same across all TorVMs.

  /usr/lib/qubes-tor/torrc

You can override these settings in your TorVM, or provide your own custom settings by appending them to:

  /rw/usrlocal/etc/qubes-tor/torrc

For information on tor configuration settings man tor

Threat Model

TorVM assumes the same Adversary Model as TorBrowser, but does not, by itself, have the same security and privacy requirements.

Proxy Obedience

The primary security requirement of TorVM is Proxy Obedience.

Client AppVMs MUST NOT bypass the Tor network and access the local physical network, internal Qubes network, or the external physical network.

Proxy Obedience is assured through the following:

  1. All TCP traffic from client VMs is routed through Tor
  2. All DNS traffic from client VMs is routed through Tor
  3. All non-DNS UDP traffic from client VMs is dropped
  4. Reliance on the Qubes OS network model to enforce isolation

Mitigate Identity Correlation

TorVM SHOULD prevent identity correlation among network services.

Without stream isolation, all traffic from different activities or "identities" in different applications (e.g., web browser, IRC, email) end up being routed through the same tor circuit. An adversary could correlate this activity to a single pseudonym.

By default TorVM uses the most paranoid stream isolation settings for transparently torified traffic:

  • Each AppVM will use a separate tor circuit (IsolateClientAddr)
  • Each destination port will use a separate circuit (IsolateDestPort)
  • Each destination address will use a separate circuit (IsolateDestAdr)

For performance reasons less strict alternatives are provided, but must be explicitly configured.

Future Work

  • Integrate Vidalia
  • Create Tor Browser packages w/out bundled tor
  • Use local DNS cache to speedup queries (pdnsd)
  • Support arbitrary DNS queries
  • Fix Tor's openssl complaint
  • Support custom firewall rules (to support running a relay)
  • Integrate Whonix into Qubes (discussion)

Acknowledgements

Qubes TorVM is inspired by much of the previous work done in this area of transparent torified solutions. Notably the following:

Known issues:

Source of this document: http://git.qubes-os.org/gitweb/?p=marmarek/qubes-app-linux-tor.git;a=blob;f=README.md

Last modified 3 months ago Last modified on Jan 23, 2014 4:08:10 AM