Whonix.skull.space
whonix.skull.space provides a means to access a Skullspace hosted Whonix gateway over ssh.
To obtain an account, contact Mark Jenkins <mark@parit.ca> .
Both styles of TCP port tunneling through ssh are supported:
- SOCKS proxy (-D in openssh), which many applications can be configured to use
- local port forwarding (-L in openssh)
This service is hosted on vmsrv. Because an IP address is shared with vmsrv.skullspace.ca, you have to connect your ssh client to port 1887, not port 22. An openssh command line example:
$ ssh -D SOCKSPORT -L LOCALPORT:SOMEREMOTESERVER:SOMEREMOTEPORT -p 1887 username@whonix.skull.space
The distinct whonix.skull.space domain name can help you avoid typing the port each time you log in; just put
    Host whonix.skull.space
        HostName whonix.skull.space
        Port 1887
in your ~/.ssh/config file (openssh) or the equivalent profile feature in other ssh clients.
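The SOCKS port that `ssh -D` opens speaks SOCKS5 (RFC 1928), and what an application sends on it decides where DNS lookups happen. The following is an added example, not code from the Skullspace page: a minimal SOCKS5 client that performs the no-authentication greeting and a CONNECT request using the DOMAINNAME address type, so the hostname reaches ssh unresolved and is looked up at the far end (here the container, which uses the Whonix gateway for DNS) rather than by the local resolver. The `fake_proxy` function is a test double standing in for ssh so the handshake can be exercised offline over a socketpair; `example.com` and port 443 are constructed sample values.

```python
# Added example (not code from the Skullspace page): a minimal SOCKS5 client
# (RFC 1928) of the kind an application speaks to the port opened by `ssh -D`.
# The CONNECT request uses the DOMAINNAME address type, so the hostname is
# handed to ssh unresolved and looked up at the far end (the container, via
# the Whonix gateway's DNS) instead of by the local resolver.
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
NO_AUTH = 0x00


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS fields are fixed-width, so short reads matter."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def build_greeting():
    """VER=5, NMETHODS=1, METHODS=[no authentication]."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect_request(host, port):
    """VER, CMD=CONNECT, RSV, ATYP=DOMAINNAME, LEN, name, PORT (big-endian)."""
    name = host.encode("ascii")
    if not 0 < len(name) <= 255 or not 0 < port <= 0xFFFF:
        raise ValueError("hostname must be 1..255 bytes and port 1..65535")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def read_reply(sock):
    """Read one SOCKS5 reply; return (REP code, bound address, bound port)."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        addr = recv_exact(sock, recv_exact(sock, 1)[0]).decode("ascii")
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    return rep, addr, struct.unpack("!H", recv_exact(sock, 2))[0]


def socks5_connect(sock, host, port):
    """Negotiate no-auth and request CONNECT to host:port over an open socket to the SOCKS port."""
    sock.sendall(build_greeting())
    if recv_exact(sock, 2) != bytes([SOCKS_VERSION, NO_AUTH]):
        raise ConnectionError("proxy refused the no-authentication method")
    sock.sendall(build_connect_request(host, port))
    rep, addr, bport = read_reply(sock)
    if rep != 0x00:
        raise ConnectionError("CONNECT failed, REP=%#x" % rep)
    return addr, bport  # from here on, sock carries the tunnelled stream


def fake_proxy(sock):
    """Test double for the proxy side (not ssh): accepts no-auth, answers any CONNECT
    with success and a zero bound address, returns the (host, port) the client asked for."""
    try:
        ver, nmethods = recv_exact(sock, 2)
        if ver != SOCKS_VERSION or NO_AUTH not in recv_exact(sock, nmethods):
            raise ValueError("bad greeting")
        sock.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
        ver, cmd, _rsv, atyp = recv_exact(sock, 4)
        if (ver, cmd, atyp) != (SOCKS_VERSION, CMD_CONNECT, ATYP_DOMAIN):
            raise ValueError("expected a CONNECT to a domain name")
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("ascii")
        port = struct.unpack("!H", recv_exact(sock, 2))[0]
        sock.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + b"\x00" * 6)
        return host, port
    finally:
        sock.close()


def demo_handshake(host="example.com", port=443):
    """Run the client against the test-double proxy over a socketpair (constructed, offline)."""
    client, proxy = socket.socketpair()
    seen = {}
    worker = threading.Thread(target=lambda: seen.update(request=fake_proxy(proxy)))
    worker.start()
    try:
        seen["bound"] = socks5_connect(client, host, port)
    finally:
        client.close()
        worker.join()
    return seen


if __name__ == "__main__":
    print(demo_handshake())
```

Against the real service an application opens a TCP connection to 127.0.0.1:SOCKSPORT and calls `socks5_connect` on it; ssh then opens the far-end connection and the same socket carries the stream. The practical point for users of `-D` is to make sure the client passes hostnames to the proxy instead of resolving them first, which is what curl's `socks5h://` proxy scheme and Firefox's "Proxy DNS when using SOCKS v5" setting do.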
Implementation details
The whonix.skull.space setup consists of two parts:
- a KVM virtual machine using only 256 megabytes of RAM running the whonix cli gateway stack on Debian 9 (10.0.2.15 / 10.152.152.10)
- an unprivileged Linux container running Debian 9 and openssh-server locked down to only allow port forwarding (172.30.8.4 / 10.152.152.51). It uses the whonix gateway (above) as its default route and DNS server. Port 1887 is forwarded with a source NAT and destination NAT rule from the vm server host OS so that connections arrive from 172.30.8.1. This node is sort of a substitute for the Whonix workstation.
Privacy/Security caution
Security and convenience are a trade-off: this setup provides the convenience of only requiring ssh and your client applications to use a forwarded port or SOCKS proxy. Using Whonix in the way it was designed, or alternatively the Tor Browser Bundle or Tails, is going to be more solid.
Another alternative that still allows you to use whatever choice of operating system and applications on your usual workstation is to run a Whonix gateway yourself on another computer of your own. An old PC with two network cards could be suitable for this. If there's interest, Mark could show people how to build Whonix boxes someday.
Some possible issues to consider when using the Skullspace hosted Whonix gateway: (This section TODO)