Whonix.skull.space

From SkullSpace Wiki
Revision as of 04:29, 21 May 2019 by Markjenkinsparit (talk | contribs) (signed host keys by Mark Jenkins)

whonix.skull.space provides a means to access a Skullspace hosted Whonix gateway over ssh.

To obtain an account, contact Mark Jenkins <mark@parit.ca>.

Both styles of TCP port tunneling through ssh are supported:

  • SOCKS proxy (-D in openssh), which many applications can be configured to use
  • local port forwarding (-L in openssh)

This service is hosted on vmsrv. Because the IP address is shared with vmsrv.skullspace.ca, you have to connect your ssh client to port 1887, not port 22. An openssh command line example:

$ ssh -D SOCKSPORT -L LOCALPORT:SOMEREMOTESERVER:SOMEREMOTEPORT -p 1887 username@whonix.skull.space

The distinct whonix.skull.space domain name can help you avoid typing the port each time you log in; just put

Host whonix.skull.space
    HostName whonix.skull.space
    Port 1887

in your ~/.ssh/config file (openssh) or the equivalent profile feature in other ssh clients.

Implementation details

The whonix.skull.space setup consists of two parts:

  • a KVM virtual machine using only 256 megabytes of RAM running the whonix cli gateway stack on Debian 9 (10.0.2.15 / 10.152.152.10)
  • an unprivileged linux container running Debian 9 and openssh-server locked down to only allow port forwarding (172.30.8.4 / 10.152.152.51). It uses the whonix gateway (above) as its default route and dns server. Port 1887 is forwarded with a source NAT and destination NAT rule from the vm server host OS so that connections appear to come from 172.30.8.1. This node is sort of a substitute for the Whonix workstation.

Privacy/Security caution

Security and convenience are a trade-off: this setup provides the convenience of only requiring ssh and your client applications to use a forwarded port or SOCKS proxy. Using Whonix in the way it was designed, or alternatively the Tor Browser Bundle or Tails, is going to be more solid.

Another alternative that still allows you to use whatever choice of operating system and applications on your usual workstation is to run a Whonix gateway yourself on another computer of your own. An old PC with two network cards could be suitable for this. If there's interest, Mark could show people how to build Whonix boxes someday.

Some possible issues to consider when using the Skullspace hosted Whonix gateway: (This section TODO)

ssh host key hashes

These are signed by Mark Jenkins <mark@markjenkins.ca> (http://markjenkins.ca/gpg/)

SHA256:8RJrSbdshRleYx8hzOuTP+VCfFG1x6aowUqwaw4Fo4A (RSA)
MD5:f6:a1:f9:95:bf:f8:e1:13:21:72:d1:cb:52:dd:b1:55 (RSA)
SHA256:ZPiteHCt00McOADVQl/C1lUBA7dGqh2oalKSZVJKTOc (ECDSA)
MD5:e1:10:b1:80:35:86:fe:82:2d:bf:c3:8a:0d:f4:8b:bc (ECDSA)
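Before the first login, compare the fingerprints the server actually offers on port 1887 against the published SHA256 ones above; an example script added here, not part of the original page, that assumes openssh's ssh-keyscan and ssh-keygen are installed on the client:

```shell
# Published fingerprints, copied from the signed list on this page.
PUBLISHED_FPS='SHA256:8RJrSbdshRleYx8hzOuTP+VCfFG1x6aowUqwaw4Fo4A RSA
SHA256:ZPiteHCt00McOADVQl/C1lUBA7dGqh2oalKSZVJKTOc ECDSA'

# scan_fingerprints: query the live server (port 1887, not 22) and print
# one "SHA256:<hash> <TYPE>" line per host key it offers. Needs network.
scan_fingerprints() {
    ssh-keyscan -p 1887 -t rsa,ecdsa whonix.skull.space 2>/dev/null \
        | ssh-keygen -lf - \
        | awk '{ gsub(/[()]/, "", $4); print $2, $4 }'
}

# verify_fingerprints: read scanned "SHA256:<hash> <TYPE>" lines on stdin.
# Returns 0 only if at least one key was seen and every key matches the
# published entry for its type; any mismatch or an empty scan is a failure,
# so a MITM or a typo in the hostname is caught before a password is typed.
verify_fingerprints() {
    seen=0
    while read -r fp type; do
        [ -n "$fp" ] || continue
        seen=$((seen + 1))
        if ! printf '%s\n' "$PUBLISHED_FPS" | grep -qxF "$fp $type"; then
            echo "MISMATCH: $type key $fp is not in the published list" >&2
            return 1
        fi
    done
    [ "$seen" -gt 0 ]
}

# Typical use: scan_fingerprints | verify_fingerprints && ssh whonix.skull.space
```

Only the SHA256 lines are pinned because that is the digest current ssh-keygen prints by default; the MD5 lines on the page are for older clients.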