Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a user-guide for qubes+whonix wallet and daemon isolation #405

Closed
wants to merge 2 commits into from
Closed

Add a user-guide for qubes+whonix wallet and daemon isolation #405

wants to merge 2 commits into from

Conversation

0xB44EFD8751077F97
Copy link
Contributor

Please review, comment, and critique.

@0xB44EFD8751077F97
Add user-guide qubes+whonix virtual isolation...
0354956 
This PR includes the following:
- Add file resources/user-guides/wallet-daemon-isolation-qubes-whonix.md.
- Modify resources/user-guides/index.md to add guide to "Wallets" section.
mattcode55
mattcode55 reviewed Sep 18, 2017
View reviewed changes
resources/user-guides/wallet-daemon-isolation-qubes-whonix.md Outdated

Qubes gives us the flexibility to easily create separate VMs for different purposes. We first create a Whonix gateway which routes all traffic over Tor. Next a Whonix workstation for the wallet with no networking. Lastly, another Whonix workstation for the daemon which will use our Whonix gateway as it's NetVM. For communication between the wallet and daemon we will make use of Qubes [qrexec](https://www.qubes-os.org/doc/qrexec3/).

This is a safer approach than other guides I've seen which route the wallets rpc over a Tor hidden service, or that use physical isolation but still have networking to connect to the daemon. In this way we don't need any network connection on the wallet at all, we preserve resources of the Tor network, and there is less latency.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

other guides I've seen
we will make use
our Whonix gateway
...

Being a bit nitpicky here but I think that the first person should be avoided.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem, I can edit the intro to avoid first person. I'll have a revised intro to review some time today when I get a break from work.

@0xB44EFD8751077F97
Copy link
Contributor Author

Please hold on merging this PR for now because I've found a better method for the qrexec call that doesn't require ssh. I have some questions for the Monero team before I continue.

Should I change the install process to use the binaries instead of building from source?

Should I change the monerod.service file to use the one provided here (with only --no-igd and --bind-ip=127.0.0.1 added)? If so I will have to incorporate Qubes bind dirs which will add some steps and complexity.

I already plan to change the user:group from monerod to monero.

Any other suggestions?

@fluffypony
Copy link
Contributor

@0xB44EFD8751077F97 ping

@0xB44EFD8751077F97
Copy link
Contributor Author

I was kinda waiting on some answers to the the questions I posted, but I guess I really don't need them.

I'm closing this PR for now while I rework the guide. In short: no build from source, minimal changes to systemd file, and new qrexec method. I'll resubmit soonish.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattcode55 mattcode55 mattcode55 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@0xB44EFD8751077F97 @fluffypony @mattcode55