Route(proxy) all VM traffic through Tor network

I’m running a VM on Incus and I’m trying to route all its traffic through the Tor network for added anonymity. I’ve set up Tor on the host machine, but I’m not sure how to configure the VM to use it.

Can anyone provide guidance on how to route all traffic from the VM through the Tor network?

I understand that I need to route all traffic from the VM through the Tor interface (usually something like 127.0.0.1:9050 or a dedicated Tor interface), but I have no experience with setting this up correctly. I’m worried that I might misconfigure something and end up with a non-functional setup.

I’m using UFW for firewalling.

Hi!

There are some issues to take care of when setting up Tor so that you do indeed get everything right.
In your case, you would like to install Tor on the host, and then route all traffic from a designated VM through the Tor network.

There’s an alternative, using Whonix and Whonix for KVM. Here, you would use one dedicated VM, the Whonix-Gateway, which is the system that runs Tor. Then, you would use a second dedicated VM, the Whonix-Workstation, from where you would be browsing the Internet through the Tor network. Alternatively, as the second dedicated VM, you can use your own VM (Anonymize Other Operating Systems).
I have not found a tutorial on this. You would convert the VM images to the type that is usable by Incus, then launch the two VMs with them.

The 127.0.0.1:9050 is likely a SOCKS proxy URL that you configure the Workstation system to use, so that the traffic goes through the Tor network. Ideally, you would want to avoid a custom operating system as it may leak information. That is, on the Tor network, you always assume that the Tor exit node is reading your traffic, with a lot of interest.

How can I route all traffic from incusbr0 through that SOCKS5 proxy port?

It’s a complex topic, recommended web search phrase: transparent proxy tor

How would it be possible to do so, without Tor? That is, create an Incus project with isolated network, then have that network not be able to connect directly to the Internet but only through a suitable proxy.

This would likely be an incusbr1 bridge without the typical iptables/nftables rules (that give access to the Internet) but with the appropriate such rules so that only a specific IP address is accessible. That specific IP address would be another container or VM (Whonix-gateway) that only runs the proxy.
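As an added example of the isolated-bridge approach described above (not code from this thread or from Incus/Whonix): an Incus network created with NAT and Incus-generated firewall rules disabled, plus an nftables ruleset that stops the host from routing for that bridge and lets guests on it exchange frames only with the gateway address. The bridge name (incusbr1), the subnet and the gateway IP are assumptions; without the --apply flag the script only prints what it would do.

```shell
#!/bin/sh
# Added example, not from the thread: an isolated Incus bridge whose guests can
# reach only one gateway guest. Bridge name, subnet and gateway IP are assumptions.
set -eu
ISO_BR="${ISO_BR:-incusbr1}"          # isolated bridge (assumed name)
ISO_NET="${ISO_NET:-10.152.152.0/24}" # assumed subnet of that bridge
GW_IP="${GW_IP:-10.152.152.10}"       # assumed address of the proxy gateway guest
# Incus side: no NAT, no Incus-generated firewall rules, no DHCP/DNS from the host.
incus_network_cmd() {
  printf 'incus network create %s ipv4.address=%s.1/24 ipv4.nat=false ipv4.firewall=false ipv4.dhcp=false ipv6.address=none\n' \
    "$ISO_BR" "${ISO_NET%.*}"
}
# nftables side. Incus turns on IP forwarding on the host, so without the inet
# forward rules packets from the isolated bridge would still be routed out un-NATed.
nft_ruleset() {
  cat <<EOF
table inet isolate_${ISO_BR} {
  chain forward {
    type filter hook forward priority filter; policy accept;
    # never route between the isolated bridge and any other interface
    iifname "${ISO_BR}" oifname != "${ISO_BR}" drop
    oifname "${ISO_BR}" iifname != "${ISO_BR}" drop
  }
  chain input {
    type filter hook input priority filter; policy accept;
    # the host must not act as resolver or proxy for the isolated guests
    iifname "${ISO_BR}" drop
  }
}
table bridge isolate_${ISO_BR} {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # inside the bridge, only frames to or from the gateway address are switched
    meta ibrname "${ISO_BR}" ether type arp accept
    meta ibrname "${ISO_BR}" ip saddr ${GW_IP} accept
    meta ibrname "${ISO_BR}" ip daddr ${GW_IP} accept
    meta ibrname "${ISO_BR}" drop
  }
}
EOF
}
# Only touch the system when asked; otherwise print what would be done.
if [ "${1:-}" = "--apply" ]; then
  sh -c "$(incus_network_cmd)"
  nft_ruleset | nft -f -
else
  incus_network_cmd
  nft_ruleset
fi
```

The gateway guest still needs a second NIC on a bridge that does reach the Internet (incusbr0, for instance) for its own Tor connection, and guests on the isolated bridge need static addresses since DHCP is off; both are outside this snippet.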