Additional Bridge Guards for Private Network Bridges ("Tor Bridge Middlebox")
When the only exit of a private network (physical or virtual) is a Bridge, an additional Bridge Guard is required to actually get a three node tor circuit.
Specific examples of such private networks are Whonix, Qubes OS, or any custom multi-VM setup used by a single user. Other examples are a lab or office, or simply one user with several devices/computers in close proximity.
An even more concrete example is a desktop with a tor middlebox set up using VMs. In this example, the tor middlebox VM is the ONLY gateway to the internet and another VM runs the Tor Browser. The Tor Browser's own tor then needs either a proxy or a Bridge to reach the network. To use a proxy, the tor middlebox would have to expose a proxy that connects directly to the clear internet. If instead the tor middlebox is used as a tor bridge, the user effectively ends up with a 2 node circuit, since the first hop is only a virtual link between two local VMs.
Using a tor bridge as the ONLY exit from a private network would be a very powerful protection against certain de-anonymization risks, such as trojans or successful penetration of a VM or physical device while the middlebox itself stays secure. However, at the moment the bridge must also be the guard, which effectively imposes a two node circuit: the first public relay, nominally the middle node, is also the entry and guard node.
Of course, a SOCKS5, SOCKS4 or HTTP/HTTPS proxy can be used to exit the network, which lets tor installations inside the network build a proper three node circuit. However, a proxy that goes directly to the internet is a weak link, because it is either unprotected or its authentication information has to be stored on the very system that may get compromised. This could be avoided if a Bridge could have a separate, additional guard.
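To make the two alternatives concrete, here are the torrc fragments for the VM setup described above. This is an added illustration, not configuration shipped by Tor, Whonix or Qubes; the internal addresses, ports and the fingerprint placeholder are assumptions for the example, and the option names are standard torrc options.

```text
## VM2, the tor middlebox: a private bridge that is the only way out of
## the VM network. ORPort is bound to the internal (VM-only) interface;
## 10.152.152.10 and 9001 are assumed values for this example.
BridgeRelay 1
ORPort 10.152.152.10:9001
PublishServerDescriptor 0
ExitRelay 0
## The ORPort is not reachable from the public internet, so skip the
## reachability self-test instead of waiting for it to fail.
AssumeReachable 1

## VM1 (the VM running Tor Browser), bridge mode. The middlebox is the
## first hop and, as things stand, also the guard, so the public part of
## the circuit is only middle > exit: two public relays.
UseBridges 1
Bridge 10.152.152.10:9001 <fingerprint of VM2's tor, placeholder>
## There is no option today that adds a public entry guard after this
## bridge; MyFamily and ExcludeNodes do not achieve it either.

## VM1, proxy mode instead. This yields a full three node public circuit,
## but VM2 must now expose a proxy that reaches the clear internet, and
## any credentials for it live on the client VM. Port 1080 is assumed.
Socks5Proxy 10.152.152.10:1080
```

Only one of the two VM1 fragments is used at a time; the proxy fragment is the workaround the text calls a weak link, the bridge fragment is the setup that yields the two node circuit.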
There are no available workarounds at the moment. MyFamily does not work, and neither does excluding the Bridge node. And even when tor cannot confirm that the Bridge is reachable from the public internet, it does not get an extra guard.
There should be a mechanism to not count, toward the circuit length, multiple MyFamily nodes that are a required part of a circuit, thus permitting chaining of private-network tor nodes when the nodes are TRULY controlled by the same entity. Or something similar. If the nodes are controlled by the same entity, using them as additional circuit nodes does risk overloading the tor network. Another option would be to not count toward the three node circuit any chain of unreachable tor nodes, regardless of how many private tor nodes are chained.
We could call this setup a "Tor Bridge Middlebox", and it could be chainable.
Here are some example Tor node circuits; the same examples extend to private physical LANs.
Virtual Machine Tor Bridge Middlebox setup, as is, two node circuit: VM1-Tor > VM2-Tor-Bridge-Guard > Tor-Middle > Tor-Exit
Virtual Machine Tor Bridge Middlebox setup, as it should be: VM1-Tor > VM2-Tor-Bridge > Tor-Entry-Guard > Tor-Middle > Tor-Exit
Virtual Machine Socks/Proxy Middlebox setup: VM1-Tor > VM2-Clear-Proxy > Tor-Entry-Guard > Tor-Middle > Tor-Exit
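A practitioner running this setup will want to verify, from the client VM, which of the circuits above they actually got. The following script is an added example, not code from the Tor project: it parses the text that `GETINFO circuit-status` returns on tor's control port (one line per circuit: circuit id, status, the path as `$fingerprint~nickname` entries, then `KEY=VALUE` fields) and counts, per circuit, how many hops lie outside the private network. Every fingerprint and the sample output below are constructed placeholders; the private-node set is an assumption you fill in with your own middlebox fingerprint(s), and it generalizes to a chain of several private bridges.

```python
"""Audit a client VM's tor circuits for the "bridge is also the guard" case.

Added example for this issue, not Tor project code. Parses `GETINFO
circuit-status` output (control-port spec format) and reports how many
public relays each general-purpose circuit really has beyond the private
network. All fingerprints and the sample below are constructed."""

import re
from dataclasses import dataclass

# Constructed fingerprints of tor instances inside the private network:
# the middlebox bridge (VM2) plus any further chained private bridges.
FP_VM2_BRIDGE = "B" * 40
PRIVATE_NODES = {FP_VM2_BRIDGE}

# Constructed public relays used in the sample.
FP_GUARD, FP_MIDDLE, FP_EXIT, FP_HSDIR = "3" * 40, "1" * 40, "2" * 40, "4" * 40

# Constructed `GETINFO circuit-status` output as seen from VM1's control port.
# 12: today's behaviour, the private bridge is the guard -> two public relays.
# 13: the desired behaviour, a public entry guard after the private bridge.
# 14: not yet built. 15: an internal HS circuit, legitimately short.
SAMPLE_CIRCUIT_STATUS = (
    f"12 BUILT ${FP_VM2_BRIDGE}~vm2bridge,${FP_MIDDLE}~middle1,${FP_EXIT}~exit1"
    " BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2023-01-01T00:00:00.000000\n"
    f"13 BUILT ${FP_VM2_BRIDGE}~vm2bridge,${FP_GUARD}~guard1,${FP_MIDDLE}~middle1,${FP_EXIT}~exit1"
    " BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\n"
    f"14 EXTENDED ${FP_VM2_BRIDGE}~vm2bridge BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\n"
    f"15 BUILT ${FP_VM2_BRIDGE}~vm2bridge,${FP_HSDIR}~hsdir1"
    " BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY PURPOSE=HS_CLIENT_HSDIR\n"
)

# One path element: $<40 hex chars>, optionally followed by =nick or ~nick.
HOP_RE = re.compile(r"^\$([0-9A-Fa-f]{40})(?:[=~][^,]*)?$")


@dataclass
class Circuit:
    circ_id: str
    status: str
    path: list      # hop fingerprints, upper-case hex, first hop first
    purpose: str


def parse_circuit_status(text):
    """Parse circuit-status lines into Circuit records (path may be empty)."""
    circuits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        circ_id, status, path, purpose = fields[0], fields[1], [], ""
        for field in fields[2:]:
            if field.startswith("$"):
                for hop in field.split(","):
                    m = HOP_RE.match(hop)
                    if m is None:
                        raise ValueError(f"malformed hop {hop!r} in circuit {circ_id}")
                    path.append(m.group(1).upper())
            elif field.startswith("PURPOSE="):
                purpose = field[len("PURPOSE="):]
        circuits.append(Circuit(circ_id, status, path, purpose))
    return circuits


def public_hops(circ, private=PRIVATE_NODES):
    """Hops that are relays on the public Tor network, i.e. not in `private`."""
    return [fp for fp in circ.path if fp not in private]


def audit(circuits, private=PRIVATE_NODES, want=3):
    """Verdict per BUILT general-purpose circuit:
    OK         at least `want` public hops beyond the private chain;
    SHORT:n    only n public hops, the private bridge is acting as the guard;
    NO_BRIDGE  first hop is not a private node, traffic bypassed the middlebox.
    Internal circuits (HS, directory, testing) are shorter by design and skipped."""
    verdicts = {}
    for c in circuits:
        if c.status != "BUILT" or c.purpose != "GENERAL" or not c.path:
            continue
        if c.path[0] not in private:
            verdicts[c.circ_id] = "NO_BRIDGE"
            continue
        n = len(public_hops(c, private))
        verdicts[c.circ_id] = "OK" if n >= want else f"SHORT:{n}"
    return verdicts


if __name__ == "__main__":
    for cid, verdict in audit(parse_circuit_status(SAMPLE_CIRCUIT_STATUS)).items():
        print(cid, verdict)
```

Feed it the reply to `GETINFO circuit-status` from the client VM's control port (for instance `controller.get_info("circuit-status")` with stem) and put the real fingerprint of VM2's tor into PRIVATE_NODES. With today's tor, every general circuit reports `SHORT:2`; a circuit that reports `OK` is the "as it should be" path from the list above. For a chain of private bridges, add each of their fingerprints to the set and the count still reflects only the public relays.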
There has been extensive discussion and there are proposals for "Bridge Guards"; however, they seem to have always been in the context of Bridge Enumeration, so I am filing this as a separate issue, though it could be solved in a way similar to those previous issues and proposals.
References: https://www.qubes-os.org/ ; https://www.whonix.org/ ; legacy/trac#7144 (moved) ; #9500 (closed) ; https://gitweb.torproject.org/torspec.git/tree/proposals/188-bridge-guards.txt