Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet)

Lantern is a censorship circumvention tool, an alternative to Tor bridges.

Testers only! As an exercise and proof of concept, I quickly put together a documentation chapter for Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet). Qubes-Whonix only! Non-Qubes-Whonix is unsupported.

At the moment these instructions have several limitations.

  • They install Lantern in a separate ProxyVM behind sys-whonix. The motivation behind this was better security. Lantern is not installable from Debian. It’s a package from the Lantern website. In theory, Tor should not be compromised if Lantern was compromised. But if Lantern was compromised to begin with or more easily exploited than Tor, it is very much desirable to run Lantern in a separate ProxyVM for better isolation.
  • However, this is very impractical. Since Qubes does not support static IP addresses yet, the Tor config setting /etc/tor/torrc ‘Socks5Proxy’ is not stable. When the Lantern ProxyVM gets its IP changed, connectivity breaks and /etc/tor/torrc in sys-whonix needs a manual update. Not great.
  • It would be a lot more usable to document how to run Lantern directly in sys-whonix (under user tunnel with TUNNEL_FIREWALL=true etc.). However, then we would have less isolation.
  • Does not autostart Lantern yet.
  • The footnotes on the wiki page contain several TODO items.
  • And more…
  • I probably won’t be able to become a maintainer of a fully featured Lantern-Gateway comparable to Whonix-Gateway using Tor. Help welcome.
  • Lantern seems to have connectivity issues on its own. Even for me in a non-censored area, it works for me in only 1 of 4 attempts. Often I needed to restart the VM and start fresh. Shutdown of Lantern does not seem to be clean. Often in the Lantern-Gateway VM – while no Whonix network is involved – I am unable to visit any websites from the automatically started Lantern browser.
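
The manual torrc update described in the list above can be scripted. The following is an added example, not part of the Whonix documentation or this post: it assumes `qubesdb-read /qubes-gateway` (the command quoted from the wiki in the replies) returns the Lantern ProxyVM's IP, uses port 8788 and the `HTTPSProxy` directive mentioned in the replies, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of Whonix or Qubes.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# set_tor_proxy TORRC DIRECTIVE IP PORT
# Ensure TORRC holds exactly one "DIRECTIVE IP:PORT" line. Prints "updated" or
# "unchanged"; rejects bad input with status 2 and leaves the file untouched.
set_tor_proxy() {
    torrc=$1; directive=$2; ip=$3; port=$4
    case "$directive" in
        HTTPSProxy|Socks5Proxy) ;;
        *) echo "unsupported directive: $directive" >&2; return 2 ;;
    esac
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
    case "$port" in
        ""|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
    esac
    wanted="$directive $ip:$port"
    pattern="^[[:space:]]*$directive[[:space:]]"
    current=$(grep "$pattern" "$torrc" || true)
    if [ "$current" = "$wanted" ]; then echo unchanged; return 0; fi
    tmp=$(mktemp "$torrc.XXXXXX") || return 1
    # Drop stale lines for this directive, then append the current address.
    grep -v "$pattern" "$torrc" > "$tmp" || true
    echo "$wanted" >> "$tmp"
    # Write back in place so torrc keeps its owner and permissions.
    cat "$tmp" > "$torrc" && rm -f "$tmp" || return 1
    echo updated
}

# In sys-whonix, as root: run this script with --apply, then reload Tor.
# Port 8788 is the one used in the replies on this page.
if [ "${1:-}" = "--apply" ]; then
    set_tor_proxy /etc/tor/torrc HTTPSProxy "$(qubesdb-read /qubes-gateway)" 8788
fi
```

The address is validated before it reaches torrc, so an unexpected value from the lookup leaves the existing configuration in place instead of writing a broken proxy line.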

Déjà vu? This blog post is very similar to my last blog post Connecting to JonDonym before Tor (User -> JonDonym -> Tor -> Internet).

Patrick started developing Whonix, the Anonymous Operating System, in 2012, when others quickly joined the effort. He has collected experience working pseudonymously on Whonix for two years and enjoys working collaboratively on privacy-preserving software.

Notable Replies

  1. Thank you Patrick for all your work -- another reason I love Whonix is there's such a supportive and efficient community behind it:)

    Maybe I can help to do some TODO:)

    That's strange because I followed your instructions exactly to install and use Lantern, but nothing wrong happened to me when using it within the Lantern-Gateway.

    However, I did run into some problems when following the instructions, and here's what I've done (3 times):

    1. Create a new standalone ProxyVM called Lantern-Gateway based on Debian-8 template.

    2. Unload Qubes iptables rules in the Lantern-Gateway ProxyVM:
      2.1 sudo nano
      2.2 copy Firewall_Unload to and save it.
      2.3 sudo chmod -x
      2.4 sudo

    3. Install lantern

    4. lantern -addr

    5. curl --tlsv1.2 --proto =https --socks5-hostname socks5h://
      But it failed
      According to "lantern -help", by running 'lantern -addr IP:Port', lantern opens an HTTP port instead of socks5. It seems that the instructions need to be changed?
      I tried letting Iceweasel use the proxy listening on and it worked.

    6. According to the wiki: "You could run the following command within sys-whonix to find out the IP of your Lantern-Gateway ProxyVM:
      qubesdb-read /qubes-gateway"
      But what it showed when I ran this command was the GatewayIP of sys-whonix itself. I don't know why but I'm sure sys-whonix was using Lantern-Gateway as netvm.

    7. Then I tried adding each of the following to torrc separately:
      Socks5Proxy Lantern-GatewayIP:8788
      HTTPSProxy Lantern-GatewayIP:8788

    but neither of them made Tor work. (It stopped at 5% during boot up.)

    Would you please help me to find what I have done wrong?

    Thank you very much!

  2. Instructions changed to http proxy. Could not get socks to work. However, lantern seems to support socks, they say so in this ticket:

    Can you figure out how to make socks listen on non-local, on all interfaces ( That would be better.

    You might have changed the NetVM while sys-whonix was already running. Then I could imagine that happening. Otherwise should not happen. Please try again.

    Another breaking bug I found was Qubes default iptables rules being reinforced. Just now added to instructions how to disable qubes-firewall and qubes-iptables.

    I got Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) working.

  3. Made the page translatable. Seems this is an action only admins can click. Please try now. Should you have further comments on translations, please create a new thread in the Whonix website sub forum.

