Chaining Anonymizing Gateways


By default, all Whonix-Workstation traffic is forced through Whonix-Gateway. Alternatively, a chain of anonymizing gateways can be built, with sample tunnel configurations outlined below.

Possible Configurations[edit]


## chain:
Whonix-Workstation -> VPN-Gateway    -> Whonix-Gateway -> clearnet
## connection scheme:
user               -> VPN            -> Tor            -> Internet


## chain:
Whonix-Workstation -> Whonix-Gateway -> VPN-Gateway    -> clearnet
## connection scheme:
user               -> Tor            -> VPN            -> Internet

Pre- and Post-Tor-VPN[edit]

## chain:
Whonix-Workstation -> VPN-Gateway    -> Whonix-Gateway -> VPN-Gateway -> Internet
## connection scheme:
user               -> VPN            -> Tor            -> VPN         -> Internet

Whonix is not limited to VPN-Gateways; the VPN can be replaced with a Proxy-Gateway.


## chain:
Whonix-Workstation -> Proxy-Gateway  -> Whonix-Gateway -> clearnet
## connection scheme:
user               -> Tor            -> Proxy          -> Internet

Other Connection Schemes[edit]

Virtually any combination is possible: a Post-Tor-Proxy; a Pre/Post-Tor-SSH; or the proxy being replaced with JonDo or perhaps I2P.

The user should always remember that the connection will be created in reverse order. This is best explained using an example. [1]

## chain:
Whonix-Workstation -> Proxy-Gateway  -> Whonix-Gateway -> VPN-Gateway -> clearnet
## connection scheme:
user               -> VPN            -> Tor            -> Proxy       -> Internet

Upon reflection, it becomes clear why the connection happens in reverse order:

  • Whonix-Workstation has no way but to go through the Proxy-Gateway.
  • The Proxy-Gateway has no way but to go through Whonix-Gateway.
  • In this case, the last element in the chain is the VPN-Gateway, which must obviously connect through clearnet.

Thus, the VPN-Gateway uses clearnet, the Whonix-Gateway uses the VPN-Gateway to connect, the Proxy-Gateway uses Whonix-Gateway to connect, and Whonix-Workstation uses the Proxy-Gateway to connect. Since the Proxy-Gateway has option but to go through Whonix-Gateway followed by VPN-Gateway, it is clear why it will be the last hop in front of the destination server.

Other Considerations[edit]

Whether these combinations make sense in terms of security and anonymity is hotly debated and depends on the user's personal threat model, see Tor plus VPN or Proxy.

Before attempting complex tunnel configurations, the following basic knowledge is required:

This resource may also be useful: Inspiration.

Users must also understand and be capable of editing /etc/network/interfaces on Whonix-Gateway and/or on Whonix-Workstation. In the case of Non-Qubes-Whonix, this refers to the virtual internal network name in VirtualBox settings.

This process is generally difficult because there are no other anonymizing gateways (VPN / JonDo / I2P / Proxy / SSH / VPN) available for download in Whonix, just the Whonix-Gateway which uses Tor to anonymize traffic. Users often have to look for instructions and/or build an anonymizing gateway themselves. [2]

For a VPN-Gateway, see also:


  1. "Internet" below refers to the destination server (a website for example).
  2. There are some instructions for a pfSense based VPN-Gateway which can be found with search engines, but it is untested for leaks.


Whonix Chaining Anonymizing Gateways wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Chaining Anonymizing Gateways wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Random News:

Have you contributed to Whonix? If so, feel free to add your name and highlight what you did on the Whonix authorship page.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)