Chaining Anonymizing Gateways

From Whonix



Info Only advanced users should attempt these configurations!

By default, all Whonix-Workstation ™ traffic is forced through Whonix-Gateway ™. Alternatively, a chain of anonymizing gateways can be built, with sample tunnel configurations outlined below.

Before attempting complex tunnel configurations, the following basic knowledge is required:

This Inspiration resource may also be useful.

Possible Configurations[edit]


## chain:
Whonix-Workstation ™ -> VPN-Gateway -> Whonix-Gateway ™ -> clearnet
## connection scheme:
user -> VPN -> Tor -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.


## chain:
Whonix-Workstation ™ -> Whonix-Gateway ™ -> VPN-Gateway -> clearnet
## connection scheme:
user -> Tor -> VPN -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Pre- and Post-Tor-VPN[edit]

## chain:
Whonix-Workstation ™ -> VPN-Gateway -> Whonix-Gateway ™ -> VPN-Gateway -> Internet
## connection scheme:
user -> VPN -> Tor -> VPN -> Internet

Whonix ™ is not limited to VPN-Gateways; the VPN can be replaced with a Proxy-Gateway.


## chain:
Whonix-Workstation ™ -> Proxy-Gateway -> Whonix-Gateway ™ -> clearnet
## connection scheme:
user -> Tor -> Proxy -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Other Connection Schemes[edit]

Virtually any combination is possible: a Post-Tor-Proxy; a Pre/Post-Tor-SSH; or the proxy being replaced with JonDo or perhaps I2P.

Always remember that the connection will be created in reverse order; see the example below. [1]

## chain:
Whonix-Workstation ™ -> Proxy-Gateway -> Whonix-Gateway ™ -> VPN-Gateway -> clearnet
## connection scheme:
user -> VPN -> Tor -> Proxy -> Internet

Upon reflection, it becomes clear why the connection happens in reverse order:

  • Whonix-Workstation ™ has no option but to pass through the Proxy-Gateway.
  • The Proxy-Gateway has no option but to pass through Whonix-Gateway ™.
  • In this case, the last element in the chain is the VPN-Gateway, which must obviously connect via clearnet.

In other terms:

  • The VPN-Gateway uses clearnet.
  • Whonix-Gateway ™ uses the VPN-Gateway to connect.
  • The Proxy-Gateway uses Whonix-Gateway ™ to connect.
  • Whonix-Workstation ™ uses the Proxy-Gateway to connect.

Since the Proxy-Gateway can only pass through Whonix-Gateway ™ followed by the VPN-Gateway, it is clear why it will be the last hop in front of the destination server.

Other Considerations[edit]

Whether these combinations make sense in terms of security and anonymity is hotly debated and depends on your personal threat model, see Tor plus VPN or Proxy [archive]. Advanced tunneling configurations also require knowledge of how to properly edit /etc/network/interfaces on Whonix-Gateway ™ and/or on Whonix-Workstation ™. In the case of Non-Qubes-Whonix ™, this refers to the virtual internal network name in VirtualBox settings.

This process is generally difficult because there are no other anonymizing gateways (VPN / JonDo / I2P / Proxy / SSH / VPN) available for download in Whonix ™, just the Whonix-Gateway ™ which uses Tor to anonymize traffic. This means a search for instructions is often required and/or an anonymizing gateway must be built from scratch. [2]

For a VPN-Gateway, see also:


  1. "Internet" below refers to the destination server, such as a website.
  2. Instructions for a pfSense based VPN-Gateway can be found with search engines, but it is untested for leaks.

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Iconfinder news 18421.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg Reddit.jpg Diaspora.png Gnusocial.png Mewe.png 500px-Tumblr Wordmark.svg.png Iconfinder youtube 317714.png 200px-Minds logo.svg.png 200px-Mastodon Logotype (Simple).svg.png 200px-LinkedIn Logo 2013.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Please help us to improve the Whonix Wikipedia Page [archive]. Also see the feedback thread [archive].

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.