
Chaining Anonymizing Gateways


Introduction

Info: Only advanced users should attempt these configurations!

By default, all Whonix-Workstation ™ traffic is forced through Whonix-Gateway ™. Alternatively, a chain of anonymizing gateways can be built, with sample tunnel configurations outlined below.

Before attempting complex tunnel configurations, the following basic knowledge is required:

This Inspiration resource may also be useful.

Possible Configurations

Pre-Tor-VPN

## chain:
Whonix-Workstation ™ -> VPN-Gateway -> Whonix-Gateway ™ -> clearnet
## connection scheme:
user -> VPN -> Tor -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Post-Tor-VPN

## chain:
Whonix-Workstation ™ -> Whonix-Gateway ™ -> VPN-Gateway -> clearnet
## connection scheme:
user -> Tor -> VPN -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Pre- and Post-Tor-VPN

## chain:
Whonix-Workstation ™ -> VPN-Gateway -> Whonix-Gateway ™ -> VPN-Gateway -> Internet
## connection scheme:
user -> VPN -> Tor -> VPN -> Internet

Whonix ™ is not limited to VPN-Gateways; the VPN can be replaced with a Proxy-Gateway.

Post-Tor-Proxy

## chain:
Whonix-Workstation ™ -> Proxy-Gateway -> Whonix-Gateway ™ -> clearnet
## connection scheme:
user -> Tor -> Proxy -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Other Connection Schemes

Virtually any combination is possible: a Post-Tor-Proxy; a Pre/Post-Tor-SSH; or the proxy being replaced with JonDo or perhaps I2P.

Always remember that the connection will be created in reverse order; see the example below. [1]

## chain:
Whonix-Workstation ™ -> Proxy-Gateway -> Whonix-Gateway ™ -> VPN-Gateway -> clearnet
## connection scheme:
user -> VPN -> Tor -> Proxy -> Internet

Upon reflection, it becomes clear why the connection happens in reverse order:

  • Whonix-Workstation ™ has no option but to pass through the Proxy-Gateway.
  • The Proxy-Gateway has no option but to pass through Whonix-Gateway ™.
  • In this case, the last element in the chain is the VPN-Gateway, which must obviously connect via clearnet.

In other terms:

  • The VPN-Gateway uses clearnet.
  • Whonix-Gateway ™ uses the VPN-Gateway to connect.
  • The Proxy-Gateway uses Whonix-Gateway ™ to connect.
  • Whonix-Workstation ™ uses the Proxy-Gateway to connect.

Since the Proxy-Gateway can only pass through Whonix-Gateway ™ followed by the VPN-Gateway, it is clear why it will be the last hop in front of the destination server.
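
The reverse-order reasoning above can be checked with a small model, added here as an illustration (not Whonix code): each gateway VM wraps whatever the VM behind it sends in its own tunnel, so the last gateway in the chain contributes the outermost layer and therefore the first hop on the wire. The `GATEWAY_HOP` mapping and the function names are assumptions made for this example.

```python
# Added illustration, not Whonix code. Names below are assumptions for this model.
# Each gateway VM in the chain maps to the network hop its tunnel terminates at.
GATEWAY_HOP = {
    "VPN-Gateway": "VPN",
    "Whonix-Gateway": "Tor",
    "Proxy-Gateway": "Proxy",
}


def encapsulate(chain, payload="request"):
    """Walk the VM chain outwards from the workstation.

    Every gateway can only forward through the next VM, so it wraps what it
    receives in its own tunnel. The result is what the last VM puts on clearnet.
    """
    if not chain or chain[0] != "Whonix-Workstation":
        raise ValueError("chain must start at Whonix-Workstation")
    packet = payload
    for vm in chain[1:]:
        if vm not in GATEWAY_HOP:
            raise ValueError(f"unknown gateway VM: {vm}")
        packet = (GATEWAY_HOP[vm], packet)  # inner tunnel travels inside this one
    return packet


def connection_scheme(chain):
    """Peel tunnel layers in the order the network removes them."""
    packet = encapsulate(chain)
    hops = ["user"]
    while isinstance(packet, tuple):
        hop, packet = packet  # outermost tunnel terminates first
        hops.append(hop)
    return hops + ["Internet"]


def exit_hop(chain):
    """Hop whose address the destination server sees (None if no gateway)."""
    hops = connection_scheme(chain)[1:-1]
    return hops[-1] if hops else None


if __name__ == "__main__":
    # The chain from the "Other Connection Schemes" example on this page.
    chain = ["Whonix-Workstation", "Proxy-Gateway", "Whonix-Gateway", "VPN-Gateway"]
    print(" -> ".join(chain + ["clearnet"]))
    print(" -> ".join(connection_scheme(chain)))
    print("destination sees:", exit_hop(chain))
```
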

Other Considerations

Whether these combinations make sense in terms of security and anonymity is hotly debated and depends on your personal threat model; see Tor plus VPN or Proxy. Advanced tunneling configurations also require knowledge of how to properly edit /etc/network/interfaces on Whonix-Gateway ™ and/or on Whonix-Workstation ™. In the case of Non-Qubes-Whonix ™, this refers to the virtual internal network name in VirtualBox settings.

This process is generally difficult because there are no other anonymizing gateways (VPN / JonDo / I2P / Proxy / SSH) available for download in Whonix ™, only the Whonix-Gateway ™, which uses Tor to anonymize traffic. This means a search for instructions is often required and/or an anonymizing gateway must be built from scratch. [2]

For a VPN-Gateway, see also:

Footnotes

  1. "Internet" below refers to the destination server, such as a website.
  2. Instructions for a pfSense-based VPN-Gateway can be found with search engines, but it is untested for leaks.



Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
