Deprecated/Using Tunnels with Whonix


Introduction

All kinds of tunnels are possible and tested to work with Whonix. With Whonix you can route a connection through a VPN, SSH, or proxy before Tor, after Tor, or both.

Read first:

Comparison Table

| Property | USER -> PROXY -> TOR -> INTERNET | USER -> VPN/SSH -> TOR -> INTERNET | USER -> TOR -> PROXY/VPN/SSH -> INTERNET |
| configuration modification applied where | Whonix-Gateway | Whonix-Gateway [or host (FAQ)] | Whonix-Workstation |
| evade Tor bans by websites | No | No | possibly |
| evade Tor bans by network censors | maybe [1] [2] | maybe [3] | No |
| hide Tor and Whonix from your ISP | very weak [4] | maybe [5] | No |
| no loss of Stream Isolation | Yes | Yes | No |
| no reconfiguration [6] of pre-configured software required [7] in order to use the extra tunnel-link | Yes | Yes | No |
| no permanent exit relay | unaffected | unaffected | No |
| increased tunnel length | Yes | Yes | Yes |
| effects on anonymity | disputed [8] | disputed [8] | disputed [8] |
| tunnel UDP over Tor | No | No | Proxy: No; VPN: Yes; SSH: undocumented |

Connecting to a tunnel-link (proxy/VPN/SSH) before Tor (User -> proxy/VPN/SSH -> Tor -> Internet)

DESCRIPTION: (USER -> PROXY/VPN/SSH -> TOR -> INTERNET)

When to use a tunnel-link before Tor

Sometimes you have to use a tunnel-link to reach the internet at all, because your ISP censors access to the full internet (for example the Great Firewall of China), or because you are on a restricted LAN (such as in an educational or corporate environment).

A proxy, VPN or SSH can also be possibly


Safety issues to consider when connecting to a tunnel-link before Tor

In deciding whether to use a tunnel-link before Tor, the question is essentially how much you can trust the tunnel-link provider (a VPN host, for example). The provider can see that you are using Tor but, thanks to Tor, cannot see what you are doing through it. However, because you connect to the tunnel-link directly, the provider (for example the VPN hosting service) knows and *may* log your IP address, your login times, and so on. If you paid for the service, that payment establishes a "money trail", which could make it easier for a third party (a government, for example) to identify you specifically. For these reasons alone it may be ill-advised to use a tunnel-link before Tor. Still, if it is extremely unsafe for your ISP to see any Tor use at all, and you control your own server in a safe country while you are in a dangerous one, connecting to a tunnel-link before Tor may be your best option. Note: few people appear to use a tunnel before connecting to Tor, so its anonymity and privacy properties have not been thoroughly tested. *Do not rely on this too much to protect your anonymity.*

Connecting to a VPN before Tor (User -> VPN -> Tor -> Internet)

There are many different VPN protocols (too many to cover in this guide). OpenVPN, which is free and open-source software, has been vetted by multiple Tor users and is the recommended VPN protocol to use (not PPTP).

Setting up VPN before Tor (User -> VPN -> Tor -> Internet)

If you are forced to use a VPN server, or are already using one, you most likely know how to connect to it. When your VPN is set up properly, all of your connections are forced through the VPN first. If you start Tor on top of that, you connect to the VPN, then to Tor, then to the Internet. In other words, your connection is: (User -> VPN -> Tor -> Internet).

There are two ways of setting up the VPN:
1. Add the VPN on the host, so that all of Whonix-Gateway's traffic is tunneled through it.
2. Add the VPN inside Whonix-Gateway.

See also What's the difference of installing a VPN on the host versus installing on Whonix-Gateway?

See also examples of setting up VPNs to work with Whonix.

Use a Fail Closed Mechanism

A general problem with VPNs is that they fail open: VPN servers and VPN software occasionally break down without warning, and when the VPN connection drops, in most cases the system simply continues to connect to the Internet directly, without the VPN. This is not a Whonix-specific problem.

One benefit of Whonix is that when the VPN connection breaks down you still have the protections of Tor: Whonix-Workstation seamlessly continues to make "direct" connections through Tor. If you use the VPN only to circumvent censorship of Tor, you may not care much. If, however, you believe the VPN improves your security, make sure that when the VPN connection breaks down, all connections between your computer and the outside world cease.

How to add the VPN on the host

Just as you would if you were not using Whonix. (Consider the security precautions and links to examples discussed above.)

How to add the VPN in Whonix-Gateway

After installing Whonix-Gateway, do the following steps before activating Tor in Whonix Setup Wizard.

1. Modify Whonix User Firewall Settings.

Note: if you have not changed any firewall settings yet, the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf does not exist, so the editor opens an empty file. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix User Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> User Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/whonix_firewall.d/50_user.conf


Note: the Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains the default settings together with comments explaining the purpose of each setting. It is opened read-only by default, and you are not supposed to edit it directly; below we therefore open it without root rights. The file itself explains how to change firewall settings:

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, complete the following steps.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix Global Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Global Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

nano /etc/whonix_firewall.d/30_default.conf

2. Add the following settings. Comments (lines starting with #) can be skipped. Note: adjust the VPN_SERVERS variable to your provider's address(es), unless you are using seattle.vpn.riseup.net as your VPN service.

###########################
## VPN-Firewall Settings ##
###########################
## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABLED BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1

## IP address of the VPN server.
## Get the IP using: nslookup vpn-example-server.org
## Example: seattle.vpn.riseup.net
## Some providers provide multiple VPN servers.
## You can enter multiple IP addresses, separated by spaces.
VPN_SERVERS="198.252.153.26"

## For OpenVPN.
VPN_INTERFACE=tun0

## Destinations you do not want routed through the VPN.
## 10.0.2.2/24: VirtualBox DHCP
LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24"

3. Exit and save the file.

<CTRL-X> --> Press Y --> <ENTER>

4. Reload Whonix-Gateway Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run:

sudo whonix_firewall

5. Now set up OpenVPN. It should be able to connect. See #Examples_of_setting_up_VPNs_to_work_with_Whonix for help.

6. Enable Tor using Whonix Setup Wizard.

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Whonix Setup Wizard

For terminal-only Whonix-Gateway, run:

sudo whonixsetup
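The steps above configure Whonix's own firewall through 50_user.conf. What follows is an added shell example, not code from Whonix or from this page, showing what VPN_FIREWALL=1 amounts to in fail-closed terms. It checks that VPN_SERVERS holds only IPv4 literals (a hostname cannot be resolved before the tunnel exists, and the firewall has no IPv6 support, see the Limitations further below), then renders the rule set those variables imply as iptables commands without applying anything. The uplink interface name eth0 is an assumption, and the rendered rules illustrate the principle rather than reproducing whonix_firewall's actual rule set.

```shell
#!/bin/sh
# Added example, not part of Whonix: validate the 50_user.conf VPN
# variables and render the fail-closed rules they imply. Nothing is
# applied; the output is meant to be read, or piped to sh on a test VM.

# True only for a dotted-quad IPv4 literal with four octets in 0-255.
# Hostnames are rejected: they would need DNS before the tunnel exists.
# IPv6 is rejected because the firewall has no IPv6 support.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 is the VPN_SERVERS value: one or more space-separated addresses.
validate_vpn_servers() {
    [ -n "$1" ] || return 1
    for ip in $1; do
        is_ipv4 "$ip" || return 1
    done
    return 0
}

# render_rules VPN_SERVERS VPN_INTERFACE LOCAL_NET UPLINK
# UPLINK is the interface that reaches the ISP (eth0 is an assumption).
render_rules() {
    validate_vpn_servers "$1" || {
        echo "VPN_SERVERS must contain IPv4 literals only, got: $1" >&2
        return 1
    }
    # Fail closed: nothing leaves unless a rule below allows it, so a
    # dropped VPN stops Tor instead of letting it connect directly.
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Destinations exempt from the VPN (LOCAL_NET), e.g. the Workstation link.
    for net in $3; do
        echo "iptables -A OUTPUT -d $net -j ACCEPT"
    done
    # Only the VPN handshake itself may use the uplink directly.
    for ip in $1; do
        echo "iptables -A OUTPUT -o $4 -d $ip -j ACCEPT"
    done
    # Everything else, Tor included, must travel inside the tunnel.
    echo "iptables -A OUTPUT -o $2 -j ACCEPT"
}

# Stand-alone use:
#   ./vpn-fail-closed.sh "198.252.153.26" tun0 "127.0.0.0/8 10.152.152.0/24" eth0
if [ "$#" -eq 4 ]; then
    render_rules "$1" "$2" "$3" "$4"
fi
```

The order of the rules is the whole point: the default policy is DROP, the only uplink exception is the VPN server address itself, and Tor is reachable only via the tun interface. With the VPN down, Tor has nowhere to go, which is exactly the behaviour the Leak Tests below expect.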

Additional Tweaks / Recommendations / Troubleshooting

If having problems with the connection / Tor is not fully bootstrapped

You may have to restart Tor manually. The VPN may not be ready when Tor first attempts to connect, because initializing the VPN connection takes too long, and due to a bug in Tor it does not keep retrying. So if whonixcheck reports after boot that Tor is not fully bootstrapped, restart Tor manually. The same may be necessary if your VPN software or connection temporarily broke down.

To manually restart Tor, reload Tor. (Reloading Tor is also required after any edit to /etc/tor/torrc, so that the changes take effect.)

Note: if, after completing all these steps, you are not able to connect to Tor, you have most likely made a mistake. Go back, check your /etc/tor/torrc and the firewall settings, and redo the steps outlined above. If you are able to connect to Tor, you have completed the changes correctly.

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Leak Tests

When you shut down the VPN, neither Tor, nor Whonix-Gateway's whonixcheck/apt-get/etc. nor Whonix-Workstation should be able to connect anywhere anymore.

Force Tor to wait for OpenVPN

sysvinit: (Legacy. Prefer the systemd method below.) [9]

systemd (Whonix 11 and above):

Create a folder /etc/systemd/system/tor.service.d.

sudo mkdir /etc/systemd/system/tor.service.d

Create a file /etc/systemd/system/tor.service.d/50_user.conf.

Open /etc/systemd/system/tor.service.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/systemd/system/tor.service.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/systemd/system/tor.service.d/50_user.conf

Add the following content.

[Unit]
After=openvpn.service

Save.

At next boot, the Tor daemon will be started after the OpenVPN daemon. Note that After= only orders the two units; it does not start OpenVPN by itself. If OpenVPN is not already enabled, also add Wants=openvpn.service under [Unit] (or Requires=openvpn.service, which additionally prevents Tor from starting when OpenVPN fails to start).

Debugging: [10]

Limitations

  • Only tested with OpenVPN. Most other VPN protocols have deficiencies anyway.
  • The VPN server's hostname has to be resolved to an IP address manually. There is no way to resolve it automatically without making the setup much more complex. The VPN server's address should not be resolved over Tor, because hiding Tor use is the whole point of the setup. Since outside observers will see you connecting to the VPN IP anyway, it is probably safe to resolve the hostname over clearnet, or to ask the VPN provider, if they do not already document their server IPs on their website.
  • No support for IPv6 yet.

Troubleshooting VPN -> Tor

  • If not connecting, see above to manually restart Tor
  • Check your VPN software's logs.
  • Test if you are able to connect using your VPN

1. Login as user clearnet.

sudo su clearnet

2. Try connecting to check.torproject.org. Note: at the time of writing, the usaip free trial appeared to block SSL, so this may not work there.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --silent -H 'Host: check.torproject.org' -k https://38.229.72.22

The request targets the IP directly with an explicit Host header, so the certificate name will not match and -k disables verification; this tests only whether traffic passes through the VPN, not the server's identity. It should show something like: Your IP address appears to be: xxx.xxx.xxx.xxx

3. Get back to normal user.

exit

Connecting to a proxy before Tor (User -> proxy -> Tor -> Internet)

Proxy Warning

How to setup proxy before Tor (User -> proxy -> Tor -> Internet)

Tor natively supports proxy settings.

On Whonix-Gateway:

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Depending on your proxy configuration, add the settings you'll need to your /etc/tor/torrc. For more information on these settings, have a look in the Tor manual and read the FAQ.

HTTPProxy host[:port]
HTTPProxyAuthenticator username:password
HTTPSProxy host[:port]
HTTPSProxyAuthenticator username:password

Socks4Proxy host[:port]

Socks5Proxy host[:port]
Socks5ProxyUsername username
Socks5ProxyPassword password

FascistFirewall 0|1 

ReachableAddresses ADDR[/MASK][:PORT]… 
ReachableDirAddresses ADDR[/MASK][:PORT]… 
ReachableORAddresses ADDR[/MASK][:PORT]… 

Note: use the IP address instead of the hostname (proxy.example.com). If you do not know the IP of your proxy, run nslookup proxy.example.com (replacing proxy.example.com with your actual proxy's hostname) in a terminal (Konsole) on your host operating system. Using an IP instead of a hostname might cause subtle fingerprinting issues, see [12] for more information.

Connecting to SSH before Tor (User -> SSH -> Tor -> Internet)

This chapter is not fully tested/complete. Please give feedback if it worked for you. It does not seem to be very popular; no one has asked about it in over a year.

Setting up the SSH tunnel could be either done on the host or inside Whonix-Gateway.

1. First we have to install the ssh client.

sudo apt-get update

sudo apt-get install ssh

2. Then make sure your SSH connection itself works. SSH to your server using:

ssh yourusername@your.ssh.server

3. It is recommended to set up public key authentication. On the client, generate a key pair with ssh-keygen -t ed25519 (the public key is written to ~/.ssh/id_ed25519.pub). Then, on the server, create the authorized_keys file inside ~/.ssh with the permissions sshd expects:

mkdir -p ~/.ssh && chmod 700 ~/.ssh

nano ~/.ssh/authorized_keys

Paste the line from your public key file (beginning with ssh-ed25519 ... or ssh-rsa ...), then:

chmod 600 ~/.ssh/authorized_keys

4. Terminate the SSH connection.

exit

Log in again. With the key in place, ssh picks up ~/.ssh/id_ed25519 automatically and should no longer ask for a password. (ssh-copy-id yourusername@your.ssh.server performs the server-side part of step 3 in one go.)

5. When that is working install your favorite text mode browser, for example.

apt-get install lynx

And test if the shell's external internet connection is working. Try.

lynx check.torproject.org

You are done with the prerequisites. Exit your shell.

exit

6. Now tell the SSH client to start a SOCKS5 proxy listening on localhost 127.0.0.1 port 1080. The -N flag means no remote command is run; the tunnel is all that is needed. This command has to run in the background (for a one-off, add -f so that ssh forks to the background after authenticating) on each start-up, before Tor starts, for example from a systemd unit ordered before tor.service in the same way as the tor.service.d drop-in shown for OpenVPN above. Public key authentication should be in place so that no password prompt is needed at boot.

ssh -N -D 127.0.0.1:1080 your.ssh.server

Now we have to tell Tor to use the new local ssh server.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

And add.

(In case SSH tunnel has been setup from Whonix-Gateway.)

Socks5Proxy 127.0.0.1:1080

(Or in case SSH tunnel has been setup on the host.)

#Socks5Proxy IP:PORT

7. (TODO: if running inside Whonix-Gateway, probably new firewall rules are required.)

8. We are done, from now on, Tor will connect through the SSH server.
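The steps above leave open how to keep the ssh -D listener running from boot and how to order Tor after it. The following is an added shell example, not code from Whonix or from this page: it renders a systemd service that runs ssh -D as a persistent SOCKS5 proxy, plus a tor.service drop-in that makes Tor start only after that service. Nothing is written to /etc; the functions print unit text. The unit name ssh-socks.service, the key path and the account "clearnet" are assumptions (clearnet is the Whonix-Gateway user used for non-Tor connections in the VPN troubleshooting steps above; whether extra firewall rules are needed for it is the open TODO in step 7).

```shell
#!/bin/sh
# Added example, not part of Whonix: render a systemd unit that keeps
# "ssh -D" running as a SOCKS5 proxy on 127.0.0.1:PORT from boot, and a
# tor.service drop-in that makes Tor start only after it. Nothing is
# written to /etc; both functions print unit text to standard output.

# render_ssh_socks_unit USER HOST PORT KEYFILE RUNAS
# RUNAS is the local account that runs ssh. "clearnet" is an assumption:
# it is the Whonix-Gateway user shown in the VPN troubleshooting steps as
# allowed to make non-Tor connections.
render_ssh_socks_unit() {
    user=$1 host=$2 port=$3 keyfile=$4 runas=$5
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric, got: $port" >&2; return 1 ;;
    esac
    cat <<EOF
[Unit]
Description=SSH SOCKS5 tunnel to $host for Tor
After=network-online.target
Wants=network-online.target

[Service]
User=$runas
# -N: no remote command, -D: local SOCKS listener (bound to loopback).
# BatchMode refuses to prompt for a password, so key authentication must
# already work; ExitOnForwardFailure turns a failed -D bind into a unit
# failure instead of a silently useless ssh process; ServerAlive* makes a
# dead link fail fast so Restart= can bring the tunnel back.
ExecStart=/usr/bin/ssh -N -D 127.0.0.1:$port -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i $keyfile $user@$host
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# render_tor_dropin TUNNEL_UNIT: drop-in for tor.service. After= only
# orders the start; Requires= also pulls the tunnel unit in and keeps Tor
# from starting at all when the tunnel unit fails to start.
render_tor_dropin() {
    cat <<EOF
[Unit]
After=$1
Requires=$1
EOF
}

# Stand-alone use prints both files, e.g.:
#   ./ssh-socks-unit.sh alice ssh.example.org 1080 /home/clearnet/.ssh/id_ed25519 clearnet
if [ "$#" -eq 5 ]; then
    render_ssh_socks_unit "$@"
    printf '\n# --- /etc/systemd/system/tor.service.d/50_user.conf ---\n'
    render_tor_dropin ssh-socks.service
fi
```

Save the first output as /etc/systemd/system/ssh-socks.service and the second as /etc/systemd/system/tor.service.d/50_user.conf (the same drop-in path the OpenVPN section above uses), then run sudo systemctl daemon-reload && sudo systemctl enable --now ssh-socks. The torrc line stays Socks5Proxy 127.0.0.1:1080. Generate the key with ssh-keygen -t ed25519 as the RUNAS user and install it with ssh-copy-id, and make sure the server's host key is already in that user's known_hosts, because BatchMode=yes also refuses to accept an unknown host key interactively.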

Connecting to Tor before a tunnel-link (proxy/VPN/SSH) (User -> Tor -> proxy/VPN/SSH -> Internet)

DESCRIPTION: (USER -> TOR -> PROXY/VPN/SSH -> INTERNET)

You can tunnel through Tor first and add a tunnel-link (proxy/SSH/VPN) as your "exit relay". When setting up your tunnel-chain in this way, services (such as websites, etc.) that you connect to will not know that you are using Tor [13]. This can be useful to evade Tor bans, for example, to be able to visit websites or IRC networks who blacklisted Tor. Beware of the risks, this adds a "permanent exit relay", read Tor Plus VPN or proxy.

To do that, go to your Whonix-Workstation and add the proxy, SSH or VPN normally, just like you would do, if you wouldn't use the Whonix-Gateway. Adding your proxy, SSH or VPN inside Whonix-Workstation will, thanks to Whonix-Gateway, result in them getting tunneled over Tor.

Protocol leaks [14] still apply, though to a lesser extent: anything that leaks, leaks only through Tor, and you keep the best available protocol-leak and fingerprinting protection.

Things to keep in mind when connecting to Tor before a tunnel-link

uwt and Tor Browser

There are two special cases in Whonix: (1) applications using uwt and (2) Tor Browser.

Applications using uwt are pre-configured with SOCKS proxy settings. [15] You may have to disable the uwt wrapper, if there is one, for the application you want to tunnel. See Stream Isolation to learn what uwt and uwt wrappers are and how to disable them.

If you want to do it with Tor Browser, read Change/Remove Proxy Settings.

Malware

Also note that once Whonix-Workstation gets rooted by malware, the VPN/SSH/proxy can be easily circumvented by the attacker and you are left to the protections by Whonix and Tor.

Leaks

If it were easy to set up a socksifier, proxy settings, a transparent proxy with local redirection, an SSH tunnel or a VPN in a leak-free manner, that is, while ensuring nothing bypasses the VPN, SSH or proxy, there would have been no reason to develop Whonix in the first place.

The methods described on this page are all tested and should more or less work. Should there be a misconfiguration or a leak bug, you are left with the protections of Whonix and Tor: the leak still goes through Whonix-Gateway and is therefore forced through Tor. The methods on this page are not as safe as a Whonix-Gateway. There were development discussions and some progress [16] on chaining multiple Gateways (VPNBOX, JonDoBOX, I2PBOX, FreenetBOX and ProxyBOX), but nothing was finished due to a lack of community interest, support and developers.

Web Browser

It is unknown how anonymous it is to use (proxy/VPN/SSH ->) Tor -> proxy/VPN/SSH -> Tor Browser -> website. How many people show up with a proxy, VPN or SSH IP while using Tor Browser? This setup is so unusual that probably very few people do it. For this reason we recommend against it.

On the other hand, because of browser fingerprinting, using any browser other than Tor Browser cannot be recommended either.

Loss of Hidden Services Connectivity

When using USER -> TOR -> PROXY/VPN/SSH -> INTERNET, i.e. when the last server is not a Tor relay, you will no longer be able to connect to Hidden Services (unless you run another Tor client on top, which would lead to Tor over Tor, discouraged for security reasons).

Connecting to Tor before a VPN (User -> Tor -> VPN -> Internet)

Important things to consider when connecting to Tor before a VPN

Loss of stream isolation

While you are connecting to Tor before a VPN, you probably will not be able to make use of the stream isolation feature [17], which is planned for Tor Browser. This is because Tor Browser would not talk to Tor directly anymore. Tor Browser would connect to the VPN instead.

Possible increased threat of identity correlation

By design, a VPN routes all your applications (those without any proxy settings, as explained above) through the VPN. You may not want this, as explained above (Stream Isolation). To circumvent that, you should use this Whonix-Workstation only for the particular application you want to route through the VPN. You are advised to read Multiple Whonix-Workstations.

How to setup connecting to Tor before a VPN (User -> Tor -> VPN -> Internet)

Note: you have to configure the VPN to use TCP transport, because Tor does not support UDP.

Just use general instructions on doing so and of course do it inside Whonix-Workstation. Don't forget to read all the notes above. Since everything is routed through Tor, the VPN can be easily tunneled through Tor.

See also section at the bottom of this page #Examples_of_setting_up_VPNs_to_work_with_Whonix.

Using TransPort instead of SocksPort is required for Tor -> VPN

Most Whonix default applications, Tor Browser included, are configured to use a SocksPort rather than the TransPort, because SocksPort settings are what provides Stream Isolation. As Tor Plus VPN or proxy explains, keep in mind that a VPN behind Tor adds a permanent exit relay.

Applications configured to use a SocksPort will not be tunneled through the VPN; they will "only" be tunneled through Tor, because the VPN does not touch connections to 10.152.152.10, which is Whonix-Gateway. For example, to tunnel Tor Browser through Tor -> VPN, you have to remove all proxy settings from Tor Browser, see Change/Remove Proxy Settings. check.torproject.org will then tell you "You are not using Tor." and show your VPN's IP, even though the VPN was in fact tunneled through Tor first (Whonix-Workstation cannot make any non-Tor connections by design, so everything is tunneled over Tor). When you stop the VPN for testing (sudo /etc/init.d/openvpn stop), it will show "You are using Tor." again.

Use a Fail Closed Mechanism

The fail-open problem described under Use a Fail Closed Mechanism above applies here as well: if the VPN connection breaks down, Whonix-Workstation seamlessly continues to make "direct" connections through Tor, so your traffic is no longer hidden behind the VPN's exit. If you rely on the VPN for security rather than only for circumventing censorship, make sure that when the VPN connection breaks down, all connections between your computer and the outside world cease.

Connecting to Tor before a proxy (User -> Tor -> proxy -> Internet)

Proxy Warning

Proxy Settings Method

Generally

After understanding the "Read First" information in the #Introduction, there is no difference from using proxy settings in the ordinary way, other than that it runs inside Whonix-Workstation.

If proxy settings are honored by an application or in the worst case there are leaks (still forced through Tor thanks to Whonix), is another question and out of scope, see TorifyHOWTO.

Tor Browser Proxy Configuration

Due to a bug in Tor Browser [19], extra steps are required to use proxies with Tor Browser.

This breaks Stream Isolation for Tor Browser as well as Tor Browser's tab isolation by SOCKS username, thereby worsening your web fingerprint and making you pseudonymous rather than anonymous. (To limit the risks, consider using More than one Tor Browser in Whonix or, better, Multiple Whonix-Workstations.)

Inside Whonix-Workstation.

1. Install FoxyProxy add-on in Tor Browser

2. Change Tor Browser Settings:

  • Double click Default proxy in FoxyProxy and setup the IP and port of the proxy. If configuring a SOCKS proxy check the option and specify the type.
  • Set Mode: Use Proxy "Default" for all URLs

Proxifier Method

General

After understanding the "Read First" information in the #Introduction, there is no difference from using a proxifier in the ordinary way, other than that it runs inside Whonix-Workstation.

Whether the proxifier is leak-free, or in the worst case leaks only through Tor (thanks to Whonix), is another question and not in Whonix's power, see TorifyHOWTO.

uwt

uwt uses torsocks. While the name torsocks implies it's Tor specific, it's not. You can point it to any socks proxy.

uwt - wget Example

For Tor stream isolation #1

uwt -t 5 -i 10.152.152.10 -p 9153 /usr/bin/wget.anondist-orig -c https://check.torproject.org

For Tor stream isolation #2

uwt -t 5 -i 10.152.152.10 -p 9154 /usr/bin/wget.anondist-orig -c https://check.torproject.org

For Tor stream isolation #3
Requires deactivated wget uwt wrapper!

uwt -t 5 -i 10.152.152.10 -p 9155 /usr/bin/wget -c https://check.torproject.org

Proxy #1

uwt -t 5 -i x.x.x.x -p xxxx /usr/bin/wget.anondist-orig -c https://check.torproject.org

Proxy #2
Requires deactivated wget uwt wrapper!

uwt -t 5 -i x.x.x.x -p xxxx /usr/bin/wget -c https://check.torproject.org

[20]

For testing, if you didn't disable the wget uwt wrapper, the following command will most likely get another IP, because still using Stream Isolation.

Using Tor's TransPort.
(/usr/bin/wget.anondist-orig original non-uwt-wrapped version)

wget.anondist-orig https://check.torproject.org

If you disabled wget's uwt wrapper, you could use.

Using Tor's TransPort.
Requires deactivated wget uwt wrapper!

wget https://check.torproject.org

uwt - Tor Browser Example

Do not forget to Remove Proxy Settings from Tor Browser.

Then try this command. (Untested! Please leave feedback if it worked for you!)

uwt -t 5 -i 10.152.152.10 -p 9153 ~/tor-browser_en-US/App/Firefox/firefox --profile ~/tor-browser_en-US/Data/profile

See also the wget example above for more information and usage examples.

Might be also interesting:

proxychains

Warnings
  • We do not know how well proxychains works. For example, torsocks has an IPv6 leak bug [21]. We do not know whether proxychains forces everything through the proxies. Whonix only ensures that, should there be leaks, they go only through Tor.
  • There are at least three different versions of proxychains: the old/original/unmaintained version on sourceforge.net and two forks on github. We do not know the status of any of them and have not heard of anyone checking whether they really work as expected. The two fork authors argue with each other, and we were not motivated to understand the conflict and determine which version is better. However, any leaks not going through the proxy (chain) will go through Tor.
Instructions
General

Install proxychains.

sudo apt-get install proxychains

Note the uwt and Tor Browser notice above first. After you have done so it's quite simple.

Open proxychains configuration file.

Open /etc/proxychains.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/proxychains.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/proxychains.conf

Go to the bottom of the settings file. Comment out "socks4 127.0.0.1 9050" and add for example "socks5 10.152.152.10 9152" (for Tor stream isolation) or "socks5 ip port" with an IP and port of your choice to set the proxy settings.

[ProxyList]
## add proxy here ...
## meanwhile
## defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 10.152.152.10 9152
# socks5 x.x.x.x xxxx

Advanced recommendation: why not use Tor stream isolation for the proxychains connection as well? Listing the Tor SocksPort first and your proxy second makes proxychains connect through an isolated Tor stream and then onward to the proxy:

[ProxyList]
## add proxy here ...
## meanwhile
## defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 10.152.152.10 9152
socks5 x.x.x.x xxxx

Save the configuration file. Test afterwards.

test uwt wrapped application

For example:

proxychains /usr/bin/wget.anondist-orig https://check.torproject.org

For testing, if you didn't disable the wget uwt wrapper, the following command will most likely get another IP. (Stream Isolation)

Using Tor's TransPort.
(/usr/bin/wget.anondist-orig original non-uwt-wrapped version)

wget.anondist-orig https://check.torproject.org

Tor Browser

The combination of proxychains and Tor Browser does currently not work. Someone needs to Contribute by figuring this out. Otherwise this will not be possible for a very long time. See forum discussion.

Do not forget to Remove Proxy Settings from Tor Browser.

Then try this command.

proxychains ~/tor-browser_en-US/start-tor-browser

Might be also interesting:

Transparent Proxying (Advanced users only!)

To be clear about what this is about: Whonix-Gateway already serves as a transparent proxy [22], which means that all applications not explicitly configured [23] to use a SocksPort connect through Tor without any settings. This section is about additionally configuring Whonix-Workstation to act as a transparent proxy [24]. Use case: a user wants to ensure all traffic goes through Tor (by using Whonix-Gateway) and additionally wants to ensure all traffic goes through a proxy chosen by the user after the Tor link, i.e. user -> Tor -> proxy -> internet.

[25]

You always have to keep in mind, which kind of data and which kind of proxy you are using. There are CGIproxies, http(s) proxies and socks4/4a/5 proxies.

In case you redirect the network layer directly with iptables, you need a TransPort. Unfortunately very few applications, do offer a TransPort. For example, Tor supports a TransPort. In most other cases, you need to translate the different kinds of data.

Due to the nature of Transparent Proxying, we need to redirect with iptables and end up with a "Trans data stream". Because most proxies are either http or socks we need to translate this. Below we discuss a few tools which help here, not all are required, depending on what you want to do.

Required reading:

Tools

Tor is a SOCKS proxy and also has a TransPort. Unfortunately, Tor cannot be used directly as an HTTP proxy. Keep in mind also that Tor does not support UDP, although it offers a DnsPort.

redsocks can also accept "Trans data streams" and forward them to HTTP CONNECT, socks4 and socks5 proxies. If you were to use a plain HTTP proxy (without the CONNECT method, see the proxy article), you could access only http sites, not https sites. redsocks can also convert UDP DNS queries to TCP DNS queries.

DNS resolution

The complication (and also advantage/feature) with transparent proxying is, that the internet application (browser, etc.) is not aware of the proxy. Therefore the internet application will attempt to do the DNS resolution itself using the system, not using the proxy. The DNS requests also must be considered. Since Tor does not support UDP, we have to transmit DNS queries via TCP.

It is impossible to resolve DNS directly on the proxy when using it as a transparent proxy; see Transparent Proxying Method for an explanation. You need an extra DNS server which answers over TCP.

You have several options to resolve DNS.

Either leave the setup as it is: Tor's DnsPort, and therefore the Tor exit relays, will still do the DNS requests. (See DNS rule #1.) This is probably not what you want, since you wanted to cloak your identity with an additional proxy after Tor.

Alternatively you can use a public DNS resolver. The instructions under Secondary DNS Resolver#DNSCrypt by OpenDNS should work out of the box (tested). (See DNS rule #2.)

All DNS resolvers [26] should work, as long as TCP is supported and as long as you are querying a TCP-enabled DNS server. [27] [28] [29] [30]

Read the DNS related warnings.

How to setup proxy tunnel-link after Tor (User->Tor->Proxy->Internet)[edit]

Unfinished!
Advanced users only!

Everything in this section is done on Whonix-Workstation. Get a working proxy and test that it works reliably.

1. Install redsocks.

sudo apt-get install redsocks

Open /etc/default/redsocks in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/default/redsocks

If you are using a terminal-only Whonix, run:

sudo nano /etc/default/redsocks

Look for.

START=no

And replace it with.

START=yes

2. Configure redsocks by editing /etc/redsocks.conf to your needs.

Open /etc/redsocks.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/redsocks.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/redsocks.conf

Under.

redsocks {

You have to edit.

        ip = 127.0.0.1;
        port = 1080;
        type = socks5;

To your needs.

3. Start redsocks.

sudo service redsocks start

4. Create a file fw.bsh with the following firewall rules.

#!/bin/bash
## These iptables rules redirect the traffic for all users,
## including root, with the exception of the user redsocks,
## through the proxy.

## TODO: these iptables rules need review.
## TODO: use iptables default policy drop.

## Choose either DNS rule #1 or DNS rule #2.

## For debugging/testing use this command in console.
## tail -f /var/log/syslog

## Flush old rules.
iptables -F
iptables -t nat -F
iptables -X

## Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT --dst 127.0.0.1 -j ACCEPT

## Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## DNS rule #1.
## Allow DNS directly through Whonix-Gateway.
#iptables -A OUTPUT --dst 10.152.152.10 -p udp --dport 53 -j ACCEPT

## DNS rule #2.
## For DNSCrypt set /etc/resolv.conf to
## nameserver 127.0.0.1
##
## sudo dnscrypt-proxy --tcp-only --user=user
##
## DNSCrypt listening on port 53
iptables -t nat -A OUTPUT --dst 127.0.0.1 -p udp --dport 53 -j ACCEPT
iptables -t nat -A OUTPUT --dst 127.0.0.1 -p tcp --dport 53 -j ACCEPT

## redsocks must be allowed to establish direct connections.
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks
iptables -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks

## Redirect remaining traffic to redsocks.
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345

## TODO: UDP rule untested.
#iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-port 10053

## Log blocked traffic for debugging.
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables: "

## Reject all other traffic.
iptables -A OUTPUT -j REJECT

5. Make the firewall script executable.

sudo chmod +x fw.bsh

6. Apply the firewall rules.

sudo ./fw.bsh
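As an added sanity check (not part of the original page and not Whonix's code), the following script reads a ruleset in the text form `iptables-save` prints and verifies the ordering points that the DNS resolution section and the TODO comments in fw.bsh leave to the reader: the owner ACCEPT for user redsocks must precede the REDIRECT in nat/OUTPUT, the DNS rule #2 exemptions for 127.0.0.1:53 must precede it as well, and filter/OUTPUT must end in REJECT. Both rulesets inside are constructed samples; it is assumed that your iptables prints the user name redsocks rather than a numeric uid.

```shell
#!/bin/bash
## Added offline sanity check for a fw.bsh-style ruleset; constructed samples,
## not Whonix code. Input is the text `iptables-save` prints. Order in
## nat/OUTPUT matters: the owner ACCEPT for user redsocks must precede the
## REDIRECT, or redsocks' own upstream connections loop back into redsocks.

# Args: ruleset text, redsocks local_port. Exit 0 when the owner ACCEPT comes
# before the REDIRECT in nat/OUTPUT and the REDIRECT targets that port.
check_nat_order() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2) }                 # *nat, *filter, ...
        table == "nat" && /^-A OUTPUT / {
            n++
            if (/--uid-owner redsocks/ && /-j ACCEPT/) accept = n
            if (/-j REDIRECT/) {
                redirect = n
                for (i = 1; i < NF; i++) if ($i ~ /^--to-ports?$/) to = $(i + 1)
            }
        }
        END { exit !(accept && redirect && accept < redirect && to == port) }'
}

# Exit 0 when filter/OUTPUT accepts loopback and ends in REJECT or DROP, so
# anything that escapes the redirect is blocked instead of leaking.
check_filter_closed() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A OUTPUT / {
            last = $0; if (/-o lo / && /-j ACCEPT/) lo = 1
        }
        END { exit !(lo && last ~ /-j (REJECT|DROP)/) }'
}

# DNS rule #2: UDP and TCP port 53 to 127.0.0.1 (local DNSCrypt) must be
# accepted in nat/OUTPUT before the REDIRECT, or the queries get redirected.
check_dns_local() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A OUTPUT / && !redirect {
            if (/-d 127\.0\.0\.1\/32 / && /--dport 53 / && /-j ACCEPT/) {
                if (/-p udp /) udp = 1; if (/-p tcp /) tcp = 1
            }
            if (/-j REDIRECT/) redirect = 1
        }
        END { exit !(udp && tcp) }'
}

# Constructed: what fw.bsh above yields (LOG and 127.0.0.1 filter lines omitted).
GOOD_RULES=$(cat <<'EOF'
*nat
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner redsocks -j ACCEPT
-A OUTPUT -p tcp -j REDIRECT --to-ports 12345
COMMIT
*filter
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
)
# Constructed broken variant: REDIRECT first, UDP DNS rule after it, no REJECT.
BAD_RULES=$(cat <<'EOF'
*nat
-A OUTPUT -p tcp -j REDIRECT --to-ports 12345
-A OUTPUT -m owner --uid-owner redsocks -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
*filter
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
)
for chk in check_nat_order check_filter_closed check_dns_local; do
    "$chk" "$GOOD_RULES" 12345 && echo "good: $chk ok" || echo "good: $chk FAIL"
    "$chk" "$BAD_RULES" 12345 && echo "bad:  $chk ok" || echo "bad:  $chk FAIL"
done
```

To check a live Whonix-Workstation after running fw.bsh, feed `sudo iptables-save` output to the three functions instead of the constructed samples.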

Connecting to Tor before a SSH (User -> Tor -> SSH -> Internet)[edit]

This chapter is not about connecting to an SSH server as a client (see Whonix in general and the Torify HOWTO). It is about adding an extra SSH tunnel after Tor.

Note that even though SSH supports socks5, SSH is still not able to forward UDP on its own. Have a look at the source of that information. To summarize: to tunnel UDP over SSH, the client and the shell admin need a special setup, which for most shells is not going to happen.

An SSH tunnel will provide a local socks5 proxy. Create the SSH tunnel in Whonix-Workstation; from there you will end up with a local socks5 proxy, which you can use following the proxy instructions above. Once the SSH tunnel is established, there are not many differences, besides the point already made above about UDP, and that the warning about missing encryption to the proxy does not apply to SSH tunnels, since SSH is encrypted. The SSH process needs to be allowed to access the internet directly: if you use transparent proxying, run the SSH process under an account which is privileged to access the internet directly.

Another untested method may be sshuttle.

User -> Tor -> VPN -> proxy -> Internet[edit]

https://forums.whonix.org/t/source-list-error/1680/18

Examples of setting up VPNs to work with Whonix[edit]

The purpose of this chapter is mainly to demonstrate how easy it is to add a VPN to Whonix, whether it is used as a tunnel-link before or after Tor (i.e. User -> Tor -> VPN -> Internet or User -> VPN -> Tor -> Internet).

The examples given below were mainly for testing purposes. You may set up accounts for the same reasons, or use the information below as a very rough "guide" for setting up a VPN with Whonix. When setting up the accounts within the examples, make sure not to enter personal information while signing up. Use an extra e-mail address for registration, which you will never use for anything else. If you plan to use User -> Tor -> VPN, you should obviously also sign up through Tor. When using User -> VPN -> Tor, it is unknown what is best (to sign up through Tor or not), but using Tor probably can't hurt.

Riseup.net[edit]

Riseup.net Quick VPN Command Line Test[edit]

Known to support TCP, UDP, SSL.

(1) You need a riseup.net account.
(2) You need to know your riseup account name.
(3) Go to riseup.net -> help -> VPN and obtain your VPN secret. (VPN password)
(4) Look inside the riseup VPN help page for RiseupCA.pem and download it.
(5) Open a terminal. (konsole) Get into the same folder, you stored RiseupCA.pem.
(6) Install openvpn.

sudo apt-get update && sudo apt-get install openvpn

(7) The following line from the riseup OpenVPN help page[31] won't work for user -> Tor -> VPN -> Internet, because the Tor network does not support UDP.

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --ca RiseupCA.pem

The following line works for user -> Tor -> VPN -> Internet.

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --ca RiseupCA.pem --proto tcp

(8) For DNS, see #Riseup DNS below.

Riseup.net riseup.conf[edit]

Known to support TCP, UDP, SSL.
(1) You need a riseup.net account.
(2) You need to know your riseup account name.
(3) Go to https://user.riseup.net/users/riseupusername/vpn to obtain your VPN secret. (VPN password) (Replace "riseupusername" with your actual riseup user name.) (Or just go to https://user.riseup.net, log in and click on "VPN".)
(4) Look inside the riseup VPN help page for RiseupCA.pem and (right click) download it.
(5) Create a file auth.txt inside the same folder.

riseupusername
vpnsecret

(6) Create a file riseup.conf inside the same folder.

client
dev tun
auth-user-pass auth.txt
#remote vpn.riseup.net 443
#remote seattle.vpn.riseup.net 443
remote nyc.vpn.riseup.net 80
ca RiseupCA.pem
remote-cert-tls server
script-security 1
#user nobody
#group nobody
proto tcp
#log /var/log/openvpn.log

(7) Start OpenVPN.

sudo openvpn riseup.conf

(8) For DNS, see #Riseup DNS below.
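The following added script (not Whonix's or Riseup's code) makes the UDP point from the Quick VPN Command Line Test and riseup.conf sections checkable before you start OpenVPN over Tor: it lists every remote in an OpenVPN client config or command line with its effective transport, applying OpenVPN's rules that `proto` defaults to udp and that a per-remote protocol on a `remote` line takes precedence. The riseup.conf is the one from above; the other two configs are constructed.

```shell
#!/bin/bash
## Added check, not Whonix's or Riseup's code: print the effective transport of
## every `remote` in an OpenVPN client config and fail if any would use UDP,
## which a User -> Tor -> VPN chain cannot carry. OpenVPN defaults to UDP when
## no `proto` is given; a `remote host port proto` line overrides it per remote.

# Arg 1: config text. Prints "host:port proto" per remote; exit 0 iff all TCP.
openvpn_remotes_tcp_only() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[#;]/ || NF == 0 { next }          # comments and blanks
        $1 == "proto"  { global = $2 }
        $1 == "remote" { n++; host[n] = $2; rproto[n] = $4
                         port[n] = ($3 == "" ? 1194 : $3) }
        END {
            if (!n) { print "no remote directive"; exit 1 }
            bad = 0
            for (i = 1; i <= n; i++) {
                p = (rproto[i] != "") ? rproto[i] : ((global != "") ? global : "udp")
                printf "%s:%s %s\n", host[i], port[i], p
                if (p !~ /^tcp/) bad++        # tcp, tcp-client, tcp4, ... are fine
            }
            exit (bad > 0)
        }'
}

# Same check for a command line: OpenVPN treats `--opt a b` on the command line
# exactly like the config line `opt a b`, so split the string on " --".
openvpn_cmdline_tcp_only() {
    openvpn_remotes_tcp_only "$(printf '%s\n' "$1" |
        awk '{ gsub(/ --/, "\n"); sub(/^--/, ""); print }')"
}

# riseup.conf from above: explicit proto tcp, so it can run over Tor.
RISEUP_CONF='client
dev tun
auth-user-pass auth.txt
#remote vpn.riseup.net 443
remote nyc.vpn.riseup.net 80
ca RiseupCA.pem
remote-cert-tls server
proto tcp'

# Constructed: no proto line at all, so OpenVPN silently picks UDP.
NO_PROTO_CONF='client
dev tun
remote vpn.riseup.net 1194
ca RiseupCA.pem'

# Constructed: global tcp, but one remote explicitly asks for udp.
MIXED_CONF='client
proto tcp
remote nyc.vpn.riseup.net 80
remote vpn.riseup.net 1194 udp'

# The two command lines from the Quick VPN Command Line Test above.
CMD_UDP='sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --ca RiseupCA.pem'
CMD_TCP="$CMD_UDP --proto tcp"

for cfg in "$RISEUP_CONF" "$NO_PROTO_CONF" "$MIXED_CONF"; do
    openvpn_remotes_tcp_only "$cfg" && echo "-> ok" || echo "-> FAIL: UDP remote present"
done
openvpn_cmdline_tcp_only "$CMD_UDP" && echo "-> ok" || echo "-> FAIL: UDP remote present"
openvpn_cmdline_tcp_only "$CMD_TCP" && echo "-> ok" || echo "-> FAIL: UDP remote present"
```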

Riseup DNS[edit]

Setup[edit]

Open /etc/resolv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/resolv.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/resolv.conf

Comment out.

#nameserver 10.152.152.10

Add.

## Riseup.net OpenVPN DNS server
nameserver 172.27.100.1

Save.

If you want to be sure that /etc/resolv.conf does not get overwritten by other packages (such as DHCP or resolvconf), make it immutable.

sudo chattr +i /etc/resolv.conf

If you ever want to remove the immutable flag again, use chattr -i.

Testing[edit]

When using "nameserver 10.152.152.10"...

nslookup idnxcnkne4qt76tg.onion

Will show.

Server:         10.152.152.10
Address:        10.152.152.10#53
Non-authoritative answer:
Name:   idnxcnkne4qt76tg.onion
Address: 10.192.0.1

When using "nameserver 172.27.100.1"...

nslookup idnxcnkne4qt76tg.onion

Will show.

Server:         172.27.100.1
Address:        172.27.100.1#53
** server can't find idnxcnkne4qt76tg.onion: NXDOMAIN

Because you cannot access .onion domains when a VPN has been chained after Tor. (user -> Tor -> VPN -> Internet)

Resolving clearnet DNS should work.

nslookup riseup.net

Should show.

Server:         172.27.100.1
Address:        172.27.100.1#53
Non-authoritative answer:
Name:   riseup.net
Address: 198.252.153.35

securityKISS.com[edit]

Unfortunately securityKISS.com drops many TCP and UDP ports besides ports 80 and 443. That limits its usefulness for testing purposes, such as Tunnel UDP over Tor. If you know a less restrictive free VPN provider, we'd be thankful for a comment.

Install openvpn.

sudo apt-get install openvpn

Register at securitykiss.com, log in and download their OpenVPN package to /home/user. Unpack it. The folder contains ca.cert, client.cert, client.key and README.txt (with a list of their servers and ports). Rename the folder to securitykiss. The structure should be like /home/user/securitykiss/ca.cert etc.

Open /etc/openvpn/client.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/openvpn/client.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/openvpn/client.conf

Paste the following content.

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 91.121.208.218 443
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /home/user/securitykiss/ca.crt
cert /home/user/securitykiss/client.crt
key /home/user/securitykiss/client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Edit the server IP and port and paste it. (It is essentially the default OpenVPN client.conf with minor changes.)

Save.

To initially start the VPN type:

sudo service openvpn start

After rebooting the VPN will be automatically started.

If you do not wish to start the VPN automatically for some reason:

Open /etc/default/openvpn in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/default/openvpn

If you are using a terminal-only Whonix, run:

sudo nano /etc/default/openvpn

Add.

AUTOSTART="none"

Save.

DNS settings have not been considered for this securitykiss.com chapter.

usaip.eu[edit]

For testing purposes, usaip.eu was used in the past. They were chosen because they were free and did not block the tested outgoing UDP port. The free version of usaip.eu can probably only be used for testing purposes, as it is only a test version which force-disconnects every 7 minutes. For longer and serious/stable use, you will probably need another VPN account.

Note: at the time of writing, it looked like usaip was probably blocking SSL, therefore

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https https://check.torproject.org

will probably not work.

Install OpenVPN.

sudo apt-get install openvpn

Go to usaip.eu and click on free demo. Download usaip.zip; it contains the OpenVPN configuration files. Unpack it. Open a shell and change into the folder (cd usaip). List all files (dir). Connect to a VPN, for example:

sudo openvpn /home/user/usaip/eu-luxemburg.ovpn

At the time of writing, the page stated that the user name was demo and the password also demo. Wait until it is connected; on success it will show "Initialization Sequence Completed". It might happen that the connection does not succeed for some unknown reason. In this case, try replacing eu-luxemburg.ovpn from the example above with another <country>.ovpn from the usaip folder.

DNS settings have not been considered for this usaip.eu chapter.

Using a graphical user interface[edit]

KDE Network Manager[edit]

If you want to install the KDE Network Manager.

sudo apt-get install network-manager-kde

Start menu -> System Settings -> Network Settings

At the time of writing, the riseup.net OpenVPN instructions for KDE were not finished. Perhaps you will find out yourself, use another guide for KDE Network Manager, or use the command line based examples above.

Don't be surprised if you don't see Whonix-Workstation's (virtual) wired network interface to Whonix-Gateway. That is still managed the ordinary ifupdown way in /etc/network/interfaces. See Dev/Network Manager if you want to know why it is not installed by default in Whonix.

GNOME Network Manager[edit]

Although Whonix is by default based on KDE, you can usually integrate GNOME applications.

In the case of GNOME Network Manager it just requires some more fiddling, because upstream developers wanted to make GNOME and KDE as compatible as possible, which includes that one desktop's settings manager will not show up when the other desktop has been started in a dual (KDE, GNOME) installation.

If you want to install the GNOME Network Manager.

sudo apt-get install network-manager-gnome network-manager-openvpn-gnome

If you want to autostart GNOME Network Manager:

Open /etc/xdg/autostart/nm-applet.desktop in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/xdg/autostart/nm-applet.desktop

If you are using a terminal-only Whonix, run:

sudo nano /etc/xdg/autostart/nm-applet.desktop

And comment out.

NotShowIn=KDE;

If you want to make the nm-applet start menu entries visible and to start it manually, open /usr/share/applications/nm-applet.desktop.

Open /usr/share/applications/nm-applet.desktop in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /usr/share/applications/nm-applet.desktop

If you are using a terminal-only Whonix, run:

sudo nano /usr/share/applications/nm-applet.desktop

And comment out.

NotShowIn=KDE;

And add.

Categories=GNOME;GTK;Settings;X-GNOME-NetworkSettings;

If you want to make the nm-connection-editor start menu entries visible and to start it manually, open nm-connection-editor.

Open /usr/share/applications/nm-connection-editor.desktop in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /usr/share/applications/nm-connection-editor.desktop

If you are using a terminal-only Whonix, run:

sudo nano /usr/share/applications/nm-connection-editor.desktop

And comment out.

NotShowIn=KDE;

Then you could open the settings.

Applications -> Settings -> Network Connections

You could try the riseup.net OpenVPN instructions for GNOME.

Footnotes[edit]

  1. See Hide_Tor_and_Whonix_from_your_ISP#Using_a_Proxy.
  2. Works only against simplistic IP blocking lists, because connections to such proxies are usually not encrypted.
  3. In these situations, VPNs are also often censored. You might be better off using Bridges.
  4. See Hide_Tor_and_Whonix_from_your_ISP#Using_a_Proxy.
  5. See Hide_Tor_and_Whonix_from_your_ISP.
  6. Disabling Stream Isolation.
  7. If you did not disable Stream Isolation, then applications still pre-configured for Stream Isolation would go only through Tor and not through the extra tunnel-link. It is up to you for which applications you disable Stream Isolation and for which not. If for some reason, you want for example to use gpg through the extra tunnel link, but Tor Browser not, then just disable stream isolation for gpg, but not for Tor Browser.
  8. 8.0 8.1 8.2 See Tor Plus VPN or proxy.
  9. To improve this situation, if you are using OpenVPN and Debian's init script to automatically start it, add an insserv override to wait for openvpn to be started.

    1. Create a new file /etc/insserv/overrides/tor. Open /etc/insserv/overrides/tor in an editor with root rights.

    If you are using a graphical Whonix or Qubes-Whonix, run:

    kdesudo kwrite /etc/insserv/overrides/tor

    If you are using a terminal-only Whonix, run:

    sudo nano /etc/insserv/overrides/tor

    2. Add the following content.

    ### BEGIN INIT INFO
    # Provides:          tor
    # Required-Start:    $local_fs $remote_fs $network $named $time
    # Required-Stop:     $local_fs $remote_fs $network $named $time
    # Should-Start:      $syslog openvpn
    # Should-Stop:       $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Starts The Onion Router daemon processes
    # Description:       Start The Onion Router, a TCP overlay
    #                    network client that provides anonymous
    #                    transport.
    ### END INIT INFO
    

    3. Then apply these changes by running.

    sudo update-rc.d tor defaults

  10. Reload systemd.

    sudo systemctl daemon-reload

    Check the Tor service status.

    sudo service tor status

    It should list the drop-in file /etc/systemd/system/tor.service.d/50_user.conf.
  11. Such as the Tor, JonDonym or I2P software.
  12. https://github.com/Whonix/Whonix/issues/94
  13. Unless it's a "transparent proxy" in sense of sending http forwarded for, covered in the Tor Plus VPN or proxy article.
  14. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO
  15. ...and not just TransPort, which is a security feature: Stream Isolation.
  16. see Dev/Inspiration
  17. Bug #3455: Tor Browser should set SOCKS username for a request based on referer
  18. Such as the Tor, JonDonym or I2P software.
  19. Circuit isolation by SOCKS proxy may be breaking other proxies or non-proxies
  20. Using .anondist-orig, i.e. /usr/bin/wget.anondist-orig will circumvent the wget uwt wrapper.
  21. https://trac.torproject.org/projects/tor/wiki/doc/torsocks#WorkaroundforIPv6leakbug
  22. anonymizing middlebox
  23. by uwt socksifier or proxy settings
  24. local redirection
  25. torproject.org wiki version 129 contains an old example using privoxy, JonDo and httpsdnsd. The new example uses redsocks and is simpler.
  26. https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
  27. You can't simply add another public DNS resolver (e.g. OpenDNS or Google) to /etc/resolv.conf in Whonix-Workstation (i.e. Tor -> public DNS resolver), as it would have no effect, as explained under Whonix-Workstation is firewalled.
  28. Also Secondary DNS Resolver#httpsdnsd by JonDos might work, but you'd need to make some changes (use httpsdnsd as a system wide, Whonix-Workstation wide, DNS resolver, not just for a specific user account).
  29. DNSCrypt and httpsdnsd add the advantage that neither the proxy nor the Tor exit relay can sniff or manipulate your DNS requests, since they are encrypted and authenticated.
  30. Or perhaps also ttdnsd with Google could work.
  31. https://help.riseup.net/en/openvpn-linux
