
Hide Tor and Whonix from your ISP


Whonix users are most likely Tor power users. They are more paranoid than normal Tor users. And adversaries might ask themselves why. Whonix users most likely host Hidden Services or do other fancy stuff over Tor.

Depending on how restricted your area is and how paranoid you are, you may want to hide from your provider the fact that you are a Whonix and/or Tor user.

Hiding the fact that you are a Tor user is very tricky to achieve. Be very careful. Here are some tips. This is not a step by step tutorial. It is recommended to read this whole page.

When trying to hide Tor usage from your ISP, some may consider it preferable to use either private obfuscated bridges or a VPN/SSH tunnel instead of public obfuscated bridges. This is because public obfuscated bridges have a greater likelihood of being censored, simply because they are by their very nature publicly listed. The best chance to hide Tor from your ISP may be to combine private obfuscated bridges with a VPN/SSH tunnel, connecting to the VPN relay first and then to the private obfuscated bridge. However, solely using a private obfuscated bridge (i.e. no VPN/SSH) would be preferable for those who want to hide that they are using Tor and would not want to "come on the radar" by using a VPN or SSH.

Using private and obfuscated bridges alone doesn't provide strong guarantees of hiding the fact you are using Tor from your ISP. Quoting Jacob Appelbaum:[5][6]

Some pluggable transports may seek to obfuscate traffic or to morph it. However, they do not claim to hide that you are using Tor in all cases but rather in very specific cases. An example threat model includes a DPI device with limited time to make a classification choice - so the hiding is very specific to functionality and generally does not take into account endless data retention with retroactive policing.

Using a VPN or SSH does not provide strong guarantees of hiding the fact you are using Tor from your ISP either.[7] VPNs and SSH tunnels are vulnerable to an attack called website traffic fingerprinting.[8]


  • Consider whether it is acceptable to you that your ISP knows you are a VPN or SSH user.
  • Download Tor through a trusted internet service provider (in your (home) country) or through SSH or VPN (or before entering a hostile environment).
  • Set up the SSH/VPN tunnel or the private obfuscated bridges first. (Depending on what you want to use, read below.)
  • If you are extra paranoid, you should also download the supported platform over Tor.
  • First, think about how to obtain Tor Browser and obfuscated bridges and/or VPN and/or SSH without your ISP noticing it. It is a chicken-and-egg problem. You most likely have to get it from a trusted source. This is not a problem which Whonix could solve; it is a Tor upstream question.
  • Another issue for hiding your Whonix usage is installing and/or downloading Whonix.
  • Download.
    • If you download Whonix from whonix.org, that download will be encrypted; however, your internet service provider (or SSH/VPN provider) can conclude from the traffic transferred that you downloaded Whonix.
      • A workaround could be to download Whonix by using the official torproject.org Tor Browser.
      • In Whonix 7 and above, you no longer have to turn off your network connection while starting Whonix for the first time, [9] thanks to Whonix Setup Wizard - Connection Wizard. Then set up everything to hide your Tor/Whonix usage, either by using an SSH or VPN tunnel or a private obfuscated bridge, which is also covered on this page.
  • Building from Source.
    • You can learn everything about building Whonix, using Tor Browser.
    • If you are building Whonix from source, the build scripts will download a specific set of software packages with apt-get, Tor Browser with curl, update-command-not-found, and your internet service provider could notice that you are building Whonix from source.
    • If you understand the build scripts, you can also build Whonix manually by applying the commands and configuration files yourself.
    • See also Dev/Build Anonymity.

Using a Proxy

Impossible! (The connection between you and your proxy is unencrypted. That goes for all proxies, http, https, socks4, socks4a, socks5.) [10] Your ISP could still see that you are connecting to the Tor network. This is only mentioned because this myth is constantly suggested and asked about when this topic comes up.

Using SSH or VPN

See warnings above first. By default all traffic of Whonix-Gateway is routed through Tor! You need to route all that traffic through SSH/VPN.

Tunnel all Tor related traffic first through a VPN or SSH. See Combining Tunnels with Tor (ignore the proxy related stuff). After reading the introduction, head over to user -> VPN/SSH -> Tor -> internet (link on that introduction page). This will hide the fact that you use Tor from your ISP. If the server is outside a national firewall this is also a way to circumvent Tor censorship.

If you do not trust any SSH or VPN providers, then anonymously host your own in a safe place. You cannot do this in the same location where you want to hide Tor. You need a safe remote place using a different IP from your own.

Using private and obfuscated bridges

See warnings above first. Set up Tor to use private and obfuscated bridges. This makes it harder for ISPs and national firewalls to detect and block Tor, but it does not prevent a dedicated adversary from finding out that you are using Tor (research is ongoing, see obfsproxy).
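
Because a single direct connection to the public Tor network is enough to reveal Tor usage, it is worth checking the bridge configuration before Tor first connects. The following is an added example, not part of Whonix or of the original page: a small audit of a torrc using Tor's `UseBridges`, `Bridge` and `ClientTransportPlugin` options. The sample addresses, the placeholder fingerprint/cert values and the obfs4 transport with its binary path are constructed assumptions.

```python
import re

# IPv4 or bracketed IPv6 "addr:port"; a Bridge line starting with this has no transport.
ADDR = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|\[[0-9A-Fa-f:]+\]):\d+$")

def audit_torrc(text):
    """Return findings; an empty list means every configured entry point
    is a bridge reached through a declared pluggable transport."""
    use_bridges = False
    bridges = []     # (line number, transport name or None for a vanilla bridge)
    plugins = set()  # transport names declared via ClientTransportPlugin
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]  # torrc option names are case-insensitive
        if key == "usebridges" and args:
            use_bridges = args[0] == "1"
        elif key == "bridge" and args:
            bridges.append((no, None if ADDR.match(args[0]) else args[0]))
        elif key == "clienttransportplugin" and args:
            plugins.update(args[0].split(","))   # "obfs2,obfs3 exec ..." declares both
    findings = []
    if not use_bridges:
        findings.append("UseBridges is not 1: Tor will contact public relays directly")
    if not bridges:
        findings.append("no Bridge lines configured")
    for no, transport in bridges:
        if transport is None:
            findings.append(f"line {no}: bridge without a pluggable transport (not obfuscated)")
        elif transport not in plugins:
            findings.append(f"line {no}: no ClientTransportPlugin for '{transport}'")
    return findings

# Constructed sample inputs (documentation-range IPs, placeholder credentials).
GOOD = """UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 192.0.2.10:443 FINGERPRINT_PLACEHOLDER cert=CERT_PLACEHOLDER iat-mode=0
"""
BAD = """# UseBridges 1
Bridge 192.0.2.20:9001
Bridge obfs4 192.0.2.10:443 FINGERPRINT_PLACEHOLDER cert=CERT_PLACEHOLDER iat-mode=0
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_torrc(cfg) or "no findings")
```

A clean result only means the configuration does not fall back to direct or unobfuscated connections; as stated above, it is not a guarantee that Tor usage stays hidden.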

Footnotes / References

  1. Since Whonix 0.2.1, Whonix-Gateway traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
  2. To preserve the anonymity of a user's Whonix-Workstation activities, it is not necessary to torify Whonix-Gateway's own traffic.
  3. For reader interest: If DNS settings on Whonix-Gateway are changed in /etc/resolv.conf, this only affects Whonix-Gateways's own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway use the system's default DNS resolver. All applications installed by default on Whonix-Gateway that issue network traffic (apt-get, whonixcheck, timesync) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation's default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation (via /etc/network/interfaces), which is the Whonix-Gateway. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway's firewall. Whonix-Gateway's /etc/resolv.conf does not affect Whonix-Workstation's DNS requests.
  5. https://mailman.boum.org/pipermail/tails-dev/2013-April/002950.html
  6. http://www.webcitation.org/6G67ltL45
  7. Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Comparison_of_Tor_and_VPN_services
  8. For a reference for website traffic fingerprinting, see VPN/SSH Fingerprinting (w)
  9. In previous versions (up to Whonix 0.5.6), turning off one's network connection while starting Whonix for the first time was still required to prevent connecting to the public Tor network.
  10. Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN Services
