Hide Tor and Whonix ™ use from the ISP

Introduction

In many cases Whonix ™ users are likely to be Tor "power users" who:

  • Have higher security and anonymity goals than normal Tor users; and
  • Often host Onion Services and pair other advanced configurations with Tor.

Various adversaries might ask themselves why individuals are choosing to adopt a hardened platform. Depending on your assessed threat model and location, government policies on Tor might necessitate the hiding of Whonix ™ and/or Tor use from the Internet Service Provider (ISP).

General Advice

Table: General Advice

Category Description
Bridges Only

Using private and obfuscated bridges alone does not provide strong guarantees of hiding Tor use from the ISP. As Jacob Appelbaum has noted: [1] [2]

Some pluggable transports may seek to obfuscate traffic or to morph it. However, they do not claim to hide that you are using Tor in all cases but rather in very specific cases. An example threat model includes a DPI device with limited time to make a classification choice - so the hiding is very specific to functionality and generally does not take into account endless data retention with retroactive policing.

Hide Tor Use

Hiding the fact that you are a Tor user is difficult and you must be very careful. Some tips are below, but it is recommended to read this entire page:

  • Prefer private obfuscated bridges or VPN/SSH tunnels: This configuration is preferred over public obfuscated bridges. The reason is the latter have a greater likelihood of being censored, simply because they are publicly listed.
  • To hide Tor from the ISP it might be safest to combine both private obfuscated bridges and a VPN/SSH, by connecting to the VPN/SSH relay first and then connecting to the private obfuscated bridge.
    • On the other hand, solely using a private obfuscated bridge (i.e. no VPN/SSH) would be preferable for those who want to hide that they are using Tor and do not want to "come on the radar" by utilizing a VPN or SSH.
Hide Whonix ™ Use
  • Hiding the fact that you are using Whonix ™ is relatively easy, because Whonix ™ itself is exclusively generating Tor activity on the network. To find out how easy or difficult it is for an ISP to detect Whonix ™, see the Fingerprint page.
  • If you download Whonix ™ over Tor, using Tor Browser, the fact that you are using Whonix ™ will be hidden. All traffic from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [3] [4] [5] [6]
VPN/SSH Strength

Using a VPN or SSH does not provide a strong guarantee of hiding Tor use from the ISP either. [7] VPNs and SSHs are vulnerable to an attack called website traffic fingerprinting. [8]

Warnings

Table: Hiding Tor / Whonix ™ Considerations

Category Description
Building from Source
  • Building Whonix ™ learning resources can be accessed with Tor Browser.
  • If Whonix ™ is built from source, the build scripts will download a specific set of software packages with apt-get, Tor Browser with curl, update-command-not-found etc. and the ISP might recognize this activity.
  • If you understand the build scripts, Whonix ™ can be built by applying the commands and configuration files manually.
  • See also Dev/Build Anonymity.
Known VPN/SSH User
  • Consider whether the ISP knowing you are a VPN/SSH user is an acceptable risk.
Safe Configuration
  • Set up the SSH/VPN tunnel and/or private obfuscated bridges first -- depending on the desired configuration, read this entire section.
Secure Tor Download
  • Download Tor through a trusted ISP in your (home) country or through SSH/VPN, particularly before entering a hostile environment.
Secure Whonix ™ Download
  • For better security, download the supported platform over Tor.
  • If Whonix ™ is downloaded from whonix.org ("clearnet") then the download is encrypted. However, the ISP (or SSH/VPN provider) can conclude from the traffic volume that a Whonix ™ platform was downloaded.
    • A possible workaround is downloading Whonix ™ with the official Tor Browser.
Secure Whonix ™ Operation
  • From Whonix ™ 7 onwards, it has been unnecessary to turn off the network connection before starting Whonix ™ for the first time, [9] thanks to Whonix ™ Setup Wizard - Connection Wizard and its successor Anon Connection Wizard. Therefore, hiding Tor / Whonix ™ usage relies upon either an SSH/VPN or private obfuscated bridge, as outlined on this page.
Trusted Sources
  • If you think about it, how is it possible to obtain Tor Browser and obfuscated bridges and/or VPN/SSH without the ISP noticing? This is a classic chicken-and-egg problem. The answer is receiving these resources from a trusted source. This problem cannot be solved by Whonix ™ and it is a Tor upstream question.

Methods

Using a Proxy

It is impossible to safely use a proxy! The connection between the user and the proxy is unencrypted and this applies to all proxies: http, https, socks4, socks4a and socks5. [10] This means the ISP can still clearly see that connections are made to the Tor network. This fact is only mentioned here because proxies are constantly (falsely) suggested as a solution whenever this topic comes up in public arenas.

Using SSH or VPN

See the Warnings above first. By default all Whonix-Gateway ™ traffic is routed through Tor, meaning that traffic must first be routed through SSH/VPN. To tunnel all Tor-related traffic this way:

  1. See Combining Tunnels with Tor and ignore the proxy-related material.
  2. Next read:

Either of these configurations will hide Tor use from the ISP. If the server is outside a national firewall, then this is also a way to circumvent Tor censorship.

If zero trust is placed in any SSH or VPN providers, then anonymously host your own in a safe place. However, this cannot be hosted in the same location where you want to hide Tor -- a safe, remote place is required which has a different IP from your own.

Using Private and Obfuscated Bridges

See the Warnings above first. Anon Connection Wizard can configure Tor to use private and obfuscated Bridges. This will make it harder for ISPs and national firewalls to detect and block Tor, but it does not prevent a determined and well-resourced adversary from finding out that you are using Tor; research is ongoing, see obfsproxy.
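A configuration check for the bridge setup described above, as an added example that is not part of the Whonix ™ documentation or Anon Connection Wizard: it parses torrc text and reports settings under which Tor would not actually use an obfuscated bridge. The sample configurations are constructed (documentation-range addresses, placeholder fingerprint and cert), and the `/usr/bin/obfs4proxy` path and the name `audit_torrc` are assumptions.

```python
import re

# IPv4:port or [IPv6]:port, i.e. a Bridge line that names no transport.
ADDR = re.compile(r"^(\[[0-9A-Fa-f:]+\]|\d{1,3}(\.\d{1,3}){3}):\d+$")

def audit_torrc(text):
    """Return a list of findings; an empty list means every check passed."""
    use_bridges, bridges, plugins = "0", [], set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(parts) < 2:
            continue
        key, args = parts[0].lower(), parts[1:]   # option names are case-insensitive
        if key == "usebridges":
            use_bridges = args[0]
        elif key == "bridge":
            if ADDR.match(args[0]):
                bridges.append((None, args[0]))   # vanilla bridge, no transport
            elif len(args) > 1:
                bridges.append((args[0], args[1]))
        elif key == "clienttransportplugin":
            plugins.update(args[0].split(","))    # "obfs3,obfs4 exec ..." form
    findings = []
    if use_bridges != "1":
        findings.append("UseBridges is not 1: configured bridges are not used")
    if not bridges:
        findings.append("no Bridge lines configured")
    for transport, addr in bridges:
        if transport is None:
            findings.append(f"bridge {addr} has no pluggable transport")
        elif transport not in plugins:
            findings.append(f"no ClientTransportPlugin for {transport} ({addr})")
    return findings

# Constructed samples: documentation-range addresses, placeholder fingerprint/cert.
FP = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = f"""UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 192.0.2.10:443 {FP} cert=PLACEHOLDER iat-mode=0
"""
BAD = f"""# UseBridges 1
Bridge 198.51.100.7:9001 {FP}
Bridge obfs4 192.0.2.10:443 {FP} cert=PLACEHOLDER iat-mode=0
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_torrc(cfg) or "ok")
```

Passing these checks only confirms that Tor is configured to use obfuscated bridges; as stated above, that does not prevent a determined and well-resourced adversary from finding out that Tor is in use.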

Footnotes

  1. https://mailman.boum.org/pipermail/tails-dev/2013-April/002950.html
  2. http://www.webcitation.org/6G67ltL45
  3. Since Whonix 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
  4. To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
  5. For reader interest: If DNS settings on Whonix-Gateway ™ are changed in /etc/resolv.conf, this only affects Whonix-Gateway ™'s own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt-get, whonixcheck, timesync) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
  6. Whonix-Workstation ™ default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation ™ (via /etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway ™ firewall. Whonix-Gateway ™ /etc/resolv.conf does not affect Whonix-Workstation ™ DNS requests.
  7. Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN Services: Comparison of Tor and VPN services
  8. For a reference for website traffic fingerprinting, see VPN/SSH Fingerprinting (w).
  9. In previous versions (up to Whonix ™ v0.5.6) this was necessary to prevent connections to the public Tor network.
  10. Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN Services


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
