
Hide Tor and Whonix from your ISP

Introduction

Whonix users are most likely Tor power users. They are more paranoid than normal Tor users. And adversaries might ask themselves why. Whonix users most likely host Hidden Services or do other fancy stuff over Tor.

Depending on how restricted your area is and how paranoid you are, you may want to hide from your provider the fact that you are a Whonix and/or Tor user.

Hiding the fact that you are a Tor user is very tricky to achieve. Be very careful. Here are some tips. This isn't a step-by-step tutorial. It's recommended to read this whole page.

When trying to hide Tor use from your ISP, some may consider it preferable to use either private obfuscated bridges or a VPN/SSH tunnel instead of public obfuscated bridges. This is because public obfuscated bridges have a greater likelihood of being censored, simply because they are by their very nature publicly listed. The best chance to hide Tor from your ISP may be to combine private obfuscated bridges with a VPN/SSH tunnel, connecting to the VPN relay first and then to the private obfuscated bridge. However, using only a private obfuscated bridge (i.e. no VPN/SSH) would be preferable for those who want to hide that they are using Tor and would not want to "come on the radar" by using a VPN or SSH.

Using private and obfuscated bridges alone doesn't provide strong guarantees of hiding from your ISP the fact that you are using Tor. Quoting Jacob Appelbaum[5][6]:

Some pluggable transports may seek to obfuscate traffic or to morph it. However, they do not claim to hide that you are using Tor in all cases but rather in very specific cases. An example threat model includes a DPI device with limited time to make a classification choice - so the hiding is very specific to functionality and generally does not take into account endless data retention with retroactive policing.

Using a VPN or SSH does not provide strong guarantees of hiding from your ISP the fact that you are using Tor either.[7] VPNs and SSH tunnels are vulnerable to an attack called website traffic fingerprinting.[8]

Warnings

  • Consider whether it is acceptable to you that your ISP knows you are a VPN or SSH user.
  • Download Tor through a trusted internet service provider (in your (home) country) or through SSH or VPN (or before entering a hostile environment).
  • Set up the SSH/VPN tunnel or the private obfuscated bridges first. (Depending on what you want to use, read below.)
  • If you are extra paranoid, you should also download the supported platform over Tor.
  • First, think about how you can obtain the Tor Browser Bundle and obfuscated bridges and/or VPN and/or SSH without your ISP noticing it. It's a chicken-and-egg problem. You most likely have to get it from a trusted source. This isn't a problem which Whonix could solve; it's a Tor upstream question.
  • Another issue for hiding your Whonix usage is installing and/or downloading Whonix.
  • Download.
    • If you download Whonix from whonix.org, that download will be encrypted; however, your internet service provider (or SSH/VPN provider) can conclude from the traffic transferred that you downloaded Whonix.
      • A workaround could be to download Whonix by using the official torproject.org Tor Browser Bundle.
      • Since Whonix 7 and above, you no longer have to turn off your network connection while starting Whonix for the first time, [9] thanks to Whonix Setup Wizard - Connection Wizard. Then set up everything to hide your Tor/Whonix usage, either by using an SSH or VPN tunnel or a private obfuscated bridge, which is also covered on this page.
  • Building from Source.
    • You can learn everything about building Whonix, using the Tor Browser Bundle.
    • If you are building Whonix from source, the build scripts will download a specific set of software packages with apt-get, Tor Browser with curl, update-command-not-found, and your internet service provider could notice that you are building Whonix from source.
    • If you understand the build scripts, you can also manually build Whonix by applying the commands and configuration files manually.
    • See also Dev/Build Anonymity.

Using a Proxy

Impossible! (The connection between you and your proxy is unencrypted. That goes for all proxies: http, https, socks4, socks4a, socks5.) [10] Your ISP could still see that you are connecting to the Tor network. This is only mentioned because that myth is constantly suggested and asked about when this topic comes up.

Using SSH or VPN

See warnings above first. By default all traffic of Whonix-Gateway is routed through Tor! You need to route all that traffic through SSH/VPN.

Tunnel all Tor-related traffic first through a VPN or SSH. See Combining Tunnels with Tor (ignore the proxy-related stuff). After reading the introduction, head over to user -> VPN/SSH -> Tor -> internet (link on that introduction page). This will hide the fact that you use Tor from your ISP. If the server is outside a national firewall, this is also a way to circumvent Tor censorship.

If you do not trust any SSH or VPN providers, then anonymously host your own in a safe place. You cannot do this in the same location where you want to hide Tor. You need a safe remote place using a different IP from your own.

Using private and obfuscated bridges

See warnings above first. Set up Tor to use private and obfuscated bridges. This makes it harder for ISPs and national firewalls to detect and block Tor, but it does not prevent a dedicated adversary from finding out that you are using Tor (research is ongoing, see obfsproxy).
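
A check for the bridge setup described above, as an added example that is not part of the original wiki page or of Whonix's own code: it parses a torrc and reports when bridges are disabled, when a bridge has no pluggable transport (so it is not obfuscated), or when a transport has no plugin configured. The function name `audit_torrc` and the sample configuration are constructed; `UseBridges`, `Bridge` and `ClientTransportPlugin` are Tor's own option names.

```python
import re

# Constructed sample torrc: RFC 5737 documentation addresses, dummy fingerprint.
SAMPLE_TORRC = """\
# constructed example
UseBridges 1
ClientTransportPlugin obfs3 exec /usr/bin/obfsproxy managed
Bridge obfs3 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567
Bridge 192.0.2.20:9001
"""

# A Bridge line is "Bridge [transport] IP:ORPort [fingerprint]"; if the first
# argument is already an address, no pluggable transport is in use.
ADDR = re.compile(r"^(\[[0-9A-Fa-f:]+\]|\d{1,3}(\.\d{1,3}){3}):\d+$")

def audit_torrc(text):
    """Return a list of findings; empty means every bridge is obfuscated."""
    use_bridges = False
    plugins = set()
    bridges = []  # (line number, transport name or None)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]  # option names are case-insensitive
        if key == "usebridges" and args:
            use_bridges = args[0] == "1"  # last occurrence wins
        elif key == "clienttransportplugin" and args:
            plugins.update(args[0].split(","))
        elif key == "bridge" and args:
            bridges.append((n, None if ADDR.match(args[0]) else args[0]))
    findings = []
    if not use_bridges:
        findings.append("UseBridges is not 1: Tor connects to public relays directly")
    if not bridges:
        findings.append("no Bridge lines configured")
    for n, transport in bridges:
        if transport is None:
            findings.append(f"line {n}: bridge has no pluggable transport (unobfuscated Tor protocol)")
        elif transport not in plugins:
            findings.append(f"line {n}: no ClientTransportPlugin for '{transport}'")
    return findings

if __name__ == "__main__":
    for finding in audit_torrc(SAMPLE_TORRC):
        print(finding)
```

An empty result only confirms the configuration; as stated above, obfuscated bridges do not guarantee that Tor use stays hidden from a dedicated adversary.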

Footnotes / References

  1. Since Whonix 0.2.1, the Whonix-Gateway traffic is also routed over Tor. This prevents telling the world that the user is a Whonix user.
  2. To preserve anonymity of activities the user is doing inside Whonix-Workstation, it would not be required to torify Whonix-Gateway's own traffic.
  3. For your interest: if you were to change DNS settings on Whonix-Gateway in /etc/resolv.conf, this would only affect Whonix-Gateway's own DNS requests issued by applications using the system's default DNS resolver. Actually, by default, no applications issuing network traffic on Whonix-Gateway use the system's default DNS resolver. All applications installed by default on Whonix-Gateway issuing network traffic (apt-get, whonixcheck, timesync) are explicitly configured (or forced by uwt wrappers) to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation's default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thus not using the system's default DNS resolver. Any applications on Whonix-Workstation not configured for stream isolation (for example nslookup) will use the default DNS server configured in Whonix-Workstation in /etc/network/interfaces, which is Whonix-Gateway. Those DNS requests will be redirected to Tor's DnsPort by Whonix-Gateway's firewall. (Therefore Whonix-Gateway's /etc/resolv.conf does not affect Whonix-Workstation's DNS requests.)
  5. https://mailman.boum.org/pipermail/tails-dev/2013-April/002950.html
  6. http://www.webcitation.org/6G67ltL45
  7. Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Comparison_of_Tor_and_VPN_services
  8. For a reference for website traffic fingerprinting, see VPN/SSH Fingerprinting (w)
  9. In previous versions (up to Whonix 0.5.6), turning off one's network connection while starting Whonix for the first time was still required to prevent connecting to the public Tor network.
  10. Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN Services
