Hide Tor and Whonix ™ use from the ISP
In many cases Whonix ™ users are likely to be Tor "power users" who:
- Have higher security and anonymity goals than normal Tor users; and
- Often host Onion Services and pair other advanced configurations with Tor.
Various adversaries might ask themselves why individuals are choosing to adopt a hardened platform. Depending on your assessed threat model and location, government policies on Tor might necessitate the hiding of Whonix ™ and/or Tor use from the Internet Service Provider (ISP).
Table: General Advice

| Topic | Advice |
|---|---|
| Bridges Only | Using private and obfuscated bridges alone does not provide strong guarantees of hiding Tor use from the ISP. As Jacob Appelbaum has noted: |
| Hide Tor Use | Hiding the fact that you are a Tor user is difficult and you must be very careful. Some tips are below, but it is recommended to read this entire page: |
| Hide Whonix ™ Use | |
| VPN/SSH Strength | Using a VPN or SSH does not provide a strong guarantee of hiding Tor use from the ISP either. VPN and SSH tunnels are vulnerable to an attack called . |
Table: Hiding Tor / Whonix ™ Considerations

| Topic | Consideration |
|---|---|
| Building from Source | |
| Known VPN/SSH User | Consider whether the ISP knowing you are a VPN/SSH user is an acceptable risk. |
| Safe Configuration | Set up the SSH/VPN tunnel and/or private obfuscated bridges first; depending on the desired configuration, read this entire section. |
| Secure Tor Download | Download Tor through a trusted ISP in your (home) country or through SSH/VPN, particularly before entering a hostile environment. |
| Secure Whonix ™ Download | |
| Secure Whonix ™ Operation | From Whonix ™ 7 onwards, it has been unnecessary to turn off the network connection before starting Whonix ™ for the first time, thanks to Whonix ™ Setup Wizard - Connection Wizard and its successor Anon Connection Wizard. Therefore, hiding Tor / Whonix ™ usage relies upon either an SSH/VPN tunnel or a private obfuscated bridge, as outlined on this page. |
| Trusted Sources | If you think about it, how is it possible to obtain Tor Browser and obfuscated bridges and/or VPN/SSH without the ISP noticing? This is a classic chicken-and-egg problem. The answer is receiving these resources from a trusted source. This problem cannot be solved by Whonix ™; it is a Tor upstream question. |
Using a Proxy
It is impossible to safely use a proxy! The connection between the user and the proxy is unencrypted, and this applies to all proxy types: http, https, socks4, socks4a and socks5. This means the ISP can still clearly see that connections are made to the Tor network. This fact is only mentioned here because proxies are constantly (and falsely) suggested as a solution whenever this topic comes up in public arenas.
Using SSH or VPN
See the Warnings above first. By default all Whonix-Gateway ™ traffic is routed through Tor, so to hide Tor use the Tor traffic itself must first be routed through SSH/VPN. To tunnel all Tor-related traffic this way:
- See Combining Tunnels with Tor and ignore the proxy-related material.
- Next read:
Either of these configurations will hide Tor use from the ISP. If the server is outside a national firewall, then this is also a way to circumvent Tor censorship.
If zero trust is placed in any SSH or VPN provider, then anonymously host your own in a safe place. However, this cannot be hosted in the same location where you want to hide Tor; a safe, remote place is required which has a different IP address from your own.
Using Private and Obfuscated Bridges
See the Warnings above first. Anon Connection Wizard can configure Tor to use private and obfuscated bridges. This makes it harder for ISPs and national firewalls to detect and block Tor, but it does not prevent a determined and well-resourced adversary from finding out that you are using Tor; research is ongoing, see obfsproxy.
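For reference, this is what the wizard's bridge configuration amounts to in plain torrc syntax. This is an added example, not a file shipped by Whonix ™ or written by the wizard; the bridge address, fingerprint and cert value are placeholders that must be replaced with the ones obtained from a trusted source, and the obfs4proxy path is assumed to be the Debian package default.

```text
# Added example: torrc fragment for a private obfs4 bridge.
# Values in ANGLE BRACKETS are placeholders, not real bridge data.

# Tell Tor to reach the network only through the bridges listed below,
# never through the public (and easily fingerprinted) guard relays.
UseBridges 1

# Pluggable transport binary for obfs4 (Debian package path assumed).
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# One private bridge line, as handed out by the bridge operator.
# iat-mode=0 is the common default; the operator's line says what to use.
Bridge obfs4 <BRIDGE_IP>:<BRIDGE_PORT> <BRIDGE_FINGERPRINT> cert=<BRIDGE_CERT> iat-mode=0

# Caveat from the text above: the ISP still sees an encrypted stream to
# <BRIDGE_IP>; obfs4 hides the Tor protocol, not the existence of the connection.
```

A private bridge only helps as long as its address stays out of public lists, which is why the page stresses obtaining it from a trusted source rather than over the same ISP link.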
- Since Whonix 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
- To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
- For reader interest: If DNS settings on Whonix-Gateway ™ are changed (see Stream Isolation), this only affects Whonix-Gateway ™'s own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt-get, whonixcheck, timesync) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see
- Whonix-Workstation ™ default applications are configured to use separate Tor SocksPorts (see Stream Isolation), and therefore do not use the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example - will use the default DNS server configured in Whonix-Workstation ™ (via ), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by the Whonix-Gateway ™ firewall. Whonix-Gateway ™ DNS settings do not affect Whonix-Workstation ™ DNS requests.
- For a reference on VPN/SSH fingerprinting, see
- In previous versions (up to Whonix ™ v0.5.6) this was necessary to prevent connections to the public Tor network.
- Comparison of Tor with CGI Proxies, Proxy Chains, and VPN Services
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)