Host a Bridge or Tor Relay

From Whonix
Jump to navigation Jump to search

Hosting a bridge, private bridge, or obfuscated bridge in Whonix. Hosting a middle or exit Tor relay in Whonix.


When using Whonix, it is still possible to volunteer to Tor by hosting a bridge, private bridge, obfuscated bridge, private obfuscated bridge, middle node or exit relay. This configuration is set up either inside Whonix-Gateway or directly on the host.


Info This configuration is recommended for advanced users.

Anonymity might or might be improved by hosting a Tor relay and/or bridge and using it to mix personal client Tor traffic. The reason is adversaries observing traffic will need to perform classification of both traffic generated by the Tor relay or bridge and your personal client traffic. To learn more about this topic, refer to posts by The Tor Project (developers of the Tor software). [1]

Quote The Tor Project New low cost traffic analysis attacks and

In terms of mitigating the use of these vectors in attacks against Tor, here's our recommendations for various groups in our community:

Users: Do multiple things at once with your Tor client

Because Tor uses encrypted TLS connections to carry multiple circuits, an adversary that externally observes Tor client traffic to a Tor Guard node will have a significantly harder time performing classification if that Tor client is doing multiple things at the same time. This was studied in section 6.3 of this by Tao Wang and Ian Goldberg. A similar argument can be made for mixing your client traffic with your own Tor Relay or Tor Bridge that you run, but that is very tricky to do for it to actually help.


Outside Whonix-Gateway[edit]

This procedure is currently Undocumented. Help is most welcome to complete this section.

Inside Whonix-Gateway[edit]


This procedure has not been tested for a significant period; please contact Whonix developers if you are interested in this configuration.

This configuration is non-trivial for reasons outside of Whonix control and is mostly unspecific to the platform. An open port is required to allow unsolicited incoming connections; see Ports for an explanation.

Prerequisite Knowledge[edit]

Before attempting this setup, various learning exercises are recommended beforehand.

  1. Set up a web server reachable on PC. For example: Internethome routerPCweb server
  2. Set up a web server reachable in VM. For example: Internethome routerPCDebian (not Whonix) VMweb server

After succeeding with the above configurations, then try the same with Tor in Whonix.


Perform these steps in Whonix-Gateway (sys-whonix).

1. Follow all the usual instructions on the website inside Whonix-Gateway; the fact that Tor is being run inside a virtual machine does not change the procedure.

2. Set up a port forwarding from the host to the virtual machine.

Navigate to Whonix-GatewaySettingsNetwork InterfacePort Forwarding

3. Inspect /etc/whonix_firewall/

4. Read the introductory comment about flexible modular configuration files.

5. Read the comment about Tor Relay Settings.

6. Close the file.

7. Modify Whonix-Gateway User Firewall Settings.

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.
In Whonix-Gateway App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q")Whonix-Gateway App Qube (commonly called sys-whonix)Whonix User Firewall Settings

If using a graphical Whonix-Gateway, complete these steps.

Start MenuApplicationsSettingsUser Firewall Settings

If using a terminal-only Whonix-Gateway, complete these steps.

In Whonix-Gateway, open the whonix_firewall configuration file in an editor.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.

Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q")Template: whonix-gateway-17Whonix Global Firewall Settings

If using a graphical Whonix-Gateway, complete these steps.

Start MenuApplicationsSettingsGlobal Firewall Settings

If using a terminal-only Whonix-Gateway, complete these steps.

In Whonix-Gateway, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf

8. Paste the following content and make adjustments if necessary.

## Allow incoming DIRPORT connections for an optional Tor relay. GATEWAY_ALLOW_INCOMING_DIR_PORT=1 ## Allow incoming ORPORT connections for an optional Tor relay. GATEWAY_ALLOW_INCOMING_OR_PORT=1 ## DIRPORT incoming port. DIR_PORT=80 ## ORPORT incoming port. OR_PORT=443

9. Reload Whonix-Gateway Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ProxyVM (commonly named sys-whonix)Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps.

Start MenuApplicationsSystemReload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run. sudo whonix_firewall

10. The procedure is complete.

Easy Option: Snowflake Pluggable Transport[edit]

It was previously possible to install the Flashproxy bridge add-on in Chrome, Chromium and Firefox to help censored users access Tor. Essentially this performed as a miniature proxy that ran in the web browser, checked for clients needing access, and conveyed data between them and a Tor relay. [2] However, after being operational between 2013 and 2016, Flashproxy was deprecated in 2017.

The modern alternative to Flashproxy is Snowflake: [3] [4]

Snowflake is an improvement upon Flashproxy. It sends your traffic through WebRTC, a peer-to-peer protocol with built-in NAT punching.

This system is composed of three components: volunteers running Snowflake proxies, Tor users that want to connect to the internet, and a broker, that delivers snowflake proxies to users. ... Volunteers willing to help users on censored networks can help by spinning short-lived proxies on their regular browsers. ... Snowflake uses the highly effective domain technique to make a connection to one of the thousands of snowflake proxies run by volunteers. These proxies are lightweight, ephemeral, and easy to run, allowing us to scale Snowflake more easily than previous techniques.

To assist censored users, the Snowflake pluggable transport can be installed in Tor Browser / Firefox or Chrome. Note that websites that are browsed by censored users will match their Tor exit node, not yours:

To learn more about Snowflake, see (v3onion). Note that it is also possible to run a standalone Snowflake (v3onion) on a server, but this configuration has not yet been attempted in Whonix.


We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!