From Whonix
< Dev
(Redirected from Inspiration)
Jump to navigation Jump to search

Inspiration for developing new Whonix Features.


This page is intended for people interested in developing Whonix, NOT for users. It contains only partial-finished attempts adding new features to Whonix.

Rudimentary Whonix Support for Other Anonymizing Networks[edit]

See Other Anonymizing Networks


Installing I2P on Whonix-Gateway (I2PBOX)[edit]

Development stalled due to lack of interest from Whonix developers and ip2 community. See:

  • Development thread: Support for I2P WAIT for contributors/more mature upstream]
  • http://forum.i2p/viewtopic.php?t=7037 I2P thread ( re)
  • Dev/Anonymity Network#I2P
  • I2P

Anyone feel free it take it.

Guide by i2p:

  • reachable only when using i2p: http://killyourtv.i2p/howtos/whonix/ (down...)
  • i2p to clearnet service ".re", reachable over clearnet and Tor: (down, but see below...)

Currently in development by goldstein:



Not finished yet. UNTESTED! [Dev] "#SupportforVPNsasTorreplacementOPTIONALFEATURE dev thread"

Read first: Tunnels/Examples.

Third party VPN-Gateway

VPN's as a Tor replacement (VPNBOX)[edit]

Small update: there is now VPN-Firewall.

Development stalled. UNTESTED! [Dev] "#SupportforVPNsasTorreplacementOPTIONALFEATURE dev thread"

In this chapter we explain, how you can replace Tor with a VPN. Regarding security see 'Introduction' on this page at the top. It is your responsibility to find a (non-logging, safe) free/paid VPN provider or to stick with Tor.

(1). Test if your host internet connection is working.

(2). Test if your tor internet connection is working.

(3). Store your routing table before starting the VPN and before modifying anything. Type in console:


(4). Start VPN.

sudo openvpn /etc/openvpn/client.conf

(5). Test if your ISP IP gets replaced with the VPN IP.

(6). Store the modified routing table. Type in console:


(7). Delete your default route and set your new default route to the virtual VPN network adapter.

sudo route del default
sudo route add default dev tun0

(8). Test if your VPN IP is still valid.

(9). Store the modified routing table. Type in console:


(10). For testing purposes, kill your OpenVPN connection.

sudo killall openvpn

(11). Test if you can NOT connect to anything anymore. That's the whole point to prevent any leaks in the clear.


  • Testing.
  • Autostart everything.
  • Use up in /etc/network/interfaces.
  • Final step: forwarding traffic from the Workstation to the Gateway.
  • Extra: VPNchains (two or more independent VPN providers in a chain)



Required reading:

Recommended reading:

Proxies in addition to Tor[edit]

See Advantages of Whonix, "It is possible to use Whonix setup in conjunction with VPNs, ssh and other proxies....".

ProxyBOX - a VM or machine running Proxy Software - similar to Whonix-Gateway[edit]

Some development: ProxyBOX

Development stalled. Not finished yet.

[Dev] "#SupportforproxiesasTorreplacementOPTIONALFEATURE dev thread"

It is possible to create another VM (or physically isolated machine) which runs a proxy software or enfofced connections are going through The proxy. Whonix-Gateway / Tor could be combined with local or remote proxies.

  • Whonix-WorkstationProxy-GatewayWhonix-Gateway
  • UserTorProxyInternet

It would also be possible to replace Tor on Whonix-Gateway with any other proxy. Note that anonymity is sufficiently lower with (single hop) proxies.

The technical difficulty is, that most proxies lack a TransPort and DnsPort.

It also depends, what kind of proxy you want to use.

See also Transparent Proxying (Describes Transparent Proxying inside Whonix-Workstation to an extra proxy, i.e. Whonix-Workstation → Tor → Proxy.)

There are two options available. 1. Transparent Proxying Method or 2. The Proxy Settings Method.

Depending on Proxy type[edit]

http proxies are not suited, because we would not be able to connect to https protected websites. The setup for https, socks4(a)/5 proxies should be very similar.

Transparent Proxying Method[edit]

Development stalled. Unfinished.

Issue: Transparent Proxying (like in Whonix thanks to Tor's TransPort) is, due to technical limitations, not fully supported by proxies. Proxies do not offer a feature similar to Tor's DnsPort and also do not act as a DNS resolver. While it is possible to relay TCP and UDP traffic through the proxy on the IP level (using firewalls such as iptables, nftables, ...), the user would still always require known (as in the user knows the IP) DNS resolver. (i.e. public DNS server such as OpenDNS, Google, httpsdnsd)

DNS resolution would look like: Proxy-Workstation → Proxy-Gateway → Proxy → DNS server.

It is technically not possible to let the proxy transparently (!) do the DNS resolution (no tools available) - at least not as far as the author knows after extended research. This is because proxies offer hostname resolution, but not DNS resolution. These are different protocols.

redsocks (and probably also transocks_ev) can translate transparently proxyied TCP traffic to proxy protocols (http, https, socks4(a), socks5). There is however no translation available from transparently proxied DNS traffic to hostname resolution as supported by proxies.

Some applications have support for various proxy protocols. This means developers did teach the application how to communicate with the proxy in order to use hostname resolution. No developer is maintaining functionality to translate transparently proxyied TCP traffic to proxy protocols.

This issue is unspecific to Whonix.

Future: This technical limitation may be lifted if redsocks Feature Request: fake DNS ever gets implemented. At time of writing the last commit to redsocks was 4 years ago with unmerged pull requests. Redsocks being unmaintained makes this feature even less likely.

Impact: Due to the DNS issue, the user cannot completely hide behind the proxy (using it transparently). The user would always have to reveal, that the user is using a public (or private) extra DNS resolver. Of course, the user would also not only have to trust the proxy, but also the extra DNS server, which can see, log and correlate all DNS queries.

For TCP and UDP: Proxy-Workstation → Proxy-Gateway → network layer → redsocks → proxy For DNS: Proxy-Workstation → Proxy-Gateway → network layer → redsocks → proxy → public DNS server


Update: Maybe could help?

Proxy Settings Method[edit]

Development stalled. Not finished.

Design: The Proxy-Workstation is on an isolated internal LAN (similar to Whonix Whonix-Workstation design) and can't connect to the internet directly. (Iptables rules on the Proxy-Gateway forbid that.) All applications installed inside the Proxy-Workstation have to use the correct proxy or a wrapper

For TCP, UDP and DNS: Proxy-Workstation → Proxy-Gateway → proxy


Freenet on the Whonix-Gateway (FreenetBOX)[edit]

Can be also potentially only be used parallel to Tor. It is impossible to tunnel Freenet through Tor (see above). Also replacing Tor with Freenet is impossible, as freenet is a separated network, not designed to exit the network. Apt-get couldn't work.

Not written yet.


RetroShare as Anonymizer[edit]

In fact is not an anonymizing, it is a (F2F) network, or optionally a RetroShare has a very different audience and threat model. RetroShare does not support using an outproxy yet, for this reason, it can not replace Tor on the Whonix-Gateway.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!