Combining Whonix ™ with JonDonym

From Whonix


JonDonym Software[edit]

Figure: Java Anon Proxy (JonDonym) Client Software in Whonix ™


Figure: JonDonym Client Software Settings


Analysis by an Advanced Adversary[edit]

Intelligence disclosures in recent years have revealed the assessment of JonDonym by government agencies. [1]

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

(S//REL) Championed by German University (Dresden)

(S//REL) (Mostly?) Open source software - some Docs in German

(S//REL) Uses a technology known as Cascades

  • (S//REL) Each cascade is set of 2 or 3 Mixes
  • (S//REL) All internal traffic encrypted
  • (S//REL) Free service AN.ON: 5 Cascades
  • (S//REL) Premium service JonDoNym: 10 Cascades

(S//REL) Countries: BG, CA, CH, CZ, DE, DK, FR, GB, IT, LU, US

(S//REL) Less than 50 mixes total

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

(S//REL) Comparison with Tor

  • (S//REL) Not nearly as well studied
      • (S//REL) Much smaller contained development community
  • (S//REL) More centralized structure (all mixes centrally approved)
  • (S//REL) Not as diverse geographically or scalable
      • (S//REL) Not as well used or publicized

(S//REL) Not analyzed in great detail here at NSA (or FVEY?)

(TS//SI//REL) Much better chance for Global Adversary (SIGINT :-))

  • (TS//SI//REL) Sessionization of DNI still would be a problem

Technical Overview[edit]

This JonDonym overview is the opinion of lead Whonix ™ developer Patrick Schleizer.

JonDonym is an alternative anonymity network, which this introduction compares with Tor. Tunneling JonDonym over Tor inside Whonix-Workstation ™ is easy and is covered in the next chapter. In theory, Tor on Whonix-Gateway ™ could even be replaced with JonDo.

The JonDonym network[2] is much smaller than the Tor network. At the time of writing (February 2012 [archive]; a snapshot taken on a random weekday at a random time), there were 5 two-hop free mix cascades, 11 three-hop premium mix cascades and 1 test/experimental free one-hop service.

The two-hop free mix cascades had 1940 users with a maximum advertised capacity of 2750 users. 1367 users were using the test/experimental free one-hop service, which did not advertise a maximum user capacity. Each of the 11 three-hop premium mix cascades had between 16 and 63 users, with no maximum user restriction advertised. There were 350 premium users in total.

In comparison, according to the Tor metrics page, on that day [archive] the Tor network had ~3000 relays (~1000 had the guard flag and ~900 had the entry guard flag, i.e. were usable in that position). ~500,000 users were using the Tor network on that day [archive].

The path (circuit) a Tor client chooses is unpredictable and changes every 10 minutes. In JonDonym, by comparison, a user who has chosen, for example, the Speedy-Sektor free two-hop mix cascade has a predictable entry and exit until the cascade is changed manually. This holds for all mix cascades: whoever knows the entry or the exit knows the whole path the client takes through the network.

The Tor network is run by volunteers from many different countries. There is no formal process to apply as a Tor node operator and no identity verification of node admins: anyone can download the Tor software and volunteer a node. Consequently, there are both legitimate and malicious nodes.

JonDonym mix servers, by comparison, are operated by independent, unrelated organizations or private individuals who all publish their identity[3]. The operators have to abide by strict provisions which prohibit saving connection data or exchanging such data with other operators.

While private data such as usernames and passwords have already been sniffed by Tor exit relays on unencrypted or SSL-stripped connections, there have been no such headlines about JonDonym. Tor clearly states that unencrypted connections can be sniffed by Tor exit relays (Exit Nodes Eavesdropping). Trusting JonDonym is more a matter of trusting the operators' policy and server administration skills. Neither the mix server administration nor the JonDo software can prevent a man-in-the-middle attack between the mix server and the destination server.

JonDonym might be faster than Tor.

Quoted from the JonDonym Law enforcement page [4]:

JonDonym does not make it impossible to uncover individual users, as there is no such thing as a 100% security. However, such a disclosure is by magnitudes more difficult than for other VPN or proxy services, as this would require the cooperation of several states and organizations.

JonDonym is no technology for preventing law enforcement on the internet. In very serious cases, it is possible to uncover the abuse of Mix services. User connections may be individually observed, if all operators of a Mix cascade get such an official order, valid in their respective country (in Germany according to §100a/b StPO).

A respective legal obligation may moreover force some Mix operators to retain certain connection data. In contrast to surveillance (where this is often not allowed), the operator has to make this transparent to the users of his JonDonym Mixes via JonDo. Usually, such a data retention does neither comprise target addresses (websites) nor contents, but IP addresses of users only. At the moment no JonDonym mix operator retains connection data.

However, the independence of JonDonym operators vastly lowers the danger of an illegitimate law enforcement done by non-democratic states or arbitrary individual public officers. Any disclosure basically needs the cooperation of all operators of a Mix cascade. This was never realized for premium mix cascades in the past.

Surveillance reports

Each year, we will publish a short report of all surveillance actions that were taken and have been reported to us by the operators.

In 2012 there has been one surveillance court order to all German mix operators and JonDos GmbH. It concerned one JonDonym account number which was known to the law enforcement agency before start of surveillance. No premium cascade and no free cascade was able to provide the requested communication data because not all operators of any cascade got a court order.


If single mix operators inform JonDos GmbH about a surveillance court order then that does not mean JonDonym as a whole has been under surveillance or JonDos GmbH was involved. Rather, single operators had to comply with these orders.

In summary, there were surveillance court orders over the last four years, but until now no JonDonym user has ever been de-anonymized. The Tor network also suffers from legal attacks: there have been some raids on Tor exit servers, which also did not and could not lead to de-anonymization. Neither network, when used correctly (i.e. without de-anonymizing oneself by posting private information, without ever connecting once outside the anonymity network, without proxy bypass, without malware, following the documentation, and so on), has ever made news headlines for a network compromise.

The JonDo developers, although they are selling a product, seem to be honest about their network. They are also generally friendly (Whonix ™ is allowed to re-use their documentation content, with or without modification, under an Open Source license to improve the Whonix ™ documentation) and constructively participate in the Tor bug tracker. It will be interesting to see whether and how they respond on the thread "some false values and confuses TBB users [archive]" (w [archive]).

JonDonym receives much less attention from security researchers than Tor.

In some respects JonDonym is more secure than Tor, in others less; it depends on your threat model. Reading the network comparison [archive] and law enforcement [archive] pages yourself may be worthwhile.

Tunneling JonDonym over Tor makes sense in some cases. I would not do it for a long period of time, as it adds a permanent exit server. (See Tor plus VPN or proxy [archive] for background.)

Conclusion: if you want to download something that you cannot download over SSL (and for which there are no hash sums or signatures either), the JonDo exit might, in your threat model, be more trustworthy than a random Tor exit. However, you could also use a specific Tor exit run by someone you trust.


According to JonDo, it is safe to tunnel JonDonym over Tor: User → Tor → JonDonym → Internet.

Quoted from the JonDonym network comparison page[5]:

[...] making surfing considerably slower but, in some individual cases, even more secure than with JonDonym alone.

According to the JonDonym page, chapter Access to the Tor network with JonDo[6], JonDo natively supports being tunneled over Tor. This also implies that the JonDo developers do not argue that tunneling JonDo through Tor is any less safe. That option helps JonDo users to tunnel through Tor: User → Tor → JonDonym → Internet. You will not need this option in Whonix ™, since all traffic originating from Whonix-Workstation ™ is tunneled through Tor first in any case. Enabling that JonDo option inside Whonix-Workstation ™ is discouraged, since it would result in Tor over Tor.

Connecting to Tor before JonDonym[edit]


It is possible to run JonDonym inside Whonix-Workstation ™: User → Tor → JonDonym → Internet

If this tunnel configuration is desired, it is recommended to first read the following two related wiki articles:

You can tunnel JonDonym over Tor. This could be useful to circumvent Tor bans. But note Tor Plus VPN or Proxy [archive] (it adds a permanent exit relay, as explained in that article). Not many changes are required. Either download [archive] and install it as usual; you need 'JonDo – the IP changer', either the GUI or the console version.

Or you could try to install from their GNU/Linux repository. They have their own documentation page about the JonDo repository [archive]. Whonix ™ is based on Debian Wheezy; the only difference when following their repository instructions is that your distribution is wheezy, not maverick.

For better security, it is recommended to download their signing key over https with your browser, i.e. where it says "The repository is signed with the OpenPGP key 0xF1305880", right-click on 0xF1305880 and save it. Save it in your home folder and import it with "gpg --import 0xF1305880". Downloading the key from a keyserver with apt-key would be less secure.[7]

JonDo IP Changer Proxy Tool Installation[edit]

Info Note:

  • Non-Qubes-Whonix only. Qubes-Whonix steps will be added soon.
  • If packages are installed by hand, it is not possible to update the software automatically. You will receive a notice later on if new software versions are ready for download. In this case, the new deb package must be downloaded and installed again manually.
  • Perform the following steps in Whonix-Workstation ™ terminal. It is recommended to clone the Whonix-Workstation ™ beforehand, as numerous dependencies are installed during this procedure.

1. Download the signing key. [8]


Note: All PGP signature files were created with the OpenPGP key 0x2B3CAA3E.

2. Display the fingerprint without importing anything.

gpg --keyid-format long --import --import-options show-only --with-fingerprint Software_JonDos_GmbH.asc

3. Verify the output.

The output should be identical to the following.

pub   rsa4096/2146D0CD2B3CAA3E 2014-10-20 [SC] [expires: 2024-10-17]
      Key fingerprint = 6899 5C53 D2CE E11B 0E41  82F6 2146 D0CD 2B3C AA3E
uid   JonDos GmbH (Software Signing Key) <>
sub   rsa4096/435B56FDF9115DBF 2014-10-20 [E] [expires: 2024-10-17]

4. Import the key.

gpg --import Software_JonDos_GmbH.asc

The output should confirm the key was imported.

gpg: key 0x2146D0CD2B3CAA3E: public key "JonDos GmbH (Software Signing Key) <>" imported
gpg: Total number processed: 1
gpg:               imported: 1

5. Download the JonDo Debian package (jondo_all.deb). [9]


6. Download the package signature (jondo_all.deb.asc). [10]


7. Verify the JonDo Debian package.

gpg --verify jondo_all.deb.asc

The output should show.

gpg: Signature made Mon 06 Feb 2017 10:14:57 AM UTC
gpg:                using RSA key 0x2146D0CD2B3CAA3E
gpg: Good signature from "JonDos GmbH (Software Signing Key) <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6899 5C53 D2CE E11B 0E41  82F6 2146 D0CD 2B3C AA3E

8. Install the JonDo deb package.

sudo dpkg -i jondo_all.deb

9. Install all unmet dependencies.

sudo apt-get -f install
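The steps above compare the fingerprint by eye and then treat any "Good signature" line as success. The following shell functions are an added example, not taken from the Whonix or JonDos documentation: they pin the full 40-digit fingerprint shown in step 3 and accept the package only when gpg's machine-readable status output (--status-fd) reports a VALIDSIG from exactly that key. A short key ID or the human-readable "Good signature" line alone does not guarantee this, since gpg prints it for any key in your keyring. The file names are the ones used in steps 1, 5 and 6; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Whonix or JonDos documentation): pin the JonDos
# signing key by its full fingerprint and accept jondo_all.deb only when gpg
# reports a VALIDSIG made by exactly that key. Function names are my own.

# Fingerprint from step 3 above, without spaces (40 hex digits).
PINNED_FPR="68995C53D2CEE11B0E4182F62146D0CD2B3CAA3E"

# Normalise a fingerprint for comparison: drop blanks, upper-case, strip "0x".
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F' | sed 's/^0X//'
}

# Read gpg's machine-readable listing (--with-colons) on stdin and print the
# fingerprint of each primary key: the "fpr" record that follows a "pub"
# record, field 10. Subkey fingerprints (the "fpr" after "sub") are skipped.
primary_fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Return 0 only if the listing holds exactly one primary key and it is the
# pinned one. A short key ID such as 0x2B3CAA3E never satisfies this check.
fprs_match_pin() {    # $1 = newline-separated fingerprints
    [ "$(printf '%s\n' "$1" | grep -c .)" -eq 1 ] || return 1
    [ "$(norm_fpr "$1")" = "$PINNED_FPR" ]
}

# Inspect a downloaded key file without importing anything (same gpg
# invocation as step 2, in colon format) and compare it against the pin.
key_matches_pin() {   # $1 = path to the .asc key file
    fprs_match_pin "$(gpg --import --import-options show-only \
                          --with-colons --with-fingerprint "$1" 2>/dev/null \
                      | primary_fprs_from_colons)"
}

# Read gpg status lines (--status-fd 1) on stdin and print the primary-key
# fingerprint behind a VALIDSIG, if any. Field 3 is the fingerprint of the
# (sub)key that signed, field 12 that of its primary key; the JonDos key
# signs with its primary key, so both are equal here.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print ($12 != "" ? $12 : $3) }'
}

# Return 0 only when gpg verifies the signature AND the signing key is the
# pinned one. "gpg --verify" alone exits 0 for a good signature by any key
# in the keyring, which is what the "[unknown]" trust warning in step 7
# is hinting at.
deb_signed_by_pinned_key() {   # $1 = detached signature (.asc), $2 = file
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$status" | validsig_primary_fpr)" = "$PINNED_FPR" ]
}

# Usage in Whonix-Workstation, after downloading the three files from steps
# 1, 5 and 6 (source this file, then):
#   key_matches_pin Software_JonDos_GmbH.asc && gpg --import Software_JonDos_GmbH.asc
#   deb_signed_by_pinned_key jondo_all.deb.asc jondo_all.deb && sudo dpkg -i jondo_all.deb
```

The two awk filters are the whole point: gpg's `--with-colons` and `--status-fd` formats are stable and meant for scripts, whereas the human-readable output in steps 3 and 7 changes between versions and locales. On a current gpg, `gpg --show-keys --with-colons` is equivalent to the `--import --import-options show-only` form used here.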

Launch JonDonym[edit]

After installation a placeholder for JonDonym should appear in the application menu. If it does not appear, it can simply be launched from the terminal.


Free vs Premium Accounts[edit]

Free accounts can connect only to ports 80 and 443 and provide only an https proxy interface, no SOCKS. [11] Premium accounts can connect to any port and support SOCKS. Full comparison: [archive]

JonDo Https Proxy Test[edit]

This also works with JonDo free accounts.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --proxytunnel --proxy

JonDo Socks Proxy Test[edit]

This requires JonDo premium, a paid account.

Try this test command.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --socks5-hostname socks5h://

If you see the following, the local JonDo has not opened a listener. Probably you have not started JonDo yet, or you have configured it to use a non-default port.

curl: (7) couldn't connect to host

If you see the following, you are likely using a free account, so SOCKS is not available to you.

curl: (7) Unable to receive initial SOCKS5 response.

JonDoFox vs Tor Browser[edit]

You must make an informed decision whether you prefer JonDoFox or the Tor Browser.

A quick thought tells me that blending in with JonDo users, i.e. using JonDoFox in this case, would make more sense; I could be wrong. No special settings would be required in this case.

If you want to use the Tor Browser for browsing user → Tor → JonDonym → destination server, you have to change the proxy settings in Tor Button: start Tor Browser, open the Tor Button settings, choose custom proxy settings, set the HTTP proxy port to 4001 and leave all other fields, except 'No Proxy for', empty. You can check [archive] whether it is working.

Future Integration[edit]

If you are interested in a development discussion about JonDo(Fox) getting pre-installed on Whonix ™, see Dev/JonDo.

Connecting to JonDonym before Tor[edit]

Testers only!

It is possible to configure Tor to use JonDo as proxy to establish the following tunnel:
User → JonDonym → Tor → Internet

If you want to do this, apply the following instructions.

Qubes-Whonix ™ only! Non-Qubes-Whonix ™ is unsupported.

No JonDo premium account required. Works with JonDo free.

In case you want to do that, it is recommended to read the following related wiki article: Tunnels/Introduction

For current limitations, see also blog post / forum discussion: [archive]

Create a new standalone ProxyVM called JonDo-Gateway.

Install JonDo in your new JonDo-Gateway ProxyVM. The following instructions install JonDo from JonDo's Debian APT repository: [archive]. The installation method described in the chapter "Using the repository at command line" is recommended.

After you have installed JonDo in the JonDo-Gateway ProxyVM, test whether JonDo's https proxy is functional.

curl --tlsv1.2 --proto =https --proxytunnel --proxy


You need to enable the extended view.

Config → user interface → extended view.

You must make JonDo listen on all interfaces so it will be reachable from sys-whonix. Under network, uncheck:
[ ] Allow access to JAP/JonDo from localhost only (recommended)

In the JonDo-Gateway ProxyVM, the iptables rules must be unloaded.

If using Qubes, disable qubes-iptables and qubes-firewall systemd services. Non-Qubes users can skip this.

sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall

Open ~/fw-unload in an editor as a regular, non-root user.

If you are using a graphical environment, run.

mousepad ~/fw-unload

If you are using a terminal, run.

nano ~/fw-unload



#!/bin/bash

## Copyright (C) 2012 - 2015 Patrick Schleizer <>
## See the file COPYING for copying conditions.

## Flush every iptables and ip6tables table, delete user-defined chains and
## reset all built-in chains to ACCEPT, so the JonDo-Gateway ProxyVM passes
## traffic from sys-whonix unfiltered. Must be run as root.

set -o pipefail

error_handler() {
  echo "ERROR!" >&2
  exit 1
}

trap "error_handler" ERR

## --wait: block until the xtables lock is free instead of failing.
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

## IPv4: default policies first, so nothing is dropped while flushing.
$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT

## -F flushes the rules of a table, -X deletes its user-defined chains.
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X

## IPv6: same procedure.
$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT

$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X

exit 0


Make ~/fw-unload executable.

chmod +x ~/fw-unload

Unload all iptables firewall rules.

sudo ~/fw-unload

After firewall unload, run the following command to see if all firewall rules are really unloaded.

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

The output should show.
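Rather than comparing the iptables-save output by eye, the following added check (example code, not part of the Whonix page) parses it: an unloaded firewall has only built-in chains with policy ACCEPT, no user-defined chains and no -A rule lines in any table. The function names are my own. Run it against the same iptables-save output the command above prints, and against ip6tables-save as well, since ~/fw-unload resets both stacks.

```shell
#!/bin/sh
# Added example, not part of the Whonix page: check iptables-save output
# mechanically instead of eyeballing it. After ~/fw-unload every table must
# hold only built-in chains with policy ACCEPT, no user-defined chains and no
# "-A" rule lines. Function names are my own.

# Read iptables-save output on stdin and print one line per finding; print
# nothing when the ruleset is clean. "# Generated/Completed" comments, table
# headers ("*filter"), COMMIT and blank lines are expected and ignored.
fw_findings() {
    awk '
        /^#/       { next }
        /^\*/      { table = substr($0, 2); next }
        /^:/       {                       # ":CHAIN POLICY [pkts:bytes]"
                     chain = substr($1, 2)
                     if ($2 == "-")
                         print table ": user-defined chain " chain " still exists"
                     else if ($2 != "ACCEPT")
                         print table ": built-in chain " chain " has policy " $2
                     next
                   }
        /^-A /     { print table ": rule still loaded: " $0; next }
        /^COMMIT$/ { next }
        /^$/       { next }
                   { print table ": unexpected line: " $0 }
    '
}

# Return 0 when the firewall is fully unloaded; otherwise print the findings
# to stderr and return 1, so the function can gate the next step of the setup.
fw_is_unloaded() {
    findings=$(fw_findings)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Usage in the JonDo-Gateway ProxyVM after "sudo ~/fw-unload" (both stacks,
# since fw-unload resets iptables and ip6tables):
#   sudo iptables-save  | fw_is_unloaded && echo "IPv4 rules unloaded"
#   sudo ip6tables-save | fw_is_unloaded && echo "IPv6 rules unloaded"
```

A non-empty finding list after fw-unload usually means a service (such as qubes-firewall, masked above) re-applied rules in the meantime; rerun the unload and check again before pointing sys-whonix at this VM.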


IP Forwarding in the JonDo-Gateway ProxyVM could/should be disabled since it is not required. TODO: document how

Shut down sys-whonix. Set sys-whonix NetVM to JonDo-Gateway. Restart sys-whonix.

In sys-whonix, open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add the following. The IP address shown is only an example; you need to replace it with the IP of your JonDo-Gateway ProxyVM. You can find that IP by running the following command within sys-whonix: qubesdb-read /qubes-gateway



Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix') → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

In sys-whonix, test whether Tor is able to use the https proxy that JonDo provides.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --socks5-hostname socks5h://

Done. Tor will use JonDo as proxy.
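As an added example (not the page's own text, which leaves the exact torrc lines in the step "Add the following" to the reader), the following shell functions write that drop-in so that it can be re-run safely and catches typos in the gateway address. Tor's directive for an HTTP CONNECT proxy is HTTPSProxy host:port, which matches what JonDo free accounts provide (an https proxy, no SOCKS, see "Free vs Premium Accounts" above). Port 4001 is JonDo's default HTTP proxy port, the same one the JonDoFox section uses; the address 10.137.0.20 is an assumed example standing in for the output of qubesdb-read /qubes-gateway; the function names and the file name in the usage comment are my own.

```shell
#!/bin/sh
# Added example, not the page's own text: write the torrc drop-in that makes
# Tor reach the network only through JonDo's HTTPS (CONNECT) proxy, and do it
# idempotently. Tor's directive is "HTTPSProxy host:port". Assumptions: port
# 4001 is JonDo's default HTTP proxy port; 10.137.0.20 below stands in for
# the address printed by "qubesdb-read /qubes-gateway" in sys-whonix.

MARKER="## Tor reaches the network only through JonDo's HTTPS (CONNECT) proxy."

# Accept only a dotted-quad IPv4 address with each octet in 0..255. An
# address with a missing octet would otherwise make Tor fail later with an
# unhelpful proxy error instead of an error at configuration time.
is_ipv4() {
    awk -v ip="$1" 'BEGIN {
        n = split(ip, o, ".")
        if (n != 4) exit 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
        exit 0
    }'
}

# Accept a TCP port number 1..65535.
is_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the lines to add, so they can be reviewed before anything is written.
tor_proxy_config() {   # $1 = JonDo-Gateway IP, $2 = JonDo HTTP proxy port
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    is_port "$2" || { echo "not a TCP port: $2" >&2; return 1; }
    printf '%s\n' "$MARKER" "HTTPSProxy $1:$2"
}

# Merge the lines into the drop-in (default: the file this page edits). Other
# settings in the file are kept; an earlier HTTPSProxy line and our marker
# are dropped first, so running this twice leaves exactly one proxy setting.
install_tor_proxy_config() {   # $1 = IP, $2 = port, $3 = target file (optional)
    target=${3:-/usr/local/etc/torrc.d/50_user.conf}
    new=$(tor_proxy_config "$1" "$2") || return 1
    kept=
    if [ -e "$target" ]; then
        kept=$(grep -v -e '^HTTPSProxy[[:space:]]' \
                       -e '^## Tor reaches the network only through JonDo' \
                       "$target" || true)
    fi
    {
        [ -z "$kept" ] || printf '%s\n' "$kept"
        printf '%s\n' "$new"
    } > "$target"
}

# Report the proxy Tor will use from a given file (Tor takes the last value).
configured_https_proxy() {   # $1 = torrc fragment
    awk '$1 == "HTTPSProxy" { v = $2 } END { print v }' "$1"
}

# Usage in sys-whonix (file name assumed; afterwards reload Tor and run
# "tor --verify-config" as shown above):
#   sudo sh -c '. ./tor-jondo-proxy.sh && install_tor_proxy_config 10.137.0.20 4001'
#   configured_https_proxy /usr/local/etc/torrc.d/50_user.conf
```

Keeping the write separate from the validation (tor_proxy_config prints, install_tor_proxy_config writes) lets you diff the intended lines against the live file before touching a root-owned configuration, and the idempotent merge matters because a second, stale HTTPSProxy line pointing at an old gateway IP would silently win or lose depending on its position in the file.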

JonDonym as a Tor replacement (JonDoBOX)[edit]

This was just a development idea with some limited progress. The material has moved to Dev/Inspiration.


Gratitude is expressed to JonDos [archive] for permission [archive] to use material from their website. (w [archive]) (w [archive]) [13] The "Whonix ™ JonDonym" wiki page contains content from the JonDonym documentation Network [archive] page.

Footnotes / References[edit]

  1. [archive]
  2. [archive]
  3. [archive]
  4. [archive] (w [archive])
  5. [archive]
  6. [archive]
  7. Less secure using the short key fingerprint as in JonDo documentation. Using the long key fingerprint should be equally secure.
  8. Alternatively use Tor Browser to download the signing key here [archive].
  9. Alternatively use Tor Browser to download the package from here [archive].
  10. Alternatively use Tor Browser to download the signature from here [archive]. Right-click and select "Save Page As..." to save the signature.
  11. [archive]
  12. Socks proxy test - premium only.
    curl --tlsv1.2 --proto =https --socks5-hostname socks5h://
  13. Broken link: [archive]


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
