Connecting to JonDonym before Tor/Testing

From Whonix

Note: This Page is for Testing Only![edit]

Please use the stable Connecting to JonDonym before Tor Wiki chapter for JonDonym configuration.


Introduction to Tunnels[edit]

It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. The potential positive or negative effects on anonymity are being controversially debated.

The Whonix ™ project remains technologically neutral in the anonymity discussion. The improper combination of Tor and another service may actually degrade a user's security and anonymity. One such case is using a proxy to hide Tor network traffic from your ISP.

While proxies are a type of tunnel-link, they should not be thought of as a replacement for a VPN or SSH in this configuration. This is because connections to proxies are unencrypted and therefore should not be used to hide Tor use. Proxies are acceptable for circumvention of censorship if that has been shown to work from the user's location, but they are unsuitable for hiding Tor due to the lack of encryption.

Combinations of tunnels-links with Tor are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix ™ users, using Tor in isolation – without a tunnel-link (VPN, proxy or SSH) – is the correct choice.

Tunnel-link before Tor use cases[edit]


In this configuration network traffic will (1) enter the tunnel-link and pass through your ISP → (2) exit your tunnel-link server as encrypted Tor traffic → (3) enter the Tor network → (4) exit the Tor network at a Tor exit node as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • You must connect to your tunnel-link to access the internet.
  • Your ISP blocks Tor and Tor bridges but doesn’t block the tunnel-link.
  • Fear of de-anonymizing attacks against the Tor network; belief that your tunnel-link is able to protect your identity in such case.


Note: The following warnings are not Whonix ™ specific issues. They are general issues associated with combining Tor with tunnel-links.

Info Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor.

In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. [1]

Trusting Service Providers[edit]

Warning A tunnel service provider that knows your identity and/or location may be more willing and able to compromise your privacy than your ISP.

Failed Closed Configurations[edit]

Warning If your software configuration doesn’t block all traffic when your tunnel-link connection suddenly disconnects, your encrypted Tor traffic will go through your ISP without warning. This is the default nature of most tunnel configurations and not an issue specific to Whonix ™.[2]

Tunnel-links can Affect Anonymity[edit]

Warning Using any extra tunnel, for example a VPN, proxy or SSH, can negatively affect anonymity under some circumstances. [3] [4]

To explain why that is, some background information is required so you can draw conclusions and take actions to avoid this risk. See below.

Using the same Tunnel Provider in Multiple VMs at the same Time[edit]

Warning Don't use the same tunnel provider / configuration in more than one place at the same time.

For example, do not use the same tunnel setup inside Whonix-Gateway ™ as well as inside Whonix-Workstation ™. Also do not use the same tunnel setup on the host and inside a Whonix-Gateway ™ or Whonix-Workstation ™ at the same time.

Reusing Tunnel-links[edit]

Warning Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. Doing so could tie any anonymous identities associated with the tunnel-link to the user's ISP assigned IP address.


In tunnel-chain 1, the ISP assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the user's ISP assigned IP address was previously linked to that same tunnel-link, that anonymous identity can now be linked to the user's actual IP address.

  • Tunnel-chain 1: (User → Tunnel-link [user's IP address is linked] → Tor → Internet)
  • Tunnel-chain 2: (User → Tor → Tunnel-link [anonymous activities linked] → Internet)

The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. If this were done, all anonymous activities conducted with tunnel-chain 2 would then be linked with the user's ISP assigned IP address.

Qubes-Whonix ™ TemplateVMs[edit]

Warning Qubes-Whonix ™ users note:
You probably do not want to run the tunnel software from within a TemplateVM. This is because the Whonix-Gateway ™ TemplateVM "is more like a workstation". It is behind sys-whonix. It is not sys-whonix itself.

(If you are using openvpn inside Whonix-Gateway ™ (commonly called sys-whonix) or Whonix-Workstation ™ (commonly called anon-whonix) while following Whonix ™ documentation, openvpn will not start inside the Whonix-Gateway ™ TemplateVM or the whonix-ws-16 TemplateVM.) [5]
In Qubes R4 and above, the TemplateVM's NetVM is purposely set to none by Qubes default. (They are upgraded through the qrexec based updates proxy that will be running on sys-whonix.)

Introduction to JonDonym[edit]

Figure: Java Anon Proxy (JonDonym) Client Software


JonDoNym Analysis by an Advanced Adversary [6]

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

  • (S//REL) Championed by German University (Dresden)
  • (S//REL) (Mostly?) Open source software - some Docs in German
  • (S//REL) Uses a technology known as Cascades
    • (S//REL) Each cascade is set of 2 or 3 Mixes
    • (S//REL) All internal traffic encrypted
    • (S//REL) Free service AN.ON: 5 Cascades
    • (S//REL) Premium service JonDoNym: 10 Cascades
  • (S//REL) Countries: BG, CA, CH, CZ, DE, DK, FR, GB, IT, LU, US
  • (S//REL) Less than 50 mixes total

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

(S//REL) Comparison with Tor

  • (S//REL) Not nearly as well studied
    • (S//REL) Much smaller contained development community
  • (S//REL) More centralized structure (all mixes centrally approved)
  • (S//REL) Not as diverse geographically or scalable
    • (S//REL) Not as well used or publicized
  • (S//REL) Not analyzed in great detail here at NSA (or FVEY?)
  • (TS//SI//REL) Much better chance for Global Adversary (SIGINT :-))
    • (TS//SI//REL) Sessionization of DNI still would be a problem

Whonix Developer View of JonDonym [7]

JonDonym is an alternative anonymity network which will be compared with Tor in this Introduction chapter. It is easy to tunnel JonDonym over Tor inside Whonix-Workstation ™ and in theory, Tor on Whonix-Gateway ™ could be replaced with JonDo.

The JonDonym network[8] is much smaller than the Tor network. At time of writing (February 2012, snapshot random week day, random time), there were 5 two hop free mix cascades, 11 three hop premium mix cascades and 1 test/experimental free one hop service.

The two hop free mix cascades had 1940 users with a maximum available capacity of 2750 users. 1367 users were using the test/experimental free one hop service, which didn't advertise a maximum user capacity. From 16 to 63 users used one of the 11 three hop premium mix cascades, and no maximum user restriction was advertised. There were 350 premium users in total.

In comparison, according to the Tor metrics page, the Tor network had ~3000 relays on that day (~1000 had the guard flag and ~900 had the entry guard flag, i.e. were usable in that position). ~500,000 users were using the Tor network on that day.

The path (circuit) a Tor client chooses is non-predictable and changes every 10 minutes. In comparison, with JonDonym a user who has chosen, for example, the Speedy-Sektor free two hop mix cascade will have a predictable entry and exit until the user manually changes it. That goes for all mix cascades. If someone knows the entry or exit, the whole path the client is using through the network is known.

The Tor network is run by volunteers from many different countries. There is no formal process to apply as a Tor node and no verification of identity for Tor node admins. Anyone can download the Tor software and volunteer a node. Therefore there are legit and malicious nodes.

In comparison, JonDonym mix servers are operated by independent and non-interrelated organizations or private individuals who all publish their identity[9]. The operators have to abide by strict provisions which prohibit saving connection data or exchanging such data with other operators.

While private data such as usernames and passwords have already been sniffed by Tor exit relays on unencrypted or sslstripped connections, there has been no such headline about JonDonym. Tor clearly states that unencrypted connections can be sniffed by Tor exit relays (Exit Nodes Eavesdropping). Trusting JonDonym is more like trusting their policy and server administration skills. Neither the mix server administration nor the JonDo software can prevent a man-in-the-middle attack between the mix server and the destination server.

JonDonym might be faster than Tor.

Quoted from the JonDonym Law enforcement page [10]:

JonDonym does not make it impossible to uncover individual users, as there is no such thing as 100% security. However, such a disclosure is by magnitudes more difficult than for other VPN or proxy services, as this would require the cooperation of several states and organizations.

JonDonym is no technology for preventing law enforcement on the internet. In very serious cases, it is possible to uncover the abuse of Mix services. User connections may be individually observed, if all operators of a Mix cascade get such an official order, valid in their respective country (in Germany according to §100a/b StPO).

A respective legal obligation may moreover force some Mix operators to retain certain connection data. In contrast to surveillance (where this is often not allowed), the operator has to make this transparent to the users of his JonDonym Mixes via JonDo. Usually, such a data retention does neither comprise target addresses (websites) nor contents, but IP addresses of users only. At the moment no JonDonym mix operator retains connection data.

However, the independence of JonDonym operators vastly lowers the danger of an illegitimate law enforcement done by non-democratic states or arbitrary individual public officers. Any disclosure basically needs the cooperation of all operators of a Mix cascade. This was never realized for premium mix cascades in the past.

Surveillance reports

Each year, we will publish a short report of all surveillance actions that were taken and have been reported to us by the operators.

In 2012 there has been one surveillance court order to all German mix operators and JonDos GmbH. It concerned one JonDonym account number which was known to the law enforcement agency before start of surveillance. No premium cascade and no free cascade was able to provide the requested communication data because not all operators of any cascade got a court order.


If single mix operators inform JonDos GmbH about a surveillance court order then that does not mean JonDonym as a whole has been under surveillance or JonDos GmbH was involved. Rather, single operators had to comply with these orders.

In summary there were surveillance court orders during the last four years, but until now, no JonDonym user has ever been de-anonymized. The Tor network also suffers from legal attacks; there have been some raids of Tor exit servers, which also didn't and couldn't lead to de-anonymization. Both networks, when correctly used (i.e. not de-anonymizing oneself by posting private information, never connecting even once without going through the anonymity network, without proxy bypass, without viruses, following documentation and so on), have never had any news headlines about network compromise.

The JonDo developers, although they are selling a product, seem to be honest about their network. They are also generally friendly (Whonix is allowed to re-use their documentation content under an Open Source license, with or without modification, to improve Whonix ™ documentation) and are also constructively participating in the Tor bug tracker. It will be interesting to see if and what they answer on the thread "some false values and confuses TBB users".

JonDonym receives much less attention from security researchers compared to Tor.

In some aspects JonDonym is more secure than Tor, in others less; it depends on your threat model. Reading the network comparison and law enforcement pages yourself may be worthwhile.

JonDonym Setup[edit]

Testers only!

It is possible to configure Tor to use JonDo as proxy to establish the following tunnel:
User → JonDonym → Tor → Internet

If you want to do this, apply the following instructions.

Qubes-Whonix ™ only! Non-Qubes-Whonix ™ is unsupported.

No JonDo premium account required. Works with JonDo free.

For current limitations, see also blog post / forum discussion:

Create a new standalone ProxyVM called JonDo-Gateway.

Install JonDo in your new JonDo-Gateway ProxyVM. The following instructions install JonDo from JonDo's Debian APT repository; the installation method described in the chapter "Using the repository at command line" is recommended.

After you installed JonDo in your JonDo-Gateway ProxyVM, test if JonDo's https proxy is functional.

curl --tlsv1.3 --proto =https --proxytunnel --proxy


You need to enable the extended view.

Config → user interface → extended view.

You must make JonDo listen on all interfaces so it will be reachable from sys-whonix. Under network, uncheck:
[ ] Allow access to JAP/JonDo from localhost only (recommended)

In the JonDo-Gateway ProxyVM, the iptables rules must be unloaded.

If using Qubes, disable qubes-iptables and qubes-firewall systemd services. Non-Qubes users can skip this.

sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall

Open file ~/fw-unload in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run.

mousepad ~/fw-unload

If you are using a terminal, run.

nano ~/fw-unload



#!/bin/bash
## Copyright (C) 2012 - 2015 Patrick Schleizer <>
## See the file COPYING for copying conditions.

## Unload every iptables / ip6tables rule: reset the policy of each built-in
## chain to ACCEPT, then flush (-F) and delete (-X) all chains in every table.

set -o pipefail

error_handler() {
  echo "ERROR!" >&2
  exit 1
}

trap "error_handler" ERR

## The binaries can be overridden through the environment; --wait makes
## iptables block on the xtables lock instead of failing if it is busy.
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

## IPv4: policies first, so nothing is blocked once the rules are gone.
$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT

$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X

## IPv6: same procedure (there is no nat table in this script's ip6tables set).
$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT

$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X

exit 0


Make ~/fw-unload executable.

chmod +x ~/fw-unload

Unload all iptables firewall rules.

sudo ~/fw-unload

After firewall unload, run the following command to see if all firewall rules are really unloaded.

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

The output should show.
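
The following check script is an added example; it is not part of the Whonix page and not part of the fw-unload script. It parses iptables-save output (either the real output of `sudo iptables-save` / `sudo ip6tables-save`, or the two constructed sample rulesets embedded in the script) and reports whether any rules (`-A` lines), non-ACCEPT built-in chain policies or leftover user-defined chains remain, which is exactly the state a successful unload must not leave behind. The function name fw_check, the FW_CHECK_LIVE environment variable and the sample rulesets (including the chain name EXAMPLE-CHAIN) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Whonix page): verify that ~/fw-unload really
# left no firewall state behind. fw_check takes iptables-save output as its
# single argument, prints a one-line summary and returns 0 only when nothing
# survived the unload.
fw_check() {
  printf '%s\n' "$1" | awk '
    BEGIN { rules = 0; bad_policies = 0; user_chains = 0 }
    /^-A /  { rules++ }                        # a rule survived the flush (-F)
    /^:/    {                                  # ":CHAIN POLICY [pkts:bytes]"
      if ($2 == "-") user_chains++             # user chain survived the delete (-X)
      else if ($2 != "ACCEPT") bad_policies++  # built-in policy not reset to ACCEPT
    }
    END {
      printf "rules=%d non_accept_policies=%d user_chains=%d\n",
             rules, bad_policies, user_chains
      if (rules + bad_policies + user_chains > 0) exit 1
      exit 0
    }'
}

# Constructed sample: a fully unloaded ruleset (filter table only; counters
# are shown as [0,0] as the page's sed pipeline rewrites them).
CLEAN_SAMPLE=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
EOF
)

# Constructed sample: state that must not survive an unload - a DROP policy,
# a leftover user-defined chain and two rules.
DIRTY_SAMPLE=$(cat <<'EOF'
*filter
:INPUT DROP [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:EXAMPLE-CHAIN - [0,0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j EXAMPLE-CHAIN
COMMIT
EOF
)

# Live mode: run on the JonDo-Gateway ProxyVM after `sudo ~/fw-unload` with
#   FW_CHECK_LIVE=1 sh ./fw_check.sh
# Both IPv4 and IPv6 tables are checked; a non-zero exit status means the
# unload did not complete.
if [ "${FW_CHECK_LIVE:-0}" = "1" ]; then
  fw_check "$(sudo iptables-save)" && fw_check "$(sudo ip6tables-save)"
fi
```

Without FW_CHECK_LIVE set, the script only defines the function and the samples, so it can be sourced from another shell script or inspected safely; with it set, a non-zero exit status means some chain, policy or rule survived and ~/fw-unload should be run again (after confirming the qubes-iptables and qubes-firewall services are really stopped, as described above).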


IP Forwarding in the JonDo-Gateway ProxyVM could/should be disabled since it is not required. TODO: document how

Shut down sys-whonix. Set sys-whonix NetVM to JonDo-Gateway. Restart sys-whonix.

In sys-whonix, open file /usr/local/etc/torrc.d/50_user.conf in a text editor of your choice with sudoedit.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudoedit /usr/local/etc/torrc.d/50_user.conf

Add the following. is just an example. You need to replace with the IP of your JonDo-Gateway ProxyVM. You could run the following command within sys-whonix to find out the IP of your JonDo-Gateway ProxyVM. qubesdb-read /qubes-gateway



Reload Tor.

After changing Tor configuration, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix') → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

In sys-whonix, test if Tor is able to use the https proxy that JonDo is providing.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proto =https --socks5-hostname socks5h://

Done. Tor will use JonDo as proxy.

JonDonym as Tor replacement (JonDoBOX)[edit]

Was just a development idea with some progress. Moved to Dev/Inspiration.

Footnotes / References[edit]

  1. Users in China are unlikely to circumvent government censorship with vanilla bridges, as they are uniformly blocked. That said, anon-connection-wizard configured with the meek-amazon or meek-azure pluggable transport is reported to bypass Chinese censorship in late 2017.
  2. For example, VPNs require a failed closed configuration to prevent DNS leaks.
  4. research / document impact for tunnel users if Tor relays are hosted at the same tunnel provider
  5. This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf checks the following condition

    Which means, if file /var/run/qubes-service/whonix-template exists, which is the case in Whonix ™ templateVMs, the openvpn@openvpn service will not be started.

  7. Lead developer Patrick Schleizer.
  10. (w)
  11. Socks proxy test - premium only.
    curl --tlsv1.3 --proto =https --socks5-hostname socks5h://


Gratitude is expressed to JonDos for permission to use material from their website. The "Whonix ™ JonDonym" wiki page contains content from the JonDonym documentation Network page.