Non Anonymous Onion Encryption and NAT Traversal

From Whonix


Ambox warning pn.svg.png Not anonymous!

Ambox warning pn.svg.png Documentation for this entry is incomplete. Contributions are happily considered!


It is possible to make Tor on a server using a single Tor hop (only one Tor relay instead of three) by using Tor configuration options HiddenServiceNonAnonymousMode 1, HiddenServiceSingleHopMode 1. This is non-anonymous but faster. Server should use Onions Services Authentication. The advantage of this is to have a server which is:

  • reachable (for users having access to Tor) for NAT traversal, i.e. it works behind common NAT routers.
  • capable to secure inherently insecure protocols (such as VNC) by using the encryption / authentication provided by Tor Onion Services

Independently, if clients prefer speed over anonymity, they can configure Tor in Tor2Web mode, which means outgoing Tor circuits will have a length of one rather than three.

These two options combined reduce a 6 hop Tor connection to a 2 hop Tor connection. It's not anonymous, but providing NAT traversal as well as onion encryption / authentication. [archive]

Server Side[edit]

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettings/usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf


HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SocksPort 0

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22
HiddenServicePort 5900
HiddenServiceVersion 3
## syntax:
## HiddenServiceAuthorizeClient auth-type client-name,client-name,…
## The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients.
## Valid client names are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no spaces). 
HiddenServiceAuthorizeClient stealth 1234567890123456

Save and exit.

Client Side[edit]

Update the package lists.

sudo apt-get update

Install Tor's build dependencies.

sudo apt-get build-dep tor


Create directory ~/tor-src.

mkdir ~/tor-src

Change directory to ~/tor-src.

cd tor-src

Download the Tor source package.

apt-get source tor

Change directory to Tor source directory.

cd tor-*/

Open debian/rules in an editor as a regular, non-root user.

If you are using a graphical environment, run.

mousepad debian/rules

If you are using a terminal, run.

nano debian/rules


dh_auto_configure \
        $(confflags) \
        --prefix=/usr \
        --mandir=\$${prefix}/share/man \
        --infodir=\$${prefix}/share/info \
        --localstatedir=/var \
        --sysconfdir=/etc \
        --disable-silent-rules \


dh_auto_configure \
        $(confflags) \
        --prefix=/usr \
        --mandir=\$${prefix}/share/man \
        --infodir=\$${prefix}/share/info \
        --localstatedir=/var \
        --sysconfdir=/etc \
        --disable-silent-rules \
        --enable-gcc-warnings-advisory \

Open src/or/config.c in an editor as a regular, non-root user.

If you are using a graphical environment, run.

mousepad src/or/config.c

If you are using a terminal, run.

nano src/or/config.c


V(Tor2webMode,                 BOOL,     "0"),


V(Tor2webMode,                 BOOL,     "1"),

Build the Tor package.




Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Non Anonymous Onion Encryption and NAT Traversal&body= link= Anonymous Onion Encryption and NAT Traversal link= Anonymous Onion Encryption and NAT Traversal link= Anonymous Onion Encryption and NAT Traversal%20 Anonymous Onion Encryption and NAT Traversal

Love Whonix ™ and want to help spread the word? You can start by telling your friends or posting news about Whonix ™ on your website, blog or social media.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

  1. sudo apt-get install zlib1g-dev libevent-dev asciidoc xmlto libsystemd-dev

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.