From Whonix
Jump to navigation Jump to search


Developed for and tested in Qubes Debian / Kicksecure only.


TODO: write introduction

Before combining Tor with other tunnels, be sure to read and understand the risks!

Too difficult? Consider purchasing Premium Support.

This is for advanced users only!

Advantage: IP forwarding not required

For background information, see also: Dev/Inspiration#Proxy



Install package(s) redsocks.

A. Update the package lists and upgrade the

sudo apt update && sudo apt full-upgrade

B. Install the redsocks package(s).

Using apt command line parameter is in most cases optional.

sudo apt install --no-install-recommends redsocks

C. Done.

The procedure of installing package(s) redsocks is complete.

VM Setup[edit]

1. Create a VM sys-proxy with checked provides network based on Debian 12 Template.

2. Create a VM anon-proxy which uses net qube: sys-proxy.

sys-proxy Setup[edit]

redsocks Configuration[edit]

In sys-proxy.

file: ~/redsocks.conf

base {
	// debug: connection progress & client list on SIGUSR1
	log_debug = off;

	// info: start and end of client session
	log_info = on;

	/* possible `log' values are:
	 *   stderr
	 *   "file:/path/to/file"
	 *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
	log = "syslog:daemon";

	// detach from console
	daemon = on;

	/* Change uid, gid and root directory, these options require root
	 * privilegies on startup.
	 * Note, your chroot may requre /etc/localtime if you write log to syslog.
	 * Log is opened before chroot & uid changing.
	user = redsocks;
	group = redsocks;
	// chroot = "/var/chroot";

	/* possible `redirector' values are:
	 *   iptables   - for Linux
	 *   ipf        - for FreeBSD
	 *   pf         - for OpenBSD
	 *   generic    - some generic redirector that MAY work
	redirector = iptables;

redsocks {
	/* `local_ip' defaults to for security reasons,
	 * use if you want to listen on every interface.
	 * `local_*' are used as port to redirect to.
	// local_ip =;
	local_ip =;
	local_port = 12345;

	// `ip' and `port' are IP and tcp-port of proxy-server
	// You can also use hostname instead of IP, only one (random)
	// address of multihomed host will be used.
	ip =;
	port = 9050;
	// known types: socks4, socks5, http-connect, http-relay
	type = socks5;
	// login = "username";
	// password = "password";

redudp {
	// `local_ip' should not be as it's also used for outgoing
	// packets that are sent as replies - and it should be fixed
	// if we want NAT to work properly.
	// local_ip =;
	local_ip =;
	local_port = 10053;

	// `ip' and `port' of socks5 proxy server.
	ip =;
	port = 9050;
	// login = "username";
	// password = "password";

	// kernel does not give us this information, so we have to duplicate it
	// in both iptables rules and configuration file.  By the way, you can
	// set `local_ip' to if you need more than 65535 ports to
	// forward ;-)
	// This limitation may be relaxed in future versions using contrack-tools.
	dest_ip =;
	dest_port = 53;

	udp_timeout = 30;
	udp_timeout_stream = 180;

dnstc {
	// fake and really dumb DNS server that returns "truncated answer" to
	// every query via UDP, RFC-compliant resolver should repeat same query
	// via TCP in this case.
	// local_ip =;
	local_ip =;
	local_port = 5300;

// you can add more `redsocks' and `redudp' sections if you need.


In sys-proxy.

file: ~/firewall


set -x
set -e

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv4.conf.all.forwarding=0

ls /home/user/redsocks.conf /etc/redsocks.conf
cp /home/user/redsocks.conf /etc/redsocks.conf
systemctl --no-pager --full restart redsocks
systemctl --no-pager --full status redsocks

echo "options use-vc
nameserver" | tee /etc/resolv.conf

[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

$iptables_cmd -P INPUT DROP
$iptables_cmd -P FORWARD DROP
$iptables_cmd -P OUTPUT DROP

## Flush old rules.
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X

## Allow unlimited traffic on the loopback interface.
$iptables_cmd -A INPUT -i lo -j ACCEPT
$iptables_cmd -A OUTPUT -o lo -j ACCEPT
$iptables_cmd -A OUTPUT --dst -j ACCEPT

## Established incoming connections are accepted.
$iptables_cmd -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Established outgoing connections are accepted.
$iptables_cmd -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#$iptables_cmd -A OUTPUT --dst -p udp --dport 53 -j ACCEPT
#$iptables_cmd -A OUTPUT --dst -p tcp --dport 53 -j ACCEPT

$iptables_cmd -t nat -A OUTPUT --dst -p udp --dport 53 -j ACCEPT
$iptables_cmd -t nat -A OUTPUT --dst -p tcp --dport 53 -j ACCEPT

## redsocks must be allowed to establish direct connections.
$iptables_cmd -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks
$iptables_cmd -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks

## Used Tor in absence of a stable proxy for testing purposes.
#$iptables_cmd -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
#$iptables_cmd -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor

## redsocks dnstc
$iptables_cmd -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-port 5300

## redsocks redudp
$iptables_cmd -t nat -A OUTPUT -p udp -j REDIRECT --to-port 10053

## redsocks redsocks
$iptables_cmd -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345

$iptables_cmd -A INPUT -i vif+ -j ACCEPT

## Best not interering with DNS resolution from anon-proxy VM.
## redsocks dnstc
## This fixes "nslookup" when the "proxy is Tor".
#$iptables_cmd -t nat -A PREROUTING -i vif+ -p udp --dport 53 -j REDIRECT --to-ports 5300
## redsocks redudp
#$iptables_cmd -t nat -A PREROUTING -i vif+ -p udp -j REDIRECT --to-ports 10053
## Would it make sense to set up a DNS server in sys-proxy?
#$iptables_cmd -t nat -A PREROUTING -i vif+ -p tcp --dport 53 -j REDIRECT --to-ports 53

## redsocks redsocks
$iptables_cmd -t nat -A PREROUTING -i vif+ -p tcp --syn -j REDIRECT --to-ports 12345

## Log blocked traffic for debugging.
$iptables_cmd -A INPUT -j LOG --log-level 4 --log-prefix "iptables blocked input: "
$iptables_cmd -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables blocked output: "
$iptables_cmd -A FORWARD -j LOG --log-level 4 --log-prefix "iptables blocked forward: "

## Reject all other traffic.
$iptables_cmd -A OUTPUT -j REJECT

cat /etc/resolv.conf

chmod +x ~/firewall


In sys-proxy.

sudo ~/firewall

anon-proxy VM setup[edit]

In anon-proxy VM.

Open file /etc/resolv.conf in an editor with root rights.


This box uses sudoedit for better security.


NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

Public DNS server. Warning: this example uses cloudflare.

options use-vc nameserver ## alternative: Google #nameserver


TCP test:

curl -H 'Host:' -k

TCP + DNS test:


DNS test:


Leak Testing[edit]

When running sudo systemctl stop tor in sys-proxy, TCP test, TCP + DNS test, as well as DNS test will be dysfuctional.


We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!