Stream Isolation: Easy

From Whonix

< Stream Isolation


Applications such as Tor Browser, ssh, gpg, wget, curl, git, and apt-get are configured for stream isolation by default; the full list can be found here. The advantage of this configuration is that these applications will take different paths through the Tor network and will therefore be more anonymous, since it protects against identity correlation through Tor circuit sharing. [1]

This arrangement comes with a small usability impact in corner cases:

Further information:

Learn more about stream isolation Disable stream isolation: easy Disable stream isolation: more options


  1. If stream isolation is not enforced, different activities conducted in separate applications may pass through the same Tor circuit and exit relay, correlating these activities to the same pseudonym.
  2. It might be required to disable stream isolation for applications that require local connections. For example, this is the case for opening a local ssh listener:
      • If the following command is run: ssh, uwt will actually execute torsocks /usr/bin/ssh.anondist-orig In this case, traffic would flow though torsocks via a Tor SocksPort. This will fail for local connections and lead to the following error message:
        • libtorsocks(12021): connect: Connection is to a local address (, may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to [archive] if this is preventing a program from working properly with torsocks

      • This is possibly no longer required thanks to the Whonix ™ default /etc/tor/torsocks.conf [archive] configuration file which sets AllowOutboundLocalhost 1.
    # Set Torsocks to allow outbound connections to the loopback interface.
    # If set to 1, connect() will be allowed to be used to the loopback interface
    # bypassing Tor. If set to 2, in addition to TCP connect(), UDP operations to
    # the loopback interface will also be allowed, bypassing Tor. This option
    # should not be used by most users. (Default: 0)
    AllowOutboundLocalhost 1

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Stream Isolation/Easy&body= link= Isolation/Easy link= Isolation/Easy link= Isolation/Easy%20 Isolation/Easy

Want to make Whonix ™ safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.