
Stream Isolation: Easy

From Whonix


Applications such as ssh, gpg, wget, curl, git, and apt-get are configured for stream isolation by default; the full list can be found here. The advantage of this configuration is that these applications take different paths through the Tor network, which makes them more anonymous because it protects against identity correlation through Tor circuit sharing. [1]

This arrangement comes with a small usability impact in corner cases:

  • For some tunnels it may be necessary to disable stream isolation -- this is covered in the Combining Tunnels with Tor chapter.
  • It might be required to disable stream isolation for applications that require local connections. For example, this is the case for opening a local ssh listener:
    • If the following command is run: ssh 10.152.152.11, uwt will actually execute torsocks /usr/bin/ssh.anondist-orig 10.152.152.11. In this case, traffic would flow through torsocks via a Tor SocksPort. This will fail for local connections and lead to the following error message:
      • libtorsocks(12021): connect: Connection is to a local address (10.152.152.11), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to http://code.google.com/p/torsocks/issues/entry if this is preventing a program from working properly with torsocks

    • This is possibly no longer required thanks to the Whonix ™ default /etc/tor/torsocks.conf configuration file, which sets AllowOutboundLocalhost 1. [2]
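
To check which destinations the AllowOutboundLocalhost setting quoted in footnote 2 covers, the following added example (not Whonix or torsocks code) parses a torsocks.conf and classifies a destination against it. The function names, the result labels and the last-occurrence-wins parsing rule are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not Whonix/torsocks code): report how AllowOutboundLocalhost
# in a torsocks.conf applies to a given destination.

# Print the effective AllowOutboundLocalhost value found in file $1.
# Assumptions: the last uncommented occurrence wins; absent means 0, the
# default stated in the configuration comment.
allow_outbound_localhost() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 == "AllowOutboundLocalhost" && $2 ~ /^[0-2]$/ { v = $2 }
        END { print (v == "" ? 0 : v) }
    ' "$1"
}

# Succeed only for loopback destinations: localhost, ::1, 127.0.0.0/8.
is_loopback() {
    case "$1" in
        localhost|::1) return 0 ;;
        127.*[!0-9.]*) return 1 ;;   # a hostname that merely starts with "127."
        127.*.*.*)     return 0 ;;
        *)             return 1 ;;
    esac
}

# classify CONF DEST prints one label (labels are this example's own):
#   direct-tcp       loopback, value 1: TCP connect() bypasses Tor
#   direct-tcp-udp   loopback, value 2: TCP and UDP bypass Tor
#   loopback-denied  loopback, value 0: not allowed by this option
#   not-covered      destination is not loopback; the option does not apply
classify() {
    is_loopback "$2" || { echo not-covered; return; }
    case "$(allow_outbound_localhost "$1")" in
        1) echo direct-tcp ;;
        2) echo direct-tcp-udp ;;
        *) echo loopback-denied ;;
    esac
}

# Constructed sample configuration, written to a temporary file.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
# constructed sample, not the shipped Whonix file
# AllowOutboundLocalhost 2
AllowOutboundLocalhost 1
EOF

classify "$sample_conf" 127.0.0.1       # loopback destination
classify "$sample_conf" 10.152.152.11   # the address from the ssh example
```

Because the option's own comment limits it to the loopback interface, the 10.152.152.11 destination from the ssh example is reported as not covered by it.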

Further information:

  • Learn more about stream isolation
  • Disable stream isolation: easy
  • Disable stream isolation: more options

Footnotes

  1. If stream isolation is not enforced, different activities conducted in separate applications may pass through the same Tor circuit and exit relay, correlating these activities to the same pseudonym.
  2. # Set Torsocks to allow outbound connections to the loopback interface.
    # If set to 1, connect() will be allowed to be used to the loopback interface
    # bypassing Tor. If set to 2, in addition to TCP connect(), UDP operations to
    # the loopback interface will also be allowed, bypassing Tor. This option
    # should not be used by most users. (Default: 0)
    AllowOutboundLocalhost 1
    



Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
