Disable Stream Isolation Easy
Deactivate uwt Wrappers
The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt wrapped applications system-wide. Consequently, all uwt wrapped applications revert to the default system networking configuration.
If you want more granular control of uwt wrapper deactivation, see Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper.
Open /etc/uwt.d/50_user.conf in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix with KDE, run.
kdesudo kwrite /etc/uwt.d/50_user.conf
If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.
kdesudo mousepad /etc/uwt.d/50_user.conf
If you are using a terminal-only Whonix, run.
sudo nano /etc/uwt.d/50_user.conf
Add.
uwtwrapper_global="0"
Save and exit.
Tor Browser Remove Proxy Settings
Introduction
This configuration causes Tor Browser to no longer use proxy settings. With no proxy, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside the Whonix-Workstation that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [1]
Note: This action will break both the Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and causes the user to be pseudonymous, rather than anonymous. To mitigate these risks, consider using More than one Tor Browser in Whonix, or better yet, Multiple Whonix-Workstations.
If these settings are changed, expect Tor Button to show a red sign and state "Tor Disabled" when the mouse pointer hovers over it.
To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the #/etc/environment Method is the simplest one.
Note: Choose only 1 method to enable transparent torification.
Other methods, with finer-grained control, are described below.
Command Line Method
Navigate to the Tor Browser folder.
cd ~/tor-browser_en-US
Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.
TOR_TRANSPROXY=1 ./start-tor-browser.desktop
start-tor-browser Method
This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.
Find and open start-tor-browser in the Tor Browser folder in an editor. It is most likely at ~/tor-browser_en-US/Browser/start-tor-browser.
Directly below the #!/usr/bin/env bash line, set.
export TOR_TRANSPROXY=1
/etc/environment Method
This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [2]
Open /etc/environment in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix with KDE, run.
kdesudo kwrite /etc/environment
If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.
kdesudo mousepad /etc/environment
If you are using a terminal-only Whonix, run.
sudo nano /etc/environment
Add the following line.
TOR_TRANSPROXY=1
Save and reboot.
Undo
Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (contributions to these instructions are welcome).
Ignore Tor Button's Open Network Settings
Whonix has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [3]
Deactivate Miscellaneous Proxy Settings
On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this, the Whonix system default must be removed from the application's settings.
TODO: document and expand.
Remove proxy settings for Tor Browser Downloader by Whonix.
Open /etc/torbrowser.d/50_user.conf in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix with KDE, run.
kdesudo kwrite /etc/torbrowser.d/50_user.conf
If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.
kdesudo mousepad /etc/torbrowser.d/50_user.conf
If you are using a terminal-only Whonix, run.
sudo nano /etc/torbrowser.d/50_user.conf
Add.
TB_NO_TOR_CON_CHECK=1
CURL_PROXY="--fail"
Save.
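As an added example (not tb-updater's own code), the following POSIX shell functions model the behaviour the footnotes describe: after sourcing a 50_user.conf-style file, they report whether the Tor connectivity check would run and which proxy options curl would receive. The fallback SocksPort address reuses the page's sample value, and the config files are constructed in a temporary directory.

```shell
# Modelled tb-updater behaviour (added example, not the project's code):
# an unset CURL_PROXY falls back to a Tor SocksPort proxy; an explicitly
# set value, even "--fail", is passed to curl as-is.

# Print the curl options that would be used after sourcing a config file.
# $1: path to a 50_user.conf-style file
effective_curl_opts() {
    (
        # Start from a clean slate so only the file's settings count.
        unset CURL_PROXY TB_NO_TOR_CON_CHECK
        . "$1"
        if [ -z "${CURL_PROXY+set}" ]; then
            # Sample SocksPort address taken from this page's footnote.
            CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115"
        fi
        printf '%s\n' "$CURL_PROXY"
    )
}

# Print "skip" if the Tor connectivity check would be bypassed
# (TB_NO_TOR_CON_CHECK=1), otherwise "check".
tor_con_check_state() {
    (
        unset TB_NO_TOR_CON_CHECK
        . "$1"
        if [ "${TB_NO_TOR_CON_CHECK:-0}" = "1" ]; then
            echo skip
        else
            echo check
        fi
    )
}

# Constructed sample of the file this page tells you to edit.
SAMPLE_CONF="${TMPDIR:-/tmp}/50_user.conf.example"
printf 'TB_NO_TOR_CON_CHECK=1\nCURL_PROXY="--fail"\n' > "$SAMPLE_CONF"

# Constructed file that sets neither variable, to show the modelled default.
EMPTY_CONF="${TMPDIR:-/tmp}/50_user.conf.empty"
: > "$EMPTY_CONF"

# Stand-alone run: compare the two outcomes side by side.
echo "with 50_user.conf: $(tor_con_check_state "$SAMPLE_CONF"), curl opts: $(effective_curl_opts "$SAMPLE_CONF")"
echo "without settings:  $(tor_con_check_state "$EMPTY_CONF"), curl opts: $(effective_curl_opts "$EMPTY_CONF")"
```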
For some applications, this is impossible:
- sdwdate
- onionshare
- Ricochet IM
These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. You can only deactivate sdwdate and/or not use Ricochet IM.
- ↑ This term was coined in the context of a Tor Transparent Proxy. It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
- ↑ Unless this environment variable is manually unset before starting Tor Browser.
- ↑ The regular Tor Browser Bundle from The Tor Project (without Whonix) allows networking settings to be changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the TorButton -> Open Network Settings... menu item. It is not useful, and is confusing to have, in the Whonix-Workstation because:
  - In Whonix, there is only limited access to Tor's control port (see Dev/CPFP for more information).
  - For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on the Whonix-Gateway, and not from the Whonix-Workstation (see VPN/Tunnel support for more information).
- ↑ TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when the Whonix tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
- ↑ By tb-updater default, if unset, the variable CURL_PROXY will be dynamically set to a Tor SocksPort on Whonix-Gateway, for example to CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115". By using a curl parameter we are using anyhow, i.e. CURL_PROXY="--fail", we can in effect disable the environment variable even if it is technically still set. This results in downloads using the system's default networking.