
Template:Prevent Bypassing the Tunnel-Link

In essence, you prevent bypassing the tunnel-link by disabling stream isolation.

By Whonix default, many pre-installed applications are configured for Stream Isolation. These applications are configured to use Tor SocksPorts instead of Tor's TransPort.

All applications that are configured to use Tor SocksPorts will not be tunneled through the tunnel-link; they will be tunneled "only" through Tor. This is because the configuration described below does not touch local connections to the Whonix-Gateway. For example, if you wish to tunnel Tor Browser along the route User -> Tor -> tunnel-link -> Internet, you have to remove all proxy settings from Tor Browser, see below.

Deactivate uwt wrappers
To deactivate all uwt wrappers permanently, i.e. to deactivate stream isolation for all uwt wrapped applications and make them use the system default networking again, see below.

(Otherwise, if you want finer-grained control over uwt wrapper deactivation, see Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper.)

Open /etc/uwt.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/uwt.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/uwt.d/50_user.conf

And add.



Tor Browser Remove Proxy Settings

Applying this configuration results in Tor Browser no longer using proxy settings, i.e. it is set to no proxy. Tor Browser then uses the (VM) system's default networking, just like any other application inside the workstation that is not explicitly configured through socks proxy settings or a socksifier to use Tor. This is also called transparent torification. [1] It breaks Stream Isolation for Tor Browser as well as Tor Browser's tab isolation by socks user name feature, thereby worsening your web fingerprint and making you pseudonymous rather than anonymous. (To limit the risks, consider using More than one Tor Browser in Whonix or, better, Multiple Whonix-Workstations.)

If you change these settings, it is expected that Tor Button shows a red sign and 'Tor Disabled' when you hover over it with the mouse.

To set it to no proxy, set the TOR_TRANSPROXY=1 environment variable. There are various methods to do so; the #/etc/environment Method is the simplest one.

Other methods with finer-grained settings follow.

Command Line Method
Get into your Tor Browser folder.

cd ~/tor-browser_en-US

Every time you start Tor Browser, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

start-tor-browser Method
This applies only to the one Tor Browser instance/folder that you configure. This method might not persist when Tor Browser is updated.

Find and open start-tor-browser in the Tor Browser folder in an editor.

Most likely in ~/tor-browser_en-US/Browser/start-tor-browser; add it below #!/usr/bin/env bash.


/etc/environment Method
This applies to the whole environment, i.e. any possible custom locations of Tor Browser installation folders.[2]

Open /etc/environment in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/environment

If you are using a terminal-only Whonix, run:

sudo nano /etc/environment

Add the following content.




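The three file edits above (the uwt wrapper setting in /etc/uwt.d/50_user.conf, the export line below the shebang of start-tor-browser, and the TOR_TRANSPROXY=1 line in /etc/environment) are each "add a line to a config file" steps that are easy to get wrong by running twice and stacking duplicate lines. The following POSIX shell script is an added example, not code from the Whonix wiki or the Whonix project: it performs each edit idempotently against constructed stand-in files in a temporary directory and checks the result, so it can be read and run safely before touching real system files. The real paths are given only in comments; the key name uwtwrapper_global="0" is not shown on this page and is assumed here from the uwt package's own configuration files, so verify it against /etc/uwt.d/ on your system.

```shell
#!/bin/sh
# Added example (not part of the Whonix wiki): idempotent config-line edits for
# the three methods described on this page, run against constructed temp files.

# set_kv FILE KEY VALUE: replace an existing "KEY=..." line or append one.
# Used for /etc/uwt.d/50_user.conf and /etc/environment (plain KEY=VALUE, no "export").
set_kv() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # rewrite the existing line via a temp file (sed -i is not portable)
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# export_after_shebang FILE KEY VALUE: insert "export KEY=VALUE" directly below
# line 1 (the shebang) of a launcher script, unless it is already exported there.
# Used for ~/tor-browser_en-US/Browser/start-tor-browser.
export_after_shebang() {
    file="$1"; key="$2"; value="$3"
    grep -q "^export ${key}=" "$file" && return 0
    tmp="${file}.tmp.$$"
    awk -v line="export ${key}=${value}" 'NR==1 {print; print line; next} {print}' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# has_kv FILE KEY VALUE: succeed only if the file contains exactly KEY=VALUE.
has_kv() {
    grep -qx "$2=$3" "$1"
}

# count_key FILE KEY: number of lines defining KEY (must be 1 after set_kv).
count_key() {
    grep -c "^$2=" "$1" || true
}

# demo: apply all three steps to constructed stand-in files, running the
# /etc/environment step twice to prove it does not duplicate the line.
# Returns 0 when every setting is present exactly once and unrelated content survived.
demo() {
    dir=$(mktemp -d)
    uwt_conf="$dir/50_user.conf"        # stands in for /etc/uwt.d/50_user.conf
    env_file="$dir/environment"         # stands in for /etc/environment
    launcher="$dir/start-tor-browser"   # stands in for Browser/start-tor-browser

    # Constructed sample content, as fresh files might hold.
    printf 'PATH="/usr/local/bin:/usr/bin:/bin"\n' > "$env_file"
    printf '#!/usr/bin/env bash\necho "constructed stand-in for the launcher"\n' > "$launcher"

    # Step 1: uwt wrappers off. Key name is an assumption (see lead-in).
    set_kv "$uwt_conf" uwtwrapper_global '"0"'

    # Step 2: per-instance method, export line below the shebang.
    export_after_shebang "$launcher" TOR_TRANSPROXY 1
    export_after_shebang "$launcher" TOR_TRANSPROXY 1

    # Step 3: system-wide method, applied twice to show idempotence.
    set_kv "$env_file" TOR_TRANSPROXY 1
    set_kv "$env_file" TOR_TRANSPROXY 1

    ok=0
    if has_kv "$uwt_conf" uwtwrapper_global '"0"' &&
       has_kv "$env_file" TOR_TRANSPROXY 1 &&
       [ "$(count_key "$env_file" TOR_TRANSPROXY)" = 1 ] &&
       grep -q '^PATH=' "$env_file" &&
       [ "$(sed -n 2p "$launcher")" = "export TOR_TRANSPROXY=1" ] &&
       [ "$(grep -c '^export TOR_TRANSPROXY=' "$launcher")" = 1 ]; then
        ok=1
    fi
    rm -rf "$dir"
    [ "$ok" = 1 ]
}

demo && echo "all three settings applied exactly once"
```

On a real Whonix-Workstation the same functions would be called with root rights on the real paths; the script deliberately never touches them so that it can be dry-run first.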
Undoing this setting is undocumented. Simply no longer setting that environment variable will not do the trick. This is because of limitations of Tor Browser. The easiest way to undo these instructions would be to start over with a fresh installation of Tor Browser. Please contribute these instructions.

Forget about Tor Button's Open Network Settings
Forget about Tor Button's -> Open Network Settings. See the footnote if you want to know why.[3]

Deactivate Misc Proxy Settings

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. If you want to disable this, you must go to the application's settings and remove the Whonix system default.

TO DO: document and expand.

For some applications, this is impossible:

  • sdwdate
  • Ricochet IM

These can only talk to Tor Hidden Services directly. You cannot configure them to use the system default. You can only deactivate sdwdate and/or not use Ricochet IM.

  1. That term was coined in context of a Tor Transparent Proxy. A simple gateway that routes all connections through Tor and does not provide Stream Isolation.
  2. Unless you manually unset this environment variable before starting Tor Browser.
  3. When using the regular Tor Browser Bundle from The Tor Project without Whonix, that menu can be used to change network settings inside Tor. It has the same effects as editing Tor's config file torrc.

    Using this graphical user interface isn't possible in Whonix because, for security reasons, there is only limited access to Tor's control port in Whonix. (See Dev/CPFP for more information.) You could change such settings manually in /etc/tor/torrc on Whonix-Gateway. (See also VPN/Tunnel support for more information.)

    We set the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 to disable the "TorButton" -> "Open Network Settings..." menu item. It is not useful, and confusing, to have on a workstation, because Tor must be configured on the gateway, which for security reasons is forbidden from the workstation.