Tunnel-link Warnings/Common

From Whonix

Info Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor.

In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. [1]

Trusting Service Providers[edit]

Warning A tunnel service provider that knows your identity and/or location may be more willing and able to compromise your privacy than your ISP.

Failed Closed Configurations[edit]

Warning If your software configuration doesn’t block all traffic when your tunnel-link connection suddenly disconnects, your encrypted Tor traffic will go through your ISP without warning. This is the default nature of most tunnel configurations and not an issue specific to Whonix ™.[2]
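A fail-closed firewall of the kind this warning calls for, as an added example that is not Whonix ™ code: the generated nftables ruleset only lets the encrypted tunnel itself leave on the physical uplink, so that when the tunnel drops, Tor and DNS traffic is dropped instead of falling back to the ISP. Interface names, the VPN endpoint address and port are placeholders supplied as arguments.

```shell
#!/bin/sh
# Added example, not part of the Whonix ™ documentation or project code.
# gen_fail_closed_ruleset WAN_IF TUN_IF VPN_SERVER_IP VPN_PORT
# Prints an nftables ruleset to stdout; returns 1 if an argument is missing.
gen_fail_closed_ruleset() {
    wan_if=$1; tun_if=$2; vpn_ip=$3; vpn_port=$4
    [ -n "$wan_if" ] && [ -n "$tun_if" ] && [ -n "$vpn_ip" ] && [ -n "$vpn_port" ] || return 1
    cat <<EOF
table inet vpn_failclosed {
    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback and replies to already-allowed flows are always fine.
        oif "lo" accept
        ct state established,related accept

        # The only traffic permitted on the physical uplink is the
        # encrypted tunnel to the configured VPN endpoint (placeholder).
        oif "$wan_if" ip daddr $vpn_ip udp dport $vpn_port accept

        # Everything else, DNS included, may only leave via the tunnel.
        oif "$tun_if" accept

        # Anything reaching here would have bypassed the tunnel: log and drop.
        log prefix "vpn-failclosed-drop: " drop
    }
}
EOF
}

# apply_fail_closed_ruleset: load the generated ruleset with nft (needs root).
apply_fail_closed_ruleset() {
    gen_fail_closed_ruleset "$@" | nft -f -
}
```

Because the `output` chain policy is `drop`, a tunnel disconnect leaves no path to the ISP for anything except the tunnel handshake itself; review the log prefix to spot software that tried to bypass the tunnel.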

Tunnel-links can Affect Anonymity[edit]

Warning Using any extra tunnel, for example a VPN, proxy or SSH, can negatively affect anonymity under some circumstances. [3] [4]

To explain why that is, some background information is required so you can draw conclusions and take actions to avoid this risk. See below.

Using the same Tunnel Provider in Multiple VMs at the same Time[edit]

Warning Don't use the same tunnel provider / configuration in more than one place at the same time.

For example, do not use the same tunnel setup inside Whonix-Gateway ™ as well as inside Whonix-Workstation ™. Also do not use the same tunnel setup on the host and inside a Whonix-Gateway ™ or Whonix-Workstation ™ at the same time.

Reusing Tunnel-links[edit]

Warning Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. Doing so could tie any anonymous identities associated with the tunnel-link to the user's ISP assigned IP address.


In tunnel-chain 1, the ISP assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the user's ISP assigned IP address was previously linked to that same tunnel-link, that anonymous identity can now be linked to the user's actual IP address.

  • Tunnel-chain 1: (User → Tunnel-link[user's IP address is linked] → Tor → Internet)
  • Tunnel-chain 2: (User → Tor → Tunnel-link[anonymous activities linked] → Internet)

The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. If this were done, all anonymous activities conducted with tunnel-chain 2 would then be linked with the user's ISP assigned IP address.

Qubes-Whonix ™ TemplateVMs[edit]

Warning Qubes-Whonix ™ users note:
You probably do not want to run the tunnel software from within a TemplateVM. This is because the whonix-gw-15 TemplateVM "is more like a workstation". It is behind sys-whonix. It is not sys-whonix itself.

(If you are using openvpn inside Whonix-Gateway ™ (commonly called sys-whonix) or Whonix-Workstation ™ (commonly called anon-whonix) while following Whonix documentation, openvpn will not start inside the whonix-gw-15 or whonix-ws-15 TemplateVM.) [5]
In Qubes R4 and above, the TemplateVMs' NetVM is purposely set to none by Qubes default [archive]. (They are upgraded through the qrexec based updates proxy that will be running on sys-whonix.)

  1. Users in China are unlikely to circumvent government censorship [archive] with vanilla bridges, as they are uniformly blocked. That said, anon-connection-wizard configured with the meek-amazon or meek-azure pluggable transport is reported to bypass Chinese censorship in late 2017.
  2. For example, VPNs require a failed closed configuration to prevent DNS leaks.
  3. [archive]
  4. research / document impact for tunnel users if Tor relays hosted at the same tunnel provider [archive]
  5. This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf [archive] checks the following condition

    Which means, if file /var/run/qubes-service/whonix-template exists, which is the case in Whonix TemplateVMs, the openvpn@openvpn service will not be started.