Tunnel Introduction/Tor before Tunnel-link

From Whonix


In this configuration, network traffic will (1) pass through your ISP as encrypted Tor traffic → (2) exit the Tor network as tunnel-link traffic → (3) exit your tunnel-link as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • As one part of using tunnel-link anonymously for some specific reason.
  • You must use Tor, but need to connect to an internet server that bans Tor exit nodes.
  • Fear of de-anonymizing attacks against the Tor network; belief that your tunnel-link will protect your identity in such cases.


Note: The following warnings are not Whonix specific issues. They are general issues associated with combining Tor with tunnel-links.

  • Even though Tor will hide your IP address from your tunnel-link, you can still be located with your payment method, usage logs, or other identifying information the tunnel-link service knows about you.
  • You will not be able to access Tor onion services (.onion). [1]
  • Malware on Whonix-Workstation ™ can't bypass Tor but can ignore your tunnel-link unless you are using a separate Tunnel-Gateway.
  • It is not simple to configure tunnel-links in a foolproof, leak free manner. However, when combined with Whonix ™, it is impossible for traffic to bypass Tor, even if the tunnel-link is misconfigured.[2]
  • Most of the pre-installed software in Whonix-Workstation ™, including Tor Browser, is configured to take advantage of Stream Isolation. As a side effect, this software will ignore tunnel-links such as VPNs by default. You must reconfigure this software to disable stream isolation.
  • When using a browser while connecting to Tor before a tunnel-link, you probably will not be able to make use of the browser tab stream isolation feature of Tor Browser. [3] This is because Tor Browser would no longer talk to Tor directly; it would connect to the tunnel-link instead.
  • When using a browser, connecting to Tor before a tunnel-link worsens the web fingerprint. The anonymity effects of using the configuration User → (Proxy / VPN / SSH →) Tor → Proxy / VPN / SSH → Tor Browser → Website are unknown. How many people are likely to use a proxy, VPN or SSH IP in this manner? This setup is so specialized that probably very few are doing it, reducing the user pool to a small subset. Because of this potential fingerprinting harm, the configuration is recommended against. If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (e.g. Firefox, Chrome), due to an even greater browser fingerprinting risk. [4]
  • When using User → Tor → tunnel-link → Internet, i.e. if the last server is not a Tor relay, you will no longer be able to connect to Onion Services (unless you run another Tor client on top, but this would lead to Tor over Tor, which is discouraged for security reasons).
  • If it were easy to set up a socksifier, proxy settings, a transparent proxy with local redirection, an SSH tunnel or a VPN in a leak-free manner, i.e. while ensuring that nothing bypasses the VPN, SSH or proxy, there would have been no reason to develop Whonix in the first place. The methods described in the tunnel documentation are all tested and should more or less work. Should there be any misconfiguration or leak bug, you are left with the protections provided by Whonix and Tor: the leaked traffic will still go through Whonix-Gateway ™ and is therefore forced through Tor. The methods in the tunnel documentation are not as safe as a Whonix-Gateway ™. There were development discussions and some progress (see Dev/Inspiration) about chaining multiple Gateways (VPNBOX, JonDoBOX, I2PBOX, FreenetBOX and ProxyBOX), but nothing was finished due to the lack of community interest, support and developers.
  • Bug #3455: Tor Browser should set SOCKS username for a request based on referer
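The stream isolation items above (the pre-installed software and the Tor Browser tab isolation points) come down to how an application talks to Tor's SocksPort: with Tor's IsolateSOCKSAuth option, every distinct SOCKS5 username/password pair is routed over its own circuit, and because the application connects to Tor's SOCKS port directly, a tunnel-link placed after Tor is never on that path. The following is an added example, not Whonix or Tor Project code: it builds and parses the SOCKS5 username/password handshake that carries the isolation key, and the usernames and hostnames in it are constructed sample values.

```python
import struct

SOCKS_VERSION, AUTH_USERPASS, CMD_CONNECT, ATYP_DOMAIN = 5, 0x02, 0x01, 0x03


def build_greeting() -> bytes:
    # Client hello offering only username/password authentication (RFC 1928).
    return bytes([SOCKS_VERSION, 1, AUTH_USERPASS])


def build_userpass_auth(username: str, password: str) -> bytes:
    # RFC 1929 sub-negotiation. With Tor's IsolateSOCKSAuth the pair acts as an
    # isolation key that selects a circuit, not as a credential that is verified.
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect(host: str, port: int) -> bytes:
    # CONNECT with a domain-name address (ATYP 0x03) so the name is resolved by
    # the proxy instead of by a local DNS lookup that could leak outside Tor.
    h = host.encode("idna")
    if len(h) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def parse_client_stream(data: bytes) -> dict:
    # Parse the client-to-proxy bytes (server replies stripped) and recover the
    # isolation key plus the destination the application asked Tor to reach.
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    pos = 2 + data[1]
    if AUTH_USERPASS not in data[2:pos]:
        raise ValueError("client did not offer username/password auth")
    if data[pos] != 0x01:
        raise ValueError("bad auth sub-negotiation version")
    ulen = data[pos + 1]
    username = data[pos + 2:pos + 2 + ulen].decode()
    pos += 2 + ulen
    plen = data[pos]
    password = data[pos + 1:pos + 1 + plen].decode()
    pos += 1 + plen
    if data[pos:pos + 4] != bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN]):
        raise ValueError("only CONNECT to a domain name is handled here")
    hlen = data[pos + 4]
    host = data[pos + 5:pos + 5 + hlen].decode("idna")
    port = struct.unpack("!H", data[pos + 5 + hlen:pos + 7 + hlen])[0]
    return {"isolation_key": (username, password), "host": host, "port": port}
```

Two requests that differ only in the username (for example one per browser tab or first-party site) therefore end up on separate Tor circuits, which is exactly the per-stream behaviour a tunnel-link after Tor cannot see or preserve.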