Combining Tunnels with Tor

From Whonix

< Tunnels(Redirected from Tunnel Proxy or SSH or VPN through Tor)



Ambox notice.png Advertisement:
Too difficult to set up? Provider specific automation can be created for you by the lead developer of Whonix ™. Send reasonable price suggestions. Get in contact.

It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. The potential positive or negative effects on anonymity are being controversially debated.

The Whonix ™ project remains technologically neutral in the anonymity discussion. The improper combination of Tor and another service may actually degrade a user's security and anonymity. These configurations are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix ™ users, using Tor in isolation – without a VPN or proxy – is the correct choice.

Info Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor.

In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. [1]

Warning Using any extra tunnel, for example a VPN, proxy or SSH can can negatively affect anonymity under some circumstances. [2] [3]

To explain why that is, some background information is required so you can draw conclusions and take actions to avoid this risk. See below.

Warning Don't use the same tunnel provider / configuration in more than one place at the same time.

For example, do not use the same tunnel setup inside Whonix-Gateway ™ as well as inside Whonix-Workstation ™. Also do not use the same tunnel setup on the host and inside a Whonix-Gateway ™ or Whonix-Workstation ™ at the same time.

Warning Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. Doing so could tie any anonymous identities associated with the tunnel-link to the user's ISP assigned IP address.


In tunnel-chain 1, the ISP assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the users ISP assigned IP address was previously linked to that same tunnel-link, that anonymous identity can now be linked to the user actual IP address.

  • Tunnel-chain 1: (UserTunnel-link[users IP address is linked] → TorInternet)
  • Tunnel-chain 2: (UserTorTunnel-link[anonymous activities linked] → Internet)

The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. If this were done, all anonymous activities conducted with tunnel-chain 2 would then be link with the users ISP assigned IP address.

Warning Qubes-Whonix ™ users note:
You probably do not want to run the tunnel software from within a TemplateVM. This is because the whonix-gw-14 TemplateVM "is more like a workstation". It is behind sys-whonix. It is not sys-whonix itself.

(If you are using openvpn inside Whonix-Gateway ™ (commonly called sys-whonix) or Whonix-Workstation ™ (commonly called anon-whonix) while following Whonix ™ documentation, openvpn will not start inside the whonix-gw-14 or whonix-ws-14 TemplateVM.) [4]
In Qubes R4 and above, the TemplateVMs's NetVM is purposely set to none by Qubes default. (They are upgraded through the qrexec based updates proxy that will be running on sys-whonix.)

Challenges in Provider Location Selection[edit]

  • Tor avoids using more than one relay belonging to the same operator in the circuits it is building. Legitimate Tor relay operators adhere to Tor's relay operator practices of announcing which relays belong to them by declaring this in the Tor relay family setting. Tor also avoids using Tor relays that are within the same network by not using relays within the same /16 subnet. [5] Tor however does not take into account your real external IP nor destination IP addresses. [6] In essence, you must avoid using the same network/operator as your first and last Tor relays since this would open up end-to-end correlation attacks.
  • Many tunnel providers use shared IP addresses which means that many users share the same external IP address. On one hand this is good since that is similar to Tor, where many users share the same Tor exit relays. On the other hand, this can in some situations lead to actually making you less safe.
  • It is possible to host Tor relays [any... bridges, entry, middle or exit] behind VPNs or tunnel-links. For example, there are VPN providers that support VPN port forwarding. This is an interesting way to contribute to Tor while not exposing oneself to too much legal risk. Therefore, there can be situation, where a VPN or other tunnel-link and a Tor relays could be hosted by the same operator, in the same network or even on the same IP.
  • In an economy with a deep labor division, ones are providing the service to host servers (VPS etc.). Others provide VPN and other tunnel-link services and rent such servers. It is common, that diverse customers run share the same IP address. This is another situation where a VPN or other tunnel-link and a Tor relays could be hosted by the same operator, in the same network or even on the same IP.
  • By adding arbitrary tunnel-links to your connection chain, you could unknowingly use the same operator/network twice in your connection chain.
    • scenario 1)
      • a) User uses VPN IP A on the host, thereby using it as it is first relay.
        • b) User's Tor client happens to pick a Tor exit relay running on VPN IP A.
        • Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
          • -→ By using the VPN the user did not get more, but less secure.
    • different scenario 2)
      • a) User sets up a VPN inside Whonix-Workstation ™. Thereby that results in UserTorVPNInternet. Using VPN IP A.
      • b) A Tor entry guard is being hosted on VPN IP A.
      • Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
        • -→ By using the VPN the user did not get more, but less secure.
  • Choose your tunnel providers wisely.
    • Find out in which physical and legal jurisdiction and network their servers are located.
    • Perhaps avoid using VPN or SSH providers that support port forwarding.
    • Perhaps use only tunnel-link providers that are assigning private - as in not shared with others - unique - IP addresses, however it is not clear if this does more harm than gain as noted above.
    • Perhaps use tunnel-link providers that run their own servers rather than relying on shared infrastructure.
  • Perhaps manually pick your Tor relay[s]. Specifically your entry guard[s] or bridge[s]).
    • Tor documentation generally discourages tampering with Tor's routing algorithm by manually choosing your relays, but since you are trying to be more clever by extending your Tor chain despite all information about the difficulty of this endeavor, perhaps it would make sense to pick your entry guard manually.
    • Using Bridges might be an alternative, but note the following quote. "Bridges are less reliable and tend to have lower performance than other entry points. If you live in a uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity."

Comparison Table[edit]

UserProxyTorInternet UserVPN / SSHTorInternet UserTorProxy / VPN / SSHInternet
Modified Configuration Location Whonix-Gateway ™ Whonix-Gateway ™ [or host (FAQ)] Whonix-Workstation ™
Evade Website Tor Bans No No Maybe
Evade Network Censor Tor Bans Maybe [7] [8] Maybe [9] No
Hide Tor and Whonix ™ from ISPs Very weak [10] Maybe [11] No
No Loss of Stream Isolation Yes Yes No
Browser Web Fingerprint is not Worsened Yes Yes No
Extra Tunnel Link does not Require Reconfiguration [12] of Pre-configured Software [13] Yes Yes No
No Permanent Exit Relay Unaffected Unaffected No
Tor Onion Services (.onion) Connections Yes Yes No
Hosting Location Hidden Services No No Proxy: No

VPN: If the VPN supports Remote Port Forwarding, yes
SSH: If the SSH supports Remote Port Forwarding, yes

Increased Tunnel Length Yes Yes Yes
Anonymity Effects Disputed [14] Disputed [14] Disputed [14]
Tunnel UDP over Tor No No Proxy: No

VPN: If supported by the VPN, yes
SSH: Undocumented

Connecting to a tunnel-link (proxy/VPN/SSH) before Tor[edit]


In this case, your internet traffic will (1) pass through your ISP as proxy/VPN/SSH traffic; (2) exit your proxy/VPN/SSH server as encrypted Tor traffic; (3) enter to the Tor network; (4) exit the Tor network at a Tor exit node as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • You must connect to your VPN or proxy to access the internet.
  • Your ISP blocks Tor and Tor bridges but doesn’t block the tunnel-link.
  • Fear of de-anonymizing attacks against the Tor network; belief that your VPN or proxy is able to protect your identity in such case.


  • Note, the following warnings are not Whonix ™ specific issues. Those are general issues with combining Tor with tunnel-links.
  • A VPN or proxy that knows your identity and/or location may be more willing and able to compromise your privacy than your ISP.
  • If your software configuration doesn’t block all traffic when your connection to your VPN suddenly disconnects, your encrypted Tor traffic will go through your ISP without warning. This is the default nature of most VPN configurations and not an issue specific to Whonix ™. Workarounds described [in links] below.
  • If the use of Tor is dangerous in your area, VPNs or SSH may not provide enough protection (due to software misconfiguration or sophisticated packet inspection). Proxies do not provide encryption and should not be used to hide Tor use.

How to connect to a VPN before Tor (UserVPNTorInternet)

How to connect to a proxy before Tor (UserproxyTorInternet)

How to connect to SSH before Tor (UserSSHTorInternet)

How to connect to JonDonym before Tor (UserJonDonymTorInternet)

How to connect to Lantern before Tor (UserLanternTorInternet)

Connecting to Tor before a tunnel-link (proxy/VPN/SSH)[edit]


In this case, your internet traffic will (1) pass through your ISP as encrypted Tor traffic; (2) exit the Tor network at a Tor exit node as proxy/VPN/SSH traffic; (3) exit your proxy/VPN/SSH as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • As one part of using a VPN or proxy anonymously for some specific reason.
  • You must use Tor, but need to connect to an internet server who bans Tor exit nodes.
  • Fear of de-anonymizing attacks against the Tor network; belief that your VPN or proxy is able to protect your identity in such case.


  • Note, the following warnings are not Whonix ™ specific issues. Those are general issues with combining Tor with tunnel-links.
  • Even though Tor will hide your IP address from your VPN or proxy, you can still be located with your payment method, usage logs, or other identifying information the tunnel-link service knows about you.
  • You will not be able to access Tor onion services. (.onion) [15]
  • Malware on Whonix-Workstation ™ can't bypass Tor but can ignore your VPN or proxy unless you are using a separate Tunnel-Gateway.
  • It is not simple to configure VPNs, SSH or proxies in a foolproof, leak free manner. However, in case of Whonix ™, it is impossible for traffic to bybass Tor, even if the VPN or proxy is misconfigured.[16]
  • Most the pre-installed software on Whonix-Workstation ™, including Tor Browser, is configured take advantage of Stream Isolation. As a side effect, this software will ignore the VPN by default. You must reconfigure this software to disable stream isolation.
  • When using a browser, while you are connecting to Tor before a tunnel link, you probably will not be able to make use of the browser tab stream isolation feature of Tor Browser. [17] This is because Tor Browser would not talk to Tor directly anymore. Tor Browser would connect to the tunnel-link instead.
  • When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: User → (Proxy / VPN / SSH →) TorProxy / VPN / SSHTor BrowserWebsite are unknown. How many people are likely to use a proxy, VPN or SSH IP in this manner? This setup is so specialized that probably very few are doing it, reducing the user pool to a small subset. Due to potential fingerprinting harm, it is recommended against. If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (e.g. Firefox, Chrome), due to an even greater browser fingerprinting risk. [18]

How to connect to Tor before a VPN (UserTorVPNInternet)

How to connect to Tor before a proxy (UserTorproxyInternet)

How to connect to Tor before SSH (UserTorSSHInternet)

How to connect to Tor before I2P (UserTorI2PInternet)

How to connect to Tor before JonDonym (UserTorJonDonymInternet)

See Also[edit]


  1. Users in China are unlikely to circumvent government censorship with vanilla bridges, as they are uniformly blocked. That said, anon-connection-wizard configured with the meek-amazon or meek-azure pluggable transport is reported to bypass Chinese censorship in late 2017.
  3. research / document impact for tunnel users if Tor relays hosted at the same tunnel provider
  4. This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf checks the following condition

    Which means, if file /var/run/qubes-service/whonix-template exists, which is the case in Whonix ™ TemplateVMs, the openvpn@openvpn service will not be started.

  7. See Hide_Tor_and_Whonix_from_your_ISP#Using_a_Proxy.
  8. This only works against simple IP blocking lists, because connections to proxies are usually not encrypted.
  9. In these situations, VPNs are also often censored. You might be better off using Bridges.
  10. See Hide_Tor_and_Whonix_from_your_ISP#Using_a_Proxy.
  11. See Hide_Tor_and_Whonix_from_your_ISP.
  12. Disabling Stream Isolation.
  13. If you did not disable Stream Isolation, then applications still pre-configured for Stream Isolation would only go through Tor and not through the extra tunnel link. You must decide which applications should have Stream Isolation disabled. For example, if for some reason you wanted to use gpg through the extra tunnel link, but not Tor Browser, then only disable stream isolation for gpg.
  14. 14.0 14.1 14.2 See Tor Plus VPN or proxy.
  15. When using UserTorproxy/VPN/SSHInternet, i.e. if the last server is not a Tor relay, you will be no longer able to connect to Onion Services. (Unless you would run another Tor client on top, but this would lead to Tor over Tor, which is discouraged for security reasons.
  16. If setting up socksifier, proxy settings, transparent proxy with local redirection, SSH tunnel or a VPN in a leak free manner were easy, this means while ensuring nothing will bypass the VPN, SSH or proxy, there would have been no reason to develop Whonix ™ in the first place. The methods described in the tunnel documentation are all tested and should all more or less work. Should there be any misconfiguration or leak bug, you are left to the protections by Whonix ™ and Tor. This means, the leak will still go through Whonix-Gateway ™ and therefore forced through Tor. The methods in the tunnel documentation are not as safe as a Whonix-Gateway ™. There were development discussions and some progress (see Dev/Inspiration), about chaining multiple Gateways, VPNBOX, JonDoBOX, I2PBOX, FreenetBOX and ProxyBOX, but nothing was finished due to the lack of community interest, support and developers.
  17. Bug #3455: Tor Browser should set SOCKS username for a request based on referer

No comments for now due to spam. Use Whonix forums instead.

Random News:

Want to make Whonix safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.