Tunnel UDP over Tor
The Tor software does not yet support UDP,  although Tor provides a
If UDP is urgently required in Whonix ™, a limited workaround is provided - see the VPN Method below.
In addition to the workaround, UDP must be allowed in the Whonix-Workstation ™ firewall.
This tutorial uses OpenVPN and works well inside Whonix ™. Additional VPN implementations like PPTP might be useful -- as well as other VPN protocols which are free and support UDP -- but further research is required.
Before setting up the VPN:
- Refer to related VPN documentation: How to connect to Tor before a VPN (User → Tor → VPN → Internet).
- Familiarize yourself with the rdate command line switches:
  - -p results in just showing the date and time, without setting it.
  - -u uses UDP instead of TCP (the default).
1. Test that the Whonix ™ setup is generally working.
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 https://check.torproject.org
This should output "Congratulations. Your browser is configured to use Tor."
2. Whonix-Workstation Firewall configuration
See allow UDP in Whonix-Workstation ™ firewall.
3. Install rdate for UDP and TCP testing.
sudo apt update
sudo apt install rdate
4. Run commands for TCP testing.
rdate -p time.u.washington.edu
rdate -p time.nist.gov
rdate -p ptbtime1.ptb.de
5. Run commands for UDP testing.
rdate -u -p time.u.washington.edu
rdate -u -p time.nist.gov
rdate -u -p ptbtime1.ptb.de
The tests should reveal that without a VPN, TCP works over Tor, but not UDP.
6. Configure a VPN tunnel link in Whonix ™.
Obviously a VPN provider that does not block UDP is required. Follow the setup instructions on the VPN Tunnel Setup Examples page; the riseup and usaip examples are functional for this purpose.
7. Run rdate again, first in TCP mode and then in UDP mode -- both should work correctly.
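The rdate checks above can be scripted so the same comparison is run before and after the VPN tunnel is configured. This is an added example, not part of the original Whonix documentation; the RDATE and PROBE_TIMEOUT variables, the function names and the stage names before-vpn / after-vpn are assumptions of this sketch, and timeout is the coreutils command.

```shell
#!/bin/sh
# Added example: automate the page's rdate checks over TCP and UDP.
# RDATE and PROBE_TIMEOUT are override points assumed by this sketch.
RDATE="${RDATE:-rdate}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-20}"   # seconds to wait for each reply
HOSTS="time.u.washington.edu time.nist.gov ptbtime1.ptb.de"   # hosts from the page

# probe PROTO HOST: exit 0 if the time server answered within the timeout.
probe() {
    case "$1" in
        tcp) timeout "$PROBE_TIMEOUT" "$RDATE" -p "$2" >/dev/null 2>&1 ;;
        udp) timeout "$PROBE_TIMEOUT" "$RDATE" -u -p "$2" >/dev/null 2>&1 ;;
        *)   return 2 ;;
    esac
}

# count_ok PROTO: print how many of HOSTS answered over PROTO.
count_ok() {
    ok=0
    for host in $HOSTS; do
        if probe "$1" "$host"; then ok=$((ok + 1)); fi
    done
    echo "$ok"
}

# verdict STAGE TCP_OK UDP_OK: compare the counts with what the page expects.
# STAGE is "before-vpn" (steps 4-5) or "after-vpn" (once the tunnel is set up).
verdict() {
    if [ "$2" -eq 0 ]; then echo "FAIL: no TCP reply, recheck step 1"; return 1; fi
    case "$1:$3" in
        before-vpn:0) echo "OK: TCP works over Tor, UDP does not" ;;
        before-vpn:*) echo "UNEXPECTED: UDP answered without a VPN"; return 1 ;;
        after-vpn:0)  echo "FAIL: UDP still blocked, check VPN and firewall"; return 1 ;;
        after-vpn:*)  echo "OK: TCP and UDP both work through the VPN" ;;
        *)            echo "usage: verdict before-vpn|after-vpn TCP_OK UDP_OK"; return 2 ;;
    esac
}

# run_check STAGE: probe every host over both protocols and print the verdict.
run_check() {
    tcp=$(count_ok tcp)
    udp=$(count_ok udp)
    echo "tcp=$tcp udp=$udp"
    verdict "$1" "$tcp" "$udp"
}

# Run only when a stage is given, e.g.: sh udp-check.sh before-vpn
if [ -n "${1:-}" ]; then run_check "$1"; fi
```

A non-zero exit status means the result differs from what the page describes for that stage.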
This method is currently undocumented. In theory, SSH servers could be utilized to tunnel UDP over Tor. Obstacles:
- Free SSH services are rarely available.
- The existing free SSH services block certain ports, which makes this even harder.
- Even though SSH can provide a SOCKS5 proxy, it is not capable of providing tunneling support for UDP itself.
- Extra software needs to be installed on both the client and (even worse) the server with root access. Most administrators of free SSH services will not allow this configuration.
- Acquiring a server comes with its own challenges.
- Easy: allow UDP in Whonix-Workstation ™ firewall.
Therefore this method is only useful if you have your own server, but even then the VPN method is usually preferable.
SOCKS5 Proxy Method
Attempts to tunnel UDP with this configuration have failed. See the Design Archive for full details: Tunneling UDP over Tor.
Footnotes / References
- https://gitlab.torproject.org/legacy/trac/-/issues/7830
- While enforcing SSL.
- Alternatively the test can be run without enforcing SSL because some VPN services appear to block it.
  UWT_DEV_PASSTHROUGH=1 curl https://check.torproject.org