Tunnel UDP over Tor
Introduction
The Tor software does not yet support UDP, [1] although Tor provides a DnsPort.
If UDP is urgently required in Whonix ™, a limited workaround is provided - see the VPN Method below.
In addition to the workaround, UDP must be allowed in the Whonix-Workstation ™ firewall.
VPN Method
This tutorial uses OpenVPN and works well inside Whonix ™. Additional VPN implementations like PPTP might be useful -- as well as other VPN protocols which are free and support UDP -- but further research is required.
Before setting up the VPN:
- Refer to related VPN documentation: How to connect to Tor before a VPN (User → Tor → VPN → Internet).
- Familiarize yourself with curl and rdate. The rdate command line switch -p results in just showing the date and time, without setting it; -u uses UDP instead of TCP (the default).
1. Test that the Whonix ™ setup is generally working. [2] [3]
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 https://check.torproject.org
This should output "Congratulations. Your browser is configured to use Tor."
2. Whonix-Workstation Firewall configuration
See allow UDP in Whonix-Workstation ™ firewall.
3. Install rdate for UDP and TCP testing.
sudo apt update
sudo apt install rdate
4. Run commands for TCP testing.
rdate -p time.u.washington.edu
rdate -p time.nist.gov
rdate -p ptbtime1.ptb.de
5. Run commands for UDP testing.
rdate -u -p time.u.washington.edu
rdate -u -p time.nist.gov
rdate -u -p ptbtime1.ptb.de
The tests should reveal that without a VPN, TCP works over Tor, but not UDP.
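As an added example (not part of the Whonix documentation), the following Python script reproduces what steps 4 and 5 do with rdate: it queries the RFC 868 time service on port 37 first over TCP and then over UDP, and reports which transport received a reply. The hostnames are the ones used on this page; the timeout value is an assumption.

```python
import socket
import struct
from datetime import datetime, timezone

TIME_PORT = 37                      # RFC 868 "Time" service, the protocol rdate speaks
SECONDS_1900_TO_1970 = 2208988800   # RFC 868 counts from 1900, Unix time from 1970


def parse_time_reply(data: bytes) -> int:
    """Decode an RFC 868 reply (4 bytes, big-endian seconds since 1900) to a Unix timestamp."""
    if len(data) != 4:
        raise ValueError(f"expected a 4-byte reply, got {len(data)} bytes")
    (since_1900,) = struct.unpack("!I", data)
    return since_1900 - SECONDS_1900_TO_1970


def probe_time(host: str, udp: bool, timeout: float = 10.0):
    """TCP (rdate -p) or UDP (rdate -u -p) query; returns a Unix timestamp,
    or None when no usable reply arrives in time, which is what UDP without
    the VPN looks like: the datagram never gets through and the socket times out."""
    sock_type = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    try:
        with socket.socket(socket.AF_INET, sock_type) as s:
            s.settimeout(timeout)   # assumed value; raise it for slow Tor circuits
            if udp:
                s.sendto(b"", (host, TIME_PORT))   # any datagram prompts a reply
                data, _ = s.recvfrom(4)
            else:
                s.connect((host, TIME_PORT))       # server answers on connect
                data = s.recv(4)
    except OSError:                 # covers timeouts, refused/unreachable, DNS failure
        return None
    return parse_time_reply(data) if len(data) == 4 else None


def transport_report(host: str, timeout: float = 10.0) -> dict:
    """Steps 4 and 5 of the page in one call: which transports got a reply."""
    return {
        "tcp": probe_time(host, udp=False, timeout=timeout) is not None,
        "udp": probe_time(host, udp=True, timeout=timeout) is not None,
    }


if __name__ == "__main__":
    for host in ("time.nist.gov", "ptbtime1.ptb.de"):
        for udp in (False, True):
            ts = probe_time(host, udp)
            shown = datetime.fromtimestamp(ts, timezone.utc) if ts is not None else "no reply"
            print(f"{host} {'UDP' if udp else 'TCP'}: {shown}")
```

Run it once before step 6 and once after the VPN is up: the expected change is that the UDP column flips from "no reply" to a timestamp while TCP keeps working.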
6. Configure a VPN tunnel link in Whonix ™.
Obviously a VPN provider that does not block UDP is required. Follow the setup instructions on the VPN Tunnel Setup Examples page; the riseup and usaip examples are functional for this purpose.
Afterwards test rdate again, first in TCP mode and then in UDP mode -- both should work correctly.
SSH Method
This method is currently undocumented. In theory, SSH servers could be utilized to tunnel UDP over Tor. Obstacles:
- Free SSH services are rarely available.
- The existing free SSH services block certain ports, which makes this even harder.
- Even though SSH can provide a SOCKS5 proxy, it is not capable of providing tunneling support for UDP itself.
- Extra software needs to be installed on both the client and (even worse) the server with root access. Most administrators of free SSH services will not allow this configuration.
- Acquiring a server comes with its own challenges.
- Easy: allow UDP in Whonix-Workstation ™ firewall.
Therefore this method is only useful if you have your own server, but even then the VPN method is usually preferable.
SOCKS5 Proxy Method
Attempts to tunnel UDP with this configuration have failed. See the Design Archive for full details: Tunneling UDP over Tor.
Footnotes / References
- [1] https://gitlab.torproject.org/legacy/trac/-/issues/7830
- [2] While enforcing SSL.
- [3] Alternatively the test can be run without enforcing SSL because some VPN services appear to block it: UWT_DEV_PASSTHROUGH=1 curl https://check.torproject.org