Tunnel UDP over Tor

The Tor software does not yet support UDP, [1] although Tor provides a DnsPort.

If UDP is urgently required in Whonix ™, a limited workaround is provided - see the VPN Method below.

In addition to the workaround, UDP must be allowed in the Whonix-Workstation ™ firewall.

VPN Method

This tutorial uses OpenVPN and works well inside Whonix ™. Additional VPN implementations like PPTP might be useful -- as well as other VPN protocols which are free and support UDP -- but further research is required.

Before setting up the VPN:

1. Test that the Whonix ™ setup is generally working. [2] [3]

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 https://check.torproject.org

This should output "Congratulations. Your browser is configured to use Tor."

2. Whonix-Workstation Firewall configuration

See allow UDP in Whonix-Workstation ™ firewall.

3. Install rdate for UDP and TCP testing.

sudo apt update

sudo apt install rdate

4. Run commands for TCP testing.

rdate -p time.u.washington.edu

rdate -p time.nist.gov

rdate -p ptbtime1.ptb.de

5. Run commands for UDP testing.

rdate -u -p time.u.washington.edu

rdate -u -p time.nist.gov

rdate -u -p ptbtime1.ptb.de

The tests should reveal that without a VPN, TCP works over Tor, but not UDP.

6. Configure a VPN tunnel link in Whonix ™.

Obviously a VPN provider that does not block UDP is required. Follow the setup instructions on the VPN Tunnel Setup Examples page; the riseup and usaip examples are functional for this purpose.

Afterwards test rdate again, first in TCP mode and then in UDP mode -- both should work correctly.
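
The rdate checks from steps 4 and 5, and the re-test after the VPN is configured, can be scripted as follows. This is an added example, not part of the original wiki page; the 15-second limit, the function names and the reliance on rdate's exit status to signal a missing reply are assumptions.

```sh
#!/bin/sh
# Added example: repeat the rdate TCP and UDP tests from this page and
# summarise the result. Hosts are the ones used above; LIMIT is an assumption.
HOSTS="time.u.washington.edu time.nist.gov ptbtime1.ptb.de"
LIMIT=15

# probe MODE HOST: exit 0 if rdate printed a time, non-zero otherwise.
# coreutils "timeout" stops a UDP query that never receives an answer.
probe() {
    if [ "$1" = udp ]; then
        timeout "$LIMIT" rdate -u -p "$2" >/dev/null 2>&1
    else
        timeout "$LIMIT" rdate -p "$2" >/dev/null 2>&1
    fi
}

# count_ok MODE: print how many of the hosts answered in that mode.
count_ok() {
    ok=0
    for h in $HOSTS; do
        if probe "$1" "$h"; then ok=$((ok + 1)); fi
    done
    echo "$ok"
}

# verdict TCP_OK UDP_OK: map the two counts to one of four outcomes.
verdict() {
    case "$(( $1 > 0 ))$(( $2 > 0 ))" in
        10) echo "tcp-only" ;;     # expected without a VPN: Tor carries TCP, not UDP
        11) echo "tcp-and-udp" ;;  # expected once the VPN tunnel is working
        01) echo "udp-only" ;;     # unexpected: re-check the setup
        *)  echo "no-replies" ;;   # nothing answered: check step 1 first
    esac
}

run_check() {
    tcp=$(count_ok tcp)
    udp=$(count_ok udp)
    echo "TCP replies: $tcp, UDP replies: $udp -> $(verdict "$tcp" "$udp")"
}

# Only probe the network when called with the argument "run".
if [ "${1:-}" = run ]; then
    run_check
fi
```

Run it with the argument `run` once before configuring the VPN and once afterwards; the verdict should change from `tcp-only` to `tcp-and-udp`.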

SSH Method

This method is currently undocumented. In theory, SSH servers could be utilized to tunnel UDP over Tor. Obstacles:

Therefore this method is only useful if you have your own server, but even then the VPN method is usually preferable.

SOCKS5 Proxy Method

Attempts to tunnel UDP with this configuration have failed. See the Design Archive for full details: Tunneling UDP over Tor.

Footnotes / References

  1. https://gitlab.torproject.org/legacy/trac/-/issues/7830
  2. While enforcing SSL.
  3. Alternatively the test can be run without enforcing SSL because some VPN services appear to block it: UWT_DEV_PASSTHROUGH=1 curl https://check.torproject.org