Tunnel UDP over Tor
Donate
Workaround for Tunneling UDP over Tor. Connection Scheme:
User → Tor → Destination
Introduction[edit]
The Tor software does not yet support UDP, [1] although Tor provides a DnsPort.
If UDP is urgently required in Whonix, a limited workaround is provided - see the VPN Method below.
On top of the workaround, it would be required to allow UDP in Whonix-Workstation™ firewall.
Tor Design[edit]
According to the Tor Project: [2]
Tor transports data over encrypted TLS tunnels between nodes, which is in turn carried by TCP.
The current Tor design does not support the transport of UDP-based protocols
through exit nodes in the network. [3] This is unlikely to be supported in the near future due to incompatibility with cryptographic protocols in use and those planned.
The consequence is that UDP-based protocols and applications cannot be used to transmit UDP datagrams between guards and exit nodes in the default configuration. This affects a number of activities, such as VoIP or video applications. [4]
Methods[edit]
Transporting UDP Tunnels over Tor with a VPN[edit]
A solution to this problem is to use a tunneling protocol. In simple terms, this allows a user to access a foreign protocol or network service that the underlying (Tor) network does not support or provide directly.
The tested and working method in Whonix is to utilize a Virtual Private Network (VPN) with a trusted provider that does not block UDP traffic in the following configuration: User → Tor → VPN → [Other Anonymizing Network] → Internet. Some VPN protocols like OpenVPN can use UDP while implementing reliable connections and error checking at the application level. [5]
Before following the instructions to tunnel UDP over Tor, please first read the related VPN documentation and warnings:
- Connecting to Tor before a VPN (
User→Tor→VPN→Internet). - Tor Plus VPN or Proxy.
- Tunneling comparison table.
- Whonix VPN disclaimer
The current Tor architecture may lead to a negative performance impact on user activities. This arises from high latency due to congestion in the network, queue length on nodes (mixing of traffic across multiple nodes), and TCP mechanisms which attempt to account for lost packets and hold delivery of future packets until a resend is complete. [6]
Warnings[edit]
Always remember that adding a second connection in the tunneling chain adds significant complexity. This potentially increases the security and anonymity risks due to:
- Misconfiguration.
- The increased attack surface of secure tunneling software.
- The difficulty in anonymously paying for VPN services - a money trail is potentially the weakest link probed by adversaries.
- Potential bottlenecks with VPN providers.
Depending on the final configuration this may also: increase fingerprinting risk, remove stream isolation of activities, and lead to a permanent destination (exit node) "X" in the Tor network.
Table: Tor Project VPN/SSH Warnings [7]
| Factor | Warning |
|---|---|
| Activity Profiling | If the VPN is the last part of the tunnel connection, the provider can build a profile of all activities which is dangerous for anonymity. |
| Anonymity Impact |
|
| Attack Surface and Data | Passive attacks by global adversaries might be more difficult, but this is counter-balanced by a larger attack surface and additional data generated by this configuration. On the other hand, this configuration provides better protection against colluding Tor nodes and hackers targeting Tor client code. |
| Tunnel Fragility | If/when the VPN connection breaks down, direct Tor connections are made without the VPN unless a fail closed mechanism has been configured; see VPN Firewall. [8] |
| VPN/SSH Honeypots | If the VPN/SSH server is adversary-controlled, Tor protection is weakened. [9] For example, a malicious VPN provider could maintain detailed traffic and session logs, along with meta-data. [10] This configuration is also reportedly susceptible to end-to-end timing attacks, since the times users were connected to anonymity services can be measured. [11] |
| Website Traffic Fingerprinting | VPN and SSH protocols are vulnerable to website traffic fingerprinting: [12]
In this UDP tunneling context, this means that a Tor exit relay could apply website traffic fingerprinting and determine which website is being visited, even though a VPN/SSH tunnel is in effect. [13] |
VPN Method[edit]
This tutorial uses OpenVPN and works well inside Whonix. Additional VPN implementations like PPTP might be useful -- as well as other VPN protocols which are free and support UDP -- but further research is required.
Before setting up the VPN:
- Refer to related VPN documentation: How to connect to Tor before a VPN (User → Tor → VPN → Internet).
- Familiarize yourself with
curlandrdate. Therdatecommand line switch-presults in just showing the date and time, without setting it.-uuses UDP instead of TCP (the default).
1. Test the Whonix setup is generally working. [14] [15]
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 https://check.torproject.org
This should output "Congratulations. Your browser is configured to use Tor."
2. Whonix-Workstation Firewall configuration
See allow UDP in Whonix-Workstation firewall.
3. Install rdate for UDP and TCP testing.
sudo apt update
sudo apt install rdate
4. Run commands for TCP testing.
rdate -p time.u.washington.edu
rdate -p time.nist.gov
rdate -p ptbtime1.ptb.de
5. Run commands for UDP testing.
rdate -u -p time.u.washington.edu
rdate -u -p time.nist.gov
rdate -u -p ptbtime1.ptb.de
The tests should reveal that without a VPN, TCP works over Tor, but not UDP.
6. Configure a VPN tunnel link in Whonix.
Obviously a VPN provider that does not block UDP is required. Most VPN providers allow UDP.
Follow the setup instructions on the VPN Tunnel Setup Examples page; the riseup and usaip examples are functional for this purpose.
Afterwards test rdate again, first in TCP mode and then in UDP mode -- both should work correctly.
SSH Method[edit]
This method is currently undocumented. In theory, SSH servers could be utilized to tunnel UDP over Tor. Obstacles:
- Free SSH services are rarely available.
- The existing free SSH services block certain ports, which makes this even harder.
- Even though SSH can provide a SOCKS5 proxy, it is not capable of providing tunneling support for UDP itself.
- Extra software needs to be installed on both the client and (even worse) the server with root access. Most administrators of free SSH services will not allow this configuration.
- Acquiring a server comes with its own challenges.
- Easy: allow UDP in Whonix-Workstation firewall.
Therefore this method is only useful if you have your own server, but even then the VPN method is usually preferable.
SOCKS5 Proxy Method[edit]
Attempts to tunnel UDP with this configuration have failed. See the Design Archive for full details: Tunneling UDP over Tor.
Whonix Recommendations[edit]
Whonix recommends the use of OpenVPN as the most secure (SSL/TLS-based) protocol, rather than reliance upon IKE, L2TP/IPsec or PPTP. OpenVPN is considered extremely secure when used with encryption algorithms such as AES. [16]
Wireguard was invented after this documentation was written. Whonix developer Patrick Schleizer experienced many issues with wireguard not re-establishing connection. There are many existing bug reports and discussions on reddit about this issue. Therefore wireguard remains undocumented. Also, Wireguard explicitly does not support tunneling over TCP. Quote:
TCP Mode
WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard's UDP packets into TCP is the job of an upper layer of obfuscation (see previous point), and can be accomplished by projects like udptunnel and udp2raw.Known limitations - Wireguard
A dedicated virtual machine is recommended for this activity; see Multiple Whonix-Workstation.
Footnotes / References[edit]
- ↑
https://gitlab.torproject.org/legacy/trac/-/issues/7830
- ↑ https://blog.torproject.org/moving-tor-datagram-transport
- ↑ The Tor ticket was closed as "wontfix" in 2017.
- ↑ https://en.wikipedia.org/wiki/User_Datagram_Protocol
- ↑ Other VPN implementations may also be useful, but they have not been researched yet.
- ↑ https://guardianproject.info/2012/12/10/voice-over-tor/
- ↑ https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN
- ↑ Without a fail closed mechanism, if the VPN "breaks down" (the connection is interrupted) then traffic is sent without the VPN. It is far safer to shut down the entire Internet connection in this event, until the VPN connection is restored.
- ↑ It is impossible to absolutely confirm whether a VPN service is a legitimate provider.
- ↑ https://www.comparitech.com/blog/vpn-privacy/access-dark-web-safely-vpn/
- ↑ https://web.archive.org/web/20171021025438/https://www.sunnyhoi.com/which-is-better-tor-over-vpn-or-vpn-over-tor/
- ↑ See: Touching from a Distance: Website Fingerprinting Attacks and Defenses
- ↑ This is a relatively minor threat overall. On the other hand, if a VPN/SSH tunnel is established without Tor, “website traffic fingerprinting” is a far more impressive feat.
- ↑ While enforcing SSL.
- ↑ Alternatively the test can be run without enforcing SSL because some VPN services appear to block it. UWT_DEV_PASSTHROUGH=1 curl https://check.torproject.org
- ↑
IKE is being exploited by advanced agencies to decrypt IPSec traffic. IPsec configured with pre-shared keys is vulnerable to MITM attacks. PPTP is an obsolete method for VPN implementation with a host of security weaknesses. For further reading on adversary capabilities against VPN protocols see: https://web.archive.org/web/20190324102418/https://www.spiegel.de/media/media-35515.pdf
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!