Connecting to SSH before Tor
Donate
Instructions on how to connect to SSH before Tor.
User → SSH → Tor → Internet
Introduction[edit]
Before combining Tor with other tunnels, be sure to read and understand the risks!
Connecting to SSH before Tor might enhance privacy and security in certain use cases. This setup is particularly useful for bypassing restrictive firewalls or for situations where Tor is blocked but SSH is allowed.
The SSH tunnel can be configured on the host operating system (OS) (outside any virtual machine (VM)) or inside Whonix-Gateway™.
Prerequisites[edit]
- SSH server: The user needs an already existing SSH server where the user is able to successfully login using
sshon the command line. - Prerequisite knowledge:
- How to setup a SSH server: Setting up an SSH server is currently out-of-scope for this wiki page. The process of setting up an SSH server is unspecific to Whonix. The SSH server can be set up as usual as if Whonix is not involved. Please use search engines first.
- How to bypass Tor: The clearnet User
- Platform specific:
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: It is required to know about how to apply Qubes Template Modifications.
Install SSH Client[edit]
Install package(s) openssh-client following these instructions
1 Platform specific notice.
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: In Template.
2 
Update the package lists and upgrade the system
.
sudo apt update && sudo apt full-upgrade
3 Install the openssh-client package(s).
Using apt command line --no-install-recommends option is in most cases optional.
sudo apt install --no-install-recommends openssh-client
4 Platform specific notice.
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.
5 Done.
The procedure of installing package(s) openssh-client is complete.
Make Clearnet home persistent[edit]
There is no persistent home for the clearnet user by default. Therefore make it persistent so SSH user data (keys, known_hosts file) can be saved there.
Follow instructions to make the clearnet home persistent.
This will most likely be simplified in a future Whonix version, where user clearnet will have a persistent home folder by default.
DNS Setup[edit]
There are two options for accessing the SSH server. Choose one.
By IP Address
Recommended. Connecting to your SSH server by IP address is easier. In this case, no DNS setup is required.
Most SSH servers have static IP addresses. Static here means that these do not change.
Do you already know the IP address of your SSH server?
- A) Yes, known: Great. No further action required.
- B) No, unknown: Resolve the SSH server domain name to IP address. This command can be run on any Linux system such as on your SSH server.
dig +short example.com
By Domain Name
Connecting to your SSH server by domain name is possible but a bit more difficult. DNS setup is required.
Allow user clearnet on Whonix-Gateway to use clearnet DNS.
1. DNS setup.
See Whonix-Gateway System DNS over Clearnet.
2. Test.
Check if the clearnet user can resolve DNS:
sudo -u clearnet curl.anondist-orig --tlsv1.3 --proto =https https://check.torproject.org/api/ip
Expected output:
Note: The following output would not contain YOUR_SSH_SERVER_PUBLIC_IP but the actual public IP address of your SSH server.
{"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"}
3. Done.
Whonix-Gateway System DNS over Clearnet setup is complete.
Configure Remote SSH Server[edit]
Note: Every key generation and installation must be made with the clearnet user.
1. Notice.
Be cautious: When using the clearnet user account on Whonix-Gateway, traffic will bypass Tor and use the standard internet, compromising anonymity! In the context of setting up User → SSH → Tor → Internet this is OK.
2. Start a shell as user clearnet.
sudo -u clearnet bash
3. SSH key setup.
Folder /home/clearnet/.ssh needs to be populated. In practice, this means that the following files (or similar) need to exist:
/home/clearnet/.ssh/id_ed25519/home/clearnet/.ssh/id_ed25519.pub/home/clearnet/.ssh/known_hosts
How to get these files? There are two options. Choose one.
- A) Use existing files: The user could copy these files over from an existing SSH client setup. Or,
- B) Create a new SSH keypair: See also Generate SSH keys and Install keys to the SSH server.
4. Test login to the SSH server:
Notes:
- User name: Replace
ssh-userwith the actual SSH user name. - IP: Replace
example.comwith the actual IP address or hostname of your server.
ssh.anondist-orig ssh-user@example.com
5. SSH server configuration.
- A) SSH default configuration: SSH daemon defaults to
AllowTcpForwarding yesin/etc/ssh/sshd_config. - B) User hardened SSH configuration: If the user has configured
AllowTcpForwarding noin/etc/ssh/sshd_config, then see footnote. [1]
6. Restart the ssh daemon service in case you have modified its settings in the item above:
sudo systemctl restart sshd
7. Exit the SSH session after the connection has succeeded:
exit
8. Exit from the clearnet user back to the user user:
exit
9. Done.
Test SSH Socks Proxy[edit]
1. Create a local SOCKS proxy.
Open a localhost SOCKS proxy listening on port 1080 connected to your SSH server.
Notes:
- User name: Replace
ssh-userwith the actual SSH user name. - IP: Replace
example.comwith the actual IP address or hostname of your server. - Port: Replace
22with the actual SSH server port. If you have not changed the SSH server port, it will be the default22and no port change will be required.
sudo -u clearnet ssh.anondist-orig -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22
Expected output: None.
2. Test.
Check if the clearnet user can use the SOCKS5 proxy created by the SSH connection.
Open another terminal tab.
sudo -u clearnet curl.anondist-orig --proxy socks5h://127.0.0.1:1080 --tlsv1.3 --proto =https https://check.torproject.org/api/ip
Expected output:
Note: The following output would not contain YOUR_SSH_SERVER_PUBLIC_IP but the actual public IP address of your SSH server.
{"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"}
3. Close SSH proxy.
Terminate the local SSH proxy created in step 1 by using the keyboard and entering CTRL + C or by closing the terminal tab. This is required because for automating the above command, the port must not be in use. To ensure the port is closed, the SSH client needs to be terminated.
4. Done.
The SSH SOCKS proxy test has been completed.
Configure Proxy Autostart[edit]
After all of the above tests have been completed successfully, you should configure the SSH connection to start on boot.
1. Apply the following changes to Whonix-Gateway™ or the host.
- Non-Qubes-Whonix: On Whonix-Gateway.
- Qubes-Whonix: On
sys-whonixApp Qube.
Open file /usr/lib/systemd/system/socks-before-tor.service in an editor with root rights.
Select your platform.
Non-Qubes-Whonix™
See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.
Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.
sudoedit /usr/lib/systemd/system/socks-before-tor.service
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /usr/lib/systemd/system/socks-before-tor.service
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /usr/lib/systemd/system/socks-before-tor.service
2. Add the following to the file:
Notes:
- User name: Replace
ssh-userwith the actual SSH user name. - IP: Replace
example.comwith the actual IP address or hostname of your server. - Port: Replace
22with the actual SSH server port. If you have not changed the SSH server port, it will be the default22and no change is required.
[Unit] Description=SOCKS5 Proxy for Tor OR connections After=network-online.target nss-lookup.target qubes-sysinit.service Before=tor.service ConditionPathExists=!/var/run/qubes/this-is-templatevm [Service] ExecStart=ssh.anondist-orig -vv -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22 Restart=on-failure RestartSec=5 User=clearnet Group=clearnet [Install] WantedBy=multi-user.target
3. Reload the systemd system daemon:
sudo systemctl daemon-reload
4. Enable the systemd system service socks-before-tor:
sudo systemctl enable socks-before-tor
5. Platform specific.
Non-Qubes-Whonix
1. Start the service socks-before-tor:
sudo systemctl restart socks-before-tor
2. Watch the journal of socks-before-tor service:
sudo journalctl -fu socks-before-tor
Qubes-Whonix
1. Shut down whonix-gateway-17 Template.
2. Restart sys-whonix App Qube.
3. Watch the journal of socks-before-tor service:
On sys-whonix App Qube.
sudo journalctl -fu socks-before-tor
Configure Tor[edit]
Tor needs to be configured to make use of the locally running SOCKS interface.
Use either Option 1 or Option 2.
Option 1: Use Anon Connection Wizard[edit]
A proxy can be configured easily using Anon Connection Wizard.
Step 1: Start Anon Connection Wizard[edit]
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Anon Connection Wizard
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → System → Anon Connection Wizard
If you are using a terminal emulator (such as for example xfce4-terminal) on Whonix-Gateway, type.
lxsudo anon-connection-wizard
If you are using a CLI Whonix-Gateway, see footnote. [2]
Step 2: Use Proxy Configuration Page[edit]
- Proxy type:
SOCKS5 - IP:
127.0.0.1 - Port:
1080
Select "Use proxy before connecting to the Tor network" on the Proxy Configuration page → Choose the proxy type → Fill out other necessary information
Tips:
1. Proxy Type
The proxy type is the protocol which is used to communicate with the proxy server. Since there are only three options, they can all be tried until one works.
2. Proxy IP/hostname
It is necessary to know the proxy IP for attempted connections. If the user is trying to connect to a local proxy, then 127.0.0.1 should be specified since it is the localhost.
3. Proxy Port number
It is necessary to know the port number for attempted connections. It should be a positive integer from 1 to 65535. If searching for the listening port number of a well-known censorship circumvention tool, it can be found online.
4. Username and Password
If the username and password are unknown, they should be left blank to see if the connection will succeed. In most cases they are not needed.
Option 2: Manually Configure Proxy[edit]
Manual Tor configuration is an alternative.
1. Open file /usr/local/etc/torrc.d/50_user.conf in a text editor of your choice, with administrative rights.
Platform specific. Select your platform.
Non-Qubes
If you are using a graphical Whonix-Gateway, take the following step.
Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf
Qubes-Whonix
If you are using Qubes-Whonix™, take the following step.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)
CLI
If you are using Whonix-Gateway with command line interface (CLI), take the following step. sudoedit /usr/local/etc/torrc.d/50_user.conf
2. Paste.
Note: Change IP:PORT as needed.
- A) If SSH tunnel was set up from Whonix-Gateway:
Socks5Proxy 127.0.0.1:1080
- B) If SSH tunnel was set up from host operating system:
Socks5Proxy IP:PORT
3. Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named 'sys-whonix') → Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → Reload Tor
If you are using a terminal-only Whonix-Gateway, click
HERE for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
4. Done.
Footnotes[edit]
- ↑
You can change it on a per-user basis. For example, to allow TCP forwarding only for user
ssh-user, append to the following file: Match User ssh-user AllowTcpForwarding yes - ↑
Anon Connection Wizard is a graphical user interface (GUI) application. It does not have command line interface (CLI) support yet.
It is therefore unavailable on Whonix-Gateway CLI. Use setup-distinstead; note that functionality is limited and does not support Bridges.
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!