
Tunnels/Connecting to Tor before a proxy



Connecting to Tor before a proxy

User -> Tor -> proxy -> Internet

Introduction

Proxy Warning

Generally

There are three different methods.

                                                       Proxy Settings Method      Proxifier Method           Transparent Proxying Method
application requires no support for proxy settings     No                         Yes                        Yes
likelihood of leaks [2] going user -> Tor -> Internet  depends [3]                depends [4]                lower [5]
DNS can be resolved by the same proxy                  Yes                        Yes                        needs extra DNS resolver [6]
per application configuration required                 Yes                        Yes                        No
system wide configuration                              No                         No                         Yes
proxy chains possible                                  No                         Yes, but see footnote [7]  No [8]
setup difficulty                                       different per application  always very similar        initial setup difficult

Proxy Settings Method

Introduction

You can use an application's native proxy settings to make it use an extra proxy inside Whonix. This of course presupposes that the application has proxy settings. Once you understand Whonix's default stream isolation configuration, this is no different from using proxy settings in the ordinary way, other than that the application runs inside Whonix-Workstation. The connection to the proxy itself leaves the workstation through Whonix-Gateway and is therefore torified: user -> Tor -> proxy -> Internet. Whether an application honors its proxy settings or bypasses them is a separate question and out of scope here; see TorifyHOWTO. There is a list of applications that come pre-configured with Whonix for Stream Isolation. If you plan on changing the proxy settings of any of those, you must read the notes below.

Tor Browser Notes

Due to a bug in Tor Browser [9], extra steps are required to use proxies with Tor Browser.

Configuring an extra proxy in Tor Browser breaks Stream Isolation for Tor Browser as well as Tor Browser's tab isolation by SOCKS user name, thereby worsening your web fingerprint: you become pseudonymous rather than anonymous. (To limit the risks, consider using More than one Tor Browser in Whonix or, better, Multiple Whonix-Workstations.)

Inside Whonix-Workstation:

1. Install the FoxyProxy add-on in Tor Browser.

2. Change the Tor Browser settings:

  • Double-click the "Default" proxy in FoxyProxy and enter the IP and port of the proxy. If you are configuring a SOCKS proxy, check the SOCKS option and specify the SOCKS version.
  • Set Mode: Use proxy "Default" for all URLs.

Misc Application Notes

On the Stream Isolation page, there is a list of applications that are pre-configured to use SOCKS proxy settings in their application configuration files. If you want to route one of them through the extra proxy instead, you must go into the application's settings and replace what Whonix has applied by default.

TODO: document, expand

For some applications this is impossible:

  • sdwdate
  • Ricochet IM

Those only talk to Tor Hidden Services directly. You cannot configure them to use the system default networking or another proxy. You can only deactivate sdwdate and/or not use Ricochet IM.

uwt wrapped application notes

Whonix ships a list of applications pre-configured to use uwt wrappers by default. If the application you want to tunnel through the extra tunnel-link is on that list, the wrapper conflicts with your custom proxy settings. In that case, you need to disable that uwt wrapper first.

On the Stream Isolation page, there is a list of applications that are pre-configured to use uwt wrappers. If you want to disable this:

To deactivate all uwt wrappers permanently, i.e. to deactivate stream isolation for all uwt wrapped applications and make them use the system default networking again, proceed as follows.

(If you want finer-grained control over uwt wrapper deactivation, see Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper instead.)

Open /etc/uwt.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/uwt.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/uwt.d/50_user.conf

And add.

uwtwrapper_global="0"

Save.


Proxifier Method

General

Once you understand Whonix's default stream isolation configuration, there is no difference from using a proxifier (socksifier) in the ordinary way, other than that it runs inside Whonix-Workstation. There is a list of applications that come pre-configured with Whonix for Stream Isolation. If you plan on changing the proxy settings of any of those, you must read the notes below.

Whether the proxifier is leak free, or in the worst case leaks only through Tor (thanks to Whonix), is another question and not in Whonix's power; see TorifyHOWTO.

Tor Browser Notes

Introduction
Applying this configuration results in Tor Browser no longer using any proxy settings, in other words: no proxy. Tor Browser then uses the (VM) system's default networking, just like any other application inside the workstation that is not explicitly configured through SOCKS proxy settings or a socksifier to use Tor. This is also called transparent torification. [10] It breaks Stream Isolation for Tor Browser as well as Tor Browser's tab isolation by SOCKS user name, thereby worsening your web fingerprint: you become pseudonymous rather than anonymous. (To limit the risks, consider using More than one Tor Browser in Whonix or, better, Multiple Whonix-Workstations.)

If you change these settings, it is expected that Tor Button shows a red sign and "Tor Disabled" when you hover over it with the mouse.

To set Tor Browser to no proxy, set the TOR_TRANSPROXY=1 environment variable. There are several ways to do so; the /etc/environment method is the simplest.

The other methods, with more fine-grained scope, follow.

Command Line Method
Change into your Tor Browser folder.

cd ~/tor-browser_en-US

Every time you start Tor Browser, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

start-tor-browser Method
This applies only to the one Tor Browser instance/folder that you configure. The change might not persist when Tor Browser is updated.

Open start-tor-browser in the Tor Browser folder in an editor, most likely ~/tor-browser_en-US/Browser/start-tor-browser, and add the following line directly below the #!/usr/bin/env bash line.

export TOR_TRANSPROXY=1

/etc/environment Method
This applies to the whole environment. I.e. any possible custom locations of Tor Browser installation folders.[11]

Open /etc/environment in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/environment

If you are using a terminal-only Whonix, run:

sudo nano /etc/environment

Add the following content.

TOR_TRANSPROXY=1

Save.

Reboot.

Undo
Undoing this setting is undocumented. Simply no longer setting the environment variable does not suffice, because of limitations of Tor Browser. The easiest way to undo these instructions is to start over with a fresh installation of Tor Browser. Please contribute undo instructions.

Forget about Tor Button's Open Network Settings
Do not use Tor Button -> Open Network Settings. See the footnote if you want to know why. [12]

Misc Application Notes

The notes under Proxy Settings Method -> Misc Application Notes above apply unchanged: applications pre-configured with SOCKS proxy settings must be reconfigured, and sdwdate and Ricochet IM cannot be redirected at all.

uwt wrapped application notes

The notes under Proxy Settings Method -> uwt wrapped application notes above apply unchanged: a uwt wrapper conflicts with the proxifier and must be disabled first, globally via uwtwrapper_global="0" in /etc/uwt.d/50_user.conf or per application as described on the Stream Isolation page.

uwt

Introduction

uwt uses torsocks. While the name torsocks implies it is Tor specific, it is not: you can point it at any SOCKS proxy with -i (IP) and -p (port). The examples below point at a Tor SocksPort on Whonix-Gateway; to tunnel through an extra proxy instead, replace the IP and port with those of your proxy. The connection to the proxy itself still leaves Whonix-Workstation through Whonix-Gateway, i.e. through Tor.

uwt wrapped application example

uwt -t 5 -i 10.152.152.10 -p 9153 /usr/bin/wget.anondist-orig -c https://check.torproject.org

regular application example

Requires a deactivated wget uwt wrapper!

uwt -t 5 -i 10.152.152.10 -p 9156 /usr/bin/wget -c https://check.torproject.org

[13] [14] [15]

Tor Browser Example

(Untested! Please leave feedback if it worked for you!)

First, you must remove Tor Browser's proxy settings before you can combine it with a proxifier.

Follow Proxifier Method -> Tor Browser Notes above to set the TOR_TRANSPROXY=1 environment variable; Tor Button showing "Tor Disabled" afterwards is expected.

Then try this command. (Untested! Please leave feedback if it worked for you!)

uwt -t 5 -i 10.152.152.10 -p 9153 ~/tor-browser_en-US/App/Firefox/firefox --profile ~/tor-browser_en-US/Data/profile

[19]

proxychains

Warnings

  • We do not know how well proxychains works. For example, torsocks has an IPv6 leak bug [20]. We do not know whether proxychains forces everything through the proxies. Whonix only ensures that, should there be leaks, they go through Tor.
  • There are at least three different versions of proxychains: the old, original, unmaintained version on sourceforge.net and two forks on github. We do not know the status of any of them and have not heard of anyone checking whether they really work as expected. The two fork authors argue with each other and we were not motivated to understand the conflict and determine which version is better. Either way, any leaks not going through the proxy (chain) will go through Tor.

Setup

Install proxychains.

sudo apt-get install proxychains

Open proxychains configuration file.

Open /etc/proxychains.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/proxychains.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/proxychains.conf

Go to the bottom of the configuration file, the [ProxyList] section. Comment out the Debian default "socks4 127.0.0.1 9050" (there is no Tor on localhost inside Whonix-Workstation; Tor runs on Whonix-Gateway) and add for example "socks5 10.152.152.10 9152" (a Tor stream isolation SocksPort on Whonix-Gateway) or "socks5 ip port" with the IP and port of your proxy.

[ProxyList]
## add proxy here ...
## meanwhile
## defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 10.152.152.10 9152
# socks5 x.x.x.x xxxx

[21]

Save the configuration file. Test afterwards.
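Before relying on the chain, it is worth linting the [ProxyList] once: a leftover Debian default entry pointing at 127.0.0.1:9050, where no Tor listens inside Whonix-Workstation, makes every proxychains connection fail, and a typo in a port silently drops a hop. The following script is an added example, not part of Whonix or proxychains. It parses the [ProxyList] section of a proxychains.conf, validates each hop's type, host and port, and rejects localhost entries. The configuration it writes is a constructed sample; 192.0.2.10:1080 is a placeholder for the extra proxy.

```shell
#!/bin/sh
## check_proxychains_conf.sh: lint the [ProxyList] of a proxychains.conf.
## Added example, not part of Whonix; the configuration written below is a
## constructed sample (192.0.2.10 is a placeholder proxy address).
## Real use: check_proxychains_conf /etc/proxychains.conf

## Print the active (uncommented) ProxyList entries as "type host port".
proxylist_entries() {   # conffile
    awk '/^\[ProxyList\]/ { in_list = 1; next }
         /^\[/ { in_list = 0 }
         in_list && $1 !~ /^#/ && NF >= 3 { print $1, $2, $3 }' "$1"
}

## Returns 0 when every entry is well-formed and none points at localhost.
## Inside Whonix-Workstation there is no Tor on 127.0.0.1:9050 (the Debian
## default); Tor's SocksPorts live on Whonix-Gateway, 10.152.152.10.
check_proxychains_conf() {   # conffile
    proxylist_entries "$1" | {
        rc=0; n=0
        while read -r type host port; do
            n=$((n + 1))
            case $type in
                socks4|socks5|http) ;;
                *) echo "FAIL: entry $n: unknown proxy type '$type'"; rc=1 ;;
            esac
            case $port in
                ''|*[!0-9]*) echo "FAIL: entry $n: port '$port' is not a number"; rc=1 ;;
                *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                       echo "FAIL: entry $n: port $port out of range"; rc=1
                   fi ;;
            esac
            case $host in
                127.*|localhost) echo "FAIL: entry $n: $host:$port is localhost, not Whonix-Gateway"; rc=1 ;;
            esac
            echo "hop $n: $type $host:$port"
        done
        [ "$n" -gt 0 ] || { echo "FAIL: ProxyList has no active entry"; rc=1; }
        exit $rc
    }
}

## Constructed proxychains.conf: the Debian default Tor entry commented out,
## then Tor's stream-isolated SocksPort on Whonix-Gateway followed by the
## extra proxy (the chain from footnote 21): user -> Tor -> proxy -> Internet.
write_sample_proxychains_conf() {   # file
    cat > "$1" <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
## defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 10.152.152.10 9152
socks5 192.0.2.10 1080
EOF
}

## Demo on the constructed sample.
tmp=$(mktemp -d)
write_sample_proxychains_conf "$tmp/proxychains.conf"
check_proxychains_conf "$tmp/proxychains.conf" && echo "OK: ProxyList is usable from Whonix-Workstation"
rm -rf "$tmp"
```

With strict_chain, proxychains connects to the hops in the listed order, so the Tor SocksPort on the gateway must be the first entry and the extra proxy the second; the script prints the hops in that order so the route can be read off before any connection is made.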

example uwt wrapped application

proxychains /usr/bin/wget.anondist-orig https://check.torproject.org

[22]

example regular application

Requires a deactivated wget uwt wrapper!

proxychains /usr/bin/wget https://check.torproject.org

Tor Browser example

The combination of proxychains and Tor Browser does not currently work. Someone needs to contribute by figuring this out; otherwise this will not be possible for a very long time. See the forum discussion.

First, you must remove Tor Browser's proxy settings before you can combine it with a proxifier.

Follow Proxifier Method -> Tor Browser Notes above to set the TOR_TRANSPROXY=1 environment variable; Tor Button showing "Tor Disabled" afterwards is expected.

Then try this command.

proxychains ~/tor-browser_en-US/start-tor-browser

Might be also interesting:


Transparent Proxying Method

Introduction

Advanced users only!

To make clear what this is about: Whonix-Gateway already serves as a transparent proxy [26], which means that all applications not explicitly configured [27] to use a SocksPort connect through Tor without any settings. This section is about configuring Whonix-Workstation to additionally act as a transparent proxy [28]. Use case: a user wants to ensure all traffic goes through Tor (by using Whonix-Gateway) and additionally wants to ensure that all traffic goes through a proxy of their choice after the Tor link, i.e. user -> Tor -> proxy -> Internet.

[29]

Always keep in mind which kind of data and which kind of proxy you are using. There are CGI proxies, http(s) proxies and socks4/4a/5 proxies.

If you redirect at the network layer with iptables, the receiving side needs a TransPort, i.e. it must accept redirected TCP connections and recover their original destination from the kernel. Very few programs offer one; Tor does. In most other cases you need a translator in between.

Because of the nature of transparent proxying, we redirect with iptables and end up with a "Trans data stream". Since most proxies speak either HTTP or SOCKS, this stream has to be translated. Below we discuss a few tools that help here; not all are required, depending on what you want to do.

Required reading:

Tools

Tor is a SOCKS proxy and also has a TransPort. Tor cannot be used directly as an HTTP proxy. Also keep in mind that Tor does not transport UDP, although it offers a DnsPort.

redsocks accepts "Trans data streams" (iptables REDIRECT) and forwards them to an HTTP proxy that supports the CONNECT method (redsocks type http-connect), or to a socks4 or socks5 proxy. With a plain HTTP proxy without the CONNECT method (http-relay; see the proxy article) only http:// sites are reachable, no https:// sites. redsocks also has a dnstc module that answers UDP DNS queries with the truncated flag set, so that resolvers retry the query over TCP.

DNS resolution

The complication (and also the advantage) of transparent proxying is that the internet application (browser, etc.) is not aware of the proxy. Therefore the application attempts to do the DNS resolution itself using the system resolver, not the proxy, so the DNS requests have to be handled as well. Since Tor does not transport UDP, DNS queries must be sent over TCP.

When the proxy is used transparently, DNS cannot be resolved by the proxy itself: the application resolves the name before connecting, and redsocks only ever sees the resulting IP address. You need an extra DNS server that answers over TCP.

You have several options to resolve DNS.

Either leave the setup as it is: Tor's DnsPort, and therefore the Tor exit relays, still do the DNS requests (see DNS rule #1 in the firewall script below). This is probably not what you want, since you wanted to cloak your identity with an additional proxy after Tor.

Alternatively, you can use a public DNS resolver. The instructions for Secondary DNS Resolver#DNSCrypt by OpenDNS should work out of the box (tested). (See DNS rule #2.)

All DNS resolvers [30] should work, as long as they support TCP and you are querying a TCP enabled DNS server. [31] [32] [33] [34]

Read the DNS related warnings.

Prevent Bypassing the Tunnel-Link

Introduction
In essence, you prevent bypassing the tunnel-link by disabling stream isolation.

By Whonix default, a lot of pre-installed applications are configured for Stream Isolation. These applications are configured to use Tor SocksPorts instead of Tor's TransPort.

Applications configured to use a Tor SocksPort will not be tunneled through the tunnel-link. They will be tunneled "only" through Tor, because the following configuration does not touch connections to 10.152.152.10, which is Whonix-Gateway. For example, if you wish to tunnel Tor Browser along the route User -> Tor -> tunnel-link -> Internet, you have to remove all proxy settings from Tor Browser, see below.

deactivate uwt wrappers

Follow Proxy Settings Method -> uwt wrapped application notes above (uwtwrapper_global="0" in /etc/uwt.d/50_user.conf).


Tor Browser Remove Proxy Settings

Follow Proxifier Method -> Tor Browser Notes above to set the TOR_TRANSPROXY=1 environment variable; Tor Button showing "Tor Disabled" afterwards is expected.


Deactivate Misc Proxy Settings

See Proxy Settings Method -> Misc Application Notes above.

How to setup proxy tunnel-link after Tor (User->Tor->Proxy->Internet)

Unfinished!
Advanced users only!

Everything below is done on Whonix-Workstation.

Get a working proxy and test (with any of the above methods) that it works reliably before making it the system-wide path.

Install redsocks.

sudo apt-get install redsocks

Enable redsocks autostart.

Open /etc/default/redsocks in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/default/redsocks

If you are using a terminal-only Whonix, run:

sudo nano /etc/default/redsocks

Look for.

START=no

And replace it with.

START=yes

Configure redsocks by editing /etc/redsocks.conf to your needs.

Open /etc/redsocks.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/redsocks.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/redsocks.conf

Under

redsocks {

edit the upstream proxy settings

        ip = 127.0.0.1;
        port = 1080;
        type = socks5;

to the IP, port and type (socks4, socks5, http-connect or http-relay) of your proxy. Every setting ends with a semicolon. Leave local_ip = 127.0.0.1 and local_port = 12345 in that section as they are; the firewall rules below redirect to that port.

Start redsocks.

sudo service redsocks start

Create a file fw.bsh.

And use the following firewall rules.

#!/bin/bash
## These iptables rules redirect the TCP traffic of all users,
## including root, with the exception of the user redsocks,
## through the proxy configured in /etc/redsocks.conf.

## TODO: these iptables rules need review.
## TODO: use iptables default policy drop.

## Choose either DNS rule #1 or DNS rule #2.

## For debugging/testing watch the log in a console:
## tail -f /var/log/syslog

## Flush old rules.
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

## Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT --dst 127.0.0.1 -j ACCEPT

## Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## Do not redirect loopback traffic to redsocks; local services
## (such as a DNS resolver on 127.0.0.1) would otherwise be unreachable.
iptables -t nat -A OUTPUT -o lo -j RETURN

## Connections to Tor's SocksPorts on Whonix-Gateway (stream isolated
## applications) are not redirected; they go through Tor only, as described
## under Prevent Bypassing the Tunnel-Link. Without these two rules the
## REDIRECT below would catch them too, and the filter chain would reject them.
iptables -t nat -A OUTPUT --dst 10.152.152.10 -j RETURN
iptables -A OUTPUT --dst 10.152.152.10 -p tcp -j ACCEPT

## DNS rule #1.
## Allow DNS directly through Whonix-Gateway (resolved by the Tor exit, not the proxy).
#iptables -A OUTPUT --dst 10.152.152.10 -p udp --dport 53 -j ACCEPT

## DNS rule #2.
## For DNSCrypt set /etc/resolv.conf to
## nameserver 127.0.0.1
##
## sudo dnscrypt-proxy --tcp-only --user=user
##
## DNSCrypt listening on port 53. Its TCP connections to the upstream
## resolver are made by user "user" and are therefore redirected through the proxy.
iptables -t nat -A OUTPUT --dst 127.0.0.1 -p udp --dport 53 -j ACCEPT
iptables -t nat -A OUTPUT --dst 127.0.0.1 -p tcp --dport 53 -j ACCEPT

## redsocks must be allowed to establish direct connections (to the proxy,
## through Whonix-Gateway). These rules must come before the REDIRECT.
iptables -A OUTPUT -m owner --uid-owner redsocks -j ACCEPT
iptables -t nat -A OUTPUT -m owner --uid-owner redsocks -j ACCEPT

## Redirect remaining TCP traffic to redsocks (local_port in /etc/redsocks.conf).
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345

## TODO: UDP rule untested. 10053 is the port of redsocks' dnstc module,
## which answers with the truncated flag so that resolvers retry over TCP.
#iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-port 10053

## Log blocked traffic for debugging.
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables: "

## Reject all other traffic.
iptables -A OUTPUT -j REJECT

Make the firewall script executable.

sudo chmod +x fw.bsh

Apply the firewall rules (from the directory containing the script).

sudo ./fw.bsh

The rules are not persistent: they are gone after a reboot unless you run the script again (or save them, for example with iptables-persistent). Test before relying on them: with the rules loaded, an application that is not stream isolated should show the proxy's IP address (for example on check.torproject.org), and blocked attempts appear in /var/log/syslog with the "iptables: " prefix.
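Since the script above is marked as needing review, a check that the loaded rules actually have the properties the setup relies on is useful after every change, and it catches the two mistakes that are easiest to make: a REDIRECT port that no longer matches redsocks' local_port, and an owner exemption placed after the REDIRECT so that redsocks' own upstream connections are looped back into redsocks. The following script is an added example, not part of Whonix or redsocks. It reads an iptables-save dump and a redsocks.conf and verifies the REDIRECT target, the rule order, that the filter OUTPUT chain ends fail-closed, and that no other ACCEPT lets new outbound traffic bypass redsocks. The dump and redsocks.conf it writes are constructed samples; 192.0.2.10 is a placeholder proxy address and 108 a placeholder uid for the redsocks user.

```shell
#!/bin/sh
## check_transproxy.sh: consistency checks for the redsocks transparent-proxy
## rule set. Added example, not part of Whonix. The iptables-save dump and the
## redsocks.conf written below are constructed samples (192.0.2.10: placeholder
## proxy; 108: placeholder uid). Real use:
##   sudo iptables-save > /tmp/rules; check_transproxy /tmp/rules /etc/redsocks.conf

## Rules of one chain of one table, in order, from an iptables-save dump.
chain_rules() {   # table chain dumpfile
    awk -v tbl="*$1" -v ch="$2" '
        $0 == tbl { in_tbl = 1; next }
        in_tbl && /^COMMIT/ { in_tbl = 0 }
        in_tbl && $1 == "-A" && $2 == ch { print }' "$3"
}

## Port redsocks listens on: "local_port = N;" inside the redsocks { } section
## (dnstc has its own local_port, so the section matters).
redsocks_local_port() {   # conffile
    awk '/^redsocks[[:space:]]*[{]/ { inblk = 1 }
         inblk && /^[}]/ { inblk = 0 }
         inblk && $1 == "local_port" { gsub(/[^0-9]/, "", $3); print $3; exit }' "$1"
}

## 0 when the dump has the properties fw.bsh relies on, 1 otherwise.
check_transproxy() {   # dumpfile conffile
    rc=0
    nat=$(chain_rules nat OUTPUT "$1")
    filter=$(chain_rules filter OUTPUT "$1")
    want=$(redsocks_local_port "$2")
    ## 1. The REDIRECT must point at the port redsocks actually listens on.
    got=$(printf '%s\n' "$nat" | sed -n 's/.*-j REDIRECT --to-ports \([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$got" ] || { echo "FAIL: no REDIRECT rule in nat OUTPUT"; rc=1; }
    [ -z "$got" ] || [ "$got" = "$want" ] || { echo "FAIL: REDIRECT to $got,  redsocks local_port is $want"; rc=1; }
    ## 2. Owner exemption before the REDIRECT, or redsocks' own upstream
    ##    connections are looped back into redsocks.
    owner=$(printf '%s\n' "$nat" | grep -n -- '--uid-owner' | head -n 1 | cut -d: -f1)
    redir=$(printf '%s\n' "$nat" | grep -n -- '-j REDIRECT' | head -n 1 | cut -d: -f1)
    [ -n "$owner" ] || { echo "FAIL: no owner exemption for redsocks in nat OUTPUT"; rc=1; }
    if [ -n "$owner" ] && [ -n "$redir" ] && [ "$owner" -gt "$redir" ]; then
        echo "FAIL: redsocks owner exemption comes after the REDIRECT"; rc=1
    fi
    ## 3. filter OUTPUT must be fail-closed: its last rule rejects or drops.
    case "$(printf '%s\n' "$filter" | tail -n 1)" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) echo "FAIL: filter OUTPUT does not end in REJECT/DROP"; rc=1 ;;
    esac
    ## 4. Any other ACCEPT of new outbound traffic (not loopback, established,
    ##    owner-restricted or to Whonix-Gateway) bypasses redsocks and the REJECT.
    printf '%s\n' "$filter" | grep -- '-j ACCEPT' | while IFS= read -r r; do
        case $r in
            *"-o lo"*|*"-d 127."*|*"--state"*|*"--ctstate"*|*"--uid-owner"*|*"-d 10.152.152.10"*) ;;
            *) echo "FAIL: unproxied ACCEPT in filter OUTPUT: $r"; exit 1 ;;
        esac
    done || rc=1
    return $rc
}

## Constructed dump as fw.bsh (with DNS rule #2) would produce it; iptables-save
## may print the uid number instead of "redsocks", so only --uid-owner is matched.
write_sample_dump() {   # file
    cat > "$1" <<'EOF'
*nat
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner 108 -j ACCEPT
-A OUTPUT -p tcp -j REDIRECT --to-ports 12345
COMMIT
*filter
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.152.152.10/32 -p tcp -j ACCEPT
-A OUTPUT -m owner --uid-owner 108 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "iptables: " --log-level 4
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

## Constructed redsocks.conf fragment: the redsocks and dnstc sections.
write_sample_conf() {   # file
    cat > "$1" <<'EOF'
redsocks {
    local_ip = 127.0.0.1;
    local_port = 12345;
    ip = 192.0.2.10;
    port = 1080;
    type = socks5;
}
dnstc {
    local_ip = 127.0.0.1;
    local_port = 10053;
}
EOF
}

## Demo on the constructed samples.
tmp=$(mktemp -d)
write_sample_dump "$tmp/rules"; write_sample_conf "$tmp/redsocks.conf"
check_transproxy "$tmp/rules" "$tmp/redsocks.conf" && echo "OK: rules and redsocks.conf are consistent"
rm -rf "$tmp"
```

The checks are deliberately structural: they read the rule set as loaded rather than the script, so a rule that was rejected by iptables or added later by hand is caught as well. Check 4 whitelists ACCEPTs to 10.152.152.10 because stream-isolated applications are meant to reach the gateway's SocksPorts directly; if you do not want that exception, remove the pattern and the check will flag the gateway rule.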


Footnotes

  1. Such as the Tor, JonDonym or I2P software.
  2. TCP or DNS
  3. Depends if the application has any proxy bypass bugs.
  4. Depends on how bug free the socksifier is.
  5. Because redirection happens at the iptables level, not at the application level.
  6. See #DNS_resolution.
  7. Questionable if that adds anything. See: Aren't 10 proxies (proxychains) better than Tor with only 3 hops? - proxychains vs Tor
  8. Would require adding such a feature to redsocks.
  9. Circuit isolation by SOCKS proxy may be breaking other proxies or non-proxies
  10. That term was coined in context of a Tor Transparent Proxy. A simple gateway that routes all connections through Tor and does not provide Stream Isolation.
  11. Unless you manually unset this environment variable before starting Tor Browser.
  12. When using the regular Tor Browser Bundle from The Tor Project without Whonix, that menu can be used to change network settings inside Tor. It has the same effect as editing Tor's config file torrc.

    Using this graphical user interface is not possible in Whonix, because for security reasons there is only limited access to Tor's control port in Whonix (see Dev/CPFP for more information). You can change such settings manually in /etc/tor/torrc on Whonix-Gateway (see also VPN/Tunnel support for more information).

    We set the environment variable TOR_NO_DISPLAY_NETWORK_SETTINGS=1 to disable the "TorButton" -> "Open Network Settings..." menu item. It is not useful, and confusing to have on a workstation, because Tor must be configured on the gateway, which for security reasons cannot be done from the workstation.
  13. Using .anondist-orig, i.e. /usr/bin/wget.anondist-orig, circumvents the wget uwt wrapper.
  14. For testing, you could compare the IP shown by the above command with the one shown by the next command, which uses the original non-uwt-wrapped wget and therefore Tor's TransPort: wget.anondist-orig https://check.torproject.org
    If you did not disable the wget uwt wrapper, the two will most likely differ, because the wrapped wget is still using Stream Isolation.
  15. For further explanation only: if you disabled wget's uwt wrapper, the plain command wget https://check.torproject.org uses Tor's TransPort.
  19. Might be also interesting: Advanced Security Guide#More than one Tor Browser in Whonix
  20. https://trac.torproject.org/projects/tor/wiki/doc/torsocks#WorkaroundforIPv6leakbug
  21. Advanced. Recommendation: Why not use Tor stream isolation for the proxychains connection?
    [ProxyList]
    ## add proxy here ...
    ## meanwhile
    ## defaults set to "tor"
    #socks4 127.0.0.1 9050
    socks5 10.152.152.10 9152
    socks5 x.x.x.x xxxx
    
  22. For testing, you could compare the IP shown by the above command with the one shown by the next command, which uses the original non-uwt-wrapped wget and therefore Tor's TransPort: wget.anondist-orig https://check.torproject.org. If you did not disable the wget uwt wrapper, the two will most likely differ, because the wrapped wget is still using Stream Isolation.
  26. anonymizing middlebox
  27. by uwt socksifier or proxy settings
  28. local redirection
  29. torproject.org wiki version 129 contains an old example using privoxy, JonDo and httpsdnsd. The new example uses redsocks and is simpler.
  30. https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
  31. You can't simply add another public DNS resolver (i.e. OpenDNS or Google) to /etc/resolv.conf in Whonix-Workstation (i.e. Tor -> public DNS resolver), it would have no effect, as explained under Whonix-Workstation is firewalled.
  32. Also Secondary DNS Resolver#httpsdnsd by JonDos might work, but you'd need to make some changes (use httpsdnsd as a system wide, Whonix-Workstation wide, DNS resolver, not just for a specific user account).
  33. DNSCrypt and httpsdnsd add the advantage, that neither the proxy nor the Tor exit relay can sniff or manipulate your DNS requests, since they are encrypted and authenticated.
  34. Or perhaps also ttdnsd with Google could work.

Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.