Connecting to Tor before a Proxy using Proxyfier Method

From Whonix
Jump to navigation Jump to search

There are 3 different ways to configure an additional proxy.

UserTorProxyInternet

Before combining Tor with other tunnels, be sure to read and understand the risks!

See also proxy warning!

Configure Applications to use Proxyfier Method[edit]

After understanding Whonix default stream isolation configuration, there is no difference from using a proxyfier in an ordinary way, other than that it is running inside Whonix-Workstation. There is a list of applications that come pre-configured with Whonix for Stream Isolation. If you plan on changing the proxy settings of any of those, you must read the notes below.

If the proxifier is leak free or in worst case leaks through Tor alone (thanks to Whonix), is another question and not in Whonix power, see TorifyHOWTOarchive.org.


  • Apply the instructions Prevent Bypassing the Tunnel-Link to avoid unexpected results such as broken connectivity and/or traffic bypassing the tunnel-link and traffic only going through Tor.
    • Qubes-Whonix exception: There is one tunnel configuration where Qubes-Whonix users are better placed. When a separate tunnel-link VM is used between anon-whonix and sys-whonix (anon-whonixTunnel-linksys-whonix), these connections will fail without the following modifications.

Important Application Specific Notes[edit]

Tor Browser Notes[edit]

info Why is this difficult?

This is difficult and may not work for you.

To learn why this is difficult, please press on Expand on the right.

Tor Browser, which is developed by upstream, The Tor Project (TPO), an independent entity has hard configured to use Tor as a proxy.

  • Upstream does not support user using Tor Browser with an additional extra proxy at the end of the chain, i.e.: userTorproxydestination
  • Upstream does also not support using Tor Browser with a proxy other than Tor, i.e.: usercustom proxydestination. This may or may not currently be possible but upstream does not provide documentation on how to do this.
  • Upstream does also not support using Tor Browser with a VPN instead of Tor, i.e. userVPNdestination.
  • Upstream does also not support using Tor Browser with a VPN in addition before Tor, i.e. userTorVPNdestination.

That makes sense from TPO's perspective as a project that maintains a browser that should always connect using the Tor network. Due to that perspective, proxy settings have been removed from Tor Browser to avoid user confusion and accidental misconfiguration. Little attention is spend on custom proxy settings. That, from TPO's perspective is assumed to only make sense for users using a Tor transparent proxy and that are already running Tor on a different computer in their LAN. Only a minority of users is using such configurations.

Because of this organisational and technical background, the highly specialized use case of configuring Tor Browser running inside Whonix-Workstation to use an additional proxy (user -> Tor -> proxy -> destination) is difficult to accomplish.

To learn more about this organisational and technical background see also Kicksecure logo Linux User Experience versus Commercial Operating Systems Onion Version

Info COMMUNITY SUPPORT ONLY : THIS wiki CHAPTER only is only supported by the community. Whonix developers are very unlikely to provide free support for this content. See Community Support for further information, including implications and possible alternatives.

Undocumented. Documentation is incomplete. There is currently no tested, known to work solution for using Tor Browser with the Proxyfier Method.

This issue is unspecific to Whonix. This is not a Whonix issue but rather an issue with proxyfier / socksifier software and Tor Browser. This would also happen if Whonix was not involved. (For a basic architectural explanation, see Self Support First Policy.)

Researching this is up to you. Please contribute. Without contributions, this situation should be expected to remain the same forever.

Alternatively consider other methods which however might also have issue and might also be difficult. See the mini navigation at the very top of this wiki page.

1. Check applicability of these instructions.

Does the user need to follow these instructions? Only if the user intents to use Tor Browser with an extra tunnel-link. For example, if the user only intents to use a different application such as curl with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see the other wiki chapters on this page.

2. Remove default proxy settings by Tor Browser.

For information on how to remove Tor Browser default proxy settings, please press Expand on the right.

Introduction

This configuration results in Tor Browser no longer using proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside Whonix-Workstation that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [1] [2]

info Why is this difficult?

This is difficult and may not work for you.

To learn why this is difficult, please press on Expand on the right.

Tor Browser, which is developed by upstream, The Tor Project (TPO), an independent entity has hard configured to use Tor as a proxy.

  • Upstream does not support user using Tor Browser with an additional extra proxy at the end of the chain, i.e.: userTorproxydestination
  • Upstream does also not support using Tor Browser with a proxy other than Tor, i.e.: usercustom proxydestination. This may or may not currently be possible but upstream does not provide documentation on how to do this.
  • Upstream does also not support using Tor Browser with a VPN instead of Tor, i.e. userVPNdestination.
  • Upstream does also not support using Tor Browser with a VPN in addition before Tor, i.e. userTorVPNdestination.

That makes sense from TPO's perspective as a project that maintains a browser that should always connect using the Tor network. Due to that perspective, proxy settings have been removed from Tor Browser to avoid user confusion and accidental misconfiguration. Little attention is spend on custom proxy settings. That, from TPO's perspective is assumed to only make sense for users using a Tor transparent proxy and that are already running Tor on a different computer in their LAN. Only a minority of users is using such configurations.

Because of this organisational and technical background, the highly specialized use case of configuring Tor Browser running inside Whonix-Workstation to use an additional proxy (user -> Tor -> proxy -> destination) is difficult to accomplish.

To learn more about this organisational and technical background see also Kicksecure logo Linux User Experience versus Commercial Operating Systems Onion Version

Info COMMUNITY SUPPORT ONLY : THIS wiki CHAPTER only is only supported by the community. Whonix developers are very unlikely to provide free support for this content. See Community Support for further information, including implications and possible alternatives.

Note: This action will break both Stream Isolation for Tor Browser and Tor Browser's SOCKS username for a request based on first party domainarchive.org feature. This worsens the web fingerprint and leads to pseudonymous (not anonymous) connections. To mitigate these risks, consider using More than one Tor Browser in Whonix, or preferably Multiple Whonix-Workstation.

Local socks proxy Method

This method works for removal of proxy settings but is rather lengthy and complicated. In case the user wants to have a look anyhow, please press on Expand on the right.

Since other methods to configure Tor Browser to use system default networking are broken due to Tor Browser changes by upstream, this new local socks proxy method stops anon-ws-disable-stacked-tor local port 9150 redirection to Whonix-Gateway 9150 (where a Tor SocksPort is listening). As a replacement, a local socks proxy listens on Whonix-Workstation local port 9150 which then forwards the traffic using system default networking. In result, if the user is using a VPN inside Whonix-Workstation or in a VPN-Gateway wretched between Whonix-Gateway and Whonix-Workstation, Tor Browser would use the VPN.

In this documentation, Dante is used as a local socks proxy. Development notes are kept on Dev/Dante.

1. Legacy notices.

  • New users, that did not apply instructions from this page again: No special notice.
  • Existing users: See below.

A few settings need to be undone.

  • A) Previous changes to /etc/environment as documented previously for other methods need to be undone.
  • B) Tor Browser needs to be re-installed. This is because undoing the previous configuration is difficult and undocumented.

2. Stop default anon-ws-disable-stacked-tor service for port 9150.

  • Non-Qubes-Whonix: In Whonix-Workstation.
  • Qubes-Whonix: In whonix-workstation-17 Template.

sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl stop anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

3. Prevent default anon-ws-disable-stacked-tor systemd unit from starting.

  • Non-Qubes-Whonix: In Whonix-Workstation.
  • Qubes-Whonix: In whonix-workstation-17 Template.

sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen_port_9150.service sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.socket sudo systemctl mask anon-ws-disable-stacked-tor_autogen__run_anon-ws-disable-stacked-tor_127.0.0.1_9150.sock.service

4. Install the local socks proxy server.

  • Non-Qubes-Whonix: In Whonix-Workstation.
  • Qubes-Whonix: In whonix-workstation-17 Template.

A) Add Debian source repository.

Open file /etc/apt/sources.list.d/debian-src.list in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/apt/sources.list.d/debian-src.list

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/apt/sources.list.d/debian-src.list

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian-src.list

Paste.

deb-src https://deb.debian.org/debian bookworm main contrib non-free

Save and exit.

sudo apt update

B) Install build dependencies.

sudo apt build-dep dante-server

C) Get dante source code.

apt-get source dante-server

D) Open the dante accesscheck.c source file.

mousepad ~/dante-1.4.2+dfsg/sockd/accesscheck.c

Paste the contents. Here we rewrite the authentication method to always return true. For the reasons see Dev/Dante.

/* * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006, 2008, * 2009, 2010, 2011, 2012, 2013 * Inferno Nettverk A/S, Norway. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. The above copyright notice, this list of conditions and the following * disclaimer must appear in all copies of the software, derivative works * or modified versions, and any portions thereof, aswell as in all * supporting documentation. * 2. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by * Inferno Nettverk A/S, Norway. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * Inferno Nettverk A/S requests users of this software to return to * * Software Distribution Coordinator or sdc@inet.no * Inferno Nettverk A/S * Oslo Research Park * Gaustadalléen 21 * NO-0349 Oslo * Norway * * any improvements or extensions that they make and grant Inferno Nettverk A/S * the rights to redistribute these changes. * */ #include "common.h" static const char rcsid[] = "$Id: accesscheck.c,v 1.89 2013/10/27 15:24:42 karls Exp $"; int usermatch(auth, userlist) const authmethod_t *auth; const linkedname_t *userlist; { /* const char *function = "usermatch()"; */ const char *name; if ((name = authname(auth)) == NULL) return 0; /* no username, no match. */ do if (strcmp(name, userlist->name) == 0) break; while ((userlist = userlist->next) != NULL); if (userlist == NULL) return 0; /* no match. */ return 1; } int groupmatch(auth, grouplist) const authmethod_t *auth; const linkedname_t *grouplist; { const char *function = "groupmatch()"; const char *username; struct passwd *pw; struct group *groupent; SASSERTX(grouplist != NULL); if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ /* * First check the primary group of the user against grouplist. * If the groupname given there matches, we don't need to go through * all users in the list of group. */ if ((pw = getpwnam(username)) != NULL && (groupent = getgrgid(pw->pw_gid)) != NULL) { const linkedname_t *listent = grouplist; do if (strcmp(groupent->gr_name, listent->name) == 0) return 1; while ((listent = listent->next) != NULL); } else { if (pw == NULL) slog(LOG_DEBUG, "%s: unknown username \"%s\"", function, username); else if (groupent == NULL) slog(LOG_DEBUG, "%s: unknown primary groupid %ld", function, (long)pw->pw_gid); } /* * Go through grouplist, matching username against each groupmember of * all the groups in grouplist. */ do { char **groupname; if ((groupent = getgrnam(grouplist->name)) == NULL) { swarn("%s: unknown groupname \"%s\"", function, grouplist->name); continue; } groupname = groupent->gr_mem; while (*groupname != NULL) { if (strcmp(username, *groupname) == 0) return 1; /* match. */ ++groupname; } } while ((grouplist = grouplist->next) != NULL); return 0; } #if HAVE_LDAP int ldapgroupmatch(auth, rule) const authmethod_t *auth; const rule_t *rule; { const char *function = "ldapgroupmatch()"; const linkedname_t *grouplist; const char *username; char *userdomain, *groupdomain; int retval; if ((username = authname(auth)) == NULL) return 0; /* no username, no match. */ #if !HAVE_GSSAPI if (!rule->state.ldap.ldapurl) SERRX(rule->state.ldap.ldapurl != NULL); #endif /* !HAVE_GSSAPI */ if ((userdomain = strchr(username, '@')) != NULL) ++userdomain; if (userdomain == NULL && *rule->state.ldap.domain == NUL && rule->state.ldap.ldapurl == NULL) { slog(LOG_DEBUG, "%s: cannot check ldap group membership for user %s: " "user has no domain postfix and no ldap url is defined", function, username); return 0; } if ((retval = ldap_user_is_cached(username)) >= 0) return retval; /* go through grouplist, matching username against members of each group. */ grouplist = rule->ldapgroup; do { char groupname[MAXNAMELEN]; slog(LOG_DEBUG, "%s: checking if user %s is member of ldap group %s", function, username, grouplist->name); STRCPY_ASSERTLEN(groupname, grouplist->name); if ((groupdomain = strchr(groupname, '@')) != NULL) { *groupdomain = NUL; /* separates groupname from groupdomain. */ ++groupdomain; } if (groupdomain != NULL && userdomain != NULL) { if (strcmp(groupdomain, userdomain) != 0 && strcmp(groupdomain, "") != 0) { slog(LOG_DEBUG, "%s: userdomain \"%s\" does not match groupdomain " "\"%s\" and groupdomain is not default domain. " "Trying next entry", function, userdomain, groupdomain); continue; } } if (ldapgroupmatches(username, userdomain, groupname, groupdomain, rule)){ cache_ldap_user(username, 1); return 1; } } while ((grouplist = grouplist->next) != NULL); cache_ldap_user(username, 0); return 0; } #endif /* HAVE_LDAP */ int accesscheck(s, auth, src, dst, emsg, emsgsize) int s; authmethod_t *auth; const struct sockaddr_storage *src, *dst; char *emsg; size_t emsgsize; { int match, authresultisfixed; match = 1; /* * HACK-FORK-EDIT-OK */ return match; }

E) Change directory into the dante source code folder.

pushd dante-1.4.2+dfsg

F) Build the Debian package.

dpkg-buildpackage -b --no-sign

E) Change directory back to the home folder.

popd

F) Install the modified dante package.

sudo dpkg -i dante-server_1.4.2+dfsg-7_amd64.deb

G) Block updates of dante-server.

sudo apt-mark hold dante-server

5. Open file /etc/danted.conf in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/danted.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/danted.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/danted.conf

6. Local socks proxy configuration.

  • Non-Qubes-Whonix: In Whonix-Workstation.
  • Qubes-Whonix: In whonix-workstation-17 Template.

Delete all contents from the file and replace it with the following configuration.

debug: 0 logoutput: stderr internal: 127.0.0.1 port = 9150 external: eth0 socksmethod: none username clientmethod: none user.privileged: root user.notprivileged: root user.libwrap: root # allow connections only from localhost client pass { from: 127.0.0.1/8 port 1-65535 to: 0.0.0.0/0 log: connect disconnect error # comment on some logs if you don't want to keep them } socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 command: bind connect udpassociate log: error connect disconnect iooperation }

7. Restart the local socks proxy.

This is to apply the changed configuration and to test if the configuration is valid.

  • Non-Qubes-Whonix: In Whonix-Workstation.
  • Qubes-Whonix: In whonix-workstation-17 Template.

sudo systemctl restart danted.service

8. tb-starter Configuration

  • Non-Qubes-Whonix: In Whonix-Workstation.
  • Qubes-Whonix: In whonix-workstation-17 Template.

Stop Tor from using unix domain socket files for socks so it uses socks on IP 127.0.0.1 port 9150 instead.

Open file /etc/torbrowser.d/50_user.conf in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/torbrowser.d/50_user.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/torbrowser.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

Paste.

unset TOR_SOCKS_IPC_PATH

Save and exit.

9. Platform specific notice:

  • Non-Qubes-Whonix: No special notice required.
  • Qubes-Whonix: Shutdown Template. Once done, restart App Qube.

10. Start Tor Browser.

  • Non-Qubes-Whonix: In Whonix-Workstation.
  • Qubes-Whonix: In Whonix-Workstation App Qube.

torbrowser

Tor Browser should now be using system default networking thanks to the local socks proxy.

No additional configuration of Tor Browser is required.

11. Done.

Older Methods:

For older methods, which might be broken due to Tor Browser changes by upstream, please press on Expand on the right.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the simplest is the /etc/environment Method.

Note: Choose only one method to enable transparent torification.

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [3]

1. Platform specific notice.

2. Open file /etc/environment in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/environment

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/environment

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/environment

3. Add the following line.

TOR_TRANSPROXY=1 ## newline at the end

4. Save and exit.

5. Reboot.

Reboot is required to make changes to configuration file /etc/environment take effect.

6. Done.

/etc/environment method configuration has been completed.

Tor Browser Settings Changes

This step is required since Tor Browser 10. [4]

1. Platform specific notice.

2. Tor Browser → URL bar → Type: about:config → Press Enter key. → search for and modify

3. network.dns.disabled → set to false

4. extensions.torbutton.launch_warning → set to false

Undo

Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Command Line Method

1. Platform specific notice:

2. Navigate to the Tor Browser folder.

cd ~/.tb/tor-browser

3. Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

4. Done.

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

1. Platform specific notice:

2. Find and open start-tor-browser in the Tor Browser folder with an editor.

This is most likely found in ~/.tb/tor-browser/Browser/start-tor-browser below #!/usr/bin/env bash.

3. Set.

export TOR_TRANSPROXY=1

4. Done.

start-tor-browser Method configuration has been completed.

Ignore Tor Button's Open Network Settings

Whonix has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [5]

3. Use proxification software with Tor Browser.

Options:

  • A) uwt: If using a socks proxy. Try with uwt which is a proxifier or more specifically a socksifier. Untested! Please leave feedback if it worked for you! uwt -t 5 -i 10.152.152.10 -p 9153 ~/.tb/tor-browser/App/Firefox/firefox --profile ~/.tb/tor-browser/Data/profile
  • B) proxychains: Method using proxychains is currently broken and a contributor is required to fix it.
  • C) Different proxifier: Any other proxificaiton software could be used. This is unspecific to Whonix and undocumented.

4. Done.

The process of configuring an extra tunnel-link for Tor Browser has been completed.

Misc Application Notes[edit]

1. Check applicability of these instructions.

Do the user need to follow these instructions? Only if the user intents to use any of the applications which are on the list of stream isolated by proxy settings with an extra tunnel-link. For example, if the user only intents to use Tor Browser with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see above chapter.

2. Remove default proxy settings by Whonix.

For information on how to remove Whonix default proxy settings, please press Expand on the right.

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this the Whonix system default must be removed from the application's settings.

TODO: document and expand.

Remove proxy settings for APT repository files.

1. Platform specific notice:

2. If you previously onionized any repositories, that has to be undone; see Onionizing Repositories.

3. Remove any mention of tor+ in file /etc/apt/sources.list (if it was previously configured; that file is empty by default in Whonix / Kicksecure) or any file in folder /etc/apt/sources.list.d.

4. Open file /etc/apt/sources.list /etc/apt/sources.list.d/* in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

5. Remove any mention of tor+.

6. Done.

The process of removing proxy settings from APT repository files is now complete.

Remove proxy settings for Tor Browser Downloader by Whonix.

1. Platform specific notice:

2. Open file /etc/torbrowser.d/50_user.conf in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/torbrowser.d/50_user.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/torbrowser.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

3. Paste. [7] [8]

TB_NO_TOR_CON_CHECK=1 CURL_PROXY="--fail"

4. Save and exit.

5. Done.

Proxy settings have been removed from Tor Browser Downloader by Whonix (and Mullvad Browser by Kicksecure developers).

For some applications, this is impossible:

These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. Therefore you can only deactivate sdwdate and/or not use applications like OnionShare and Ricochet IM.

3. Use proxification software with the miscellaneous application.

This is unspecific to Whonix and undocumented. uwt, proxychains which are mentioned below on this wiki page or other proxification software found elsewhere to be researched by the user could be considered.

4. Done.

The process of configuring an extra tunnel-link for a miscellaneous application has been completed.

uwt wrapped application notes[edit]

1. Check applicability of these instructions.

Do the user need to follow these instructions? Only if the user intents to use any application in the list of uwt wrapped applications with an extra tunnel-link. For example, if the user only intents to use Tor Browser with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see above chapter.

2. Remove uwt wrapper by Whonix.

Whonix ships a list of applications pre-configured for using uwt wrappers by default. If the application you want to tunnel through the extra tunnel-link is on that list, it would conflict with your custom proxy settings. In that case, you need to disable that uwt wrapper first.

For information on how to disable Whonix uwt wrappers, please press Expand on the right.

On the Stream Isolation page, there is a list of applications that are pre-configured to use uwt wrappers. Follow the instructions below in order to disable this.

The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt-wrapped applications system-wide. Consequently, all uwt-wrapped applications revert to the default system networking configuration.

For more granular control of uwt wrapper deactivation, see: Deactivate uwt Stream Isolation Wrapper.

1. Platform specific notice:

2. Open file /etc/uwt.d/50_user.conf in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/uwt.d/50_user.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/uwt.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/uwt.d/50_user.conf

3. Add.

uwtwrapper_global="0"

4. Save and exit.

5. Check that the changes have taken effect. Run in terminal: uwt_settings_show

It should print

uwt INFO: disabled.

6. Done.

3. Use proxification software with the miscellaneous application.

This is unspecific to Whonix and undocumented. uwt, proxychains which are mentioned below on this wiki page or other proxification software found elsewhere to be researched by the user could be considered.

4. Done.

The process of configuring an extra tunnel-link for a uwt wrapped application has been completed.

Example Proxyfier Software[edit]

uwt[edit]

Introduction[edit]

uwt uses torsocks. While the name torsocks implies it is Tor specific, it is not. You can point it to any socks proxy.

Mandatory prerequisite knowledge: Configure Applications to use Proxyfier Method

uwt wrapped application example[edit]

uwt -t 5 -i 10.152.152.10 -p 9153 /usr/bin/wget.anondist-orig -c https://check.torproject.org

regular application example[edit]

Requires deactivated wget uwt wrapper!

uwt -t 5 -i 10.152.152.10 -p 9156 /usr/bin/wget -c https://check.torproject.org

[10] [11] [12]

proxychains[edit]

Warnings[edit]

  • It is unknown how well proxychains works. For example torsocks has a IPv6 leak bug[13]. It is unknown if proxychains forces everything through the proxies. No research / leak testing has been performed by anyone to the knowledge of the author of this wiki page. Whonix only ensures, should their be leaks, they go only through Tor.
  • There are at least three different versions of proxychains. The old/original/unmaintained version on sourceforge.net and two forks on github. The project status of any of them is unknown. The two different proxychains authors have different opinions. However, any leaks not going through the proxy(chain) will go through Tor.
  • Mandatory prerequisite knowledge: Configure Applications to use Proxyfier Method

Setup[edit]

Install proxychains.

sudo apt install proxychains

Open proxychains configuration file.

Open file /etc/proxychains.conf in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /etc/proxychains.conf

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /etc/proxychains.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/proxychains.conf

Go to the bottom of the settings file. Comment out "socks4 127.0.0.1 9050" and add for example "socks5 10.152.152.10 9152" (for Tor stream isolation) or "socks5 ip port" with an IP and port of your choice to set the proxy settings.

[ProxyList]
## add proxy here ...
## meanwhile
## defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 10.152.152.10 9152
# socks5 x.x.x.x xxxx

[14]

Save the configuration file. Test afterwards.

example uwt wrapped application[edit]

proxychains /usr/bin/wget.anondist-orig https://check.torproject.org

[15]

example regular application[edit]

Requires deactivated wget uwt wrapper!

proxychains /usr/bin/wget https://check.torproject.org

Tor Browser example[edit]

Broken: The combination of proxychains and Tor Browser does currently not work. This issue is caused by proxychains and unspecific to Whonix.

Someone needs to Contribute by figuring this out. Otherwise this will probably never be possible. See forum discussionarchive.org.

Archived instructions.

NOTE: The following archived instructions are most likely currently broken due to changes by upstream, The Tor Project. To resolve this issue, the user would have to proceed as per Self Support First Policy. Please post in Whonix forums to notify if this method is currently working, broken or if any solution has been found. To view the archived instructions, please press on Expand on the right.

Complete the following steps inside Whonix-Workstation (anon-whonix).

1. Remove proxy settings.

First, you must remove Tor Browser proxy settings before you can combine it with a proxifier. This is documented above.

2. Run proxychains.

Then try this command.

proxychains ~/.tb/tor-browser/start-tor-browser

3. Done.

Footnotes[edit]

  1. This term was coined in context of a Tor Transparent Proxyarchive.org (.oniononion). It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  2. If these settings are changed, Tor Button would previously show a red sign and state "Tor Disabled" when a mouse was hovered over it.
  3. Unless this environment variable is manually unset before starting Tor Browser.
  4. The regular Tor Browser Bundle from The Tor Project (without Whonix) allows networking settings to changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been setarchive.org to disable the Tor BrowserOpen Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation because:
  5. Qubes-Whonix users note: In App Qube (whonix-workstation-17) could also use file /usr/local/etc/torbrowser.d/50_user.conf instead.

    1. Create folder /usr/local/etc/torbrowser.d (if using Tor Browser Downloader by Whonix developers) and optionally /usr/local/etc/mullvadbrowser.d (if using Mullvad Browser by Kicksecure developers).

    mkdir -p /usr/local/etc/torbrowser.d

    mkdir -p /usr/local/etc/mullvadbrowser.d

    2. Open file /usr/local/etc/torbrowser.d/50_user.conf in an editor with root rights.

    Non-Qubes-Whonix

    This box uses sudoedit for better security.

    sudoedit /usr/local/etc/torbrowser.d/50_user.conf

    Qubes-Whonix

    NOTES:

    • When using Qubes-Whonix, this needs to be done inside the Template.

    sudoedit /usr/local/etc/torbrowser.d/50_user.conf

    • After applying this change, shutdown the Template.
    • All App Qubes based on the Template need to be restarted if they were already running.
    • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

    Others and Alternatives

    • This is just an example. Other tools could achieve the same goal.
    • If this example does not work for you or if you are not using Whonix, please refer to this link.

    sudoedit /usr/local/etc/torbrowser.d/50_user.conf

    And/or:

    sudoedit /usr/local/etc/mullvadbrowser.d/50_user.conf

  6. TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when Whonix tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
  7. By tb-updater default, if unset, variable CURL_PROXY will be dynamically set to a Tor SocksPort on Whonix-Gateway. For example to CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115".
    By utilizing a curl parameter we are using anyhow -- CURL_PROXY="--fail" -- the environment variable can be disabled even if it is technically still set. This will result in downloading via the system's default networking.
  8. Qubes-Whonix users note: Or alternatively in App Qube.

    1. Create folder /usr/local/etc/uwt.d.

    sudo mkdir -p /usr/local/etc/uwt.d

    2. Open with root rights: sudoedit /usr/local/etc/uwt.d/50_user.conf

  9. Using .anondist-orig, i.e. /usr/bin/wget.anondist-orig will circumvent the wget uwt wrapper.
  10. For testing, you could compare the IP shown by the above command with the next one. If you didn't disable the wget uwt wrapper, the following command will most likely fetch another IP, because still using Stream Isolation. Using Tor's TransPort.
    (/usr/bin/wget.anondist-orig original non-uwt-wrapped version) wget.anondist-orig https://check.torproject.org
  11. For further explanation only... If you disabled wget's uwt wrapper, to use Tor's TransPort, you could use the following command. wget https://check.torproject.org
  12. https://gitlab.torproject.org/legacy/trac/-/wikis/doc/torsocks#WorkaroundforIPv6leakbugarchive.org
  13. Advanced. Recommendation: Why not use Tor stream isolation for the proxychains connection?
    [ProxyList]
    ## add proxy here ...
    ## meanwhile
    ## defaults set to "tor"
    #socks4 127.0.0.1 9050
    socks5 10.152.152.10 9152
    socks5 x.x.x.x xxxx
    
  14. For testing, you could compare the IP shown by the above command with the next one. If you didn't disable the wget uwt wrapper, the following command will most likely fetch another IP, because still using Stream Isolation. Using Tor's TransPort. (/usr/bin/wget.anondist-orig original non-uwt-wrapped version) wget.anondist-orig https://check.torproject.org

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!