Connecting to a Proxy before Tor

From Whonix

< Tunnels

Ambox warning pn.svg.png Before combining Tor with other tunnels, be sure to read and understand the risks!

Ambox notice.png Advertisement:
Too difficult to set up? Provider specific automation can be created for you by the lead developer of Whonix ™. Send reasonable price suggestions. Get in contact.


Proxy Warning[edit]

Whonix ™ first time users warning Warning! Users should be aware of several issues when using standard, common http(s)/socks4(a)/5 proxies (anonymizers that only use http(s)/socks4(a)/5 as an interface[1] are exempt).

  • Most problems with these proxies are not caused by Whonix ™.
  • Connections to proxies are unencrypted and therefore should not be used to hide Tor use. This is because proxies are a type of tunnel-link which are not VPNs or SSH. However, in certain circumstances proxies might be useful to circumvent censorship if it has been shown to work for the user but are unsuitable for hiding Tor due to lack of encryption.
  • If users need to circumvent state-level censorship of the Tor network, then a better solution may be Bridges or other alternative circumvention tools. [2]
  • Be especially careful with http(s) proxies. Some of them send the "http forwarded for [archive]" header which discloses the IP address. Http(s) proxies that do not send this header are sometimes called "elite" or "anonymous" proxies.
  • When using "http forwarded for" http(s) proxies, Tor entry guards and Tor bridges can determine the IP address.
  • The unencrypted nature of proxies makes them unsuitable to hide Tor from destination websites. For simple IP logging / IP detection they might work unless they’re http(s) proxies and send the "http forwarded for" header.

See also: Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN_Services.

Proxy Configuration Prerequisites[edit]

Info Tip: In order to configure a proxy, three things must be known: where the proxy is running, the IP and port of the proxy, and what type of proxy is being used.

Location of the Running Proxy[edit]

The location of the running proxy is variable and depends on the user's system. Refer to the following resources for examples:

  • Proxy software (such as lantern) create a proxy tunnel on the local computer.
  • Proxy software might run on a remote computer, which is easier to set up.

The Proxy IP and Port[edit]

  • If the proxy IP and port is known, the user can skip this section.
  • If the user wants to run custom proxy software on Whonix-Gateway ™, then this is also called localhost. Usually the proxy IP is
  • Note: The user must use the IP instead of the hostname ( If the proxy IP is unknown, then in a terminal (Konsole) on the host operating system, run nslookup (replace with the hostname of your actual proxy). Using IP instead of hostname might cause subtle fingerprinting issues, see [3] for more information.

Type of Proxy in Use[edit]

The user needs to know the proxy type from the following list:

  • HTTPProxy
  • HTTPSProxy
  • Socks4Proxy
  • Socks5Proxy

The user must also ascertain whether the proxy requires a username and/or password.

Configure Whonix-Gateway ™[edit]


Tor natively supports proxy settings and only requires editing of the torrc file.

Option 1: Use Anon Connection Wizard[edit]

Beginning with Whonix ™ 14, a prefixed proxy can be configured easily using Anon Connection Wizard.

Step 1: Start Anon Connection Wizard[edit]

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Anon Connection Wizard

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSystemAnon Connection Wizard

If you are using a terminal Whonix-Gateway ™, type.

kdesudo anon-connection-wizard

Step 2: Use proxy configuration page[edit]

Select "Use proxy before connecting to the Tor network" on the Proxy Configuration pageChoose the proxy typeFill out other necessary information

Info Tips: 1. Proxy Type

The proxy type is the protocol which is used to communicate with the proxy server. Since there are only three options, they can all be tried until one works.

2. Proxy IP/hostname

It is necessary to know the proxy IP for attempted connections. If the user is trying to connect to a local proxy, then should be specified since it is the localhost.

3. Proxy Port number

It is necessary to know the port number for attempted connections. It should be a positive integer from 1 to 65535. If searching for the listening port number of a well-known censorship circumvention tool, it can be found online.

4. Username and Password If the username and password are unknown, they should be left blank to see if the connection will succeed. In most cases they are not needed.

Option 2: Manually configure proxy[edit]

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettings/usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Depending on your proxy configuration, add the settings you'll need to your /usr/local/etc/torrc.d/50_user.conf. For more information on these settings, have a look in the Tor manual [archive] and read the FAQ [archive].

HTTPProxy host[:port]
HTTPProxyAuthenticator username:password
HTTPSProxy host[:port]
HTTPSProxyAuthenticator username:password

Socks4Proxy host[:port]

Socks5Proxy host[:port]
Socks5ProxyUsername username
Socks5ProxyPassword password

FascistFirewall 0|1 

ReachableAddresses ADDR[/MASK][:PORT]… 
ReachableDirAddresses ADDR[/MASK][:PORT]… 
ReachableORAddresses ADDR[/MASK][:PORT]… 

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettingsReload Tor

If you are using a terminal-only Whonix-Gateway ™, click HERE for instructions.

Complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Optional: Test. Run whonixcheck.



  1. Such as the Tor, JonDonym or I2P software.
  2. Users in China are unlikely to circumvent government censorship [archive] with vanilla bridges, as they are uniformly blocked. That said, anon-connection-wizard configured with the meek-amazon or meek-azure pluggable transport is reported to bypass Chinese censorship in late 2017.
  3. [archive]

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

Please help us to improve the Whonix Wikipedia Page [archive]. Also see the feedback thread [archive].

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.