Connecting to a Proxy before Tor
Instructions on how to connect to a proxy before Tor.
User → Proxy → Tor → Internet
Introduction
Proxy Warning
Proxy Configuration Prerequisites
Location of the Running Proxy
The location of the running proxy is variable and depends on the user's system. Refer to the following resources for examples:
- A) Proxy software might run on a remote computer, which is easier to set up.
- B) Proxy software (such as Lantern) creates a proxy tunnel on the local computer.
  - Qubes-Whonix™ VM: Lantern as an example.
  - Non-Qubes-Whonix VM: This is not yet fully documented, please contribute.
    - The proxy software must run either:
      - B1) on Whonix-Gateway™ under the Linux user account tunnel; or
      - B2) on the host operating system (OS) (outside any virtual machine (VM)); or
      - B3) in another VM.
    - All of this is undocumented:
      - how to autostart custom software after reboot (systemd etc.)
      - custom proxy software setup example.
The Proxy IP and Port
- If custom proxy software will be run on Whonix-Gateway, then this configuration is also called localhost. Usually the proxy IP address is 127.0.0.1.
- Note: It is necessary to use the IP address instead of the hostname (proxy.example.com). If the proxy IP address is unknown, then in a terminal on the host operating system (OS) (outside of any virtual machine (VM)), run (Linux) nslookup proxy.example.com; replace proxy.example.com with the hostname of your actual proxy. Using the IP address instead of the hostname might cause subtle fingerprinting issues; see footnote [3] for more information.
Type of Proxy in Use
It is necessary to know the proxy type from the following list:
HTTPProxy
HTTPSProxy
Socks4Proxy
Socks5Proxy
Also check whether the proxy requires a username and/or password beforehand.
Configure Whonix-Gateway
User → proxy → Tor → Internet
Tor natively supports proxy settings and only requires editing of the torrc file.
Option 1: Use Anon Connection Wizard
A prefixed proxy can be configured easily using Anon Connection Wizard.
Step 1: Start Anon Connection Wizard
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Anon Connection Wizard
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → System → Anon Connection Wizard
If you are using a terminal emulator (such as xfce4-terminal) on Whonix-Gateway, type:
lxsudo anon-connection-wizard
If you are using a CLI Whonix-Gateway, see footnote [4].
Step 2: Use Proxy Configuration Page
Select "Use proxy before connecting to the Tor network" on the Proxy Configuration page → Choose the proxy type → Fill out other necessary information
Option 2: Manually Configure Proxy
Manual Tor configuration is an alternative.
1. Open file /usr/local/etc/torrc.d/50_user.conf in a text editor of your choice with sudoedit.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway, complete the following steps.
sudoedit /usr/local/etc/torrc.d/50_user.conf
2. Add necessary settings to /usr/local/etc/torrc.d/50_user.conf.
Depending on your proxy configuration, add the necessary settings to the /usr/local/etc/torrc.d/50_user.conf file. For more information on these settings, refer to the Tor manual (.onion) and read the FAQ.
HTTPProxy host[:port]
HTTPProxyAuthenticator username:password
HTTPSProxy host[:port]
HTTPSProxyAuthenticator username:password
Socks4Proxy host[:port]
Socks5Proxy host[:port]
Socks5ProxyUsername username
Socks5ProxyPassword password
FascistFirewall 0|1
ReachableAddresses ADDR[/MASK][:PORT]…
ReachableDirAddresses ADDR[/MASK][:PORT]…
ReachableORAddresses ADDR[/MASK][:PORT]…
3. Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named 'sys-whonix') → Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → Reload Tor
If you are using a terminal-only Whonix-Gateway, complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a message saying:
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
4. Optional: Test the configuration by running systemcheck.
The procedure is complete.
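A check that can be run over the proxy lines from step 2 before reloading Tor, given here as an added example that is not part of the Whonix documentation: it flags proxy directives that use a hostname instead of an IP address (the requirement stated under "The Proxy IP and Port") and ports outside the valid range. The function names and the sample configuration are hypothetical and constructed for illustration.

```python
import ipaddress

# Proxy directives from the page's list that take host[:port]; torrc keys are
# case-insensitive, so they are compared in lower case.
PROXY_DIRECTIVES = {"httpproxy", "httpsproxy", "socks4proxy", "socks5proxy"}


def split_host_port(value):
    """Split host[:port]; IPv6 literals are expected as [addr]:port."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        return host, rest[1:] if rest.startswith(":") else None
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, None)


def check_torrc(text):
    """Return (line_number, message) findings for proxy lines in torrc text."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0]
        if name.lower() not in PROXY_DIRECTIVES:
            continue
        if len(parts) < 2:
            findings.append((number, f"{name}: missing host[:port]"))
            continue
        host, port = split_host_port(parts[1].strip())
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append((number, f"{name}: '{host}' is a hostname, use the proxy IP address"))
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append((number, f"{name}: invalid port '{port}'"))
    return findings


# Constructed sample (not a real proxy); 192.0.2.10 is a documentation address.
SAMPLE = """\
# prefixed proxy
Socks5Proxy proxy.example.com:1080
Socks5ProxyUsername username
Socks5ProxyPassword password
HTTPSProxy 192.0.2.10:99999
"""

if __name__ == "__main__":
    for number, message in check_torrc(SAMPLE):
        print(f"line {number}: {message}")
```

This only checks the form of the proxy lines; Tor's own `--verify-config` run from step 3 remains the authoritative syntax check.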
Footnotes
- ↑ Like the Tor, or I2P software.
- ↑ Users in China are unlikely to circumvent government censorship with vanilla bridges, as they are uniformly blocked. That said, Anon Connection Wizard configured with the meek-amazon or meek-azure pluggable transport was reported to bypass Chinese censorship in late 2017. Unfortunately the meek-amazon pluggable transport was deprecated in 2018 after Amazon removed the domain fronting option.
- ↑ https://web.archive.org/web/20201214130728/https://github.com/Whonix/Whonix/issues/94
- ↑ Anon Connection Wizard is a graphical user interface (GUI) application. It does not have command line interface (CLI) support yet. It is therefore unavailable on Whonix-Gateway CLI. Use setup-dist instead; note that functionality is limited and does not support Bridges.