Last update: March 17, 2019.


Tunnels/Connecting to a proxy before Tor/Testing


Note: This Page is for Testing Only

Please use the stable Connecting to a proxy before Tor Wiki page for proxy configuration.


User -> Proxy -> Tor -> Internet

Introduction

It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. The potential positive or negative effects on anonymity are being controversially debated.

The Whonix project remains technologically neutral in the anonymity discussion. The improper combination of Tor and another service may actually degrade a user's security and anonymity. One such case is using a proxy to hide Tor network traffic from your ISP.

While proxies are a type of tunnel-link, they should not be thought of as a replacement for a VPN or SSH in this configuration. Connections to proxies are unencrypted and therefore should not be used to hide Tor use. Proxies are OK for circumvention of censorship if that has been shown to work from the user's location, but they are unsuitable for hiding Tor due to the lack of encryption.

Combinations of tunnels-links with Tor are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix users, using Tor in isolation – without a tunnel-link (VPN, proxy or SSH) – is the correct choice.

Tunnel-link before Tor use cases

User -> tunnel-link -> Tor -> Internet


In this configuration network traffic will (1) enter the tunnel-link and pass through your ISP -> (2) exit your tunnel-link server as encrypted Tor traffic -> (3) enter the Tor network -> (4) exit the Tor network at a Tor exit node as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • You must connect to your tunnel-link to access the internet.
  • Your ISP blocks Tor and Tor bridges but doesn’t block the tunnel-link.
  • Fear of de-anonymizing attacks against the Tor network; belief that your tunnel-link is able to protect your identity in such case.

Warnings

Note: The following warnings are not Whonix ™ specific issues. They are general issues associated with combining Tor with tunnel-links.

Trusting Service Providers


Failed Closed Configurations


Tunnel-links can Affect Anonymity


Using the same Tunnel Provider in Multiple VMs at the same Time


Reusing Tunnel-links


Qubes-Whonix ™ TemplateVMs


Hiding Tor Usage from ISPs


Proxy Specific Issues

Selecting a Service Provider

Selecting a provider location presents unique challenges that must be accounted for when chaining tunnel-links with Tor.

  • Tor avoids using more than one relay belonging to the same operator when building circuits. Legitimate Tor relay operators adhere to Tor's relay operator practices of announcing which relays belong to them by declaring this in the Tor relay family setting. Tor also avoids using relays that are within the same network by not using relays within the same /16 subnet. [7] Tor, however, does not take into account your real external IP or destination IP addresses. [8] In essence, you must avoid using the same network/operator as your first and last Tor relays, since this would open up end-to-end correlation attacks.
  • Many tunnel providers use shared IP addresses which means that many users share the same external IP address. On one hand this is good since that is similar to Tor, where many users share the same Tor exit relays. On the other hand, this can in some situations lead to actually making you less safe.
  • It is possible to host Tor relays [any... bridges, entry, middle or exit] behind VPNs or tunnel-links. For example, there are VPN providers that support VPN port forwarding. This is an interesting way to contribute to Tor while not exposing oneself to too much legal risk. However, in certain situations it is possible a VPN or other tunnel-link and a Tor relay could be hosted by the same operator, in the same network or even on the same IP.
  • In an economy with a deep labor division, some companies provide the service of hosting servers (VPS etc.), while others provide VPN and other tunnel-link services and rent such servers. It is common that diverse customers run on and/or share the same IP address. This is another situation where a VPN or other tunnel-link and a Tor relay could be hosted by the same operator, in the same network or even on the same IP.
  • By adding arbitrary tunnel-links to your connection chain, you could unknowingly use the same operator/network twice in your connection chain.
    • Scenario 1)
      • a) User uses VPN IP A on the host, thereby using it as its first relay.
      • b) User's Tor client happens to pick a Tor exit relay running on VPN IP A.
        • Conditions a and b match at the same time. The user is now using the same IP address as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
    • Scenario 2)
      • a) User sets up a VPN inside Whonix-Workstation ™. This configuration results in User -> Tor -> VPN -> Internet. Using VPN IP A.
      • b) A Tor entry guard is being hosted on VPN IP A.
        • Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
  • Choose your tunnel providers wisely.
    • Find out in which physical and legal jurisdiction and network their servers are located.
    • Perhaps avoid using VPN or SSH providers that support port forwarding.
    • Perhaps use only tunnel-link providers that assign private (not shared with others), unique IP addresses. However, it is not clear whether this does more harm than good, as noted above.
    • Perhaps use tunnel-link providers that run their own servers rather than relying on shared infrastructure.
  • Perhaps manually pick your Tor relay[s], specifically your entry guard[s] or bridge[s].
    • Tor documentation generally discourages tampering with Tor's routing algorithm by manually choosing your relays, but since you are trying to be clever by extending your Tor chain despite all the information regarding the difficulty of this endeavor, perhaps it would make sense to pick your entry guard manually.
    • Using bridges might be an alternative, but note the following quote: "Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards." Source: bridge vs non-bridge users anonymity.
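The /16 rule and the gap the list above describes, as an added illustration that is not part of the original wiki page: Tor keeps two relays of one circuit out of the same /16, but it never compares relays against the external IP a tunnel-link gives you. The relay entries and circuits below are constructed sample data, not real relays, and the function names are my own.

```python
import ipaddress

# Constructed sample of (nickname, IPv4 address) relay entries; not real relays.
SAMPLE_RELAYS = [
    ("guardA", "203.0.113.10"),
    ("exitB", "198.51.100.7"),
    ("middleC", "203.0.200.5"),   # same /16 as guardA, different /24
    ("exitD", "192.0.2.44"),
]


def same_slash16(ip_a: str, ip_b: str) -> bool:
    """True if two IPv4 addresses fall in the same /16, the granularity Tor
    uses to keep the relays of one circuit apart."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != 4 or b.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    return b in ipaddress.ip_network(f"{a}/16", strict=False)


def conflicting_relays(tunnel_ip: str, relays):
    """Relays Tor will NOT avoid for you: the /16 rule only looks at the
    relays inside a circuit, never at the tunnel-link's external IP."""
    conflicts = []
    for nickname, relay_ip in relays:
        if relay_ip == tunnel_ip:
            conflicts.append((nickname, "same IP"))
        elif same_slash16(tunnel_ip, relay_ip):
            conflicts.append((nickname, "same /16"))
    return conflicts


def circuit_shares_network_with_tunnel(tunnel_ip: str, circuit) -> bool:
    """Scenarios 1 and 2 from the text: the tunnel-link is an extra hop before
    (or after) the circuit, so a collision with the first or last relay puts
    the same operator/network at both ends of the chain. `circuit` is a list
    of relay IPs, first hop to last."""
    ends = (circuit[0], circuit[-1])
    return any(ip == tunnel_ip or same_slash16(tunnel_ip, ip) for ip in ends)
```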

Proxy Configuration Prerequisites

Location of the Running Proxy

The location of the running proxy is variable and depends on the user's system. Refer to the following resources for examples:

  • Proxy software (such as lantern) creates a proxy tunnel on the local computer.
  • Proxy software might run on a remote computer, which is easier to set up.


The Proxy IP and Port

  • If the proxy IP and port are known, the user can skip this section.
  • If the user wants to run custom proxy software on Whonix-Gateway ™, the proxy runs on the same machine, also called localhost. Usually the proxy IP is then 127.0.0.1.
  • Note: The user must use the IP instead of the hostname (proxy.example.com). If the proxy IP is unknown, then in a terminal (Konsole) on the host operating system, run nslookup proxy.example.com (replace proxy.example.com with the hostname of your actual proxy). Using the IP instead of the hostname might cause subtle fingerprinting issues; see [9] for more information.


Type of Proxy in Use

The user needs to know the proxy type from the following list:

  • HTTPProxy
  • HTTPSProxy
  • Socks4Proxy
  • Socks5Proxy

The user must also ascertain whether the proxy requires a username and/or password.


Configure Whonix-Gateway ™

User -> proxy -> Tor -> Internet

Tor natively supports proxy settings and only requires editing of the torrc file.

Option 1: Use Anon Connection Wizard

Beginning with Whonix ™ 14, a prefixed proxy can be configured easily using Anon Connection Wizard.

Step 1: Start Anon Connection Wizard

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) -> Anon Connection Wizard

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu -> Applications -> System -> Anon Connection Wizard

If you are using a terminal-only Whonix-Gateway ™, type:

kdesudo anon-connection-wizard

Step 2: Use proxy configuration page

Select "Use proxy before connecting to the Tor network" on the Proxy Configuration page -> Choose the proxy type -> Fill out other necessary information

Option 2: Manually configure proxy


Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu -> Applications -> Settings -> /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Depending on your proxy configuration, add the settings you'll need to your /usr/local/etc/torrc.d/50_user.conf. For more information on these settings, have a look in the Tor manual and read the FAQ.

HTTPProxy host[:port]
HTTPProxyAuthenticator username:password
HTTPSProxy host[:port]
HTTPSProxyAuthenticator username:password

Socks4Proxy host[:port]

Socks5Proxy host[:port]
Socks5ProxyUsername username
Socks5ProxyPassword password

FascistFirewall 0|1 

ReachableAddresses ADDR[/MASK][:PORT]…
ReachableDirAddresses ADDR[/MASK][:PORT]…
ReachableORAddresses ADDR[/MASK][:PORT]…

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix') -> Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu -> Applications -> Settings -> Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Optional: test the connection by running whonixcheck.

Done.
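Because the note above says a mistake in 50_user.conf is the most likely reason Tor fails to connect, here is a small checker for the proxy lines listed in this section; it is an added example, not Whonix or Tor code, and it encodes the page's own rules (one proxy type, an IP rather than a hostname, authentication options matching their proxy line, Socks5 username and password given together). It assumes the host[:port] form shown above with an IPv4 host; the sample fragments are constructed.

```python
import ipaddress

PROXY_KEYS = {"HTTPProxy", "HTTPSProxy", "Socks4Proxy", "Socks5Proxy"}
# Authentication options and the proxy line each one belongs to.
AUTH_KEYS = {
    "HTTPProxyAuthenticator": "HTTPProxy",
    "HTTPSProxyAuthenticator": "HTTPSProxy",
    "Socks5ProxyUsername": "Socks5Proxy",
    "Socks5ProxyPassword": "Socks5Proxy",
}
# Constructed 50_user.conf fragments, not taken from a real system.
SAMPLE_BAD = """\
Socks5Proxy proxy.example.com:1080
Socks5ProxyUsername alice
HTTPProxyAuthenticator user:pass
"""
SAMPLE_GOOD = "Socks5Proxy 127.0.0.1:1080\n"

def parse_torrc(text):
    """Option name -> value for non-comment lines (last occurrence wins)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings

def check_proxy_settings(text):
    """Return a list of problems with the proxy lines; [] means OK."""
    s = parse_torrc(text)
    problems = []
    proxies = sorted(k for k in s if k in PROXY_KEYS)
    if not proxies:
        problems.append("no HTTPProxy/HTTPSProxy/Socks4Proxy/Socks5Proxy line")
    elif len(proxies) > 1:
        problems.append("more than one proxy type set: " + ", ".join(proxies))
    for key in proxies:
        # Tor's syntax is host[:port]; the page asks for an IP, not a hostname.
        host = s[key].rsplit(":", 1)[0] if ":" in s[key] else s[key]
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{key}: '{host}' is a hostname, use its IP address")
    for auth, needs in AUTH_KEYS.items():
        if auth in s and needs not in s:
            problems.append(f"{auth} set but {needs} is missing")
    if ("Socks5ProxyUsername" in s) != ("Socks5ProxyPassword" in s):
        problems.append("Socks5ProxyUsername and Socks5ProxyPassword go together")
    return problems
```

Run it over the contents of 50_user.conf before reloading Tor; it complements, and does not replace, `tor --verify-config`, which checks syntax but not whether the settings match the proxy you actually have.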


Footnotes

  1. Users in China are unlikely to circumvent government censorship with vanilla bridges, as they are uniformly blocked. That said, anon-connection-wizard configured with the meek-amazon or meek-azure pluggable transport is reported to bypass Chinese censorship in late 2017.
  2. For example, VPNs require a failed closed configuration to prevent DNS leaks.
  3. https://lists.torproject.org/pipermail/tor-talk/2016-July/041757.html
  4. research / document impact for tunnel users if Tor relays hosted at the same tunnel provider
  5. This is because the file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf checks the following condition:
     ConditionPathExists=!/var/run/qubes-service/whonix-template
     This means that if the file /var/run/qubes-service/whonix-template exists, which is the case in Whonix TemplateVMs, the openvpn@openvpn service will not be started.

  6. Such as the Tor, JonDonym or I2P software.
  7. http://tor.stackexchange.com/a/114/80
  8. https://lists.torproject.org/pipermail/tor-talk/2016-July/041753.html
  9. https://github.com/Whonix/Whonix/issues/94

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)