Tunnels/Connecting to a proxy before Tor/Testing

From Whonix

< Tunnels‎ | Connecting to a proxy before Tor

Note: This Page is for Testing Only![edit]

Please use the stable Connecting to a proxy before Tor Wiki page for proxy configuration.

Ambox notice.png Advertisement:
Too difficult to set up? Provider specific automation can be created for you by the lead developer of Whonix ™. Send reasonable price suggestions. Get in contact.



It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. The potential positive or negative effects on anonymity are being controversially debated [archive].

The Whonix project remains technologically neutral in the anonymity discussion. The improper combination of Tor and another service may actually degrade a user's security and anonymity. One such case is using a proxy to hide Tor network traffic from your ISP.

While proxies are a type of tunnel-link they should not be thought of as a replacement for a VPN and SSH in this configuration. This is because connections to proxies are unencrypted and therefore should not be used to hide Tor use. Proxies are ok for circumvention of censorship if that has been shown to work from the users location but are unsuitable for hiding Tor due to lack of encryption.

Combinations of tunnels-links with Tor are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix users, using Tor in isolation – without a tunnel-link (VPN, proxy or SSH) – is the correct choice.

Tunnel-link before Tor use cases[edit]


In this configuration network traffic will (1) enter the tunnel-link and pass through your ISP → (2) exit your tunnel-link server as encrypted Tor traffic→ (3) enter to the Tor network→ (4) exit the Tor network at a Tor exit node as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • You must connect to your tunnel-link to access the internet.
  • Your ISP blocks Tor and Tor bridges but doesn’t block the tunnel-link.
  • Fear of de-anonymizing attacks against the Tor network; belief that your tunnel-link is able to protect your identity in such case.


Note: The following warnings are not Whonix ™ specific issues. They are general issues associated with combining Tor with tunnel-links.

Info Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor.

In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. [1]

Trusting Service Providers[edit]

Warning A tunnel service provider that knows your identity and/or location may be more willing and able to compromise your privacy than your ISP.

Failed Closed Configurations[edit]

Warning If your software configuration doesn’t block all traffic when your tunnel-link connection suddenly disconnects, your encrypted Tor traffic will go through your ISP without warning. This is the default nature of most tunnel configurations and not an issue specific to Whonix ™.[2]

Tunnel-links can Affect Anonymity[edit]

Warning Using any extra tunnel, for example a VPN, proxy or SSH can can negatively affect anonymity under some circumstances. [3] [4]

To explain why that is, some background information is required so you can draw conclusions and take actions to avoid this risk. See below.

Using the same Tunnel Provider in Multiple VMs at the same Time[edit]

Warning Don't use the same tunnel provider / configuration in more than one place at the same time.

For example, do not use the same tunnel setup inside Whonix-Gateway ™ as well as inside Whonix-Workstation ™. Also do not use the same tunnel setup on the host and inside a Whonix-Gateway ™ or Whonix-Workstation ™ at the same time.

Reusing Tunnel-links[edit]

Warning Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. Doing so could tie any anonymous identities associated with the tunnel-link to the user's ISP assigned IP address.


In tunnel-chain 1, the ISP assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the users ISP assigned IP address was previously linked to that same tunnel-link, that anonymous identity can now be linked to the user actual IP address.

  • Tunnel-chain 1: (UserTunnel-link[users IP address is linked] → TorInternet)
  • Tunnel-chain 2: (UserTorTunnel-link[anonymous activities linked] → Internet)

The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. If this were done, all anonymous activities conducted with tunnel-chain 2 would then be link with the users ISP assigned IP address.

Qubes-Whonix ™ TemplateVMs[edit]

Warning Qubes-Whonix ™ users note:
You probably do not want to run the tunnel software from within a TemplateVM. This is because the whonix-gw-15 TemplateVM "is more like a workstation". It is behind sys-whonix. It is not sys-whonix itself.

(If you are using openvpn inside Whonix-Gateway ™ (commonly called sys-whonix) or Whonix-Workstation ™ (commonly called anon-whonix) while following Whonix documentation, openvpn will not start inside the whonix-gw-15 or whonix-ws-15 TemplateVM.) [5]
In Qubes R4 and above, the TemplateVMs's NetVM is purposely set to none by Qubes default [archive]. (They are upgraded through the qrexec based updates proxy that will be running on sys-whonix.)

Hiding Tor Usage from ISPs[edit]

Warning If using Tor is dangerous in your area, VPNs or SSH may not provide enough protection (due to software misconfiguration or sophisticated packet inspection).

Proxy Secific Issues[edit]

Whonix first time users warning Users should be aware of several issues when using standard, common http(s)/socks4(a)/5 proxies (anonymizers that only use http(s)/socks4(a)/5 as an interface[6] are exempt).

  • Most problems with these proxies are not caused by Whonix ™.
  • Be especially careful with http(s) proxies. Some of them send the "http forwarded for [archive]" header which discloses the IP address. Http(s) proxies that do not send this header are sometimes called "elite" or "anonymous" proxies.
  • When using "http forwarded for" http(s) proxies, Tor entry guards and Tor bridges can determine the IP address.
  • The unencrypted nature of proxies makes them unsuitable to hide Tor from destination websites. For simple IP logging / IP detection they might work unless they’re http(s) proxies and send the "http forwarded for" header.

Selecting a Service Provider[edit]

Selecting a provider location presents unique challenges that must be accounted for when chaining tunnel-links with Tor.

  • Tor avoids using more than one relay belonging to the same operator when building circuits. Legitimate Tor relay operators adhere to Tor's relay operator practices of announcing which relays belong to them by declaring this in the Tor relay family setting. Tor also avoids using Tor relays that are within the same network by not using relays within the same /16 subnet. [7] Tor however does not take into account your real external IP nor destination IP addresses. [8] In essence, you must avoid using the same network/operator as your first and last Tor relays since this would open up end-to-end correlation attacks.
  • Many tunnel providers use shared IP addresses which means that many users share the same external IP address. On one hand this is good since that is similar to Tor, where many users share the same Tor exit relays. On the other hand, this can in some situations lead to actually making you less safe.
  • It is possible to host Tor relays [any... bridges, entry, middle or exit] behind VPNs or tunnel-links. For example, there are VPN providers that support VPN port forwarding. This is an interesting way to contribute to Tor while not exposing oneself to too much legal risk. However, in certain situations it is possible a VPN or other tunnel-link and a Tor relay could be hosted by the same operator, in the same network or even on the same IP.
  • In an economy with a deep labor division, there are those that provide the service to host servers (VPS etc.). While others provide VPN and other tunnel-link services and rent such servers. It is common that diverse customers run and/or share the same IP address. This is another situation where a VPN or other tunnel-link and a Tor relays could be hosted by the same operator, in the same network or even on the same IP.
  • By adding arbitrary tunnel-links to your connection chain, you could unknowingly use the same operator/network twice in your connection chain.
    • Scenario 1)
      • a) User uses VPN IP A on the host, thereby using it as it is first relay.
      • b) User's Tor client happens to pick a Tor exit relay running on VPN IP A.
        • Conditions a and b match at the same time. The user is now using the same IP address as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
    • Scenario 2)
      • a) User sets up a VPN inside Whonix-Workstation ™. This configuration results in UserTorVPNInternet. Using VPN IP A.
      • b) A Tor entry guard is being hosted on VPN IP A.
        • Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
  • Choose your tunnel providers wisely.
    • Find out in which physical and legal jurisdiction and network their servers are located.
    • Perhaps avoid using VPN or SSH providers that support port forwarding.
    • Perhaps use only tunnel-link providers that are assigning private - as in not shared with others - unique - IP addresses. However, it is not clear if this does more harm than gain as noted above.
    • Perhaps use tunnel-link providers that run their own servers rather than relying on shared infrastructure.
  • Perhaps manually pick your Tor relay[s]. Specifically your entry guard[s] or bridge[s]).
    • Tor documentation generally discourages tampering with Tor's routing algorithm by manually choosing your relays, but since you are trying to be clever by extending your Tor chain despite of all the information regarding the difficulty of this endeavor, perhaps it would make sense to pick your entry guard manually.
    • Using Bridges might be an alternative, but note the following quote. "Bridges are less reliable and tend to have lower performance than other entry points. If you live in a uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity [archive]."

Proxy Configuration Prerequisites[edit]

Info Tip: In order to configure a proxy, three things must be known: where the proxy is running, the IP and port of the proxy, and what type of proxy is being used.

Location of the Running Proxy[edit]

The location of the running proxy is variable and depends on the user's system. Refer to the following resources for examples:

  • Proxy software (such as lantern) create a proxy tunnel on the local computer.
  • Proxy software might run on a remote computer, which is easier to set up.

The Proxy IP and Port[edit]

  • If the proxy IP and port is known, the user can skip this section.
  • If the user wants to run custom proxy software on Whonix-Gateway ™, then this is also called localhost. Usually the proxy IP is
  • Note: The user must use the IP instead of the hostname ( If the proxy IP is unknown, then in a terminal (Konsole) on the host operating system, run nslookup (replace with the hostname of your actual proxy). Using IP instead of hostname might cause subtle fingerprinting issues, see [9] for more information.

Type of Proxy in Use[edit]

The user needs to know the proxy type from the following list:

  • HTTPProxy
  • HTTPSProxy
  • Socks4Proxy
  • Socks5Proxy

The user must also ascertain whether the proxy requires a username and/or password.

Configure Whonix-Gateway ™[edit]


Tor natively supports proxy settings and only requires editing of the torrc file.

Option 1: Use Anon Connection Wizard[edit]

Beginning with Whonix ™ 14, a prefixed proxy can be configured easily using Anon Connection Wizard.

Step 1: Start Anon Connection Wizard[edit]

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Anon Connection Wizard

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSystemAnon Connection Wizard

If you are using a terminal Whonix-Gateway ™, type.

lxsudo anon-connection-wizard

Step 2: Use proxy configuration page[edit]

Select "Use proxy before connecting to the Tor network" on the Proxy Configuration pageChoose the proxy typeFill out other necessary information

Info Tips: 1. Proxy Type

The proxy type is the protocol which is used to communicate with the proxy server. Since there are only three options, they can all be tried until one works.

2. Proxy IP/hostname

It is necessary to know the proxy IP for attempted connections. If the user is trying to connect to a local proxy, then should be specified since it is the localhost.

3. Proxy Port number

It is necessary to know the port number for attempted connections. It should be a positive integer from 1 to 65535. If searching for the listening port number of a well-known censorship circumvention tool, it can be found online.

4. Username and Password If the username and password are unknown, they should be left blank to see if the connection will succeed. In most cases they are not needed.

Option 2: Manually configure proxy[edit]

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettings/usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Depending on your proxy configuration, add the settings you'll need to your /usr/local/etc/torrc.d/50_user.conf. For more information on these settings, have a look in the Tor manual [archive] and read the FAQ [archive].

HTTPProxy host[:port]
HTTPProxyAuthenticator username:password
HTTPSProxy host[:port]
HTTPSProxyAuthenticator username:password

Socks4Proxy host[:port]

Socks5Proxy host[:port]
Socks5ProxyUsername username
Socks5ProxyPassword password

FascistFirewall 0|1 

ReachableAddresses ADDR[/MASK][:PORT]… 
ReachableDirAddresses ADDR[/MASK][:PORT]… 
ReachableORAddresses ADDR[/MASK][:PORT]… 

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettingsReload Tor

If you are using a terminal-only Whonix-Gateway ™, click HERE for instructions.

Complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Optional: Test. Run whonixcheck.



  1. Users in China are unlikely to circumvent government censorship [archive] with vanilla bridges, as they are uniformly blocked. That said, anon-connection-wizard configured with the meek-amazon or meek-azure pluggable transport is reported to bypass Chinese censorship in late 2017.
  2. For example, VPNs require a failed closed configuration to prevent DNS leaks.
  3. [archive]
  4. research / document impact for tunnel users if Tor relays hosted at the same tunnel provider [archive]
  5. This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf [archive] checks the following condition

    Which means, if file /var/run/qubes-service/whonix-template exists, which is the case in Whonix TemplateVMs, the openvpn@openvpn service will not be started.

  6. Such as the Tor, JonDonym or I2P software.
  7. [archive]
  8. [archive]
  9. [archive]

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Want to help create awesome, up-to-date screenshots for the Whonix ™ wiki? Help is most welcome!

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.