Voice over IP


The Voice over IP Introduction chapter and instructions about mumble voice chat are finished. Instructions for other Voip clients aren't finished yet, but this shouldn't stop you from using mumble or experimenting with other clients. Please test and leave feedback!

Anonymizing Voice over IP is somewhat difficult, but possible. The difficulty is not so much hiding the IP address, which is easy with Whonix, but voice recognition and the slow speed (latency) of the Tor network. Pseudonymous use or hidden voice communication with known contacts depends on your threat model.

People who know each other and who are all behind Tor can hide the fact that they are talking with each other from their ISP, government, exit relays, man-in-the-middle attackers, etc. That wouldn't be anonymous, because they know each other.

You can't anonymously use your own voice to blow the whistle over Voip, be a snitch or whatever. Voice gets recorded and voice recognition works well. When you later have a phone call over a non-anonymous connection (which almost everyone has had at least once in their life, so everyone has supplied a sample of their voice and name), the two identities can be correlated. You would have to use a voice scrambler, and how well that works is a whole new field of research, which is outside the scope of Whonix.

You could type and let an artificial voice speak (like in anonymous videos); that could work. But is that the point? You would be better off writing a mail.

Voice chatting with other anonymous people is also recommended against. (Like you can talk in a forum.) You don't know who you are talking to. That voice could also be correlated later, leaving aside a voice scrambler or an artificial voice, which wouldn't make sense.

If you are not calling from .onion to .onion (which delegates encryption to Tor), you should use a Voip client supporting encryption, such as ZRTP[1]. You'll find recommendations below in the clients section. ZRTP End-to-End Encryption cannot Protect VBR Streams. When using ZRTP + SRTP for encryption on any stretch that goes over the clearnet, be sure never to select a VBR (variable bitrate) codec, as the pauses in a conversation produce fingerprints in the encrypted stream that allow the adversary to infer what words are being said.[2] [3]

Communicating via a clearnet VoIP server is not possible at the moment, as SIP based clients all use UDP, with a few exceptions. However, a viable candidate is Jitsi. Their 2014 GSOC project concentrates on creating XMPP Jingle based VOIP server nodes that use TCP instead of UDP, to avoid the censorship-prone aspects of UDP that make it vulnerable.

Other than the things said above, no additional anonymity/security problems are expected. It's less tested, so as for performance and voice quality, just try it, see for yourself and please leave feedback.

Please don't expect phone calls over Tor to be as convenient as phone calls over ordinary networks. This is because traffic is routed through the Tor network.

Push to talk will always work, however, which is more like using a walkie-talkie[4], push-to-talk[5].

Useful advice has been given by guardianproject.info. They recommend using prowords[6]. Acknowledge the end of transmission (your speech, your sentence, what you just said) with the word "Roger". Once your calling partner hears "Roger", they know it's safe to answer, and they also terminate the answer with "Roger", or with "Out" when leaving the conversation.

Voip Server

You most likely still require a Voip server. If no one in your group is interested in configuring a hidden Voip server, you could use a free one on clearnet. Latency is possibly a bit better (due to using clearnet).

If the Voip ID gets anonymously registered, i.e. if no personal data is required for signing up, everyone only and always connects over Tor, has never connected and never will connect without Tor, all calls are encrypted and you won't talk to strangers, there is probably very little a malicious server could log or do. [7]

Note that the mentioned relative safety is only present when the clients are exchanging _all_ of their traffic encrypted _and_ _all_ of their traffic via the server. Most VoIP programs go out of their way to try to talk to each other directly. As of today (April 2014) there is no known program capable of using public VoIP servers together with TCP/Tor.

Voip Clients


Tox[8][9] looks like a promising solution. The official client implementation is based on a protocol library, Toxcore. It's very feature-rich and can do a variety of functions besides VOIP. It can work over Tor, which allows communications with others even if they are not anonymous.[10] There are clients developed for every major OS platform, both desktop and mobile.[11]

Users are assigned a public and private key, and they connect to each other directly in a peer-to-peer network. Users have the ability to message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl library[12].

In February 2014, audio and video calls as well as conferences were still being implemented; as of August 2014 those features are ready in all the main clients. The official client aims to provide support for messaging, group messaging, voice and video calling, voice and video conferencing, typing indicators, read-receipts, push-to-talk technology, file sharing technology, and desktop streaming. Additional features can be implemented by any client as long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client.[13]

Install How-To

1. Before adding the repo[14], fetch the key and verify fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  4096R/0xA2B076511A171ABE 2015-08-26 Tox Project <admin@tox.chat>
      Key fingerprint = 0BC7 82D5 57DA 04D8 C542  87F3 A2B0 7651 1A17 1ABE

Download key with scurl to home folder.

scurl -o tox-pubkey.asc https://pkg.tox.chat/debian/pkg.gpg.key

Check fingerprints/owners without importing anything.

gpg --with-fingerprint tox-pubkey.asc

If it looks good import into trusted.gpg.d.

gpg --no-default-keyring --keyring ./tox-pubkey.gpg --import tox-pubkey.asc
sudo cp tox-pubkey.gpg /etc/apt/trusted.gpg.d/tox-pubkey.gpg
sudo sh -c 'echo "deb https://pkg.tox.chat/debian nightly release" > /etc/apt/sources.list.d/tox.list'
sudo apt-get update -qq

The Tox Repository has now been installed.

You can now install utox, qtox, toxic, ratox and tox-bootstrapd.

2. For info about clients see this page then install your client of choice.

On the desktop your choices are to install utox, qtox, toxic or ratox with sudo apt-get install.
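
The fingerprint comparison from step 1, scripted. This is an added example, not code from the Whonix wiki or the Tox project: it parses gpg's machine-readable --with-colons listing, compares the primary key fingerprint with the one quoted above, and also rejects a file that carries more than one primary key, because every key in the file would end up in trusted.gpg.d. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki or the Tox project.
# Usage: sh check-tox-key.sh tox-pubkey.asc   (script name is hypothetical)

# Fingerprint exactly as quoted in step 1 of this page.
EXPECTED_FPR="0BC7 82D5 57DA 04D8 C542  87F3 A2B0 7651 1A17 1ABE"

# Constructed sample of `gpg --with-colons` output, for offline testing only.
# The subkey id and subkey fingerprint are made-up placeholders.
SAMPLE_LISTING='pub:-:4096:1:A2B076511A171ABE:1440547200:::-:::scESC:
fpr:::::::::0BC782D557DA04D8C54287F3A2B076511A171ABE:
uid:-::::1440547200::::Tox Project <admin@tox.chat>:
sub:-:4096:1:1111111111111111:1440547200::::::e:
fpr:::::::::1111111111111111111111111111111111111111:'

# Strip whitespace and upper-case the hex digits so that the human-readable
# form ("0BC7 82D5 ...") and the colon-listing form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin and print one fingerprint per primary key.
# Only the fpr record that directly belongs to a pub record is used;
# subkey fingerprints (fpr records following sub) are ignored.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" || $1 == "sec" || $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# check_listing EXPECTED   (colon listing on stdin)
# 0 = exactly one primary key and its fingerprint matches
# 1 = exactly one primary key, fingerprint differs
# 2 = no key found, or more than one primary key in the file
check_listing() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 2
    [ "$(normalize_fpr "$found")" = "$expected" ] || return 1
    return 0
}

# Inspect a key file without importing it, as in step 1, and check it.
verify_keyfile() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | check_listing "$EXPECTED_FPR"
}

# Only act when a key file is given on the command line.
if [ -n "${1:-}" ]; then
    if verify_keyfile "$1"; then
        echo "fingerprint matches, ok to import: $1"
    else
        echo "DO NOT IMPORT $1: fingerprint mismatch or unexpected keys" >&2
        exit 1
    fi
fi
```

Run it on tox-pubkey.asc after the scurl download and continue with the import commands only if it reports a match.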


  • Add instructions on how to use it in Whonix.
  • Add instructions on how to use it with Stream Isolation without Tor over Tor.



Linphone is one of the most feature-rich Free Software clients available, second only to Jitsi in that respect, but second to none in stability and performance according to testing. It can also support conferencing (audio only as of 2014).[15] Additionally it has fully developed clients for all desktop and mobile operating systems.

Should an Android port of Onioncat ever become a reality by the Guardian Project, Linphone can be used for anonymous VoIP between all combinations of device form factors. There is headway on that front.[16]

Setup with Whonix

Technically, only one member of the chat party needs to configure a Tor Hidden Service (be a callee). Others can run Onioncat in 'client' only mode (be a caller).

Bidirectional communication can only be established after the client party (caller) connects to the one running a hidden service 'server' mode (callee), because the latter can accept incoming connections while the former cannot.

                                      callee   caller
Can make outgoing calls               Yes      Yes
Can initially receive incoming calls  Yes      No
Needs to host a Tor hidden service    Yes      No
Setup difficulty                      medium   easy

Setup as Both, Callee or Caller

You only have to read this if you want to use linphone as both callee and caller. As a caller, you can only make outgoing calls. As a callee (that includes the ability of being a caller), you can make outgoing calls and receive incoming calls. Only one of the two calling partners has to follow these instructions. However, it doesn't matter if both calling partners follow them.

On your Whonix-Gateway.

If you want to read an introduction about hidden services and to learn about hidden service security, see Hidden Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Hidden Services basics), see Hidden Services.

Open your /etc/tor/torrc.

sudo nano /etc/tor/torrc

Add. [17]

HiddenServiceDir /var/lib/tor/linphone_service/
HiddenServicePort 64739 :64739

Reload Tor.

sudo service tor reload

Reminder: To get your hidden service url.

sudo cat /var/lib/tor/linphone_service/hostname

Reminder: Backup your hidden service key, in case you want to be able to restore it, on another machine, on a newer Whonix-Gateway, after hdd failure, etc. You can find it here and need sudo to access it.


On your Whonix-Workstation.

Update your package lists

sudo apt-get update

Install onioncat and linphone.

sudo apt-get install onioncat linphone

Start onioncat. Replace address.onion with your actual hidden service url from above.

sudo ocat address.onion -U -l :64739

As of onioncat r555 (only applies to Jessie onwards), onioncat starts in unidirectional 'client' mode by default. To accept incoming connections, -U must be used. Mutual authentication is also available in this newer version, which is needed to ensure that the identities of all endpoints engaged in a transaction are verified. [18]

Find out your onioncat IPv6 address.

ip addr show dev tun0

Open Linphone settings and select IPv6. Apply and restart Linphone.

Setup only as Caller

You only have to read this if you want to use linphone as caller only. As a caller, you can only make outgoing calls. Only one of the two calling partners can follow these instructions. If both calling partners followed these instructions, they would not be able to call each other.

On your Whonix-Workstation.

Update your package lists

sudo apt-get update

Install onioncat and linphone.

sudo apt-get install onioncat linphone

Start onioncat.

sudo ocat -R

Open Linphone settings and select IPv6. Apply and restart Linphone.


On your Whonix-Workstation.

At this point you should have exchanged the IPv6 address of the callee. To call someone, put the following in the call box. You can keep user. You must use the brackets. Replace onioncat IPv6 address with the actual IPv6 address of your calling partner.

user@[onioncat ipv6 address]

On your Whonix-Workstation.

To terminate onioncat you could use.

sudo kill -sigint $(pgrep ocat)


To make Onioncat autostart with the system using the parameters listed above, edit its configuration file:

sudo nano /etc/default/onioncat

Enable the autostart comment by removing '#':


Add your settings:

DAEMON_OPTS="Parameters go here"

Credits go to HulaHoop for researching how to use Linphone with Tor and for sharing instructions in the Whonix User Forum.


Jacob Appelbaum (Tor researcher) recommends[19] Jitsi[20] (this applies if _not_ using Tor). It supports OTR encryption and ZRTP and is available in Debian Testing.

Jitsi supports push to talk.

Jitsi is the most feature-rich Free Software VoIP client. The team behind it is very innovative, constantly focusing on adding new functionality. It supports many protocols and advanced features like multi-party video conferencing, in which someone's client will be running in server mode for that purpose because of latency management.[21]

Its stability leaves more to be desired, however. Alpha stage clients are available for Android.

Unfortunately it is not usable with Tor, because the Tor network does not support UDP and because Jitsi does not support TCP for audio/video at time of writing (April 2014).

TODO: write a guide on how to connect to a free public server, having a secure ZRTP encrypted conversation with someone using the same client (note: impossible as of April 2014 without revealing the ip numbers of the corresponding parties to both eavesdroppers and the server).


Nathan Freitas (Tor Orbot developer) likes[22] sflphone[23]. Can be installed from Debian package sources.

It does not support OTR. You would have to keep that in mind and use another way to exchange encrypted text. This isn't a reason not to use it, if you are aware of that.

TODO: research, does sflphone support push to talk?

TODO: write a guide how to connect to a free public server, having a secure ZRTP encrypted conversation with someone using the same client.


OnionPhone[24] is the successor to TOR Fone, improving the ciphers used, among other problems[25]. The repository is here[26].

The main improvement is that OnionPhone can now be used as a VoIP plugin that integrates with TorChat, using the Tor network to protect and anonymize your communication in this mode. It is also the only mode that makes sense in terms of usability, because otherwise it's a command line utility.

OnionPhone works on Linux and Windows, with Android support planned.

Other modes of operation include using the Tor network as a decentralized and secure alternative for SIP signalling. The call streams are then initiated directly using either TCP or UDP (for NAT traversal). Note that metadata is not concealed in that mode.

It can be run standalone with direct connections with OnionCat.

TODO: Encourage Debian Packaging

TODO: Build, test and document usage instructions with TorChat




  • Mumble[27] looks a bit like Team Speak without its disadvantages.
  • It's Open Source.
  • And supports client to server encryption.[28]
  • Supports push to talk.[29]
  • You can (and must) force TCP mode[30], because the Tor network does not support UDP yet.
  • One has to act as server.
  • Everyone else can act as client.
  • If the server admin runs the server on its local machine and also wants to connect to the server, the admin should connect locally to the server, i.e. to and not the hidden service domain to have faster connection.
  • For group chats you have to consider that there is no end-to-end encryption, and once the server has been compromised, conversations are no longer private. However, if two people use mumble just to talk to each other this doesn't matter and you could safely do that with mumble.
  • When one of the two communication partners hosts a mumble server as Tor hidden service and the other one connects over Tor, encryption is already provided by Tor. There are different ways to achieve security. In this case, setting a server password (explained below), should be sufficient. Mumble's own encryption isn't required. Alternatively, feel free to learn about mumble certificates for defense in depth, channel passwords instead of server password and so on.

Mumble Server Instructions

If you want to read an introduction about hidden services and to learn about hidden service security, see Hidden Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Hidden Services basics), see Hidden Services.

On Whonix-Gateway.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc


HiddenServiceDir /var/lib/tor/mumble_service/
HiddenServicePort 64738


Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if, after completing all these steps, you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

To get your Tor hidden service url.

sudo cat /var/lib/tor/mumble_service/hostname

Reminder: Backup your hidden service key, in case you want to be able to restore it, on another machine, on a newer Whonix-Gateway, after hdd failure, etc. You can find it here and you require root to access it.



You can use the usual Qubes tools. The following example shows how to copy /var/lib/tor/hidden_service/private_key from your sys-whonix VM to your vault VM (should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/hidden_service/private_key

Using that exact example, you could then find the Tor hidden service private key in your vault VM in file.


Consider moving the file from QubesIncoming folder to a location of your choice.

You can then use the usual Qubes capabilities to backup your vault (and/or other) VMs. Can be conveniently done using QubesManager. Please refer to the Qubes documentation about backups on how to do that.


TODO document
See also, File Transfer.

On Whonix-Workstation.

Update package lists.

sudo apt-get update

Install the mumble-server package.

sudo apt-get install mumble-server

Configure the server.

sudo dpkg-reconfigure mumble-server

The following questions...

  • Autostart, better yes. Otherwise you would have to "sudo service mumble-server start", which didn't work for me.
  • Higher priority? Yes.
  • Password: choose a secure password.

There is also an upstream Murmur, i.e. mumble server guide. The upstream guide does not consider hidden services, that's the part already described here. For any other questions regarding the server setup, you can also refer to the upstream documentation.

Set a server password.

Open /etc/mumble-server.ini in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/mumble-server.ini

If you are using a terminal-only Whonix, run:

sudo nano /etc/mumble-server.ini

Search for "serverpassword=" and fill it in.


Restart mumble-server.

sudo service mumble-server restart

Mumble Client

Update package lists.

sudo apt-get update

Install mumble.

sudo apt-get install mumble


Start mumble.

Start menu -> Applications -> Internet -> Voice Chat

Configure mumble to your liking.

Enable Force TCP mode.

Go to Configure -> Check "Advanced" -> Network -> Check "Force TCP mode" -> Ok

Add Server

Add a new server:

Server -> Connect -> Add new ->

    Label   : anything, can be same as .onion domain name
    Address : your .onion domain name or,
              if the mumble server is running in your own
              Whonix-Workstation choose
    Port    : 64738
    Username: anything

You can now connect to the server.

Technical Comments

[31] Implementing privacy critical software in a browser is seen as a bad and dangerous idea by security conscious Free Software developers. Browser security holes and lack of adequate process isolation could lead to theft of private encryption keys by malicious code running in the browser.


USB Webcam Passthrough

The firmware of USB devices could be flashed by malware and cross infect the host.

TOR Fone

The developer of TOR Fone (a fork of SpeakFreely) recommends against[32] using TOR Fone. Quote: "I did not think this project as a finished product for practical use." The project got overall a pretty bad review in the mailing list thread.


Does this mean that, for example, my IP and location are safe when using Skype?

Yes, IP and location are safe. Skype has been tested in Whonix, it "works" quite well (does it? it seems to have stopped working in 2013 - see [33]), still recommended against. Some further comments you should be aware of:

Those are not Whonix or Tor issues, those are Skype issues. Consider Skype usage pseudonymous rather than anonymous. Skype is closed source and given Skype's history (reading BIOS etc. just research) it's very likely that they link all your account names inside Whonix-Workstation to the same pseudonym.

Also obviously, if you log into an account, which you have ever used without Tor, consider the account non-anonymous. You really should assume, that they have logs and link your Tor and non-Tor use together.

Security doesn't depend on your local security and key management, but on a third party, the Skype authority. Consider the Skype encryption broken by the Skype authority.

Another obvious thing, if you chat with people, who have not created their account over Tor and who have not always connected over Tor, it's also not so hard to guess who you are. Remember, you are not in control of Skype's encryption keys and Skype is not Open Source, thus do not rely on Skype's encryption.

Voice recognition software also got very sophisticated. Since you should be unsure if the Skype encryption is broken or not, voice recognition software could be used to find out who you are.

Also read Do not mix Modes of Anonymity!

In conclusion Skype usage does not leak IP/location, but is discouraged anyway, unless you want to use it for circumvention only, without wanting to be anonymous or pseudonymous.

What's the point in using Skype if you and all your chat partners are also willing to create and use their accounts only over Tor? You are advised to use Skype alternatives.

If you are wondering, why Skype works at all in Whonix over Tor, since Tor only supports TCP, see technical details: [34]


There is a Comparison of VoIP software in Wikipedia. The client should be Open Source and if you are not calling from .onion to .onion (and let Tor handle encryption) it should also support voice encryption such as ZRTP.

Development Ideas


OnionCat could be useful if tunneling UDP and/or ICMP over Tor should be required. It should be avoided if possible, because it adds complexity to the setup. Does it introduce more latency because the connection always goes from hidden service to hidden service?


External Resources


  1. https://en.wikipedia.org/wiki/ZRTP
  2. http://zfoneproject.com/faq.html#vbr
  3. http://www.webcitation.org/6RrGGaAho
  4. https://en.wikipedia.org/wiki/Walkie-talkie
  5. https://en.wikipedia.org/wiki/Push-to-talk
  6. http://en.wikipedia.org/wiki/Procedure_word
  7. Apart from trying to exploit random Tor users.
  8. https://wiki.tox.chat/users/faq#what_is_tox
  9. https://tox.chat
  10. https://wiki.tox.chat/users/tox_over_tor_tot
  11. https://wiki.tox.chat/clients
  12. http://nacl.cr.yp.to
  13. https://en.wikipedia.org/wiki/Tox_(software)
  14. https://wiki.tox.chat/binaries
  15. http://www.linphone.org/docs/liblinphone/group__conferencing.html
  16. https://github.com/guardianproject/ChatSecureAndroid/issues/495
  17. Arbitrary choice of port to avoid conflicts with custom onioncat setups.
  18. http://manpages.debian.org/cgi-bin/man.cgi?query=ocat&apropos=0&sektion=0&manpath=Debian+testing+jessie&format=html&locale=en
  19. https://jitsi.org/Main/News
  20. https://jitsi.org/
  21. https://archive.fosdem.org/2013/schedule/event/hangout_conferences_with_jitsi/
  22. https://lists.torproject.org/pipermail/tor-talk/2013-February/027204.html
  23. http://sflphone.org/
  24. http://www.torfone.org/onionphone
  25. https://lists.torproject.org/pipermail/tor-talk/2013-February/027215.html
  26. https://github.com/gegel/onionphone
  27. http://sourceforge.net/projects/mumble/
  28. http://mumble.sourceforge.net/FAQ/English#Is_Mumble_encrypted.3F
  29. http://www.mumble.com/support/mumble-server-push-to-talk.php
  30. http://en.kioskea.net/faq/26187-mumble-force-tcp-mode
  31. Mumble (and mumble-server)'s connections go through Tor's TransPort. This shouldn't matter, because (connections to and ) hidden services (itself) are stream isolated so or so, see Stream Isolation for more information on TransPort, SocksPort, Stream Isolation and so on.
  32. https://lists.torproject.org/pipermail/tor-talk/2013-February/027215.html
  33. http://community.skype.com/t5/Security-Privacy-Trust-and/Is-Skype-blocking-TOR-exit-nodes/td-p/1706941
  34. Skype can’t work without a TCP connection
    But Skype can work without UDP
    Blocking UDP is not sufficient
