Getting Transparent Proxying working for traffic originating from Whonix-Gateway itself.

Introduction[edit]

All traffic originating from Whonix-Workstation^™ and Whonix-Gateway^™ is routed over Tor. ^[1] ^[2] ^[3] ^[4] ^[5] ^[6] ^[7]

Whonix-Workstation^™ has the transparent proxying feature enabled by default. (You could disable it if you wanted to.)

Whonix-Gateway has by default no transparent proxying feature.

The same in other words: Whonix-Gateway by default transparently proxies traffic originating from Whonix-Workstation, but does not transparently proxy traffic that is generated by Whonix-Gateway.

Instructions below document how you could enable it. There are no known use cases besides leak testing.

How-to: Enable Transparent Proxying for Whonix-Gateway own Traffic[edit]

Advanced users only!
Usually recommended against and unnecessary!

Modify Whonix-Gateway^™ User Firewall Settings.

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix^™, complete these steps.
In Whonix-Gateway App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Gateway, complete these steps.

Start Menu → Applications → Settings → User Firewall Settings

If using a terminal-only Whonix-Gateway, complete these steps.

In Whonix-Gateway, open the whonix_firewall configuration file in an editor.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.

Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-gateway-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Gateway, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Gateway, complete these steps.

In Whonix-Gateway, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf

Add the following content.

GATEWAY_TRANSPARENT_TCP=1 GATEWAY_TRANSPARENT_DNS=1

Save.

Reload Whonix-Gateway^™ Firewall.

If you are using Qubes-Whonix^™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ProxyVM (commonly named sys-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run. sudo whonix_firewall

Open file /usr/local/etc/torrc.d/50_user.conf in a text editor of your choice, with administrative rights.

Platform specific. Select your platform.

Non-Qubes

If you are using a graphical Whonix-Gateway, take the following step.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

Qubes-Whonix

If you are using Qubes-Whonix^™, take the following step.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway^™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

CLI

If you are using Whonix-Gateway with command line interface (CLI), take the following step. sudoedit /usr/local/etc/torrc.d/50_user.conf

Add the following content.

TransPort 127.0.0.1:9041 DnsPort 127.0.0.1:54

Save.

Reload Tor.

After changing Tor configuration, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix^™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway^™ ProxyVM (commonly named 'sys-whonix') → Reload Tor

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway, click HERE for instructions.

Complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Test if you wish.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 -H 'Host: check.torproject.org' -k https://116.202.120.181

Footnotes[edit]

↑ Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.
↑ For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.
↑ For those interested: Altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).
↑ Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will employ the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's /etc/resolv.conf don't influence Whonix-Workstation's DNS queries.
↑ Traffic produced by the Tor process, which by Debian's default operates under the user debian-tor originating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet.
↑ Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.
↑
Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
- Proxy settings that use proxies with domain names instead of IP addresses.
- Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.

[2] For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.

[3] For those interested: Altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).

[4] Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will employ the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's /etc/resolv.conf don't influence Whonix-Workstation's DNS queries.

[5] Traffic produced by the Tor process, which by Debian's default operates under the user debian-tor originating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet.

[6] Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.

[7] Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
Proxy settings that use proxies with domain names instead of IP addresses.

Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

[8] Proxy settings that use proxies with domain names instead of IP addresses.

[9] Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

Whonix-Gateway^™ Traffic: Transparent Proxying

Contents

Introduction[edit]

How-to: Enable Transparent Proxying for Whonix-Gateway own Traffic[edit]

Non-Qubes

Qubes-Whonix

CLI

See Also[edit]

Footnotes[edit]

Navigation menu

Whonix-Gateway™ Traffic: Transparent Proxying

Introduction[edit]

How-to: Enable Transparent Proxying for Whonix-Gateway own Traffic[edit]

Non-Qubes

Qubes-Whonix

CLI

See Also[edit]

Footnotes[edit]

Navigation menu

Search

Whonix-Gateway^™ Traffic: Transparent Proxying