Whonix-Gateway™ Traffic: Transparent Proxying
Donate
Getting Transparent Proxying working for traffic originating from Whonix-Gateway itself.
Introduction[edit]
All traffic originating from Whonix-Workstation™ and Whonix-Gateway™ is routed over Tor. [1] [2] [3] [4] [5] [6] [7]
Whonix-Workstation™ has the transparent proxying feature enabled by default. (You could disable it if you wanted to.)
Whonix-Gateway has by default no transparent proxying feature.
The same in other words: Whonix-Gateway by default transparently proxies traffic originating from Whonix-Workstation, but does not transparently proxy traffic that is generated by Whonix-Gateway.
Instructions below document how you could enable it. There are no known use cases besides leak testing.
How-to: Enable Transparent Proxying for Whonix-Gateway own Traffic[edit]
Advanced users only!
Usually recommended against and unnecessary!
Modify Whonix-Gateway™ User Firewall Settings.
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix™, complete these steps.
In Whonix-Gateway App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → User Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.
Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-gateway-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
Add the following content.
GATEWAY_TRANSPARENT_TCP=1 GATEWAY_TRANSPARENT_DNS=1
Save.
Reload Whonix-Gateway™ Firewall.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ProxyVM (commonly named sys-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Gateway, run. sudo whonix_firewall
Open file /usr/local/etc/torrc.d/50_user.conf in a text editor
of your choice with sudoedit.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway, complete the following steps. sudoedit /usr/local/etc/torrc.d/50_user.conf
Add the following content.
TransPort 127.0.0.1:9041 DnsPort 127.0.0.1:54
Save.
Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named 'sys-whonix') → Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → Reload Tor
If you are using a terminal-only Whonix-Gateway, click
HERE for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
Test if you wish.
UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 -H 'Host: check.torproject.org' -k https://116.202.120.181
See Also[edit]
Footnotes[edit]
- ↑
Starting from Whonix version
0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network. - ↑ For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.
- ↑
For those interested: Altering DNS settings on Whonix-Gateway in
/etc/resolv.confonly impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort(refer to Stream Isolation). - ↑
Whonix-Workstation's default applications are configured to use dedicated Tor
SocksPorts(see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such asnslookup- will employ the default DNS server configured in Whonix-Workstation (through/etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's/etc/resolv.confdon't influence Whonix-Workstation's DNS queries. - ↑
Traffic produced by the Tor process, which by Debian's default operates under the user
debian-tororiginating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user accountdebian-toris exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet. - ↑
Tor version
0.4.5.6(with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote. - ↑
Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
- Proxy settings that use proxies with domain names instead of IP addresses.
- Some Tor pluggable transports such as meek lite, which resolves domains set in
url=andfront=to IP addresses or snowflake's-front.
The most watertight privacy operating system in the world.
At Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-2023 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!