Jump to: navigation, search

Whonix-Gateways Own Traffic Transparent Proxy

Advanced users only!
Usually recommended against and unnecessary!

All traffic from Whonix-Workstation and Whonix-Gateway is routed over Tor. [1] [2] [3] [4]

Whonix-Workstation has the transparent proxying feature enabled by default. (You could disable it if you wanted to.)

Whonix-Gateway has by default no transparent proxying feature. This article explains how you could enable it. There are no known use cases besides leak testing.

On Whonix-Gateway.

For explanation, open /etc/whonix_firewall.d/30_user and read what the settings GATEWAY_TRANSPARENT_TCP and GATEWAY_TRANSPARENT_DNS are about.

Open /etc/whonix_firewall.d/30_user in an editor.

If you are using a graphical environment, run:

kwrite /etc/whonix_firewall.d/30_user

If you are using a terminal (Konsole), run:

nano /etc/whonix_firewall.d/30_user

Open /etc/whonix_firewall.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/whonix_firewall.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/whonix_firewall.d/50_user.conf

Add the following content.

GATEWAY_TRANSPARENT_TCP=1
GATEWAY_TRANSPARENT_DNS=1

Save.

Reload Whonix-Gateway Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run:

sudo whonix_firewall

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add the following content.

TransPort 127.0.0.1:9041
DnsPort 127.0.0.1:54

Save.

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps and you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If your are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, press on expand on the right.

Complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Test if you wish.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212

See Also[edit]

Footnotes[edit]

  1. Since Whonix 0.2.1 also the Whonix-Gateway traffic is routed over Tor. This prevents telling the world that the user is a Whonix user.
  2. To preserve anonymity of activities the user is doing inside Whonix-Workstation, it would not be required to torify Whonix-Gateway's own traffic.
  3. For your interest: if you were to change DNS settings on Whonix-Gateway in /etc/resolv.conf, this would only affect Whonix-Gateways's own DNS requests issued by applications using the system's default DNS resolver. Actually, by default, no applications issuing network traffic on Whonix-Gateway use the system's default DNS resolver. All applications installed by default on Whonix-Gateway issuing network traffic (apt-get, whonixcheck, timesync) are explicitly configured (or forced by uwt wrappers) to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation's default applications are configured to use separate Tor SocksPort's (see Stream Isolation), thus not using the system's default DNS resolver. Any applications on Whonix-Workstation, not configured for stream isolation (for example nslookup), will use the default DNS server configured in Whonix-Workstation in /etc/network/interfaces, which is Whonix-Gateway. Those DNS requests will be redirected to Tor's DnsPort by Whonix-Gateway's firewall. (Therefore Whonix-Gateway's /etc/resolv.conf does not affect Whonix-Workstation's DNS requests.

Random News:

Please consider a recurring donation!


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.