Connecting to Tor before a Proxy using Proxy Settings Method

From Whonix
Revision as of 17:40, 1 October 2023 by Patrick

There are 3 different ways to configure an additional proxy.

User → Tor → Proxy → Internet

Before combining Tor with other tunnels, be sure to read and understand the risks!

See also proxy warning!

Configure Applications to use Proxy Settings Method

General information (unspecific to Whonix):

  • Essentials: See the notices on top of this wiki chapter. These links should be read first.
  • Different methods available: One option to make an application use a proxy is to use the application's native proxy settings. This is explained in this wiki chapter. For alternative methods, see the mini navigation on the very top of this wiki page.
  • Essentials: This of course presupposes that the application has proxy settings.
  • Leak Potential: There could be leaks.
  • Leak Definition: What is a leak in this context? A leak means that the user thinks the application is using the proxy, but the application is actually not using the proxy.
    • Application Specific: Whether proxy settings are honored by an application or not is another question and out of scope of this documentation because this is difficult.
    • Difficulty: Since manual proxy configuration using the application's proxy settings is very difficult and very vulnerable to leaks, the Whonix project was founded.
    • Reliability: Whonix is a project which does only one thing but does that one thing well. That one thing is to configure a (virtual) machine to securely, reliably and always use Tor, which is similar to a proxy but much better. This is also called a leak shield or fail-safe mechanism.
    • No dedicated proxy project: There is no software / project that ensures that a proxy is always reliably used, i.e. a leak shield / fail-safe mechanism for proxies.
    • Instructions Quality: There is generally very little information on the subject of configuring a proxy including a leak shield. Development activity is very low to non-existent. For some old instructions on how to set proxy settings for some applications, the user could have a look at the TorifyHOWTO.

Whonix specific part:

  • Location: Run the application inside Whonix-Workstation.
  • Deactivation of Stream Isolation required: There is a list of applications for which extra steps are required. Before proceeding, it is highly recommended that the user look up, in that list, the application which should be configured for use with an extra tunnel-link. This is because these applications are pre-configured for Stream Isolation. These settings have to be undone. This is documented in the chapters below on this wiki page.
  • Proxy Settings: Other than that, there is no difference from the usual way proxy settings would be used outside of Whonix.
  • Internet Traffic Routing: If the application:
    • A) honors the proxy settings: traffic goes: User → Tor → Proxy → Internet
    • B) does not honor the proxy settings / has a leak bug: traffic goes: User → Tor → Internet
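
One way to tell the two routing cases above (A and B) apart on a test machine, as an added example that is not part of the Whonix documentation: two loopback listeners stand in for the proxy and the destination, and a client is classified by which of them it contacts. The function names and both sample clients are constructed for illustration; the result only covers the HTTP code path exercised and says nothing about DNS or other protocols an application may use.

```python
import http.client
import socket
import threading
from urllib.parse import urlsplit

REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

def start_listener(name, hits):
    """Loopback TCP listener that records every connection it receives."""
    srv = socket.create_server(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.settimeout(5)                             # serving thread ends once idle
    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                with conn:
                    hits.append(name)             # recorded before the reply is sent
                    conn.recv(4096)
                    conn.sendall(REPLY)
        except OSError:                           # accept() timed out or failed
            srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv

def classify(client):
    """Run client(dest_url, proxy_url) and report which path its traffic took."""
    hits = []
    proxy, dest = start_listener("proxy", hits), start_listener("destination", hits)
    proxy_url = "http://127.0.0.1:%d" % proxy.getsockname()[1]
    dest_url = "http://127.0.0.1:%d/" % dest.getsockname()[1]
    try:
        client(dest_url, proxy_url)
    except OSError:
        pass                                      # judge by what the listeners saw
    if "destination" in hits:
        return "leak"                             # case B: proxy setting not honored
    return "honored" if "proxy" in hits else "no traffic"

def fetch(endpoint, target):
    """Send one GET for target over a TCP connection to endpoint."""
    conn = http.client.HTTPConnection(endpoint.hostname, endpoint.port, timeout=5)
    conn.request("GET", target)
    conn.getresponse().read()
    conn.close()

def client_via_proxy(dest_url, proxy_url):        # constructed: honors the setting
    fetch(urlsplit(proxy_url), dest_url)          # absolute-URI request to the proxy

def client_ignoring_proxy(dest_url, proxy_url):   # constructed: has a leak bug
    fetch(urlsplit(dest_url), "/")                # connects directly to the target
```

To test a real application, replace the sample clients with a function that launches it with `proxy_url` as its configured proxy and `dest_url` as the address to fetch.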

Important Application Specific Notes

Tor Browser Notes

1. Check applicability of these instructions.

Does the user need to follow these instructions? Only if the user intends to use Tor Browser with an extra tunnel-link. For example, if the user only intends to use a different application such as curl with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see the other wiki chapters on this page.

2. Remove default proxy settings by Tor Browser and set custom proxy settings.

Configuration for use of Tor Browser with an HTTP, HTTPS or SOCKS proxy using proxy settings method.

Why is this difficult?

This is difficult and may not work for you.

To learn why this is difficult, please press on Expand on the right.

COMMUNITY SUPPORT ONLY: This wiki chapter is only supported by the community. Whonix developers are very unlikely to provide free support for this content. See Community Support for further information, including implications and possible alternatives.

Archived instructions.

NOTE: The following archived instructions are most likely currently broken due to changes by upstream, The Tor Project. To resolve this issue, the user would have to proceed as per Self Support First Policy. Please post in Whonix forums to notify if this method is currently working, broken or if any solution has been found. To view the archived instructions, please press on Expand on the right.

3. Done.

The process of configuring an extra tunnel-link for Tor Browser has been completed.

Misc Application Notes

1. Check applicability of these instructions.

Does the user need to follow these instructions? Only if the user intends to use any of the applications which are on the list of stream isolated by proxy settings with an extra tunnel-link. For example, if the user only intends to use Tor Browser with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see above chapter.

2. Remove default proxy settings by Whonix.

Whonix ships a number of applications pre-configured for using proxy settings by default. This is for a different purpose: Stream Isolation. If the application you want to tunnel through the extra tunnel-link is on that list, it would conflict with your custom proxy settings. In that case, you need to first remove these proxy settings.

For information on how to remove Whonix default proxy settings, please press Expand on the right.

3. Set custom proxy settings.

This is unspecific to Whonix and undocumented.

4. Done.

The process of configuring an extra tunnel-link for a miscellaneous application has been completed.

uwt wrapped application notes

1. Check applicability of these instructions.

Does the user need to follow these instructions? Only if the user intends to use any application in the list of uwt wrapped applications with an extra tunnel-link. For example, if the user only intends to use Tor Browser with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see above chapter.

2. Remove uwt wrapper by Whonix.

Whonix ships a number of applications pre-configured for using uwt wrappers by default. If the application you want to tunnel through the extra tunnel-link is on that list, it would conflict with your custom proxy settings. In that case, you need to disable that uwt wrapper first.

For information on how to disable Whonix uwt wrappers, please press Expand on the right.

3. Set custom proxy settings.

This is unspecific to Whonix and undocumented.

4. Done.

The process of configuring an extra tunnel-link for a miscellaneous application has been completed.

Footnotes

  1. Qubes-Whonix users note: In an App Qube (whonix-workstation-17), one could also use the file /usr/local/etc/torbrowser.d/50_user.conf instead.

    1. Create folder /usr/local/etc/torbrowser.d (if using Tor Browser Downloader by Whonix developers) and optionally /usr/local/etc/mullvadbrowser.d (if using Mullvad Browser by Kicksecure developers).

    mkdir -p /usr/local/etc/torbrowser.d

    mkdir -p /usr/local/etc/mullvadbrowser.d

    2. Open file /usr/local/etc/torbrowser.d/50_user.conf in an editor with root rights.

    Non-Qubes-Whonix

    See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

    Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

    sudoedit /usr/local/etc/torbrowser.d/50_user.conf

    Qubes-Whonix

    NOTES:

    • When using Qubes-Whonix, this needs to be done inside the Template.

    sudoedit /usr/local/etc/torbrowser.d/50_user.conf

    • After applying this change, shut down the Template.
    • All App Qubes based on the Template need to be restarted if they were already running.
    • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

    Others and Alternatives

    • This is just an example. Other tools could achieve the same goal.
    • If this example does not work for you or if you are not using Whonix, please refer to this link.

    sudoedit /usr/local/etc/torbrowser.d/50_user.conf

    And/or:

    sudoedit /usr/local/etc/mullvadbrowser.d/50_user.conf

  2. TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when Whonix tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
  3. By tb-updater default, if unset, variable CURL_PROXY will be dynamically set to a Tor SocksPort on Whonix-Gateway. For example to CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115".
    By utilizing a curl parameter we are using anyhow -- CURL_PROXY="--fail" -- the environment variable can be disabled even if it is technically still set. This will result in downloading via the system's default networking.
  4. Qubes-Whonix users note: Or alternatively in App Qube.

    1. Create folder /usr/local/etc/uwt.d.

    sudo mkdir -p /usr/local/etc/uwt.d

    2. Open with root rights:

    sudoedit /usr/local/etc/uwt.d/50_user.conf
