Chaining Anonymizing Gateways
By default, all Whonix-Workstation traffic is forced through Whonix-Gateway. Alternatively, a chain of anonymizing gateways can be built, with sample tunnel configurations outlined below.
Introduction
Before attempting complex tunnel configurations, the following basic knowledge is required:
This Inspiration resource may also be useful.
Possible Configurations
Pre-Tor-VPN
## chain: Whonix-Workstation -> VPN-Gateway -> Whonix-Gateway -> clearnet
## connection scheme: user -> VPN -> Tor -> Internet
For instructions, see here. To learn more details about this configuration, refer to this entry.
Post-Tor-VPN
## chain: Whonix-Workstation -> Whonix-Gateway -> VPN-Gateway -> clearnet
## connection scheme: user -> Tor -> VPN -> Internet
For instructions, see here. To learn more details about this configuration, refer to this entry.
Pre- and Post-Tor-VPN
## chain: Whonix-Workstation -> VPN-Gateway -> Whonix-Gateway -> VPN-Gateway -> Internet
## connection scheme: user -> VPN -> Tor -> VPN -> Internet
Whonix is not limited to VPN-Gateways; the VPN can be replaced with a Proxy-Gateway.
Post-Tor-Proxy
## chain: Whonix-Workstation -> Proxy-Gateway -> Whonix-Gateway -> clearnet
## connection scheme: user -> Tor -> Proxy -> Internet
For instructions, see here. To learn more details about this configuration, refer to this entry.
Other Connection Schemes
Virtually any combination is possible: a Post-Tor-Proxy; a Pre/Post-Tor-SSH; or the proxy being replaced with JonDo or perhaps I2P.
Always remember that the connection will be created in reverse order; see the example below. [1]
## chain: Whonix-Workstation -> Proxy-Gateway -> Whonix-Gateway -> VPN-Gateway -> clearnet
## connection scheme: user -> VPN -> Tor -> Proxy -> Internet
Upon reflection, it becomes clear why the connection happens in reverse order:
- Whonix-Workstation has no option but to pass through the Proxy-Gateway.
- The Proxy-Gateway has no option but to pass through Whonix-Gateway.
- In this case, the last element in the chain is the VPN-Gateway, which must obviously connect via clearnet.
In other terms:
- The VPN-Gateway uses clearnet.
- Whonix-Gateway uses the VPN-Gateway to connect.
- The Proxy-Gateway uses Whonix-Gateway to connect.
- Whonix-Workstation uses the Proxy-Gateway to connect.
Since the Proxy-Gateway can only pass through Whonix-Gateway followed by the VPN-Gateway, it is clear why the proxy will be the last hop in front of the destination server.
Other Considerations
Whether these combinations make sense in terms of security and anonymity is hotly debated and depends on your personal threat model; see Tor plus VPN or Proxy. Advanced tunneling configurations also require knowledge of how to properly edit /etc/network/interfaces on Whonix-Gateway and/or on Whonix-Workstation. In the case of Non-Qubes-Whonix, this refers to the virtual internal network name in VirtualBox settings.
This process is generally difficult because no other anonymizing gateways (VPN / JonDo / I2P / Proxy / SSH) are available for download in Whonix, only Whonix-Gateway, which uses Tor to anonymize traffic. This means a search for instructions is often required and/or an anonymizing gateway must be built from scratch. [2]
For a VPN-Gateway, see also:
Footnotes