Host a Bridge or Tor Relay
Hosting a bridge, private bridge, or obfuscated bridge in Whonix. Hosting a middle or exit Tor relay in Whonix.
Introduction
When using Whonix, it is still possible to volunteer for the Tor network by hosting a bridge, private bridge, obfuscated bridge, private obfuscated bridge, middle node or exit relay. This configuration is set up either inside Whonix-Gateway™ or directly on the host.
Rationale
Anonymity might or might not be improved by hosting a Tor relay and/or bridge and using it to mix personal client Tor traffic. The reason is that an adversary observing the traffic must classify both the traffic generated by the Tor relay or bridge and your personal client traffic. To learn more about this topic, refer to posts by The Tor Project (developers of the Tor software). [1]
Quoting The Tor Project, New low cost traffic analysis attacks and mitigations:
In terms of mitigating the use of these vectors in attacks against Tor, here are our recommendations for various groups in our community:
Users: Do multiple things at once with your Tor client
Because Tor uses encrypted TLS connections to carry multiple circuits, an adversary that externally observes Tor client traffic to a Tor Guard node will have a significantly harder time performing classification if that Tor client is doing multiple things at the same time. This was studied in section 6.3 of this paper by Tao Wang and Ian Goldberg. A similar argument can be made for mixing your client traffic with your own Tor Relay or Tor Bridge that you run, but that is very tricky to do correctly for it to actually help.
Configuration
Outside Whonix-Gateway
This procedure is currently undocumented. Help is most welcome to complete this section.
Inside Whonix-Gateway
Introduction
This procedure has not been tested for a significant period; please contact Whonix developers if you are interested in this configuration.
This configuration is non-trivial for reasons outside Whonix's control and is mostly not specific to Whonix. An open port is required to allow unsolicited incoming connections; see Ports for an explanation.
Prerequisite Knowledge
Before attempting this setup, the following learning exercises are recommended.
- Set up a web server reachable on PC. For example:
Internet
→home router
→PC
→web server
- Set up a web server reachable in VM. For example:
Internet
→home router
→PC
→Debian (not Whonix) VM
→web server
After succeeding with both configurations, try the same with Tor in Whonix.
Instructions
Perform these steps in Whonix-Gateway (sys-whonix).
1. Follow all the usual instructions on the torproject.org website inside Whonix-Gateway; the fact that Tor is being run inside a virtual machine does not change the procedure.
2. Set up port forwarding from the host to the virtual machine.
- KVM: Follow the NAT port forwarding instructions for Whonix-Gateway.
- VirtualBox: Port forwarding can also be set using the VirtualBox GUI.
Navigate to Whonix-Gateway
→ Settings
→ Network Interface
→ Port Forwarding
3. Inspect /etc/whonix_firewall/30_default.conf.
4. Read the introductory comment about flexible modular configuration files.
5. Read the comment about Tor Relay Settings.
6. Close the file.
7. Modify Whonix-Gateway™ User Firewall Settings.
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix™, complete these steps.
In the Whonix-Gateway App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway App Qube (commonly called sys-whonix)
→ Whonix User Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu
→ Applications
→ Settings
→ User Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.
Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains the default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be edited directly; below, it is opened without root rights. The file contains an explanatory comment on how to change firewall settings:
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q")
→ Template: whonix-gateway-17
→ Whonix Global Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu
→ Applications
→ Settings
→ Global Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
8. Paste the following content and make adjustments if necessary.
## Allow incoming DIRPORT connections for an optional Tor relay.
GATEWAY_ALLOW_INCOMING_DIR_PORT=1
## Allow incoming ORPORT connections for an optional Tor relay.
GATEWAY_ALLOW_INCOMING_OR_PORT=1
## DIRPORT incoming port.
DIR_PORT=80
## ORPORT incoming port.
OR_PORT=443
9. Reload Whonix-Gateway™ Firewall.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ProxyVM (commonly named sys-whonix)
→ Reload Whonix Firewall
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix Firewall
If you are using a terminal-only Whonix-Gateway, run:
sudo whonix_firewall
10. The procedure is complete.
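The script below is an added example, not Whonix's or the Tor Project's own code. It turns steps 2 through 8 into something checkable: it prints the VBoxManage equivalent of the VirtualBox GUI port-forwarding step, resolves the .d-style firewall settings the way a shell sourcing the directory in name order would (so a key in 50_user.conf overrides the same key in 30_whonix_gateway_default.conf), and cross-checks the result against torrc. Everything not on the page is an assumption: the VM name Whonix-Gateway-Xfce, NAT on the VM's first adapter (hence --natpf1), torrc ORPort/DirPort lines in bare-port form, and the rule that those must equal the OR_PORT/DIR_PORT the firewall opens. The firewall files and torrc are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example (not Whonix code). Resolves .d-style firewall settings in name
# order and cross-checks them against torrc; see the lead-in for assumptions.
# Set WORK_DIR to a directory holding a real whonix_firewall.d/ and torrc to
# check a live system; otherwise constructed sample files are used.

if [ -z "${WORK_DIR:-}" ]; then
  WORK_DIR="$(mktemp -d)"
  trap 'rm -rf "$WORK_DIR"' EXIT
fi
FIREWALL_D="$WORK_DIR/whonix_firewall.d"
TORRC="$WORK_DIR/torrc"
VM_NAME="${VM_NAME:-Whonix-Gateway-Xfce}"   # assumed name; compare with 'VBoxManage list vms'

# Step 2 on the command line. natpf rule: name,proto,hostip,hostport,guestip,guestport;
# empty IPs mean any host address / the VM's NAT address. Run on the host, VM powered off.
vbox_forward_command() {
  printf 'VBoxManage modifyvm "%s" --natpf1 "tor-or,tcp,,%s,,%s" --natpf1 "tor-dir,tcp,,%s,,%s"\n' \
    "$VM_NAME" "$1" "$1" "$2" "$2"
}

# Constructed stand-in for the defaults file: relay ports closed by default.
write_sample_defaults() {
  mkdir -p "$FIREWALL_D"
  cat > "$FIREWALL_D/30_whonix_gateway_default.conf" <<'EOF'
GATEWAY_ALLOW_INCOMING_DIR_PORT=0
GATEWAY_ALLOW_INCOMING_OR_PORT=0
DIR_PORT=80
OR_PORT=443
EOF
}

# The step 8 settings, written to the user override file.
write_sample_user_conf() {
  mkdir -p "$FIREWALL_D"
  cat > "$FIREWALL_D/50_user.conf" <<'EOF'
## Allow incoming DIRPORT connections for an optional Tor relay.
GATEWAY_ALLOW_INCOMING_DIR_PORT=1
## Allow incoming ORPORT connections for an optional Tor relay.
GATEWAY_ALLOW_INCOMING_OR_PORT=1
## DIRPORT incoming port.
DIR_PORT=80
## ORPORT incoming port.
OR_PORT=443
EOF
}

# Constructed torrc whose ORPort does not match the firewall (an easy mistake).
write_sample_torrc() {
  printf 'ORPort 9001\nDirPort 80\n' > "$TORRC"
}

# Resolve one firewall key: source every *.conf in name order, later files win.
effective_setting() {
  for f in "$FIREWALL_D"/*.conf; do
    # shellcheck disable=SC1090
    [ -r "$f" ] && . "$f"
  done
  eval "printf '%s' \"\${$1:-}\""
}

# Value of the first non-comment torrc line for an option (bare-port form assumed).
torrc_option() {
  grep -v '^[[:space:]]*#' "$TORRC" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Returns 0 when every relay port Tor listens on is also opened by the firewall.
check_relay_ports() {
  status=0
  for pair in "OR_PORT ORPort GATEWAY_ALLOW_INCOMING_OR_PORT" \
              "DIR_PORT DirPort GATEWAY_ALLOW_INCOMING_DIR_PORT"; do
    set -- $pair
    fw_port="$(effective_setting "$1")"
    tor_port="$(torrc_option "$2")"
    allowed="$(effective_setting "$3")"
    if [ "$allowed" != "1" ]; then
      echo "WARN: $3 is not 1, incoming $2 connections stay blocked"; status=1
    elif [ "$fw_port" != "$tor_port" ]; then
      echo "WARN: firewall opens $1=$fw_port but torrc has $2 $tor_port"; status=1
    else
      echo "OK: $2 $tor_port is opened by the firewall"
    fi
  done
  return "$status"
}

# Demonstration run: print the forwarding command, report the constructed
# mismatch, correct torrc, and report again.
vbox_forward_command 443 80
write_sample_defaults; write_sample_user_conf; write_sample_torrc
check_relay_ports || printf 'ORPort 443\nDirPort 80\n' > "$TORRC"
check_relay_ports
```

Run as-is, the script first reports that torrc's ORPort 9001 is not the port the firewall opens, then rewrites the sample torrc and reports both ports as consistent. The VBoxManage line is only printed, never executed; it is the CLI form of the GUI path in step 2 and applies to the NAT adapter only. Pointing WORK_DIR at a directory with copies of the live whonix_firewall.d/ and torrc gives the same consistency check for a real configuration.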
Easy Option: Snowflake Pluggable Transport
It was previously possible to install the Flashproxy bridge add-on in Chrome, Chromium and Firefox to help censored users access Tor. Essentially it acted as a miniature proxy that ran in the web browser, checked for clients needing access, and relayed data between them and a Tor relay. [2] However, after being operational between 2013 and 2016, Flashproxy was deprecated in 2017.
The modern alternative to Flashproxy is Snowflake: [3] [4]
Snowflake is an improvement upon Flashproxy. It sends your traffic through WebRTC, a peer-to-peer protocol with built-in NAT punching.
This system is composed of three components: volunteers running Snowflake proxies, Tor users that want to connect to the internet, and a broker, that delivers snowflake proxies to users. ... Volunteers willing to help users on censored networks can help by spinning short-lived proxies on their regular browsers. ... Snowflake uses the highly effective domain fronting technique to make a connection to one of the thousands of snowflake proxies run by volunteers. These proxies are lightweight, ephemeral, and easy to run, allowing us to scale Snowflake more easily than previous techniques.
To assist censored users, the Snowflake pluggable transport can be installed in Tor Browser / Firefox or Chrome. Note that websites browsed by censored users will see their Tor exit node, not you.
To learn more about Snowflake, see here (v3). Note that it is also possible to run a standalone Snowflake proxy (v3) on a server, but this configuration has not yet been attempted in Whonix.
Footnotes