Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Combining Whonix with JonDonym. JonDonym over Tor. Connecting to Tor before JonDonym (User → Tor → JonDonym → Internet ) OR Connecting to JonDonym before Tor (User → JonDonym → Tor → Internet ).

Introduction[edit]

As of June 2021, the JonDonym website states:

Unfortunately, we have to close our service until 2021-08-31. Until then, our operators will ensure you that you can consume your existing plans. Purchasing new plans is not possible any more.

Similar to Tor, JonDonym has a design based on multiple layers of encryption: ^[1]

The JonDonym / AN.ON technology is based on the principle of multiple (layered) encryption, distribution and processing. This procedure does not only protect your Internet activities from being observed by third parties (against your access provider, WLAN hackers, advertising services and websites), but also against observation by the individual JonDonym providers themselves.

... It consists of multiple user selectable mix cascades. A cascade consists of two or three separately encrypted mix servers. These mix servers are operated by independent and non interrelated organizations or private individuals who all publish their identity. The operators have to abide by strict provisions which prohibit saving connection data or exchanging such data with other operators.

Every connection from a user is differently encrypted for every mix server within a cascade and transferred through the cascade to the target, e.g. a website. Thereby no mix operator alone can by himself expose the user. Eavesdroppers on the connections to JonDonym cascades get garbage data only, as the connection to every mix is separately encrypted. Also, since a lot of users surf the anonymization service simultaneously, and thus share the same IP address, all connections of every user are concealed amidst each other: a correlation is not possible any more.

JonDonym vs Tor Comparison[edit]

JonDonym[edit]

JonDonym is an alternative anonymity network which is briefly compared with Tor. ^[2] It is easy to tunnel JonDonym over Tor inside Whonix-Workstation (anon-whonix), which will be discussed further below. In theory, Tor on Whonix-Gateway sys-whonix could be replaced with JonDonym.

The JonDonym network is much smaller than the Tor network, but may be faster. In general, the JonDonym network receives far less attention from security researchers compared to Tor. In 2020, there are 4 premium cascades, 1 free cascade and 2 experimental services. ^[3] The size of the network has decreased since February 2012], when a random snapshot at that time revealed there were 5 two hop free mix cascades, 11 three hop premium mix cascades and 1 test/experimental, free one-hop service.

Mix servers are operated by independent and unassociated organizations or private individuals who publish their identity. ^[4]. All JonDonym operators must abide by strict provisions which prohibit saving connection data or exchanging such data with other operators. Placing faith in JonDonym requires trusting in their policy and server administration skills. Neither the mix server administration nor the JonDo software can prevent a man-in-the-middle attack between the mix server and the destination server.

The free two-hop mix cascade currently has a limit of 600 free users, while the premium three-hop mixes have an unlimited amount of users. ^[5] Free users also have other restrictions such as a maximum file size for up- and downloads (2 MB), no SOCKS5 support, and a maximum of two different countries in the path. ^[6] A random snapshot of user data in 2020 showed: ^[7]

• 30 premium users active.
• 133 users relying on free cascades.
• 185 users relaying on experimental cascades. ^[8]

Tor Network[edit]

The JonDonym network is tiny in comparison to the Tor network. A snapshot of Tor metrics on the same day in 2020 reveals around 2.1 million users ^[9], nearly 7,000 relays and over 1,000 bridges. ^{[10] [11]}

The path (circuit) chosen by a Tor client is not predictable and changes every 10 minutes, unless a long-lived onion connection is established. In contrast, a JonDonym user relying on a free two-hop mix cascade will have a predictable entry and exit to the network until the user manually changes it; this similarly applies to all other mix cascades. If a network observer knows the entry or exit, the whole path the client is using through the network is obvious.

The Tor network is run by volunteers from many different countries. Anybody can run a Tor relay -- no formal process or verification of identity is necessary for administrators. The open source software can simply be downloaded, configured and a node volunteered to the network. Due to the open nature of the network, there are obviously both legitimate and malicious nodes. This stands in contrast to JonDonym's small network of known private operators and companies.

A number of attacks have already been performed on the Tor network, such as sniffing of private usernames and passwords by Tor exit relays on unencrypted or SSL-stripped connections. Tor attracts significant interest from researchers, government agencies and adherents due to its popularity and proven track record. Far less attention is given to JonDonym due to the size of the network and user pool which are both serious weaknesses. ^[12]

Summary[edit]

Although they are selling a product, the JonDonym developers seem to be honest about the capabilities and limitations of their network. They constructively participate in the Tor bug tracker, on JonDonym forums, ^[13] and have been amenable to Whonix reusing their material under an Open Source license (with or without modification) to improve our own documentation.

In some aspects JonDonym is more or less secure than Tor; this depends on the the threat model adopted by the user. Interested readers are suggested to review the network comparison and law enforcement entries to draw a conclusion for their own circumstances.

Tunneling JonDonym over Tor (User → Tor → JonDonym → Internet) makes sense in some cases and the JonDonym developers state it is safe; see footnotes. ^{[14] [15]} It is inadvisable to do this for a long period of time, because it adds a permanent exit server, see: Combining Tunnels with Tor for background details.

In conclusion, if it is necessary to download something which cannot be done over TLS (and if there are also no hash sums or signatures), the JonDonym exit might be more trustworthy than a random Tor exit in your personal threat model. However, an alternative is to try and use a specific Tor exit from someone that is trusted.

Surveillance Concerns[edit]

Advanced Adversary Analysis[edit]

Intelligence disclosures in recent years have revealed the assessment of JonDonym by government agencies. ^[16]

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

(S//REL) Championed by German University (Dresden)

(S//REL) (Mostly?) Open source software - some Docs in German (S//REL) Uses a technology known as Cascades

• (S//REL) Each cascade is set of 2 or 3 Mixes

• (S//REL) All internal traffic encrypted

• (S//REL) Free service AN.ON: 5 Cascades

• (S//REL) Premium service JonDoNym: 10 Cascades

(S//REL) Countries: BG, CA, CH, CZ, DE, DK, FR, GB, IT, LU, US, (S//REL) Less than 50 mixes total

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

(S//REL) Comparison with Tor

• (S//REL) Not nearly as well studied

• (S//REL) Much smaller contained development community

• (S//REL) More centralized structure (all mixes centrally approved)

• (S//REL) Not as diverse geographically or scalable

• (S//REL) Not as well used or publicized

(S//REL) Not analyzed in great detail here at NSA (or FVEY?) (TS//SI//REL) Much better chance for Global Adversary (SIGINT :-))

• (TS//SI//REL) Sessionization of DNI still would be a problem

In summary, the tone of the IC disclosure suggests they have greater confidence in deanonymizing JonDonym users due to: less geographical divergence; the smaller network size; a relative lack of scrutiny from researchers; and the centralized structure.

Law Enforcement Assessment[edit]

Quoted from the JonDonym Law enforcement page ^[17]:

JonDonym does not make it impossible to uncover individual users, as there is no such thing as a 100% security. However, such a disclosure is by magnitudes more difficult than for other VPN or proxy services, as this would require the cooperation of several states and organizations.

JonDonym is no technology for preventing law enforcement on the internet. In very serious cases, it is possible to uncover the abuse of Mix services. User connections may be individually observed, if all operators of a Mix cascade get such an official order, valid in their respective country (in Germany accourding to §100a/b StPO). The official order has to provide an identification feature for individually observed connections (like the IP address used by the observed person or something else).

However, the independence of JonDonym operators vastly lowers the danger of an illegitimate law enforcement done by non-democratic states or arbitrary individual public officers. Any disclosure basically needs the cooperation of all operators of a Mix cascade. This was never realized for premium mix cascades in the past.

Each year, JonDonym publishes a report regarding any surveillance actions that have been taken and reported by mix operators. It shows that since 2006, five surveillance court orders have been received which affected a total of 6 years of operation (2006, 2009-12, 2014). It is believed that up until now, no JonDonym user has ever been de-anonymized.

It should be noted the Tor network also suffers from legal attacks -- for instance there have been some raids of Tor exit servers -- but this also did not (and could not) lead to de-anonymization. It is suspected that both networks provide strong protections against compromise if they are correctly used. However, they will fail to protect users who deanonymize themselves by posting private information, failing to follow documentation, connecting without going through the anonymity network / without proxy bypass, being affected by viruses and so on.

Connecting to Tor before JonDonym[edit]

Introduction[edit]

It is possible to run JonDonym inside Whonix-Workstation: User → Tor → JonDonym → Internet

If this tunnel configuration is desired, it is suggested to first read the following two related wiki entries:

• Combining Tunnels with Tor
• Connecting to Tor before a Proxy

By tunneling JonDonym over Tor, this might be useful in circumventing Tor bans. However, this configuration will also add a permanent exit relay, which is harmful to anonymity. ^[18] Other negative impacts include the loss of stream isolation, a worsened browser fingerprint, and unavailability of Tor onion services connections.

The instructions below install JonDo - the IP changer software package (GUI version) manually by hand; a console version is also available. If installation from the JonDonym GNU/Linux repository is preferred, follow the relevant steps here. At the time of writing, the JonDonym repository does not appear to support Debian buster which Whonix is based on; also see footnote. ^[19]

JonDo IP Changer Proxy Tool Installation[edit]

pub   rsa4096/2146D0CD2B3CAA3E 2014-10-20 [SC] [expires: 2024-10-17]
      Key fingerprint = 6899 5C53 D2CE E11B 0E41  82F6 2146 D0CD 2B3C AA3E
uid   JonDos GmbH (Software Signing Key) <software@jondos.de>
sub   rsa4096/435B56FDF9115DBF 2014-10-20 [E] [expires: 2024-10-17]

gpg: key 0x2146D0CD2B3CAA3E: public key "JonDos GmbH (Software Signing Key) <software@jondos.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Mon 06 Feb 2017 10:14:57 AM UTC
gpg:                using RSA key 0x2146D0CD2B3CAA3E
gpg: Good signature from "JonDos GmbH (Software Signing Key) <software@jondos.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6899 5C53 D2CE E11B 0E41  82F6 2146 D0CD 2B3C AA3E

Launch JonDonym[edit]

After installation a placeholder for JonDonym should appear in the application menu. If it does not appear, it can simply be launched from the terminal.

jondo

Free vs Premium Accounts[edit]

Free accounts can connect only to ports 80 and 443. Further, only a HTTPS proxy interface is provided, not a SOCKS proxy. ^[23] Premium accounts have unrestricted port options and support the SOCKS proxy. The full comparison can be found here.

JonDonym HTTPS Proxy Test[edit]

This also works with JonDonym free accounts.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --proxytunnel --proxy 127.0.0.1:4001 https://check.torproject.org

JonDonym SOCKS Proxy Test[edit]

This requires a JonDonym premium (paid) account.

Try this test command. UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 --socks5-hostname socks5h://127.0.0.1:4001 https://check.torproject.org

If the following message appears, it indicates the local JonDo has not opened a listener. Check if JonDonym has been started or configured to use a non-default port.

curl: (7) couldn't connect to host

If the following message appears, you are likely only using a free account (therefore SOCKS is unavailable).

curl: (7) Unable to receive initial SOCKS5 response.

JonDoFox vs Tor Browser[edit]

Users must make an informed decision whether to prefer JonDoFox or Tor Browser.

It may be more sensible to use JonDoFox in order to blend in better with other JonDonym users, but this is unclear. In this case, no special settings are required.

If Tor Browser is preferred for browsing: user → Tor → JonDonym → destination server, then the proxy settings must be changed via TorButton. Start Tor Browser, open TorButton settings and choose custom proxy settings. HTTP should be set to 127.0.0.1, with port set to 4001 and leave all other fields free except no proxy for 127.0.0.1. Browse to https://ip-check.info/ to see if it correctly configured.

Future Integration[edit]

See Dev/JonDo if you are interested in a development discussion about JonDo(Fox) being pre-installed in Whonix.

Connecting to JonDonym before Tor[edit]

Introduction[edit]

It is possible to configure Tor to use JonDonym as a proxy to establish the following tunnel: User → JonDonym → Tor → Internet

A JonDonym premium account is not required; this configuration is functional with JonDonym free. If this tunnel configuration is desired, it is recommended to first read the following two related wiki entries:

• Combining Tunnels with Tor
• Connecting to Proxy before Tor

The anonymity effects are disputed when tunneling Tor over JonDonym; see here for further information. The instructions below also have a number of current limitations: ^[24]

• JonDonym is installed in a separate ProxyVM behind sys-whonix. ^[25]
• This configuration is very impractical. Since Qubes does not yet support static IP addresses, the Tor configuration setting /etc/tor/torrc 'HTTPSProxy 10.137.10.1:4001' is not stable. When the JonDonym ProxyVM has its IP changed, connectivity breaks and /etc/tor/torrc in sys-whonix needs a manual update.
• It would be preferable to increased usability by documenting how to run JonDonym directly in sys-whonix -- under user tunnel with TUNNEL_FIREWALL=true etc. -- however, this would mean less isolation.
• This configuration does not yet autostart JonDonym.

Installation and Configuration[edit]

Config → user interface → extended view.

sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall

#!/bin/bash

## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -o pipefail

error_handler() {
  echo "ERROR!" >&2
  exit 1
}

trap "error_handler" ERR

[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT

$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X

$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT

$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X

exit 0

chmod +x ~/fw-unload

sudo ~/fw-unload

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*raw
:PREROUTING ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
COMMIT

HTTPSProxy 10.137.10.1:4001

Active: active (running) since ...

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

JonDoBox: Substituting Tor with JonDonym[edit]

This was just a development idea with some limited progress. Interested readers can review the material here.

Screenshots[edit]

Figure: Java Anon Proxy (JonDonym) Client Software in Whonix

Figure: JonDonym Client Software Settings

License[edit]

Gratitude is expressed to JonDos for permission to use material from their website. The "Whonix JonDonym" wiki page contains content from the JonDonym documentation Network page.

Footnotes / References[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!