New illustrative Whonix stream isolation image with 4 Tor relays. (Instead of 3 in the past.) See also vanguards.
Whonix Tor Stream Isolation Short Introduction
Default Stream Isolation Configuration: Applications such as Tor Browser, ssh, gpg, wget, curl, git, and apt are configured for stream isolation by default; the full list can be found here.
Stream Isolation Advantages: With this configuration, these applications take different paths through the Tor network. This protects against identity correlation through Tor circuit sharing and therefore makes them more anonymous. [1]
[1] If stream isolation is not enforced, different activities conducted in separate applications may pass through the same Tor circuit and exit relay, correlating these activities to the same pseudonym.
It might be required to disable stream isolation for applications that require local connections. For example, this is the case when opening a local ssh listener:
If the following command is run: ssh 10.152.152.11, uwt will actually execute torsocks /usr/bin/ssh.anondist-orig 10.152.152.11. In this case, traffic would flow through torsocks via a Tor SocksPort. This will fail for local connections and lead to the following error message:
libtorsocks(12021): connect: Connection is to a local address (10.152.152.11), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to https://gitweb.torproject.org/torsocks.git/ if this is preventing a program from working properly with torsocks
This is possibly no longer required thanks to the Whonix default /etc/tor/torsocks.conf configuration file, which sets AllowOutboundLocalhost 1.
# Set Torsocks to allow outbound connections to the loopback interface.
# If set to 1, connect() will be allowed to be used to the loopback interface
# bypassing Tor. If set to 2, in addition to TCP connect(), UDP operations to
# the loopback interface will also be allowed, bypassing Tor. This option
# should not be used by most users. (Default: 0)
AllowOutboundLocalhost 1
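The following is an added example, not code from Whonix or torsocks: a small audit check that reads torsocks.conf text and reports which operations the AllowOutboundLocalhost setting lets bypass Tor for a given destination. The function names and the sample config string are constructed for illustration, and the value meanings are taken only from the comment quoted above; note that 10.152.152.11 from the ssh example is not a loopback address, so it falls outside the option's documented scope.

```python
import ipaddress

# Constructed sample, modelled on the torsocks.conf excerpt quoted above.
SAMPLE_CONF = """\
# Set Torsocks to allow outbound connections to the loopback interface.
# (Default: 0)
AllowOutboundLocalhost 1
"""

KEY = "AllowOutboundLocalhost"

# Meaning of each value, as described in the config comment on this page.
BYPASS = {0: set(), 1: {"tcp-connect"}, 2: {"tcp-connect", "udp"}}


def allow_outbound_localhost(conf_text):
    """Return the AllowOutboundLocalhost value in conf_text (default 0)."""
    values = set()
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens or tokens[0] != KEY:
            continue
        if len(tokens) != 2 or tokens[1] not in ("0", "1", "2"):
            raise ValueError(f"malformed setting: {raw!r}")
        values.add(int(tokens[1]))
    if len(values) > 1:
        # An audit should flag this rather than guess which line wins.
        raise ValueError(f"conflicting {KEY} values: {sorted(values)}")
    return values.pop() if values else 0


def bypasses_tor(conf_text, dest):
    """Operations to dest that the setting lets bypass Tor (empty = none)."""
    if not ipaddress.ip_address(dest).is_loopback:
        return set()  # the option only concerns the loopback interface
    return BYPASS[allow_outbound_localhost(conf_text)]


if __name__ == "__main__":
    for dest in ("127.0.0.1", "10.152.152.11"):
        ops = sorted(bypasses_tor(SAMPLE_CONF, dest)) or ["none"]
        print(f"{dest}: bypasses Tor for {', '.join(ops)}")
```
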