Connecting to SSH before Tor
Instructions on how to connect to SSH before Tor.
User
→ SSH
→ Tor
→ Internet
Introduction[edit]
Connecting to SSH before Tor might enhance privacy and security in certain use cases. This setup is particularly useful for bypassing restrictive firewalls or for situations where Tor is blocked but SSH is allowed.
The SSH tunnel can be configured on the host operating system (OS) (outside any virtual machine (VM)) or inside Whonix-Gateway™.
Prerequisites[edit]
- SSH server: The user needs an already existing SSH server where the user is able to successfully login using
ssh
on the command line. - Prerequisite knowledge:
- How to setup a SSH server: Setting up an SSH server is currently out-of-scope for this wiki page. The process of setting up an SSH server is unspecific to Whonix. The SSH server can be set up as usual as if Whonix is not involved. Please use search engines first.
- How to bypass Tor: The clearnet User
- Platform specific:
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: It is required to know about how to apply Qubes Template Modifications.
Install SSH Client[edit]
Install package(s) openssh-client
following these instructions
1 Platform specific notice.
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: In Template.
2 Update the package lists and upgrade the system .
sudo apt update && sudo apt full-upgrade
3 Install the openssh-client
package(s).
Using apt
command line
--no-install-recommends
option
is in most cases optional.
sudo apt install --no-install-recommends openssh-client
4 Platform specific notice.
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Qubes Template Modification .
5 Done.
The procedure of installing package(s) openssh-client
is complete.
Make Clearnet home persistent[edit]
There is no persistent home for the clearnet
user by default. Therefore make it persistent so SSH user data (keys, known_hosts file) can be saved there.
Follow instructions to make the clearnet home persistent.
This will most likely be simplified in a future Whonix version, where user clearnet
will have a persistent home folder by default.
DNS Setup[edit]
There are two options for accessing the SSH server. Choose one.
By IP Address
Recommended. Connecting to your SSH server by IP address is easier. In this case, no DNS setup is required.
Most SSH servers have static IP addresses. Static here means that these do not change.
Do you already know the IP address of your SSH server?
- A) Yes, known: Great. No further action required.
- B) No, unknown: Resolve the SSH server domain name to IP address. This command can be run on any Linux system such as on your SSH server.
dig +short example.com
By Domain Name
Connecting to your SSH server by domain name is possible but a bit more difficult. DNS setup is required.
Allow user clearnet
on Whonix-Gateway to use clearnet DNS.
1. DNS setup.
See Whonix-Gateway System DNS over Clearnet.
2. Test.
Check if the clearnet
user can resolve DNS:
sudo -u clearnet curl.anondist-orig --tlsv1.3 --proto =https https://check.torproject.org/api/ip
Expected output:
Note: The following output would not contain YOUR_SSH_SERVER_PUBLIC_IP
but the actual public IP address of your SSH server.
{"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"}
3. Done.
Whonix-Gateway System DNS over Clearnet setup is complete.
Configure Remote SSH Server[edit]
Note: Every key generation and installation must be made with the clearnet
user.
1. Notice.
2. Start a shell as user clearnet
.
sudo -u clearnet bash
3. SSH key setup.
Folder /home/clearnet/.ssh
needs to be populated. In practice, this means that the following files (or similar) need to exist:
/home/clearnet/.ssh/id_ed25519
/home/clearnet/.ssh/id_ed25519.pub
/home/clearnet/.ssh/known_hosts
How to get these files? There are two options. Choose one.
- A) Use existing files: The user could copy these files over from an existing SSH client setup. Or,
- B) Create a new SSH keypair: See also Generate SSH keys and Install keys to the SSH server .
4. Test login to the SSH server:
Notes:
- User name: Replace
ssh-user
with the actual SSH user name. - IP: Replace
example.com
with the actual IP address or hostname of your server.
ssh.anondist-orig ssh-user@example.com
5. SSH server configuration.
- A) SSH default configuration: SSH daemon defaults to
AllowTcpForwarding yes
in/etc/ssh/sshd_config
. - B) User hardened SSH configuration: If the user has configured
AllowTcpForwarding no
in/etc/ssh/sshd_config
, then see footnote. [1]
6. Restart the ssh
daemon service in case you have modified its settings in the item above:
sudo systemctl restart sshd
7. Exit the SSH session after the connection has succeeded:
exit
8. Exit from the clearnet
user back to the user
user:
exit
9. Done.
Test SSH Socks Proxy[edit]
1. Create a local SOCKS proxy.
Open a localhost SOCKS proxy listening on port 1080
connected to your SSH server.
Notes:
- User name: Replace
ssh-user
with the actual SSH user name. - IP: Replace
example.com
with the actual IP address or hostname of your server. - Port: Replace
22
with the actual SSH server port. If you have not changed the SSH server port, it will be the default22
and no port change will be required.
sudo -u clearnet ssh.anondist-orig -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22
Expected output: None.
2. Test.
Check if the clearnet
user can use the SOCKS5 proxy created by the SSH connection.
Open another terminal tab.
sudo -u clearnet curl.anondist-orig --proxy socks5h://127.0.0.1:1080 --tlsv1.3 --proto =https https://check.torproject.org/api/ip
Expected output:
Note: The following output would not contain YOUR_SSH_SERVER_PUBLIC_IP
but the actual public IP address of your SSH server.
{"IsTor":false,"IP":"YOUR_SSH_SERVER_PUBLIC_IP"}
3. Close SSH proxy.
Terminate the local SSH proxy created in step 1 by using the keyboard and entering CTRL + C or by closing the terminal tab. This is required because for automating the above command, the port must not be in use. To ensure the port is closed, the SSH client needs to be terminated.
4. Done.
The SSH SOCKS proxy test has been completed.
Configure Proxy Autostart[edit]
After all of the above tests have been completed successfully, you should configure the SSH connection to start on boot.
1. Apply the following changes to Whonix-Gateway™ or the host.
- Non-Qubes-Whonix: On Whonix-Gateway.
- Qubes-Whonix: On
sys-whonix
App Qube.
Open file /usr/lib/systemd/system/socks-before-tor.service
in an editor with root rights.
Non-Qubes-Whonix™
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit
command.
sudoedit /usr/lib/systemd/system/socks-before-tor.service
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /usr/lib/systemd/system/socks-before-tor.service
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /usr/lib/systemd/system/socks-before-tor.service
2. Add the following to the file:
Notes:
- User name: Replace
ssh-user
with the actual SSH user name. - IP: Replace
example.com
with the actual IP address or hostname of your server. - Port: Replace
22
with the actual SSH server port. If you have not changed the SSH server port, it will be the default22
and no change is required.
[Unit] Description=SOCKS5 Proxy for Tor OR connections After=network-online.target nss-lookup.target qubes-sysinit.service Before=tor.service ConditionPathExists=!/var/run/qubes/this-is-templatevm [Service] ExecStart=ssh.anondist-orig -vv -N -D 127.0.0.1:1080 ssh://ssh-user@example.com:22 Restart=on-failure RestartSec=5 User=clearnet Group=clearnet [Install] WantedBy=multi-user.target
3. Reload the systemd system daemon:
sudo systemctl daemon-reload
4. Enable the systemd system service socks-before-tor
:
sudo systemctl enable socks-before-tor
5. Platform specific.
Non-Qubes-Whonix
1. Start the service socks-before-tor
:
sudo systemctl restart socks-before-tor
2. Watch the journal of socks-before-tor
service:
sudo journalctl -fu socks-before-tor
Configure Tor[edit]
Tor needs to be configured to make use of the locally running SOCKS interface.
Use either Option 1 or Option 2.
Option 1: Use Anon Connection Wizard[edit]
A proxy can be configured easily using Anon Connection Wizard.
Step 1: Start Anon Connection Wizard[edit]
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway™ ProxyVM (commonly named sys-whonix)
→ Anon Connection Wizard
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu
→ Applications
→ System
→ Anon Connection Wizard
If you are using a terminal emulator (such as for example xfce4-terminal) on Whonix-Gateway, type.
lxsudo anon-connection-wizard
If you are using a CLI Whonix-Gateway, see footnote. [2]
Step 2: Use Proxy Configuration Page[edit]
- Proxy type:
SOCKS5
- IP:
127.0.0.1
- Port:
1080
Select "Use proxy before connecting to the Tor network" on the Proxy Configuration page
→ Choose the proxy type
→ Fill out other necessary information
Option 2: Manually Configure Proxy[edit]
Manual Tor configuration is an alternative.
1. Open file /usr/local/etc/torrc.d/50_user.conf
in a text editor of your choice with sudoedit
.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway™ ProxyVM (commonly named sys-whonix)
→ Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu
→ Applications
→ Settings
→ /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway, complete the following steps. sudoedit /usr/local/etc/torrc.d/50_user.conf
2. Paste.
Note: Change IP:PORT
as needed.
- A) If SSH tunnel was set up from Whonix-Gateway:
Socks5Proxy 127.0.0.1:1080
- B) If SSH tunnel was set up from host operating system:
Socks5Proxy IP:PORT
3. Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf
and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway™ ProxyVM (commonly named 'sys-whonix')
→ Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu
→ Applications
→ Settings
→ Reload Tor
If you are using a terminal-only Whonix-Gateway, click
HERE
for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
4. Done.
Footnotes[edit]
- ↑
You can change it on a per-user basis. For example, to allow TCP forwarding only for user
ssh-user
, append to the following file: Match User ssh-user AllowTcpForwarding yes - ↑
Anon Connection Wizard is a graphical user interface (GUI) application. It does not have command line interface (CLI) support yet. It is therefore unavailable on Whonix-Gateway CLI. Use
setup-dist
instead; note that functionality is limited and does not support Bridges.
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!