Connecting to Tor before a Proxy using Proxy Settings Method
Donate
There are 3 different ways to configure an additional proxy.
User → Tor → Proxy → Internet
Before combining Tor with other tunnels, be sure to read and understand the risks!
See also proxy warning!
User → Tor → Proxy → Internet
Configure Applications to use Proxy Settings Method[edit]
General information (unspecific to Whonix):
- Essentials: See the notices on top of this wiki chapter. These links should be read first.
- Different methods available: One option to make an application use a proxy is to use the application's native proxy settings. This is explained in this wiki chapter. For alternative methods, see the mini navigation on the very top of this wiki page.
- Essentials: This of course supposes, that the application has proxy settings.
- Leak Potential: There could be leaks.
- Leak Definition: What is a leak in this context? A means, that the user thinks the application is using the proxy but actually the application is not using the proxy.
- Application Specific: If proxy settings are honored by an application or not is another question and out of scope of this documentation because this is difficult.
- Difficulty: Since manual proxy configuration using the application's proxy settings is very difficult and very vulnerable to leaks, the Whonix project had been founded.
- Reliability: Whonix is a project which does only one thing but does that one thing well. That one thing is to configure a (virtual) machine to securely, reliability and always use Tor which is similar to a proxy but much better. Also called a leak shield or fail-safe mechanism.
- No dedicated proxy project: There is no software / project that ensures that a proxy is always reliably used, i.e. a leak shield / fail-safe mechanism for proxies.
- Instructions Quality: There is generally very little information on the subject of configuring a proxy including a leak shield. Development activity is very low to non-existing. For some old instructions on how to set proxy settings for some applications, the user could have a look at the TorifyHOWTO
.
Whonix specific part:
- Location: Run the application inside inside Whonix-Workstation™.
- Deactivation of Stream Isolation required: There is a list of applications that come where extra steps are required. Before proceeding, it is highly recommended for the user to look up the application which should be configured for use with an extra-tunnel link in that list. This is because these applications are pre-configured for Stream Isolation. These settings have to be undone. This is documented in the chapters below on this wiki page.
- Proxy Settings: Other than that there is no difference from using proxy settings in a usual way it would be done outside of Whonix.
- Internet Traffic Routing: If the application:
- A) honors the proxy settings: traffic goes:
User→Tor→Proxy→Internet - B) does not honor the proxy settings / has a leak bug: traffic goes
User→Tor→Internet
- A) honors the proxy settings: traffic goes:
Important Application Specific Notes[edit]
Tor Browser Notes[edit]
1. Check applicability of these instructions.
Does the user need to follow these instructions? Only if the user intents to use Tor Browser with an extra tunnel-link. For example, if the user only intents to use a different application such as curl with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see the other wiki chapters on this page.
2. Remove default proxy settings by Tor Browser and set custom proxy settings.
Configuration for use of Tor Browser with a HTTP, HTTPS or SOCKS proxy using proxy settings method.
Why is this difficult?
This is difficult and may not work for you.
To learn why this is difficult, please press on Expand on the right.
Tor Browser, which is developed by upstream, The Tor Project (TPO), an independent entity has hard configured to use Tor as a proxy.
- Upstream does not support user using Tor Browser with an additional extra proxy at the end of the chain, i.e.:
user→Tor→proxy→destination - Upstream does also not support using Tor Browser with a proxy other than Tor, i.e.:
user→custom proxy→destination. This may or may not currently be possible but upstream does not provide documentation on how to do this. - Upstream does also not support using Tor Browser with a VPN instead of Tor, i.e.
user→VPN→destination. - Upstream does also not support using Tor Browser with a VPN in addition before Tor, i.e.
user→Tor→VPN→destination.
That makes sense from TPO's perspective as a project that maintains a browser that should always connect using the Tor network. Due to that perspective, proxy settings have been removed from Tor Browser to avoid user confusion and accidental misconfiguration. Little attention is spend on custom proxy settings. That, from TPO's perspective is assumed to only make sense for users using a Tor transparent proxy and that are already running Tor on a different computer in their LAN. Only a minority of users is using such configurations.
Because of this organisational and technical background, the highly specialized use case of configuring Tor Browser running inside Whonix-Workstation™ to use an additional proxy (user -> Tor -> proxy -> destination) is difficult to accomplish.
To learn more about this organisational and technical background see also 
Linux User Experience versus Commercial Operating Systems
COMMUNITY SUPPORT ONLY :
THIS wiki CHAPTER only
is only supported by the community. Whonix developers are very unlikely to provide free support for this content.
See Community Support for further information, including implications and possible alternatives.
Archived instructions.
NOTE: The following archived instructions are most likely currently broken due to changes by upstream, The Tor Project. To resolve this issue, the user would have to proceed as per Self Support First Policy. Please post in Whonix forums to notify if this method is currently working, broken or if any solution has been found. To view the archived instructions, please press on Expand on the right.
Complete the following steps inside Whonix-Workstation™ (anon-whonix).
1. Launch Tor Browser.
2. And enter about:config into the URL bar and press enter.
3. Change the following settings.
4. Set extensions.torbutton.use_nontor_proxy to true.
5. Set network.proxy.no_proxies_on to 0.
6. Proxy specific settings.
Depending on using a HTTP, HTTPS or SOCKS proxy.
A) HTTP proxy
If a HTTP proxy is being used, modify address and port number to the following strings.
network.proxy.httpnetwork.proxy.http_port
B) HTTPS proxy
If a HTTPS proxy is being used, modify the following strings instead.
network.proxy.sslnetwork.proxy.ssl_port
C) SOCKS proxy
This process can be repeated with socks proxies, but it is redundant and does not provide any advantage over the former types. The reason is because only Tor Browser is modified and no other programs are being tunneled through it.
- Set
network.proxy.socksto the IP of proxy server. - Set
network.proxy.socks_portto the port number of the proxy server. - Set
network.proxy.socks_remote_dnstofalse- if the proxy server does not support resolving DNS. In this case, DNS will go through Tor exit nodes thanks to Whonix, ortrue- if the proxy server does resolving DNS which is better.
- Set
network.proxy.socks_versionto either4or5depending on the version of the proxy server.
7. Done.
Tor Browser proxy configuration has been completed.
3. Done.
The process of configuring an extra tunnel-link for Tor Browser has been completed.
Misc Application Notes[edit]
1. Check applicability of these instructions.
Do the user need to follow these instructions? Only if the user intents to use any of the applications which are on the list of stream isolated by proxy settings with an extra tunnel-link. For example, if the user only intents to use Tor Browser with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see above chapter.
2. Remove default proxy settings by Whonix.
Whonix ships a number of applications pre-configured for using proxy settings by default. This is for a different purpose. For the purpose of Stream Isolation. If the application you want to tunnel through the extra tunnel-link is on that list, it would conflict with your custom proxy settings. In that case, you need to first remove these proxy settings.
For information on how to remove Whonix default proxy settings, please press Expand on the right.
On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this the Whonix system default must be removed from the application's settings.
TODO: document and expand.
Remove proxy settings for APT repository files.
1. Platform specific notice:
- Non-Qubes-Whonix™: No platform specific notice.
- Qubes-Whonix™: In Template. (
whonix-workstation-17)
2. If you previously onionized any repositories, that has to be undone; see Onionizing Repositories.
3. Remove any mention of tor+ in file /etc/apt/sources.list (if it was previously configured; that file is empty by default in Whonix / Kicksecure) or any file in folder /etc/apt/sources.list.d.
4. Open file /etc/apt/sources.list /etc/apt/sources.list.d/* in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*
5. Remove any mention of tor+.
6. Done.
The process of removing proxy settings from APT repository files is now complete.
Remove proxy settings for Tor Browser Downloader by Whonix.
1. Platform specific notice:
- Non-Qubes-Whonix: No platform specific notice.
- Qubes-Whonix: In Template. (
whonix-workstation-17) [1]
2. Open file /etc/torbrowser.d/50_user.conf in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
sudoedit /etc/torbrowser.d/50_user.conf
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /etc/torbrowser.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/torbrowser.d/50_user.conf
TB_NO_TOR_CON_CHECK=1 CURL_PROXY="--fail"
4. Save and exit.
5. Done.
Proxy settings have been removed from Tor Browser Downloader by Whonix (and Mullvad Browser by Kicksecure developers).
For some applications, this is impossible:
These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. Therefore you can only deactivate sdwdate and/or not use applications like OnionShare and Ricochet IM.
3. Set custom proxy settings.
This is unspecific to Whonix and undocumented.
4. Done.
The process of configuring an extra tunnel-link for a miscellaneous application has been completed.
uwt wrapped application notes[edit]
1. Check applicability of these instructions.
Do the user need to follow these instructions? Only if the user intents to use any application in the list of uwt wrapped applications with an extra tunnel-link. For example, if the user only intents to use Tor Browser with an extra tunnel-link, then the instructions in this very wiki chapter can be skipped. In that case, see above chapter.
2. Remove uwt wrapper by Whonix.
Whonix ships a number of applications pre-configured for using uwt wrappers by default. If the application you want to tunnel through the extra tunnel-link is on that list, it would conflict with your custom proxy settings. In that case, you need to disable that uwt wrapper first.
For information on how to disable Whonix uwt wrappers, please press Expand on the right.
On the Stream Isolation page, there is a list of applications that are pre-configured to use uwt wrappers. Follow the instructions below in order to disable this.
The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt-wrapped applications system-wide. Consequently, all uwt-wrapped applications revert to the default system networking configuration.
For more granular control of uwt wrapper deactivation, see: Deactivate uwt Stream Isolation Wrapper.
1. Platform specific notice:
- Non-Qubes-Whonix™: No platform specific notice.
- Qubes-Whonix™: In Template. (
whonix-workstation-17) [4]
2. Open file /etc/uwt.d/50_user.conf in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
sudoedit /etc/uwt.d/50_user.conf
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /etc/uwt.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/uwt.d/50_user.conf
3. Add.
uwtwrapper_global="0"
4. Save and exit.
5. Check that the changes have taken effect. Run in terminal: uwt_settings_show
It should print
uwt INFO: disabled.
6. Done.
3. Set custom proxy settings.
This is unspecific to Whonix and undocumented.
4. Done.
The process of configuring an extra tunnel-link for a miscellaneous application has been completed.
Footnotes[edit]
- ↑
Qubes-Whonix users note: In App Qube (
whonix-workstation-17) could also use file/usr/local/etc/torbrowser.d/50_user.confinstead.1. Create folder
/usr/local/etc/torbrowser.d(if using Tor Browser Downloader by Whonix developers) and optionally/usr/local/etc/mullvadbrowser.d(if using Mullvad Browser by Kicksecure developers).mkdir -p /usr/local/etc/torbrowser.d
mkdir -p /usr/local/etc/mullvadbrowser.d
2. Open file
/usr/local/etc/torbrowser.d/50_user.confin an editor with root rights.
Non-Qubes-Whonix™
This box uses
sudoeditfor better security.sudoedit /usr/local/etc/torbrowser.d/50_user.conf
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /usr/local/etc/torbrowser.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /usr/local/etc/torbrowser.d/50_user.conf
And/or:
sudoedit /usr/local/etc/mullvadbrowser.d/50_user.conf
- ↑
TB_NO_TOR_CON_CHECK=1needs to be set because there is no filtered Tor ControlPort access when Whonix tunnel firewall is enabled, which would break tb-updater's Tor connectivity check. - ↑
By tb-updater default, if unset, variable
CURL_PROXYwill be dynamically set to a Tor SocksPort on Whonix-Gateway™. For example toCURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115".
By utilizing a curl parameter we are using anyhow --CURL_PROXY="--fail"-- the environment variable can be disabled even if it is technically still set. This will result in downloading via the system's default networking. - ↑
Qubes-Whonix users note: Or alternatively in App Qube.
1. Create folder
/usr/local/etc/uwt.d.sudo mkdir -p /usr/local/etc/uwt.d
2. Open with root rights: sudoedit /usr/local/etc/uwt.d/50_user.conf
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!