Connecting to Tor before a Proxy using Transparent Proxying Method
There are 3 different ways to configure an additional proxy.
User
→ Tor
→ Proxy
→ Internet
Instructions on how to connect to Tor before a proxy (User → Tor → Proxy → Internet) using Transparent Proxying Method
Introduction[edit]
Advanced users only!
To make clear, what this is about. Whonix-Gateway™ is already serving as a Transparent Proxy [1], which means, that all applications not explicitly configured [2] to use a SocksPort
, can connect through Tor without any settings. This section is about configuring Whonix-Workstation™ also to act as a Transparent Proxy [3]. Use case: a user wants to ensure all traffic goes through Tor (by using Whonix-Gateway™) and want to additionally ensure, all traffic goes through a proxy choosen by the user after the Tor link, i.e. user → Tor → proxy → internet.
You always have to keep in mind, which kind of data and which kind of proxy you are using. There are CGIproxies, http(s) proxies and socks4/4a/5 proxies.
In case you redirect the network layer directly with iptables, you need a TransPort
. Unfortunately very few applications, do offer a TransPort
. For example, Tor supports a TransPort
. In most other cases, you need to translate the different kinds of data.
Due to the nature of Transparent Proxying, we need to redirect with iptables and end up with a "Trans data stream". Because most proxies are either http or socks we need to translate this. Below we discuss a few tools which help here, not all are required, depending on what you want to do.
Required reading:
Tools[edit]
Tor is a socks proxy and also has a TransPort
. You must also keep in mind, that Tor does not support UDP, although it offers a DnsPort
.
redsocks can also accept "Trans data streams" and can forward them to https, socks4 and socks5 proxies. If you were to use a http proxy (no https, without connect-method, see proxy article), you could access only http sites, no https sites. Furthermore redsocks can also convert UDP DNS queries to TCP DNS queries.
DNS resolution[edit]
The complication (and also advantage/feature) with transparent proxying is, that the internet application (browser, etc.) is not aware of the proxy. Therefore the internet application will attempt to do the DNS resolution itself using the system, not using the proxy. The DNS requests also must be considered. Since Tor does not support UDP, we have to transmit DNS queries via TCP.
It is impossible to resolve DNS directly on the proxy, when using the proxy as a transparent proxy, see Transparent Proxying Method for explanation. You need an extra DNS server, which answers over TCP.
You have several options to resolve DNS.
- A) Tor: Either leave the setup as it is, Tor's
DnsPort
and therefore the Tor exit relays will still do the DNS requests. (See DNS rule #1.) This is probably not what you want, since you wanted to cloak your identity with an additional proxy after Tor. - B) Public DNS resolver: Alternatively you can use a public DNS resolver. The instructions for Alternative DNS Resolver should work out of the box (tested). (See DNS rule #2.)
All DNS resolvers [5] should work, as long TCP is supported and as long you are querying a TCP enabled DNS server. [6] [7] [8] [9]
Read the DNS related warnings.
How to setup proxy tunnel-link after Tor (User→Tor→Proxy→Internet)[edit]
Unfinished!
Advanced users only!
Everything on Whonix-Workstation.
Get a working proxy and test (with any of the above methods) if it works reliable.
Install redsocks.
sudo apt install redsocks
Enable redsocks autostart.
Open file /etc/default/redsocks
in an editor with root rights.
Non-Qubes-Whonix™
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit
command.
sudoedit /etc/default/redsocks
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /etc/default/redsocks
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/default/redsocks
Look for.
START=no
And replace it with.
START=yes
Configure redsocks by editing /etc/redsocks.conf to your needs.
Open file /etc/redsocks.conf
in an editor with root rights.
Non-Qubes-Whonix™
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit
command.
sudoedit /etc/redsocks.conf
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /etc/redsocks.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/redsocks.conf
Under.
redsocks {
You have to edit.
ip = 127.0.0.1; port = 1080; type = socks5
To your needs.
Start redsocks.
sudo service redsocks start
Create a file fw.bsh.
And use the following firewall rules.
TODO: convert to nftables
#!/bin/bash ## These iptables rules redirect the traffic for all users, ## including root, with the exception of the user redsocks, ## through the proxy. ## TODO: these iptables rules need review. ## TODO: use iptables default policy drop. ## Choose either DNS rule #1 or DNS rule #2. ## For debugging/testing use this command in console. ## tail -f /var/log/syslog ## Flush old rules. iptables -F iptables -t nat -F iptables -X ## Allow unlimited traffic on the loopback interface. iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT --dst 127.0.0.1 -j ACCEPT ## Established incoming connections are accepted. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ## Established outgoing connections are accepted. iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ## DNS rule #1. ## Allow DNS directly through {{project_name_gateway_short}}. #iptables -A OUTPUT --dst 10.152.152.10 -p udp --dport 53 -j ACCEPT ## DNS rule #2. ## For DNSCrypt set /etc/resolv.conf to ## nameserver 127.0.0.1 ## ## sudo dnscrypt-proxy --tcp-only --user=user ## ## DNSCrypt listening on port 53 iptables -t nat -A OUTPUT --dst 127.0.0.1 -p udp --dport 53 -j ACCEPT iptables -t nat -A OUTPUT --dst 127.0.0.1 -p tcp --dport 53 -j ACCEPT ## redsocks must be allowed to establish direct connections. iptables -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks iptables -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks ## Redirect remaining traffic to redsocks. iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345 ## TODO: UDP rule untested. #iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-port 10053 ## Log blocked traffic for debugging. iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables: " ## Reject all other traffic. iptables -A OUTPUT -j REJECT
Make the firewall script executable.
sudo chmod +x fw.bsh
Apply the firewall rules.
sudo fw.bsh
Footnotes[edit]
- ↑ anonymizing middlebox
- ↑ by uwt socksifier or proxy settings
- ↑ local redirection
- ↑ torproject.org wiki version 129 contains an old example using privoxy, JonDo and httpsdnsd. The new example uses redsocks and is simpler.
- ↑ https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
- ↑
You can't simply add another public DNS resolver (i.e. OpenDNS or Google) to
/etc/resolv.conf
in Whonix-Workstation (i.e. Tor → public DNS resolver), it would have no effect, as explained under Whonix-Workstation is Firewalled. - ↑ Also httpsdnsd by JonDos might work, but you'd need to make some changes (use httpsdnsd as a system wide, Whonix-Workstation wide, DNS resolver, not just for a specific user account).
- ↑ DNSCrypt and httpsdnsd add the advantage, that neither the proxy nor the Tor exit relay can sniff or manipulate your DNS requests, since they are encrypted and authenticated.
- ↑ Or perhaps also ttdnsd with Google could work.
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!