
Chaining Anonymizing Gateways

From Whonix



Introduction

Info: Only advanced users should attempt these configurations!

By default, all Whonix-Workstation ™ traffic is forced through Whonix-Gateway ™. Alternatively, a chain of anonymizing gateways can be built, with sample tunnel configurations outlined below.

Before attempting complex tunnel configurations, the following basic knowledge is required:

This Inspiration resource may also be useful.

Possible Configurations

Pre-Tor-VPN

## chain:
Whonix-Workstation ™ -> VPN-Gateway -> Whonix-Gateway ™ -> clearnet
## connection scheme:
user -> VPN -> Tor -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Post-Tor-VPN

## chain:
Whonix-Workstation ™ -> Whonix-Gateway ™ -> VPN-Gateway -> clearnet
## connection scheme:
user -> Tor -> VPN -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Pre- and Post-Tor-VPN

## chain:
Whonix-Workstation ™ -> VPN-Gateway -> Whonix-Gateway ™ -> VPN-Gateway -> Internet
## connection scheme:
user -> VPN -> Tor -> VPN -> Internet

Whonix ™ is not limited to VPN-Gateways; the VPN can be replaced with a Proxy-Gateway.

Post-Tor-Proxy

## chain:
Whonix-Workstation ™ -> Proxy-Gateway -> Whonix-Gateway ™ -> clearnet
## connection scheme:
user -> Tor -> Proxy -> Internet

For instructions, see here. To learn more details about this configuration, refer to this entry.

Other Connection Schemes

Virtually any combination is possible: a Post-Tor-Proxy; a Pre/Post-Tor-SSH; or the proxy being replaced with JonDo or perhaps I2P.

Always remember that the connection will be created in reverse order; see the example below. [1]

## chain:
Whonix-Workstation ™ -> Proxy-Gateway -> Whonix-Gateway ™ -> VPN-Gateway -> clearnet
## connection scheme:
user -> VPN -> Tor -> Proxy -> Internet

Upon reflection, it becomes clear why the connection happens in reverse order:

  • Whonix-Workstation ™ has no option but to pass through the Proxy-Gateway.
  • The Proxy-Gateway has no option but to pass through Whonix-Gateway ™.
  • In this case, the last element in the chain is the VPN-Gateway, which must obviously connect via clearnet.

In other terms:

  • The VPN-Gateway uses clearnet.
  • Whonix-Gateway ™ uses the VPN-Gateway to connect.
  • The Proxy-Gateway uses Whonix-Gateway ™ to connect.
  • Whonix-Workstation ™ uses the Proxy-Gateway to connect.

Since the Proxy-Gateway can only pass through Whonix-Gateway ™ followed by the VPN-Gateway, it is clear why it will be the last hop in front of the destination server.
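The reverse-order reasoning above, modelled as nested encapsulation. This is an added example and not part of the Whonix documentation; the tunnel label assigned to each gateway and all function names are assumptions made for illustration.

```python
# Added illustration. Gateway names come from the page; the tunnel label
# assigned to each gateway and every function name are assumptions.
TUNNEL = {
    "VPN-Gateway": "VPN",
    "Whonix-Gateway": "Tor",
    "Proxy-Gateway": "Proxy",
}

def encapsulate(chain, payload="request"):
    """Follow a packet through the VM chain, workstation first.

    Each gateway can only forward traffic through its own tunnel, so it
    wraps whatever it receives in one more layer: (tunnel, inner_packet).
    """
    if chain[0] != "Whonix-Workstation" or chain[-1] != "clearnet":
        raise ValueError("chain must run from Whonix-Workstation to clearnet")
    packet = payload
    for vm in chain[1:-1]:
        if vm not in TUNNEL:
            raise ValueError(f"unknown gateway: {vm}")
        packet = (TUNNEL[vm], packet)  # this gateway's tunnel is now outermost
    return packet

def connection_scheme(chain):
    """Peel the layers in the order remote servers remove them.

    The outermost layer was added by the gateway next to clearnet, so its
    server is reached first; the innermost layer is removed last.
    """
    packet = encapsulate(chain)
    hops = ["user"]
    while isinstance(packet, tuple):
        layer, packet = packet
        hops.append(layer)
    return hops + ["Internet"]

def last_hop(chain):
    """Tunnel endpoint that sits directly in front of the destination."""
    return connection_scheme(chain)[-2]

# Chains copied from the page, written as lists.
POST_TOR_PROXY = ["Whonix-Workstation", "Proxy-Gateway", "Whonix-Gateway", "clearnet"]
MIXED = ["Whonix-Workstation", "Proxy-Gateway", "Whonix-Gateway", "VPN-Gateway", "clearnet"]

if __name__ == "__main__":
    for chain in (POST_TOR_PROXY, MIXED):
        print(" -> ".join(chain))
        print("   ", " -> ".join(connection_scheme(chain)))
```
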

Other Considerations

Whether these combinations make sense in terms of security and anonymity is hotly debated and depends on your personal threat model; see Tor plus VPN or Proxy. Advanced tunneling configurations also require knowledge of how to properly edit /etc/network/interfaces on Whonix-Gateway ™ and/or on Whonix-Workstation ™. In the case of Non-Qubes-Whonix ™, this refers to the virtual internal network name in VirtualBox settings.

This process is generally difficult because there are no other anonymizing gateways (VPN / JonDo / I2P / Proxy / SSH) available for download in Whonix ™, just the Whonix-Gateway ™ which uses Tor to anonymize traffic. This means a search for instructions is often required and/or an anonymizing gateway must be built from scratch. [2]

For a VPN-Gateway, see also:

Footnotes

  1. "Internet" below refers to the destination server, such as a website.
  2. Instructions for a pfSense based VPN-Gateway can be found with search engines, but it is untested for leaks.

