Disable Stream Isolation: Easy
From Whonix
The easiest and most common stream isolation methods are:
- Deactivate uwt Wrappers
- Tor Browser Remove Proxy Settings
- Deactivate Miscellaneous Proxy Settings
Deactivate uwt Wrappers
The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt-wrapped applications system-wide. Consequently, all uwt-wrapped applications revert to the default system networking configuration.
For more granular control of uwt wrapper deactivation, see: Deactivate uwt Stream Isolation Wrapper.
Open file /etc/uwt.d/50_user.conf in an editor with root rights.
This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.
sudoedit /etc/uwt.d/50_user.conf
Add.
uwtwrapper_global="0"
Save and exit.
Tor Browser Remove Proxy Settings
Introduction
This configuration results in Tor Browser no longer using proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside Whonix-Workstation ™ that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [1] [2]
Note: This action will break both Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and leads to pseudonymous (not anonymous) connections. To mitigate these risks, consider using More than one Tor Browser in Whonix ™, or preferably Multiple Whonix-Workstation ™.
To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the simplest is the /etc/environment Method.
Note: Choose only one method to enable transparent torification.
The Command Line Method and the start-tor-browser Method offer finer-grained settings.
Command Line Method
Navigate to the Tor Browser folder.
cd ~/tor-browser_en-US
Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.
TOR_TRANSPROXY=1 ./start-tor-browser.desktop
start-tor-browser Method
This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.
Find and open start-tor-browser in the Tor Browser folder with an editor.
This is most likely found in ~/tor-browser_en-US/Browser/start-tor-browser.
Below the line #!/usr/bin/env bash, set.
export TOR_TRANSPROXY=1
/etc/environment Method
This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [3]
Open file /etc/environment in an editor with root rights.
sudoedit /etc/environment
Add the following line.
TOR_TRANSPROXY=1 ## newline at the end
Save and reboot.
Tor Browser Settings Changes
This step is required since Tor Browser 10. [4]
1. Tor Browser → URL bar → Type: about:config → Press Enter key. → search for and modify
2. network.dns.disabled → set to false
3. extensions.torbutton.launch_warning → set to false
Undo
Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!
Ignore Tor Button's Open Network Settings
Whonix ™ has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [5]
Deactivate Miscellaneous Proxy Settings
On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this, the Whonix ™ system default must be removed from the application's settings.
TODO: document and expand.
Remove proxy settings for APT repository files.
1. If you previously onionized any repositories, that has to be undone; see Onionizing Repositories.
2. Remove any mention of tor+ in file /etc/apt/sources.list (if it was previously configured; that file is empty by default in Whonix ™ / Kicksecure) or any file in folder /etc/apt/sources.list.d.
3. Open file /etc/apt/sources.list /etc/apt/sources.list.d/* in an editor with root rights.
sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*
4. Remove any mention of tor+.
The process of removing proxy settings from APT repository files is now complete.
Remove proxy settings for Tor Browser Downloader by Whonix ™.
Open file /etc/torbrowser.d/50_user.conf in an editor with root rights.
sudoedit /etc/torbrowser.d/50_user.conf
TB_NO_TOR_CON_CHECK=1
CURL_PROXY="--fail"
Save.
For some applications, this is impossible:
These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. Therefore you can only deactivate sdwdate and/or not use applications like OnionShare and Ricochet IM.
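To check which of the file-based settings on this page are currently in effect, the following read-only shell audit is an added example, not part of the Whonix ™ wiki or tooling. The function names, the DISABLED output format and the optional root-directory argument are assumptions of the example, as is reading the .d folders in lexical order with later files overriding earlier ones; it does not inspect Tor Browser's about:config preferences or an edited start-tor-browser script.

```shell
#!/bin/sh
# Added example: read-only audit of the file-based settings described above.
# Usage: sh audit.sh [ROOT]   (ROOT is an optional alternate root directory)

# Print the last effective assignment of VAR ($1) found in the given files.
last_value() {
    var=$1; shift
    cat "$@" 2>/dev/null | sed 's/^[[:space:]]*#.*//' |
        grep -Eo "(^|[[:space:]])${var}=(\"[^\"]*\"|[^[:space:]#]*)" |
        tail -n 1 | sed "s/^[[:space:]]*${var}=//; s/^\"\(.*\)\"\$/\1/"
}

# Print one "DISABLED ..." line per mechanism that no longer isolates streams.
audit_isolation() {
    root=${1:-}

    v=$(last_value uwtwrapper_global "$root"/etc/uwt.d/*.conf)
    if [ "$v" = "0" ]; then
        echo "DISABLED uwt: uwtwrapper_global=0, wrapped apps use system networking"
    fi

    v=$(last_value TOR_TRANSPROXY "$root/etc/environment")
    if [ "$v" = "1" ]; then
        echo "DISABLED tor-browser: TOR_TRANSPROXY=1, no proxy and no tab isolation"
    fi

    # Count active deb/deb-src lines that do not use the tor+ transport.
    plain=$(cat "$root"/etc/apt/sources.list "$root"/etc/apt/sources.list.d/* \
        2>/dev/null | grep -E '^[[:space:]]*deb(-src)?[[:space:]]' |
        grep -vc 'tor+' || true)
    if [ "$plain" -gt 0 ]; then
        echo "DISABLED apt: $plain active source line(s) without tor+"
    fi

    v=$(last_value CURL_PROXY "$root"/etc/torbrowser.d/*.conf)
    case $v in
        ''|*--proxy*) ;;  # unset (tb-updater picks a Tor SocksPort) or proxied
        *) echo "DISABLED tb-updater: CURL_PROXY=\"$v\" has no --proxy" ;;
    esac
    return 0
}

audit_isolation "${1:-}"
```

No output means none of the four file-based settings has been switched to the system default networking.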
Footnotes
- ↑ This term was coined in the context of a Tor Transparent Proxy (.onion). It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
- ↑ If these settings are changed, Tor Button would previously show a red sign and state "Tor Disabled" when a mouse was hovered over it.
- ↑ Unless this environment variable is manually unset before starting Tor Browser.
- ↑
- ↑ The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to be changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor Browser → Open Network Settings... menu item. It is confusing and not useful to have in Whonix-Workstation ™ because:
  - In Whonix ™, there is only limited access to Tor's control port (see Dev/CPFP for more information).
  - For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on Whonix-Gateway ™, and not from Whonix-Workstation ™ (see VPN/Tunnel support for more information).
- ↑ TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when Whonix ™ tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
- ↑ By tb-updater default, if unset, variable CURL_PROXY will be dynamically set to a Tor SocksPort on Whonix-Gateway ™. For example to CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115". By utilizing a curl parameter we are using anyhow -- CURL_PROXY="--fail" -- the environment variable can be disabled even if it is technically still set. This will result in downloading via the system's default networking.