{{Header}}
{{title|
Chaining Anonymizing Gateways
}}
{{#seo:
|description=By default, all {{project_name_workstation_long}} traffic is forced through {{project_name_gateway_long}}. Alternatively, a chain of anonymizing gateways can be built, with sample tunnel configurations outlined below.
|image=Chaininganon23234.jpg
}}
[[File:Chaininganon23234.jpg|thumb]]
{{intro|
By default, all {{project_name_workstation_short}} traffic is forced through {{project_name_gateway_short}}. Alternatively, a chain of anonymizing gateways can be built, with sample tunnel configurations outlined below.
}}
= Introduction =
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Only advanced users should attempt these configurations!
}}
Before attempting complex tunnel configurations, the following basic knowledge is required:
* [[Tunnels/Introduction|Tunnels Introduction]]
* [[Stream Isolation]]
This [[Dev/Inspiration|Inspiration]] resource may also be useful.
= Possible Configurations =
== Pre-Tor-VPN ==
{{CodeSelect|code=
## chain:
{{project_name_workstation_short}} -> VPN-Gateway -> {{project_name_gateway_short}} -> clearnet
## connection scheme:
user -> VPN -> Tor -> Internet
}}
For instructions, see [[Tunnels/Connecting_to_a_VPN_before_Tor|here]]. To learn more details about this configuration, refer to this [[Tunnels/Introduction#Connecting_to_a_tunnel-link_.28proxy.2FVPN.2FSSH.29_before_Tor|entry]].
== Post-Tor-VPN ==
{{CodeSelect|code=
## chain:
{{project_name_workstation_short}} -> {{project_name_gateway_short}} -> VPN-Gateway -> clearnet
## connection scheme:
user -> Tor -> VPN -> Internet
}}
For instructions, see [[Tunnels/Connecting_to_Tor_before_a_VPN|here]]. To learn more details about this configuration, refer to this [[Tunnels/Introduction#Connecting_to_Tor_before_a_tunnel-link_.28proxy.2FVPN.2FSSH.29|entry]].
== Pre- and Post-Tor-VPN ==
{{CodeSelect|code=
## chain:
{{project_name_workstation_short}} -> VPN-Gateway -> {{project_name_gateway_short}} -> VPN-Gateway -> Internet
## connection scheme:
user -> VPN -> Tor -> VPN -> Internet
}}
{{project_name_long}} is not limited to VPN-Gateways; the VPN can be replaced with a Proxy-Gateway.
== Post-Tor-Proxy ==
{{CodeSelect|code=
## chain:
{{project_name_workstation_short}} -> Proxy-Gateway -> {{project_name_gateway_short}} -> clearnet
## connection scheme:
user -> Tor -> Proxy -> Internet
}}
For instructions, see [[Tunnels/Connecting_to_Tor_before_a_proxy|here]]. To learn more details about this configuration, refer to this [[Tunnels/Introduction#Connecting_to_Tor_before_a_tunnel-link_.28proxy.2FVPN.2FSSH.29|entry]].
== Other Connection Schemes ==
Virtually any combination is possible: a Post-Tor-Proxy; a Pre/Post-Tor-SSH; or the proxy being replaced with JonDo or perhaps I2P.
Always remember that the connection will be created in reverse order; see the example below. ["Internet" below refers to the destination server, such as a website.]
{{CodeSelect|code=
## chain:
{{project_name_workstation_short}} -> Proxy-Gateway -> {{project_name_gateway_short}} -> VPN-Gateway -> clearnet
## connection scheme:
user -> VPN -> Tor -> Proxy -> Internet
}}
Upon reflection, it becomes clear why the connection happens in reverse order:
* {{project_name_workstation_short}} has no option but to pass through the Proxy-Gateway.
* The Proxy-Gateway has no option but to pass through {{project_name_gateway_short}}.
* In this case, the last element in the chain is the VPN-Gateway, which must obviously connect via [[FAQ#What_is_Clearnet.3F|clearnet]].
In other terms:
* The VPN-Gateway uses clearnet.
* {{project_name_gateway_short}} uses the VPN-Gateway to connect.
* The Proxy-Gateway uses {{project_name_gateway_short}} to connect.
* {{project_name_workstation_short}} uses the Proxy-Gateway to connect.
Since the Proxy-Gateway can only pass through {{project_name_gateway_short}} followed by the VPN-Gateway, it is clear why it will be the last hop in front of the destination server.
= Other Considerations =
Whether these combinations make sense in terms of security and anonymity is hotly debated and depends on your personal threat model, see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN Tor plus VPN or Proxy]. Advanced tunneling configurations also require knowledge of how to properly edit ''/etc/network/interfaces'' on {{project_name_gateway_short}} and/or on {{project_name_workstation_short}}. In the case of [[Non-Qubes-Whonix|{{non_q_project_name_short}}]], this refers to the virtual internal network name in VirtualBox settings.
This process is generally difficult because there are no other anonymizing gateways (VPN / JonDo / I2P / Proxy / SSH / VPN) available for download in {{project_name_short}}, just the {{project_name_gateway_short}} which uses Tor to anonymize traffic. This means a search for instructions is often required and/or an anonymizing gateway must be built from scratch. [Instructions for a pfSense based VPN-Gateway can be found with search engines, but it is untested for leaks.]
For a VPN-Gateway, see also:
* [https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-6 VPN-Gateway]
= Forum Discussions =
* [https://forums.whonix.org/t/a-proxy-between-whonix-workstation-and-whonix-gateway-whonix-workstation-another-vm-whonix-gateway/10525 a Proxy between Whonix-Workstation and Whonix-Gateway (Whonix-Workstation -> another VM -> Whonix-Gateway)]
* https://forums.whonix.org/t/connecting-another-virtual-machine-to-the-same-nat-subnet-of-the-whonix-gateway-whonix-external/9052
* https://forums.whonix.org/t/how-to-add-a-proxyvm-between-anon-whonix-and-sys-whonix-whonix-ws-email-sys-fw-whonix-whonix-gw-sys-firewall-sys-net/2238
* https://forums.whonix.org/t/how-to-configure-tor-in-whonix-gateway-connect-to-other-vm-running-proxy/10727
* https://forums.whonix.org/t/whonix-gateway-stuck-at-5-bootstrapping-behind-pfsense-in-proxmox-default-route-10-0-2-2/23149
= Related =
* [[Tunnels/Introduction|Combining Tunnels with Tor]]
* [[Dev/Inspiration|Dev/Inspiration - Whonix]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]