Hide Tor and [[:Template:Project name]] use from the ISP
TODO: this page needs to be updated. See: Hiding Tor / Whonix is difficult beyond practicality![]()
Introduction
In many cases Template:Project name users are likely to be Tor "power users" who:
- Have higher security and anonymity goals than normal Tor users; and
- Often host Onion Services and pair other advanced configurations with Tor.
Various adversaries might ask themselves why individuals are choosing to adopt a hardened platform. Depending on your assessed threat model and location, government policies on Tor might necessitate the hiding of Template:Project name and/or Tor use from the Internet Service Provider (ISP).
General Advice
Table: General Advice
| Category | Description |
|---|---|
| Bridges Only | Using private and obfuscated bridges alone does not provide strong guarantees of hiding Tor use from the ISP. As Jacob Appelbaum has noted: [1] [2]
|
| Hide Tor Use |
Hiding the fact that you are a Tor user is difficult and you must be very careful. Some tips are below, but it is recommended to read this entire page:
|
| Hide Template:Project name Use |
For technical details, click on "Learn More" on the right side.
|
| VPN/SSH Strength | Using a VPN or SSH does not provide a strong guarantee of hiding Tor use from the ISP either. [3] VPNs and SSHs are vulnerable to an attack called website traffic fingerprinting. [4] |
Warnings
Table: Hiding Tor / Template:Project name Considerations
| Category | Description |
|---|---|
| Building from Source |
|
| Known VPN/SSH User | Consider whether the ISP knowing you are a VPN/SSH user is an acceptable risk. |
| Safe Configuration | Setup the SSH/VPN tunnel and/or private obfuscated bridges first -- depending on the desired configuration, read this entire section. |
| Secure Tor Download | Download Tor through a trusted ISP in your (home) country or through SSH/VPN, particularly before entering a hostile environment. |
| Secure Template:Project name Download |
|
| Secure Template:Project name Operation | From Template:Project name 7 onwards, it has been unnecessary to turn off the network connection before starting Template:Project name for the first time, [5] thanks to Template:Project name Setup Wizard - Connection Wizard and its sucessor Anon Connection Wizard. Therefore, hiding Tor / Template:Project name usage relies upon either a SSH/VPN or private obfuscated bridge, as outlined on this page. |
| Trusted Sources | If you think about it, how is it possible to obtain Tor Browser and obfuscated bridges and/or VPN/SSH without the ISP noticing? This is a classic chicken-and-egg problem. The answer is receiving these resources from a trusted source. This problem cannot be solved by Template:Project name and it is a Tor upstream question. |
Methods
Using a Proxy
It is impossible to safely use a proxy! The connection between the user and the proxy is unencrypted and this applies to all proxies: http, https, socks4, socks4a and socks5. [6] This means the ISP can still clearly see that connections are made to the Tor network. This fact is only mentioned here because proxies are constantly (falsely) suggested as a solution whenever this topic comes up in public arenas.
Using SSH or VPN
See the Warnings above first. By default all Template:Gateway product name traffic is routed through Tor, meaning that traffic must first be routed through SSH/VPN. To tunnel all Tor-related traffic this way:
- See Combining Tunnels with Tor and ignore the proxy-related material.
- Next read:
Either of these configurations will hide Tor use from the ISP. If the server is outside a national firewall, then this is also a way to circumvent Tor censorship.
If zero trust is placed in any SSH or VPN providers, then anonymously host your own in a safe place. However, this cannot be hosted in the same location where you want to hide Tor -- a safe, remote place is required which has a different IP from your own.
Using Private and Obfuscated Bridges
See the Warnings above first. Anon Connection Wizard can configure Tor to use private and obfuscated Bridges. This will make it harder for ISPs and national firewalls to detect and block Tor, but it does not prevent a determined and well-resourced adversary from finding out that you are using Tor; research is ongoing, see obfsproxy.
Footnotes
We believe security software like Whonix needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 14 year success story and maybe DONATE!
- ↑ https://mailman.boum.org/pipermail/tails-dev/2013-April/002950.html

- ↑ http://www.webcitation.org/6G67ltL45

- ↑ Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Comparison_of_Tor_and_VPN_services
- ↑ For a reference for website traffic fingerprinting, see VPN/SSH Fingerprinting

(w)

.
- ↑ In previous versions (up to Template:Project name v0.5.6) this was necessary to prevent connections to the public Tor network.
- ↑ Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN_Services