Best practice for using socks5, obfs4 bridges, etc.?


I have configured a sys-vpn for my qubes using this tutorial:

“Set up a ProxyVM as a VPN gateway using iptables and CLI scripts”

I then set my sys-whonix vm to connect through the sys-vpn and it works perfectly.

Now I wish to take it a few steps further. I have my socks5 connection info from my VPN provider. What is the best practice for using socks5? Do I simply update my existing openvpn-config in my sys-vpn vm to use the socks5 connection instead of the regular one?

Also, I’ve been reading about obfs4 bridges. What is best practice for implementation of that? Can this be done in addition socks5? Part of my goal is to also avoid all relays and bridges which are in the US, is that possible?

Lastly, I’m trying to figure out how to configure my sys-whonix from attempting to connect to ANY clearnet url for any reason. Is this done at the vm level, template level, or Tor browser level, and how do I do that?



Configuring your VPN inside whonix gateway may be something that would interest you. It is a failed-closed config with another added bonus. It is also set up to prevent your VPN provider from seeing your clearnet traffic. This is a feature that your current config does not provide. If you are interested https://whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#Inside_Whonix-Gateway

That is not really a whonix specific issue. Your VPN provider should be able to help you out with that.

Also if you are planning to use your socks5 to download torrents. Please keep in mind that you should not be downloading torrents over Tor. It makes the network even slower than it already is.

To exclude using US relays you should put this configuration option in your torcc ( /etc/tor/torcc ) .

 ExcludeExitNodes US

You can find all the Tor configuration options ( including bridges ) at https://www.torproject.org/docs/tor-manual.html.en .

You may want to look at https://github.com/chris-barry/darkweb-everywhere. It is a fork of HTTPS Everywhere that will redirect you to the hidden service equvalent of a website if present.

Whonix Forcing Onion will show you how to configure it so you only connect to the whonix onion site when you want to visit the forum or docs.

This may not be what you are looking for but it may be helpful for the sites you visit frequently.


Hi anguilla1980

I wanted to add addition links that you may find useful if you are using VPNs , proxies, bridges etc…

Tor Project:
Using Tor with VPN, SSH, or proxy

Whonix wiki:
Comparison or Tor with CGI Proxies, Proxy Chains and VPN Services

Whonix wiki:
Using Bridges with Whonix

Whonix wiki:
Whonix Features



I believe I have correctly config’d for the obfs4 bridges in the torrc file of my sys-whonix vm located /etc/tor

The vm reports correctly after rebootign that it’s connecting to Tor then shows connected.

Is there a command I can run to verify that I am indeed connected using the obfs4 bridge and not just the usual Tor entry nodes?


I’m not sure if there is a specific command just for checking bridge connectivity.

I came across this this thread that may be helpful. The UseBridges 1 option in your torcc makes sure Tor only connects to bridges.

Whonix forum:

I hope this helps.


Thanks. Yeah, I have that command already, I have this before the bridges in my Torrc file:

DisableNetwork 0
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed

I’ll take a look at that thread for ideas on how to check.