Configure “host -> ssh(encrypted socks5 proxy) -> Tor -> destination”

The goal is to create an encrypted connection all the way between host and tor exit node, while hiding the use of tor from the host isp and masking host network activity as ssh encrypted traffic when using whonix.

Inside whonix-gateway stop tor, then connect to a vps using ssh:

ssh -f -N -D 1080 vps-ip-address

This establishes an encrypted tunnel between whonix-gateway and the vps, creating a socks5 proxy inside whonix-gateway that tunnels all traffic to the vps encrypted (unlike using the vps directly as a socks5 proxy).

The host real ip address is exposed to the vps (ssh bypasses tor inside whonix-gateway).

Inside whonix-gateway open the tor configuration (gui or text file) and add it as the socks5 proxy to use “before connecting to tor”. If using the text file configuration, use:


This followed the instructions on the whonix wiki page: whonix.org/wiki/Tunnels/Connecting_to_SSH_before_Tor but there is no mention if it works with bridges, as I'm currently using obfs4 bridges.

Also, does using Socks5Proxy prevent tor from working if the socks5 proxy (vps) goes offline or the ssh connection drops?

Is this persistent after a reboot?

Is it correct to assume that now the isp only sees encrypted ssh traffic to/from the vps ip, and the tunnel is encrypted all the way to tor exit node?

(host -> ssh -> vps -> obfs4 bridge -> tor -> destination)

(also asked on tor stackexchange)

That is because bridge settings are unrelated. Tor config bridges + Tor proxy config changes are Tor questions as per Free Support for Whonix ™

Should. That is entirely up to Tor. Free Support for Whonix ™ applies.

Instructions for Edit Tor Configuration are persistent by default - unless you select to boot into live mode at grub boot menu.


No good idea.
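
Added example, not part of the thread or of the Whonix documentation: a small Python probe that checks whether the local `ssh -D 1080` listener, which Tor's Socks5Proxy setting would depend on, is still answering SOCKS5. Port 1080 comes from the ssh command in the question; the 127.0.0.1 bind address and the function name `probe_socks5` are assumptions made for this example.

```python
import socket

# Assumed values: ssh -D binds to loopback by default; 1080 is the port in the post.
PROXY_HOST = "127.0.0.1"
PROXY_PORT = 1080


def probe_socks5(host=PROXY_HOST, port=PROXY_PORT, timeout=3.0):
    """Return 'ok', 'down' or 'not-socks5' for the listener at host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Nothing accepts connections: ssh exited or was never started.
        return "down"
    with sock:
        try:
            # RFC 1928 greeting: version 5, one method offered, 0x00 = no auth.
            sock.sendall(b"\x05\x01\x00")
            reply = b""
            while len(reply) < 2:
                chunk = sock.recv(2 - len(reply))
                if not chunk:
                    break  # peer closed before sending a full reply
                reply += chunk
        except OSError:
            # Timeout or reset while waiting for the method-selection reply.
            return "not-socks5"
    # A SOCKS5 server accepting "no auth" answers with version 5, method 0.
    # The local ssh client sends this reply itself, so 'ok' shows the
    # listener is alive, not that the vps is reachable through it.
    return "ok" if reply == b"\x05\x00" else "not-socks5"


if __name__ == "__main__":
    status = probe_socks5()
    print(f"{PROXY_HOST}:{PROXY_PORT} -> {status}")
    raise SystemExit(0 if status == "ok" else 1)
```

The exit status is 0 only for `ok`, so the script can be called from a timer or watchdog that alerts when the tunnel process has gone away.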