Continuing the discussion from Connecting to JonDonym before Tor (User -> JonDonym -> Tor -> Internet):
I’m really thrilled to see this post since I’m trying to do a similar work these days and you offers a lot of helpful information!
What I’m doing can be called “Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) on qubes-whonix”. And I believe the implement of that is very important for people in Tor-censored area, especially China, who use Whonix, because:
1. Sadly, Tor Bridges and all kinds of Pluggable Transports provided by Tor project are no longer useful for people to circumvent the Internet censorship in China;
2. OpenVPN which do have a introduction in Qubes Doc is completely censored by the GFW, so it is also impossible to use it to circumvent censorship. And I’m not aware of any reliable VPN to do that job (Of course there’re some VPN working in China but it is very likely they are all under the control and surveillance of CCP);
3. Lantern (https://github.com/getlantern/lantern) is one of the two effective tools on linux to cirvmvent the censorship;
4. Another one is called Shadowsocks (https://github.com/shadowsocks/shadowsocks-qt5/wiki/Installation), however, it relys on a VPS builed by the user themselves, so it is a little bit hard to use by normal people;
5. It is hard and extremely time-consuming for individuals to install lantern in VM themselves.
Apart from the most significant advantage that lantern makes Whonix useable in China, as far as I know, there’re some other benefit to use lantern before Tor which may also apply to use JonDonym before Tor (correct me if I’m wrong):
1. The behavior Tor performs when connecting to Tor network is very unique so that it is very easy for ISP-level adversaries to know the fact you’re using Tor network; By using Lantern/ JonDonym to hid the fact you’re using Tor, one can mitigate the risk of correlation-attack;
2. One(or more in JonDonym) more public hops might be more difficult for a adversary to perform a trace-back attack?
Personally I prefer the idea that using Lantern is a separated ProxyVM because lantern is still in beta version and once it’s compromised, it is able to gain the traffic data which hasn’t been encrypted by Tor client yet if we installed it in the sys-whonix.
I’ve been using Lantern before Tor in a vbox-based Whonix. The way I implement it can be found in That’s how I circumvent Tor sensorship in China. (And a more detailed version, but in chinese, can be found in my blog:
) However, I do meet some problem when doing it on Qubes-whonix which you guys may be able to help:
I installed lantern in a separate ProxyVM behind sys-whonix.
I make Lantern listen on all interfaces by using Privoxy:
Forward / 127.0.0.1:8787
But then I run ‘netstat’, only to find “127.0.0.1:Privoxy” instead of “0.0.0.0:privoxy”.
Although it can successfully ping the IP of the ProxyVM in sys-whonix, the port ProxyIP:8118 is unreachable. I’ve set the firewall of ProxyVM allow all connects but it doesn’t help:(
Anyone have any suggestions please?