Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) - old

Continuing the discussion from Connecting to JonDonym before Tor (User -> JonDonym -> Tor -> Internet):

I’m really thrilled to see this post, since I’m trying to do similar work these days and you offer a lot of helpful information!

What I’m doing can be called “Connecting to Lantern before Tor (User → Lantern → Tor → Internet) on Qubes-Whonix”. And I believe implementing that is very important for people in Tor-censored areas, especially China, who use Whonix, because:
1. Sadly, Tor Bridges and all kinds of Pluggable Transports provided by the Tor Project are no longer useful for circumventing Internet censorship in China;
2. OpenVPN, which does have an introduction in the Qubes docs, is completely censored by the GFW, so it is also impossible to use it to circumvent censorship. And I’m not aware of any reliable VPN to do that job (of course there are some VPNs working in China, but it is very likely they are all under the control and surveillance of the CCP);
3. Lantern (GitHub - getlantern/lantern) is one of the two effective tools on Linux to circumvent the censorship;
4. The other one is called Shadowsocks (Installation · shadowsocks/shadowsocks-qt5 Wiki · GitHub); however, it relies on a VPS built by the users themselves, so it is a little bit hard for normal people to use;
5. It is hard and extremely time-consuming for individuals to install Lantern in a VM themselves.

Apart from the most significant advantage, that Lantern makes Whonix usable in China, as far as I know there are some other benefits to using Lantern before Tor which may also apply to using JonDonym before Tor (correct me if I’m wrong):
1. The behavior Tor performs when connecting to the Tor network is very unique, so it is very easy for ISP-level adversaries to know the fact that you’re using the Tor network; by using Lantern/JonDonym to hide the fact that you’re using Tor, one can mitigate the risk of a correlation attack;
2. One (or more, with JonDonym) additional public hop might make it more difficult for an adversary to perform a trace-back attack?

Personally I prefer the idea of running Lantern in a separate ProxyVM, because Lantern is still in beta, and once it is compromised it could gain access to traffic that the Tor client has not encrypted yet if we installed it in sys-whonix.

I’ve been using Lantern before Tor in a VirtualBox-based Whonix. The way I implement it can be found in That's how I circumvent Tor sensorship in China. (And a more detailed version, but in Chinese, can be found on my blog:
二翔子的博客 (2xiangzi's blog): Whonix tutorial series [1]: How to download and install Whonix and get it online
) However, I do run into some problems when doing it on Qubes-Whonix, which you guys may be able to help with:

I installed lantern in a separate ProxyVM behind sys-whonix.

I make Lantern listen on all interfaces by using Privoxy:
Forward /

But then I run ‘netstat’, only to find “” instead of “”.

Although I can successfully ping the IP of the ProxyVM from sys-whonix, the port ProxyIP:8118 is unreachable. I’ve set the firewall of the ProxyVM to allow all connections, but it doesn’t help :(

Anyone have any suggestions please?


Whonix should definitely cater to Chinese users seeking internet freedom - that’s what this project is all about. Unfortunately learning Chinese doesn’t happen overnight so your translation efforts are much appreciated. I do worry that Whonix devs might get some additional unwanted attention from MSS - and they may not play by the same rules as US/European agencies (whatever those may be).

Just had a lengthy discussion about entry guards so I have a handy quote about this:

Here’s what arma (Roger Dingledine) wrote about that:

Our best bet would be to use an anonymity system to reach Tor – but even then whatever remains as the equivalent of the first hop would still need something like entry guards, assuming we’re aiming for a system that scales to millions of people and doesn’t involve having each user set up ‘trusted’ infrastructure (whatever trusted would even mean on this fine Internet we have).

So yes, it is a good idea to use another anonymity system with Tor if those entry guards are not monitored along with your current exit points. We don’t know how many Tor or JonDo Entries are evil or whether or not separate anonymity networks are cross-correlated with each other. (I don’t know anything about JonDo but it might be easier to control a larger portion of their Entries - legally, or otherwise).

It’s unlikely that anyone is performing trace-back attacks against Tor when it’s much easier to attack the ends.

Re: Lantern: I’m more interested in user -> tor -> lantern -> internet but I’ll take a look at your setup as well.

Not sure if this is what you meant, but FYI, using the Firewall settings in Qubes GUI affects the iptables of the netVM that the machine is connected to, not the machine itself. Example: if you have:
sys-net - proxyVM - whonix-gw - ubuntu

  1. sys-net has no firewall settings, because it’s not connected to a netVM.
  2. Changing proxyVM’s firewall settings, changes iptables rules on sys-net
  3. Changing ubuntu’s firewall settings does nothing because whonix doesn’t care.
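The following is an added example, not code from the thread or from the Whonix, Lantern or Privoxy projects. It wires together the layout from the first post (Lantern in its own ProxyVM, Privoxy in front of it bound on all interfaces, sys-whonix connecting to ProxyVM-IP:8118) and the firewall point made just above: because the Qubes GUI firewall edits the upstream netVM's rules, the ProxyVM's own INPUT chain has to accept the connection. Assumptions not stated in the thread: Lantern exposes a local HTTP proxy on 127.0.0.1:8787 (check Lantern's own startup output), the ProxyVM is a Qubes 3.x-era VM using iptables with the downstream VM attached through a `vif*` interface, and `/rw/config/rc.local` is used for persistence.

```shell
#!/bin/sh
# Added example, not from the thread or from the Whonix/Lantern/Privoxy projects.
# Lantern in its own ProxyVM, Privoxy in front of it on all interfaces,
# sys-whonix reaching ProxyVM-IP:8118.
# Assumptions (not stated in the thread): Lantern's local HTTP proxy is
# 127.0.0.1:8787; Qubes 3.x-era iptables with the downstream VM on a vif*
# interface; /rw/config/rc.local survives reboots.

LANTERN_PROXY="127.0.0.1:8787"   # assumption: verify against Lantern's output
PRIVOXY_PORT=8118

# Privoxy config fragment (append to /etc/privoxy/config): bind on every
# interface so the downstream VM can reach us, hand every request to Lantern.
privoxy_config() {
    cat <<EOF
listen-address  0.0.0.0:${PRIVOXY_PORT}
forward         /   ${LANTERN_PROXY}
EOF
}

# Read 'ss -ltn' or 'netstat -ltn' output on stdin and report how the given
# port is bound: "all" (0.0.0.0 or *), "loopback" (127.x), or "none".
# "loopback" is the symptom from the first post: Privoxy is up but only
# reachable from inside the ProxyVM. Both tools put the local address in $4.
listener_scope() {
    awk -v port="$1" '
        $4 ~ (":" port "$") {
            if ($4 ~ /^(0\.0\.0\.0|\*):/)              scope = "all"
            else if ($4 ~ /^127\./ && scope != "all")  scope = "loopback"
        }
        END { print (scope == "" ? "none" : scope) }'
}

# The Qubes GUI firewall changes the *upstream* netVM's iptables, not this
# VM's, so the ProxyVM must accept the inbound connection itself. Put this
# line in /rw/config/rc.local so it is re-applied at boot. Run as root.
allow_from_downstream() {
    iptables -I INPUT -i vif+ -p tcp --dport "$PRIVOXY_PORT" -j ACCEPT
}

# Run inside sys-whonix: ping only proves routing; this proves TCP/8118 is
# accepted and Privoxy answers. $1 is the ProxyVM's IP.
probe_proxy() {
    curl -sS --connect-timeout 5 -o /dev/null -w '%{http_code}\n' \
        -x "http://$1:$PRIVOXY_PORT" http://example.com/
}

# Usage (nothing below runs automatically):
#   In the ProxyVM:
#     privoxy_config | sudo tee -a /etc/privoxy/config; sudo systemctl restart privoxy
#     ss -ltn | listener_scope 8118      # must print "all", not "loopback"
#     sudo sh -c '. ./this_file; allow_from_downstream'
#   In sys-whonix:
#     probe_proxy <ProxyVM-IP>            # an HTTP status code, not a connect error
```

The `listener_scope` check is what the first post's netstat step is really asking: a listener on 127.0.0.1:8118 is correct Privoxy behavior with the default `listen-address`, and only the `0.0.0.0` binding makes the port reachable from sys-whonix. Even with that fixed, the probe from sys-whonix still fails until the ProxyVM's own INPUT chain accepts the connection, which is the part the GUI firewall setting cannot do for you.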

As a circumvention technique Lantern will have a very short life and blocking it will have zero collateral for Chinese censors. Lantern does not use advanced techniques to protect it from DPI like pluggable transports AFAIK. I saw a recent paper about it being blocked by the GFW as far back as 2013.

@2xiangzi please share your experiences about the blocking you are experiencing to Tor devs on their mailing list. They are always interested in your reports and part of the project’s work is dedicated to helping people living in censored areas.

obfsproxy 5 is in the works BTW.

No need to invoke privoxy.

I figured it out. The heavy lifting is done. Now it is up to you, the community and lantern to bring this solution from a proof of concept to a usable solution ready for production use.

blog post:

forum discussion:

Thank you entr0py for sharing your opinion and knowledge!

In my opinion, based on my observation, although Whonix is a great project, it is unlikely to be “cared about” by the CCP in the near future. That’s because, due to limitations on money/manpower, they can only focus on “high-value”, “easy-to-catch” targets (e.g. the author of Shadowsocks, who developed a very popular censorship circumvention tool without taking any anonymity precautions). So don’t worry too much :)

By the way, even if the Whonix project were under pressure, we shouldn’t self-censor, should we? :slight_smile:

Thank you for the useful information!

Using lantern behind Tor to avoid recaptcha may no longer be a good idea since recaptcha has appeared on at least google site when using lantern.

I’m curious about how you implemented using Lantern behind Tor. A way to do this is using Privoxy:
forward-socks5t / by default)

That’s great! Actually I did meet some difficulties when trying to set it up, which will be described later in this post: Connecting to Lantern before Tor (User -> Lantern -> Tor -> Internet) - new

That explanation is really clear and neat, thank you!

I agree with you that we have to assume every circumvention technique/tool has a short life, since to some extent their lives depend on the techniques used by the GFW. So I guess what we should do is not just develop a ‘Lantern-Gateway’, but a ‘Circumvention-Gateway’ which contains up-to-date circumvention tools that work in censored areas. (It will be a lot of work, I understand.)

That’s strange, since the fact is that Lantern works fine in China now, while the only pluggable transport that has survived is meek-amazon (which is not included in Whonix as far as I know).

That’s true.

Thank you for your advice!

I know censorship circumvention can be considered an upstream problem; however, there are other benefits of connecting Lantern before Tor, which makes it worth a try?

Well we try :slight_smile: We coordinate with Tor to package their latest and greatest transports for Debian so you can use them. meek should be available soon if not already AFAIK. Also keep an eye out for snowflake.

Not really. The performance and availability will be worse than using Tor bridges.