gateway as proxy for tor

I know that this has been many times discussed through several subject but I would like to know if it’s possible.
here: How to route Windows internal network to Whonix?
or here : Using whonix gateway as virtual access point

but would it be possible to open a third netword card, apply some rules, open the 9050 port in the rules of virtualbox and use it to reach the proxy. Like for example to get thunderbird reach tor with torbirdy through your gateway?

I know it’s not supported, I jsut want to know if it’s feasable or if you locked everything to render that impossible?

Whonix is Freedom Software.

In that tradition, Whonix doesn’t implement deliberate technical hurdles to prevent what advanced users and/or developers from custom modifications.

Feasible possibly yes.

third interface:

Whonix Firewall contains options to configure multiple interfaces.

Also then Tor config needs to be modified to bind on that IP.

But likely a third interface maybe isn’t even needed. Access Tor running inside Whonix-Gateway from the host was accomplished years ago. On https://www.whonix.org/wiki/Advanced_Documentation under Esoteric Issues we have this wiki page:

This is very esoteric and you probably don’t need it! Advanced users only!

Not tested since Whonix ™ 0.5.6. May or may not work. Might need changes for later versions.

Indeed. For reference:

1 Like

Thanks. Will cautious read the esoteric way and see if I have any question :slight_smile:
Thanks again

I can confirm that the solution through the first interface connected to NAT is working still hard and strong on whonix but with some modification since virtualbox change a bit or maybe I’m being too obessional.
it would be better to link the VM through a NAT network you created in place of NAT to have the ability to redirect ports. And when you redirect ports, it would be best to put the guest IP. I don’t know we didn’t do it before actually since if not, I don’t see how the process could know where to direct the packet.
I will try later for the third connection, I would find it less messy to pass it through in a third interface.

Redirect ports from where to where?


between the host and the VM-gateway. At least to let the possibility to do that for the user, don’t you think? Because if just NAT is selected then there is no port translation possible.

because I don’t know you but I managed several VM on my workstation and I use port translation a lot, and so since I use translation port a lot, I need to specify the guest IP to make the translation port to work.

And yes yes, I know, this configuration is not supported blablabla… But in the mean time, it’s not like it’s that complciated to activated the possibility.

By the way I wanted to document my experience and ask some quesitons in the mean time if I may.
So what I discover and what was not documented, is that you don’t use only one port for the use of the proxy apparently. Between gateway and workstation I mean.

  • hexchat is on 9101
  • tor browser seems on something else too
  • swtdate is on another one than 9050 too

so obviously you just opened the range to communicate or maybe you configured it in a specific file?

Another thing is that, since I had to activate the file 50_user.conf by filling it some information. I had’nt only need to put the guest ip adresse from the nat network I created for the VM.

  • But I also had to put for the gateway itself to be able to connect to apt mirrors for example
  • also the interface from internal network Whonix for the workstation to let it access TOR for the primary services like nslookup, apt , etc…

The problem now is that since every single one of the processes installed in the workstation has it’s own port number to communicate to the proxy, I can’t add them all to the file in the gateway VM, or it would be a long and heavy task.
So is it possible to open a range in place of “Socksport” and put 9000-9200 for example?

And more conceptual question, since without fill the file 50_user.conf with information it works fine, does that mean that because of filling this file, your configuration file got disabled or something like that?

Thanks in advance for all the enlightment you would be able to provide me.


Search Whonix source code.



General Tor question as per https://www.whonix.org/wiki/Free_Support_Principle
And no, I am not aware of such as Tor feature.
Consider posting a feature request against Tor.
You be able have to auto generate such a config file with a script.

Variables set in lexical lower configuration files will persist if they are not chaned in lexical higher configuration files.




source_config_folder() {
   shopt -s nullglob
   local i
   for i in /etc/whonix_firewall.d/*.conf /rw/config/whonix_firewall.d/*.conf; do
      bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
      if [ ! "$bash_n_exit_code" = "0" ]; then
         echo "Invalid config file: $i
   bash_n_exit_code: $bash_n_exit_code
   $bash_n_output" >&2
         exit 1
      source "$i"

simpler for illustration:

for i in /etc/whonix_firewall.d/*.conf ; do
   source "$i"

Okey so I4ve seen:
On Whonix-Gateway ™ in /usr/share/tor/tor-service-defaults-torrc are already a lot custom socks ports prepared for custom installed applications:

Without IsolateDestAddr and without IsolateDestPort: SocksPort to 9159
With IsolateDestAddr, but without IsolateDestPort: SocksPort to 9169
Without IsolateDestAddr, but with IsolateDestPort: SocksPort: to 9179
With IsolateDestAddr and with IsolateDestPort: SocksPort: to 9189
If those are not enough, you can add your own.

and indeed in this file there are a lot of custom ports. But so do you mean that I can’t fill anything in 50_user.conf because then the one in /usr/share is not read? So should I put a copy of this conf file into /usr/loca/etc/torc.d/ then?
Because in the end it’s not a firewall problem, or is the file in /usr/local/etc/torrc.d/ linked to the firewall configruation? I was under the impression that it was not since for that there is a part

Modify Whonix-Gateway ™ User Firewall Settings

in here

so my problem is really the proxy not the firewall. IT’s not listening to the ports described in usr/share . it only listens to the one in /usr/local/
So I’m going to make a copy paste from share to local but is this really the proper way? or am I missing something?





One of us is not understanding the point of the other one here.
Because for me you are not seeing what I’m trying to do which is :
-> just add a listening adress which is with the port 9050 for the host to be able to connect to it
Or maybe then I don’t get your point that you are trying to explain to me.
But that need to be in addition of all the others SockPort which are already configured and working when you do a fresh isntall.
As you know when you do a fresh install there is no problem for workstation to contact with hexchat the proxy through 9101 by default, etc…
When I just add the line in the 50_usr.conf file : SockPort then everything else goes to the toilet.

Sorry but I don’t understand the logic here. The common sense would say, since there are all those socksports already configured that means the proxy is meant to be versatile enough. So the basic configuration file shouldn’t be disabled but read after the 50_user.conf and all the rules should be applied unless there is a rule that is already mentioned in 50_user.conf and so this one will be applied in place of the specific one in share folder.

in your link it is well said:

This rule is simple for options that take a single value, but it can become complicated for options that are allowed to occur more than once: if you specify four SOCKSPorts in your configuration file, and one more SOCKSPort on the command line, the option on the command line will replace all of the SOCKSPorts in the configuration file. If this is not what you want, prefix the option name with a plus sign, and it will be appended to the previous set of options instead.

But I’m not using commandline to add my port here, just one line in the 50_user.conf file, so the other lines in the basic file shouldn’t be ignored. That’s what I’m not understanding.

Is it more clear?

https://www.whonix.org/wiki/Tor#Additional_SocksPorts tries to explain that.

I suggest to simplify the setup. Reproduce what you want outside of Whonix with Debian and Tor only. That way your question becomes a pure, non-Whonix related Debian/Tor question and you can ask Tor Project support about this.
As per https://www.whonix.org/wiki/Free_Support_Principle

Me too. Quote https://www.whonix.org/wiki/Tor#Additional_SocksPorts

Adding additional Tor SocksPorts to /usr/local/etc/torrc.d/50_user.conf is non-intuitive.


This implementation is purely up to Tor, not Whonix.

okey quick question then.

When you ever need a new SockPort… I do’nt know for a new VM linked to your gateway for example, what do you do?
Do you use the command line then ?

No, not command line.

Adding new SocksPorts hasn’t happened for a long time.

If I needed to do for whole of Whonix, these would be added here:


Otherwise I would re-read here https://www.whonix.org/wiki/Tor#Additional_SocksPorts and if that doesn’t work produce outside of Whonix (Debian and Tor only) and then contact The Tor Project in case of questions / bugs.

Also extra VMs don’t require new ports so this doesn’t come up either.

Quote https://www.whonix.org/wiki/Stream_Isolation

Multiple Whonix-Workstation ™ using different internal IP’s are automatically separated by Tor (IsolateClientAddr is Tor’s default).

okey I found the solution

in 50_user.conf
to not override completely your config file that you just mentionned, you need to put +SocksPort blablabla in place of SocksPort blablabla
Apparently just SocksPort is only within the same primary basic config file.

Well it depends if you want to isolate the traffic and put the VM on another internal network with other addressing schematics than the basic one you configured. Which yo udon’t do I know but that could be a usecase too.

May I dig a little deeper and take a bit much more of your time (You don’t need to answer it now). but what’s the hierarchy between all your config files in /usr/share/tor ?
Because there is the orig, the instances. I guess the anon is the main config file of the tor project that you modify for the whole whonix project right?

dpkg -S /usr/share/tor/*

tor-geoipdb: /usr/share/tor/geoip
tor-geoipdb: /usr/share/tor/geoip6
diversion by anon-gw-anonymizer-config from: /usr/share/tor/tor-service-defaults-torrc
diversion by anon-gw-anonymizer-config to: /usr/share/tor/tor-service-defaults-torrc.anondist-orig
tor: /usr/share/tor/tor-service-defaults-torrc
anon-gw-anonymizer-config: /usr/share/tor/tor-service-defaults-torrc.anondist
diversion by anon-gw-anonymizer-config from: /usr/share/tor/tor-service-defaults-torrc
diversion by anon-gw-anonymizer-config to: /usr/share/tor/tor-service-defaults-torrc.anondist-orig
tor: /usr/share/tor/tor-service-defaults-torrc-instances
ls -la /usr/share/tor/*

-rw-r--r-- 1 root root 4913550 Dec 16 09:56 /usr/share/tor/geoip
-rw-r--r-- 1 root root 3156350 Dec 16 09:56 /usr/share/tor/geoip6
lrwxrwxrwx 1 root root      35 Oct 11 00:55 /usr/share/tor/tor-service-defaults-torrc -> tor-service-defaults-torrc.anondist
-rw-r--r-- 1 root root   21243 Jan 25 08:28 /usr/share/tor/tor-service-defaults-torrc.anondist
-rw-r--r-- 1 root root     351 Dec 16 09:56 /usr/share/tor/tor-service-defaults-torrc.anondist-orig
-rw-r--r-- 1 root root     431 Dec 16 09:56 /usr/share/tor/tor-service-defaults-torrc-instances

Not by Whonix.

A symlink from


effectively to



Original by Debian. Was /usr/share/tor/tor-service-defaults-torrc and then renamed to /usr/share/tor/tor-service-defaults-torrc.anondist-orig.

This isn’t a manual process. Using config-pacakge-dev displace action.

By Debian. Used for running multiple Tor instance which can be enabled using systemd. I haven’t researched that yet. Not used in Whonix currently.

Whonix /usr/share/tor/tor-service-defaults-torrc in the git repository is file /usr/share/tor/tor-service-defaults-torrc.anondist which config-package-dev puts into the right place in a good way.

Check folder /usr/share/tor on Debian vs Whonix.
The other files there such as tor-service-defaults-torrc-instances by Debian make it look more complicated than it ought to be.

Tor upstream doesn’t support “proper” torrc.d/*.conf support yet. See torrc.d is comming
That’s why historically Whonix had to use /usr/share/tor/tor-service-defaults-torrc.

Once https://phabricator.whonix.org/T947 is implemented, Whonix can stop modifications of /usr/share/tor/tor-service-defaults-torrc which would be cleaner.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]