How to get all whonix traffic to connect to a proxy after the tor network

webmazter · December 13, 2023, 11:53pm

I’d like to get all Whonix traffic to connect to a free socks5 proxy after it leaves the Tor network. I use Whonix on Qubes but I think you can treat this like a regular whonix question because I’d like to do it in the whonix gateway qube if possible so I don’t have to dedicate more resources to a new qube.

My understanding of a article hosted on this website, that I can’t link to because of forum rules, is that I need to do DNS queries directly if I want to do transparent proxying, but I don’t want the dns resolver to know my real IP, so is there another way?

extraextra · December 14, 2023, 7:36am

Proxy won’t know your real IP. Whatever you’re reading, you’re reading it wrong.

webmazter · December 14, 2023, 8:21am

The DNS resolver will. By the way, that was really insightful and helpful.

extraextra · December 14, 2023, 5:54pm

Unavoidable unless someone solves the hard issues already mentioned in the docs which seems highly unlikely after all of these years.

webmazter · December 15, 2023, 3:12am

I don’t know much about networking, nor programming, nor qubes but I know enough to know that it’s not impossible to run DNS through a proxy server.

extraextra · December 15, 2023, 8:20am

Then please contribute, improve the documentation. It’s an Open Source project. Hit the edit button, write and enlighten us how to do that.

Patrick · December 15, 2023, 9:56am

Related wiki page:

Related wiki chapter:
Connecting to Tor before a Proxy using Transparent Proxying Method chapter DNS resolution in Whonix wiki

Practically: No, there is no other known way to use transparent proxying and have the proxy resolve DNS instead of another known (you know the IP) DNS server.

Theoretically:

4 years of no commits to redsocks. And redsocks being unmaintained with unmerged pull requests complicates this issue further.

So unless you or somebody you pay (not me) steps up to maintain redsocks (or any alternative or yet to be invented solution) and add this feature this most likely won’t be happening.

You can post links now.

(Kicksecure Forums Usage Instructions, Best Practices and FAQ chapter Posting Links for New Users in Kicksecure wiki)

(Whonix is based on Kicksecure.)

webmazter · December 15, 2023, 3:33pm

Patrick, how does tor accomplish this then? Why does this work with a web proxy?

Is it not possible to do something called DNS over HTTPS and put that through the proxy?

If not, I don’t think it’s necessary to proxy my dns. The queries will already be going through tor, and all I’m trying to do is hide the fact that I’m using tor from websites that make life difficult if they see a tor exit node.

Patrick · December 15, 2023, 6:31pm

It is impossible to resolve DNS directly on the proxy, when using the proxy as a transparent proxy, see Transparent Proxying Method for explanation.

Updated documentation, elaborated on that just now.

This issue is unspecific to Whonix:

The only way to resolve it is most likely as per:

Question rephrase suggested. Now:

~~I’d like to get all Whonix traffic to connect to a free socks5 proxy after it leaves the Tor network.~~

Suggested:

How to transparently proxy all Linux traffic through to a socks5 proxy?