TrackHostExits - Whonix configuration

I’ve been struggling with exit IPs changing and logging me out of a site. Is there a secure way to access a site with exit IP that is secure from monitoring and that still allows for secure connections to sites. So you can use it for regularly visited sites without revealing your entry IP?



Consider reporting to website owner.

Any other workaround will be non-ideal. Workarounds:

Exits change every ten minutes when they are not used. You could reload the page every few minutes.


I’ll try your suggestion.

that’s good to know. Wouldn’t a page reload actually trigger a change of exits as well? Or is the exit change solely based on a clock system? Thanks for clarifying.

This is how I know it. Tor Project does make changes, so check behind me on what I tell you.

Exit changes are triggered by 10 minutes without activity by default. (You can see somewhere in the torrc man file.) That’s a tor client setting.

However, TBB uses stream isolation for different tabs. So a new tab will take a different path. That might not be true if a new tab is made from right-clicking an existing webpage.

1 Like

There is a torrc option just for this purpose, called “TrackHostExits”, where you can specify a list of domains for which Tor will reuse the same exit for that domain for as long as possible. There was some talk about deprecating it a while back, so I’m not sure if it still works or not.

In any case, if you use that option, make sure you set up a single-purpose gateway which you only use for visiting that particular site. The anonymity implications for using circuits longer than 10 minutes was never really understood or investigated, so it may make you stick out like a sore thumb. Also, due to a bug that option will completely break whonix’s stream isolation; the gateway will mix together all traffic from all its clients. That’s why it’s important you only use that gateway for one site at a time. TrackHostExits forces circuits to same exit, regardless of SOCKSPort isolation flags (#18200) · Issues · Legacy / Trac · GitLab

TrackHostExits host,.domain,…

For each value in the comma separated list, Tor will track recent connections to hosts that match this value and attempt to reuse the same exit node for each. If the value is prepended with a '.', it is treated as matching an entire domain. If one of the values is just a '.', it means match everything. This option is useful if you frequently connect to sites that will expire all your authentication cookies (i.e. log you out) if your IP address changes. Note that this option does have the disadvantage of making it more clear that a given history is associated with a single user. However, most people who would wish to observe this will observe it through cookies or other protocol-specific means anyhow.

TrackHostExitsExpire NUM

Since exit servers go up and down, it is desirable to expire the association between host and exit server after NUM seconds. The default is 1800 seconds (30 minutes).


It depends. If the TCP connection to the site is still open, the browser will just request the page over the existing connection. If the connection is closed, the browser will open a new connection, and in that case Tor is guaranteed not to use a circuit that was opened more than 10 minutes ago. It is up to the browser, and the server, how long they decide to keep the TCP connection open.

When a new circuit is built and used for the first time, a timer is started, and after 10 minutes, the circuit is marked as “dirty”. Tor won’t close any existing connections that are using that circuit, but it won’t route any new client connections through it. Therefore, you could have a connection still alive from hours ago, but any new connection must use a circuit younger than 10 minutes. The “new identity” button immediately marks all circuits dirty.

MaxCircuitDirtiness NUM

Feel free to reuse a circuit that was first used at most NUM seconds ago, but never attach a new stream to a circuit that is too old. For hidden services, this applies to the last time a circuit was used, not the first. Circuits with streams constructed with SOCKS authentication via SocksPorts that have KeepAliveIsolateSOCKSAuth also remain alive for MaxCircuitDirtiness seconds after carrying the last such stream. (Default: 10 minutes)

You could also hard code a single exit node into your torrc with ExitNodes:

ExitNodes node,node,…

A list of identity fingerprints, country codes, and address patterns of nodes to use as exit node---that is, a node that delivers traffic for you outside the Tor network. See the ExcludeNodes option for more information on how to specify nodes.

Note that if you list too few nodes here, or if you exclude too many exit nodes with ExcludeExitNodes, you can degrade functionality. For example, if none of the exits you list allows traffic on port 80 or 443, you won’t be able to browse the web.

Note also that not every circuit is used to deliver traffic outside of the Tor network. It is normal to see non-exit circuits (such as those used to connect to hidden services, those that do directory fetches, those used for relay reachability self-tests, and so on) that end at a non-exit node. To keep a node from being used entirely, see ExcludeNodes and StrictNodes.

The ExcludeNodes option overrides this option: any node listed in both ExitNodes and ExcludeNodes is treated as excluded.

The .exit address notation, if enabled via MapAddress, overrides this option

Again, any of these options may make your traffic stick out from the crowd, so use a dedicated gateway just for the sites where you need it.

If I’m not mistaken, this only applies when they are on different domains (technically, origins), not tabs. If you open in two tabs at the same time, you get the same exit address. Tabs of the same domain follow the regular isolation rules AFAIK.

1 Like

Thanks for clarifying.