Bypassing Censorship in China, Iran & Russia: Tor Connectivity in QubesOS with Whonix
Apr 06, 2025

This guide explains how to connect to Tor in sys-whonix in QubesOS when operating in censorship-heavy countries like China, Iran, or Russia.

We will use Xray as a proxy. If you live in China or Iran, you need to use the VLESS REALITY protocol. If you live in Russia, VLESS TLS is enough (writing this in 2025). Please do not listen to bullshit on the internet telling you that you can connect to Tor using bridges. It’s unstable at best, and if you find or set up a working bridge, it will be blocked very soon.
Setup Steps
Open a terminal in dom0: search for “Terminal” in the applications menu.

- Create and start the Xray proxy StandaloneVM: I’m using the debian-12-xfce template. You can use any other Linux template. Update the template first, though.

  ```bash
  qvm-create --class StandaloneVM --label red --template debian-12-xfce sys-xray
  qvm-start sys-xray
  ```
- Install Xray:

  ```bash
  qvm-run sys-xray 'sudo useradd -M -r -s /usr/sbin/nologin xray'
  qvm-run sys-xray 'sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u xray'
  ```
- Configure Xray by editing `/usr/local/etc/xray/config.json` in sys-xray: Make sure “inbounds” has “listen” set to 0.0.0.0, “port” set to 1080, and “protocol” set to socks.

  ```json
  {
    "log": {
      "loglevel": "debug"
    },
    "routing": {
      "domainStrategy": "AsIs"
    },
    "inbounds": [
      {
        "tag": "socks-in",
        "listen": "0.0.0.0",
        "port": 1080,
        "protocol": "socks",
        "settings": {
          "auth": "noauth",
          "udp": true
        },
        "sniffing": {
          "enabled": true,
          "destOverride": ["http", "tls"],
          "routeOnly": true
        }
      }
    ],
    "outbounds": [
      // your VLESS connection
    ]
  }
  ```
- Restart Xray:

  ```bash
  sudo systemctl restart xray
  ```

- Verify the VPN connection:

  ```bash
  curl -x "socks5://127.0.0.1:1080" ifconfig.me
  ```

  This should output your VPN’s IP address.
- Configure Qubes networking policy: In dom0, add the following line to `/etc/qubes/policy.d/30-user-networking.policy` (if it doesn’t exist, create it):

  ```
  qubes.ConnectTCP +1080 sys-whonix sys-xray allow
  ```
- Configure Tor to use Xray as a proxy:
  - Go to Application Menu > Services > sys-whonix > Tor User Config
  - Add the following line:

    ```
    Socks5Proxy 127.0.0.1:1080
    ```
- Connect sys-whonix to sys-xray: One time:

  ```bash
  qvm-run sys-whonix 'qvm-connect-tcp 1080:sys-xray:1080'
  qvm-run sys-whonix 'sudo systemctl restart tor'
  ```

  Persistent (survives reboots): In **sys-whonix**, create `/rw/config/xray.socket`:

  ```
  [Unit]
  Description=xray proxy

  [Socket]
  ListenStream=127.0.0.1:1080
  Accept=true

  [Install]
  WantedBy=sockets.target
  ```

  In **sys-whonix**, create `/rw/config/xray@.service`:

  ```
  [Unit]
  Description=xray proxy

  [Service]
  ExecStart=qrexec-client-vm 'sys-xray' qubes.ConnectTCP+1080
  StandardInput=socket
  StandardOutput=inherit
  ```

  In **sys-whonix**, append to `/rw/config/rc.local`:

  ```bash
  cp -r /rw/config/xray.socket /rw/config/xray@.service /lib/systemd/system/
  systemctl daemon-reload
  systemctl start xray.socket
  ```

  In **sys-whonix**, run:

  ```bash
  sudo /rw/config/rc.local
  ```
- Verify Tor connection: Inside anon-whonix, run:

  ```bash
  curl https://check.torproject.org
  ```

  The `<title>` tag should contain “Congratulations. This browser is configured to use Tor.” Congrats indeed.
Btw you can use sys-xray to proxy your non-whonix qubes now too.
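
A pre-flight check for the `config.json` step above, to run in sys-xray before restarting Xray (an added example, not part of the original guide; the function names and the sample config are constructed here). It strips the `//` comment that the config template contains, which Python's JSON parser rejects, and reports any inbound setting that differs from what the guide asks for, or an `outbounds` list that still holds only the placeholder.

```python
import json
import re

# Constructed sample: the guide's config with the outbound placeholder left in.
SAMPLE = '''{
  "log": { "loglevel": "debug" },
  "inbounds": [
    { "tag": "socks-in", "listen": "0.0.0.0", "port": 1080, "protocol": "socks",
      "settings": { "auth": "noauth", "udp": true } }
  ],
  "outbounds": [
    // your VLESS connection
  ]
}'''

def strip_comments(text):
    """Drop // comments that sit outside JSON strings, so URLs in values survive."""
    token = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')
    return token.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def check_config(text, port=1080):
    """Return a list of deviations from the settings the guide's step names."""
    cfg = json.loads(strip_comments(text))
    problems = []
    socks = [i for i in cfg.get("inbounds", [])
             if i.get("protocol") == "socks" and i.get("port") == port]
    if not socks:
        problems.append(f"no socks inbound on port {port}")
    for inbound in socks:
        if inbound.get("listen") != "0.0.0.0":
            problems.append(
                f"socks inbound listens on {inbound.get('listen')!r}, "
                "the guide uses '0.0.0.0'")
    if not any(o.get("protocol") == "vless" for o in cfg.get("outbounds", [])):
        problems.append("no vless outbound: placeholder not replaced")
    return problems

if __name__ == "__main__":
    # On a real system, read /usr/local/etc/xray/config.json instead of SAMPLE.
    for problem in check_config(SAMPLE):
        print("PROBLEM:", problem)
```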
Troubleshooting
If you have any issues, hit me up on Twitter or Tox: FC31427EC043880C59BB875209462462558941F570BEF564F15CB6473F4A6146272986AD2CF8