{{Title|title=
Stream Isolation: Easy
}}
{{Header}}
{{#seo:
|description={{project_name_long}} Tor Stream Isolation Short Introduction
|image=Streamisolationme.jpg
}}
<div class="mininav">
* [[Stream_Isolation/Easy|short stream isolation summary]]
* [[Stream Isolation|all information below]]
</div>
[[File:WhonixStreamIsolation.jpg|thumb|New illustrative {{project_name_short}} stream isolation image with 4 Tor relays. (Instead of 3 in the past.) See also [[vanguards]].]]
{{intro|
{{project_name_short}} Tor Stream Isolation Short Introduction
}}

Applications such as [[Tor Browser]], <code>ssh</code>, <code>gpg</code>, <code>wget</code>, <code>curl</code>, <code>git</code>, and <code>apt</code> are configured for stream isolation by default; the full list can be found [[Stream_Isolation#List|here]]. The advantage of this configuration is that these applications will take different paths through the [[Tor]] network and will therefore be more anonymous, since it protects against identity correlation through Tor circuit sharing. <ref>If stream isolation is not enforced, different activities conducted in separate applications may pass through the same Tor circuit and exit relay, correlating these activities to the same pseudonym.</ref>

This arrangement comes with a small usability impact in corner cases:

* For some tunnels it may be necessary to disable stream isolation -- this is covered in the [[Tunnels/Introduction|Combining Tunnels with Tor]] chapter.
* <ref>
It <u>might</u> be required to [[Stream_Isolation#Deactivate_Stream_Isolation|disable stream isolation]] for applications that require local connections. For example, this is the case for opening a local ssh listener:
** If the following command is run: <code>ssh 10.152.152.11</code>, <code>uwt</code> will actually execute <code>torsocks /usr/bin/ssh.anondist-orig 10.152.152.11</code>. In this case, traffic would flow though <code>torsocks</code> via a Tor <code>SocksPort</code>. This will fail for local connections and lead to the following error message:
*** <blockquote>libtorsocks(12021): connect: Connection is to a local address (10.152.152.11), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to https://gitweb.torproject.org/torsocks.git/ if this is preventing a program from working properly with torsocks</blockquote>
** This is possibly no longer required thanks to the {{project_name_short}} default [https://github.com/Whonix/uwt/blob/master/etc/tor/torsocks.conf.anondist <code>/etc/tor/torsocks.conf</code>] configuration file which sets <code>AllowOutboundLocalhost 1</code>.

<pre>
# Set Torsocks to allow outbound connections to the loopback interface.
# If set to 1, connect() will be allowed to be used to the loopback interface
# bypassing Tor. If set to 2, in addition to TCP connect(), UDP operations to
# the loopback interface will also be allowed, bypassing Tor. This option
# should not be used by most users. (Default: 0)
AllowOutboundLocalhost 1
</pre>
</ref>

Further information:

<div class="mininav">
* [[Stream_Isolation|Learn more about stream isolation]]
* [[Stream_Isolation/Disable_Easy|Disable stream isolation: easy]]
* [[Stream_Isolation#Deactivate_Stream_Isolation|Disable stream isolation: more options]]
</div>

= Footnotes =

{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]] [[Category:Design]]