From Whonix
< Dev
Jump to navigation Jump to search

Whonix-Gateway Detailed Design Documentation


Whonix-Gateway MUST NOT be ever used for anything other than running Tor on it.

If this machine is compromised the identity (public IP), all destinations and all clear-text (and onion service) communication over Tor is available to the attacker.

Our first goal in securing the Whonix-Gateway is minimizing its attack surface. By installing a "minimal system", the only attack surface to an remote attack is Tor itself, apt, onion-grater and sdwdate. You can verify this with netstat.

Security features that do not prevent exploitation but only restrict what exploits can do, such as chrooting or sandboxing, do not make much sense: A compromise of Tor already results in a compromise of everything the user cares about.

Compile time hardening (see Bug #5024: compile time hardening of TBB (RELRO, canary, PIE) should be done by the Tor package contributor and is beyond the scope of Whonix.

Debian is a good compromise of security and usability. More secure and hardened Linux or BSD based options do exist but they require too much work and/or maintenance to be considered for Whonix. The Dev/Operating System design page elaborates on that topic.

Having said this, you are welcome to use your own distro. The Whonix design is distro agnostic. You just won't be able to thoughtlessly copy and paste commands or to use the source without modifications.

Graphical Whonix-Gateway benefits over Headless Whonix-Gateway[edit]

In the non-graphical version of Whonix-Gateway, it is difficult for users who have never used Linux before to complete tasks like upgrading or configuring obfuscated bridges. Many activities are simpler and easily accessible in a graphical Whonix-Gateway, such as:

A black, text-only window (terminal) is intimidating for normal users. A graphical desktop environment is also a prerequisite for further planed improvements, such as the proposed graphical Whonix which will provide buttons such as:

  • "Create hidden blog", which creates a pre-configured blog.
  • "Backup onion service keys".
  • A Better Circumvention User
  • And more.
  • Also, terminal-only environments can be impractical for users with disabilities.

Headless / CLI (Terminal) Whonix-Gateway[edit]

Info Non-Qubes-Whonix only.

If a user believes the graphical Whonix-Gateway is using too much RAM, or if a terminal version of Whonix-Gateway is generally preferred, then headless Whonix is available: see Whonix for VirtualBox with CLI.

Alternatively, Whonix for VirtualBox with Xfce RAM can be reduced to 256 MB and RAM Adjusted Desktop Starter will automatically boot into a terminal version of Whonix-Gateway.

When building Whonix images from source code, both Whonix VirtualBox and Whonix KVM support build script parameter --flavor whonix-gateway-cli. [1]


  1. Equivalent for Whonix-Gateway --flavor whonix-workstation-cli also exists.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!