Install Additional Software Safely
General Advice[edit]
Whonix ™ users are free to install their favorite software packages, but should be aware that additional software increases the attack surface
of the platform. Since Whonix ™ is a Debian derivative, new users should always follow Debian advice when installing or removing packages to avoid common mistakes which can break or destabilize the system.
Almost any application can be installed, with a few exceptions for programs that are impossible to torify. In addition, Whonix ™ provides:
- protection from IP and DNS leaks (see above for details)
- partial protection against protocol leaks and fingerprinting, but this is far from perfect
Users are responsible for trying to prevent any other protocol leaks using the "Torify: How-to" guide, but most of those are mitigated by Whonix ™.
- Read the protocol leak and fingerprinting protection entry first. It highlights useful information, like the fact that DNS and IP-related leaks do not apply to Whonix ™.
- Refer to the Tor Project's Torify: How-to which discusses various protocol leaks and how to mitigate them.
- Review the Tor Project's Transparent Proxy Leaks documentation, which is particularly relevant for users other custom workstations using Microsoft Windows.
Browsers[edit]
Warning:
In Whonix ™, for better anonymity it is recommended to use only Tor Browser for browsing the internet. Use of any browsers such as Chromium, Firefox, Opera or others is discouraged. Reasons for that are elaborated on the Tor Browser wiki page.
Whonix-Workstation ™ is Firewalled[edit]
Note: This section is relevant to server software or other advanced / uncommon applications.
The Whonix-Gateway ™ firewall [1] has several effects upon Whonix-Workstation ™.
Table: Whonix-Gateway ™ Firewall Effects
| Category | Notes |
|---|---|
| Additional Firewall Restrictions | The firewall on Whonix-Gateway ™ is very restrictive. It can be made even more restrictive by activating options within the firewall script. [2] It is possible to limit which outgoing ports are redirected to Tor's TransPort. Depending on user intentions, it could also be useful to remove all SocksPorts.
|
| DNS Requests | Standard DNS requests on UDP port 53 are redirected to Tor's DnsPort. [3]
|
| Incoming Connections |
|
| IPv6 | Tor only partially supports IPv6, although full implementation is likely in the near term. [4] This is not a Whonix ™-specific issue. [5]
|
| Server Services | Onion Services and/or Location Hidden Services can be hosted. |
| Tor Routing | All traffic originating from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [6] [7] [8] [9] [10] [11] [12] Refer to the footnotes for further information. |
| UDP | Tor does not support UDP. This is not a Whonix ™-specific issue. |
Related topics:
Install Software General[edit]
Since Whonix ™ is based on Kicksecure ™, the user can follow the instructions on Install Software on the Kicksecure ™ website.
Footnotes[edit]
- ↑ The firewall is found on Whonix-Gateway ™: /usr/bin/whonix_firewall
- ↑
## Optionally restrict TransPort. ## Replace above rule with a more restrictive one, e.g.: #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION" - ↑ If the DNS server is changed in Whonix-Workstation ™ /etc/resolv.conf, this will likely have no effect. The reason is the firewall on Whonix-Gateway ™ will redirect all those requests to Tor's
DnsPort. The working exception to this rule is when users tunnel / encrypt DNS requests (DNSCrypt, httpsdnsd), as per the secondary DNS resolver instructions. - ↑
The only missing elements at the time of writing were automatic client connections and inter-relay connections via IPv6. Bridges are fully supported. See also: IPv6 roadmap.
- ↑
https://phabricator.whonix.org/T509
- ↑
Since Whonix ™ version
0.2.1Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix ™ is hidden from persons or systems observing the network. - ↑ To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
- ↑
For reader interest: If DNS settings on Whonix-Gateway ™ are changed in
/etc/resolv.conf, this only affects Whonix-Gateway ™ own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt, systemcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own TorSocksPort(see Stream Isolation). - ↑
Whonix-Workstation ™ default applications are configured to use separate Tor
SocksPorts(see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for examplenslookup- will use the default DNS server configured in Whonix-Workstation ™ (via/etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway ™ firewall. Whonix-Gateway ™/etc/resolv.confdoes not affect Whonix-Workstation ™ DNS requests. - ↑
Traffic generated by the Tor process itself which runs by Debian default under user
debian-tororiginating from Whonix-Gateway ™ can use the internet normally. This is because userdebian-toris exempted in Whonix-Gateway ™ Firewall, allowed to use the "normal" internet. - ↑
The Tor software (as of
0.4.5.6) (and no changed were announced at time of writing) almost exclusively uses TCP traffic. See also Tor wiki page, chapter UDP. For DNS, see next footnote. - ↑
Tor does not require, use functional (system) DNS for most functionality. IP addresses of Tor directory authorities are hardcoded in the Tor software as per Tor upstream default. Exceptions include:
- proxy settings using proxies with host names rather than IP addresses
- the Tor pluggable transport meek lite to resolve domains used in setting
url=,front=to IP addresses.
Whonix ™
The most watertight privacy operating system in the world.
Follow us on social media
FREE · PLUS · PREMIUM Support
At Whonix we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.
Learn more.
Whonix ™ is supported by Evolution Host DDoS Protected VPS.
Whonix ™ is the most watertight privacy operating system in the world.
The personal opinions of
moderators
or
contributors
to the
Whonix ™
project do not represent the project as a whole.
By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements:
Terms of Service
,
Privacy Policy
,
Cookie Policy
,
E-Sign Consent
,
DMCA
,
Imprint
Whonix
ENCRYPTED SUPPORT LP,
2022
ENCRYPTED SUPPORT LP,
2022
Scan the QR code or use the wallet address below.
Hardened by Kicksecure ™