Install Additional Software Safely
Donate
Installing additional Software on Whonix. Safety considerations.
General Advice[edit]
Whonix users are free to install their favorite software packages.
Almost any application can be installed, with a few exceptions for programs that are impossible to torify
. In addition, Whonix provides:
- protection from IP and DNS leaks (see above for details)
- partial protection against protocol leaks and fingerprinting, but this is far from perfect
Users are responsible for trying to prevent any other protocol leaks using the "Torify: How-to" guide, but most of those are mitigated by Whonix.
- Read the protocol leak and fingerprinting protection entry first. It highlights useful information, like the fact that DNS and IP-related leaks do not apply to Whonix.
- Refer to the Tor Project's Torify: How-to which discusses various protocol leaks and how to mitigate them.
- Review the Tor Project's Transparent Proxy Leaks documentation, which is particularly relevant for users other custom workstations using Microsoft Windows.
Since Whonix is a Debian derivative, new users should always follow Debian advice when installing or removing packages to avoid common mistakes which can break or destabilize the system.
The user should be aware that additional software increases the attack surface of the platform.
Browsers[edit]
Warning:
In Whonix, for better anonymity it is recommended to use only Tor Browser for browsing the internet. Use of any browsers such as Chromium, 
Firefox
, Opera and others is discouraged. Reasons for that are elaborated on the Tor Browser wiki page.
Whonix is The Everything Tor operating system (OS). All internet traffic is routed through the Tor anonymity network, without exceptions. Whonix is the "All Tor Operating System", featuring reliable IP hiding.
This of course also includes Chromium, Firefox, Opera and other browsers. Due to Whonix's Watertight Privacy Architecture, Whonix provides the strongest protection of your IP address.
The reason why browsers other than Tor Browser are discouraged is because hiding your identity is harder than just hiding your IP. See also IP Hiding is an Outdated Threat Model. This is also elaborated on the Tor Browser wiki page.
Whonix-Workstation is Firewalled[edit]
Note: This section is relevant to server software or other advanced / uncommon applications.
The Whonix-Gateway™ firewall [1] has several effects upon Whonix-Workstation.
Table: Whonix-Gateway Firewall Effects
| Category | Notes |
|---|---|
| Additional Firewall Restrictions | The firewall on Whonix-Gateway is very restrictive. It can be made even more restrictive by activating options within the firewall script. [2] It is possible to limit which outgoing ports are redirected to Tor's TransPort. Depending on user intentions, it could also be useful to remove all SocksPorts.
|
| DNS Requests | Standard DNS requests on UDP port 53 are redirected to Tor's DnsPort. [3]
|
| Incoming Connections |
|
| IPv6 | Tor only partially supports IPv6, although full implementation is likely in the near term. [4] This is not a Whonix-specific issue. [5]
|
| Server Services | Onion Services and/or Location Hidden Services can be hosted. |
| Tor Routing | All traffic originating from Whonix-Workstation™ and Whonix-Gateway™ is routed over Tor. [6] [7] [8] [9] [10] [11] [12] Refer to the footnotes for further information. |
| UDP | Tor does not support UDP. This is not a Whonix-specific issue. |
Related topics:
Install Software General[edit]
Redirection to Kicksecure Documentation
- Introduction: Whonix Documentation Introduction, User Expectations, Footnotes and References, User Expectations - What Documentation Is and What It Is Not
- Whonix is based on Kicksecure™: Whonix is built on top of Kicksecure. This means it uses many of the same security tools, design concepts, and configurations.
- Kicksecure is based on Debian: Kicksecure is developed using Debian as its base. Debian is a widely used, stable, and free Linux operating system.
- Inheritance: As a result, Whonix is also based on Debian.
- Debian is GNU/Linux-based: Debian is built using the GNU/Linux operating system. GNU provides essential tools and Linux is the system’s kernel (core).
- Shared documentation benefits: Since each system is based on the one below it, a lot of documentation and guides are shared. This reduces the need to duplicate information.
- Inherited documentation: Most instructions and explanations are inherited from Kicksecure or Debian, unless otherwise specified.
- Shared principles: The systems share similar security goals and setup instructions. In most cases, users can follow Kicksecure documentation when using Whonix.
- Keep using Whonix: This does not mean users should switch to Kicksecure. This page only points to related, helpful information.
- Where to apply the instructions: Follow the instructions inside Whonix unless specifically stated otherwise.
- Wiki editors notice: This information is pulled from a reusable wiki template: upstream_wiki. (See which pages use this.)
- Comparison: Whonix versus Kicksecure
- Documentation compatibility: Because Whonix is based on Kicksecure, you can often follow Kicksecure’s instructions as long as you apply them in the right place.
- Summary: Whonix is built on top of Kicksecure, which itself is based on Debian. Debian is a GNU/Linux operating system. This layered design means Whonix inherits many features, tools, and documentation from both Kicksecure and Debian.
- Click here: Visit the related page in the Kicksecure wiki for full documentation and background:
- Note: Re-interpretation...
Kicksecure: Perform these steps inside Kicksecure.
Instead, apply the steps inside Whonix-Workstation.
Kicksecure for Qubes: Perform these steps inside Qubes
kicksecure-17Template.
Instead, use the whonix-workstation-17 Template for these steps.
Footnotes[edit]
- ↑ The firewall is found on Whonix-Gateway™: /usr/bin/whonix_firewall
- ↑
## Optionally restrict TransPort. ## Replace above rule with a more restrictive one, e.g.: #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION" - ↑ If the DNS server is changed in Whonix-Workstation /etc/resolv.conf, this will likely have no effect. The reason is the firewall on Whonix-Gateway will redirect all those requests to Tor's
DnsPort. The working exception to this rule is when users tunnel / encrypt DNS requests (DNSCrypt, httpsdnsd), as per the secondary DNS resolver instructions. - ↑
The only missing elements at the time of writing were automatic client connections and inter-relay connections via IPv6. Bridges are fully supported. See also: IPv6 roadmap.
- ↑
- ↑
Starting from Whonix version
0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network. - ↑ To preserve the anonymity of a user's Whonix-Workstation activities, it is not essential to route Whonix-Gateway's own traffic through Tor. (Note: The gateway is mainly a tool that helps route traffic; it does not typically contain personal activity data.)
- ↑
For those interested: altering DNS settings on Whonix-Gateway in
/etc/resolv.confonly impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. (DNS is like the internet's phonebook - it translates website names to IP addresses.) By default, no applications on Whonix-Gateway that generate network traffic use this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their dedicated Tor SocksPort(refer to Stream Isolation). - ↑
Whonix-Workstation's default applications are configured to use dedicated Tor
SocksPorts(see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such asnslookup- will use the default DNS server configured in Whonix-Workstation (through/etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor'sDnsPortby the Whonix-Gateway firewall. (This ensures DNS lookups still go through Tor even if they use the default method.) Changes in Whonix-Gateway's/etc/resolv.confdo not influence Whonix-Workstation's DNS queries. - ↑
Traffic produced by the Tor process, which by Debian's default operates under the user
debian-torand originates from Whonix-Gateway, can access the internet directly. This is permitted because the Linux user accountdebian-toris exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet. (This is necessary for Tor to establish its connections.) - ↑
As of Tor version
0.4.5.6(with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. (TCP is a common protocol used for stable internet connections.) For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote. - ↑
Tor does not depend on, nor use, a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. (That means Tor knows important addresses in advance and doesn't need to look them up.) Exceptions include:
- Proxy settings that use proxies with domain names instead of IP addresses.
- Some Tor pluggable transports, such as meek lite, which resolve domains set in
url=andfront=to IP addresses, or snowflake's-front.
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!