MAC Address


MAC Address Spoofing and Tracking Threats

MAC Address Documentation


Redirection to Kicksecure Documentation

Incomplete: This wiki page is incomplete by design. It only includes details specific to Whonix. For full understanding, please follow the link below to the Kicksecure wiki, which provides more complete background and instructions.

  • Introduction: Whonix Documentation Introduction, User Expectations, Footnotes and References, User Expectations - What Documentation Is and What It Is Not
  • Whonix is based on Kicksecure: Whonix is built on top of Kicksecure. This means it uses many of the same security tools, design concepts, and configurations.
  • Kicksecure is based on Debian: Kicksecure is developed using Debian as its base. Debian is a widely used, stable, and free Linux operating system.
  • Inheritance: As a result, Whonix is also based on Debian.
  • Debian is GNU/Linux-based: Debian is built using the GNU/Linux operating system. GNU provides essential tools and Linux is the system’s kernel (core).
  • Shared documentation benefits: Since each system is based on the one below it, a lot of documentation and guides are shared. This reduces the need to duplicate information.
  • Inherited documentation: Most instructions and explanations are inherited from Kicksecure or Debian, unless otherwise specified.
  • Shared principles: The systems share similar security goals and setup instructions. In most cases, users can follow Kicksecure documentation when using Whonix.
  • Keep using Whonix: This does not mean users should switch to Kicksecure. This page only points to related, helpful information.
  • Where to apply the instructions: Follow the instructions inside Whonix unless specifically stated otherwise.
  • Comparison: Whonix versus Kicksecure
  • Documentation compatibility: Because Whonix is based on Kicksecure, you can often follow Kicksecure’s instructions as long as you apply them in the right place.
  • Summary: Whonix is built on top of Kicksecure, which itself is based on Debian. Debian is a GNU/Linux operating system. This layered design means Whonix inherits many features, tools, and documentation from both Kicksecure and Debian.
  • Click here: Visit the related page in the Kicksecure wiki for full documentation and background:

  • Note: Re-interpretation...
Apply the instructions inside Whonix, not inside Kicksecure.

Where the Kicksecure documentation says "Kicksecure: Perform these steps inside Kicksecure.", apply the steps inside Whonix-Workstation instead.

Where it says "Kicksecure for Qubes: Perform these steps inside Qubes kicksecure-17 Template.", use the whonix-workstation-17 Template for these steps instead.

Auto-connect Risk

Beyond the challenge of generating an appropriate spoofed MAC address, there are technical hurdles related to preventing automatic network connections.

A spoofed MAC address is ineffective if the computer automatically connects to a public network after booting, thereby exposing the real MAC address:

  • Physical Isolation: Whonix-Gateway automatically connects to Tor upon startup.
  • USB Wi-Fi Device: Automatic connections may occur depending on the configuration.
  • VM Users: The host operating system is likely to automatically connect to the internet for updates, time synchronization, or other background services.

Other Location Tracking Risks

Tor Entry Guard Fingerprinting

Addressing MAC address concerns is only one part of a broader location tracking problem. Users must also consider how Tor entry guards are used across different locations to avoid guard fingerprinting. To mitigate this risk, follow one of the recommended configurations:

  1. Clone Whonix-Gateway (sys-whonix) with New Entry Guards.
  2. Regenerate the Tor State File after Saving the Current Tor State.
  3. Configure Tor to use Alternating Bridges.
  4. If relocating permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.

To fully mitigate this threat, entry guard changes must be applied to every Tor instance on both the host (e.g., apt-transport-tor) and guest systems.

Using Personal Computers in a Public Network

Info: This applies to using a personal laptop, desktop, or any other internet-facing device in a public network.

In this scenario, the MAC address must be changed, and a new set of Tor entry guards should be configured. [1] Additionally, efforts should be made to obscure Tor usage from the network administrator. Depending on the user's setup, this may involve using an obfsproxy bridge or tunneling traffic through SSH or a VPN before connecting to the Tor network.

Depending on the threat model, changing the MAC address and using Tor may rule out revisiting the same public network. If reuse is needed, the user must choose between keeping the same MAC address and Tor entry guards or generating new ones.

If the network administrator is suspected of logging MAC addresses, changing the MAC may arouse suspicion. Conversely, if the network is sufficiently public and individual observation is unlikely, it may be safe to use a new MAC address each time -- one that features a popular vendor ID and a random second part.

For further discussion on this complex topic, see Dev/MAC.

Changing MAC Addresses

Whonix

TODO: Please help test and improve these instructions.

1. Edit the network interfaces file.

  • Standard-Whonix-Version (VM) users: Edit /etc/network/interfaces on the host.
  • Physical Isolation users: Edit /etc/network/interfaces on Whonix-Gateway.

2. Install macchanger.

In a terminal, run:

su

apt update && apt install macchanger

3. Change the MAC address.

Info: The following steps manually change the MAC address for a device. An example is provided for a wireless device (wlan0). Replace wlan0 with the appropriate device, such as an ethernet device (eth0).

su

ifconfig wlan0 down

macchanger -a wlan0

ifconfig wlan0 up

If the steps above do not work, the following method might work without macchanger. Replace wlan0 with the correct device name.

su

ifconfig wlan0 down

ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE

ifconfig wlan0 up

Alternatively, use iproute2 commands to change the MAC address.

ip link set down wlan0

ip link set wlan0 address 00:AA:BB:CC:DD:EE

ip link set up wlan0

4. Complete the MAC address change.

In the network interfaces file from step 1, below the line iface eth0 inet dhcp, add:

hwaddress ether 00:00....

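5. Optional: Automatically randomize the MAC address on boot.

To enable this, add the following line to the interface's stanza in the same file. The -e option keeps the vendor bytes and randomizes the rest: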

pre-up macchanger -e eth0

6. Modify network interface settings.

To prevent new network interfaces from being automatically activated, comment out the following line:

auto eth0

Then bring the interface up manually when it is needed:

sudo ifup eth0
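
The following check is an added example, not part of the Whonix wiki. It audits an ifupdown file for the result of steps 4 to 6: a MAC override in the interface's stanza and no automatic activation, which is the condition the Auto-connect Risk section depends on. The function name audit_iface and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Whonix code): audit an ifupdown file for steps 4-6.
# Prints one finding per line; returns 0 only when IFACE is not activated
# automatically and a MAC override is configured in its own stanza.
audit_iface() {
    awk -v ifc="$2" '
        /^[ \t]*#/ || NF == 0 { next }      # ifupdown comments are whole lines
        $1 == "auto" || $1 ~ /^allow-/ {    # auto / allow-hotplug activation
            for (i = 2; i <= NF; i++) if ($i == ifc) autoact = 1
            next
        }
        $1 == "iface" { in_stanza = ($2 == ifc); next }
        $1 == "mapping" || $1 ~ /^source/ { in_stanza = 0; next }
        in_stanza && $1 == "hwaddress" { mac = 1 }                     # step 4
        in_stanza && $1 == "pre-up" && $2 ~ /macchanger$/ { mac = 1 }  # step 5
        END {
            if (autoact) print "FAIL: " ifc " is activated automatically"
            else         print "OK: " ifc " needs a manual ifup"
            if (mac)     print "OK: " ifc " has a MAC override"
            else         print "FAIL: " ifc " has no hwaddress or macchanger pre-up"
            exit (autoact || !mac)
        }' "$1"
}

# Constructed sample files: a default layout and the layout after steps 4-6.
sample_dir=$(mktemp -d)
cat > "$sample_dir/before" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF
cat > "$sample_dir/after" <<'EOF'
auto lo
iface lo inet loopback

#auto eth0
iface eth0 inet dhcp
    pre-up macchanger -e eth0
EOF

audit_iface "$sample_dir/before" eth0 || echo "before: not ready"
audit_iface "$sample_dir/after" eth0 && echo "after: ready for manual ifup"
```

To check a real system, call audit_iface /etc/network/interfaces eth0; files pulled in through source lines are not followed.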

References

  1. This process involves removing the /var/lib/tor/state file.

License

Whonix MAC Address wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix MAC Address wiki page Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
