Anonymize Other Operating Systems

From Whonix
(Redirected from OtherOperatingSystems)
Jump to navigation Jump to search

Anonymize any operating system such as Debian, Ubuntu, Microsoft Windows or others.

Whonix-Gateway supports torification of any operating system, such Debian, Kicksecure, Ubuntu, Android or even Microsoft Windows and others by setting up a Whonix-Custom-Workstation.

A Whonix-Custom-Workstation is a VM that does not run the recommended, "normal" Whonix-"Default"-Workstation but instead runs a custom operating system such as Debian, Kicksecure, Ubuntu, Android or even Microsoft Windows.

Info COMMUNITY SUPPORT ONLY : THIS WHOLE WIKI PAGE is only supported by the community. Whonix developers are very unlikely to provide free support for this content. See Community Support for further information, including implications and possible alternatives.

Custom-Workstation Security Introduction[edit]

Info COMMUNITY SUPPORT ONLY : THIS WHOLE WIKI PAGE is only supported by the community. Whonix developers are very unlikely to provide free support for this content. See Community Support for further information, including implications and possible alternatives.

Using a default workstation is easier and provides more Security out of the box! It is the user's responsibility to get the same security features for a Whonix-Custom-Workstation, see Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation at the bottom of the page for details.

Also note that it's strongly discouraged to anonymize VMs that have ever been connected to the clearnet, meaning without Tor. It is conceivable that the custom operating system creates unique identifiers or another unique fingerprint such as network or browser fingerprint. Such fingerprints can lead to de-anonymization even if a VM that was used over clearnet at least once is later used over Tor. In other words, it is highly recommended to configure custom operating systems to use Whonix-Gateway to ensure that Tor is always consistently used.



Microsoft Windows XP, Vista, 7, 8, 10 are known to work behind Whonix-Gateway. While it is possible, it is not recommended and only for advanced users. This is because, there are issues with Windows. Those are not Whonix issues. Whonix developers cannot fix those issues. One issue is, that Windows is closed source. Rather, Windows is affected by Transparent Proxy and other issues. For more information and depending on your security requirements, read the following chapters.


Configure network.

  • Windows 11: Cannot change networking settings according to the following documentation? Check this Then use the settings below.
  • For Windows 7 (similar in Windows XP): In Control Panel → Network and Sharing Center: click on "Change adapter settings" Right-click on local area connection > properties In property window: double-click Internet Protocol Version 4, use the following settings:

## increment last octet of IP address on additional workstations IP address Subnet netmask Default gateway Preferred DNS server

Download operating system updates.

Tor Browser Settings[edit]

Warning: Untested and unfinished. Please contribute by testing and finishing these instructions.

To Help finish instruction to Prevent Tor over Tor when using Tor Browser in Windows-Whonix-Workstation, click on Expand on the right.

These steps are required to use Tor Browser when operating a Whonix-Custom-Workstation, specifically a Windows-Whonix-Workstation.

1. Install Tor Browser.

2. Use Tor Browser without bundled Tor.

Create a new text file in the folder where Tor Browser was extracted. For example, the file could have the following name.

Start TB without Tor.bat

Add the following content to that file. [1]


"Start Tor Browser.lnk"


3. Configure network settings.

Start Tor Browser.

The following links for removing and changing proxy settings do not apply one-to-one for Windows! Removal of proxy settings is best avoided, while changing proxy settings is a better choice.

How this is accomplished on Windows is currently undocumented, but user contributions to finish these instructions are most welcome.

4. Figure out missing instructions.

Missing instructions need to be ported from Linux-specific to Windows-specific, see Whonix-Linux-Workstation#Tor Browser Settings.

5. Done.

The process has been completed.


Create a new FreeBSD VM on VirtualBox

VirtualBox → Machine → New → Next → Enter Name (for example: myVM) → Enter Operating System and Version → Next → define RAM → Next → create a new hdd (or not) → Next → disk format doesn't matter, VDI works fine however → Next → dynamically or fixed size is a matter of preference → Next hdd size and location is a matter of preference → Next → Create

Install FreeBSD and upgrade it

This is necessary as freebsd-update or pkg do not support socks.

## Base OS patches as root root_shell> freebsd-update fetch install #Application updates root_shell> pkg upgrade

You will need a http proxy chained to tor gateway to torify pkg or freebsd-update, else you risk loosing patches. Use one of privoxy/proxychains/tsocks when using the Whonix-Gateway.

Install necessary applications.

root_shell> pkg install privoxy

After this shutdown the VM.

root_shell> shutdown -p now

Change the VirtualBox VM settings

Choose the newly created VM (for example: myVM) → Settings → System → Motherboard → Hardware Clock in UTC

System → Motherboard → Pointing Device → PS/2 Mouse (required so that USB controller may be disabled)

System → Processor → Enable PAE/NX if available

Network → Adapter 1 → attached to Internal Network (Important!)

Network → Adapter 1 → Name (of Internal Network) (Important!): Whonix (Note: It is Whonix, not whonix. Case sensitive. Capital W.)

USB → uncheck Enable USB controller

→ OK

Start VM and proceed to configure the OS inside the VM.

Configure network.

In your Custom-Workstation. Open a terminal and edit as a privileged user /etc/rc.conf

You need to configure a single interface, here it is em0, there should not be any other 'ifconfig' statements:

## Increment the octect of IP address for configuring other workstations. ifconfig_em0="inet netmask" defaultrouter=""

For the address resolution to work. Open file /etc/resolv.conf in an editor with root rights.


This box uses sudoedit for better security.


NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

and delete everything, then add


Restart network service:

root_shell> service netif restart

Confirm changes by running ifconfig.


Note: Chapter Whonix-OpenBSD-Workstation not tested, reviewed by Whonix developers. Documentation contribution by anonymous user.

If you are interested, please press expand on the right side.

1. Download OpenBSD iso.

Go to:

Download installXX.iso (current version: install67.iso) from and the SHA256 and SHA256.sig files.

2. Verify OpenBSD iso.

In Whonix-Workstation or Debian-based systems. Install the signify-openbsd package. sudo apt update sudo apt install signify-openbsd

Install OpenBSD keys. The version in buster only contains older keys, so install a newer version of the signify-openbsd-keys package. Temporarily replace your stable repository with testing: sudo sed -i s/bookworm/testing/g /etc/apt/sources.list.d/debian.list

sudo apt update sudo apt install signify-openbsd-keys

Change your repositories back to stable.

sudo sed -i s/testing/bookworm/g /etc/apt/sources.list.d/debian.list

Change directory to where you downloaded install67.iso, SHA256, and SHA256.sig. cd /home/user/Downloads

Verify OpenBSD iso.

signify-openbsd -C -p /usr/share/signify-openbsd-keys/ -x SHA256.sig install67.iso

Must show

install67.iso: OK

3. Begin installation of OpenBSD.

Create, configure and boot your virtual machine from install67.iso according to instructions specific to your hypervisor.

Note: This guide assumes two virtual disks, one for the system and one for the /home partition.

4. Install OpenBSD.

Once the system boots from the iso, you will be prompted by:

Welcome to the OpenBSD/amd64 6.7 installation program. (I)nstall, (U)pgrade, (A)utoinstall, or (S)hell?

Type I to install and press Enter.

Choose your keyboard layout ('?' or 'L' for list) [default]

Keep default and press Enter.

System hostname? (short form, e.g. 'foo')

Type host and press Enter.

Which network interface do you wish to configure? (or 'done') [xxx0]

Press Enter.

IPv4 address for xxx0? (or 'dhcp' or 'none') [dhcp]

Note: xxx0 will be something else instead, em0 or specific to your hypervisor.

Qubes-Whonix: Enter address of the VM (can be viewed in the qube's settings).


Netmask for xxx0? []



IPv6 address for xxx0? (or 'autoconf' or 'none') [none]

Keep none and press Enter.

Which network interface do you wish to configure? (or 'done') [done]


DNS domain name? (e.g. '') [my.domain]

Enter localdomain.

DNS nameservers? (IP address list or 'none') [none]

Qubes-Whonix: Enter address of your Whonix-Gateway (can be viewed in the qube's settings).


Password for root account? (will not echo)

Type your desired root password.

Start sshd(8) by default? [yes]

Type no and press Enter.

Do you expect to run the X Window System? [yes]

Keep default and continue.

Do you want the X Window System to be started by xenodm(1)? [no]

Keep default and continue.

Setup a user? (enter a lower-case loginname, or 'no') [no]

Enter user.

Available disks are: sd0 sd1 sd2 Which disk is the root disk? ('?' for details) [sd0]


Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]


Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a]

E to edit, because /usr will need more space than the default.


Type h or ? for help.

Type p M to print the disk layout in megabytes.

Type d e to remove the /home partition (you will set it up on another disk).

Type w to write label to disk.

Type m d to modify the /usr partition and expand it.

offset: [xxxxxxx]

Keep and press Enter.

size: [xxxxxxx]

Enter your desired size here, either in bytes or megabytes, at least 5120.0M or more recommended.

FS type: [4.2BSD]

Keep and press Enter.

mount point: [/usr]

Keep and press Enter.

w to write label to disk.

p M again to print the disk layout in megabytes and make sure the changes were written correctly.

q to quit and save changes.

Which disk do you wish to initialize? (or 'done') [done]

Enter sd1

Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]

E to edit.

Type edit 0

Type A6 and press Enter.

Do you wish to edit in CHS mode? [n]

Keep n.

Partition offset [0 - xxxxxxx]: [0]


Partition size [1 - xxxxxxx]

Type your desired size or use the maximum and enter.

w to write changes to disk.

quit to save changes and exit.

Label editor (enter '?' for help at any prompt)

p M to print the disk layout in megabytes.

Type a to add a partition.

offset: [0]


size: [xxxxxxx]

Type desired size in megabytes or use the maximum and enter.

FS type: [4.2BSD]


mount point: [none]

Type /home and press Enter.


w to write changes to disk.

q to save changes and exit.

Which disk do you wish to initialize? (or 'done') [done]


Proceed with the installation.

Directory does not contain SHA256.sig. Continue without verification?

yes can be typed safely (explained in OpenBSD installation FAQ).

What timezone are you in? ('?' for list)

Enter UTC.

Exit to (S)hell, (H)alt or (R)eboot? [reboot]


5. Configure Whonix-OpenBSD Workstation.

Login as root.

Connect the Whonix-OpenBSD workstation to the Gateway.

Run vi /etc/mygate

Press a to append text and type the address of the Whonix-Gateway.


Press Esc.

Type :w to write the file. Type :q to exit.

vi /etc/ntpd.conf

a to append text, then comment all lines. They will not be needed as Kicksecure logo ntpd is broken behind Whonix-Gateway The Web Archive Onion Version .

:w to write the file. :q to exit.

rcctl disable ntpd to prevent it from starting.

Configure network interface. ls /etc

Should show a file hostname.xxx0.

vi /etc/hostname.xxx0

Change the cursor position to the end of inet [address of VM] and hold x to delete everything after inet [address of VM] Instead append, enter a new line, and type

Non-Qubes-Whonix: netmask

Qubes-Whonix: netmask

Esc, :w, :q.

Run sh /etc/netstart to apply the changes.

6. Install system updates.

Run syspatch


7. Optional: Install a desktop environment (Xfce used as example here.)

As root: pkg_add xfce consolekit2 slim slim-themes

Configure Xfce.

touch /etc/rc.conf.local /etc/rc.local /root/.xinitrc /home/user/.xinitrc echo "exec /usr/local/bin/ck-launch-session /usr/local/bin/startxfce4" >> /root/.xinitrc echo "exec /usr/local/bin/ck-launch-session /usr/local/bin/startxfce4" >> /home/user/.xinitrc echo 'pkg_scripts="messagebus avahi_daemon"' >> /etc/rc.conf.local echo "/etc/rc.d/slim start" >> /etc/rc.local

8. Optional: Install packages to increase usability.

As root: pkg_add bash sudo nano

Allow user to use sudo.

As root, run: visudo /etc/sudoers

Uncomment the line. %wheel ALL=(ALL) SETENV: ALL

Optional: Change shell to bash. As root: chsh -s /usr/local/bin/bash

Repeat for user user.

9. Install torsocks. sudo pkg_add torsocks

Tor will be installed as a dependency. To prevent it from automatically starting, comment the line RunAsDaemon 1

in /etc/tor/torrc.

Configure torsocks.

sudoedit /etc/torsocks.conf or sudo nano /etc/torsocks.conf

Make sure the following lines are present and uncommented:

TorAddress [address of Whonix-Gateway] TorPort 9050


Select your platform.

1. Create a new VM.

2. Set sys-whonix as your VM's NetVM.

Qube Managerright-click vm-nameNetVMsys-whonixOK [2]

Virtualizer Information

Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes Whonix KVM, Whonix VirtualBox and Whonix Physical Isolation.

Download and Use the Default Whonix-Gateway

Download and import the Whonix-Gateway using the same procedure as per the Whonix-Default / Download-Version. No other Whonix-Gateway changes are required in this case!

Set up a Whonix-Custom-Workstation

There are currently two ways to set up a Whonix-Custom-Workstation. Either:

  • A) Manually create a VM (established, old method), or
  • B) Download and import a Whonix-Custom-Workstation (stable method).

A) Users who want to manually create a VM using the established and old method, click on Expand on the right.

Platform Specific Notice:

1. Create a VirtualBox VM

Follow these steps in order:

VirtualBoxMachineNewNextEnter Name (for example, myVM)Enter Operating System and VersionNextDefine RAMNextCreate a new HDD (or not)NextDisk format doesn't matter (VDI works well)NextSet dynamically or fixed size preferenceNextSet HDD size and location preferenceNextCreate

2. Switch VirtualBox VM Settings

Follow these steps in order:

  • Choose the newly created VM (for example, myVM)SettingsSystemMotherboardHardware Clock in UTC
  • SystemMotherboardPointing DevicePS/2 Mouse (required to disable the USB controller)
  • SystemProcessorEnable PAE/NX (if available)
  • NetworkAdapter 1Attached to Internal Network (important!)
  • NetworkAdapter 1Name (of Internal Network) (important!): Whonix [3]
  • USBUncheck Enable USB controller
  • OK

B) Users who want to download and import a Whonix-Custom-Workstation template using the stable method, click on Expand on the right.


This method's advantage is that there is need to manually create a new VM. The process is greatly simplified; the Whonix-Custom-Workstation only needs to be downloaded and imported. This approach has several benefits: it is easier, all security settings are set for the VM, and users don't have to remember and apply necessary settings.

Platform Specific Notice:

1. Download the Whonix-Custom-Workstation

The latest Whonix-Custom-Workstation Version is:

Although the version number for Whonix-Gateway and Whonix-Default / Download-Version might be far higher than the Whonix-Custom-Workstation version, this is normal. [4]

Download the following image.

Download Whonix-Custom-Workstation (FREE!) WINDOWS OSX LINUX

2. Download the OpenPGP Signature

Download the corresponding OpenPGP signature.

Download Whonix-Custom-Workstation OpenPGP signature (FREE!) WINDOWS OSX LINUX

3. Verify the Whonix Image

Follow these steps to verify the Whonix image.

4. Import and Rename the Virtual Machine

After importing the image, rename the virtual machine to something else. [5] VirtualBoxRight-click on VMSettingsName (for example: myVM)

If this method was used, please report how well it worked in the Whonix forum.

Start VM and Install Operating System

  1. Start the newly created VM (for example: myVM).
  2. Insert the installation DVD.
  3. Updates don't have to installed while installing the OS. Post-install, apply updates after the network has been set up.
  4. The username is: user. The computer name is: host

Configure network.


No additional network configuration required.


In your Custom-Workstation.

Linux Network Management Software Setup

Linux has many applications able to configure networking. To name a few:

  • ifupdown
  • NetworkManager
  • systemd-networkd

See also

This is therefore dependent on the Linux distribution being used.

Choose which inux Network Management Software your custom Linux operating system is using or use the Generic Instructions.

Generic Instructions

Generally, the required settings are the following:

  • Static networking, meaning not using DHCP.
  • gateway:
    • This is the IP address of Whonix-Gateway.
  • address:
    • The VMs self-assigned own local LAN IP address.
    • Increment last octet of IP address on additional workstations.
  • netmask:


In your Custom-Workstation.

Open file /etc/network/interfaces in an editor with root rights.


This box uses sudoedit for better security.


NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/network/interfaces

You only need to configure eth0:


# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface, leave as it is auto lo iface lo inet loopback auto eth0 #iface eth0 inet dhcp iface eth0 inet static # increment last octet of IP address on additional workstations address netmask #network #broadcast gateway

In your Custom-Workstation.

Open file /etc/resolv.conf in an editor with root rights.


This box uses sudoedit for better security.


NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

and delete everything, then add



Other network management software is currently undocumented.

Download operating system updates.

For Debian based Linux, such as Ubuntu, see Updates.

Configure Tor Browser Settings[edit]

When using Tor Browser, users should prevent Tor over Tor, click on Expand on the right.

Warning: These instructions are new and only for willing testers. Some connectivity issues may be experienced. Please contribute by testing these instructions.

Warning: These instructions prevent Tor over Tor for Tor Browser and system-tor. However, it is possible future updates to system-tor or the Tor Browser (TB) could break this custom configuration and fail to prevent Tor over Tor without the users knowledge. Therefore, users should use caution and thoroughly test prior to each use to ensure complete Tor over Tor prevention. See this forum thread for

These instructions have been tested with Tor Browser v8.0.4. Connectivity might break in later Tor Browser versions, particularly if developers modify how Tor Browser networking is configured. [6]

1. Manually Download and Install Tor Browser.

2. Set multiple environment variables.

Note for Qubes users:

  • If a TemplateBasedVM is used, this change must be applied in the Template. The reason is the file modification happens in the root image.
  • If a StandaloneVM is used, no special action is required. These VMs have their own copy of the whole filesystem.

Open file /etc/environment in an editor with root rights.


This box uses sudoedit for better security.


NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/environment


## Deactivate tor-launcher,
## a Vidalia replacement as browser extension,
## to prevent running Tor over Tor.

## Environment variable to disable the "TorButton" →
## "Open Network Settings..." menu item. It is not useful and confusing to have
## on a workstation, because this is forbidden for security reasons. Tor must be
## configured on the gateway.

## environment variable to skip TorButton control port verification

3. Save and reboot.

From this point, only the browser component of Tor Browser will be started.

4. Verify environment variables.


The output should show.


5. Configure network settings. [7]

Now the file ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js must be created. This presupposes Tor Browser has been installed as per step 1 and that a folder ~/.tb/tor-browser exists. If Tor Browser was installed to another folder, the the path must be adjusted.

Open file ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run. mousepad ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

If you are using a terminal, run. nano ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js


user_pref("extensions.torbutton.use_privoxy", false);
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.socks_host", "");
user_pref("extensions.torbutton.socks_port", 9100);
user_pref("network.proxy.socks", "");
user_pref("network.proxy.socks_port", 9100);
user_pref("extensions.torbutton.custom.socks_host", "");
user_pref("extensions.torbutton.custom.socks_port", 9100);
user_pref("extensions.torlauncher.control_host", "");
user_pref("extensions.torlauncher.control_port", 9052);


Tor is now disabled in Tor Browser.

The process is now complete.

Disable system-tor over Tor[edit]

system-tor must also be disabled to prevent Tor over Tor.

In the terminal, run.

Stop Tor.

sudo systemctl stop tor

Prevent Tor service from restarting after reboot.

sudo systemctl mask tor

The process is now complete.


User must verify that Tor in Tor Browser and system-tor are disabled, click on Expand on the right.

Note for Qubes users: Tor Browser should only be run the AppVM.

1. To start Tor Browser two options exist.

a) In the desktop file manager, move to the ~/.tb/tor-browser/Browser folder: Double-click: start-tor-browser.desktop


b) In the terminal, move to the Tor Browser folder.

cd ~/.tb/tor-browser/Browser

Next, start Tor Browser.


2. Once Tor Browser is started, verify system-tor is disabled.

sudo systemctl status tor@default

The output should be similar the following showing tor@default service is inactive-(dead).

tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
  Drop-In: /lib/systemd/system/tor@default.service.d
   Active: inactive (dead)

3. Next, reconfirm both system-tor and Tor (in Tor Browser) are not running.

Note: Output will show grep tor (command that was just run). This is of no concern. [8]

sudo ps aux | grep tor

Output similar to the following shows system-tor is running. This indicates Tor over Tor prevention is Broken! Users should immediately stop using Tor Browser and seek advise on the Whonix

debian-+   707  0.1  0.9  89320 36400 ?        Ss   21:15   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0



Info Community Support Only!

With Static IP[edit]

Configure Android x86 to use a static IP (based on this

Tested on:

VM settings: [Network] tab -> Adapter 1:

  • Check "Enable Network Adapter"
  • "Attached to:" -> Internal Network
  • "Name:" -> Whonix

1. On Android VM disable Wi-Fi in "Settings" -> "Network & Internet"
2. On Android VM in the Terminal Emulator: ip a make sure that wlan0 is "DOWN"
3. On the Android VM run the following in the Terminal Emulator:


ifconfig wlan0 netmask

ip rule add from all lookup main pref 0

busybox route add default gw

ndc resolver setnetdns 100 localdomain

4. Enable Wi-Fi in "Settings" -> "Network & Internet"
5. Go to Wi-Fi network selection screen and long tap on "VirtWifi" -> "Modify Network" -> tap on "Advanced options"

  • "IP settings" -> Static
  • "IP Address" -
  • "Gateway" -
  • "Network prefix length" -> 18
  • "DNS 1" ->
  • tap "Save"

6. Restart (turn off and then on) Wi-Fi

Static IP routing and DNS should now be working. Note that ping uses ICMP and therefore is unsupported, so open the browser to check your connection.

Do not forget that Whonix-Gateway must be running ;-)

If chrome is crashing (once you type something in the address bar) - use any browser BUT chrome :-)
If you insist on using it - change search engine to anything other than google.

With DHCP[edit]

Android warning Warning:

The following instructions are user contributed, untested by Whonix contributors, and require a DHCP server to be installed on Whonix-Gateway. Whonix contributors have not researched yet, if there is any feature in DHCP servers that would be problematic in the use case of anonymity distributions that use a two machine isolation approach. (Help welcome!) Maybe there is such a feature, maybe not. If it exists, maybe it could be easily disabled, maybe not. What is the attack surface here: once an attacker has compromised Whonix-Workstation, an attempt to exploit the DHCP server on Whonix-Gateway could be tried. Worse, maybe DHCP has a feature such as "please tell me the IP address of your upstream router", and that would be your real external IP address and DHCP would answer. To find out if this is actually the case, one would have to read the whole DHCP Forum If you are interested anyway, please click on expand on the right side.

TODO development: Can't you use a static IP?

VM settings are the same: attach the network adapter to the internal network named Whonix


It is possible to use Libvirt's built-in DHCP functionality to safely configure DHCP without running into the traffic leaks privacy concerns discussed above.

Other Hypervisors[edit]

Install a DHCP server package:

Install package(s) isc-dhcp-server.

A. Update the package lists and upgrade the

sudo apt update && sudo apt full-upgrade

B. Install the isc-dhcp-server package(s).

Using apt command line parameter is in most cases optional.

sudo apt install --no-install-recommends isc-dhcp-server

C. Done.

The procedure of installing package(s) isc-dhcp-server is complete.

Note: It won't start, because it is not configured yet.

Open file /etc/dhcp/dhcpd.conf in an editor with root rights.


This box uses sudoedit for better security.


NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/dhcp/dhcpd.conf

Replace its contents with the following.

option domain-name "whonix";
option domain-name-servers;
subnet netmask {
        option subnet-mask;
        option broadcast-address;
        option routers;
default-lease-time 600;
max-lease-time 7200;



sudo dpkg-reconfigure isc-dhcp-server

and choose eth1 as interface for the DHCP server to run on.

After this the DHCP server on workstation starts properly and the Whonix Gateway is ready to serve a dynamic IP to the Android x86 Whonix-Workstation.

More security[edit]


  • Verify operating system installation CD, compare with sha256 hash or even better verify the gpg signature, if available.
  • Install while the Virtual Machine has no internet connection.
  • Set your username to user.
  • Disable Internet Time Syncing.
  • Set your Time Zone to UTC.
  • Set up a static IP.
  • In case you want to run more than one Whonix-Workstation at the same time, it is recommended reading the Introduction in the Multiple Whonix-Workstation article.
  • Read Basic Security Guide, Advanced Security Guide, Documentation and Design (which is Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific) and try to apply as much from it to Windows as possible.

Even more security[edit]



  • Prevent Transparent Proxy by disabling Whonix-Gateway Transparent Proxy feature. Instead use your Windows Whonix-Workstation behind an Isolating See Stream Isolation for more information and instructions on how to disable the Transparent Proxy feature.
  • Check your host clock out of band (use a watch or atomic clock).
  • Set your host and your Workstation clock to show seconds as well. After booting the Whonix-Windows-Workstation, add a random skew to your clock, maybe +/- 1 to 30 seconds. Optimal values are still under investigation. For reference, see Whonix Secure And Distributed Time Synchronization Mechanism, it is Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific, but most information also applies to Windows. Since we are not aware of a tails_htp alternative for Windows, you have to do it manually.

VM settings[edit]

Select your platform.

Qubes-Whonix users can skip this.

If the Whonix-Custom-Workstation template was downloaded and imported, this section can be skipped. [9]

If a VirtualBox VM was manually created, click on Expand on the right.

Find out the name of the VM you are using.

vboxmanage list vms

Apply these settings. [10]

VBoxManage modifyvm "yourvmname" --synthcpu on
VBoxManage modifyvm "yourvmname" --acpi on
VBoxManage modifyvm "yourvmname" --ioapic on
VBoxManage modifyvm "yourvmname" --rtcuseutc on
VBoxManage setextradata "yourvmname" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" "1"

Disable clipboard sharing. [11]

VBoxManage modifyvm "yourvmname" --clipboard disabled

Disable Drag'n'Drop support. [12]

VBoxManage modifyvm "yourvmname" --draganddrop disabled

Assistance is welcome in verifying that the settings on this wiki page match those we are using in Whonix source code. This ensures that no settings have been forgotten. If interested, click on Expand on the right.

In Whonix source code, examine build-steps.d/2500_create-vbox-vm for the functions general_setup and workstation_specific. Apply any missing settings from build-steps.d/2500_create-vbox-vm. It is also sensible to drop the "sudo -u $USERNAME" setting.

The following settings are not required. They are either recommended earlier on, or done by the gui creation process:

  • --name
  • storagectl
  • storageattach
  • --memory
  • --pae
  • --intnet1
  • --cableconnected
  • --macaddress1
  • --audiocontroller
  • --audio
  • --rtcuseutc

Whonix Packages[edit]

Whonix Debian Packages (, such as for example, are available for installation from source and Whonix apt repository (example Installation (of some) anonymity/security/privacy/usability related ones of them might be interesting for users of Debian and Debian derivatives.

Note, that usage of these package outside of Whonix is untested and there is no contributor that supports this use case.

The current Whonix contributors can only maintain a limited amount of things, has limited resources and focuses on other priorities. If you have developer skills, would you be interested to contribute by co-maintaining one or another package for using them outside of Whonix?

Most security[edit]

Use the default Whonix VMs and build them yourself from source.



  • Potential alternatives:
    • Whonix-Default/Download-Version is already based on Debian bookworm / Stable.

You may be interested to read:


Possible in theory. Unsupported. Discouraged as it would lead to Tor over Tor See Refrain from "Tor over Tor" Scenarios.

Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation[edit]


Read first: Comparison of different Whonix variants!

Note: Whonix-BuildYourselfFromSource-Workstation is of course the same as Whonix-Download-Workstation.


Whonix-Download-Workstation Whonix-Custom-Workstation
Based on Debian bookworm GNU/Linux Any of your choice.
Protection against root exploits (Malware with root rights) on the Workstation [13] Yes [13] Yes [13]
IP/DNS protocol leak protection Full [13] Full [13]
Takes advantage of Entry Guards Yes Yes
Operating System Updates persist once updated Yes Depends if gets installed or is a Live CD.
Hides hardware serials from malicious software Yes [13] Yes [13]
Does not collect (virtual) hardware serials Yes Depends on the custom operating system
Includes Tor Browser Yes Your responsibility to install Tor Browser.

For help using Tor Browser without Tor over Tor (recommended), see:


Includes Firefox privacy patches [15] and Tor Button (=Tor Browser) Yes, because it uses Tor Browser (without Tor/Vidalia). Your responsibility to install Tor Browser.
Prevents Tor over Tor for Tor Browser Yes Your responsibility to prevent Tor over Tor.
Stream isolation to prevent identity correlation through circuit sharing Yes Your responsibility to use Stream Isolation.
Stream isolation in Tor Browser Yes Yes
Encryption Should be applied on host. Should be applied on host.
Cold Boot Attack Protection [13] No No
Secure Distributed Network Time Synchronization Yes, using sdwdate. Your responsibility to install it.
Hides your time zone (set to UTC) Yes Your responsibility to set clock to UTC.
Hides your operating system account name Yes, set to user. Your responsibility to set username to user.
Hides your MAC address from websites Invalid [13] Invalid [13]
Secures your MAC address from local LAN (sometimes ISP) [13] No, planned, see. [13] Your responsibility. [13]
Hides your hosts MAC address from applications Yes [13] Yes [13]
Secure gpg.conf Yes Your responsibility to use a secure gpg.conf.
Privacy enhanced IRC client configuration. Yes Your responsibility to configure the IRC client for enhanced privacy.
Other numerous security/privacy which will not all be listed in this table such as defense against Keystroke Deanonymization or TCP ISN CPU Information Leak Yes Your responsibility to configure these.


The Whonix-Download-Workstation is already preconfigured with all Whonix extra security features.

A Whonix-Custom-Workstation can be made (Your responsibility!) as secure as a Whonix-Download-Workstation. If you simply create [16] a Whonix-Custom-Workstation it has still some security advantages, for example full IP/DNS protocol leak protection, but not all, for example it lacks Secure Distributed Network Time Synchronization. The details are listed in the table above.

Missing Documentation[edit]

You might wonder what "your responsibility" means. Some users are wondering, where the documentation for these aspects can be found. No documentation has been written yet. There is a lack of resources to maintain such instructions. I.e. writing them, and more so, keeping them up to date, testing them, answering support requests, fixing bugs and implementing feature requests. Please contribute. For more detailed explanation, see also Whonix Packages.


  1. It is necessary to set the SET TOR_SKIP_LAUNCH=1 environment variable, then start Tor Browser. The Tor Browser Launcher add-on will detect this, skip the connection wizard and skip launching Tor.
  2. qubes-prefs --set vm-name netvm sys-whonix
  3. Note: It is Whonix, not whonix. Capital W case sensitivity matters.
  4. A newer Whonix-Custom-Workstation only needs to be redistributed if the settings for the VM have changed. For example, these have not changed between Whonix 9 and Whonix 13. Therefore, Whonix-Custom-Workstation version is recent enough to function, because it comes with an empty virtual hard drive (meaning software cannot be outdated).
  5. It is not strictly necessary to rename the VM at this point, but this prevents potential naming conflicts if another Whonix-Custom-Workstation is imported later on.
  6. Once Tor Browser moves to SocksSocket, these instructions will certainly no longer work. References:
  7. Learn more about the network settings.
    • Type: SOCKSv5.
    • IP address:
      • Non-Qubes-Whonix:
      • Qubes-Whonix
        • If Qubes Tools in the custom workstation are:
          • Installed: Find out the IP address of Qubes-Whonix Whonix-Gateway by running qubesdb-read /qubes-gateway inside the custom workstation.
          • Not installed: Find out the IP address of Qubes-Whonix Whonix-Gateway by running qubesdb-read /qubes-ip inside sys-whonix.
        • Unfortunately the IP address will not be static. This means after restarting sys-whonix the connection might break and the IP address setting may need to be manually updated.
    • Port: 9100.
    • Do not change the No Proxies for setting.
    ## The following TOR_SOCKS_HOST and TOR_SOCKS_PORT variables
    ## do not work flawlessly, due to an upstream bug in Tor Button:
    ##    "TOR_SOCKS_HOST, TOR_SOCKS_PORT regression"
  8. grep tor output:
    user 1053 0.0 0.0 12724 948 pts/1 S+ 20:22 0:00 grep tor
  9. The Whonix-Custom-Workstation template already comes with these settings by default.
  10. For further reading on why these settings are beneficial, see build-steps.d/2500_create-vbox-vm in the Whonix source code folder.
  11. This is a precautionary measure.
  12. This is a precautionary measure.
  13. 13.00 13.01 13.02 13.03 13.04 13.05 13.06 13.07 13.08 13.09 13.10 13.11 13.12 13.13 13.14 Same footnote(s) as in Comparison of Whonix, Tails, Tor Browser, Qubes OS TorVM and Corridor and Tor Browser.
  14. For explanation of the about:tor "Something went wrong" error, please see this forum
  16. Install or use a Live CD/DVD into Whonix-Workstation.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!