UniStation - A Tor TransparentProxy with only One Machine
Whonix ™ needs at least two systems: one running Tor (Whonix-Gateway) and one running the clients that are routed through Tor (Whonix-Workstation ™). This ensures the highest possible security and isolation. It can be implemented using different strategies: two VMs (Gateway VM and Workstation VM) or bare metal.
A different approach is to run Tor and applications all on the same machine. This can be either a VM or bare metal host.
This page guides you through all the steps required to set up a UniStation: a machine which routes all traffic through the Tor anonymity network. This is an implementation of a Tor TransparentProxy.
- Only one machine required.
- Lower system requirements.
- More difficult to install.
- User might have to set the network interface setting.
- If using VMs: Guest VM can see MAC address of host?
- Less secure than Whonix ™ with Whonix-Gateway and Whonix-Workstation ™.
- This is not as well polished, developed and thought through as Whonix ™ yet.
- Enhancements that come with Whonix-Workstation ™ such as:
- have not been considered yet.
- This will potentially not be maintained as well as Whonix ™.
Install gnupg. 
Update: Packages anon-gw-dns-conf, ipv4-forward-disable, ipv6-disable are deprecated (merged into anon-gw-anonymizer-config) in Whonix ™ developers repository (upcoming stable) but these packages are so trivial that the 1 config file per package can be manually set up.
Find out your network interface name. You can learn about what interfaces you have by running.
You might have to change #EXT_IF="eth0" by removing the hash # in front of it and by setting it to the name of your network interface, such as wlan0. I.e. the full line might look like this: EXT_IF="wlan0". Include it with the text to be pasted below.
If you want port 22 to be open for incoming SSH, also paste:
Qubes only. Does not hurt otherwise.
Qubes Debian based VMs would require further /etc/whonix_firewall.d/50_user.conf modifications. See footnote.
torsocks config not required. uwt sets that up for us.
Open Tor configuration file /etc/tor/torrc with root rights.
Check if there is something you need in /etc/apt/sources.list out of the way because /etc/apt/sources.list.d/debian.list by Kicksecure ™ replaces it.
Update as per usual. See also Operating System Software and Updates.
Transparent DNS Functional
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: torproject.org
Address: 18.104.22.168
** server can't find torproject.org: NXDOMAIN
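The following is an added example, not part of the original page or of Whonix ™: a small check that compares a captured nslookup transcript with the expected output above (resolver at 127.0.0.1, at least one answer address), tolerating the trailing NXDOMAIN line. The function names and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Whonix code).
# Reads an nslookup transcript on stdin. Exit status:
#   0 = resolver is 127.0.0.1 and at least one answer address was returned
#   1 = resolver is missing or is not 127.0.0.1 as in the expected output
#   2 = resolver is 127.0.0.1 but no answer address came back
check_transparent_dns() {
    awk '
        # The first "Server:" line names the resolver nslookup queried.
        /^Server:/ && server == "" { server = $2 }
        # Lines after this marker are answer data, not resolver data.
        /^Non-authoritative answer:/ { in_answer = 1; next }
        in_answer && /^Address:/ { answers++ }
        END {
            if (server != "127.0.0.1") exit 1
            if (answers == 0) exit 2
            exit 0
        }
    '
}

# Constructed sample modelled on the expected output (192.0.2.10 is a
# documentation address). The last line mirrors the NXDOMAIN seen above.
sample_ok() {
    printf '%s\n' \
        'Server:         127.0.0.1' \
        'Address:        127.0.0.1#53' \
        'Non-authoritative answer:' \
        'Name:   torproject.org' \
        'Address: 192.0.2.10' \
        "** server can't find torproject.org: NXDOMAIN"
}

# Constructed sample: resolver differs from the expected 127.0.0.1.
sample_other_resolver() {
    printf '%s\n' \
        'Server:         192.168.1.1' \
        'Address:        192.168.1.1#53' \
        'Non-authoritative answer:' \
        'Name:   torproject.org' \
        'Address: 192.0.2.10'
}

if sample_ok | check_transparent_dns; then
    echo "transcript matches the expected transparent DNS output"
fi
```

On a live system the same function can be fed directly: `nslookup torproject.org | check_transparent_dns`.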
Transparent DNS Functional
--2019-12-10 12:25:43-- http://torproject.org/
Resolving torproject.org (torproject.org)... 22.214.171.124
Connecting to torproject.org (torproject.org)|126.96.36.199|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.torproject.org/ [following]
--2019-12-10 12:25:45-- https://www.torproject.org/
Resolving www.torproject.org (www.torproject.org)... 188.8.131.52
Connecting to www.torproject.org (www.torproject.org)|184.108.40.206|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19623 (19K) [text/html]
Saving to: ‘index.html’
index.html 100%[===========================================>] 19.16K 62.3KB/s in 0.3s
2019-12-10 12:25:47 (62.3 KB/s) - ‘index.html’ saved [19623/19623]
Depending on network configuration, perhaps /etc/whonix_firewall.d/50_user.conf needs to be appended.
-is required to set the correct paths to
- Other methods are possible.
- Usability. Otherwise after installation is complete, user might not be able to login. Needs further testing if still required. Can be avoided for remote servers.
- Required for Debian netinst "minimal" (no default system tools).
See Secure Downloads to understand why curl and the parameters --tlsv1.3 --proto =https are used instead of
apt-get-noninteractive to avoid asking this question.
Setting up anon-base-files (3:4.6-1) ...
Configuration file '/etc/machine-id'
==> File on system created by you or by a script.
==> File also in package provided by package contributor.
What would you like to do about it ? Your options are:
Y or I : install the package contributor's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** machine-id (Y/I/N/O/D/Z) [default=N] ? i
This was required in Qubes to make Whonix-Gateways Own Traffic Transparent Proxy work. In that case, append to /etc/whonix_firewall.d/50_user.conf.
NON_TOR_GATEWAY="\
127.0.0.0-127.0.0.24 \
10.137.0.0-10.138.255.255 \
"
DisableNetwork 0 is required to make sdwdate work because the connectivity check looks at it.