Status of Support for Running Whonix in VMware
- Rarely (officially) tested
- It works, but highly experimental
- VMware is closed source, therefore security through obscurity.
- Recommended against
- Recommended to use a supported platform
Whonix needs a contributor, maintainer, to support Whonix in VMware!
What does "maintainer" mean in this context?
- Someone who runs those Test, LeakTests and tests from Protocol-Leak-Protection_and_Fingerprinting-Protection.
- Someone who otherwise looks around if everything is sane.
- User support, answering questions in the forums.
- Someone who creates, signs, uploads .ova images for VMware.
- Future development.
- Describes best security practices
Unofficial Supported VMware Products
VMware Workstation was tested. It's currently in a it works state, but rarely tested.
VMware ESX(i) (up to version 6.0) is tested and it works.
VMware Server or other products are untested, but most likely also in a it works state.
VMware Player is tested by an anonymous user in the old forum  and works as well. This is unconfirmed. Setting up the internal network can sometimes be tricky, this article contains instructions how to setup.
Maybe I am spoiled by Free Software (see  for definition). VMware is not very open, but in my opinion openness is important for security. I haven't found out how to submit a bug report. It looks like only buying customers may submit bug reports and there is only community support for products that are free in price. There is also no list with open bugs. Without a list of known bugs, I am unable to determine if VMware is suitable for Whonix, i.e. does not compromise the user's anonymity. Since bug reports remained entirely unanswered, it's also demotivating to investigate, contribute and submit further report bugs.
Do not forget to read the Documentation.
Newer third party video:
How to Install Whonix 13 for Anonymous Web Browsing + Review on VMware Workstation [HD]
Importing the appliances:
- You can either import the Download version or manually build from source.
- Import Whonix-Gateway.ova and Whonix-Workstation.ova.
- Due to a VMware upstream bug, you may have to press retry when importing the .ova images (to relax the importing requirements).
Setting up the network:
- Connect the virtual network adapter to custom. This is important! No host-only, no NAT, no bridging! I used VMnet9 virtual network, as it wasn't used by anything else.
- Adjust the adapters with the following settings:
- Whonix-Gateway set network adapter 2 to custom, /dev/vmnet8 (or on Windows probably: vmnet9).
- Whonix-Workstation set network adapter 1 to custom, /dev/vmnet8 (or on Windows probably: vmnet9).
- Note: if vmnetX, such as for example vmnet8 is already used by the NAT adapter, do not re-use it for the custom adapter. In that case, use something else, such as vmnet9.
- Due to a VMware upstream bug, VM time is not set to UTC. Set VM time to UTC, otherwise Tor might not be able to connect.
Importing the .ova templates will simply not work. ESX(i) will not recognize the hardware family. However, there is a workaround - extracting .ova and editing .ovf. An example can be found here. Another way is to use extracted .vmdk (VM virtual disk).
Importing the appliances:
- Create two virtual machines in ESX(i) with default settings, do not create a virtual disk for them.
- Import both ova templates in VirtualBox, yes, VirtualBox.
- Once they are imported, grab the .vmdk disk files from their physical location on your disk (VirtualBox has extracted them from the .ova)
- Upload both disk files to the datastore that you are using in ESX(i)
- Attach the disk files to the appropriate virtual machines.
Set the networking:
- Make sure the Whonix-Gateway has two network adapters configured as a virtual machine, the Whonix-Workstation only one.
- Attach the first Whonix-Gateway network adapter to your outside network vSwitch (this can be WAN, LAN, DMZ, ...)
- Attach the second Whonix-Gateway network adapter to an isolated vSwitch. Preferably create a new vSwitch, which will be used only by Whonix-Gateway and Whonix-Workstation. Attach no physical NICs to this vSwitch! Make sure you create a new vSwitch, not simply a new portgroup. Promiscuous mode within a vSwitch might screw you over.
- Attach the Whonix-Workstation network adapter to the isolated vSwitch from previous step.
Once the machines boot, everything should come online nicely. Double check the vSwitch logic in your setup!
Harden VMware products
- Remove printer
- Disable 3D acceleration
- Remove CD/DVD drive
- Remove Floppy drive
- Remove USB controller (at least disable automatically connect new devices)
- Remove sound card
- Do not install VMware Tools or open-vm-tools (comfort vs. security). VMware Tools leak information towards the Host OS or Hypervisor.
One might wish to access the Whonix-Workstation through SSH. Therefore you could add a second network adapter with Host-Only Networking. Beware about this adapter! This can cause information leakage!
If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network. On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing.
VMware upstream bug reports
- VMware bug report: failed to import .ova image
- VMware bug report: .ova image internal network becomes bridged network
- VirtualBox bug report Ticket #11160: .ova image created with VirtualBox, failed to import in VMware
(Windows 8 specific forum help thread:
No Tor/Internet connection with Windows 8 on VMware - Whonix Gateway.)
(Black screen forum help thread:
Impressum | Datenschutz | Haftungsausschluss
Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.