From Whonix



Status of Support for Running Whonix ™ in VMware[edit]

Ambox warning pn.svg.png VMware warning:

Unofficial Supported VMware Products[edit]

VMware Workstation was tested. It is currently in a it works state, but rarely tested.

VMware ESX(i) (up to version 6.0) is tested and it works.

VMware Server or other products are untested, but most likely also in a it works state.

VMware Player is tested by an anonymous user in the old forum [1] and works as well. This is unconfirmed. Setting up the internal network can sometimes be tricky, this article [archive] contains instructions how to setup.

About VMware[edit]

Maybe I am spoiled by Free Software (see [2] for definition). VMware is not very open, but in my opinion openness is important for security. I haven't found out how to submit a bug report. It looks like only buying customers may submit bug reports and there is only community support for products that are free in price. There is also no list with open bugs. Without a list of known bugs, I am unable to determine if VMware is suitable for Whonix ™, i.e. does not compromise the user's anonymity. Since bug reports remained entirely unanswered, it is also demotivating to investigate, contribute and submit further report bugs.


Do not forget to read the Documentation.

VMware Workstation[edit]

Newer third party video:
How to Install Whonix ™ 13 for Anonymous Web Browsing + Review on VMware Workstation [HD [archive]]

Existing instructions:

Importing the appliances:

  • You can either import the Download version or manually build from source.
  • Import Whonix-Gateway.ova and Whonix-Workstation.ova.
  • Due to a VMware upstream bug, you may have to press retry when importing the .ova images (to relax the importing requirements).

Setting up the network:

  • Connect the virtual network adapter to custom. This is important! No host-only, no NAT, no bridging! I used VMnet9 virtual network, as it wasn't used by anything else.
  • Adjust the adapters with the following settings:
    • Whonix-Gateway ™ set network adapter 2 to custom, /dev/vmnet8 (or on Windows probably: vmnet9).
    • Whonix-Workstation ™ set network adapter 1 to custom, /dev/vmnet8 (or on Windows probably: vmnet9).
  • Note: if vmnetX, such as for example vmnet8 is already used by the NAT adapter, do not re-use it for the custom adapter. In that case, use something else, such as vmnet9.


  • Due to a VMware upstream bug, VM time is not set to UTC. Set VM time to UTC, otherwise Tor might not be able to connect.

VMware ESX(i)[edit]

Importing the .ova templates will simply not work. ESX(i) will not recognize the hardware family. However, there are workarounds, either extracting the .ova and editing the .ovf files or using VMware Workstation.

Importing virtual disk files[edit]

One way Whonix ™ can be made to run on ESXi is by extracting the .vmdk (VM virtual disk) files. An example can be found here[3].

Importing the appliances:

  • Create two virtual machines in ESX(i) with default settings, do not create a virtual disk for them.
  • Import both ova templates in VirtualBox, yes, VirtualBox.
  • Once they are imported, grab the .vmdk disk files from their physical location on your disk (VirtualBox has extracted them from the .ova)
  • Upload both disk files to the datastore that you are using in ESX(i)
  • Attach the disk files to the appropriate virtual machines.

Set the networking:

  • Make sure the Whonix-Gateway ™ has two network adapters configured as a virtual machine, the Whonix-Workstation ™ only one.
  • Attach the first Whonix-Gateway ™ network adapter to your outside network vSwitch (this can be WAN, LAN, DMZ, ...)
  • Attach the second Whonix-Gateway ™ network adapter to an isolated vSwitch. Preferably create a new vSwitch, which will be used only by Whonix-Gateway ™ and Whonix-Workstation ™. Attach no physical NICs to this vSwitch! Make sure you create a new vSwitch, not simply a new portgroup. Promiscuous mode within a vSwitch might screw you over.
  • Attach the Whonix-Workstation ™ network adapter to the isolated vSwitch from previous step.

Once the machines boot, everything should come online nicely. Double check the vSwitch logic in your setup!

Unfinished: Alternate Workflow[edit]

If you prefer building from source, or the previous methods did not work, here is a method that was tested with, & ESXi 6.7.

Build Images[edit]

Using a 64bit linux machine, build both gw & ws whonix flavors target raw

Example build phrase:

 sudo ./build_whonix --flavor whonix-gateway-cli --vmsize 20G --target raw --build etc 

Use qemu-img to convert the raw images to vmdk


 qemu-img convert image.raw image.vmdk etc etc 

Move or copy the .vmdk disks to a data store on ESXi



Create VMs[edit]

  • From ESXi, create a new virtual switch for internal traffic. IMPORTANT: Delete the uplink by clicking the x! Create a new port group for internal traffic using the virtual switch you just created.
  • Create a new virtual machine named Whonix-Workstation ™: Guest linux Debian 9 64bit, one network interface (change network to internal switch/portgroup), delete disk, add existing disk, select vmdk created for workstation, expand dropdown and select IDE controller. Boot the machine.
  • Create a new virtual machine named Whonix-Gateway ™: Guest linux Debian 9 64bit, two network interfaces (leave first one default, add second and change to internal switch. Delete disk, add existing disk, select .vmdk created for gateway, expand dropdown and select IDE controller. Boot the machine. Note: This machine will have no WAN access unless one of the following actions is taken: addition of static route or modification of eth0 to DHCP.

Using VMWare Workstation as intermediary[edit]

If VMware Workstation is available, another option that works without manual extraction and repacking is to import both VMs to VMware Workstation, check that all settings are properly applied (as per the guide above) and then either export the VMs to ovf and import them on the ESXi server or, if the server is connected to the Workstation instance, migrate via VMware Workstation. This generally works out of the box, although the networking should be reviewed and isolated as per the guide above.

Harden VMware products[edit]

See also Security Guide and Advanced_Security_Guide.


  • Remove printer
  • Disable 3D acceleration
  • Remove CD/DVD drive
  • Remove Floppy drive
  • Remove USB controller (at least disable automatically connect new devices)
  • Remove sound card
  • Do not install VMware Tools or open-vm-tools (comfort vs. security). VMware Tools leak information towards the Host OS or Hypervisor.

Additional Security[edit]

One might wish to access the Whonix-Workstation ™ through SSH. Therefore you could add a second network adapter with Host-Only Networking [archive]. Beware about this adapter! This can cause information leakage!

If you install the proper routing or proxy software on your host computer, you can establish
a connection between the host virtual Ethernet adapter and a physical network adapter on the
host computer. This allows you, for example, to connect the virtual machine to a Token Ring
or other non-Ethernet network.

On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only
networking in combination with the Internet connection sharing feature in Windows to allow a
virtual machine to use the host's dial-up networking adapter or other connection to the
Internet. See your Windows documentation for details on configuring Internet connection

VMware upstream bug reports[edit]


(Windows 8 specific forum help thread:
No Tor/Internet connection with Windows 8 on VMware - Whonix-Gateway ™.)

(Black screen forum help thread:


text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Do you wonder why Whonix ™ will always be free? Check out Why Whonix ™ is Freedom Software.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.