From Whonix

Voice over IP


Anonymizing Voice over IP is somewhat difficult, but possible. The difficulty is not so much hiding the IP address, which is easy with Whonix ™; it is voice recognition and the slow speed (latency) of the Tor network. Pseudonymous use or hidden voice communication with known contacts depends on your threat model.

For people behind Tor who know each other, it is possible to hide the fact that they are talking to each other from their ISP, government, exit relays, man-in-the-middle attackers, etc. That wouldn't be anonymous, because they know each other.

You can't anonymously use your own voice and whistle-blow over VoIP. Voice gets recorded and voice recognition works well. When you later have a phone call over a non-anonymous connection (which almost everyone has had at least once in their life, so everyone has supplied a sample of their voice and name), they can correlate the two identities. You would have to use a voice scrambler, and how well that works is a whole new field for research, which is outside the scope of Whonix ™.

You could type and let an artificial voice speak (like in anonymous videos); that could work. But is that the point? You might as well write an e-mail then.

Voice chatting with other anonymous people (the way you can talk in a forum) is also recommended against. You don't know who you are talking to. That voice could also be correlated later (putting aside a voice scrambler or an artificial voice, which wouldn't make sense).

If you are not calling from .onion to .onion (which delegates encryption to Tor), you should use a VoIP client supporting an end-to-end encryption protocol, such as ZRTP[1]. ZRTP end-to-end encryption cannot protect VBR streams: when using ZRTP + SRTP for encryption on any stretch that goes over the clearnet, be sure to never select a VBR (variable bitrate) codec, as the pauses in a conversation produce fingerprints in the encrypted stream that allow the adversary to infer what words are being said.[2] [3]
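One way to confirm that a call really uses a constant-bitrate codec, as an added example that is not part of the original page: SRTP's default counter-mode encryption adds no padding, so packet lengths on the wire follow the codec's frame sizes, and one direction of a CBR call should show a single dominant length. The input format (one packet length per line, exported from your own capture of one direction of one call), the function names and the 95% threshold are assumptions.

```shell
#!/bin/sh
# Added example, not Whonix code.
# rtp_size_profile [FILE|-] [MIN_SHARE]
#   FILE: one packet length in bytes per line (one direction of one call).
#   Prints the verdict, the number of distinct lengths, the most common
#   length and its share of all packets in percent.
#   Returns 0 for a constant-size stream, 1 for a variable one, 2 if empty.
rtp_size_profile() {
  awk -v min="${2:-95}" '
    /^[0-9]+$/ { n++; count[$1]++ }
    END {
      if (n == 0) { print "empty"; exit 2 }
      for (len in count) {
        distinct++
        if (count[len] > best) { best = count[len]; mode = len }
      }
      share = int(100 * best / n)
      verdict = (share >= min) ? "constant" : "variable"
      printf "%s distinct=%d mode=%d share=%d\n", verdict, distinct, mode, share
      exit (verdict == "constant" ? 0 : 1)
    }' "${1:--}"
}

# Constructed samples (not captured traffic): a fixed-size stream with two
# odd packets, and a stream whose packet sizes drop during pauses in speech.
demo_constant() {
  awk 'BEGIN { for (i = 1; i <= 200; i++) print ((i % 100 == 0) ? 96 : 182) }'
}
demo_variable() {
  awk 'BEGIN { for (i = 1; i <= 200; i++)
                 print ((i % 50 < 15) ? 34 : 60 + (i * 7) % 40) }'
}

# With arguments: profile the given file. Without: profile both samples.
if [ "$#" -gt 0 ]; then
  rtp_size_profile "$@"
else
  demo_constant | rtp_size_profile
  demo_variable | rtp_size_profile || true
fi
```

A "variable" verdict means the codec setting did not take effect for that call and pauses remain visible in the encrypted stream.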

With ZRTP encryption make sure you compare authentication strings with the other party during the initial call. If they don't match then do not continue the call as it indicates an active MITM attack.

Some good libre software soft-phone programs are Linphone and Jitsi. However, communicating directly over Tor with a VoIP server is not possible at the moment, as SIP-based clients all use UDP. You can still use a workaround, but there are limitations. Please don't expect phone calls over Tor to be as convenient as over ordinary networks. This is because even when UDP packets are tunneled, the restrictions of the underlying TCP protocol still apply. Push to talk will always work, however, which is more like using a walkie-talkie[4] (push-to-talk[5]). Useful advice has been given by the Guardian Project: they recommend using prowords[6]. Acknowledge the end of transmission (your speech, your sentence, what you just said) with the word "Roger". Once your calling partner hears "Roger", they know it is safe to answer, and they also terminate the answer with "Roger", or with "Out" when leaving the conversation.

Other than the things said above, no additional anonymity/security problems are expected. It is less tested, so as for performance and voice quality, just try it, see for yourself and please leave feedback.

VoIP Servers and Privacy

VoIP servers can still see call signalling metadata even with end-to-end encryption. However, if the VoIP IDs are anonymously registered (i.e. no personal data is required for signing up), everyone only and always connects over Tor (has never connected and never will connect without Tor), all calls are encrypted and you don't talk to strangers, there is probably very little a malicious server could log or do. [7]

VoIP Solutions



Tox [8] [9] looks like a promising solution for secure, encrypted communications. The official client implementation is based on the Toxcore protocol library, which is very feature-rich and has a variety of functions besides VoIP. By default, Tox does not attempt to cloak your IP address from authorized contacts. However, Tox connections can be tunneled through Tor, allowing communication with others even if they are not anonymous. [10] Desktop and mobile client versions have been developed for every major OS platform. [11]

In the Tox design, users are assigned a public and private key, with direct connections being established in a peer-to-peer network. Users can message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl crypto library, via libsodium. [12] [13] Tox helps to protect user privacy by: [14]

  • Removing the need to rely on central authorities to provide messenger services
  • Enforcing end-to-end encryption with perfect forward secrecy as the default and only mode of operation for all messages
  • Making your identity impossible to forge without the possession of your personal private key, which never leaves your computer

As of late-2018, the following secure (encrypted) features have been implemented: [15]

  • Voice and video calls.
  • Instant messaging.
  • Desktop screen sharing / streaming.
  • File sharing.
  • Typing indicators.
  • Message read-receipts.
  • Profile encryption.
  • Group messaging, voice and video conferencing.

Additional features can be implemented by any client, so long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client. [16]


Info: Non-Qubes-Whonix only.

The following instructions will install the "qTox" graphical user client. As qTox is not currently available as a stand-alone Debian package, users have three choices in late-2018:

  • Build the package from source (difficult).
  • Rely on an unsigned, self-contained AppImage downloaded from the Tox homepage (insecure).
  • Install Flatpak from stretch-backports and then install Tox from the Flathub repository (easiest).

Flatpak Method

Info: .flatpakrepo files generally include the base64-encoded version of the GPG key that was used to sign the repository.

It is recommended to create a separate Whonix-Workstation ™ before installing additional software. Tox is also alpha software which has not been formally audited, therefore it is less trusted.

Install Flatpak

Package flatpak can be installed from Debian backports. This is non-ideal, see footnote. [17]

1. Boot Whonix-Workstation ™ (whonix-ws-15) TemplateVM.

2. Add the current Debian stable backports codename buster-backports to Debian apt sources.

Note: this applies to Whonix. Later Whonix versions may use a codename different from buster.

In Whonix-Workstation ™ (whonix-ws-15) TemplateVM, run.

sudo su -c "echo -e 'deb buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

Alternatively, users who like Onionizing Repositories can set the .onion mirror.

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

3. Update the package lists.

sudo apt-get update

4. Install the selected software.

sudo apt-get -t buster-backports install flatpak

The procedure is now complete.

5. Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian buster to bullseye. [18] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.list

Add the Flathub Repository and Install qTox

Flathub is a common place to source Flatpak applications. To enable it, run.

flatpak remote-add --if-not-exists flathub

Next, restart Whonix-Workstation ™ to allow flatpak to finish setting up.

To install qTox from flathub, open a terminal (Konsole) and run. [19]

flatpak install flathub io.github.qtox.qTox

Start qTox

To launch qTox, run.

flatpak run io.github.qtox.qTox

TODO: Add instructions on how to use Tox with Stream Isolation without Tor over Tor.
TODO: Add instructions for Qubes-Whonix ™.




Mumble

  • Looks a bit like TeamSpeak without its disadvantages.
  • It is Open Source.
  • Supports client-to-server encryption.[21]
  • Supports push to talk.[22]
  • You can (and must) force TCP mode[23], because the Tor network does not support UDP yet.
  • One person has to act as server.
  • Everyone else can act as client.
  • If the server admin runs the server on their local machine and also wants to connect to it, the admin should connect to the server locally rather than through the onion service domain, to have a faster connection.
  • For group chats you have to consider that there is no end-to-end encryption, and once the server has been compromised, conversations are no longer private. However, if two people use mumble just to talk to each other, this doesn't matter and you could safely do that with mumble.
  • When one of the two communication partners hosts a mumble server as a Tor onion service and the other one connects over Tor, encryption is already provided by Tor. There are different ways to achieve security. In this case, setting a server password (explained below) should be sufficient. Mumble's own encryption is not required. Alternatively, feel free to learn about mumble certificates for defense in depth, channel passwords instead of a server password and so on.

Mumble Server Instructions

If you want to read an introduction to onion services and learn about onion service security, see Onion Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Onion Services basics), see Onion Services.

On Whonix-Gateway ™.

Info: From Whonix 14 onwards, all user unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf and not anywhere else. Note that Whonix will not modify /usr/local/etc/torrc.d/50_user.conf once it is created, therefore the user is responsible for adding or removing specific configurations in this file.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf


Add the following.

HiddenServiceDir /var/lib/tor/mumble_service/
HiddenServicePort 64738
HiddenServiceVersion 3


Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix') → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

To get your Tor onion service URL, read the hostname file in the HiddenServiceDir configured above.

sudo cat /var/lib/tor/mumble_service/hostname

Reminder: Always back up the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway ™, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.


Qubes-Whonix ™

Use the usual Qubes tools. The following example shows how to copy the onion service key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm. For the version 3 onion service configured above, the key is /var/lib/tor/mumble_service/hs_ed25519_secret_key.

sudo qvm-copy-to-vm vault /var/lib/tor/mumble_service/hs_ed25519_secret_key

The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.


Consider moving the file from the QubesIncoming folder to another preferred location.

Qubes VM Manager can be used to conveniently back up the vault and/or other VMs. Please refer to the Qubes backups documentation for the necessary steps.

Non-Qubes-Whonix ™

TODO document
Also see: File Transfer.

On Whonix-Workstation ™.

Modify Whonix-Workstation ™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM.

Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Open /rw/config/whonix_firewall.d/50_user.conf with root rights.

lxsudo mousepad /rw/config/whonix_firewall.d/50_user.conf

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → Settings → User Firewall Settings

If using Non-Qubes-Whonix ™, complete this step.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

sudo nano /etc/whonix_firewall.d/50_user.conf


Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_default.conf

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using Non-Qubes-Whonix ™, complete this step.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_default.conf




Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run.

sudo whonix_firewall

Update package lists.

sudo apt-get update

Install the mumble-server package.

sudo apt-get install mumble-server

Configure the server.

sudo dpkg-reconfigure mumble-server

The following questions will be asked.

  • Autostart, better yes. Otherwise you would have to "sudo service mumble-server start", which didn't work for me.
  • Higher priority? Yes.
  • Password: choose a secure password.

There is also an upstream guide for Murmur, i.e. the mumble server. The upstream guide does not consider onion services; that part is already described here. For any other questions regarding the server setup, you can also refer to the upstream documentation.

Set a server password.

Open /etc/mumble-server.ini in an editor with root rights.

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples. Other tools could achieve the same goal too. If these example tools do not work for you or if you are not using Whonix, see the alternatives below.

The easiest option is to install the example tools lxsudo and mousepad so you can keep copying and pasting these instructions.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the lxsudo and mousepad packages.

sudo apt-get install --no-install-recommends lxsudo mousepad

The procedure is complete.

Alternatively you could also use other tools which may already be installed by default.

gksudo gedit /etc/mumble-server.ini

sudoedit /etc/mumble-server.ini

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /etc/mumble-server.ini

If you are using a terminal-only Whonix, run.

sudo nano /etc/mumble-server.ini

Search for "serverpassword=" and fill it in.


Restart mumble-server.

sudo service mumble-server restart
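The server setup above touches files on two VMs, so a sanity check for each file is useful before handing out the address. The following is an added example, not Whonix code: the script name, the function names and the placeholder address 192.0.2.10 are assumptions, and it assumes the HiddenServicePort line is meant to name the Whonix-Workstation ™ as its target, since Tor forwards to 127.0.0.1 on the machine running Tor when no target is given.

```shell
#!/bin/sh
# Added example, not Whonix code. Run each check on the VM holding the file.
MUMBLE_PORT=64738

# Whonix-Gateway: the Mumble port must sit under a HiddenServiceDir and must
# name a non-loopback target (assumption: the Workstation's address:port).
check_torrc() {
  awk -v port="$MUMBLE_PORT" '
    { sub(/#.*/, "") }                               # strip comments
    $1 == "HiddenServiceDir" { dir = $2 }
    $1 == "HiddenServicePort" && $2 == port {
      seen = 1
      if (dir == "") why = "HiddenServicePort has no HiddenServiceDir above it"
      else if ($3 == "" || $3 ~ /^[0-9]+$/ || $3 ~ /^127\./)
        why = "target is missing or loopback, Tor would forward to the Gateway itself"
      else ok = dir " -> " $3
    }
    END {
      if (!seen) why = "no HiddenServicePort " port
      if (why != "") { print "FAIL: " why; exit 1 }
      print "OK: " ok
    }' "$1"
}

# Whonix-Workstation: serverpassword= must be non-empty and port=, if set,
# must match the onion service port. The password itself is never printed.
check_mumble_ini() {
  awk -v port="$MUMBLE_PORT" '
    /^[ \t]*[;#]/ || !index($0, "=") { next }        # comments, section headers
    {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
      val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
    }
    key == "serverpassword" { pw = val }
    key == "port"           { p = val }
    END {
      if (pw == "") { print "FAIL: serverpassword is empty"; exit 1 }
      if (p != "" && p != port) { print "FAIL: port is " p ", expected " port; exit 1 }
      print "OK: server password set, port " port
    }' "$1"
}

# Whonix-Gateway: with HiddenServiceVersion 3 the hostname file holds a
# 56-character base32 name followed by .onion.
check_onion_hostname() {
  if grep -Eqx '[a-z2-7]{56}\.onion' "$1"; then
    echo "OK: v3 onion address"
  else
    echo "FAIL: not a 56-character v3 .onion hostname"; return 1
  fi
}

# Usage: sh check_mumble_onion.sh torrc|ini|hostname FILE   (or: demo)
case "${1:-}" in
  torrc)    check_torrc "$2" ;;
  ini)      check_mumble_ini "$2" ;;
  hostname) check_onion_hostname "$2" ;;
  demo)     # constructed sample; 192.0.2.10 is a placeholder address
            printf 'HiddenServiceDir /var/lib/tor/mumble_service/\nHiddenServicePort 64738 192.0.2.10:64738\n' | check_torrc - ;;
esac
```

The hostname file is readable only with root permission, so run that check with sudo.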

Mumble Client

Update package lists.

sudo apt-get update

Install mumble.

sudo apt-get install mumble


Start mumble.

Start menu → Applications → Internet → Voice Chat

Configure mumble to your liking.

Enable Force TCP mode.

Go to Configure → Check "Advanced" → Network → Check "Force TCP mode" → Ok

Add Server

Add a new server:

Server → Connect → Add new →

    Label   : anything, can be same as .onion domain name
    Address : your .onion domain name or,
              if the mumble server is running in your own
              Whonix-Workstation ™, the server's local address
    Port    : 64738
    Username: anything

You can now connect to the server.

Technical Comments

[24] Implementing privacy-critical software in a browser is seen as a bad and dangerous idea by security-conscious Free Software developers. Browser security holes and the lack of adequate process isolation could lead to theft of private encryption keys by malicious code running in the browser.


USB Webcam Passthrough

The firmware of USB devices could be flashed by malware and cross infect the host.

TOR Fone

The developer of TOR Fone (a fork of SpeakFreely) recommends against[25] using TOR Fone. Quote: "I did not think this project as a finished product for practical use." Overall, the project got a pretty bad review in the mailing list thread.


Does this mean that, for example, my IP and location are safe when using Skype?

Yes, IP and location are safe. Skype has been tested in Whonix ™ and "works" quite well (does it? It seems to have stopped working in 2013; see [26]), but it is still recommended against. Some further comments you should be aware of:

Those are not Whonix ™ or Tor issues, those are Skype issues. Consider Skype usage pseudonymous rather than anonymous. Skype is closed source, and given Skype's history (reading the BIOS etc.; just research it), it is very likely that they link all your account names inside Whonix-Workstation ™ to the same pseudonym.

Also, obviously, if you log into an account which you have ever used without Tor, consider the account non-anonymous. You really should assume that they have logs and link your Tor and non-Tor use together.

Security doesn't depend on your local security and key management, but on a third party, the Skype authority. Consider the Skype encryption broken by the Skype authority.

Another obvious thing: if you chat with people who have not created their account over Tor and who have not always connected over Tor, it is also not so hard to guess who you are. Remember, you are not in control of Skype's encryption keys and Skype is not Open Source, thus do not rely on Skype's encryption.

Voice recognition software has also become very sophisticated. Since you should be unsure whether the Skype encryption is broken or not, voice recognition software could be used to find out who you are.

Also read Do not mix Modes of Anonymity!

Skype is nonfree software. It is advised to Avoid nonfree software such as Skype.

In conclusion, Skype usage does not leak IP/location, but is discouraged anyway, unless you want to use it for circumvention only, without wanting to be anonymous or pseudonymous.

What's the point in using Skype if you and all your chat partners are also willing to create and use their accounts only over Tor? You are advised to use Skype alternatives.

If you are wondering, why Skype works at all in Whonix ™ over Tor, since Tor only supports TCP, see technical details: [27]


There is a Comparison of VoIP software on Wikipedia. The client should be Open Source, and if you are not calling from .onion to .onion (and letting Tor handle encryption), it should also support voice encryption such as ZRTP.


External Resources


  7. Apart from trying to exploit random Tor users.
  13. Tox employs curve25519 for its key exchanges, xsalsa20 for symmetric encryption, and poly1305 for MACs.
  15. Depending on the mobile / desktop client in use.
  17. Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk, Non-Qubes-Whonix ™ users might want to consider using Multiple Whonix-Workstation ™ and Qubes-Whonix ™ users might want to consider using Multiple Qubes-Whonix ™ TemplateVMs or Software Installation in a TemplateBasedVM.
  18. Most often this step applies before attempting major Whonix upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
  24. Mumble's (and mumble-server's) connections go through Tor's TransPort. This shouldn't matter, because connections to onion services, and onion services themselves, are stream isolated either way. See Stream Isolation for more information on TransPort, SocksPort, Stream Isolation and so on.
  27. Skype can’t work without a TCP connection
    But Skype can work without UDP
    Blocking UDP is not sufficient


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
