Install Whonix: Virtual and extra secure

Whonix is ​​an alternative operating system that is primarily intended for those who value anonymity and privacy. Whonix basically assumes two virtual machines, a gateway and a workstation. This is how you can install Whonix.

You can order electronics for secure data storage at

Earlier we looked at a similar OS, namely Tails. This may be a more secure environment for outside threats due to the configuration options and extra tools, but Whonix prides itself on even better security and is based on Kicksecure, a Debian-Linux distribution, especially with security in mind. Through you can read which safety functions have been implemented.

Just to name a few: use of AppArmor profiles to restrict system access by applications, application of various kernel hardening techniques from the KSPP (Kernel Self Protection Project) and an encrypted swap file for optimal protection of local data.


Whonix was initially released in 2012 under the name TorBOX, where a virtual machine acts as a transparent proxy that routes all internet traffic through the Tor network.

If you want to delve further into the security functions of Whonix, you can read the tables via consult. These may come from Whonix itself – the authors are not afraid to admit that this can encourage (unintentional) partiality – but the information remains interesting.

In the section Security numerous safety functions in eleven areas, including Network, Browser Plugin Security, forensics and hardeningcompared between Whonix and the likes of Tails and Tor Browser.


As mentioned, Whonix revolves around two machines: a gateway and a workstation. Although you can use two physical machines for this, installing the gateway on one machine and the workstation (virtualized) on the other machine, in our scenario we stick to just one physical machine, albeit with two VMs.

Whonix can be installed on different systems and with some effort on a USB stick, but a USB image is not available for the time being. The most common method is via a hypervisor, and Whonix itself provides VirtualBox with an almost ready-to-use ova application (Open Virtual Appliance). You can download the hypervisor itself for free. We assume you already have it installed, on Linux, macOS or Windows.

Anyone interested in the Whonix repository can visit The easiest way to download the VM is via You will see that there are two editions of Whonix available: a CLI variant (command line interface) and a GUI version (with an Xfce desktop environment). It is also possible to combine an Xfce workstation with a CLI gateway (see the section ‘GUI and CLI’ below).

Install Whonix

To install Whonix, launch VirtualBox, open the menu File and choose you Import appliance. Refer to the downloaded ova file via the folder icon. Bee Settings Appliance you immediately notice that there are two VMs involved. You can also click and adjust certain properties here, if you wish. Confirm with Import and with Agree (2x).

You should now find two VMs in the Virtualbox management module. You can still change components from Settings. Keep in mind that some options can only be adjusted when the VM is turned off.

With a double click you already start the gateway VM. After you click Understood (2x), a wizard will ask you how you want to connect to the Tor network. This can be done ‘automatically’ via Connectbut also through Configure, where you can specify a Tor bridge yourself. After bootstrapping you should have a Tor connection.

Over to the VM of the workstation, where you can start the desired applications after you agree. Open Tor Browser and surf to to check whether you are actually surfing through Tor. You will also see the IP address of the Tor relay here.

Settings such as screen resolution and keyboard layout can be adjusted via Applications / Settings. Or you use the console to set things up. Through you will find an overview of the most important commands.

The ova file contains a ready-made VM (which you can still customize).


You will notice that you cannot just get started with Tor Browser from the gateway. The idea is that you only do this from the workstation. To this end, Whonix has set up an internal virtual network. You will notice this when you open the settings of the VM of the workstation in VirtualBox and Network selects. The Network adapter is linked to the Internal network with the name Whonix.

The gateway’s VM has two virtual network adapters enabled: one is also connected to that internal network, while the other is connected through WET is connected. This NAT mode causes VirtualBox’s network engine to act as a router, placing itself between each VM and the host machine. This allows the gateway to reach the remote network, but the host cannot access the VM unless you define port forwarding rules.

Both VMs can’t reach each other either, but connecting them to the same internal network makes this possible, so you can access the internet from the workstation through the gateway, which routes all traffic through the Tor network.

The Whonix gateway has two active network adapters.


As mentioned, it is also possible to connect an Xfce workstation to a headless gateway. For example, this can be done as follows: download the ova file from the CLI gateway and open this file in the 7-Zip File Manager. Select the corresponding vmdk file and drag it, for example, to your desktop.

After that, go to VirtualBox, where you make sure that both Whonix VMs are turned off. Create a new VM in VirtualBox, give it a suitable name (for example Whonix-Gateway-CLI), set it to Linux, Debian (64-bit) and allocate enough memory to it. Select Use an existing virtual hard disk fileclick the folder icon and Add and point to your extracted vmdk file.

Before starting the new VM, compare all the settings of the already installed Xfce gateway with the CLI machine and adjust the latter if necessary. For example, you will have to enable a second network adapter to connect it to the network Internal Network with the name Whonix to link.

When starting the CLI gateway you can initially log in with the credentials user and changeme and then enable Tor. After the system check you can also start your workstation.

Two gateways (Xfce and CLI) are installed, but only one of them is active (here: CLI).

More tips for monitoring your digital privacy? Then order this Security and Privacy Course Bundle.


Recent Articles

Related Stories