Installing additional Software on Whonix. Safety considerations.

General Advice[edit]

Whonix users are free to install their favorite software packages.

Almost any application can be installed, with a few exceptions for programs that are impossible to torify. In addition, Whonix provides:

protection from IP and DNS leaks (see above for details)
partial protection against protocol leaks and fingerprinting, but this is far from perfect

Users are responsible for trying to prevent any other protocol leaks using the "Torify: How-to" guide, but most of those are mitigated by Whonix.

Read the protocol leak and fingerprinting protection entry first. It highlights useful information, like the fact that DNS and IP-related leaks do not apply to Whonix.
Refer to the Tor Project's Torify: How-to which discusses various protocol leaks and how to mitigate them.
Review the Tor Project's Transparent Proxy Leaks documentation, which is particularly relevant for users other custom workstations using Microsoft Windows.

Since Whonix is a Debian derivative, new users should always follow Debian advice when installing or removing packages to avoid common mistakes which can break or destabilize the system.

The user should be aware that additional software increases the attack surface of the platform.

Browsers[edit]

Warning:

In Whonix, for better anonymity it is recommended to use only Tor Browser for browsing the internet. Use of any browsers such as Chromium, Firefox , Opera and others is discouraged. Reasons for that are elaborated on the Tor Browser wiki page.

Whonix is The Everything Tor operating system (OS). All internet traffic is routed through the Tor anonymity network, without exceptions. Whonix is the "All Tor Operating System", featuring reliable IP hiding.

This of course also includes Chromium, Firefox, Opera and other browsers. Due to Whonix's Watertight Privacy Architecture, Whonix provides the strongest protection of your IP address.

The reason why browsers other than Tor Browser are discouraged is because hiding your identity is harder than just hiding your IP. See also IP Hiding is an Outdated Threat Model. This is also elaborated on the Tor Browser wiki page.

Whonix-Workstation^™ is Firewalled[edit]

Note: This section is relevant to server software or other advanced / uncommon applications.

The Whonix-Gateway^™ firewall ^[1] has several effects upon Whonix-Workstation.

Table: Whonix-Gateway Firewall Effects

Category	Notes
Additional Firewall Restrictions	The firewall on Whonix-Gateway is very restrictive. It can be made even more restrictive by activating options within the firewall script. ^[2] It is possible to limit which outgoing ports are redirected to Tor's `TransPort`. Depending on user intentions, it could also be useful to remove all `SocksPort`s.
DNS Requests	Standard DNS requests on UDP port `53` are redirected to Tor's `DnsPort`. ^[3]
Incoming Connections	Incoming connections are not supported. If programs make outgoing connections, then incoming connections are accepted for web browsing, IRC, or other relevant applications. Server ports ("open ports") are blocked. Unless explicitly configured, the Ident Protocol / web server listening port is not reachable.
IPv6	Tor only partially supports IPv6, although full implementation is likely in the near term. ^[4] This is not a Whonix-specific issue. ^[5]
Server Services	Onion Services and/or Location Hidden Services can be hosted.
Tor Routing	All traffic originating from Whonix-Workstation^™ and Whonix-Gateway^™ is routed over Tor. ^[6] ^[7] ^[8] ^[9] ^[10] ^[11] ^[12] Refer to the footnotes for further information.
UDP	Tor does not support UDP. This is not a Whonix-specific issue.

Install Software General[edit]

Since Whonix is based on Kicksecure^™, the user can follow these instructions Install Software (links to the Kicksecure^™ website)

Footnotes[edit]

↑ The firewall is found on Whonix-Gateway^™: /usr/bin/whonix_firewall

↑

         ## Optionally restrict TransPort.
         ## Replace above rule with a more restrictive one, e.g.:
         #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"

↑ If the DNS server is changed in Whonix-Workstation /etc/resolv.conf, this will likely have no effect. The reason is the firewall on Whonix-Gateway will redirect all those requests to Tor's DnsPort. The working exception to this rule is when users tunnel / encrypt DNS requests (DNSCrypt, httpsdnsd), as per the secondary DNS resolver instructions.
↑ The only missing elements at the time of writing were automatic client connections and inter-relay connections via IPv6. Bridges are fully supported. See also: IPv6 roadmap.
↑ https://phabricator.whonix.org/T509
↑ Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.
↑ For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.
↑ For those interested: Altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).
↑ Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will employ the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's /etc/resolv.conf don't influence Whonix-Workstation's DNS queries.
↑ Traffic produced by the Tor process, which by Debian's default operates under the user debian-tor originating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet.
↑ Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.
↑
Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
- Proxy settings that use proxies with domain names instead of IP addresses.
- Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

[1] The firewall is found on Whonix-Gateway^™: /usr/bin/whonix_firewall

[2] 
## Optionally restrict TransPort. ## Replace above rule with a more restrictive one, e.g.: #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"

[3] If the DNS server is changed in Whonix-Workstation /etc/resolv.conf, this will likely have no effect. The reason is the firewall on Whonix-Gateway will redirect all those requests to Tor's DnsPort. The working exception to this rule is when users tunnel / encrypt DNS requests (DNSCrypt, httpsdnsd), as per the secondary DNS resolver instructions.

[4] The only missing elements at the time of writing were automatic client connections and inter-relay connections via IPv6. Bridges are fully supported. See also: IPv6 roadmap.

[5] ttps://phabricator.whonix.org/T509

[6] Starting from Whonix version 0.2.1, traffic from Whonix-Gateway is also routed over Tor. This approach conceals the use of Whonix from entities monitoring the network.

[7] For preserving the anonymity of a user's Whonix-Workstation activities, it isn't essential to route Whonix-Gateway's own traffic through Tor.

[8] For those interested: Altering DNS settings on Whonix-Gateway in /etc/resolv.conf only impacts DNS requests made by Whonix-Gateway's applications that utilize the system's default DNS resolver. By default, no applications on Whonix-Gateway that generate network traffic utilize this default resolver. All default applications on Whonix-Gateway that produce network traffic (like apt, systemcheck, sdwdate) are explicitly configured, or force by uwt wrappers, to use their dedicated Tor SocksPort (refer to Stream Isolation).

[9] Whonix-Workstation's default applications are configured to use dedicated Tor SocksPorts (see Stream Isolation), avoiding the system's default DNS resolver. Any applications in Whonix-Workstation not set up for stream isolation - such as nslookup - will employ the default DNS server configured in Whonix-Workstation (through /etc/network/interfaces), which points to Whonix-Gateway. These DNS requests are then redirected to Tor's DnsPort by the Whonix-Gateway firewall. Changes in Whonix-Gateway's /etc/resolv.conf don't influence Whonix-Workstation's DNS queries.

[10] Traffic produced by the Tor process, which by Debian's default operates under the user debian-tor originating from Whonix-Gateway, can access the internet directly. This is permitted because Linux user account debian-tor is exempted in the Whonix-Gateway Firewall and allowed to use the "regular" internet.

[11] Tor version 0.4.5.6 (with no changes announced at the time of writing), the Tor software predominantly relies on TCP traffic. For further details, see Tor wiki page, chapter UDP. For DNS, please refer to the next footnote.

[12] Tor doesn't depend on, nor uses a functional (system) DNS for most of its operations. IP addresses of Tor directory authorities are hardcoded in the Tor software by Tor developers. Exceptions are:
Proxy settings that use proxies with domain names instead of IP addresses.

Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

[13] Proxy settings that use proxies with domain names instead of IP addresses.

[14] Some Tor pluggable transports such as meek lite, which resolves domains set in url= and front= to IP addresses or snowflake's -front.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

Install Additional Software Safely

Contents

General Advice[edit]

Browsers[edit]

Whonix-Workstation^™ is Firewalled[edit]

Install Software General[edit]

Footnotes[edit]

Navigation menu

Install Additional Software Safely

General Advice[edit]

Browsers[edit]

Whonix-Workstation™ is Firewalled[edit]

Install Software General[edit]

Footnotes[edit]

Navigation menu

Search

Whonix-Workstation^™ is Firewalled[edit]