ClockVM and NetVM for

Hi. I started using qubes os and I have a question about global settings. If I only use whonix and want to be as anonymous as possible, should I set ClockVM to sys-net or sys-whonix? (theoretically it seems correct). NetVM should be set to sys-firewall or change it to sys-whonix? I know that the dom0 update should be to sys-whonix. Thank you very much for your help

Whonix doesn’t support being ClockVM yet:

Which NetVM are you talking about? Default net qube in Qubes OS Global Config?

Don’t forget about about default update proxy that is used to update templates. It’s different from the dom0 update proxy.

1 Like

1.Yes, I’m talking about the default qubes global setting module, not about one specific qube.ClockVM, I’m also talking about the global setting.

2.I set proxyupdates for templates according to the guide I found. Is it possible to check if it works?

You can set default net qube in Qubes OS Global Config to sys-whonix if you’ll mainly use sys-whonix for your qubes net qube.

You can open Nyx in sys-whonix and start template update. If you see the traffic going in Nyx during template update then it’s using the sys-whonix as update proxy.
Or you can change repositories in templates to onion ones instead of clearnet ones and see if they will work.

1 Like

I have one more question. I have a clone of sys-whonix and anon-whonix to have two ready machines. Do the clones work the same as the originals and create a second gateway and workstation?

I came across information that it is a good idea to create StandaloneVM instead of AppVM. What are the differences? Can you advise on this topic? If this is true, I would be very grateful for a short guide on how to create them correctly so that they work through the tor like anon-whonix


Maybe for some specific case. But in general AppVM is better choice.
You can use StandaloneVM if you need to use some software that will write in non-user directories and it’ll be a pain to create bind-dirs for it.

1 Like

In anon-connect-wizard I have a connection to the Tor bridge set up and I have an obsf4 bridge from If I use, for example, session messanger in anon-whonix (it is to some extent based on Tor), will there be a tor through tor? and should I set a proxy tor in Telegram’s settings or does the bridge in annon-connect already perform this function? In general, do you recommend using the bridge in annon-connect or maybe something else?

Thank you very much for your valuable time and knowledge

It’s not Qubes-specific, you can read Whonix documentation and Whonix forum.

I’m not familiar with session messanger but I think it’s not using Tor network so it won’t be Tor over Tor situation:

In general, you don’t need to set proxy because whonix gateway will proxify all traffic over Tor translarntly.
But in some cases you need to set proxy to use stream isolation:

It depends on what you want to use bridge for.

1 Like

I thought that if I set the bridge in anno-connect-wizard, it would act as a stream isolation. Generally, I want to use instant messaging in such a way that the anonymity is as high as possible.

In qubes global setting I have:
Dom0 update: sys-whonix
Clock qube:sys whonix
Net qube: sys whonix
Template: whonix-ws16
Disposable template:whonix-ws-16-dvm

in qube manager:
sys-firewall has NetVM:sys-net

sys-whonix has NetVM:sys-firewall and is whonix-gw-16 template

anon-whonix has NetVM:sys-whonix and is whonix-ws-16 template

Can you confirm that it is set ok?

Bridges are not used for stream isolation:

As I’ve stated before:

You need to set ClockVM to be sys-net or sys-firewall.

1 Like

Ok, so in qubes global setting I have to change clockVM to sys-firewall and the rest is correct?

So in my case it doesn’t matter whether I have the bridge set in annon-connect? Is stream isolation required for me if I use 1 application per workstation?

You also need to set template update proxy to sys-whonix.

Again, depends on whatever you need it or not. Read the documentation to understand its purpose.
For example, if you want to hide Tor usage from your ISP or if your ISP is blocking Tor or something else.

Again, depends on whatever you need it or not. Read the documentation to understand its purpose.
For example, it you use Firefox in anon-whonix instead of Tor Browser and don’t set stream isolation proxy in it then when you visit different websites from this firefox the connections will use the same Tor circuit and they could be correlated.
Or if you’ll have two firefox profiles in the same anon-whonix login to facebook using different accounts then these account could be correlated.

1 Like

Ok I have one last question, should I make a whonix-gw-16 clone? Then sys-whonix has the whonix-gw-16 template and sys-whonix-clone1 has the whonix-gw-16-clone1 template. Is it enough that sys-whonix has the whonix-gw-16 template and sys-whonix-clone 1 also has the whonix-gw-16 template? Thank you very much again

No need to.


1 Like

Is there any way to improve your anonymity or security by cloning whonix-gw-16?

In qubes global setting is there any difference between Template set to whonix -ws16 and whonix-gw16?

I don’t know, better to ask this question on Whonix forum.

1 Like

I heard that it is worth setting the UTC time zone in qubes. Is there a difference between using UTC and my real time zone?