Debian template using sys-whonix networking vs Whonix?

What is the practical difference between comms apps like Keybase, Element, Electronmail installed in Debian template with sys-whonix networking vs those same apps installed in a whonix template direct?

the app installed in whonix have better security since the app can take advantage of the whonix security feature (you can mimic there setting in debian, but it hard)


whonix workstations have additional hardening that make them more “leak proof”. But it’s still okay to use debian workstations. I believe @unman has tools that make Tor connections via Debian more secure/private. (he is the Debian dev at Qubes). I’ll try to find the name of it.

If you do use a debian-based appVM, it helps to put a second firewallVM between the appVM and the whonix gateway. I’m not entirely sure of how it helps but it’s recommended. I believe it ensures than traffic going to and from the appVM is configured properly before it interacts with the whonix gateway (i.e. less likely to ‘leak’) I use a disposable called tor-firegate that provides a network for my debian VMs to connect to my whonix gateway.

1 Like

Here it is… complements of unman. Harden your non-whonix VMs so installed apps play nice with Tor and keep your IP and MAC addresses private.

(disclaimer: It’s on my list of things to install but I haven’t used it yet. However it has solid reviews from knowledgeable community members.)

[to clarify… this is a replacement for the Whonix gateway… allowing for a secure whonix-free Tor connection. i.e. A Debian workstation and Debian Tor proxyVM]


Isn’t TorVM not used anymore and sys-whonix is used instead? That linked Github repo seems to be really old (latest commit was two years ago). IIRC Whonix replaced this concept perfectly and in a more robust way.

By default, any qube using the TorVM as its NetVM will be fully torified, so that even applications that are not Tor aware will be forced to use Tor.

This isn’t special either, because Whonix does the same. It supports custom workstations, see this Whonix wiki entry.

1 Like

First of all, thank you for clarifying that TorVM is a gateway and not a workstation. derp. I’m trying to multitask (one drawback of Qubes :slight_smile: ) and I got things turned around in my last post.

However… your assessment about TorVM and Whonix may not be so cut and dry. The current Debian template maintainer for the Qubes team seems to think that the TorVM is every bit as good as the Whonix configuration and could possibly provide privacy benefits because whonix has a smaller pool of users. Of course, he could be wrong but he seems to know what he’s doing. He also clarified in a post from this year that TorVM is nt depreciated.

1 Like

Other than network speed, what situations would you install software in a debian template vs install everything in a whonix-ws template?

If I want whonix anonimity but also network speed, can I approximate that with a whonix-ws appVM, with a sys-firewall bridge through a fast VPN?

I believe the whonix workstation can only be used with the whonix gateway. So if you use whonix ws, you’re committed to the whonix gw. On the other hand, you are free to connect whatever you want to the whonix gw, although the whonix ws is optimized for that.

I can’t remember off the top of my head, but I seem to recall some apps not liking the whonix ws environment. I know fonts were an issue for one app. Whonix ws is based on Debian but it seems like a more restrictive environment than standard Debian. Debian templates also give you the option to use a “minimal” version that consumes less system resources than Whonix, so if RAM is an issue, that’s one consideration.

1 Like

To be clear, TorVM was deprecated, (and in fact not available from official
Whonix remains the officially endorsed route to privacy in Qubes.
For reasons partly explained elsewhere I do not use Whonix - on one level,
it does not fit my needs in Qubes.
The TorVM I offer is compatible with the Qubes firewall model, which
Whonix is not. It’s also very light on resources, and simple to use.
Securing the client machines is left to the user/administrator.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

@unman Thanks for clarifying.

This seems like “the catch”. Can you expand on that just a bit more? For example, Whonix is more or less “plug and play” and relatively secure. What else would a user need to do with TorVM to ensure a reasonable degree of privacy and security (for above average threats).

It’s also very light on resources, and simple to use.

Securing the client machines is left to the user/administrator.

Isn’t simple to use incompatible with leaving up security to the user? Whonix is a plug-and-play sort of system, and hardening at most is just running 2-3 commands. I also would’ve recommended Whonix-CLI, but I’m not sure how Qubes would interact with that version of Whonix. Whonix-CLI is a pure terminal of Whonix that makes it extremely lightweight and secure (Whonix has a lot of security patches that I’m not sure other systems provide; they put a lot into security, just see systems like sdwdate and the tirdad module implementation).