For instance, if I want to create a regular qube (say my-qube) and use Whonix networking for it, without any clearnet footprint, how would I do that?
AFAIK, I need to set NetVM to sys-whonix and this (my-qube) should be run without parallel Whonix instances that share sys-whonix networking, otherwise the identity will be shared, correct?
If yes, what else needs to be done in order to maximize the security and privacy and not leak clearnet?
I disabled the updates in the Qubes’ config app, and I guess I should block all the traffic except the Tor/Whonix by firewall, but I don’t know how to do that.
No expert here, so double-check my advice.
Quote:
For instance, if I want to create a regular qube (say, my-qube), and use Whonix networking for it without any clearnet footprint, how would I do that?
You need to create an AppVM and connect it to sys-whonix.
Quote:
AFAIK, I need to set NetVM to sys-whonix for this (my-qube).
No, you don’t set NetVM to sys-whonix; that doesn’t work.
This is the correct order:
For anything Whonix:
Anon-Whonix / AppVM → sys-whonix → firewall → sys-net
or
sys-net → firewall → sys-whonix → Anon-Whonix / AppVM
For anything VPN:
AppVM (like a disposable, normal, or standalone) → sys-vpn → sys-firewall → sys-net
or
sys-net → sys-firewall → sys-vpn → AppVM
For anything regular clearnet (normal internet without a VPN or Whonix):
AppVM → sys-firewall → sys-net
An AppVM can be a:
- Application Virtual Machine
- Standalone
- Named Disposable
I’m providing this extra info as others may read this too.
Quote:
Whonix instances that share sys-whonix networking: otherwise the identity will be shared, correct?
I’m not sure about this. However, I’ve read some Whonix documentation, and I know a lot of things can leak your data. So I assume yes, it probably will leak your data. But since assumptions can lead to issues, you’ll need to read the docs to ensure you understand what it exactly does.
Quote:
If yes, what else needs to be done to maximize security and privacy and not leak clearnet?
I think using a regular AppVM is a bad idea, as I believe there’s a high risk it will leak your data. I can’t back this up with hard facts. Again, an assumption. Furthermore, it seems you’re trying to reinvent the wheel. The Anon-Whonix template was specifically built to prevent data leaks. I mean this in a nice way—do you think you can do a better job than the developers with the current knowledge you have?
It is possible to clone the template, but given the complexity of Whonix, this could have implications. Your AppVM might have a double fingerprint, for instance. So again, read the docs. It’s also possible to install applications in a cloned Whonix AppVM, but I read this might also have privacy implications depending on the app you install. Whonix is quite complex in this regard, and you need to read the docs carefully, like the fine print in a contract. That’s the best way to protect yourself.
Question to ask:
Is my anonymity compromised when I clone my Whonix template in Qubes OS and go online with AppVMs?
What I think—though I am by no means an expert—is that creating two separate networks running Anon-Whonix and sys-whonix would prevent leaking data. But that’s a whole other ballgame.
In my previous message, I wrote “USB controller,” but I meant a NIC (network interface controller). A NIC is a small device in your phone, computer, tablet, or Wi-Fi/Ethernet dongle. With Qubes, you can create two fully separate networks and run them simultaneously. If your device has more USB controllers (small devices that connect your USBs), you can create an additional sys-net. With an Ethernet or Wi-Fi dongle, you can set up a completely separate network.
Can you do this without another USB controller? Well, yes, but then your traffic would mix in sys-net, and I’m unsure of the implications of that.
What’s cool about Qubes is that it’s possible to build two separate networks. But that’s a whole other ballgame.
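The chains listed earlier in this post (AppVM → sys-whonix → sys-firewall → sys-net, and so on) are recorded in Qubes as each qube’s netvm property, which dom0’s qvm-prefs reads and sets. The script below is an added example, not the post author’s or the Qubes project’s code. It walks that chain for a named qube and warns when the first hop is anything other than sys-whonix, since that is the situation in which the qube’s packets would reach the network without entering the Tor gateway first. The QVM_PREFS override (so the logic can be exercised without a Qubes system), the 16-hop loop guard and the function names are my own assumptions; the qvm-prefs invocations themselves are the standard dom0 ones.

```shell
#!/bin/sh
# Added example (not from the forum post): check that a qube's network chain
# enters sys-whonix before anything else, using dom0's qvm-prefs.
# Run in dom0:   ./tor-chain-check.sh my-qube
#
# QVM_PREFS may be overridden (e.g. with a shell function) to exercise the
# logic without a Qubes installation; this override is an assumption of the
# example, not a Qubes feature.
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# Print the NetVM of a qube, or an empty string when it has none.
netvm_of() {
    out=$("$QVM_PREFS" "$1" netvm 2>/dev/null) || out=""
    [ "$out" = "None" ] && out=""
    printf '%s' "$out"
}

# Print the chain qube -> netvm -> ... up to the qube with no NetVM,
# one name per line. Stops after 16 hops in case the chain loops.
netvm_chain() {
    vm=$1
    hops=0
    while [ -n "$vm" ] && [ "$hops" -lt 16 ]; do
        printf '%s\n' "$vm"
        vm=$(netvm_of "$vm")
        hops=$((hops + 1))
    done
}

# Exit 0 only when the first hop of the qube ($1) is the Whonix gateway
# ($2, default sys-whonix). Any other first hop sees the qube's raw,
# not-yet-torified traffic, and a missing gateway means plain clearnet.
tor_only() {
    gw="${2:-sys-whonix}"
    first_hop=$(netvm_chain "$1" | sed -n '2p')
    [ "$first_hop" = "$gw" ]
}

# Attach the qube ($1) directly to the gateway ($2, default sys-whonix).
# Only this one link is set; sys-whonix keeps its own NetVM (sys-firewall).
attach_to_whonix() {
    "$QVM_PREFS" "$1" netvm "${2:-sys-whonix}"
}

main() {
    qube=$1
    printf 'Chain for %s: ' "$qube"
    netvm_chain "$qube" | tr '\n' ' '
    echo
    if tor_only "$qube"; then
        echo "OK: $qube hands all traffic to sys-whonix first"
    else
        echo "WARNING: $qube is not attached directly to sys-whonix" >&2
        return 1
    fi
}

# Only run when a qube name is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

To repair a qube that fails the check, `attach_to_whonix my-qube` sets exactly the link the post describes and nothing else; rerun the script afterwards to confirm the full chain ends at sys-net.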
Why? Any info regarding this please?
If not used together at once, then what’s the issue that may arise from that?
Yes, it does connect to sys-firewall, but I don’t know what all of what you just said actually means. What is the effect of that? It doesn’t mean much to my noobie ears.
Yeah, I actually asked there first and didn’t get much clarity, except being blindly pointed to the general docs.
I’m doing my best, but I need to connect the dots somehow, and for that I need help or clarifications, and that’s what I’m actually asking here.
I can’t answer your questions at the moment but will do so another time.
However, I just wanted to check with you what you disabled from updating, because not updating can be a risk.
I meant I disabled the checking for updates in the Qubes config app. But as I went through all of the things, I realized that maybe it’s not that, but the paths in that file (I forgot its name) that are used to check for repositories (Debian).
In the Qubes Global config you can also set separate update preferences and exceptions. So you could run all your Whonix updates over sys-whonix and your regular AppVMs over a VPN (you will need to create sys-vpn for that) or over clearnet. That way you keep it separate. I don’t know how that works with the update manager - you should read up on that in the guides. I just wanted to warn you because updating is the MOST IMPORTANT thing to keep your system safe and healthy.
I rewrote my post so it’s hopefully a bit more clear. However now your questions don’t make sense anymore. OOPS
If you have more questions, can you rewrite your old questions, so this post is coherent? And I understand my answer could be a little bit frustrating to you, because I can’t provide you with a clear-cut recipe. I’m also still learning myself. But as nobody answered your question, I’m trying to help you to the best of my knowledge.
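The split update routing described in the post above (Whonix templates over sys-whonix, everything else over clearnet or a VPN qube) is expressed in dom0 as qubes.UpdatesProxy rules in the qrexec policy. The script below is an added example, not the post author’s or the Qubes project’s code. It generates that policy for a chosen proxy qube and checks rule order before writing it, because the first matching rule wins and the Whonix rule must therefore precede the generic template rule. The file path /etc/qubes/policy.d/30-user.policy (the user override file that Qubes evaluates ahead of 90-default.policy) and the function names are assumptions of the example; the @tag:whonix-updatevm and @type:TemplateVM selectors and the qubes-updates-proxy service name are the ones Qubes uses.

```shell
#!/bin/sh
# Added example (not from the thread): build the dom0 update-proxy policy
# that keeps Whonix template updates on sys-whonix while other templates
# update through a proxy of your choice (sys-net for clearnet, or sys-vpn).
# Assumed install path (user override file, read before 90-default.policy):
POLICY_FILE="${POLICY_FILE:-/etc/qubes/policy.d/30-user.policy}"

# Print the policy lines. $1 = proxy qube for non-Whonix templates
# (default sys-net). The Whonix rule is listed first: the first matching
# rule wins, and @tag:whonix-updatevm is narrower than @type:TemplateVM.
updates_policy() {
    other="${1:-sys-net}"
    printf '%s\n' \
      "# Whonix templates update only through the Tor gateway" \
      "qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix" \
      "# Every other template updates through $other" \
      "qubes.UpdatesProxy  *  @type:TemplateVM  @default  allow target=$other"
}

# Check the generated text: both rules present, Whonix rule before the
# generic one. Reversed order would route Whonix updates to $other.
policy_ok() {
    text=$(updates_policy "$1")
    whonix_line=$(printf '%s\n' "$text" | grep -n 'whonix-updatevm' | cut -d: -f1)
    generic_line=$(printf '%s\n' "$text" | grep -n '@type:TemplateVM' | cut -d: -f1)
    [ -n "$whonix_line" ] && [ -n "$generic_line" ] \
        && [ "$whonix_line" -lt "$generic_line" ]
}

# Write the policy (dom0 only). When the proxy is sys-vpn, that qube must
# also run the proxy service:  qvm-service sys-vpn qubes-updates-proxy on
install_policy() {
    policy_ok "$1" || return 1
    updates_policy "$1" | sudo tee "$POLICY_FILE" >/dev/null
}

# Only act when a proxy name is given, so the functions can be sourced.
if [ $# -gt 0 ]; then install_policy "$@"; fi
```

Run `updates_policy sys-vpn` first to review the text, then `./updates-policy.sh sys-vpn` in dom0 to install it; the Whonix rule stays on sys-whonix whichever proxy is chosen for the rest.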