Monero Wallet/Daemon Isolation with Qubes + Whonix

I’d just download the new monero wallet manually. But you can try to comment out the restricted-rpc=true in your config if you have it then try to download monero wallet with monerod and return your config back afterwards.

Clarify what you mean by:

updated wallet file

Do you mean as it says - wallet file wallet.dat in ~/Monero/... directory or you mean updating your monero wallet software?
You need to update monero wallet software in both monerod-ws and in monero-wallet-ws.

OK, don’t like the idea of the rpc hack around, looks a bit risky, I’ll just download it manually and then just install it over the top using the same command I used for the original setup if you don’t see a problem with that

sudo install -g staff -m 0755 -o root ~/monero-<VERSION NUMBER>/monero-blockchain-* ~/monero-<VERSION NUMBER>/monerod -t /usr/local/bin/

Sorry, I meant updating the ‘actual’ wallet program in my monero-wallet-ws VM by just copying the new wallet binaries over

Thanks for all of your help

That should work just fine.

1 Like

Worked out of the box using the Whonix template & standard disposable VM here last week

Make sure you’ve updated to for the wallet now, significant upgrade with added ring signature & speed when it comes to syncing

Do you mean you use the already installed Monero app? create 2, one for node and one for wallet and connect them?

If so, could you share how?

When I upgraded to 4.1, I had some issues using the original setup method I posted here (and the really helpful tweaks posted on this thread), so I thought to make a working method clear since @Mdogg had issues with his.

The setup here is using this method with a fix for 4.1 here and confirmed here:

We need to create wallet and daemon VMs and get them talking to each other. Just get your copy/paste mojo going:

In this example they are named:
monerod - this will be online to allow sync the blockchain.
monero-wallet - this will be isolated with no network.

1. Creating VMs:

In dom0 terminal:
qvm-create --label purple --property netvm=sys-whonix --template whonix-ws-16 monerod

qvm-create --label black --property netvm='' --template whonix-ws-16 monero-wallet

2. In monerod terminal:

Increase volume size to allow for 150Gb (Dec '22) blockchain:
qvm-volume extend monerod:private 175G

Create a systemd file.
sudo nano /home/user/monerod.service

Paste the following contents:

Description=Monero Full Node 



ExecStart=/usr/bin/monerod --detach --data-dir=/home/user/.bitmonero \ 
    --no-igd --pidfile=/home/user/.bitmonero/ \ 
    --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip= 



Editing a nano file:
Ctrl+o = save
Ctrl+x = close

Make monerod daemon run on startup by editing the file /rw/config/rc.local:
sudo nano /rw/config/rc.local

Add these lines to the bottom:
cp/home/user/monerod.service /lib/systemd/system/
systemctl start monerod.service

Make file executable:
sudo chmod +x /rw/config/rc.local

Create rpc action file:
sudo mkdir /rw/usrlocal/etc/qubes-rpc
sudo nano /rw/usrlocal/etc/qubes-rpc/user.monerod

Add the line:
socat STDIO TCP:localhost:18081

Shutdown monerod:
sudo shutdown now

3. In monero-wallet terminal:

Edit the file /rw/config/rc.local.
sudo nano /rw/config/rc.local

Add the line:
qvm-connect-tcp ::18081 to rc.local

Make file executable:
sudo chmod +x /rw/config/rc.local

Shutdown monero-wallet:
sudo shutdown now

4. In dom0 terminal:

Create a TCP connect policy file:
sudo nano /etc/qubes-rpc/policy/qubes.ConnectTCP

Add the following line:
monero-wallet @default allow,target=monerod

RESTART your system for good luck

you’ll have to wait for the 150Gb+ blockchain (as of Dec '22) to sync on your system. If you start your wallet before then, you’ll get errors and your brain may melt. But believe me, it’s worth the wait.


my $0.02, dont forget to clone the blockchain vm.

Instead of sudo nano, I suggest using sudoedit (or gsudoedit if the default editor is graphic). The advantage is that the editor itself isn’t elevated. Only the behind the scenes mv equivalent is. It does it by copying the file, then opening the copy inside the editor. Only if changes were made does it modify the original. Otherwise it deletes the unedited copy.

Edit: Not sure how valid it is for Qubes.


Stupid question:
Does the blockchain sync start automatically, or do I have to enter some kind of command for that?

1 Like

Why wouldn’t it? Fom’s giant list of Qubes OS workarounds, tweaks and shenanigans - #12 by BEBF738VD (point 2)


Because of Qubes’ passwordless sudo business and qube isolation. I know about Qubes in a very generic novice level. Therefore I’m never sure how much something applies to it’s architecture as oppose to a plain monolithic OS. I often get surprised :sweat_smile:

I’ve always been of the opinion that the only stupid question is the one not asked :wink:

However, I’m hesitating here in this thread because I’m unsure how the mods approach a Q and A that’s not specific to Qubes. So far we’ve dealing with the challenges you face that are specific to Qubes, but your question moves us to something that’s specific to dealing with Monero daemon in general.

The short answer is no, it needs commands to start and stop it in a gentle manner. Sorry, I forgot that.

I’ll PM you with the commands, unless the mods tell me otherwise.


I got an update suggestion. On ArchWiki it is stated that this is the usual place to host user systemd unit files:

~/.config/systemd/user/ where the user puts their own units.

Therefore I decided to put mine there. It avoids the need for root (or sudo?) to own it. In such a setup, systemd already “knows” that the file is to be run as user. Therefore, the User and Group parameters become superfluous. In fact, I discovered the hard way they just confuse it. Of course, it means that the cp command in rc.local should be modified to this:

cp /home/user/.config/systemd/user/monerod.service /lib/systemd/user

Also, it looks like the service should be enabled. Maybe even restarted.

systemctl --user enable monerod
systemctl --user restart monerod

At the very least it helped me. The following two commands, and searching the errors on the web, helped me discover issues (including the one I mentioned):

systemctl -- user status monerod
journalctl --boot --user -f -u monerod

i would also like to know the commands because i was following this tutorial: How-to: Use Monero with Wallet Isolation in Qubes-Whonix ™ like @Mdogg was and now i will try to follow your guide, also thank you for the effort of writing this for all of us :smile:


I have trouble mining with this setup. I launch the mining daemon through the wallet with this command: start_mining 1 true true. It launches one mining thread, tells it to background-mine, and tells it to not query battery statues (which it can’t do anyway). After an hour, the log shows this message:

…[P2P9] WARNING global src/p2p/net_node.inl:2093 No incoming connections - check firewalls/routers allow port 18080

How do I solve it? Do I need to forward the port in some way?

Edit: Also, when I installed qubes 4.1 I set sys-net as a static disposable VM. I thought it may be worth mentioning.

This needs to be updated for Whonix 17 on Qubes 4.2

I had this setup working on whonix 15-16, but it is not working on Whonix 17. I want to try your solution here of using qvm-connect-tcp, however Whonix 17 no longer uses /etc/qubes-rpc/policy, so where would you setup the qubes.ConnectTCP info? In /etc/qubes/policy.d/ somewhere? It seems 30-user.policy is the only place you are supposed to edit there.


Qubes 4.2 is based on the new policy system. Now you must explicitly write the qrexec policy name you want to use in a policy file. For example, you could have a file here /etc/qubes/policy.d/30-user.policy with:

qubes.ConnectTCP +18081 monero-wallet @default allow target=monerod

Thanks! I added that and my connection worked immediately. To summarize, with Qubes 4.2 and Whonix 17 @MrA’s post should work, with the following changes @DVM gives above.

OLD Step 4 (in dom0)

NEW Step 4 (in dom0)

Edit the policy file:
sudo nano /etc/qubes/policy.d/30-user.policy

Add the following line:
qubes.ConnectTCP +18081 monero-wallet @default allow target=monerod


I had hopes I’d be saving myself some time, so I got around to upgrading a box to 4.2 using backups of monerod and wallet VMs moved to Whonix 17 on restore. However, despite the policy edit in dom0, monerod doesn’t want to fly. Did you use a backup for yours? @scallyob

journalctl tells me it doesn’t have /usr/bin/monerod to play with. (Guessing …) Does the edit also require a change to /qubes-rpc/user.monerod?

I reinstalled from 4.1 to 4.2 (and whonix 17) restored with qubes backup and just set the exact same policies from 4.1.

Everything works fine.

My policy is in


monero-wallet-ws @default allow, target=monerod-ws