Set netVM to sys-whonix?

This guide here on using multiple Whonix Workstations recommends setting the netVM to sys-whonix:

Why?
What could go wrong in regards to privacy if I leave it on sys-firewall (the default)?

No privacy is mentioned in the article you posted. But if, besides privacy, anonymity is your goal too, then via sys-firewall you usually get clearnet, while via sys-whonix you go over Tor.

I just read that guide, and I think you misunderstood what it was saying. It doesn’t say set netvm to sys-whonix, it says connect the whonix workstation VM to the sys-whonix gateway.

"2. Confirm the new App Qube is using sys-whonix as its [NetVM]"

This is the default way to do it, and I recommend that as well.

If you are looking to run multiple whonix-workstations, I would create a SEPARATE whonix-gw for each whonix-ws. I recommend:

whonix-ws → whonix-gw → sys-firewall → sys-net
whonix-ws2 → whonix-gw2 → sys-firewall → sys-net

If you want a second workstation, I would also create a second gateway. I run multiples myself. I also run a private VPN server to isolate them completely from everything else.

I like to run multiple Whonix workstations on my laptop. I currently have:

work-whonix-ws → whonix-gw-losangeles → vpn-losangeles → sys-firewall → sys-net

That config gives me a torified workstation that connects to a VPN before connecting to the Tor network. My ISP sees me connecting to a VPN service. The VPN service sees me connecting to the Tor network. Neither one sees my final destination.

I also have:

play-whonix-ws → whonix-gw-warsaw → vpn-warsaw → sys-firewall → sys-net

That is a separate torified workstation that I use that connects to a totally different VPN, which connects to a different Tor network entry point.

Qubes is really flexible, and easy to set up, once you get the hang of it. I follow the recommended Qubes instructions for advanced setup, for the additional security and leak protection, for VPNs. You don't really need a VPN; I do it to hide the fact that I'm using Tor from my ISP. All they see instead is a VPN connection, which is more common.

Advanced VPN config:

For Tor settings, you should start with the defaults. Before you start using Tor bridges, you really need to read up on all the Tor docs. It can get complicated pretty quickly. Lots of options.

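The chains above are built and checked in dom0 with qvm-create and qvm-prefs. Here is an added example (not from the thread or from the Qubes/Whonix projects) that creates a second gateway/workstation pair and walks a qube's NetVM chain so you can see what it actually connects through. The qube names sys-whonix2 and anon-whonix2, the labels, and the --apply flag are assumptions of this script; whonix-gw-16 and whonix-ws-16 are the template names mentioned later in the thread. Outside dom0 the dom0 commands are skipped and the walker runs against a constructed NetVM table that stands in for qvm-prefs output.

```shell
#!/bin/sh
# Added example, not from the thread. Names sys-whonix2 / anon-whonix2 and the
# labels are assumptions; whonix-gw-16 / whonix-ws-16 are the template names
# mentioned in the discussion. With --apply in dom0 it creates the second pair;
# anywhere else it exercises the chain walker against a constructed table.
set -eu

# Walk the NetVM chain of a qube: "$1" is a lookup command that prints the
# netvm of the qube named in its argument (empty or "None" for no NetVM),
# "$2" is the qube to start from. Prints "a -> b -> c".
netvm_chain() {
    lookup=$1
    vm=$2
    chain=$vm
    seen=" $vm "
    while :; do
        next=$("$lookup" "$vm") || return 1
        case "$next" in
            ''|None|none|'(none)') break ;;
        esac
        # A netvm loop would never terminate; refuse instead of spinning.
        case "$seen" in
            *" $next "*) echo "netvm loop at $next" >&2; return 1 ;;
        esac
        chain="$chain -> $next"
        seen="$seen$next "
        vm=$next
    done
    printf '%s\n' "$chain"
}

# Lookup against the real system (dom0): qvm-prefs prints the property value.
real_lookup() { qvm-prefs "$1" netvm; }

# Constructed stand-in for qvm-prefs so the walker can run offline. It models
# the default chain plus the second pair; templates have no NetVM.
fake_lookup() {
    case "$1" in
        anon-whonix)   echo sys-whonix ;;
        anon-whonix2)  echo sys-whonix2 ;;
        sys-whonix)    echo sys-firewall ;;
        sys-whonix2)   echo sys-firewall ;;
        sys-firewall)  echo sys-net ;;
        sys-net)       echo '' ;;
        whonix-gw-16|whonix-ws-16) echo '' ;;
        *) echo "unknown qube: $1" >&2; return 1 ;;
    esac
}

# dom0 commands for the second pair. A fresh AppVM from the gateway template
# starts with an empty private volume and so keeps its own Tor state, whereas
# qvm-clone sys-whonix would copy sys-whonix's Tor data along with it.
create_second_whonix_chain() {
    qvm-create --class AppVM --template whonix-gw-16 --label black sys-whonix2
    qvm-prefs sys-whonix2 provides_network True
    qvm-prefs sys-whonix2 netvm sys-firewall
    qvm-create --class AppVM --template whonix-ws-16 --label red anon-whonix2
    qvm-prefs anon-whonix2 netvm sys-whonix2
}

if [ "${1:-}" = "--apply" ] && command -v qvm-create >/dev/null 2>&1; then
    create_second_whonix_chain
    # "(default)" in the GUI means the global default; show it beside the
    # effective per-qube chain so the two are not confused.
    echo "global default_netvm: $(qubes-prefs default_netvm)"
    netvm_chain real_lookup anon-whonix
    netvm_chain real_lookup anon-whonix2
else
    netvm_chain fake_lookup anon-whonix
    netvm_chain fake_lookup anon-whonix2
    netvm_chain fake_lookup whonix-ws-16
fi
```

Run it without arguments on any machine to see the walker's output for the constructed table; in dom0, `sh script.sh --apply` creates the pair and then prints the real chains via qvm-prefs. The walker stops at the first qube whose netvm is empty, which is also how a template (no NetVM) shows up as a one-element chain.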

That's not to say that one cannot set any NetVM other than sys-whonix for whonix-ws based VMs and expect them to get online.

I think you misunderstood what it was saying

You’re right. I was confused because when I am creating a new Qube, it shows sys-firewall (default) as ‘Networking’. But then when it is created, the NetVM is sys-whonix. I thought it is the same. What’s the difference?

whonix-ws → whonix-gw → sys-firewall → sys-net
whonix-ws2 → whonix-gw2 → sys-firewall → sys-net

Good recommendation. Can you elaborate why it’s better? Just curious.

So I actually have to create another gw, but also another ws template, right? Like that:
whonix AppVM → whonix-ws → whonix-gw → sys-firewall → sys-net
whonix AppVM 2 → whonix-ws2 → whonix-gw2 → sys-firewall → sys-net

Or do you mean something different?

My sys-whonix's NetVM is sys-firewall, my Whonix AppVM's NetVM is sys-whonix, and my whonix-gw-16 and whonix-ws-16's NetVM is (none). That's good, right?

I do it to hide the fact that I'm using Tor from my ISP

But doesn’t that enormously increase the trust you need to have in your VPN provider?

I'm the VPN provider. I rent a cheap $5/month VPS server, and install OpenVPN on it. I trust myself :) but yeah, you are right, I am then trusting the VPS server provider with the knowledge that I'm running both a VPN to them and then whatever leaves that server. Adding a VPN hop doesn't do anything to increase trust, security or even anonymous behavior, but it is fun to set up, and does have its uses, such as traffic isolation, running other apps over the VPN, like visiting sites in that region of the world that would otherwise be blocked from direct connections, etc. It's not better, just different. I like to play around with options. It's fun and educational.

As far as it being better to create a separate Whonix gateway for each Whonix workstation VM, it just makes it easier to troubleshoot later, because each workstation is isolated to its own gateway. It's a preference I find helpful when later making a change.


That is awesome, you must feel proud.

As far as it being better to create a separate Whonix gateway for each Whonix workstation VM, it just makes it easier to troubleshoot later, because each workstation is isolated to its own gateway. It's a preference I find helpful when later making a change.

I see. Does it improve privacy/anonymity?

And is this here correct?

So I actually have to create another gw, but also another ws template, right? Like that:
whonix AppVM → whonix-ws → whonix-gw → sys-firewall → sys-net
whonix AppVM 2 → whonix-ws2 → whonix-gw2 → sys-firewall → sys-net

Like I said earlier, from a privacy standpoint, it only transfers the knowledge of using Tor from my ISP to the VPS service provider, so improve? No, not at all. Change? Only at first glance. If my ISP really wanted to, they could examine my VPN connection and from the traffic patterns quickly discover I'm running Tor over the VPN. It's not that hard to figure out, but they would have to make some effort and examine me specifically.

There is no such thing as truly anonymous over the Internet. There are always clues along the way, and with enough looking, you can and will be discovered. The only 100% guaranteed way to remain anonymous over the Internet is to stay off the Internet. As the computer "Joshua" said in the movie "WarGames", the only winning move is not to play.


Here is an older article, but it is very good at illustrating connecting different app VMs to net VMs.


Thank you for the link, but actually I just want to know if this specific case is correct. Can you tell me that?

Not quite: the "whonix AppVM" and the "whonix-ws" are the same thing, so that example is redundant. It should be just:

anon-whonix → sys-whonix → sys-firewall → sys-net


Okay, that's the default.
I've got one last question. The thing that confused me in the beginning was that when I am creating a new Qube, it shows sys-firewall (default) as 'Networking'. But then when it is created, the NetVM is sys-whonix. I thought Networking and NetVM were the same. What's the difference?