I would like to protect my privacy while also staying safe and thus I’d like to use some apps in a separate appVM that exclusively communicates to the internet via Tor. My normal (non-Tor) approach is to create a template VM (usually debian), install software and then create an appVM based on that template. Now for Tor usage I see two possible paths to get there and I’m not sure which is recommended:
I could create again myTemplateVM based off debian-11, NetVM none as usual for templates. I’d then install the software (e.g. a web browser or dev tools in separate VMs) and then derive an appVM from that one which is using the default sys-whonix as NetVM.
I could create myTemplateVM based off whonix-ws, install software there and then go ahead as above.
I don’t know anything about that whonix as an OS, so I naturally lean towards the more familiar option (1) but I have the feeling that’s not a good idea. What is best practice here?
I played around with option 1 for similar reasons, but ultimately decided to create a second whonix-ws template instead. I keep the original whonix-ws-16 template as completely unmodified and most of my tor usage is based on this template. I use my other whonix-ws template, whonix-ws-16-modified, for my cacher-vm (since I use Debian’s onion sites for updating over whonix), but also have signal-desktop installed there, for example.
In my experience, the whonix firewall will probably create challenges with option 1.