Suggested path to use app VM with Tor

I would like to protect my privacy while also staying safe, and thus I’d like to use some apps in a separate appVM that exclusively communicates with the internet via Tor. My normal (non-Tor) approach is to create a template VM (usually Debian), install software and then create an appVM based on that template. Now for Tor usage I see two possible paths to get there and I’m not sure which is recommended:

  1. I could again create myTemplateVM based off debian-11, NetVM none as usual for templates. I’d then install the software (e.g. a web browser or dev tools in separate VMs) and then derive an appVM from that one which is using the default sys-whonix as NetVM.

  2. I could create myTemplateVM based off whonix-ws, install software there and then go ahead as above.

I don’t know anything about Whonix as an OS, so I naturally lean towards the more familiar option (1), but I have the feeling that’s not a good idea. What is best practice here?

Best practice is probably to use Whonix and modify it as little as possible to avoid making your VM fingerprint distinctive.


I guess VM fingerprinting is not an issue when I consistently use an anon profile in that one Tor VM and keep that usage entirely separate from my doxed accounts on other (clearnet) VMs?

Depends entirely on your threat model and goals.

I think you are right that it may cause problems for your privacy. Have a look at this related discussion:


I played around with option 1 for similar reasons, but ultimately decided to create a second whonix-ws template instead. I keep the original whonix-ws-16 template completely unmodified, and most of my Tor usage is based on this template. I use my other whonix-ws template, whonix-ws-16-modified, for my cacher-vm (since I use Debian’s onion sites for updating over Whonix), but also have signal-desktop installed there, for example.

In my experience, the Whonix firewall will probably create challenges with option 1.

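A read-only check for the setup discussed in this thread, added here as an example and not posted by any participant: it reads a qube listing and reports which app qubes actually sit behind sys-whonix. It assumes dom0 input in the form produced by `qvm-ls --raw-data --fields NAME,CLASS,TEMPLATE,NETVM` (one qube per line, `|`-separated, `-` for an unset value); the listing below is constructed, and the qube names anon-browser, anon-signal and dev-tor are hypothetical.

```sh
#!/bin/sh
# Audit which app qubes are routed through the Whonix gateway (added example).
GATEWAY="sys-whonix"   # gateway qube name used in the thread

# Constructed sample of the assumed qvm-ls raw output (NAME|CLASS|TEMPLATE|NETVM).
sample_qvm_ls() {
cat <<'EOF'
dom0|AdminVM|-|-
debian-11|TemplateVM|-|-
whonix-ws-16|TemplateVM|-|-
whonix-ws-16-modified|TemplateVM|-|-
sys-whonix|AppVM|whonix-gw-16|sys-firewall
anon-browser|AppVM|whonix-ws-16|sys-whonix
anon-signal|AppVM|whonix-ws-16-modified|sys-firewall
dev-tor|AppVM|debian-11|sys-whonix
vault|AppVM|debian-11|-
EOF
}

# audit_netvm: read the listing on stdin, print one verdict per relevant qube.
#   OK      Whonix workstation qube behind the gateway
#   OFFLINE Whonix workstation qube with no NetVM at all
#   BYPASS  Whonix workstation qube whose NetVM is not the gateway
#   NOTE    non-Whonix template behind the gateway (option 1 in the question)
audit_netvm() {
    awk -F'|' -v gw="$GATEWAY" '
        $2 != "AppVM" && $2 != "DispVM" { next }   # skip dom0 and templates
        $3 ~ /^whonix-(ws|workstation)/ {
            if ($4 == gw)       v = "OK"
            else if ($4 == "-") v = "OFFLINE"
            else                v = "BYPASS"
            printf "%s %s template=%s netvm=%s\n", v, $1, $3, $4
            next
        }
        $4 == gw { printf "NOTE %s template=%s netvm=%s\n", $1, $3, $4 }
    '
}

# Run against the constructed sample; in dom0, pipe the real qvm-ls output instead.
sample_qvm_ls | audit_netvm
```

A BYPASS line means that qube's traffic does not go through Tor even though it is built from a Whonix workstation template; a NOTE line marks the option 1 layout, which is torified at the gateway but lacks the workstation-side configuration.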