Sys-whonix, whonix workstation and TOR browser - the way these function

Hello folks,

I have a big concern on how these work together.
I use a few VMs in Qubes connected to sys-whonix and I can’t control the ExitNodes. This gives me headaches. I tried to understand but I couldn’t

  • at sys-whonix (the gateway) level a TOR circuit is established
  • at whonix workstation level
    – using TOR browser, there is another TOR circuit established on top of the sys-whonix? I remember I read somewhere that is not good to have more than 3 nodes (including entry and exit nodes) in TOR network. Anyways, it seems there is a different circuit than the one sys-whonix creates.
    – using CLI seems to keep the sys-whonix circuit, though, Im not sure.
  • at a debian-based VM level which is connected to sys-whonix using Firefox it seems to be a different TOR circuit than sys-whonix

Once the sys-whonix establishes a TOR circuit, logically is to provide that TOR circuit to all the VMs connected to it either if the VMs establish browser/app connections or CLI connections, right?
I really don’t understand how this works. If someone can tell me or point me to a document it would be great. Or tell me how can I test it, maybe I didn’t test it correct.

Thank you.

Read about stream isolation:
Stream Isolation
Also it’s better to ask this on Whonix forum:
Qubes-Whonix - Whonix Forum

If someone is interested, I posted this thread here: