Using sys-whonix Net qube in Windows 11 Template/AppVM does not work. Qubes documentation needs corrections

EveK818 · March 26, 2026, 12:52pm

I am having trouble using sys-whonix in front of a Windows 11 TemplateVM. The instructions on the whonix documentation in the “After Windows installation” section, is quite wrong.

The instructions say

Check the IP address allocated to the qube - either from GUI Manager, or via qvm-ls -n WindowsNew from a dom0 terminal (e.g., 10.137.0.x with gateway 10.138.y.z).

For me on my Windows 11 TemplateVM using sys-firewall as my Net qube, that would be this:

IP: 10.137.0.37
Netmask: 255.255.255.255
Gateway: 10.138.37.150
Virtual DNS: 10.139.1.1, 10.139.1.2

In the Windows qube, open the Network Manager and change the IPv4 configuration of the network interface from “Automatic” to “Manual”.

In Windows 11 it looks more like this when I do it:

Windows > Settings > Network & internet > Advanced network settings > Ethernet > IP assingment: Edit > Edit IP settings: Manual > IPv4: On

The instructions continue:

Enter the Address: 10.137.0.x in our example.
Enter the Netmask: 255.255.255.0
Enter the Gateway: 10.138.y.z in our example.
Enter DNS: 10.139.1.1,10.139.1.2 (the Virtual DNS addresses used by Qubes.

When I do it, the final result looks like this from “IPv4: On manual settings” in Windows 11:

IP address: 10.137.0.37
Subnet mask: 255.255.255.0
Gateway: 10.138.37.150
Preferred DNS: 10.139.1.1
Alternate DNS: 10.139.1.2

The instructions continue:

Click “Apply”. You should now see “Connected”.

In Windows 11, there is no “apply” button, instead there is a “save” button. So the instructions should be update to reflect this:
Click "Save". Your network should now connect.

My problem that I am having, is after doing all of this and manually changing my Windows 11 network settings, I still get no internet in Windows 11, while using sys-whonix as my Net qube. Why? Are my settings incorrect? Are the instructions incorrect? What must I do to get windows connecting through the sys-whonix gateway?

EveK818 · March 27, 2026, 6:51pm

Anyone out there have some answers to this?

linuxuser1 · March 28, 2026, 10:14am

Try it Anonymize Other Operating Systems

EveK818 · April 10, 2026, 4:03am

I tried connecting my Windows TemplateVM using the link you posted, but still to no avail. I also made sure to set net.ipv4.conf.*.arp_ignore=1 in whonix-gateways /etc/sysctl.d/99_user.conf file.

It’s peculiar that in the link, the Custom Network settings are completely different then the settings I posted above in the Windows Template VM Tutorial. In your link, it is telling me to use the following settings in the windows custom Network settings in my Windows TemplateVM:

 ## increment last octet of IP address on additional workstations
IP address 10.152.152.50
Subnet netmask 255.255.192.0
Default gateway 10.152.152.10
Preferred DNS server 10.152.152.10

when in the qubes windows template VM instructions they tell me to do this:

IP address: 10.137.0.37
Subnet mask: 255.255.255.0
Gateway: 10.138.37.150
Preferred DNS: 10.139.1.1
Alternate DNS: 10.139.1.2

in my Windows TemplateVM settings.

I have tried both methods (1 or 2) in my Windows settings panel as well as in network manager settings. None of these options work. Furthermore, both instruction sets from each of the two links are not clear. Couldn’t someone just please walk me through getting sys-whonix to work and properly torify a Windows TemplateVM? Does the installation of Qubes Windows Tools matter for this?

Can someone please revise both documentations to make more sense and be more accurate? I have been stuck with this issue for a while now, and I think the documentation for Windows 11 TemplateVM’s needs to be revised. Help?

unman · April 10, 2026, 10:31am

You seem to have overlooked the rather important first step:
“Check the IP address allocated to the qube - either from GUI Manager,
or via qvm-ls -n WindowsNew from a dom0 terminal (e.g., 10.137.0.x with
gateway 10.138.y.z).”

It doesnt make sense to just put in random addresses here - the
networking will not work and the Qubes firewall on the netvm should
block such traffic.

FIRST, check the IP allocated to your Windows qube, and the netvm.
THEN, in the windows qube set the IP to that value with Subnet mask: 255.0.0.0
Set gateway to the netvm value
DNS values as above 10.139.1.1 10.139.1.2

You have already made the arp change needed in Whonix gateway. That
should be enough.

NB you talk about a Windows TemplateVM. If you want to use qubes based
on that template you will have to manually change the IP address on each
qube. You cant network with multiple devices inheriting the same IP.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.

EveK818 · April 11, 2026, 12:22am

Actually, if you scroll to the very top of my original post, you will see I did take this step, using my Windows Template Qube with sys-firewall as it’s Net qube. I quote myself here:

For me on my Windows 11 TemplateVM using sys-firewall as my Net qube, that would be this:
IP: 10.137.0.37
Netmask: 255.255.255.255
Gateway: 10.138.37.150
Virtual DNS: 10.139.1.1, 10.139.1.2

Am I wrong in assuming that the Net Qube should be sys-firewall when documenting these addresses? The way the instructions made it seem, is that you should take all of the network information acquired from using sys-firewall as the Net Qube, and then, switch your Net Qube to sys-whonix, and while using the sys-whonix Net Qube, apply the static IP and addresses to your Windows TemplateVM from within Windows 11. Is this not what the instructions are suggesting? Because I have done this, and it does not work.

For example, quoting my Original post again, when looking at my network settings from the GUI Manager of the Win11 TemplateVM, with sys-firewall as my Net Qube, my network settings look like this:

IP: 10.137.0.37
Netmask: 255.255.255.255
Gateway: 10.138.37.150
Virtual DNS: 10.139.1.1, 10.139.1.2

The after Windows Installation section says:

In the Windows qube, open the Network Manager and change the IPv4 configuration of the network interface from “Automatic” to “Manual”.
Enter the Address: 10.137.0.x in our example.
Enter the Netmask: 255.255.255.0
Enter the Gateway: 10.138.y.z in our example.
Enter DNS: 10.139.1.1,10.139.1.2 (the Virtual DNS addresses used by Qubes.

So according to my Settings GUI while using sys-firewall, I should use the following settings manually in Windows Template VM, after changing sys-firewall to sys-whonix:

IP: 10.137.0.37/24 (taken from sys-firewall as Net Qube)
Netmask: 255.255.255.0 (even though in sys-firewall it is 255.255.255.255)
Gateway: 10.138.37.150 (taken from sys-firewall as Net Qube)
Virtual DNS: 10.139.1.1, 10.139.1.2 (taken directly from the [after windows installation instructions](https://doc.qubes-os.org/en/latest/user/templates/windows/qubes-windows.html#after-windows-installation))

Therefore, my Manual Network Settings In windows 11 Template VM (while using sys-whonix as my Net Qube) should be:

IP: 10.137.0.37/24
Netmask: 255.255.255.0
Gateway: 10.138.37.150
Virtual DNS: 10.139.1.1, 10.139.1.2

Which is what I have already tried, along with various combinations of each set of instructions. None have worked. This is why I am asking if someone can please clarify the instruction, and perhaps, post a step by step with examples on how to use sys-whonix as the net-qube for my Windows 11 TemplateVM installation. Both sets of instructions are unclear, and do not provide step by step instructions on how to do this properly.

If someone could please just boot up a Win11 installer, and document the instructions with real examples as to how to get sys-whonix working as the Net Qube for the Windows 11 TemplateVM, I would be very happy!

EveK818 · April 18, 2026, 8:40am

@unman ^^^^^ ???

random1 · April 19, 2026, 2:22am

I found this while googling:

It seems to be a whonix thing, albeit specific to qubes-whonix.

Here is the corresponding github issue:

github.com/QubesOS/qubes-issues

After recent update, Windows HVM can no longer network through Whonix gateway

opened 01:49PM - 05 Jun 25 UTC

unman

C: Whonix C: windows-vm P: default needs diagnosis C: networking affects-4.2 community template

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… Qubes OS release 4.2.4 ### Brief summary A number of users on the Forum report that Windows HVM can no longet network through Whonix. HVM that worked previously have stopped working. ### Steps to reproduce Use Windows HVM with sys-whonix as netvm, networking enabled. Update Whonix ### Expected behavior Networking in the Windwos qube will continue to work. ### Actual behavior Forum user jxadceno reports: however suddenly after updating whonix-gateway all networking to the HVM is broken, showing "Unidentified network". User dexter05 reports: sys-whonix -> windows HVM (not working after last update, worked fine for years) sys-whonix -> sys-vpn -> windows HVM (works fine, go figure) The Windows error code is 10060. Winsock timeout error. ### Additional information Forum thread is in User Support - "Windows HVM + sys-whonix networking suddenly broken"

Edit: I tested before reading the whonix docs and had the same behaviour as you, but once I changed the value in whonix, the windows qube successfully connected.

phceac · April 20, 2026, 8:12pm

I don’t know if it will help, but it seems to me that you are configuring the gateway used by Win11 as an address of sys-firewall, even after you switch to sys-whonix. I might be wrong, but this does not seem correct.

I believe that your gateway should be an address of sys-whonix, but it is not clear to me exactly how it should be discovered. I guess it is in one of the docs…