Hello,
I’m using Qubes OS with Whonix 18 (sys-whonix) and noticed that the Tor configuration workflow has changed compared to older Whonix versions.
Currently, Tor is configured mainly through Anon Connection Wizard, and manual editing of torrc / torrc.d is strongly discouraged or effectively blocked in Qubes-Whonix.
I have two related questions:
Is it still possible (and supported) to exclude specific Tor exit countries?
In the past, this could be done using options like:
    ExcludeExitNodes {xx},{yy}
    StrictNodes 1
However, in Whonix 18:
- Anon Connection Wizard does not expose any option for exit country selection or exclusion
- Tor User Config GUI seems non-functional or deprecated
- Manual torrc editing is discouraged and overwritten by the wizard
Is there any supported or recommended way to exclude exit countries in the current Whonix 18 + Qubes setup?
Does excluding exit countries meaningfully impact security/anonymity?
I understand that:
- restricting exit nodes can reduce the anonymity set
- it may increase fingerprintability
- Whonix intentionally avoids exposing this option
But I’m trying to understand the actual threat model trade-off:
- Is excluding a small set of countries (e.g. 1–2) considered significantly harmful?
- Or is the risk mostly theoretical unless very strict constraints are used?
- Are there scenarios where exit country exclusion makes sense (legal, compliance, testing, reliability), or is it generally discouraged in all cases?
Design intent question
Am I correct in assuming that:
- Whonix 18 intentionally removes or hides exit country controls
- to prevent users from weakening anonymity unintentionally?
If so, is this documented somewhere as an explicit design decision?
I’m not looking to bypass Whonix security mechanisms, just to better understand whether exit country control is still compatible with Whonix’s security model, or if it’s fundamentally at odds with it.
Thanks in advance for any clarification.