Whonix is two VMs working together: a Gateway that talks to Tor, and a Workstation that routes all its traffic through the Gateway. Nothing on the Workstation can leak outside Tor — not DNS, not an NTP query, not a misbehaving app. That isolation is the whole point.

This is how I install it on Windows 11 using Oracle VirtualBox 7.0. The same steps work on Linux with minor changes.

1. Prep the Host

Before you download anything, deal with Hyper-V. If Hyper-V is enabled, VirtualBox falls back to a slow emulated mode and Whonix will crawl. Disable it:

# Run as administrator
bcdedit /set hypervisorlaunchtype off
DISM /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All
# Reboot

If you use WSL2 or Docker Desktop, this will break them. Pick your compartment and stick with it — ideally a dedicated host for privacy work.

Install VirtualBox 7.0.x plus the matching Extension Pack. Confirm VT-x is enabled in BIOS.

2. Download and Verify Whonix

Grab the Whonix-Xfce OVA from whonix.org. Two things are non-negotiable:

  • Verify the OpenPGP signature. The Whonix signing key fingerprint is 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA.
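  • Verify the SHA-512 hash published next to the download.

Use the exact file name you downloaded in place of the 17.* pattern (Windows shells do not expand wildcards for you), and confirm that the fingerprint gpg reports matches the one above:

gpg --verify Whonix-Xfce-17.*.ova.asc Whonix-Xfce-17.*.ova
certutil -hashfile Whonix-Xfce-17.*.ova SHA512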

If either check fails, do not import. Download again from a different network.
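
Both checks from this step as one PowerShell script that fails closed. This is an added example, not part of the original write-up. It assumes gpg is on the PATH and the Whonix signing key is already in your keyring; the parameter names $Ova and $ExpectedSha512 are hypothetical.

```powershell
# Added example (not from the original post): check a Whonix OVA before import.
param(
    [Parameter(Mandatory)] [string] $Ova,            # exact file path, no wildcards
    [Parameter(Mandatory)] [string] $ExpectedSha512  # hash copied from the download page
)

# Signing key fingerprint as quoted in step 2 of this guide, spaces removed.
$ExpectedFpr = '916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA'

$Ova = (Resolve-Path -LiteralPath $Ova -ErrorAction Stop).Path
$Sig = "$Ova.asc"
if (-not (Test-Path -LiteralPath $Sig)) { throw "Signature file not found: $Sig" }

# Check 1: SHA-512 of the OVA against the published value.
$actual = (Get-FileHash -LiteralPath $Ova -Algorithm SHA512).Hash
$wanted = $ExpectedSha512 -replace '\s', ''
if ($actual -ne $wanted) {      # -ne on strings ignores case
    throw "SHA-512 mismatch: got $actual"
}

# Check 2: OpenPGP signature. --status-fd 1 writes machine-readable status
# lines to stdout; the human-readable report still goes to the console.
$status = & gpg --batch --status-fd 1 --verify $Sig $Ova
if ($LASTEXITCODE -ne 0) { throw "gpg --verify failed (exit code $LASTEXITCODE)" }

# A valid signature produces "[GNUPG:] VALIDSIG <signing key fpr> ... <primary key fpr>".
$valid = @($status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' })
if ($valid.Count -ne 1) { throw "Expected exactly one valid signature, found $($valid.Count)" }

# The last field is the primary key fingerprint; older gpg versions omit it,
# in which case this comparison fails closed.
$primaryFpr = ($valid[0].Trim() -split '\s+')[-1]
if ($primaryFpr -ne $ExpectedFpr) {
    throw "Signed by unexpected key: $primaryFpr"
}

"OK: SHA-512 and signature both match; signed by $primaryFpr"
```

A "Good signature" line alone only proves the file was signed by some key in your keyring, which is why the script compares the fingerprint instead of trusting gpg's exit code.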

3. Import and First Boot

In VirtualBox, File → Import Appliance → point at the OVA. It creates both the Whonix-Gateway and Whonix-Workstation VMs plus an internal network called Whonix that connects them.

Start the Gateway first. Walk through the Anon Connection Wizard — for most home networks, pick "Connect" unless you are in a censored region that needs bridges. Wait for the progress bar to show "Bootstrapping done: 100%". That typically takes 60 to 120 seconds.

Now start the Workstation. Open Tor Browser from the menu. Load check.torproject.org. If it confirms Tor, you are live.

4. Publish Your First Onion Service

This is done on the Gateway, not the Workstation. SSH in or use the console:

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add:

HiddenServiceDir /var/lib/tor/my_first_onion/
HiddenServicePort 80 10.152.152.11:80
HiddenServiceVersion 3

Here 10.152.152.11 is the default Workstation IP on the internal Whonix network. Restart Tor: sudo systemctl restart tor@default. Your onion address appears in /var/lib/tor/my_first_onion/hostname.

On the Workstation, install nginx: sudo apt install nginx, drop a test index.html, and browse to your new v3 onion from any Tor Browser in the world.

5. Common Pitfalls

  • Hyper-V sneaks back on. Windows updates, WSL installs, and Docker Desktop all flip the hypervisor flag. Re-run bcdedit after every feature update.
  • Shared folders do not work. By design — they would be a de-anonymization vector. Use the clipboard sharing in Qubes-Whonix or, on standalone Whonix, move files through the internal network with scp.
  • Time drift breaks Tor. If your host clock is more than a few minutes off, the Tor consensus check fails. Whonix uses sdwdate internally — let it settle before troubleshooting anything else.
  • Do not install Guest Additions. Ever. It defeats the isolation.
  • Updates go through Tor. sudo apt update will feel slow. That is correct behavior.

Spend an afternoon here. Whonix is one of the cleanest compartmentalization tools available, and the setup pays for itself the first time you need to do any sensitive research.