Does Whonix-Gateway use the same Tor Guard?

When using multiple Whonix-Workstations (AppVMs) with stream isolated applications, e.g. Tor browser, and one Whonix-Gateway (default sys-whonix):

Are all Tor circuits different, or is the Tor Guard (entry) always the same by default?

If I use only one Whonix-Workstation (AppVM) and restart the Tor browser, is the same Tor Guard (entry) then used by default?

From my understanding this should not be the case, but I remember that I read this somewhere, therefore I want to get clarification.

Guard is a (sorta) persistent Tor entry, so the Guard won't rotate when there are different connections to Tor.

But you can do that if you use a Disposable (dispVM) Whonix GW, so that each time you open it, it will pick a different guard entry, or separate each WS with its own GW.

Note: Choosing a different guard each time can be ideal and not ideal at the same time, depending on the attacks you want to prevent against yourself.

Thus it is best if you use a different GW for each WS.

I appreciate your answer. I was not aware of this.

The Stream Isolation wiki page states: "This does not necessarily result in using a different Tor Entry Guard or Tor exit relay."

Based on your answer this statement is misguiding from my perspective, if it is defined that the Tor Entry Guard will persist for each Whonix-Gateway.

This leads me to further questions. I would appreciate if you could help me clarify them.

Does the Tor Entry Guard rotate when I ‘Restart Tor’ on the Whonix-Gateway (through Tor control panel application on sys-whonix)?

General: Why won't the Guard rotate by default when using different Whonix-Workstations? If there are some references please point me to them.

And is this behavior Whonix-specific?

Do the other Tor relays rotate by default (including Exit relay) when I am using different Whonix-Workstations and one Whonix-Gateway?

You're asking questions in the Whonix forums while this is about Tor, not Whonix.

Because the Tor developers decided to use entry guards, which don't rotate frequently, for reasons that you should be able to look up using search engines.

No. Whonix simply uses Tor.

In so far as Tor rotates these.

No, because Tor doesn’t either if you restart it.

Tor isolates streams if correctly used. Doesn’t cycle specific relays necessarily. Whonix uses Tor correctly.

3 Likes
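
As an added example (not part of any post in this thread): Tor records the guards it has sampled and confirmed as `Guard` lines in the `state` file in its data directory, which is why a restart keeps them. The Python script below diffs the confirmed guards between snapshots of that file; all snapshots, fingerprints and nicknames are constructed for illustration.

```python
# Added example: compare the guards recorded in Tor `state` snapshots.
# All snapshots are constructed sample data (placeholder fingerprints and
# nicknames); only the "Guard key=value ..." line layout follows Tor.

BEFORE_RESTART = """\
LastWritten 2024-01-10 12:00:00
Guard in=default rsa_id=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA nickname=ExampleGuardA sampled_on=2024-01-01T00:00:00 listed=1 confirmed_on=2024-01-03T00:00:00 confirmed_idx=0
Guard in=default rsa_id=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB nickname=ExampleGuardB sampled_on=2024-01-01T00:00:00 listed=1
"""

# Same file after a (constructed) Tor restart: only the write timestamp moved.
AFTER_RESTART = BEFORE_RESTART.replace("12:00:00", "12:05:00")

# A gateway that started with no prior state (e.g. a disposable one).
FRESH_GATEWAY = """\
LastWritten 2024-01-10 13:00:00
Guard in=default rsa_id=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC nickname=ExampleGuardC sampled_on=2024-01-10T00:00:00 listed=1 confirmed_on=2024-01-10T00:00:00 confirmed_idx=0
"""


def parse_guards(state_text):
    """Return one dict of key=value fields per 'Guard' line."""
    guards = []
    for line in state_text.splitlines():
        keyword, _, rest = line.partition(" ")
        if keyword == "Guard":
            guards.append(dict(t.split("=", 1) for t in rest.split() if "=" in t))
    return guards


def confirmed_ids(state_text, selection="default"):
    """Fingerprints of guards the state file marks as confirmed (already used)."""
    return {g["rsa_id"] for g in parse_guards(state_text)
            if g.get("in") == selection and "confirmed_on" in g and "rsa_id" in g}


def compare(before, after):
    """Report which confirmed guards were kept, added or dropped."""
    b, a = confirmed_ids(before), confirmed_ids(after)
    return {"kept": sorted(b & a), "added": sorted(a - b), "dropped": sorted(b - a)}


if __name__ == "__main__":
    print("restart:      ", compare(BEFORE_RESTART, AFTER_RESTART))
    print("fresh gateway:", compare(BEFORE_RESTART, FRESH_GATEWAY))
```
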

Thanks for helping me here especially as my questions were not Whonix related. I will read about this topic on Tor resources.

What could you do to rotate/change the entry guard? Maybe restart the Whonix-Gateway VM?

For me it sounds like it might be a risk that the same entry guard is used even after reconnecting to Tor. I assume this is a misunderstanding on my side.

Before trying to change the design, please study the design.

2 Likes