How to Disable IPv6 in Whonix 18?

How can I disable IPv6 in Whonix to ensure all traffic is routed through IPv4? Any specific steps for configuring both the Whonix-Gateway and the Whonix-Workstation? I’m using Whonix 18.0.8.7, and my host OS is Windows.

1 Like

On non-Qubes platforms, this isn’t supported at the moment. Disabling IPv6 in Whonix-Gateway will result in Tor failing to start, since Tor is configured to listen for IPv6 connections from the workstation. If Tor isn’t able to bind to a configured listening socket, it will refuse to run, by design.

On Qubes OS, we have the needed tooling to detect when IPv6 is disabled and fall back to IPv4-only. In theory, we could probably bring this to non-Qubes platforms also. @Patrick does that sound like a good idea?

2 Likes

If it's not supported within Whonix, then you can add a firewall VM (e.g. OPNsense or so) that only accepts IPv4, so even if it isn't disabled internally, it can't bind to IPv6 externally.

1 Like

Yes.

2 Likes

Just researched this closer, it looks like the code that autodetects when IPv6 is disabled actually does work on non-Qubes platforms. I was attempting to disable IPv6 at the kernel level, which failed. Disabling it in the network configuration works though.

  1. Boot Whonix-Gateway into sysmaint mode, then run sudoedit /etc/network/interfaces.d/30_non-qubes-whonix.
  2. Find the following lines in the file:

         iface eth0 inet6 auto

         ...

         iface eth1 inet6 static
             address fd19:c33d:88bc::10
             netmask 96

  3. Add a # symbol in front of each IPv6 configuration line:

         #iface eth0 inet6 auto

         ...

         #iface eth1 inet6 static
         #    address fd19:c33d:88bc::10
         #    netmask 96

  4. Save and close the file.
  5. Reboot Whonix-Gateway.

This should disable the “global” IPv6 link, which is what would be used for Internet traffic over IPv6. You will still have a link-local IPv6 address in the gateway, which is what VirtualBox uses to allow IPv6 DNS resolution, but this won’t (or at least shouldn’t, unless VirtualBox is poorly designed in this area) allow IPv6 connectivity to the LAN or the Internet, and Whonix-Gateway doesn’t use DNS except over Tor.

While not strictly necessary, you can also disable IPv6 on the Workstation. The Workstation won’t have IPv6 connectivity if the Gateway doesn’t offer it, but you might want to turn it off anyway as a form of defense-in-depth. The relevant file in the Workstation is /etc/network/interfaces.d/30_non-qubes-whonix (same file as in the Gateway); you’ll want to comment out this block:

iface eth0 inet6 static
    address fd19:c33d:88bc::11
    gateway fd19:c33d:88bc::10
    netmask 96

It might be possible to support disabling IPv6 at the kernel level if this isn’t sufficient. @Patrick would that be worth pursuing, or should I document this on the Wiki, probably at IPv6 support in Whonix? (Or maybe both?)

2 Likes
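
The manual edit from the post above, scripted as an added example (not part of the original posts and not Whonix project code): it comments out every "iface ... inet6" stanza together with its option lines and prints the result, leaving the input file untouched. The sample file is constructed for the demonstration; its IPv4 lines are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: comment out every "iface <name> inet6 ..." stanza in an
# ifupdown interfaces file. Output goes to stdout; the input is not modified.
comment_out_inet6() {
    awk '
        # Start of an IPv6 stanza: comment it and remember we are inside one.
        /^[ \t]*iface[ \t]+[^ \t]+[ \t]+inet6([ \t]|$)/ { in6 = 1; print "#" $0; next }
        # Any other stanza keyword ends the IPv6 stanza.
        /^[ \t]*(iface|auto|mapping|source|source-directory|allow-[^ \t]+)([ \t]|$)/ { in6 = 0 }
        # Option lines (address, netmask, gateway) of the IPv6 stanza.
        in6 && !/^[ \t]*(#|$)/ { print "#" $0; next }
        { print }
    ' "$1"
}

# Count IPv6 stanzas that are still active (0 means none remain).
count_active_inet6() {
    grep -Ec '^[[:space:]]*iface[[:space:]]+[^[:space:]]+[[:space:]]+inet6([[:space:]]|$)' "$1" || true
}

# Constructed sample file (assumption: IPv4 lines are placeholders, not the real file).
write_sample() {
    cat > "$1" <<'EOF'
auto eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

auto eth1
iface eth1 inet static
    address 10.152.152.10
    netmask 255.255.192.0
iface eth1 inet6 static
    address fd19:c33d:88bc::10
    netmask 96
EOF
}

# Demo: show the edited version of the constructed sample.
tmp=$(mktemp)
write_sample "$tmp"
comment_out_inet6 "$tmp"
rm -f "$tmp"
```

Review the printed result before copying it over the real file from sysmaint mode, and keep a backup of the original.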

Yes. Disabling IPv6 in the kernel might actually be a lot simpler than editing the network configuration.

2 Likes

Will be available in version 18.1.4.2 and above.

1 Like