How to use mullvad wireguard vpn on host, while excluding kvm whonix tor.

Hi, I’ve been at this all day, and I can’t seem to find an answer.
I’ve read through the Whonix wiki on Tunnles. I’ve read through questions on this forum as well.
But I cant seem to figure out, how to do it like a step by step guide. Is there anyone that may please help me with this.
All I want to do is be able to use my host linux (manjaro kde) with mullvad vpn for torrenting and browsing the internet, email, etc… while at the same time be able to use guest Whonix on kvm without it going through mullvad vpn on host.

We don;t document this, but we have it for Whonix Gateway.

Check this topic out for similar iptables rules:


Thank you so much @HulaHoop
Just trying to understand it a bit better. I also should have mentioned that this was for wireguard using wg-quick.

So when I do a wg show I get this output:

interface: mullvad-wg-excludewhonix.conf
    public key: (hidden)
    private key: (hidden)
    listening port: 50454
    fwmark: 0x.....

Would that mean I would do this to my mullvad-wg-excludewhonix.conf file:

PrivateKey = <privatekey>
Address =,fc00:bbbb:bbbb:bb01::3:d52a/128
PostUp = iptables -t nat -A OUTPUT -p tcp --dport 50454 -m owner --uid-owner libvirt -j ACCEPT
PostUp = iptables -t nat -A OUTPUT -p tcp --dport 50454 -m owner --uid-owner kvm -j ACCEPT
PreDown = iptables -t nat -A OUTPUT -p tcp --dport 50454 -m owner --uid-owner libvirt -j REJECT
PreDown = iptables -t nat -A OUTPUT -p tcp --dport 50454 -m owner --uid-owner kvm -j REJECT
PublicKey = <publickey>
Endpoint =
AllowedIPs =, ::/0

Because the port that showed when wg show command was executed, showed listening port 50454?

Or do I change the --uid-owner to --gid-group kvm and do another one for libvirt?

I have also done a print out of my ip address show and ip route.
Not sure if that helps, but here is the link

Password for privacytools privatebin/pastebin is whonixrocks

I did try --gid-owner kvm and --gid-owner libvirt but unfortunately, that did not work.

I have read through most of your wiki now, and I completely understand why this is not documented, etc… man you guys are smart with everything you do. I sincerely appreciate everything you do.

Was hoping there might be a chance you might please please please be able to provide an example of the correct iptables based on the similar topic from url you posted on gentoo forum, and the what info i have, and what you have not documented for whonix gateway. I’m dying to learn how this would work. Thank you again, soo much!

1 Like

Thanks for your compliments. I don’t want to imply I have the answers. My suggestion was based on a concept that would work in principle and that we have planned for Whonix Host, but it is not something we have done before or are working on right now. Try asking on Stack Exchange for more detailed answers and let us know what they say because it might help us someday.

Also when I looked at the wireguard manual it had some interesting features like routing traffic from specific namespaces only or excluding them. IIRC KVM machines have their own namespaces assigned so this might be another direction worth looking at.

1 Like