If whonix VMs are set to Immutable, then how are the Entry Guards gonna rotate? +other questions

1)In the Whonix anon-guide to have an anon OS at chapter 4 there’s the “Malware Mitigation” where we change the vms to immutable etc…
the point is: if we change those to immutable, then the entryguards set in the tor files are gonna change after those 2-3 months? what’s gonna happen?
cuz since the system is immutable the files will persist the same, and thus how are the guards gonna change if the do not change any file anywhere? (perhaps tor should be stored in the storage so it can change?)
Cuz if there’s a problem in changing Guards due to the fact of immutability of the VMs then there’s a hell of a big problem!!!

2)In the guide it’s not really written if after the chapter 4 - Malware mitigation, and the whole process etc… once it’s complete shall we still start the normal Whonix Gateway and Whonix Workstation right? I’m sure at 99,5% but since it isn’t specified in the guide, I better ask to avoid some potential problems.

3)If I want to spoof my mac address, should I do it in the Debian Host OS or in the Whonix-Gateway?

  1. If i want to install a VPN (like with GUI and not from terminal etc) should I install it on Debian Host OS or in the Whonix-Gateway?
    This last question i’m almost sure it’s already been answered, and there are explanations in the Whonix Docs page, so don’t really bother answering this particular question (quesiton #4) if you don’t feel it.

  2. Can someone send me a link or just explain to me the difference between Debian-Whonix and Qubes-Whonix ? I searched but with my poor skills didn’t find anything.

I’ll let @HulaHoop or @Patrick answer 1 & 2 re: Guards etc.

3) Re: MAC address spoofing, this answers all your questions - but most people don’t need it, unless changing physical locations.

Qubes-Whonix how-to:

Non-Qubes-Whonix how-to:


4) Re: VPNs, where you install it depends on what you are trying to achieve. See here:




Note this:

To decide the best configuration in your circumstances, consider:

  • Is it necessary to hide all traffic from the ISP? [1] Then install the VPN on the host.
  • Should the VPN provider be able to see all traffic? [1] Then install the VPN on the host.
  • Should the VPN provider be limited to seeing Tor traffic, but not clearnet traffic? Then install the VPN on Whonix-Gateway.

5) Differences between Qubes-Whonix and non-Qubes-Whonix

See here:


And here (why Qubes is more secure):


Happy reading!

1 Like

Can you plese point out where you read that?

Immutability just makes malware non-persistent and so it cleans the VM to a known good state. This can be controlled in a fine-grained way using snapshots. So simply snapshot your workstation and roll it back while not doing the same for your gateway to enable guard persistence. Its important to note that this doesn’t protect against malware exploiting bugs in the software running inside the VM so if you visit the infected site, you will end up reinfecting again.

1 Like

He’s probably talking about a third party guide by @tempest.

Main link:



It was also posted in Whonix forums back then:

Yes Patrick I was talking about that guide, Should I ask tempest to answer the first two questions? Cuz they are 99% oriented to that guide in particular…
@tempest ??

ideally you update the virtual machines every time new debian updates are available. after each time an update is installed, it is instructed that a new vm snapshot is created. updates come fairly regularly. while, yes, there is a risk that you will change entry guards upon expiration each time you boot up the vm, as soon as a new update is available and installed, and you create a new snapshot, you will have a new regular guard again.

to put it in perspective, tails currently does not implement guard nodes. issue with the “live os” aspect. while a guard node is said to have security merits, not having one is not considered so dangerous as to disuade people from using tails. for the method in the guide you used, if you create new snapshots after you’ve installed updates (without doing anything else in the virtual machines), you run the risk of not having a regular guard node for a short period of time if you use the immutable method. if your guard node has expired, as soon as you install a new update and create a snapshot, the guard node selected at that time will become your new guard node going forward.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]