  1. When setting up Whonix (non-Qubes) in VB, for the Gateway, there are two adapters that are checked. Adapter 1 is set to NAT and Adapter 2 is set to Internal Network. Other options for networks are Bridged Adapter, Host-only Adapter, Generic Driver, NAT Network, Cloud Network, and Not attached. I read up on what these options are on the VB website, but I still have some questions. What is the best option for privacy and anonymity? Is NAT or NAT Network the best option?

  2. The NAT option requires the VB software itself to have outbound internet access on the host OS. The firewall I have on my host OS alerts me that I need to approve or deny this connection. If I deny it, TOR doesn’t connect in the Gateway VM, which causes no internet connection on the Workstation VM. I am running a VPN on my host OS. So my question is, does the ISP see TOR (even though I am connected to a VPN first on the host OS) whenever VB needs internet access through the firewall, or does it see VPN traffic?

  3. If TOR is stopped on the Gateway VM, is it possible to have internet access through the host OS VPN that is running, and using this on the Workstation VM? If this works, I assume that internet browsing would work on the Workstation VM, and sites like IPLEAK would show the IP of the host OS’ VPN that is running, and not a TOR IP. Wouldn’t this require a different network setup instead of NAT? Because on the NAT setting for the Gateway VM (for Adapter 1), if TOR is stopped, there is no internet access on the VM, e.g. no internet on the Workstation VM.

  4. How can I set up a VPN → VPN → TOR connection? Would the second VPN need to be running on the Gateway VM or the Workstation VM? I read that it would need to be on the Gateway VM, but I’m not sure if this would result in VPN → TOR → VPN, which I don’t want.

Thanks a bunch!

Defaults are safe. Users are expected to keep them as is.

Playing with these settings is discouraged and unsupported.

Whonix-Workstation Security - Whonix chapter Add a NAT Adapter / Updates without Tor

No issues here. Works as expected.

This is unspecific to Whonix.

You can easily confirm that by using non-Whonix VMs.


Feel free to test this.
No Whonix-Gateway running (or Tor stopped) results in no networking for Whonix-Workstation whatsoever.

This has even been documented as a leak test for many years:
Leak Tests chapter Leaks through the host or VM

Set up a VPN on the host operating system.


Set up a VPN on the host operating system and inside Whonix-Gateway.

See documentation on the topic. Starts here:

Certainly not. That would result in TOR → VPN, which you said: