It can be tested as documented. Users should not navigate to Dev/onion-grater wiki page except for the purpose of curiosity, learning.
The wiki page is whonix.org/wiki/Dev/onion-grater. Dev means developer.
The mininav title is:
onion-grater (Developer)
The introduction text is;
onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands - Design Documentation
Maybe design is unclear and should be replaced by developer.
This feature is unsupported due to the technical complexities of developing this feature. (onion-grater-merger versus onion-grater.)
Developer documentation isn’t as frequently updated as user documentation. Developer documentation can be hard to understand, lack context, have a “lost at hello” effect. Little effort is made to make it laymen friendly.
There’s only 1 “real” onion-grater configuration file:
/etc/onion-grater.d/30_autogenerated.yml
And it has only 1 hosts: directive. It’s auto generated based on snippets in /etc/onion-grater-merger.d. onion-grater does not have multiple hosts: support.
There is no feature “this hosts for that VM, another hosts for another VM”. There is only 1 global hosts for all incoming connections. onion-grater has been originally developed by Tails, not Whonix. It primarily serves the threat model of Tails. To keep the delta low, this feature hasn’t been implemented due to maintainability concerns.
Also:
Tor’s control protocol will be completely re-designed in Arti. Therefore there’s not the time now to make big changes in onion-grater.
What you’re asking for is not even something developers themselves are using.
And even if this feature did exist, it could be circumvented until connections between Whonix-Gateway and Whonix-Workstation are authenticated in Non-Qubes-Whonix. More information: