Why Choosing the Right VPN for Whonix Matters
Whonix is a security- and privacy-focused Debian derivative featuring two VMs: the Gateway (handling Tor) and the Workstation (isolated user environment). It uses the APT package manager, often runs lightweight desktop environments such as XFCE or KDE Plasma, and strictly forces all traffic through Tor. Any VPN you add must respect this isolation model, integrate cleanly with apt, and avoid IPv6 or DNS leaks that could deanonymise you.
Ideal candidates for Whonix will offer:
- Command-line or lightweight Linux clients installable via APT or .deb packages
- Perfect forward secrecy and strong AES/GCM encryption
- No-logs policies and robust privacy audits
- Built-in kill switches or firewall integration to prevent traffic outside Tor
- Support for OpenVPN and/or WireGuard (CLI)
- Port forwarding or obfuscation for advanced Tor VPN setups
Top VPN Recommendations for Whonix
After extensive testing on Whonix Gateway, these providers stood out for stability, transparency and technical compatibility:
- Mullvad VPN – OpenVPN/WireGuard CLI, strong privacy roots, port forwarding
- ProtonVPN – Deb repository, built-in kill switch, IPv6 leak protection
- Private Internet Access – .deb/CLI support, OpenVPN/WireGuard, port forwarding and advanced configuration options
Comparison Table
| Provider | Linux Install | Protocols | Tor-over-VPN | Kill Switch | Port Forwarding | Server Network |
|---|---|---|---|---|---|---|
| Mullvad VPN | .deb package / CLI | OpenVPN, WireGuard | Yes | Systemd-based | Yes | ~900 servers in 40 countries |
| ProtonVPN | APT repository, CLI | OpenVPN, WireGuard | Yes | Integrated | No | 1 900 servers in 60 countries |
| Private Internet Access | APT / .deb package, CLI | OpenVPN, WireGuard | Yes | Integrated | Yes (on supported servers) | 12 000+ servers in 90+ countries |
Detailed Setup Guides
Mullvad VPN on Whonix Gateway
Mullvad offers a simple Debian package and WireGuard support. We’ll install via APT and configure WireGuard in the Gateway VM.
1. Install the Mullvad .deb
```shell
wget https://mullvad.net/download/app/deb/latest -O mullvad.deb
sudo dpkg -i mullvad.deb
sudo apt-get install -f
```
2. Enable and Configure WireGuard
- Log in to your Mullvad account to generate a WireGuard config file (e.g. wg0.conf).
- Copy it to /etc/wireguard/wg0.conf.
```shell
sudo mv wg0.conf /etc/wireguard/
sudo chmod 600 /etc/wireguard/wg0.conf
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
3. Verify Tunnel and Firewall
```shell
sudo wg show
sudo iptables -L -v   # Ensure only wg0 is allowed out
```
ProtonVPN via APT on Whonix Gateway
ProtonVPN’s official repository simplifies updates and provides a CLI tool that integrates a kill switch and DNS leak protection.
1. Add the ProtonVPN Repository
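```shell
sudo apt-get update
sudo apt-get install -y gnupg2 curl
# Fetch the repository signing key and add it to APT's trusted keys
curl -fsSL https://repo.protonvpn.com/debian/public_key.asc | sudo apt-key add -
# Register the repository, then refresh the package index
echo "deb https://repo.protonvpn.com/debian stable main" | sudo tee /etc/apt/sources.list.d/protonvpn.list
sudo apt-get update
```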
2. Install the CLI and Authenticate
```shell
sudo apt-get install -y protonvpn-cli
protonvpn-cli login yourusername
```
3. Connect with Kill Switch
```shell
protonvpn-cli c --sc   # Connect with secure core and kill switch
protonvpn-cli s        # Show connection status
```
Private Internet Access with OpenVPN on Whonix Gateway
Private Internet Access (PIA) doesn’t require a heavy GUI to work with Whonix. Instead, you can use its OpenVPN configuration files directly on the Gateway VM to keep everything scriptable and auditable.
1. Install OpenVPN
```shell
sudo apt-get update
sudo apt-get install -y openvpn
```
2. Download and Deploy Config Files
- From your PIA account area, open the OpenVPN configuration generator and download the Linux configuration bundle (usually a .zip with multiple region files).
- Extract the archive and pick a server file, for example pia-germany-frankfurt.ovpn.
- Copy and rename it into OpenVPN’s config directory so it runs as a service:
```shell
sudo mv pia-germany-frankfurt.ovpn /etc/openvpn/pia.conf
sudo chmod 600 /etc/openvpn/pia.conf
```
If your file requires username/password authentication, create an auth file (e.g. /etc/openvpn/pia-auth) and reference it from pia.conf via auth-user-pass pia-auth.
3. Start OpenVPN Service
```shell
sudo systemctl enable openvpn@pia
sudo systemctl start openvpn@pia
sudo systemctl status openvpn@pia
```
4. Harden with Whonix Firewall
Ensure the VPN tunnel is the only outbound interface by adding rules in /etc/whonix_firewall.d/30_user.d/50_pia.rules:
```
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j DROP
```
Then reload:
```shell
sudo whonix_firewall_reload
```
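To confirm that the loaded OUTPUT chain really enforces tunnel-only egress, the following added example (not from the original guide or any provider) audits text in `iptables -S OUTPUT` format. The function name `audit_output_rules`, its verdict strings and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit `iptables -S OUTPUT` text
# for a tunnel-only egress policy. Reads rules on stdin and prints a verdict:
#   ok pinned=N | no-tunnel-accept | no-drop | leak:<rule>
audit_output_rules() {
    tun="${1:-tun0}"    # tunnel interface; tun0 matches the rules above
    awk -v tun="$tun" '
        # Value following a flag, prefixed with "!" when the flag is negated.
        function val(flag,   i) {
            for (i = 3; i <= NF; i++)
                if ($i == flag) return ($(i-1) == "!" ? "!" : "") $(i+1)
            return ""
        }
        $1 == "-P" && $2 == "OUTPUT" { policy = $3; next }
        $1 != "-A" || $2 != "OUTPUT" { next }
        dropped { next }   # rules after the catch-all drop never see egress
        {
            o = val("-o"); d = val("-d"); t = val("-j")
            if (t == "ACCEPT") {
                if (o == tun) accept_tun = 1
                else if (o == "lo") next
                else if (d != "" && d !~ /^!/) pinned++   # destination-pinned
                else if (leak == "") leak = $0            # unrestricted bypass
            } else if ((t == "DROP" || t == "REJECT") && d == "" &&
                       (o == "" || o == ("!" tun))) {
                dropped = 1
            }
        }
        END {
            if (leak != "") print "leak:" leak
            else if (!accept_tun) print "no-tunnel-accept"
            else if (!dropped && policy != "DROP") print "no-drop"
            else print "ok pinned=" (pinned + 0)
        }'
}

# Constructed sample in `iptables -S OUTPUT` format: the two rules from this
# step plus a stray eth0 ACCEPT that would let DNS bypass the tunnel.
sample='-P OUTPUT ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT ! -o tun0 -m addrtype ! --dst-type LOCAL -j DROP'
printf '%s\n' "$sample" | audit_output_rules tun0
# On a live system: sudo iptables -S OUTPUT | audit_output_rules tun0
```

A `pinned` count above zero means ACCEPT rules restricted to a specific destination exist ahead of the drop; review each one by hand.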
Conclusion
Integrating a VPN into Whonix requires care to maintain the Tor-only traffic model. Mullvad, ProtonVPN and Private Internet Access excel in CLI support, strong crypto choices and no-logs policies. Follow the steps above within your Whonix Gateway VM to achieve an extra layer of protection without compromising anonymity.