[Whonix](https://www.whonix.org)-like setup with a [libvirt](https://libvirt.org) workstation and a [podman](https://podman.io) container as the [Tor](https://torproject.org) gateway.
## What are the advantages of this project over the original Whonix?
Whonix uses one VM for the workstation and another VM for the Tor gateway. This can be costly in terms of performance and resource usage. TorVirt improves on this by running the gateway in a lightweight container instead of a full VM.
Containers share the same kernel as the host. This means that if someone manages to exploit a bug in software present in the container (such as the tor daemon) and then uses a vulnerability in the kernel, they could gain access to the host's operating system. To mitigate this risk, some measures have been put in place:
- The gateway container is created using podman in rootless mode
- The container runs with all capabilities dropped (`--cap-drop=ALL`)
- Container processes cannot gain additional privileges (`--security-opt=no-new-privileges`)
- The entry point is executed with normal user privileges
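As an added example (not TorVirt's own scripts), the following POSIX shell functions start the gateway container with the flags listed above and then verify, from the container's own `/proc`, that the capability set is actually empty and `no_new_privs` is in effect. The image name `torvirt-gateway` and the unprivileged UID 1000 are assumptions; attaching the container to the libvirt network is left out.

```shell
#!/bin/sh
# Added example, not part of TorVirt. Image name "torvirt-gateway" and UID 1000
# are assumed placeholders. Run as an ordinary user: rootless podman needs no sudo.

# Launch the gateway with every capability dropped, privilege escalation blocked
# and the entry point running as an unprivileged user (here via --user; an
# image's USER directive achieves the same).
start_gateway() {
    podman run -d --name torvirt-gateway \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --user 1000:1000 \
        "${1:-torvirt-gateway}"
}

# Read a /proc/<pid>/status document on stdin. Succeed only if the effective
# capability mask (CapEff, a 64-bit hex string) is all zeros and NoNewPrivs is 1.
check_status() {
    awk '
        /^CapEff:/     { cap = $2 }
        /^NoNewPrivs:/ { nnp = $2 }
        END {
            if (cap == "" || nnp != "1") exit 1
            if (cap ~ /[^0]/) exit 1    # any non-zero nibble: a capability survived
            exit 0
        }'
}

# Inspect PID 1 (the entry point) of a running container by name.
check_container() {
    podman exec "$1" cat /proc/1/status | check_status
}

# Constructed /proc/1/status excerpts for offline testing, not captured output.
HARDENED_STATUS='Name: tor
Uid: 1000 1000 1000 1000
CapEff: 0000000000000000
NoNewPrivs: 1'

DEFAULT_STATUS='Name: tor
Uid: 0 0 0 0
CapEff: 00000000a80425fb
NoNewPrivs: 0'

# Returns 0 when the hardened sample is accepted and the default one rejected.
selftest() {
    printf '%s\n' "$HARDENED_STATUS" | check_status || return 1
    if printf '%s\n' "$DEFAULT_STATUS" | check_status; then return 1; fi
    return 0
}
```

With a container running, `check_container torvirt-gateway` exits non-zero if either guarantee is missing, which makes it usable as a post-start health check.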
The risk on the workstation side depends on the guest OS, on the hypervisor used and on the interactions between the host and the VM (filesystem sharing, hardware passthrough, etc.).
You can create the workstation VM any way you like, with any OS, but you must select *torvirt* as the network. You can use the [virt-manager](https://virt-manager.org) GUI to do this easily.