dockernymous: create a whonix like gateway/workstation environment

Dockernymous is a start script for Docker that runs and configures two individual Linux containers in order act as an anonymization workstation-gateway set up. It’s aimed towards experienced Linux/Docker users, security professionals, and penetration testers!

The gateway container acts as an Anonymizing Middlebox (see and routes ALL traffic from the workstation container through the Tor Network.

The idea was to create a whonix-like setup (see that runs on systems which aren’t able to efficiently run two hardware virtualized machines or don’t have virtualization capacities at all.


Warning: Dockernymous is in a very early stage of development. Only use it for educational purposes. DON’T use it if you rely on strong anonymity!



I completely changed the overall function logic of the script hence there are improvements in usability and stability. The look of the menu was improved.

These NEW functions were added:

  1. Option to keep the containers running and restore them later: You now have the choice to keep the containers running on exiting. This, of course, will speed up the start time of the whole script. For privacy reasons I keep the containers “self-destroyable”, so if you manually stop them or reboot your system they are gone nevertheless.
  2. (Re)start TOR from the menu
  3. Stop TOR from the menu


1. Host

To clone the dockernymous repository type:

git clone

Dockernymous needs an up and running Docker environment and a non-default docker network. Let’s create one:

docker network create --driver=bridge --subnet= docker_internal

2. Gateway (Alpine):

Get a lightweight gateway Image! For example Alpine:

docker pull alpine

Run the image, update the package list, install iptables & tor:

docker run -it alpine /bin/sh
apk add --update tor iptables iproute2

Feel free to further customize the gateway for your needs before you exit.

To make this permanent you have to create a new image from the gateway container we just set up. Each time you run dockernymous a new container is created from that image and disposed on exit:

docker commit [Container ID] my_gateway

Get the container ID by running:

docker ps -a

3. Workstation (Kali Linux):

Get an image for the Workstation. For example, Kali Linux for penetration testing:

docker pull kalilinux/kali-linux-docker

Update and install the tools you would like to use (see

docker run -it kalilinux/kali-linux-docker /bin/bash
apt-get update
apt-get dist-upgrade
apt install kali-linux-top10

Make sure the tightvncserver and curl packages are installed which is the case with most Kali metapackages.

apt-get install tightvncserver
apt-get install curl

Install xfce4 for a minimal graphical Desktop:

$ apt-get install xfce4 
$ apt-get clean
$ exit

As with the Gateway, to make this permanent you have to create an image from that customized container. Each time you run dockernymous a new container is created and disposed on exit.

$ docker commit [Container ID] my_workstation

Get the container ID by running:

$ docker ps -a

4. Run dockernymous In case you changed the names for the images to something different (defaults are: “docker_internal” (network), “my_gateway” (gateway), “my_workstation” (you guessed it)) open with your favorite editor and update the actual names in the configuration section.

Everything should be set up by now, let’s give it a try! Run Dockernymus (don’t forget to ‘cd’ into the cloned folder):


or mark it executable once:

chmod +x

and always run it with: