Build Documentation: Physical Isolation
From Whonix
< Dev | Build Documentation(Redirected from Dev/Build Documentation/Physical Isolation/12)
Warning: It is essential to read the Security and Support Status, Warnings and First time user entries in conjunction with this chapter.
Warning: There is build issue with version
15.0.1.3.4-stable
for physically isolated builds. [1] 15.0.1.4.0-testers-only
was reported [archive] to be functional.
Introduction[edit]
Basic[edit]
A supported platform that can run Whonix ™. There are also others.
See also Physical Isolation #Security and Support Status.
The following instructions are for Non-Qubes-Whonix ™. For Qubes-Whonix ™ see:
https://forums.whonix.org/t/physical-isolation-is-back-qubes-whonix-style [archive]
Technical Introduction[edit]
When setting up Whonix ™ in the form of two Virtual Machines running on the same physical host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the IP of a user. Malware running on the host has full control over all VMs. To protect such attacks we need a different approach: In this context we called it Physical Isolation, because the gateway system is installed on separate hardware. This drastically reduces the TCB[2] by more than the half.
In total we'll be installing and configuring two computers and set up an isolated point to point network between them (you could also set up a an ordinary, completely isolated, LAN behind the Whonix-Gateway ™). One computer acts as the client or "Whonix-Workstation ™", the other as a proxy or "Whonix-Gateway ™" which will transparently route all of the Whonix-Workstation ™ traffic through Tor.
The Whonix-Gateway ™ on its own physical device can either run directly on hardware or inside a virtual machine. Both options have advantages and disadvantages. We recommend to use no additional Virtual Machine for the Whonix-Gateway ™.
The Whonix-Workstation ™ should always be installed in a Virtual Machine: A VM hides hardware serial numbers. See also Recommendation to use multiple VM Snapshots.
The host operating system(s) should only be used for downloading operating system updating, hosting Whonix-Gateway ™ or Whonix-Workstation ™ and nothing else.
Bonus points if the physical systems are exclusively used for hosting Whonix ™, or if storage devices are separated for Whonix ™ and non-Whonix ™ use cases, to avoid a Whonix ™ hard drive getting infected by a another operating system.
First time user?[edit]
- If you do not know what metadata or a man-in-the-middle attack is.
- If you think nobody can eavesdrop on your communications because you are using Tor.
- If you have no idea how Whonix works.
Then read the Design and Goals, Whonix ™ and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix is the right tool for you based on its limitations.
Warnings[edit]
WARNING: Less tested than VM builds. Needs your help for more rigid testing!
WARNING: Instructions are difficult. Only advanced Linux users can understand them.
WARNING: Dev/Build Anonymity has not been considered for this article.
WARNING: Do also read the warnings in the latest build instructions for VM images. Some of them, Don't add private files to Whonix ™ source code folder! and Check if the OpenPGP public keys are still up to date. also applies to the physical isolation page.
WARNING: This article currently lacks information about Whonix-Gateway ™ and Whonix-Workstation ™ MAC address. See also:
WARNING: Joanna Rutkowska [archive], security researcher, founder and developer emeritus of Qubes OS [archive] has completed a research paper comparing the security of software compartmentalization vs. physically separated computers [archive] (pdf). It concluded that in some cases, notably for specific, desktop-related workflows, Physical Isolation might be less secure than Qubes' compartmentalized approach. (See also: Qubes-Whonix ™.)
Using spare hardware + Virtual Machine[edit]
Advantages:
- You can install a graphical host.
- Use the Whonix ™ download version.
- You can use the graphical network manager on the host, for example to connect to WiFi.
- You can setup easily a VPN on the host. Tor will be tunneled through the VPN.
Disadvantages:
- Higher attack surface, because the Virtual Machine code get's involved.
Using spare hardware without Virtual Machine[edit]
Advantages:
- More secure, because less code is involved.
Disadvantages:
- Slightly more complicated setup
- More difficult to set up VPN
- More difficult to set up 3G networking compared to using a Windows host
Hardware[edit]
General[edit]
We recommend that you use two dedicated computers for Whonix ™ that are never used for activities that could lead back to your identity. Alternatively you can use an already existing and otherwise used computer for the Whonix-Gateway ™. To offer some isolation you should disconnect all internal and external drives and boot from a eSATA, USB or another internal drive into a clean environment.
non-anonymous use[edit]
- non-anonymous box (leave it as it is, like you want)
- non-anonymous home dial up internet router (leave it as it is, like you want)
anonymous use[edit]
- Whonix-Gateway ™
- This really does not have to be a big desktop computer or ordinary server. There are alternatives.
- smartphone [3],
- UMPC[4]
- pad, tablet,
- notebook, netbook,
Raspberry Pi[5]: needs contributor, development thread [archive]- router [6],
- set top box,
- etc.
- how to utilize such a device as a linux server is beyond the scope of this guide, there are already better resources
- anonymous 3G modem (see below) or anonymous wifi adapter (see below)
- Whonix-Workstation ™
- You get the idea. Use a device which suits you.
Before installing[edit]
Read and apply the Pre-Installation Security Advice.
Prerequisites[edit]
- System Requirements
- Whonix-Gateway ™: A device with at least two network adapters, at least one of them ethernet [7], capable of running Linux. It will run Debian. [8]
- Whonix-Workstation ™: A device connected via ethernet to the Whonix-Gateway ™. It must only have this one NIC and no other network connectivity! Must be connected by wire.[9] This will be the torified client system or Whonix-Workstation ™. It must be capable of running Debian.[10]
- We recommend to use a VM as the client, the same Whonix-Workstation ™, that most non Physical Isolation users use. [11] [12] [13]
- Host build environment has a working internet connection to Debian mirrors.
- Optionally, it would be useful, if you knew how to open a second virtual console.
Host Preparation[edit]
- You need to build on Debian buster. (How to obtain Debian safely: [14]) [15]
- It is recommended to set your terminal (for example Konsole) to unlimited scrollback, so you can watch the full build log.
- Install build dependencies and get the source code.
Update the package lists.
sudo apt-get update
Install build dependencies.
sudo apt-get install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev
System Preparation[edit]
- Debian
buster
installed. - User account
user
exists.
Become root. [16]
su
Install sudo and adduser.
Install sudo adduser
.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the sudo adduser
package.
Using apt-get
command line parameter --no-install-recommends
is in most cases optional.
sudo apt-get install --no-install-recommends sudo adduser
The procedure of installing sudo adduser
is complete.
The following commands need to be run either by root or use sudo
.
Create group console
.
addgroup --system console
Add user user
to group console
.
adduser user console
Add user user
to group sudo
.
adduser user sudo
Reboot.
reboot
How To Install Whonix-Gateway ™ on the Raspberry Pi 3 B (RPI3)[edit]
- Contributor of
How To Install Whonix-Gateway ™ on the Raspberry Pi 3 B (RPI3)
: Algernon [archive] - Forum discussion: Whonix ™ for arm64 / Raspberry Pi ( RPi ) [archive]
Get the source (see below).
From inside the Whonix ™ source folder run:
sudo ./whonix_build --target raw --flavor whonix-gateway-rpi --build --arch arm64 --kernel linux-image-arm64 --headers linux-headers-arm64
After a succesful build burn the whonix_gw_rpi.img
to a micro SD card using gnome-disk-utility.
- Within gnome-disk-utility select the SD card.
- At the top panel select options (next to the poweroff button).
- Click restore disk image and choose the respective file.
- Click start restoring and wait until it is finished.
- Put the SD card into the RPI3, attach an HDMI monitor, an USB-ethernet adapter as well as a keyboard and boot it.
After login run:
sudoedit /etc/network/interfaces.d/30_non-qubes-whonix
and change the address and the gateway of eth0 corresponding to your local network / upstream router. As an example our ISP router uses 192.168.0.1/24 for the internal network. The settings of eth0 would look like the following:
auto eth0 iface eth0 inet static address 192.168.0.11 netmask 255.255.255.0 gateway 192.168.0.1
By default eth0 is the native ethernet connection of the RPI3. Hence, connect a network cable from there to your router. eth1 is the USB-ethernet adapter which should also be connected via cable to the computer running the workstation.
Since the RPI3 is lacking a real time clock you need to set the date manually to the current UTC time. Example:
sudo date -s "09 NOV 2019 17:00:00"
Run:
sudo service networking restart
and
sudo service tor restart
to connect to the Tor network. Depending on your hypervisor you need to change network settings on the Workstation in order to connect it to the gateway (see below).
How To Install Whonix-Gateway ™ on Hardware (RECOMMENDED)[edit]
Get Debian[edit]
Download a Debian buster 32 bit installation iso. Detailed instructions doing so are unfortunately not part of this guide. However, the Debian page contains some help.
You can choose iso of any desktop environment (KDE, LXDE, Xfce, ...) but since you'll be using the command line, Debian buster network install (netinst) version is recommended (it is the most minimal).
(You could also use a Debian buster 64 bit installation iso, these instructions should also work, but it is less tested.)
Install Debian[edit]
In the installer boot menu of Debian buster press "Install" and choose following settings:
Select a language: English Select your location: United States Configure the keyboard: (select yours) Hostname: host Domain name: (empty) Root password: (set up a strong password) Full name for the new user: user Username for your account: user Password for the new user: (choose a good password, different from root password) Partitioning method: Guided - use entire disk (it is a good idea to set up cryptsetup encrypted LVM at this point) Partitioning scheme: All files in one partition (select the listed device in the next step) Partition disks/overview: Finish partitioning Write changes to disk: Yes Debian archive mirror country: Go back Continue without a network mirror: Yes Use a network mirror: No Participate in the package usage survey: No Software selection: None; deselect all options (using Space) Install the GRUB boot loader: Yes (select the listed device in the next step) Finish the installation: Continue
OPTIONAL.
If you are interested in seeing a visual walk-through of the minimal installation of Debian buster, click on Expand on the right.
In the menu select "Install"
Set language as English.
Set location as United States.
Select your keyboard.
Installing additional content.
Network will auto-configure (hopefully).
Set the hostname to "host".
Leave the domain name empty.
Pick a strong root password.
Reenter the password.
Full name should should be "user".
Username should also be "user".
Enter a strong user password.
Reenter the password.
Network time procedure.
Use a guided partitioning method with the whole disk (FDE is a good idea if you plan to use physical isolation or as your main system).
Select the suggested disk.
Partition all files in one partition.
Finish partitioning.
Confirm the changes.
It takes a few minutes to get the base system installed.
We don't need any extra packages so don't select a mirror, "Go back".
Confirm that you want to continue without a mirror.
Configuring apt.
"No thanks" to survey participation.
Deselect (no star) the given option (using Space).
Install GRUB.
Select your disk.
Finishing the installation.
Done! The system will reboot.
OS screen.
Login screen.
OPTIONAL - CUSTOMIZING FULL DISK ENCRYPTION
If you are interested in configuring a custom encryption algorithm to enhance security during the minimal installation of Debian buster, click on Expand on the right.
1. Under "Partitioning method", select Manual
2. Select the disk you are installing to and press enter, then select <Yes> to create a new empty partition table.
3. Select the "FREE SPACE" of the drive you are installing to, press Enter, "Create a new partition" should already be selected; press Enter again.
4. Now create a boot partition. This is the unencrypted partition your system boots from. The standard is 254.8 MB. Type "254.8 MB" (without the quotes) and press Enter.
5. Under "Type for the new partition:", Primary should already be selected, press Enter again; Under "Location for the new partition: "Beginning" should already be selected, press Enter again to go to the Partition settings screen.
Use the following settings for your boot partition:
Use as: Ext2 file system Mount point: /boot Mount options: noatime Label: none Reserved blocks: 5% Typical Usage: standard Bootable flag: on
Then select "Done setting up the partition" and press Enter, you will be brought back to the main partitioning menu.
6. Select "Configure encrypted volumes" and press Enter, then select <Yes> when asked to write the changes to disk and configure encrypted volumes.
7. Create encrypted volumes should already be selected, press Enter and select the free space of the drive you are installing to by pressing the spacebar, then select <Continue> and press Enter again. Additional components will load, then you will be brought to the configuration page for your encrypted partition. Here you can customize your encryption settings.
Use as: physical volume for encryption Encryption method: Device-mapper (dm-crypt) Encryption: twofish [Recommend "twofish" and "serpent" as alternatives. "Serpent" is the slowest and only recommended if you have a fast system (and a fast drive), as it creates a lot of system overhead. "Twofish" is an algorithm created by Bruce Schneier, and is a lot faster, computationally-speaking. For most use-cases, "twofish" should be sufficient as an alternative algorithm] Key size: 256 (leave as-is) IV algorithm: xts-plain64 [for most use-cases, xts-plain64 should be sufficient. Do not change this unless you know what you are doing. You could inadvertently create a security hole] Encryption key: Passphrase (leave as-is) Erase data: yes (this will wipe the partition) Bootable flag: off
8. After you have completed your configuration, select "Done setting up this partition", and press Enter, then select <Yes> and press enter to write the changes to disk, then on the next screen select "Finish", and press Enter.
9. It is highly recommended that you erase the partition before you continue. Please note this may take a while for large drives. If you have already securely wiped your device before starting this installation, you can skip this step. To erase the partition, select <Yes> and press enter.
10. Choose a strong password. This password should be at LEAST 26 characters, including symbols. Remember: the stronger your password, the stronger your encryption. The weaker the password, the weaker your encryption. After entering your password and confirming it, you will be brought back to the main partitioning menu.
11. Under your new "Encrypted volume" (which should be at the top of the list), highlight the partition that was just created under it (it should say ext4), and press Enter. Under "Use as:", change this to "physical volume for LVM", and press Enter, then select "Done setting up the partition", and press Enter again to be brought back to the main partitioning menu.
12. Now select "Configure the Logical Volume Manager" and press Enter.
13. Highlight "Create volume group", and press Enter. Under "Volume group name:", enter HOST_VG, and press Enter.
14. Use the spacebar to select your encrypted partition, then select <Continue> and press Enter.
(Optional) SWAP USERS: O1. Now create your swap partition. Highlight "Create logical volume" and press Enter, then select HOST_VG and press Enter again. Type SWAP, press Enter. O2. Enter your volume size (2.5 GB is usually a good standard size for most systems) then select <Continue> and press Enter.
15. Highlight "Create logical volume" and press Enter, then select HOST_VG and press Enter again. Type ROOT, press Enter.
16. Under the "Logical volume size:", your entire volume should already be displayed, press Enter again.
17. Highlight "Finish", then press Enter to be brought back to the main partitioning menu.
18. You should see your new partition for ROOT displayed on this screen [LVM VG HOST_VG, LV ROOT - xxx.x GB Linux device-mapper (linear)]. Select the partition underneath the heading and press Enter
19. Change "do not use" to the filing system of your choice. Ext4 is good for most installations. XFS is more suitable for filesystems on top of encryption and is more robust with better performance. For the purposes of this documentation, the following configuration is provided:
Use as: XFS journaling file system Mount point: / Mount options: defaults Label: none
20. Once you're done, select "Done setting up this partition", and press Enter to return to the main partitioning menu.
(Optional) SWAP USERS: O1. You should see your new partition for SWAP displayed on this screen [LVM VG HOST_VG, LV SWAP - 2.5 GB Linux device-mapper (linear)]. Select the partition underneath the heading and press Enter. O2. Change "do not use" to "swap area", and press Enter. Then select "Done setting up the partition" to return to the main partitioning menu.
21. Highlight "Finish partitioning and write changes to disk" and press Enter, then select <Yes> when asked to confirm the changes. Your installation will continue automatically.
Network Configuration[edit]
The external interface (usually eth0) may need to be configured according to the requirements of your local network, e.g. static or simply left to use dhcp if the gateway is connected to a dhcp capable router. For wlan follow the upstream documentations: debian wiki [archive], Ubuntu help [archive].
Make sure the internet is working.
Logon and upgrade Debian[edit]
Logon, install all security updates and reboot.
Login with "root"
Add a new repository source.
echo "deb http://ftp.us.debian.org/debian buster main" >> /etc/apt/sources.list
Add a new repository source. TODO: Is this needed?
echo "deb http://security.debian.org buster/updates main" >> /etc/apt/sources.list
Refresh package lists and upgrade.
apt-get update && apt-get dist-upgrade -y
Firmware Updating and Security Problems[edit]
As per Firmware_Security_and_Updates#Firmware_Updating_and_Security_Problems.
Update the package lists.
sudo apt-get update
For Intel.
sudo apt-get install intel-microcode
For AMD.
sudo apt-get install amd64-microcode
Preparation[edit]
Install sudo and git. [17]
## Install "sudo" and git. apt-get install sudo git -y
You must build as user "user" and that user must be a member of the "sudo" group. Rebooting applies the changes.
## Add "user" to "sudo" group addgroup user sudo ## Reboot the system shutdown -r now ## (host) login with "user" user
Optional:
You may want to take an image of your installation in case the build script fails in the middle.
Get the Source Code[edit]
Get the Signing Key[edit]
This step is recommended for better security, but is not strictly required. (See Trust)
Get the Source Code[edit]
By proceeding, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.
Install git.
sudo apt-get update && sudo apt-get install git
Get source code including git submodules. [18]
git clone --depth=1 --branch 15.0.1.5.4-stable --jobs=4 --recurse-submodules --shallow-submodules https://gitlab.com/whonix/Whonix.git
Shift to the source folder.
cd Whonix
OpenPGP Verify the Source Code[edit]
This chapter is recommended for better security, but is not strictly required.[19]
Change directly into source code folder.
cd Whonix
Git fetch. [20]
git fetch
Verify the chosen tag to build. Replace with tag you want to build.
git verify-tag 15.0.1.5.4-stable
The output should look similar to this.
object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag 15.0.1.5.4
tagger Patrick Schleizer <adrelanos@whonix.org> 1392320095 +0000
.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@whonix.org>" [ultimate]
Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2020 and now see a signature from 2019, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [21]
The warning.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Is explained on the Whonix Signing Key page and can be safely ignored.
By convention, git tags should point to signed git commits. [22] (forum discussion [archive]) It is advisable to verify the signature of the git commit as well (replace 15.0.1.5.4
with the actual git tag being verified).
git verify-commit 15.0.1.5.4-stable^{commit}
The output should look similar to this.
commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@whonix.org>" [ultimate]
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Dec 7 01:22:22 2014 +0000
.
Choose Version[edit]
Retrieve a list of available git tags.
git --no-pager tag
Use git checkout to select the preferred version to build.
git checkout --recurse-submodules 15.0.1.5.4-stable
Replace 15.0.1.5.4-stable
with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. Follow the Whonix ™ News Blog as it might contain information.
Check if you really got the version you want.
git describe
Should show:
15.0.1.5.4-stable
Check if source folder is pristine.
git status
Should show nothing.
HEAD detached at 15.0.1.5.4-stable
nothing to commit, working tree clean
If it shows something else, do not continue.
Optional Build Configuration[edit]
See also Optional Build Configuration.
Network Verification[edit]
Before running the whonix_build script make sure eth1 and eth0 refer to the correct interfaces.
## May be helpful. dmesg | grep eth
If you are using non-default network interface names, please click on Expand on the right.
Should be doable using non-default network interface names as well. Not as easy. Not fully documented. Untested.
One way would be to figure out how to change a network interface name such as wlan0
to eth0
.
Otherwise you could consider to change the network interface names in the configuration files. To find the components that require configuration changes in the Whonix ™ source folder, the following commands may be helpful. Should be really only a very few files. We used variables for eth0 and eth1 wherever possible.
exclude="--exclude=README.md --exclude=control --exclude=changelog.upstream --exclude-dir=.git --exclude-dir=whonix-developer-meta-files --exclude-dir=build-steps.d --exclude-dir=qubes-whonix"
grep $exclude -r eth0 ~/{{project_name_short}} grep $exclude -r eth1 ~/{{project_name_short}}
grep -l $exclude -r eth0 ~/{{project_name_short}} grep -l $exclude -r eth1 ~/{{project_name_short}}
Should you decide to edit these files in Whonix ™ source folder, note to apply the build parameters from #Source Code Changes as well.
Another, perhaps better option might be to change the network interface names after Whonix ™ build script finished.
For example /home/user/Whonix/packages/whonix-ws-network-conf/etc/network/interfaces.d/30_non-qubes-whonix
becomes /etc/network/interfaces.d/30_non-qubes-whonix
.
/usr/bin/whonix_firewall
Do not edit. We use a drop-in config snippet instead.
/etc/whonix_firewall.d/30_default.conf
Use a drop-in config snippet instead.
Open file /etc/whonix_firewall.d/50_user.conf
in an editor with root rights.
(Qubes-Whonix ™: In TemplateVM)
This box uses sudoedit
for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/whonix_firewall.d/50_user.conf
Add. Replace eth0 with your actual external network interface name as well as eth1 with your actual internal network interface name.
EXT_IF="eth0" INT_IF="eth1"
Save.
/etc/network/interfaces.d/30_non-qubes-whonix
Manual edit required.
Open file /etc/network/interfaces.d/30_non-qubes-whonix'
in an editor with root rights.
(Qubes-Whonix ™: In TemplateVM)
This box uses sudoedit
for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/network/interfaces.d/30_non-qubes-whonix'
Replace interface names.
Save.
/uwt/usr/lib/uwtwrapper
Do not edit. Use a drop-in config snippet instead.
Required for Whonix-Workstation ™ in Whonix ™ 14 and above only.
Open file /etc/uwt.d/50_user.conf
in an editor with root rights.
(Qubes-Whonix ™: In TemplateVM)
This box uses sudoedit
for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/uwt.d/50_user.conf
Add. Replace eth0 interface name.
bindp_interface="eth0"
/usr/bin/leaktest
Not important. Manual edit required.
/usr/lib/whonixcheck/check_network_interfaces.bsh
Manual edit required. Will break when whonixcheck gets upgraded. Then it needs to be edited again. This will be configurable in Whonix ™ 14 so the setting survives whonixcheck upgrades.
/etc/sudoers.d/whonixcheck
Do not edit. Use a drop-in config snippet instead.
Use any editor of your choice.
sudo EDITOR=nano visudo -f /etc/sudoers.d/whonixcheck-user
Add. Replace eth0 and eth1 with your network interface names.
whonixcheck ALL=NOPASSWD: /sbin/ifconfig eth0 whonixcheck ALL=NOPASSWD: /sbin/ifconfig eth1
Save.
/usr/lib/systemd/system/onion-grater.service.d/30_cpfpy.conf
Systemd may fail to start onion-grater if this file isn't configured properly. Replace any appearances of old interface names with your corresponding interface names. Restart onion-grater.service and confirm active status.
TODO: better use a drop-in /usr/lib/systemd/system/onion-grater.service.d/50_user.conf
. See Configuration Files.
systemctl restart onion-grater.service systemctl status onion-grater.service
Minor Things[edit]
Most configuration files work well inside Virtual Machines and on hardware. Only minor things such as deactivating powersaving, passwordless reboot, shutdown etc. are only recommended for Virtual Machines. You can easily comment them out by putting a hash # in front of them. They are marked, to find them, grep can be used. Skip this for now. You can change these files later after building Whonix ™. (Simpler.)
grep -r VMONLY* *
Run Build Script[edit]
It is recommended that you create a log of the build process by redirecting all the output to a log file. Be aware that by doing so no build progress will appear on the screen - instead a text log file will be created in your home folder.
sudo ./whonix_build --flavor whonix-gateway-xfce --target root --build >> ~/log-phyiso 2>&1
To optionally watch the progress, open a second virtual console and type.
tail -f ~/log-phyiso
If don't want to create a log of the build process (the build progress will then appear on screen) use the following command.
This is not recommended because if anything goes wrong during the build, it will be harder to pinpoint the exact error without the actual log file.
sudo ./whonix_build --flavor whonix-gateway --target root --build
Final Steps[edit]
Reboot.
sudo reboot
Login as new user "user". (If you didn't install as user "user", your old user and home folder does of course still exist.)
- This is untested since use /etc/network/interfaces.d instead of /etc/network/interfaces [archive] was implemented. Please test and leave feedback. whonix-gw-network-conf [archive] ships a file /etc/network/interfaces.d/30_non-qubes-whonix [archive]. Usually it should not conflict with your /etc/network/interfaces. If it does, consider removing source-directory /etc/network/interfaces.d from /etc/network/interfaces (if there are no other files in /etc/network/interfaces.d folder) or moving /etc/network/interfaces.d/30_non-qubes-whonix out of the way. (sudo mv /etc/network/interfaces.d/30_non-qubes-whonix ~/)
Done.
Cleanup[edit]
OPTIONAL!
Remove temporary files.
WARNING: This will run git clean -d --force --force
in Whonix's main source code folder [archive] (~/Whonix
) as well as in all sub folders of the Whonix packages folder [archive] ~/Whonix/packages
. This means, if you knowingly added any files to any of these folders that have not been committed to git, these will be deleted.
./help-steps/cleanup-files
How To Install Whonix-Gateway ™ in a VM (UNTESTED / NOT RECOMMENDED)[edit]
It is advised to install a new OS just for hosting the Gateway VM, any OS that can run VirtualBox works but we recommend an Open Source system.
Download the Whonix-Gateway ™ image. (Or build it from source code.)
Adapter 1 can be set up as a NAT network. Adapter 2 must either be set to NAT as well (but you will need to forward ports from the host to the guest) or much simpler: use bridged networking and set it to the second physical interface (the one that goes into the isolated network/point to point ethernet). See "NAT vs Bridging" below.
This configuration is entirely untested and not recommended unless you need to run Tor through an unsupported 3G modem and can't afford a 3rd physical device.
When using NAT for a virtualized Gateway you need to set up port forwarding in VirtualBox. Using bridged network may be easier, but then the router may see the Whonix-Gateway ™ MAC address which identifies as Whonix-Gateway ™. (Should not be of concern in home networks. Should be of concern in untrusted networks or when using a modem to connect.)
Install Whonix-Workstation ™ in a VM (RECOMMENDED)[edit]
First Steps[edit]
Install and update a host operating system. On the host can run any OS that is capable of running VirtualBox, but be aware of Transparent Proxy Leaks [archive]. It is recommended against to use Windows or another other commercial proprietary system as host operating system.
Download the Whonix-Workstation ™ image. (Or build it from source code.)
Note sure what we wanted to say with this sentence: If the physical network (between Whonix-Gateway ™ and a router) uses 10.152.152.* you need to review and edit all shell scripts and switch the internal network to something else!
Host Network Adapter[edit]
The host has to be configured to use the static IP configuration.
## {{workstation_product_name}} ## /etc/network/interfaces for the host, ## when using Physical Isolation, ## with {{workstation_product_name}} in a VM. auto lo iface lo inet loopback auto eth0 iface eth0 inet static ## Increment last octet of address ## on optional additional hosts. address 10.152.152.11 netmask 255.255.192.0 gateway 10.152.152.10 #pre-up /usr/bin/whonix_firewall ## Out commented. ## For what do we require the network and broadcast ## instances anyway? #network 10.152.152.0 #broadcast 10.152.152.255 #auto eth0 #iface eth0 inet dhcp ## end of /etc/network/interfaces
If the physical network (between Whonix-Gateway ™ and a router) uses 10.152.152.* you need to review and edit all /etc/network/interfaces.
NAT vs Bridging[edit]
Two Choices[edit]
In the default Whonix ™ VirtualBox image, the network adapter setting for Adapter 1 (eth0) is set to internal network and will therefore not work out of the box. There are two choices to fix this. NAT (recommended) or bridged network.
NAT (RECOMMENDED)[edit]
If you use NAT you will have to edit the /etc/network/interfaces in Whonix-Workstation ™ to use DHCP (easier, shown in the example below) or a static IP for VirtualBox NAT.
sudoedit /etc/network/interfaces
Replace it with.
## {{workstation_product_name}} ## /etc/network/interfaces in a VM ## when using Physical Isolation. auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp ## end of /etc/network/interfaces
Bridged Network (UNTESTED / NOT RECOMMENDED)[edit]
If you use bridged networking things will (or should, we haven't tested anything yet) just work.
Since in the bridged network case, Whonix-Workstation ™ can see the MAC address of whatever network adapter it is connected to, you should change the MAC address of the Workstation host and of the Whonix-Gateway ™.
See Whonix ™ in public networks.
Macvtap on KVM[edit]
Change the network source of the ethernet nic to "macvtap" and the source mode to "passthrough" Be aware, you can't use networking on the host anymore.
Attach an USB-ethernet adapter to the VM[edit]
Remove the network adapter from the VM and instead attach an USB-ethernet adapter to the host and redirect it to the VM.
Install Whonix-Workstation ™ on hardware (NOT RECOMMENDED)[edit]
Install Whonix-Workstation ™ on hardware without using a VM is recommended against, because hardware serials would be visible to Whonix-Workstation ™.
The instructions are very similar, if not the very same, to those in "How To Install Whonix-Gateway ™ on hardware" above. You have to use --flavor whonix-workstation instead of --flavor whonix-gateway.
Expected Build Warnings[edit]
dpkg-source: warning: extracting unsigned source package
dpkg-source: warning: extracting unsigned source package (anon-gw-anonymizer-config_5.0-1.dsc)
etc.
This does not affect the build. [24]
Can not write log, openpty() failed (/dev/pts not mounted?)
This does not affect the build. [25]
[....] Your system does not have the CPU extensions required to use KVM. Not doing anything. ...[ FAIL ]
This does not affect the build. [26]
[....] Stopping VirtualBox kernel modules [ ok ]. [....] Starting VirtualBox kernel modules[....] No suitable module for running kernel found ...[ FAIL ] invoke-rc.d: initscript virtualbox, action "restart" failed.
This does not affect the build. [27]
WARNING: The character device /dev/vboxdrv does not exist. Please install the virtualbox-ose-dkms package and the appropriate headers, most likely linux-headers-486. You will not be able to start VMs until this problem is fixed.
This does not affect the build. [28]
dpkg: warning: failed to open configuration file '/root/.dpkg.cfg' for reading: Permission denied
This does not affect the build. [29]
sudo: unable to resolve host host
This does not affect the build. [30]
Related forum topic:
Expected Build Warnings [archive]
After installing[edit]
Further required reading: Documentation. The host security chapter applies to both computers!
Read and apply the Post Installation Security Advice.
Stay tuned[edit]
It is absolutely crucial to subscribe to and read the latest Whonix ™ news category 'important-news' to stay in touch with ongoing developments. This way users benefit from notifications concerning important security advisories, potential upgrade issues and improved releases which address identified issues, like those affecting the updater or other core elements.
See Stay Tuned.
Extra packages for better hardware support[edit]
Some packages for bare metal may or may not be missing. Here is a probably incomplete list of packages, which may or may not be useful for better hardware support. Some suggestions.
xorg xserver-xorg-input-all xserver-xorg-input-wacom xserver-xorg-input-geode xserver-xorg-input-vmmouse xserver-xephyr xserver-xorg-input-* xserver-xorg-* acpi-support-base acpid acpi discover discover-modprobe discover-data hwdata mdetect apt-cache show task-desktop apt-cache show task-kde-desktop apt-cache show task-laptop
If you have EFI bios.
grub-efi-amd64
To get a more complete list, install Debian (with KDE) on bare metal using the regular Debian installer medium.
- diff "dpkg -l" with Whonix
- diff "sudo lsmod" with Whonix
- contribute your findings
Troubleshooting[edit]
- Slow network speed? Eventually it is the fault of your wifi driver? We had such a report [archive] in the forum.
- No connection between Whonix-Gateway ™ and Whonix-Workstation ™? Could have something to do with Auto-MDIX [archive]. We had such a report [archive] in the forum.
Known bugs[edit]
All Platforms[edit]
"apt-get source package" will show "dpkg-source: warning: failed to verify signature"[edit]
This is not a security issue, but only a warning. Read the entire thread here [archive] for more information.
This warning message can be removed with the following workaround below.
1. Modify /etc/dpkg/origins/default
sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/debian /etc/dpkg/origins/default
2. Download the source package.
apt-get source package
3. Undo afterwards to prevent unexpected issues.
sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/whonix /etc/dpkg/origins/default
Proxychains Tor Browser Issue[edit]
Using Tor Browser in conjunction with proxychains for the connection scheme: User
→ Tor
→ Proxy
→ Internet
does not currently work. For more information, see here.
VirtualBox[edit]
ATA Freeze[edit]
If you see the following error and freezing.
433.348893] mptscsih: ioc0: attempting target reset! (sc=ffff81021b950940) 433.348896] sd 0:0:0:0: [sda] CDB: ATA command pass through(16): 85 08 0e 00 d5 00 01 00 09 00 4f 00 c2 00 b0 00 433.605026] mptscsih: ioc0: target reset: SUCCESS (sc=ffff81021b950940
It is a known [archive] issue and hardware-specific - VirtualBox upstream bug report: https://www.virtualbox.org/ticket/10031 [archive]
This cannot be fixed by the Whonix team and patches are required.
It has been reported [archive] that running from an internal HDD/SSD works better than running from external devices.
One workaround might be avoiding high load on your host operating system. If this bug causes a lot of problems, then your only option is to switch to another platform.
Non-Qubes-Whonix[edit]
Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.
Mounting (CD / DVD) Devices[edit]
If the device auto mounter is broken, see if Start menu
→ System Settings
→ Removable Media
helps.
The following workaround can be used.
sudo mkdir /mnt/cdrom
sudo mount -o ro /dev/cdrom /mnt/cdrom/
Using the ro flag will mount the CD / DVD in read-only mode. If a CD / DVD is not being mounted, then drop the "-o ro" parameter.
Forum discussion:
https://forums.whonix.org/t/workstation11-doesnt-mount-hdds/1313 [archive]
Help fixing this bug is welcome! (ticket [archive])
Network Manager Systray Unmanaged Devices[edit]
Short answer: Unmanaged devices are unrelated to Whonix functioning and should not concern the user.
Long answer: [31]
Suspend / Hibernate Issues[edit]
Short: Avoid suspending or hilbernating the computer or Whonix VMs while Whonix is running.
Long: Network Time Syncing, Clock Fix. [32]
VLC / Video Player Crash[edit]
The following workaround can be used; this is the default in recent builds (like Whonix 14). [33]
VLC
→ Tools
→ Preferences
→ Video
→ Output
→ X11
→ Save
Security and Support Status[edit]
Whonix ™ Physical Isolation has no dedicated contributor. It is a leftover from previous times, where no other supported platforms were supported. This setup, these instructions still work. Some users are still using them. But Patrick's focus has now moved to Qubes. Grave security issues are unlikely due to Whonix ™ design. There is no Whonix ™ contributors member testing Whonix ™ physical isolation. No progress on the Whonix ™ Physical Isolation development task list [archive] should be expected. That's why the supported platforms table lists Physical Isolation in the column 'security' with 'experimental'.
Help Wanted[edit]
- work on the Whonix ™ Physical Isolation development task list [archive] (not even filled up)
- Become Whonix ™ Physical Isolation contributor so the #Security and Support Status can be improved.
Footnotes / References[edit]
- ↑ https://forums.whonix.org/t/error-failed-bilding-whonix-gateway-on-physical-host/9742 [archive]
- ↑ https://en.wikipedia.org/wiki/Trusted_computing_base [archive]
- ↑ Just some hints to get started. It is difficult and beyond the scope of Whonix ™, because you don't have an Ethernet interface. Some (after market) firmwares support USB-host. (You can plug USB devices into your phone, such as an USB ethernet card. For example some rooted android smartphones can install [archive] Debian Linux.
- ↑ https://en.wikipedia.org/wiki/Ultra-mobile_PC [archive]
- ↑ https://en.wikipedia.org/wiki/Raspberry_Pi [archive]
- ↑ something like OpenWRT
- ↑ The other one may be either an Anonymous 3G modem; Anonymous WiFi adapter, another ethernet or wifi connected to your modem/router.
- ↑ Theoretically you could use any OS that supports iptables or pf. If you don't want to use Debian you will have to edit the source code. This will be easy for Debian derivatives but much more difficult for *BSD for example. In any case, the choice of OS shouldn't really matter because this system is not used for anything but running Tor. A cheap plug computer, something like Raspberry Pi or the hardware used by Torouter would be sufficient.
- ↑ If you don't connect by wire, you significantly weaken isolation and security. One the Whonix-Workstation ™ were infected, it could jump onto another network and start leaking.
- ↑ Any OS can be used. But this is not recommended! If you do anyway, read warning, especially for Windows: Transparent Proxy Leaks [archive].
- ↑ From the Download page or build it yourself from source code.
- ↑ A generic VM image can neither leak identifying hardware serial numbers nor unique software fingerprints. (e.g. trough software updates [archive]).
- ↑ This ensures that you get the latest security features and most secure configurations. (Such as stream isolation that protects against Identity correlation through circuit sharing, HexChat IRC hardening or Whonix ™ Protocol-Leak-Protection and Fingerprinting-Protection etc.)
- ↑ Debian ISO OpenPGP verification
- ↑ The build scripts could be adapted to run on other *NIX systems as well but currently they assume apt-get and grml-debootstrap to be available. You need about 15 GB of free space.
- ↑ One way or another.
- ↑ You need git to obtain the source code. Alternatively, you could also download a git tag as an archive using a (torified) browser: https://github.com/Whonix/Whonix/tags [archive]
- ↑
Optional
git
parameters:--depth=1
: Used to speed up download.--branch 15.0.1.5.1-stable
Usability. Used to speed up download.--jobs=4
: Used to speed up download.--recurse-submodules --shallow-submodules
: Usability.
git
are free to drop any of these optional parameters. - ↑ See Trust.
- ↑ Optional. [...]
- ↑ As defined by TUF: Attacks and Weaknesses:
- ↑ Beginning from git tag 9.6 and above.
- ↑ https://github.com/Whonix/Whonix/blob/master/help-steps/cleanup-files [archive]
- ↑ https://forums.whonix.org/t/end-to-end-signed-debs-debsign-debsig-and-dpkg-sig/3446 [archive]
- ↑ This is nothing to be concerned about; it only happens because commands are run inside chroot. Research of this "issue" indicates it is purely cosmetic.
- ↑ KVM is installed as a dependency of the build dependency libguestfs-tools. KVM is not needed to build the actual images.
- ↑ This only means that VirtualBox cannot be started. VirtualBox kernel modules could not be compiled because the linux-headers-$(uname -r) package was not installed prior to installing VirtualBox (before starting Whonix's build script). The build script doesn't start VirtualBox, hence does not affect the build. The build script only uses VBoxManage for creation of virtual machine description files and that tool doesn't need VirtualBox kernel modules.
- ↑ This is caused by the same issue referenced above.
- ↑ This happens because debuild is run as user, not root. It is probably a bug in dpkg. Research of this issue reveals there are many similar bugs in dpkg.
- ↑
Hostname inside VM image gets changed intentionally to
host
inside the VM image. The cause probably is package anon-base-files postinst runninghostname "$my_host_name"
/hostname host
. This change should only happen inside the change rootchroot
. We might get rid of this issue by porting formchroot
tosystemd-nspawn
, but it is not very important. - ↑
Whonix does not use network manager to manage either eth0 or eth1.
- In Non-Qubes-Whonix ™, networking is managed by ifupdown.
- Qubes-Whonix ™ uses a custom /lib/systemd/system/qubes-whonix-network.service [archive] and is unaffected by this issue.
To reduce confusion, the ideal Whonix default would either: prevent the systray item starting, hide the systray item, or suppress the information being presented. Network manager is installed so users can easily setup VPNs with its intuitive graphical user interface.
All attempts to fix this long-standing issue have failed. Help is welcome to fix it.
Fix Unmanaged Devices Network Manager [archive]
- ↑ https://github.com/QubesOS/qubes-issues/issues/1764 [archive]
- ↑
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Did you know that Whonix ™ could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.