WARNING: Please don't forget reading the #Security and Support Status, Warnings and First time user chapter.

Introduction[edit]

Basic[edit]

A supported platform that can run Whonix. There are also others.

See also Physical Isolation #Security and Support Status.

The following instructions are for Non-Qubes-Whonix. For Qubes-Whonix see:
https://forums.whonix.org/t/physical-isolation-is-back-qubes-whonix-style

Technical Introduction[edit]

When setting up Whonix in the form of two Virtual Machines running on the same physical host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the IP of a user. Malware running on the host has full control over all VMs. To protect such attacks we need a different approach: In this context we called it Physical Isolation, because the gateway system is installed on separate hardware. This drastically reduces the TCB^[1] by more than the half.

In total we'll be installing and configuring two computers and set up an isolated point to point network between them (you could also set up a an ordinary, completely isolated, LAN behind the Whonix-Gateway). One computer acts as the client or "Whonix-Workstation", the other as a proxy or "Whonix-Gateway" which will transparently route all of the Whonix-Workstation's traffic through Tor.

The Whonix-Gateway on its own physical device can either run directly on hardware or inside a virtual machine. Both options have advantages and disadvantages. We recommend to use no additional Virtual Machine for the Whonix-Gateway.

The Whonix-Workstation should always be installed in a Virtual Machine: A VM hides hardware serial numbers. See also Recommendation to use multiple VM Snapshots.

The host operating system(s) should only be used for downloading operating system updating, hosting Whonix-Gateway or Whonix-Workstation and nothing else.

Bonus points if the physical systems are exclusively used for hosting Whonix, or if storage devices are separated for Whonix and non-Whonix use cases, to avoid a Whonix hard drive getting infected by a another operating system.

First time user?[edit]

Default username: user Default password: changeme

Warning: If you do not know what metadata or a man-in-the-middle attack is. If you think nobody can eavesdrop on your communications because you are using Tor. If you have no idea how Whonix works. Then read the About, Warning and Do Not pages to decide whether Whonix is the right tool for you based on its limitations.

Warnings[edit]

WARNING: Less tested than VM builds. Needs your help for more rigid testing!

WARNING: Instructions are difficult. Only advanced Linux users can understand them.

WARNING: Dev/Build Anonymity has not been considered for this article.

WARNING: Do also read the warnings in the latest build instructions for VM images. Some of them, Don't add private files to Whonix's source code folder! and Check if the OpenPGP public keys are still up to date. also applies to the physical isolation page.

WARNING: This article currently lacks information about Whonix-Gateway's and Whonix-Workstation's MAC address. See also:

• Protocol-Leak-Protection and Fingerprinting-Protection
• Whonix in public networks / MAC Address
  

WARNING: Joanna Rutkowska, security researcher, founder and developer emeritus of Qubes OS has completed a research paper comparing the security of software compartmentalization vs. physically separated computers (pdf). It concluded that in some cases, notably for specific, desktop-related workflows, Physical Isolation might be less secure than Qubes' compartmentalized approach. (See also: Qubes-Whonix.)

Using spare hardware + Virtual Machine[edit]

Advantages:

• You can install a graphical host.
• Use the Whonix download version.
• You can use the graphical network manager on the host, for example to connect to WiFi.
• You can setup easily a VPN on the host. Tor will be tunneled through the VPN.

Disadvantages:

• Higher attack surface, because the Virtual Machine code get's involved.

Using spare hardware without Virtual Machine[edit]

Advantages:

• More secure, because less code is involved.

Disadvantages:

• Slightly more complicated setup
• More difficult to set up VPN
• More difficult to set up 3G networking compared to using a Windows host

Hardware[edit]

General[edit]

We recommend that you use two dedicated computers for Whonix that are never used for activities that could lead back to your identity. Alternatively you can use an already existing and otherwise used computer for the Whonix-Gateway. To offer some isolation you should disconnect all internal and external drives and boot from a eSATA, USB or another internal drive into a clean environment.

non-anonymous use[edit]

• non-anonymous box (leave it as it is, like you want)
• non-anonymous home dial up internet router (leave it as it is, like you want)

anonymous use[edit]

• Whonix-Gateway
  • This really does not have to be a big desktop computer or ordinary server. There are alternatives.
  • smartphone ^[2],
  • UMPC^[3]
  • pad, tablet,
  • notebook, netbook,
  • Raspberry Pi^[4]: needs contributor, development thread
  • router ^[5],
  • set top box,
  • etc.
  • how to utilize such a device as a linux server is beyond the scope of this guide, there are already better resources
• anonymous 3G modem (see below) or anonymous wifi adapter (see below)
• Whonix-Workstation
  • You get the idea. Use a device which suits you.

Before installing[edit]

Read and apply the Pre-Installation Security Advice.

Prerequisites[edit]

• System Requirements
• Whonix-Gateway: A device with at least two network adapters, at least one of them ethernet ^[6], capable of running Linux. It will run Debian. ^[7]
• Whonix-Workstation: A device connected via ethernet to the Whonix-Gateway. It must only have this one NIC and no other network connectivity! Must be connected by wire.^[8] This will be the torified client system or Whonix-Workstation. It must be capable of running Debian.^[9]
• We recommend to use a VM as the client, the same Whonix-Workstation, that most non Physical Isolation users use. ^{[10] [11] [12]}
• Host build environment has a working internet connection to Debian mirrors.
• General advice from Build Documentation about Build Security applies
• Optionally, it would be useful, if you knew how to open a second virtual console.

Host Preparation[edit]

• You need to build on Debian stretch. (How to obtain Debian safely: ^[13]) ^[14]
• Build dependencies and configurations get automatically applied, so you don't have to worry about that. ^[15]
• It is recommended to set your terminal (for example Konsole) to unlimited scrollback, so you can watch the full build log.

How To Install Whonix-Gateway on the Raspberry Pi 3 B (RPI3)[edit]

Get the source (see below).

From inside the Whonix source folder run:

sudo ./whonix_build --target raw --flavor whonix-gateway-rpi --build --arch arm64 --kernel linux-image-arm64 --headers linux-headers-arm64

After a succesful build burn the whonix_gw_rpi.img to a micro SD card using gnome-disk-utility.

1. Within gnome-disk-utility select the SD card.
2. At the top panel select options (next to the poweroff button).
3. Click restore disk image and choose the respective file.
4. Click start restoring and wait until it is finished.
5. Put the SD card into the RPI3, attach an HDMI monitor, an USB-ethernet adapter as well as a keyboard and boot it.

After login run:

sudo nano /etc/network/interfaces.d/30_non-qubes-whonix

and change the address and the gateway of eth0 corresponding to your local network / upstream router. As an example our ISP router uses 192.168.0.1/24 for the internal network. The settings of eth0 would look like the following:

auto eth0
iface eth0 inet static
    address 192.168.0.11
    netmask 255.255.255.0
    gateway 192.168.0.1

By default eth0 is the native ethernet connection of the RPI3. Hence, connect a network cable from there to your router. eth1 is the USB-ethernet adapter which should also be connected via cable to the computer running the workstation. Since the RPI3 is lacking a real time clock you need to set the date manually to the current UTC time. Example:

sudo date -s "09 NOV 2018 17:00:00"

Run:

sudo service networking restart

and

sudo service tor restart

to connect to the Tor network. Depending on your hypervisor you need to change network settings on the Workstation in order to connect it to the gateway (see below).

How To Install Whonix-Gateway on Hardware (RECOMMENDED)[edit]

Get Debian[edit]

Download a Debian stretch 32 bit installation iso. Detailed instructions doing so are unfortunately not part of this guide. However, the Debian page contains some help.

You can choose iso of any desktop environment (KDE, LXDE, Xfce, ...) but since you'll be using the command line, Debian stretch network install (netinst) version is recommended (it is the most minimal).

(You could also use a Debian stretch 64 bit installation iso, these instructions should also work, but it is less tested.)

Install Debian[edit]

In the installer boot menu of Debian stretch press "Install" and choose following settings:

Select a language: English
Select your location: United States
Configure the keyboard: (select yours)
Hostname: host
Domain name: (empty)
Root password: (set up a strong password)
Full name for the new user: user
Username for your account: user
Password for the new user: (choose a good password, different from root password)
Partitioning method: Guided - use entire disk (it is a good idea to set up cryptsetup encrypted LVM at this point)
Partitioning scheme: All files in one partition (select the listed device in the next step)
Partition disks/overview: Finish partitioning
Write changes to disk: Yes

Debian archive mirror country: Go back
Continue without a network mirror: Yes

Use a network mirror: No
Participate in the package usage survey: No
Software selection: None; deselect all options (using Space)
Install the GRUB boot loader: Yes (select the listed device in the next step)
Finish the installation: Continue

Use as:         Ext2 file system

Mount point:       /boot
Mount options:    noatime
Label:                 none
Reserved blocks:  5%
Typical Usage:     standard
Bootable flag:      on    

Use as:      physical volume for encryption
Encryption method:   Device-mapper (dm-crypt)

Encryption: twofish 
[Recommend "twofish" and "serpent" as alternatives. "Serpent" is the slowest and only recommended if you have a fast system (and a fast drive), as it creates a lot of system overhead. "Twofish" is an algorithm created by Bruce Schneier, and is a lot faster, computationally-speaking. For most use-cases, "twofish" should be sufficient as an alternative algorithm]
Key size:     256 (leave as-is)
IV algorithm:  xts-plain64 
[for most use-cases, xts-plain64 should be sufficient. Do not change this unless you know what you are doing. You could inadvertently create a security hole]
Encryption key: Passphrase (leave as-is)
Erase data: yes (this will wipe the partition)
Bootable flag: off  

(Optional) SWAP USERS:

O1. Now create your swap partition. Highlight "Create logical volume" and press Enter, then select HOST_VG and press Enter again. Type SWAP, press Enter.

O2. Enter your volume size (2.5 GB is usually a good standard size for most systems) then select <Continue> and press Enter.

Use as:             XFS journaling file system

Mount point:     / 
Mount options: defaults
Label:               none

(Optional) SWAP USERS:

O1. You should see your new partition for SWAP displayed on this screen [LVM VG HOST_VG, LV SWAP - 2.5 GB Linux device-mapper (linear)]. Select the partition underneath the heading and press Enter.

O2. Change "do not use" to "swap area", and press Enter. Then select "Done setting up the partition" to return to the main partitioning menu.

Network Configuration[edit]

The external interface (usually eth0) may need to be configured according to the requirements of your local network, e.g. static or simply left to use dhcp if the gateway is connected to a dhcp capable router. For wlan follow the upstream documentations: debian wiki, Ubuntu help.

Make sure the internet is working.

Logon and upgrade Debian[edit]

Logon, install all security updates and reboot.

Login with "root"

Add a new repository source.

echo "deb http://ftp.us.debian.org/debian stretch main" >> /etc/apt/sources.list

Add a new repository source. TODO: Is this needed?

echo "deb http://security.debian.org stretch/updates main" >> /etc/apt/sources.list

Refresh package lists and upgrade.

apt-get update && apt-get dist-upgrade -y

Firmware Updating and Security Problems[edit]

As per Firmware_Security_and_Updates#Firmware_Updating_and_Security_Problems.

Update the package lists.

sudo apt-get update

For Intel.

sudo apt-get install intel-microcode

For AMD.

sudo apt-get install amd64-microcode

Preparation[edit]

Install sudo and git. ^[16]

## Install "sudo" and git.
apt-get install sudo git -y

You must build as user "user" and that user must be a member of the "sudo" group. Rebooting applies the changes.

## Add "user" to "sudo" group
addgroup user sudo

## Reboot the system
shutdown -r now

## (host) login with "user"
user

Optional:
You may want to take an image of your installation in case the build script fails in the middle.

Get the Signing Key[edit]

This chapter is recommended for better security, but is not strictly required. (See Trust)

gpg --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

It isn't safe to only get the signing key from one source for the download you want to verify. For better security, learn more about the Whonix Signing Key.

Get the Source Code[edit]

Install git and curl.

sudo apt-get update && sudo apt-get install git curl

Get source code including git submodules.

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix

Note: If using an older version of git (from Debian Jessie, Whonix 13, etc), remove --jobs=4.

Remember it is Whonix, not whonix! If prompted for a username for github, you have mistyped the web address.

Shift to the source folder.

cd Whonix

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required.^[17]

Retrieve a list of available git tags.

cd ~/Whonix/ && git tag

Verify the chosen tag to build.

## ... Replace with tag you want to build.
git verify-tag 14.0.0.9.3-stable

The output should look similar to this.

object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag 14.0.0.9.3
tagger Patrick Schleizer <adrelanos@riseup.net> 1392320095 +0000

.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]

Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2018 and now see a signature from 2017, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [18]

The warning.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Is explained on the Whonix Signing Key page and can be safely ignored.

By convention, git tags should point to signed git commits. ^[19] (forum discussion) It is advisable to verify the signature of the git commit as well (replace 14.0.0.9.3 with the actual git tag being verified).

git verify-commit 14.0.0.9.3-stable^{commit}

The output should look similar to this.

commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Sun Dec 7 01:22:22 2014 +0000

    .

Choose Version[edit]

Retrieve a list of available git tags.

git tag

Use git checkout to select the preferred version (or git branch) to build.

git checkout 14.0.0.9.3-stable

Replace 14.0.0.9.3 with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. To learn more about current Whonix versions, follow the Whonix News Blog.

Clean Up and Sanitize[edit]

This step is also important for security.

Retrieve the list of extraneous files and folders. ^[20]

git clean -ndff

See if the output looks sane; it generally should, unless Whonix source code is modified by advanced users (who understand git better anyhow). If the output looks like the following, everything is fine.

Would remove packages/apparmor-profile-gwenview/
Would remove packages/kde-privacy/

Remove these folders.

git clean -dff

The output should show.

Removing packages/apparmor-profile-gwenview/
Removing packages/kde-privacy/

Be sure to check out the right commit for each git submodule.

git submodule update --init --recursive

Check there are no extraneous files. This is important for security.

git status

The output should show the following:

nothing to commit (working directory clean)

If the directory is not clean, the extra files should be removed first.

Build Configuration (Optional)[edit]

Note: All of the following build configuration steps are optional.

Introduction

sudo rm -r /etc/whonix_buildconfig.d

Platforms Choice

Advanced users can create 32-bit instead of 64-bit builds.

If you are interested, click on Expand on the right.

--arch i386

Whonix APT Repository

Non-Qubes-Whonix:
Whonix's APT Repository is disabled by default since Whonix 7.3.3 for reasons of Trust. Later on, users can decide to update Whonix Debian packages by building them from source code (greater security). Alternatively, Whonix's APT repository can be enabled right after building or after booting the build for the first time (greater convenience). To use the latter method which sacrifices security for convenience, click on Expand on the right side.

WHONIX_APT_REPOSITORY_OPTS='--enable --repository stable'

WHONIX_APT_REPOSITORY_OPTS='--enable --repository testers'

WHONIX_APT_REPOSITORY_OPTS='--enable --repository developers'

WHONIX_APT_REPOSITORY_OPTS='--enable --codename stretch'

sudo WHONIX_APT_REPOSITORY_OPTS='--enable --repository stable' ./whonix_build [...]

APT Onion Build Sources

--connection onion

APT Cache

Using an apt cache will greatly improve build speed when building several times in a row (e.g. when debugging, during development).

If you are interested, click on Expand on the right.

---

torified apt-cacher-ng

The following torified apt-cacher-ng setup only has to be applied, if you are building using onion apt sources using --connection onion. In that case, please click Expand on the right. Howeverif you are building behind a Tor transparent proxy such as Whonix-Gateway, you can use the simpler clearnet apt-cacher-ng instructions below instead.

If you skip these steps of setting up a torified apt-cacher-ng, you must below drop and not use REPO_PROXY=http://127.0.0.1:3142.

Note, this neither torifies all of the build script's connections nor hides Tor from your ISP!

Install apt-cacher-ng-, torsocks and tor.

sudo apt-get install apt-cacher-ng torsocks tor

Create folder apt-cacher-ng systemd drop-in folder /lib/systemd/system/apt-cacher-ng.service.d.

sudo mkdir -p /lib/systemd/system/apt-cacher-ng.service.d

Open /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run.

kdesudo kwrite /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

kdesudo kwrite /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

If you are using a terminal-only Whonix, run.

sudo nano /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

sudo nano /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

Add.

[Service]
ExecStart=torsocks /usr/sbin/apt-cacher-ng SocketPath=/run/apt-cacher-ng/socket -c /etc/apt-cacher-ng ForeGround=1

Save.

Reload systemd.

sudo systemctl daemon-reload

Restart apt-cacher-ng.

sudo systemctl apt-cacher-ng restart

---

clearnet apt-cacher-ng

sudo apt-get install apt-cacher-ng

Be sure to have a firewall, so the whole internet can not use the apt-cacher-ng service.

sudo REPO_PROXY=http://127.0.0.1:3142 ./whonix_build ...

When building inside a non-Whonix VM, an apt cache can be used on the host. In that case, adjust the IP accordingly and manually test that it is reachable. When building inside a (Whonix) VM, just install the apt cache inside the VM and point to a localhost apt cache.

---

VM Settings

--vmram 128

--vram 12

--vmsize 200G

--file-system ext4

--hostname host

--os-password changeme

--debopt "--verbose"

Skip Steps

--sanity-tests false

Source Code Changes

This is only required if changes were made to the Whonix source folder! In that case click on Expand on the right.
This is not required if only a customized build configuration was added to the /etc/whonix_buildconfig.d folder.

--allow-uncommitted true

--allow-untagged true

Network Verification[edit]

Before running the whonix_build script make sure eth1 and eth0 refer to the correct interfaces.

## May be helpful.
dmesg | grep eth

exclude="--exclude=README.md --exclude=control --exclude=changelog.upstream --exclude-dir=.git --exclude-dir=whonix-developer-meta-files --exclude-dir=build-steps.d --exclude-dir=qubes-whonix"

grep $exclude -r eth0 ~/Whonix
grep $exclude -r eth1 ~/Whonix

grep -l $exclude -r eth0 ~/Whonix
grep -l $exclude -r eth1 ~/Whonix

kdesudo kwrite /etc/whonix_firewall.d/50_user.conf

sudo nano /etc/whonix_firewall.d/50_user.conf

EXT_IF="eth0"
INT_IF="eth1"

kdesudo kwrite /etc/network/interfaces.d/30_non-qubes-whonix'

sudo nano /etc/network/interfaces.d/30_non-qubes-whonix'

kdesudo kwrite /etc/uwt.d/50_user.conf

sudo nano /etc/uwt.d/50_user.conf

bindp_interface="eth0"

sudo EDITOR=nano visudo -f /etc/sudoers.d/whonixcheck-user

whonixcheck ALL=NOPASSWD: /sbin/ifconfig eth0
whonixcheck ALL=NOPASSWD: /sbin/ifconfig eth1

Minor Things[edit]

Most configuration files work well inside Virtual Machines and on hardware. Only minor things such as deactivating powersaving, passwordless reboot, shutdown etc. are only recommended for Virtual Machines. You can easily comment them out by putting a hash # in front of them. They are marked, to find them, grep can be used. Skip this for now. You can change these files later after building Whonix. (Simpler.)

grep -r VMONLY* *

Run Build Script[edit]

It is recommended that you create a log of the build process by redirecting all the output to a log file. Be aware that by doing so no build progress will appear on the screen - instead a text log file will be created in your home folder.

sudo ./whonix_build --flavor whonix-gateway -- --target root --build >> ~/log-phyiso 2>&1

To optionally watch the progress, open a second virtual console and type.

tail -f ~/log-phyiso

If don't want to create a log of the build process (the build progress will then appear on screen) use the following command.

This is not recommended because if anything goes wrong during the build, it will be harder to pinpoint the exact error without the actual log file.

sudo ./whonix_build --flavor whonix-gateway -- --target root --build

Final Steps[edit]

Reboot.

sudo reboot

Login as new user "user". (If you didn't install as user "user", your old user and home folder does of course still exist.)

• This is untested since use /etc/network/interfaces.d instead of /etc/network/interfaces was implemented. Please test and leave feedback. whonix-gw-network-conf ships a file /etc/network/interfaces.d/30_non-qubes-whonix. Usually it should not conflict with your /etc/network/interfaces. If it does, consider removing source-directory /etc/network/interfaces.d from /etc/network/interfaces (if there are no other files in /etc/network/interfaces.d folder) or moving /etc/network/interfaces.d/30_non-qubes-whonix out of the way. (sudo mv /etc/network/interfaces.d/30_non-qubes-whonix ~/)

Done.

Cleanup[edit]

OPTIONAL!

Remove temporary files.

Warning, this will run git clean -d --force --force in Whonix's main source code folder (~/Whonix) as well as in all sub folders of the Whonix packages folder ~/Whonix/packages. This means, if you knowingly added any files to any of these folders that have not been committed to git, these will be deleted.

^[27]

./help-steps/cleanup-files

How To Install Whonix-Gateway in a VM (UNTESTED / NOT RECOMMENDED)[edit]

It is advised to install a new OS just for hosting the Gateway VM, any OS that can run VirtualBox works but we recommend an Open Source system.

Download the Whonix-Gateway image. (Or build it from source code.)

Adapter 1 can be set up as a NAT network. Adapter 2 must either be set to NAT as well (but you will need to forward ports from the host to the guest) or much simpler: use bridged networking and set it to the second physical interface (the one that goes into the isolated network/point to point ethernet). See "NAT vs Bridging" below.

This configuration is entirely untested and not recommended unless you need to run Tor through an unsupported 3G modem and can't afford a 3rd physical device.

When using NAT for a virtualized Gateway you need to set up port forwarding in VirtualBox. Using bridged network may be easier, but then the router may see the Whonix-Gateway MAC address which identifies as Whonix-Gateway. (Should not be of concern in home networks. Should be of concern in untrusted networks or when using a modem to connect.)

Install Whonix-Workstation in a VM (RECOMMENDED)[edit]

First Steps[edit]

Install and update a host operating system. On the host can run any OS that is capable of running VirtualBox, but be aware of Transparent Proxy Leaks. It is recommended against to use Windows or another other commercial proprietary system as host operating system.

Download the Whonix-Workstation image. (Or build it from source code.)

Note sure what we wanted to say with this sentence: If the physical network (between Whonix-Gateway and a router) uses 10.152.152.* you need to review and edit all shell scripts and switch the internal network to something else!

Host Network Adapter[edit]

The host has to be configured to use the static IP configuration.

## Whonix-Workstation
## /etc/network/interfaces for the host,
## when using Physical Isolation,
## with Whonix-Workstation in a VM.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   ## Increment last octet of address
   ## on optional additional hosts.
   address 10.152.152.11 
   netmask 255.255.192.0
   gateway 10.152.152.10
   #pre-up /usr/bin/whonix_firewall

   ## Out commented.
   ## For what do we require the network and broadcast
   ## instances anyway?
   #network 10.152.152.0
   #broadcast 10.152.152.255

#auto eth0
#iface eth0 inet dhcp

## end of /etc/network/interfaces

If the physical network (between Whonix-Gateway and a router) uses 10.152.152.* you need to review and edit all /etc/network/interfaces.

NAT vs Bridging[edit]

Two Choices[edit]

In the default Whonix VirtualBox image, the network adapter setting for Adapter 1 (eth0) is set to internal network and will therefore not work out of the box. There are two choices to fix this. NAT (recommended) or bridged network.

NAT (RECOMMENDED)[edit]

If you use NAT you will have to edit the /etc/network/interfaces in Whonix-Workstation to use DHCP (easier, shown in the example below) or a static IP for VirtualBox NAT.

sudo nano /etc/network/interfaces

Replace it with.

## Whonix-Workstation
## /etc/network/interfaces in a VM
## when using Physical Isolation.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

## end of /etc/network/interfaces

Bridged Network (UNTESTED / NOT RECOMMENDED)[edit]

If you use bridged networking things will (or should, we haven't tested anything yet) just work.

Since in the bridged network case, Whonix-Workstation can see the MAC address of whatever network adapter it is connected to, you should change the MAC address of the Workstation host and of the Whonix-Gateway.

See Whonix in public networks.

Macvtap on KVM[edit]

Change the network source of the ethernet nic to "macvtap" and the source mode to "passthrough" Be aware, you can't use networking on the host anymore.

Attach an USB-ethernet adapter to the VM[edit]

Remove the network adapter from the VM and instead attach an USB-ethernet adapter to the host and redirect it to the VM.

Install Whonix-Workstation on hardware (NOT RECOMMENDED)[edit]

Install Whonix-Workstation on hardware without using a VM is recommended against, because hardware serials would be visible to Whonix-Workstation.

The instructions are very similar, if not the very same, to those in "How To Install Whonix-Gateway on hardware" above. You have to use --flavor whonix-workstation instead of --flavor whonix-gateway.

Expected Build Warnings[edit]

Can not write log, openpty() failed (/dev/pts not mounted?)

This does not affect the build. ^[28]

[....] Your system does not have the CPU extensions required to use KVM. Not doing anything. ...[ FAIL ]

This does not affect the build. ^[29]

[....] Stopping VirtualBox kernel modules [ ok ].
[....] Starting VirtualBox kernel modules[....] No suitable module for running kernel found ...[ FAIL ]
invoke-rc.d: initscript virtualbox, action "restart" failed.

This does not affect the build. ^[30]

WARNING: The character device /dev/vboxdrv does not exist.
	 Please install the virtualbox-ose-dkms package and the appropriate
	 headers, most likely linux-headers-486.

	 You will not be able to start VMs until this problem is fixed.

This does not affect the build. ^[31]

dpkg: warning: failed to open configuration file '/root/.dpkg.cfg' for reading: Permission denied

This does not affect the build. ^[32]

sudo: unable to resolve host host

This does not affect the build. ^[33]

Related forum topic:
Expected Build Warnings

After installing[edit]

Further required reading: Documentation. The host security chapter applies to both computers!

Read and apply the Post Installation Security Advice.

Stay tuned[edit]

Introduction[edit]

It is important to read the latest Whonix news to stay in touch with ongoing developments. This way users benefit from notifications concerning important security vulnerabilities and improved releases which address identified issues, like those affecting the updater or other core elements.

Stay Tuned[edit]

Whonix News Forums[edit]

For user convenience, there are multiple avenues for receiving news. Choose the most suitable option below.

1. Whonix Important News Forum Tag (v3 onion) - Only critical information is reported. This includes security vulnerabilities and new stable Whonix versions. It is best suited for people with very limited time and interest in Whonix development and news.
2. Whonix News Forums (v3 onion) - This includes everything including important news and has a relaxed posting policy. Testers-only and developers Whonix versions are announced here, along with the publishing of news about updated articles, new features, future features, development, calls for testing, general project ideas and so on.
3. Other choices. ^[34]

If time-constrained, users should at least read the Whonix Important News Forum Tag. Follow the Whonix News Forums if detailed anonymity / privacy / security-related issues are of interest, or to follow recent Whonix developments.

Operating System Updates[edit]

As strongly recommended in the Security Guide, it is necessary to regularly check for operating system updates on the host operating system, and both the Whonix-Workstation and Whonix-Gateway.

Social Media Profiles[edit]

There are some Whonix Social Media Profiles online, but please do not rely on them for the latest Whonix News or to contact Whonix developers (see Contact for contact information).

As some users will disregard this advice, messages from the Whonix Feature Blog are automatically mirrored to the Whonix Twitter Profile and the Whonix Facebook Profile. However, they are not mirrored to the Whonix Google+ Profile. Diaspora Whonix and Tumblr accounts have also recently been established.

If it is safe to inform others about Whonix, feel free to Contribute via an anonymous account that follows or likes these profiles. This page can be shared on: Twitter | Facebook.

Source Code[edit]

If Whonix source code updates are of interest, subscribe to code changes.

Tor Bootstrap[edit]

Tor bootstrap refers to the process of attempting to connect to the Tor network (successfully or unsuccessfully). Familiar output related to this process includes: "Tor connecting xx percent...", "Tor not connected", "Tor connected" and so on. Bootstrapping does not refer to related concepts, such as whether connections are "secure", "not secure", "anonymous" or "not anonymous".

Tor Browser[edit]

Tor Browser's built-in update check mechanism also works in Whonix, so use it whenever updates become available. ^[35]

For additional information about Tor Browser updates see Tor Browser. Additionally, consider subscribing to https://blog.torproject.org for developments from The Tor Project.

Whonix Version Check and Whonix News[edit]

Whonix Version Check (first rectangle in black) and Whonix News (second rectangle in green)

whonixcheck can provide notifications about new Whonix versions and critical Whonix News updates. ^[36]

Running whonixcheck[edit]

whonixcheck verifies that the Whonix system is up-to-date and that everything is in proper working order.

Users can manually run whonixcheck to check the system status by following the steps below.

How to Manually Run whonixcheck[edit]

whonixcheck

Depending on the system specifications, whonixcheck may take up to a few minutes to run. Assuming everything is working as intended, the output should highlight each INFO heading in green (not red). A successful whonixcheck process results in output similar to the sample below.

Sample whonixcheck Output[edit]

[INFO] [whonixcheck] anon-whonix | Whonix-Workstation | {{whonix-ws}} TemplateBased AppVM | Thu Aug 9 18:09:23 UTC 2018
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases STRETCH-PROPOSED-UPDATES updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.whonix.org/wiki/Trust to understand the risk.
If you want to change this, use:
    sudo whonix_repository
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get... ( Documentation: https://www.whonix.org/wiki/Update )
[INFO] [whonixcheck] Debian Package Update Check Result: No updates found via apt-get.

Whonix Repository Testers[edit]

Whonix requires a critical mass of users to properly test planned updates by enabling the stable-proposed-updates or testers repository. ^[38] Otherwise, bugs might go undiscovered and be inadvertently introduced into the stable repository.

To ensure a stable Whonix system is available at all times, willing testers should:

• Create new Whonix-Workstation and Whonix-Gateway TemplateVMs solely for testing.
• Enable the stable-proposed-updates or testers repository via the Whonix repository tool.
• Platform-specific advice:
  • Non-Qubes-Whonix: Create a clean snapshot or use Multiple Whonix-Workstations / Multiple Whonix-Gateways.
  • Qubes-Whonix: Use separate TemplateVMs and separate sys-whonix-test and anon-whonix-test TemplateBasedVMs.
• And perform normal user activities.

Please only report bugs after first searching relevant Whonix forums and developer portals for the problem.

Footnotes[edit]

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)

Extra packages for better hardware support[edit]

Some packages for bare metal may or may not be missing. Here is a probably incomplete list of packages, which may or may not be useful for better hardware support. Some suggestions.

xorg
xserver-xorg-input-all
xserver-xorg-input-wacom
xserver-xorg-input-geode
xserver-xorg-input-vmmouse
xserver-xephyr

xserver-xorg-input-*
xserver-xorg-*

acpi-support-base
acpid
acpi

discover
discover-modprobe
discover-data

hwdata

mdetect

apt-cache show task-desktop
apt-cache show task-kde-desktop
apt-cache show task-laptop

If you have EFI bios.

grub-efi-amd64

To get a more complete list, install Debian (with KDE) on bare metal using the regular Debian installer medium.

• diff "dpkg -l" with Whonix
• diff "sudo lsmod" with Whonix
• contribute your findings

• See also: http://wiki.debian.org/HardwareAutodetection

Troubleshooting[edit]

• Slow network speed? Eventually it is the fault of your wifi driver? We had such a report in the forum.
• No connection between Whonix-Gateway and Whonix-Workstation? Could have something to do with Auto-MDIX. We had such a report in the forum.

Known bugs[edit]

Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.

Suspend / Hibernate Issues[edit]

Short: Avoid suspending or hilbernating the computer or Whonix VMs while Whonix is running.

Long: Network Time Syncing, Troubleshooting#Clock Fix. ^[1]

Mounting (CD / DVD) Devices[edit]

If the device auto mounter is broken, see if Start menu -> System Settings -> Removable Media helps.

The following workaround can be used.

sudo mkdir /mnt/cdrom

sudo mount -o ro /dev/cdrom /mnt/cdrom/

Using the ro flag will mount the CD / DVD in read-only mode. If a CD / DVD is not being mounted, then drop the "-o ro" parameter.

Forum discussion:
https://forums.whonix.org/t/workstation11-doesnt-mount-hdds/1313

Help fixing this bug is welcome! (ticket)

VLC / Video Player Crash[edit]

The following workaround can be used.

(This is the default in recent builds, in Whonix 14. ^[2])

VLC -> Tools -> Preferences -> Video -> Output -> X11 -> Save

Network Manager Systray Unmanaged Devices[edit]

Short answer: Unmanaged devices are unrelated to Whonix functioning and should not concern the user.
Long answer: ^[3]

All Platforms[edit]

"apt-get source package" will show "dpkg-source: warning: failed to verify signature"[edit]

This is not a security issue, but only a warning. Read the entire thread here for more information.

This warning message can be removed with the following workaround below.

1. Modify /etc/dpkg/origins/default

sudo unlink /etc/dpkg/origins/default

sudo ln -s /etc/dpkg/origins/debian /etc/dpkg/origins/default

2. Download the source package.

apt-get source package

3. Undo afterwards to prevent unexpected issues.

sudo unlink /etc/dpkg/origins/default

sudo ln -s /etc/dpkg/origins/whonix /etc/dpkg/origins/default

Proxychains Tor Browser Issue[edit]

Using Tor Browser in conjunction with proxychains for the connection scheme: User -> Tor -> Proxy -> Internet
does not currently work. For more information, see here.

VirtualBox[edit]

Screen Resolution Bug[edit]

If your window looks like the image on the right side, you are affected by the Screen Resolution Bug. This is only happening with Whonix for VirtualBox with XFCE. To fix this, please apply the following workaround.

1. Maximize Window

2. VirtualBox VM Windows -> View -> Virtual Screen 1 -> choose any, resize to some other resolution

3. VirtualBox VM Windows -> View -> Auto-resize Guest Display

ATA Freeze[edit]

If you see the following error and freezing.

433.348893] mptscsih: ioc0: attempting target reset! (sc=ffff81021b950940)
433.348896] sd 0:0:0:0: [sda] CDB: ATA command pass through(16): 85 08
0e 00 d5 00 01 00 09 00 4f 00 c2 00 b0 00
433.605026] mptscsih: ioc0: target reset: SUCCESS (sc=ffff81021b950940

It is a known issue.
VirtualBox upstream bug report: https://www.virtualbox.org/ticket/10031
Cannot be fixed by the Whonix team. Patches required. Hardware specific.
It has been reported that running form internal hdd works better than running from external devices.
A workaround might be "avoid high load on your host operating system". If this bug causes a lot issues to you, your only option is to switch to another platform.

Non-Qubes-Whonix[edit]

Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.

Suspend / Hibernate Issues[edit]

Short: Avoid suspending or hilbernating the computer or Whonix VMs while Whonix is running.

Long: Network Time Syncing, Troubleshooting#Clock Fix. ^[4]

Mounting (CD / DVD) Devices[edit]

If the device auto mounter is broken, see if Start menu -> System Settings -> Removable Media helps.

The following workaround can be used.

sudo mkdir /mnt/cdrom

sudo mount -o ro /dev/cdrom /mnt/cdrom/

Using the ro flag will mount the CD / DVD in read-only mode. If a CD / DVD is not being mounted, then drop the "-o ro" parameter.

Forum discussion:
https://forums.whonix.org/t/workstation11-doesnt-mount-hdds/1313

Help fixing this bug is welcome! (ticket)

VLC / Video Player Crash[edit]

The following workaround can be used.

(This is the default in recent builds, in Whonix 14. ^[5])

VLC -> Tools -> Preferences -> Video -> Output -> X11 -> Save

Network Manager Systray Unmanaged Devices[edit]

Short answer: Unmanaged devices are unrelated to Whonix functioning and should not concern the user.
Long answer: ^[6]

Qubes-Whonix[edit]

Missing Qubes Appmenu Entries in anon-whonix[edit]

In Qubes R3.2, anon-whonix in Whonix 14 does not have Qubes appmenus (start menu) entries by default. These must be manually added:

Qubes appmenu -> anon-whonix -> Add more shortcuts

This issue has been fixed in Qubes R4. ^[7]

Template Installation qubesctl Error[edit]

The following qubesctl error message can be safely ignored: ^[8]

[user@dom0 ~]$ sudo qubesctl state.sls qvm.anon-whonix
[ERROR   ] Command ['dnf', '--quiet', 'clean', 'expire-cache', '--disablerepo=*', '--enablerepo=qubes-templates-community-testing'] failed with return code: 1                                                                                                                
[ERROR   ] output: Error: Unknown repo: 'qubes-templates-community-testing'

Security and Support Status[edit]

Whonix Physical Isolation has no dedicated maintainer. It is a leftover from previous times, where no other supported platforms were supported. This setup, these instructions still work. Some users are still using them. But Patrick's focus has now moved to Qubes. Grave security issues are unlikely due to Whonix's design. There is no Whonix team member testing Whonix physical isolation. No progress on the Whonix Physical Isolation development task list should be expected. That's why the supported platforms table lists Physical Isolation in the column 'security' with 'experimental'.

Help Wanted[edit]

• work on the Whonix Physical Isolation development task list (not even filled up)
• Become Whonix Physical Isolation maintainer so the #Security and Support Status can be improved.

Footnotes / References[edit]

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)