Multiple Whonix-Workstation ™

From Whonix

About this Whonix-Workstation ™ Page
Support Status: stable
Difficulty: easy
Maintainer: 0brand

Introduction

Whonix ™ is a secure operating system composed of two virtual machines which are isolated both from each other and from the host. This configuration averts many threats posed by malware, misbehaving applications and user error. While Whonix ™ protects against many real-world threats, [1] it is still possible for skilled adversaries to compromise Whonix-Workstation ™ (Qubes-Whonix ™: anon-whonix).

If a single Whonix-Workstation ™ is used for all anonymous activities and is exploited, the attacker gains access to all data inside it and can monitor all online activity. To minimize the impact of a compromise, it is recommended to use multiple Whonix-Workstation ™ VMs to compartmentalize different identities and/or additional software. Depending on individual preferences and requirements, a second, third ... nth Whonix-Workstation ™ VM can be created.

Multiple Whonix-Workstation ™ Rationale

Different torified clients can be used in a completely isolated manner with multiple Whonix-Workstation ™. By compartmentalizing each identity or client in its own VM, an attacker can only read the data in the compromised VM. For example, if Tor Browser in VM-1 was compromised it could not read a user's IRC identity in VM-2. [2]

One disadvantage of this configuration is that if the host Internet connection goes offline or Tor on Whonix-Gateway ™ (sys-whonix) suddenly fails, then all Whonix-Workstation ™ will go offline simultaneously. If multiple Tor clients were running and abruptly stop in unison, a network observer could link these activities to the same person. For instance, a strong correlation is formed if two Tor users in one IRC channel go offline at exactly the same time.

Qubes-Whonix ™ vs Non-Qubes-Whonix ™

Qubes-Whonix ™ is the recommended choice for multiple Whonix-Workstation ™ because it is specifically designed for compartmentalization (a.k.a. sandboxing) of multiple running VMs. This provides significant speed and security advantages relative to the traditional Type 2 hypervisor model, where two (or more) Whonix ™ VMs are run inside programs like VirtualBox on top of the host OS. For further information, see: Type 1 vs Type 2 Hypervisors and Why use Qubes over other Virtualizers?

Qubes-Whonix ™ also has a template-based filesystem which saves time and improves usability compared to Non-Qubes-Whonix ™:

  • Centralized Updates: AppVMs are based on the corresponding TemplateVM's root filesystem. After updating the TemplateVM, those same updates are reflected in the root filesystem of every TemplateBasedVM. Non-Qubes-Whonix ™ users must spend more time updating each VM individually.
  • Minimal Disk Usage: TemplateBasedVMs require far less disk space than traditional VMs since the AppVM's root filesystem is based on the corresponding template. The AppVM only requires enough disk space to hold user files in the /home directory.
  • VM Management: Cloning VMs is a simple two-step process which can be done in Qube Manager. Non-Qubes-Whonix ™ requires a multi-step process to clone and configure each VM.

Safety Precautions

Warning: While multiple Whonix-Workstation ™ are recommended, this is not an endorsement for using them simultaneously!

It is safest to use only one Whonix-Workstation ™ at a time and for a single activity. Running multiple Whonix-Workstation ™ at the same time introduces new risks. For instance, a single compromised Whonix-Workstation ™ could attempt various side-channel attacks to learn about running processes in other VMs, and not all of these can be defeated. Depending on user activities, a skilled adversary might be able to correlate multiple Whonix-Workstation ™ to the same pseudonym. Therefore, ideally, shut down all but one Whonix-Workstation ™ before using any other Whonix-Workstation ™.

Cross-VM Attack Vectors

Table: Cross-VM Attack Vectors (category, followed by its description)

Distributed Denial of Service (DDoS) Attack

If a DDoS attack is launched from an infected Whonix ™ VM, then:

  • Other Whonix-Workstation ™ can be DDoSed, and there is no current defense.
  • Other Whonix-Gateway ™s can also be DDoSed, and there is no current defense.

Exploits [3]

Following infection, an adversary could try to exploit the Whonix-Gateway ™ or other Whonix-Workstation ™:

  • Non-Qubes-Whonix ™: At risk.
  • Qubes-Whonix ™: Users are safe, unless Whonix-Gateway ™ is compromised first. [4]

Identity Correlation through Circuit Sharing

When different applications use the same Tor circuit and exit relay, these activities can be linked to the same pseudonym (see Stream Isolation for further details):

  • Non-Qubes-Whonix ™: Not a threat so long as the Whonix-Workstation ™ are not compromised. Tor on Whonix-Gateway ™ separates streams by client source address, so multiple Whonix-Workstation ™ configured with different internal IPs (see the instructions further below) are automatically stream-isolated from each other. [5]
  • Qubes-Whonix ™: No further action is necessary; see Firewall.

Impersonation [6]

System Stressing

An adversary could stress any system, network or software component such as the CPU, HDD, RAM, network connection or other Whonix-Workstation ™. The host could potentially be negatively affected as well.

How-to: Use more than One Whonix-Workstation ™ - EASY

Qubes-Whonix ™

Using multiple Whonix-Workstation ™ is simple in Qubes-Whonix ™.

1. Create an additional AppVM based on the Whonix-Workstation ™ template (whonix-ws-15) and give it a distinctive name.

2. Confirm the new AppVM is using sys-whonix as its NetVM.

If creating a new AppVM is unfamiliar, follow this link for step-by-step instructions: Create Whonix ™ Workstation AppVMs.

3. If the AppVM is connected to any Whonix-Gateway ™ other than sys-whonix, tell sdwdate-gui which gateway VM to use. [7] Do this inside the new AppVM: in Qubes, /usr/local lives on the AppVM's private volume, so the setting is specific to that AppVM and survives reboots.

Create the drop-in directory:

sudo mkdir -p /usr/local/etc/sdwdate-gui.d

Open /usr/local/etc/sdwdate-gui.d/50_user.conf in an editor with root rights. sudoedit is used here for better security; any other editor run as root achieves the same goal.

sudoedit /usr/local/etc/sdwdate-gui.d/50_user.conf

Add the following line, replacing sys-whonix2 with the name of the other Whonix-Gateway ™ VM: [8]

gateway=sys-whonix2

4. Save the file.
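The four steps above as one script. This is an added example and not code from the Whonix or Qubes projects: the first function runs in dom0 and uses the Qubes 4.x qvm-create and qvm-prefs tools to create the AppVM, then reads the NetVM setting back (the check in step 2) and fails if it is not the gateway asked for; the second runs as root inside the new AppVM and writes the sdwdate-gui drop-in from step 3. The template name whonix-ws-15 comes from the page; the AppVM name anon-whonix-2, the label colour and the optional ROOT prefix (there only so the function can be exercised on a scratch directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Whonix or Qubes project code.
# Assumptions: Qubes 4.x qvm-tools in dom0 (qvm-create, qvm-prefs); the
# template whonix-ws-15 is the one named on the page; the AppVM name and
# the label colour are arbitrary.
set -eu

QVM_CREATE="${QVM_CREATE:-qvm-create}"
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# create_ws_appvm NAME GATEWAY [TEMPLATE]   (run in dom0)
# Creates the AppVM, sets its NetVM, then reads the setting back and
# fails if it does not match the requested gateway (step 2's check).
create_ws_appvm() {
    name="$1"; gateway="$2"; template="${3:-whonix-ws-15}"
    "$QVM_CREATE" --template "$template" --label purple "$name"
    "$QVM_PREFS" "$name" netvm "$gateway"
    actual="$("$QVM_PREFS" "$name" netvm)"
    if [ "$actual" != "$gateway" ]; then
        echo "$name: netvm is '$actual', expected '$gateway'" >&2
        return 1
    fi
}

# sdwdate_gui_conf GATEWAY [ROOT]   (run as root inside the new AppVM)
# Writes gateway=GATEWAY to /usr/local/etc/sdwdate-gui.d/50_user.conf and
# prints the path written. For the default sys-whonix nothing is written.
# ROOT is an optional prefix so the function can be tried on a scratch tree.
sdwdate_gui_conf() {
    gateway="$1"; root="${2:-}"
    [ "$gateway" = "sys-whonix" ] && return 0
    dir="$root/usr/local/etc/sdwdate-gui.d"
    mkdir -p "$dir"
    printf 'gateway=%s\n' "$gateway" > "$dir/50_user.conf"
    echo "$dir/50_user.conf"
}

# Usage:
#   in dom0:            sh this.sh create anon-whonix-2 sys-whonix
#   inside the AppVM:   sudo sh this.sh sdwdate sys-whonix2
case "${1:-}" in
    create)  create_ws_appvm "$2" "${3:-sys-whonix}" ;;
    sdwdate) sdwdate_gui_conf "$2" ;;
esac
```

The read-back after qvm-prefs is the part worth keeping: an AppVM whose NetVM silently defaults to something other than sys-whonix is exactly the misconfiguration step 2 exists to catch.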

Non-Qubes-Whonix ™

Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™: Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.

Info Note: The following instructions only apply to Download/Default-Whonix-Workstation ™ or Whonix ™ VMs built from source code. To use another operating system like Windows, other GNU/Linux, BSD etc., please see the Other Operating Systems chapter instead.

Warning: Each additional Whonix-Workstation ™ VM must have its own MAC address and internal LAN IP address. Two VMs with the same MAC or IP address conflict on the internal network, and two VMs sharing an internal IP also lose the per-address stream isolation described above.

1. Clone a fresh Whonix-Workstation ™ VM.

  • VirtualBox: In VirtualBox Manager, clone a clean Whonix-Workstation ™.
  • KVM: In Virtual Machine Manager, clone a clean Whonix-Workstation ™: highlight Whonix-Workstation ™ → Open → Virtual Machine → Clone

2. Assign a new MAC address to the cloned VM.

Info Note: A new MAC address is also necessary if an additional VirtualBox VM is imported rather than cloned.

  • VirtualBox: In VirtualBox Manager, assign a new MAC address: VirtualBox → Settings → Network → Adapter 1 → Advanced → MAC Address → Create a new MAC address (press the green round arrow icon) → OK
  • KVM: To change the internal network in KVM, see: Creating Multiple Internal Networks.

3. Edit the network interfaces file in Whonix-Workstation ™.

Open /etc/network/interfaces.d/30_non-qubes-whonix in an editor with root rights. sudoedit is used here for better security; any other editor run as root achieves the same goal.

sudoedit /etc/network/interfaces.d/30_non-qubes-whonix

Change the last octet of the address line so that it is unique among all Whonix-Workstation ™ behind this gateway. For example, change 10.152.152.11 to 10.152.152.12.

Save and exit.

4. Reboot.

Reboot the Whonix-Workstation ™ or alternatively restart networking:

sudo service networking restart

Done.

How-to: Use more than One Whonix-Workstation ™ - More Security

Multiple Whonix-Gateway ™s

Moved to Multiple Whonix-Gateway ™s.

Footnotes

  1. See: Protection Against Real World Attacks.
  2. Without using an additional exploit to successfully break out of the infected VM, which is a difficult task.
  3. To minimize the threat of exploits it is recommended to apply relevant instructions found in the System Hardening Checklist.
  4. For details, see Firewall.
  5. Since IsolateClientAddr is the Tor default.
  6. Like a man-in-the-middle attack or malicious gateway.
  7. Sparing users from needing to change this setting requires the upstream Qubes feature request "way to find out name of gateway from witin VM - qubesdb-read /qubes-gateway-name" or the qrexec feature request "send this over qrexec to the NetVM I am connected to / sys-whonix hardcoded / sys-whonix unexpected autostart" to get implemented.
  8. https://forums.whonix.org/t/sys-whonix-starting-spontainously-after-update/8123
  9. By default, AppVMs which are behind the same ProxyVM (or NetVM) are prevented from connecting to each other in Qubes.


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.