Jump to: navigation, search

Other Operating Systems

Introduction[edit]

Whonix-Gateway supports torification of any operating system, including Microsoft Windows and others.

Using a default workstation is easier and provides more Security out of the box! It's your responsibility to get the same security features for a Whonix-Custom-Workstation, see Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation at the bottom of the page for details.

Also note that its strongly discouraged to anonymize VMs that have once connected to the clearnet. It could be the case that they might have leaked an identifier or created some network fingerprint that is still recognizable even when running it with Tor. Using it would unmask your traffic.

Windows-Whonix-Workstation[edit]

Introduction[edit]

XP, Vista and Windows are known to work behind Whonix-Gateway. While it's possible, it's not recommended and only for advanced users. This is because, there are issues with Windows. Those are not Whonix issues. Whonix developers cannot fix those issues. One issue is, that Windows is closed source. Rather, Windows is affected by Transparent Proxy Leaks and other issues. For more information and depending on your security requirements, read the following chapters.

Easy[edit]

Easiest, but least secure option. (#more security)

For Qubes-Whonix, click on expand on the right.

Create a new VM.

Set sys-whonix as your VMs NetVM.

For Non-Qubes-Whonix, click on expand on the right.

Download and use the default Whonix-Gateway.

Download and import it the same way you would do for Whonix-Default/Download-Version. No other changes required to Whonix-Gateway for this use case!

Set up a Whonix-Custom-Workstation.

There are currently two ways to set up a Whonix-Custom-Workstation. Either 1) manually create a VirtualBox VM (old, stable way); or 2) download and import Whonix-Custom-Workstation (experimental, testers-only).

If you want to manually create a VirtualBox VM (old, stable way), click on expand on the right.

Create a VirtualBox VM.

VirtualBox -> Machine -> New -> Next -> Enter Name (for example: myVM) -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next hdd size and location is a matter of preference -> Next -> Create

Switch VirtualBox VM settings.

Choose the newly created VM (for example: myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Motherboard -> Pointing Device -> PS/2 Mouse (required so that USB controller may be disabled)

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

(Note: It's Whonix, not whonix. Case sensitive. Capital W.)

USB -> uncheck Enable USB controller

-> OK

If you want to download and import Whonix-Custom-Workstation template (experimental, testers-only), click on expand on the right.

The idea behind this method is, that you do not have to manually create a new virtual machine. To simplify the process, you can just download and import a so called Whonix-Custom-Workstation. This has the advantage, that you have all security settings for the virtual machine, you cannot forget to apply any settings and it is easier.

Latest Whonix-Custom-Workstation Version: 9

Don't wonder, the version number for Whonix-Gateway and Whonix-Default/Download-Version might be higher than the version for Whonix-Custom-Workstation. This is normal. [1]

Download, verify.

Download

OpenPGP Signature

Import.

Rename the virtual machine to something else.[2] (VirtualBox -> Right click on VM -> Settings -> Name) (For example: myVM)

Please report in the forums if you used this and how it worked for you.

Start VM and Install Operating System.

Start the newly created VM (for example: myVM).

Insert the installation dvd.

You don't have to install updates while installing. You can do that right after installing, after the network has been set up.

username: user
computer name: host

Configure network.

For Windows 7 (similar in Windows XP): In Control Panel -> Network and Sharing Center: click on "Change adapter settings" Right-click on local area connection > properties In property window: double-click Internet Protocol Version 4, use the following settings:

# increment last octet of IP address on additional workstations
IP address 10.152.152.50
Subnet netmask 255.255.192.0
Default gateway 10.152.152.10
Preferred DNS server 10.152.152.10

Download operating system updates.

Whonix-FreeBSD-Workstation[edit]

Create a new FreeBSD VM on VirtualBox

VirtualBox -> Machine -> New -> Next -> Enter Name (for example: myVM) -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next hdd size and location is a matter of preference -> Next -> Create

Install FreeBSD and upgrade it

This is necessary as freebsd-update or pkg do not support socks.

#Base OS patches as root
root_shell> freebsd-update fetch install 

#Application updates
root_shell> pkg upgrade

You will need a http proxy chained to tor gateway to torify pkg or freebsd-update, else you risk loosing patches. Use one of privoxy/proxychains/tsocks when using the Whonix-Gateway.

Install necessary applications.

root_shell> pkg install privoxy 

After this shutdown the VM.

root_shell> shutdown -p now

Change the VirtualBox VM settings

Choose the newly created VM (for example: myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Motherboard -> Pointing Device -> PS/2 Mouse (required so that USB controller may be disabled)

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

(Note: It's Whonix, not whonix. Case sensitive. Capital W.)

USB -> uncheck Enable USB controller

-> OK

Start VM and proceed to configure the OS inside the VM.

Configure network.

In your Custom-Workstation. Open a terminal and edit as a privileged user /etc/rc.conf

You need to configure a single interface, here it is em0, there should not be any other 'ifconfig' statements:

#Increment the octect of IP address for configuring other workstations.
ifconfig_em0="inet 10.152.152.12 netmask 255.255.192.0"
defaultrouter="10.151.152.10"


For the address resolution to work. Open /etc/resolv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/resolv.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/resolv.conf

and delete everything, then add

nameserver 10.152.152.10

Restart network service:

root_shell> service netif restart

Confirm changes by running ifconfig.

Whonix-GNU/Linux-Workstation[edit]

Easy[edit]

Easiest, but least secure option. (#more security)

For Qubes-Whonix, click on expand on the right.

Create a new VM.

Set sys-whonix as your VMs NetVM.

For Non-Qubes-Whonix, click on expand on the right.

Download and use the default Whonix-Gateway.

Download and import it the same way you would do for Whonix-Default/Download-Version. No other changes required to Whonix-Gateway for this use case!

Set up a Whonix-Custom-Workstation.

There are currently two ways to set up a Whonix-Custom-Workstation. Either 1) manually create a VirtualBox VM (old, stable way); or 2) download and import Whonix-Custom-Workstation (experimental, testers-only).

If you want to manually create a VirtualBox VM (old, stable way), click on expand on the right.

Create a VirtualBox VM.

VirtualBox -> Machine -> New -> Next -> Enter Name (for example: myVM) -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next hdd size and location is a matter of preference -> Next -> Create

Switch VirtualBox VM settings.

Choose the newly created VM (for example: myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Motherboard -> Pointing Device -> PS/2 Mouse (required so that USB controller may be disabled)

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

(Note: It's Whonix, not whonix. Case sensitive. Capital W.)

USB -> uncheck Enable USB controller

-> OK

If you want to download and import Whonix-Custom-Workstation template (experimental, testers-only), click on expand on the right.

The idea behind this method is, that you do not have to manually create a new virtual machine. To simplify the process, you can just download and import a so called Whonix-Custom-Workstation. This has the advantage, that you have all security settings for the virtual machine, you cannot forget to apply any settings and it is easier.

Latest Whonix-Custom-Workstation Version: 9

Don't wonder, the version number for Whonix-Gateway and Whonix-Default/Download-Version might be higher than the version for Whonix-Custom-Workstation. This is normal. [3]

Download, verify.

Download

OpenPGP Signature

Import.

Rename the virtual machine to something else.[4] (VirtualBox -> Right click on VM -> Settings -> Name) (For example: myVM)

Please report in the forums if you used this and how it worked for you.

Start VM and Install Operating System.

Start the newly created VM (for example: myVM).

Insert the installation dvd.

You don't have to install updates while installing. You can do that right after installing, after the network has been set up.

username: user
computer name: host

Configure network.

For Qubes-Whonix, you do not have to configure the network.

For Non-Qubes-Whonix, click on expand on the right.

In your Custom-Workstation.

Open /etc/network/interfaces in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/network/interfaces

If you are using a terminal-only Whonix, run:

sudo nano /etc/network/interfaces

You only need to configure eth0:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface, leave as it is
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
# increment last octet of IP address on additional workstations
       address 10.152.152.12
       netmask 255.255.192.0
       #network 10.152.152.0
       #broadcast 10.152.152.255
       gateway 10.152.152.10

In your Custom-Workstation. Open /etc/resolv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/resolv.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/resolv.conf

and delete everything, then add

nameserver 10.152.152.10

Download operating system updates.

For Debian based Linux, such as Ubuntu, see updates.

Whonix-Android-Workstation[edit]

Easy[edit]

VM settings are the same: attach the network adapter to the internal network named Whonix

Android x86 doesn't seem to support static IPs for Ethernet, so a DHCP server needs to be set up on Whonix-Gateway.

Install a DHCP server package:

sudo apt-get install isc-dhcp-server

Note that it won't start, because it's not configured yet

Modify /etc/dhcp/dhcpd.conf to look like this:


option domain-name "whonix";
option domain-name-servers 10.152.152.10;
subnet 10.152.128.0 netmask 255.255.192.0 {
        range 10.152.152.12 10.152.152.15;
        option subnet-mask 255.255.192.0;
        option broadcast-address 10.152.191.255;
        option routers 10.152.152.10;
}
default-lease-time 600;
max-lease-time 7200;

Run

sudo dpkg-reconfigure isc-dhcp-server

and choose eth1 as interface for the DHCP server to run on.

After this the DHCP server on workstation starts properly and the Whonix Gateway is ready to serve a dynamic IP to the Android x86 Whonix-Workstation.

More security[edit]

Recommendations:

  • Verify operating system installation CD, compare with sha256 hash or even better verify the gpg signature, if available.
  • Install while the Virtual Machine has no internet connection.
  • Set your username to user.
  • Disable Internet Time Syncing.
  • Set your Time Zone to UTC.
  • Set up a static IP.
  • In case you want to run more than one Whonix-Workstation at the same time, it's recommended reading the Introduction in the Multiple Whonix-Workstations article.
  • Read Security Guide, Documentation and Design (which is Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific) and try to apply as much from it to Windows as possible.

Even more security[edit]

General[edit]

Recommendations:

  • Prevent Transparent Proxy Leaks by disabling Whonix-Gateway's Transparent Proxy feature. Instead use your Windows Whonix-Workstation behind an Isolating Proxy. See Stream Isolation for more information and instructions on how to disable the Transparent Proxy feature.
  • Check your host clock out of band (use a watch or atomic clock).
  • Set your host and your Workstation clock to show seconds as well. After booting the Whonix-Windows-Workstation, add a random skew to your clock, maybe +/- 1 to 30 seconds. Optimal values are still under investigation. For reference, see Whonix's Secure And Distributed Time Synchronization Mechanism, it's Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific, but most information also applies to Windows. Since we are not aware of a tails_htp alternative for Windows, you have to do it manually.

VM settings[edit]

Qubes-Whonix users, can skip this.

For Non-Qubes-Whonix, click on expand on the right.

If you downloaded and imported the Whonix-Custom-Workstation template, this section can be skipped. [5]

If you manually created a VirtualBox VM, click on expand on the right.

Find out the VM name you are using.

vboxmanage list vms

Apply these settings. [6]

VBoxManage modifyvm "yourvmname" --synthcpu on
VBoxManage modifyvm "yourvmname" --acpi on
VBoxManage modifyvm "yourvmname" --ioapic on
VBoxManage modifyvm "yourvmname" --rtcuseutc on
VBoxManage setextradata "yourvmname" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" "1"

Disable clipboard sharing. Only matters if guest additions are installed which is recommended against. Just in case.

VBoxManage modifyvm "yourvmname" --clipboard disabled

Disable Drag'n'Drop support. Only matters if guest additions are installed which is recommended against. Just in case.

VBoxManage modifyvm "yourvmname" --draganddrop disabled

It would be prudent if you verify, that we haven't forgot any settings on this wiki page compared to settings we are using in Whonix source code. If you are interested, click on Expand on the right.

In Whonix source code look into build-steps.d/2500_create-vbox-vm for the functions general_setup, workstation_specific. Apply any missing settings from build-steps.d/2500_create-vbox-vm. You can and should drop the "sudo -u $USERNAME".

The following settings are not required (because recommended earlier or done by the gui creation process):

  • --name
  • storagectl
  • storageattach
  • --memory
  • --pae
  • --intnet1
  • --cableconnected
  • --macaddress1
  • --audiocontroller
  • --audio
  • --rtcuseutc

Whonix Packages[edit]

Whonix's Debian Packages (overview), such as for example uwt, are available for installation from source and Whonix's apt repository (example instructions). Installation (of some) anonymity/security/privacy/usability related ones of them might be interesting for users of Debian and Debian derivatives.

Note, that usage of these package outside of Whonix is untested and there is no maintainer that supports this use case.

The current Whonix team can only maintain a limited amount of things, has limited resources and focuses on other priorities. If you have developer skills, would you be interested to contribute by co-maintaining one or another package for using them outside of Whonix?

Most security[edit]

Use the default Whonix VMs and build them yourself from source.

Ubuntu[edit]

Debian[edit]

Whonix-Default/Download-Version is already based on Debian Wheezy / Stable. You may be interested to read:

Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation[edit]

Introduction[edit]

Read first: Comparison of different Whonix variants!

Note: Whonix-BuildYourselfFromSource-Workstation is of course the same as Whonix-Download-Workstation.

Table[edit]

Whonix-Download-Workstation Whonix-Custom-Workstation
Based on Debian Wheezy GNU/Linux Any of your choice.
Amnesic No No
Protection against root exploits (Malware with root rights) on the Workstation [7] Yes [7] Yes [7]
IP/DNS protocol leak protection Full [7] Full [7]
Takes advantage of Entry Guards Yes Yes
Operating System Updates persist once updated Yes Depends if gets installed or is a Live CD.
Hides hardware serials from malicious software Yes [7] Yes [7]
Collects (virtual) hardware serials No Depends on the custom operating system
Includes Tor Browser Yes Your responsibility to install Tor Browser. [8] [9]
Includes Firefox privacy patches [10] and Tor Button (=Tor Browser) Yes, because it uses Tor Browser (without Tor/Vidalia). Your responsibility to install Tor Browser. [8]
Prevents Tor over Tor for Tor Browser Yes Your responsibility to prevent Tor over Tor. [8]
Stream isolation to prevent identity correlation through circuit sharing Yes Your responsibility to use Stream Isolation.
Stream isolation in Tor Browser No [7] No [7]
Encryption Should be applied on host. Should be applied on host.
Cold Boot Attack Protection [7] No No
Secure Distributed Network Time Synchronization Yes Your responsibility to install it.
Hides your time zone (set to UTC) Yes Your responsibility to set clock to UTC.
Hides your operating system account name Yes, set to user. Your responsibility to set username to user.
Hides your MAC address from websites Invalid [7] Invalid [7]
Secures your MAC address from local LAN (sometimes ISP) [7] No, planned, see. [7] Your responsibility. [7]
Hides your hosts MAC address from applications Yes [7] Yes [7]
Secure gpg.conf Yes Your responsibility to use a secure gpg.conf.
Privacy enhanced IRC client configuration. Yes Your responsibility to configure the IRC client for enhanced privacy.

Conclusion[edit]

The Whonix-Download-Workstation is already preconfigured with all Whonix extra security features.

A Whonix-Custom-Workstation can be made (Your responsibility!) as secure as a Whonix-Download-Workstation. If you simply create [11] a Whonix-Custom-Workstation it has still some security advantages, for example full IP/DNS protocol leak protection, but not all, for example it lacks Secure Distributed Network Time Synchronization. The details are listed in the table above.

Missing Documentation[edit]

You might wonder what "your responsibility" means. Some users are wondering, where the documentation for these aspects can be found. No documentation has been written yet. There is a lack of resources to maintain such instructions. I.e. writing them, and more so, keeping them up to date, testing them, answering support requests, fixing bugs and implementing feature requests. Please contribute. For more detailed explanation, see also Whonix Packages.

References[edit]

  1. This is because redistributing a newer Whonix-Custom-Workstation is only worth the effort, if the settings for the virtual machine have changed. For example, these have not changed between Whonix 9 and Whonix 9.2. So Whonix-Custom-Workstation version 9 is up to date enough (because it comes with an empty virtual hard drive, so no software could be outdated).
  2. It would not be necessary to rename the VM at this point, but if users are told to rename it now, and later import another Whonix-Custom-Workstation, they won't run into any naming conflicts due to another VM using that name.
  3. This is because redistributing a newer Whonix-Custom-Workstation is only worth the effort, if the settings for the virtual machine have changed. For example, these have not changed between Whonix 9 and Whonix 9.2. So Whonix-Custom-Workstation version 9 is up to date enough (because it comes with an empty virtual hard drive, so no software could be outdated).
  4. It would not be necessary to rename the VM at this point, but if users are told to rename it now, and later import another Whonix-Custom-Workstation, they won't run into any naming conflicts due to another VM using that name.
  5. Because the Whonix-Custom-Workstation template already comes with these settings by default.
  6. If you want to know what these settings are good for, see build-steps.d/2500_create-vbox-vm in Whonix source code folder.
  7. 7.00 7.01 7.02 7.03 7.04 7.05 7.06 7.07 7.08 7.09 7.10 7.11 7.12 7.13 7.14 7.15 7.16 Same footnote(s) as in Comparison of Whonix, Tails, Tor Browser Bundle, Qubes OS TorVM and Corridor and Tor Browser.
  8. 8.0 8.1 8.2 For help using Tor Browser without Tor over Tor (recommended), see:
  9. For explanation of the about:tor "Something went wrong" error, please see this forum thread.
  10. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
  11. Install or use a Live CD/DVD into Whonix-Workstation.

Random News:

We are looking for maintainers (developers).


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.