Last update: March 17, 2019.

Other Operating Systems

Introduction

Whonix-Gateway supports torification of any operating system, including Microsoft Windows and others.

Using a default workstation is easier and provides more security out of the box! It is your responsibility to get the same security features for a Whonix-Custom-Workstation; see Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation at the bottom of the page for details.

Also note that anonymizing VMs that have previously connected to the clearnet is strongly discouraged. Such a VM might have leaked an identifier or created a network fingerprint that is still recognizable even when it runs over Tor. Using it would unmask your traffic.

Windows-Whonix-Workstation

Introduction

Microsoft Windows XP, Vista, 7, 8 and 10 are known to work behind Whonix-Gateway. While this is possible, it is not recommended and is only for advanced users, because there are issues with Windows. Those are not Whonix issues, and Whonix developers cannot fix them. One issue is that Windows is closed source. In addition, Windows is affected by Transparent Proxy Leaks and other issues. For more information, and depending on your security requirements, read the following chapters.

Easy

This is the easiest, but least secure option. (See More security.)

For Qubes-Whonix:

1. Create a new VM.

2. Set sys-whonix as your VM's NetVM.

Qube Manager -> right-click vm-name -> NetVM -> sys-whonix -> OK [1]


For Non-Qubes-Whonix:

Download and Use the Default Whonix-Gateway

Download and import the Whonix-Gateway using the same procedure as per the Whonix-Default / Download-Version. No other Whonix-Gateway changes are required in this case!

Set up a Whonix-Custom-Workstation

There are currently two ways to set up a Whonix-Custom-Workstation. Either:

  1. Manually create a VirtualBox VM (established, old method).
  2. Download and import a Whonix-Custom-Workstation (stable method).

To manually create a VirtualBox VM using the established, old method:

1. Create a VirtualBox VM

Follow these steps in order:

VirtualBox -> Machine -> New -> Next -> Enter Name (for example, myVM) -> Enter Operating System and Version -> Next -> Define RAM -> Next -> Create a new HDD (or not) -> Next -> Disk format doesn't matter (VDI works well) -> Next -> Set dynamically or fixed size preference -> Next -> Set HDD size and location preference -> Next -> Create

2. Switch VirtualBox VM Settings

Follow these steps in order:

  • Choose the newly created VM (for example, myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC
  • System -> Motherboard -> Pointing Device -> PS/2 Mouse (required to disable the USB controller)
  • System -> Processor -> Enable PAE/NX (if available)
  • Network -> Adapter 1 -> Attached to Internal Network (important!)
  • Network -> Adapter 1 -> Name (of Internal Network) (important!): Whonix [2]
  • USB -> Uncheck Enable USB controller
  • -> OK

To download and import a Whonix-Custom-Workstation template using the stable method:

This method's advantage is that there is no need to manually create a new VM. The process is greatly simplified; the Whonix-Custom-Workstation only needs to be downloaded and imported. This approach has several benefits: it is easier, all security settings are set for the VM, and users don't have to remember and apply necessary settings.

The latest Whonix-Custom-Workstation Version is: 14.0.0.9.9

Although the version number for Whonix-Gateway and Whonix-Default / Download-Version might be far higher than the Whonix-Custom-Workstation version, this is normal. [3]

1. Download the Whonix-Custom-Workstation

Download the following image.

Download

2. Download the OpenPGP Signature

Download the corresponding OpenPGP signature.

OpenPGP Signature

3. Verify the Whonix Image

Follow these steps to verify the Whonix image.

4. Import and Rename the Virtual Machine

After importing the image, rename the virtual machine to something else. [4] VirtualBox -> Right-click on VM -> Settings -> Name (for example: myVM)

If this method was used, please report how well it worked in the Whonix forum.


Start VM and Install Operating System

  1. Start the newly created VM (for example: myVM).
  2. Insert the installation DVD.
  3. Updates don't have to be installed while installing the OS. Post-install, apply updates after the network has been set up.
  4. The username is: user. The computer name is: host

Configure network.

For Windows 7 (similar in Windows XP):

  1. In Control Panel -> Network and Sharing Center, click on "Change adapter settings".
  2. Right-click on the local area connection -> Properties.
  3. In the properties window, double-click Internet Protocol Version 4 and use the following settings:

## increment last octet of IP address on additional workstations
IP address 10.152.152.50
Subnet netmask 255.255.192.0
Default gateway 10.152.152.10
Preferred DNS server 10.152.152.10

Download operating system updates.

Tor Browser Settings

Help is welcome to finish these instructions for preventing Tor over Tor when using Tor Browser in Windows-Whonix-Workstation.

These steps are required to use Tor Browser when operating a Custom-Whonix-Workstation, specifically a Windows-Whonix-Workstation.

1. Install Tor Browser.

2. Use Tor Browser without bundled Tor.

Create a new text file in the folder where Tor Browser was extracted. For example, the file could have the following name.

Start TB without Tor.bat

Add the following content to that file. [5]

SET TOR_SKIP_LAUNCH=1

"Start Tor Browser.lnk"

Save.

3. Configure network settings.

Start Tor Browser.

The following links for removing and changing proxy settings do not apply one-to-one for Windows! Removal of proxy settings is best avoided, while changing proxy settings is a better choice.

How this is accomplished on Windows is currently undocumented, but user contributions to finish these instructions are most welcome.

  • Type: SOCKSv5.
  • IP address:
    • Qubes-Whonix
      • If Qubes Tools in the custom workstation are:
        • Installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-gateway inside the custom workstation.
        • Not installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-ip inside sys-whonix.
      • Unfortunately the IP address will not be static. [6] This means after restarting sys-whonix the connection might break and the IP address setting may need to be manually updated.
    • Non-Qubes-Whonix: 10.152.152.10
  • Port: 9100.
  • Do not change the No Proxies for setting.

4. Figure out missing instructions.

Missing instructions need to be ported from Linux-specific to Windows-specific, see Whonix-Linux-Workstation#Tor Browser Settings.

5. The process is now complete.


Whonix-FreeBSD-Workstation

Create a new FreeBSD VM on VirtualBox

VirtualBox -> Machine -> New -> Next -> Enter Name (for example: myVM) -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next hdd size and location is a matter of preference -> Next -> Create

Install FreeBSD and upgrade it

This is necessary as freebsd-update or pkg do not support socks.

## Base OS patches as root
root_shell> freebsd-update fetch install

## Application updates
root_shell> pkg upgrade

You will need an HTTP proxy chained to the Tor gateway to torify pkg or freebsd-update, or else you risk losing patches. Use one of privoxy/proxychains/tsocks when using the Whonix-Gateway.

Install necessary applications.

root_shell> pkg install privoxy

After this, shut down the VM.

root_shell> shutdown -p now

Change the VirtualBox VM settings

Choose the newly created VM (for example: myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Motherboard -> Pointing Device -> PS/2 Mouse (required so that USB controller may be disabled)

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

(Note: It is Whonix, not whonix. Case sensitive. Capital W.)

USB -> uncheck Enable USB controller

-> OK

Start VM and proceed to configure the OS inside the VM.

Configure network.

In your Custom-Workstation, open a terminal and edit /etc/rc.conf as a privileged user.

You need to configure a single interface (here it is em0); there should not be any other 'ifconfig' statements:

## Increment the last octet of the IP address when configuring additional workstations.
ifconfig_em0="inet 10.152.152.12 netmask 255.255.192.0"
defaultrouter="10.152.152.10"

For address resolution to work, open /etc/resolv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix with KDE, run.

kdesudo kwrite /etc/resolv.conf

If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.

kdesudo mousepad /etc/resolv.conf

If you are using a terminal-only Whonix, run.

sudo nano /etc/resolv.conf

and delete everything, then add

nameserver 10.152.152.10

Restart network service:

root_shell> service netif restart

Confirm changes by running ifconfig.


Whonix-GNU/Linux-Workstation

Easy

This is the easiest, but least secure option. (See More security.)

For Qubes-Whonix:

1. Create a new VM.

2. Set sys-whonix as your VM's NetVM.

Qube Manager -> right-click vm-name -> NetVM -> sys-whonix -> OK [7]


For Non-Qubes-Whonix:

Download and Use the Default Whonix-Gateway

Download and import the Whonix-Gateway using the same procedure as per the Whonix-Default / Download-Version. No other Whonix-Gateway changes are required in this case!

Set up a Whonix-Custom-Workstation

There are currently two ways to set up a Whonix-Custom-Workstation. Either:

  1. Manually create a VirtualBox VM (established, old method).
  2. Download and import a Whonix-Custom-Workstation (stable method).

To manually create a VirtualBox VM using the established, old method:

1. Create a VirtualBox VM

Follow these steps in order:

VirtualBox -> Machine -> New -> Next -> Enter Name (for example, myVM) -> Enter Operating System and Version -> Next -> Define RAM -> Next -> Create a new HDD (or not) -> Next -> Disk format doesn't matter (VDI works well) -> Next -> Set dynamically or fixed size preference -> Next -> Set HDD size and location preference -> Next -> Create

2. Switch VirtualBox VM Settings

Follow these steps in order:

  • Choose the newly created VM (for example, myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC
  • System -> Motherboard -> Pointing Device -> PS/2 Mouse (required to disable the USB controller)
  • System -> Processor -> Enable PAE/NX (if available)
  • Network -> Adapter 1 -> Attached to Internal Network (important!)
  • Network -> Adapter 1 -> Name (of Internal Network) (important!): Whonix [8]
  • USB -> Uncheck Enable USB controller
  • -> OK

To download and import a Whonix-Custom-Workstation template using the stable method:

This method's advantage is that there is no need to manually create a new VM. The process is greatly simplified; the Whonix-Custom-Workstation only needs to be downloaded and imported. This approach has several benefits: it is easier, all security settings are set for the VM, and users don't have to remember and apply necessary settings.

The latest Whonix-Custom-Workstation Version is: 14.0.0.9.9

Although the version number for Whonix-Gateway and Whonix-Default / Download-Version might be far higher than the Whonix-Custom-Workstation version, this is normal. [9]

1. Download the Whonix-Custom-Workstation

Download the following image.

Download

2. Download the OpenPGP Signature

Download the corresponding OpenPGP signature.

OpenPGP Signature

3. Verify the Whonix Image

Follow these steps to verify the Whonix image.

4. Import and Rename the Virtual Machine

After importing the image, rename the virtual machine to something else. [10] VirtualBox -> Right-click on VM -> Settings -> Name (for example: myVM)

If this method was used, please report how well it worked in the Whonix forum.


Start VM and Install Operating System

  1. Start the newly created VM (for example: myVM).
  2. Insert the installation DVD.
  3. Updates don't have to be installed while installing the OS. Post-install, apply updates after the network has been set up.
  4. The username is: user. The computer name is: host

Configure network.

For Qubes-Whonix, you do not have to configure the network.

For Non-Qubes-Whonix:

In your Custom-Workstation.

Open /etc/network/interfaces in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix with KDE, run.

kdesudo kwrite /etc/network/interfaces

If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.

kdesudo mousepad /etc/network/interfaces

If you are using a terminal-only Whonix, run.

sudo nano /etc/network/interfaces

You only need to configure eth0:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface, leave as it is
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
# increment last octet of IP address on additional workstations
       address 10.152.152.12
       netmask 255.255.192.0
       #network 10.152.152.0
       #broadcast 10.152.152.255
       gateway 10.152.152.10

In your Custom-Workstation. Open /etc/resolv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix with KDE, run.

kdesudo kwrite /etc/resolv.conf

If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.

kdesudo mousepad /etc/resolv.conf

If you are using a terminal-only Whonix, run.

sudo nano /etc/resolv.conf

and delete everything, then add

nameserver 10.152.152.10

Download operating system updates.

For Debian based Linux, such as Ubuntu, see Updates.

Configure Tor Browser Settings

When using Tor Browser, users should prevent Tor over Tor.



These instructions have been tested with Tor Browser v8.0.4. Connectivity might break in later Tor Browser versions, particularly if developers modify how Tor Browser networking is configured. [11]

1. Manually Download and Install Tor Browser.

2. Set multiple environment variables.


Open /etc/environment in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix with KDE, run.

kdesudo kwrite /etc/environment

If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.

kdesudo mousepad /etc/environment

If you are using a terminal-only Whonix, run.

sudo nano /etc/environment

Add.

## Deactivate tor-launcher,
## a Vidalia replacement as browser extension,
## to prevent running Tor over Tor.
## https://trac.torproject.org/projects/tor/ticket/6009
## https://gitweb.torproject.org/tor-launcher.git
TOR_SKIP_LAUNCH=1

## Environment variable to disable the "TorButton" ->
## "Open Network Settings..." menu item. It is not useful and confusing to have
## on a workstation, because this is forbidden for security reasons. Tor must be
## configured on the gateway.
TOR_NO_DISPLAY_NETWORK_SETTINGS=1

## environment variable to skip TorButton control port verification
## https://trac.torproject.org/projects/tor/ticket/13079
TOR_SKIP_CONTROLPORTTEST=1

3. Save and reboot.

From this point, only the browser component of Tor Browser will be started.

4. Verify environment variables.

env

The output should show.

TOR_NO_DISPLAY_NETWORK_SETTINGS=1
TOR_SKIP_CONTROLPORTTEST=1
TOR_SKIP_LAUNCH=1

5. Configure network settings. [12]

Now the file ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js must be created. This presupposes that Tor Browser has been installed as per step 1 and that a folder ~/.tb/tor-browser exists. If Tor Browser was installed to another folder, the path must be adjusted.

Open ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js in an editor.

If you are using a graphical environment, run.

kwrite ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

If you are using a terminal (Konsole), run.

nano ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

Add.

user_pref("extensions.torbutton.use_privoxy", false);
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.socks_port", 9100);
user_pref("network.proxy.socks", "10.152.152.10");
user_pref("network.proxy.socks_port", 9100);
user_pref("extensions.torbutton.custom.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.custom.socks_port", 9100);
user_pref("extensions.torlauncher.control_host", "10.152.152.10");
user_pref("extensions.torlauncher.control_port", 9052);

Save.

Tor is now disabled in Tor Browser.

The process is now complete.

Disable system-tor over Tor

system-tor must also be disabled to prevent Tor over Tor.

In the terminal, run.

Stop Tor.

sudo systemctl stop tor

Prevent Tor service from restarting after reboot.

sudo systemctl mask tor

The process is now complete.

Testing

Users must verify that Tor in Tor Browser and system-tor are disabled.


1. To start Tor Browser two options exist.

a) In the desktop file manager, move to the ~/.tb/tor-browser/Browser folder: Double-click: start-tor-browser.desktop

Or

b) In the terminal, move to the Tor Browser folder.

cd ~/.tb/tor-browser/Browser

Next, start Tor Browser.

./start-tor-browser

2. Once Tor Browser is started, verify system-tor is disabled.

sudo systemctl status tor@default

The output should be similar to the following, showing that the tor@default service is inactive (dead).

tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf
   Active: inactive (dead)

3. Next, reconfirm both system-tor and Tor (in Tor Browser) are not running.

Note: Output will show grep tor (command that was just run). This is of no concern.[13]

ps aux | grep tor

Output similar to the following shows system-tor is running. This indicates Tor over Tor prevention is broken! Users should immediately stop using Tor Browser and seek advice on the Whonix forums.

debian-+   707  0.1  0.9  89320 36400 ?        Ss   21:15   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

Done!
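The environment-variable check, the user.js proxy settings and the process check from the steps above, combined into one script. This is an added example, not part of the Whonix wiki; the function names and all sample files are constructed, and the awk filter is a stricter substitute for `ps aux | grep tor` that ignores the grep itself and the browser process.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki): audit the Tor over Tor settings.
# All sample files below are constructed; point the functions at the real
# /etc/environment, user.js and `ps aux` output on an actual workstation.

REQUIRED_VARS="TOR_SKIP_LAUNCH TOR_NO_DISPLAY_NETWORK_SETTINGS TOR_SKIP_CONTROLPORTTEST"

# Print each required variable that is NOT set to 1 in the given file.
# Lines that are commented out do not count. No output means all are set.
missing_env_vars() {
    for name in $REQUIRED_VARS; do
        grep -Eq "^[[:space:]]*${name}=\"?1\"?[[:space:]]*\$" "$1" || echo "$name"
    done
}

# Print the value of one user_pref("key", value); line, without quotes.
user_pref_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^user_pref(\"$key\", *\"\{0,1\}\([^\")]*\)\"\{0,1\});.*/\1/p" "$1" | tail -n 1
}

# Succeed only if user.js sends browser traffic to the given SOCKS host/port.
user_js_points_at() {
    [ "$(user_pref_value "$1" network.proxy.socks)" = "$2" ] &&
        [ "$(user_pref_value "$1" network.proxy.socks_port)" = "$3" ]
}

# Read `ps aux` output on stdin; print only processes whose executable is
# named exactly "tor". This skips the grep process and the browser, whose
# command line merely contains the word "tor".
local_tor_processes() {
    awk '{ n = split($11, path, "/"); if (path[n] == "tor") print }'
}

# --- constructed sample data ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/environment.good" <<'EOF'
TOR_SKIP_LAUNCH=1
TOR_NO_DISPLAY_NETWORK_SETTINGS=1
TOR_SKIP_CONTROLPORTTEST=1
EOF

# TOR_SKIP_LAUNCH is commented out, TOR_SKIP_CONTROLPORTTEST is absent.
cat > "$SAMPLE_DIR/environment.bad" <<'EOF'
## TOR_SKIP_LAUNCH=1
TOR_NO_DISPLAY_NETWORK_SETTINGS=1
EOF

cat > "$SAMPLE_DIR/user.js" <<'EOF'
user_pref("network.proxy.socks", "10.152.152.10");
user_pref("network.proxy.socks_port", 9100);
EOF

# The /usr/bin/tor line is the one shown on the page; the rest is constructed.
cat > "$SAMPLE_DIR/ps.txt" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
debian-+   707  0.1  0.9  89320 36400 ?        Ss   21:15   0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
user      1100  2.0  5.1 250000 90000 ?        Sl   21:16   0:10 ./firefox --class Tor Browser -profile TorBrowser/Data/Browser/profile.default
user      1053  0.0  0.0  12724   948 pts/1    S+   21:17   0:00 grep tor
EOF

echo "missing in good file: $(missing_env_vars "$SAMPLE_DIR/environment.good" | tr '\n' ' ')"
echo "missing in bad file:  $(missing_env_vars "$SAMPLE_DIR/environment.bad" | tr '\n' ' ')"
if user_js_points_at "$SAMPLE_DIR/user.js" 10.152.152.10 9100; then
    echo "user.js: SOCKS proxy is the gateway"
fi
echo "local tor processes (any line here means Tor over Tor):"
local_tor_processes < "$SAMPLE_DIR/ps.txt"
```

On a real workstation, run `missing_env_vars /etc/environment` and `ps aux | local_tor_processes`; both should print nothing.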


Whonix-Android-Workstation

With Static IP

Preferred!

VM settings are the same: attach the network adapter to the internal network named Whonix.

Configure Android x86 to use a static IP. On the Android VM run the following in the Terminal Emulator (tested on Nougat):

su

ifconfig eth0 10.152.152.12 netmask 255.255.192.0

ip rule add from all lookup main pref 0

busybox route add default gw 10.152.152.10

ndc resolver setnetdns 100 localdomain 10.152.152.10

Static IP routing and DNS should now be working. Note that ping uses ICMP and therefore is unsupported, so open the browser to check your connection.

With DHCP

VM settings are the same: attach the network adapter to the internal network named Whonix.

Android x86 doesn't seem to support static IPs for Ethernet, so a DHCP server needs to be set up on Whonix-Gateway.

Install a DHCP server package:

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the isc-dhcp-server package.

sudo apt-get install isc-dhcp-server

The procedure of installing isc-dhcp-server is now complete.

Note: It won't start, because it is not configured yet.

Open /etc/dhcp/dhcpd.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix with KDE, run.

kdesudo kwrite /etc/dhcp/dhcpd.conf

If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.

kdesudo mousepad /etc/dhcp/dhcpd.conf

If you are using a terminal-only Whonix, run.

sudo nano /etc/dhcp/dhcpd.conf

Replace its contents with the following.

option domain-name "whonix";
option domain-name-servers 10.152.152.10;
subnet 10.152.128.0 netmask 255.255.192.0 {
        range 10.152.152.12 10.152.152.15;
        option subnet-mask 255.255.192.0;
        option broadcast-address 10.152.191.255;
        option routers 10.152.152.10;
}
default-lease-time 600;
max-lease-time 7200;

Save.

Run.

sudo dpkg-reconfigure isc-dhcp-server

and choose eth1 as interface for the DHCP server to run on.

After this the DHCP server on workstation starts properly and the Whonix Gateway is ready to serve a dynamic IP to the Android x86 Whonix-Workstation.
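Why the subnet declaration above is 10.152.128.0 rather than 10.152.152.0: with netmask 255.255.192.0 the network and broadcast addresses follow from the gateway address by bit arithmetic. The script below is an added example, not part of the Whonix wiki; it recomputes both values and checks a dhcpd.conf against them. The function names and the second sample file (with /24-style values) are constructed.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki): check that a dhcpd.conf subnet
# declaration agrees with the netmask 255.255.192.0 used throughout the page.

# Convert dotted-quad a.b.c.d to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert an integer back to dotted-quad notation.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address = address AND mask.
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Broadcast address = network address with all host bits set.
broadcast_of() {
    mask=$(ip_to_int "$2")
    int_to_ip $(( ($(ip_to_int "$1") & $mask) | ($mask ^ 4294967295) ))
}

# Print field $3 of the first line in file $1 that starts with the words $2.
conf_field() {
    awk -v key="$2" -v n="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key " ") == 1 { print $n; exit }' "$1" | tr -d ';'
}

# Print one line per inconsistency; return non-zero if any was found.
check_dhcpd_conf() {
    conf=$1
    problems=0
    mask=$(conf_field "$conf" subnet 4)
    router=$(conf_field "$conf" "option routers" 3)
    want_net=$(network_of "$router" "$mask")
    want_bcast=$(broadcast_of "$router" "$mask")
    subnet=$(conf_field "$conf" subnet 2)
    bcast=$(conf_field "$conf" "option broadcast-address" 3)
    [ "$subnet" = "$want_net" ] ||
        { echo "subnet is $subnet, expected $want_net"; problems=1; }
    [ "$bcast" = "$want_bcast" ] ||
        { echo "broadcast-address is $bcast, expected $want_bcast"; problems=1; }
    for addr in $(conf_field "$conf" range 2) $(conf_field "$conf" range 3); do
        [ "$(network_of "$addr" "$mask")" = "$want_net" ] ||
            { echo "range address $addr is outside $want_net"; problems=1; }
    done
    return $problems
}

# --- sample data ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# The subnet block exactly as given on the page.
cat > "$SAMPLE_DIR/dhcpd.page.conf" <<'EOF'
option domain-name "whonix";
option domain-name-servers 10.152.152.10;
subnet 10.152.128.0 netmask 255.255.192.0 {
        range 10.152.152.12 10.152.152.15;
        option subnet-mask 255.255.192.0;
        option broadcast-address 10.152.191.255;
        option routers 10.152.152.10;
}
EOF

# Constructed mistake: network and broadcast written as if the mask were /24.
sed -e 's/^subnet 10.152.128.0/subnet 10.152.152.0/' \
    -e 's/10.152.191.255/10.152.152.255/' \
    "$SAMPLE_DIR/dhcpd.page.conf" > "$SAMPLE_DIR/dhcpd.slash24.conf"

echo "network:   $(network_of 10.152.152.10 255.255.192.0)"
echo "broadcast: $(broadcast_of 10.152.152.10 255.255.192.0)"
check_dhcpd_conf "$SAMPLE_DIR/dhcpd.page.conf" && echo "page config: consistent"
check_dhcpd_conf "$SAMPLE_DIR/dhcpd.slash24.conf" || echo "constructed config: inconsistent"
```

The same `network_of` call confirms that the static workstation addresses used elsewhere on the page (10.152.152.12, 10.152.152.50) share a network with the gateway.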


More security

Recommendations:

  • Verify the operating system installation CD: compare it with the sha256 hash or, even better, verify the gpg signature, if available.
  • Install while the Virtual Machine has no internet connection.
  • Set your username to user.
  • Disable Internet Time Syncing.
  • Set your Time Zone to UTC.
  • Set up a static IP.
  • In case you want to run more than one Whonix-Workstation at the same time, reading the Introduction in the Multiple Whonix-Workstations article is recommended.
  • Read Basic Security Guide, Advanced Security Guide, Documentation and Design (which is Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific) and try to apply as much from it to Windows as possible.

Even more security

General

Recommendations:

  • Prevent Transparent Proxy Leaks by disabling Whonix-Gateway's Transparent Proxy feature. Instead use your Windows Whonix-Workstation behind an Isolating Proxy. See Stream Isolation for more information and instructions on how to disable the Transparent Proxy feature.
  • Check your host clock out of band (use a watch or atomic clock).
  • Set your host and your Workstation clock to show seconds as well. After booting the Whonix-Windows-Workstation, add a random skew to your clock, maybe +/- 1 to 30 seconds. Optimal values are still under investigation. For reference, see Whonix's Secure And Distributed Time Synchronization Mechanism, it is Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific, but most information also applies to Windows. Since we are not aware of a tails_htp alternative for Windows, you have to do it manually.

VM settings

Qubes-Whonix users can skip this.

For Non-Qubes-Whonix:

If the Whonix-Custom-Workstation template was downloaded and imported, this section can be skipped. [14]

If a VirtualBox VM was manually created:

Find out the name of the VM you are using.

vboxmanage list vms

Apply these settings. [15]

VBoxManage modifyvm "yourvmname" --synthcpu on
VBoxManage modifyvm "yourvmname" --acpi on
VBoxManage modifyvm "yourvmname" --ioapic on
VBoxManage modifyvm "yourvmname" --rtcuseutc on
VBoxManage setextradata "yourvmname" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" "1"

Disable clipboard sharing. [16]

VBoxManage modifyvm "yourvmname" --clipboard disabled

Disable Drag'n'Drop support. [17]

VBoxManage modifyvm "yourvmname" --draganddrop disabled
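To confirm that the settings above (and the case-sensitive internal network name Whonix) actually took effect, the VM's configuration can be read back and compared. This is an added example, not part of the Whonix wiki or its source code; the key names follow the `--machinereadable` output of VirtualBox 5.x/6.x and are an assumption to check on your version, and both sample outputs are constructed.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki): audit a VirtualBox VM against the
# settings on this page. Key names are assumed from VirtualBox 5.x/6.x output.
# The GetHostTimeDisabled extradata value is not part of this output and is
# not checked here.

# Read `VBoxManage showvminfo "yourvmname" --machinereadable` on stdin, print
# one line per deviating setting and return the number of deviations.
# Comparison is case sensitive, so intnet1="whonix" is reported.
audit_vm() {
    info=$(cat)
    problems=0
    while read -r key want; do
        got=$(printf '%s\n' "$info" |
            sed -n "s/^$key=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', expected '$want'"
            problems=$((problems + 1))
        fi
    done <<'EOF'
nic1 intnet
intnet1 Whonix
acpi on
ioapic on
rtcuseutc on
clipboard disabled
draganddrop disabled
EOF
    return "$problems"
}

# Constructed sample: a VM configured as described on this page.
sample_good_vminfo() {
    cat <<'EOF'
name="myVM"
acpi="on"
ioapic="on"
rtcuseutc="on"
nic1="intnet"
intnet1="Whonix"
clipboard="disabled"
draganddrop="disabled"
EOF
}

# Constructed sample: lowercase network name and a shared clipboard.
sample_bad_vminfo() {
    sample_good_vminfo |
        sed -e 's/^intnet1=.*/intnet1="whonix"/' \
            -e 's/^clipboard=.*/clipboard="bidirectional"/'
}

if sample_good_vminfo | audit_vm; then
    echo "good sample: all settings match"
fi
sample_bad_vminfo | audit_vm || echo "bad sample: $? deviation(s)"
```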

Assistance is welcome in verifying that the settings on this wiki page match those we are using in Whonix source code. This ensures that no settings have been forgotten.

In Whonix source code, examine build-steps.d/2500_create-vbox-vm for the functions general_setup and workstation_specific. Apply any missing settings from build-steps.d/2500_create-vbox-vm. It is also sensible to drop the "sudo -u $USERNAME" setting.

The following settings are not required. They are either recommended earlier on, or done by the gui creation process:

  • --name
  • storagectl
  • storageattach
  • --memory
  • --pae
  • --intnet1
  • --cableconnected
  • --macaddress1
  • --audiocontroller
  • --audio
  • --rtcuseutc

Whonix Packages

Whonix's Debian Packages (overview), such as uwt, are available for installation from source and from Whonix's apt repository (example instructions). Some of the anonymity, security, privacy and usability related packages might be of interest to users of Debian and Debian derivatives.

Note that usage of these packages outside of Whonix is untested and there is no maintainer who supports this use case.

The current Whonix team can only maintain a limited amount of things, has limited resources and focuses on other priorities. If you have developer skills, would you be interested to contribute by co-maintaining one or another package for using them outside of Whonix?

Most security

Use the default Whonix VMs and build them yourself from source.

Ubuntu

Debian

Whonix-Default/Download-Version is already based on Debian Wheezy / Stable. You may be interested to read:

Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation

Introduction

Read first: Comparison of different Whonix variants!

Note: Whonix-BuildYourselfFromSource-Workstation is of course the same as Whonix-Download-Workstation.

Table

| | Whonix-Download-Workstation | Whonix-Custom-Workstation |
|---|---|---|
| Based on | Debian stretch GNU/Linux | Any of your choice. |
| Amnesic | No | No |
| Protection against root exploits (Malware with root rights) on the Workstation [18] | Yes [18] | Yes [18] |
| IP/DNS protocol leak protection | Full [18] | Full [18] |
| Takes advantage of Entry Guards | Yes | Yes |
| Operating System Updates persist once updated | Yes | Depends if gets installed or is a Live CD. |
| Hides hardware serials from malicious software | Yes [18] | Yes [18] |
| Does not collect (virtual) hardware serials | Yes | Depends on the custom operating system |
| Includes Tor Browser | Yes | Your responsibility to install Tor Browser. [19] [20] |
| Includes Firefox privacy patches [21] and Tor Button (=Tor Browser) | Yes, because it uses Tor Browser (without Tor/Vidalia). | Your responsibility to install Tor Browser. [19] |
| Prevents Tor over Tor for Tor Browser | Yes | Your responsibility to prevent Tor over Tor. [19] |
| Stream isolation to prevent identity correlation through circuit sharing | Yes | Your responsibility to use Stream Isolation. |
| Stream isolation in Tor Browser | No [18] | No [18] |
| Encryption | Should be applied on host. | Should be applied on host. |
| Cold Boot Attack Protection [18] | No | No |
| Secure Distributed Network Time Synchronization | Yes, using sdwdate. | Your responsibility to install it. |
| Hides your time zone (set to UTC) | Yes | Your responsibility to set clock to UTC. |
| Hides your operating system account name | Yes, set to user. | Your responsibility to set username to user. |
| Hides your MAC address from websites | Invalid [18] | Invalid [18] |
| Secures your MAC address from local LAN (sometimes ISP) [18] | No, planned, see. [18] | Your responsibility. [18] |
| Hides your hosts MAC address from applications | Yes [18] | Yes [18] |
| Secure gpg.conf | Yes | Your responsibility to use a secure gpg.conf. |
| Privacy enhanced IRC client configuration. | Yes | Your responsibility to configure the IRC client for enhanced privacy. |

Conclusion

The Whonix-Download-Workstation is already preconfigured with all Whonix extra security features.

A Whonix-Custom-Workstation can be made (your responsibility!) as secure as a Whonix-Download-Workstation. If you simply create [22] a Whonix-Custom-Workstation, it still has some security advantages, for example full IP/DNS protocol leak protection, but not all of them; for example, it lacks Secure Distributed Network Time Synchronization. The details are listed in the table above.

Missing Documentation

You might wonder what "your responsibility" means, and some users wonder where the documentation for these aspects can be found. No documentation has been written yet. There is a lack of resources to maintain such instructions, i.e. to write them and, more so, to keep them up to date, test them, answer support requests, fix bugs and implement feature requests. Please contribute. For a more detailed explanation, see also Whonix Packages.

References

  1. qubes-prefs --set vm-name netvm sys-whonix
  2. Note: It is Whonix, not whonix. Capital W case sensitivity matters.
  3. A newer Whonix-Custom-Workstation only needs to be redistributed if the settings for the VM have changed. For example, these have not changed between Whonix 9 and Whonix 13. Therefore, Whonix-Custom-Workstation version 14.0.0.9.9 is recent enough to function, because it comes with an empty virtual hard drive (meaning software cannot be outdated).
  4. It is not strictly necessary to rename the VM at this point, but this prevents potential naming conflicts if another Whonix-Custom-Workstation is imported later on.
  5. It is necessary to set the SET TOR_SKIP_LAUNCH=1 environment variable, then start Tor Browser. The Tor Browser Launcher add-on will detect this, skip the connection wizard and skip launching Tor.
  6. Qubes feature request: Optional static IP addresses.
  7. qubes-prefs --set vm-name netvm sys-whonix
  8. Note: It is Whonix, not whonix. Capital W case sensitivity matters.
  9. A newer Whonix-Custom-Workstation only needs to be redistributed if the settings for the VM have changed. For example, these have not changed between Whonix 9 and Whonix 13. Therefore, Whonix-Custom-Workstation version 14.0.0.9.9 is recent enough to function, because it comes with an empty virtual hard drive (meaning software cannot be outdated).
  10. It is not strictly necessary to rename the VM at this point, but this prevents potential naming conflicts if another Whonix-Custom-Workstation is imported later on.
  11. Once Tor Browser moves to SocksSocket, these instructions will certainly no longer work. References:
  12. Learn more about the network settings.
    • Type: SOCKSv5.
    • IP address:
      • Qubes-Whonix
        • If Qubes Tools in the custom workstation are:
          • Installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-gateway inside the custom workstation.
          • Not installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-ip inside sys-whonix.
        • Unfortunately the IP address will not be static. This means after restarting sys-whonix the connection might break and the IP address setting may need to be manually updated.
      • Non-Qubes-Whonix: 10.152.152.10
    • Port: 9100.
    • Do not change the No Proxies for setting.
    ## The following TOR_SOCKS_HOST and TOR_SOCKS_PORT variables
    ## do not work flawlessly, due to an upstream bug in Tor Button:
    ##    "TOR_SOCKS_HOST, TOR_SOCKS_PORT regression"
    ##    https://trac.torproject.org/projects/tor/ticket/8336
    TOR_SOCKS_HOST="10.152.152.10"
    TOR_SOCKS_PORT="9150"
    
  13. grep tor output:
    user 1053 0.0 0.0 12724 948 pts/1 S+ 20:22 0:00 grep tor
  14. The Whonix-Custom-Workstation template already comes with these settings by default.
  15. For further reading on why these settings are beneficial, see build-steps.d/2500_create-vbox-vm in the Whonix source code folder.
  16. This is a precautionary measure.
  17. This is a precautionary measure.
  18. Same footnote(s) as in Comparison of Whonix, Tails, Tor Browser, Qubes OS TorVM and Corridor and Tor Browser.
  19. For help using Tor Browser without Tor over Tor (recommended), see:
  20. For explanation of the about:tor "Something went wrong" error, please see this forum thread.
  21. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
  22. Install or use a Live CD/DVD into Whonix-Workstation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)
