Jump to: navigation, search

Other Operating Systems

Introduction[edit]

The Whonix Framework[1] supports any operating system.

Using a Whonix-Download-Workstation is easier and provides more Security out of the box! It's your responsibility to get the same security features for a Whonix-Custom-Workstation, see Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation at the bottom of the page for details.

The Whonix-Gateway already supports torification of any operating system, including Microsoft Windows and others. As an transparent or isolating proxy, see below for more information.

Windows-Whonix-Workstation[edit]

XP, Vista and Windows 7 are are known to work behind Whonix-Gateway. While it's possible, it's not recommended and only for advanced users. This is because, there are issues with Windows. Those are not Whonix issues. Whonix developers can not fix those issues. One issue is, that Windows is closed source. Rather, Windows is affected by Transparent Proxy Leaks and other issues. For more information and depending on your security requirements, read the following chapters.

Easy[edit]

Easiest, but least secure option.

Download and use the default Whonix-Gateway.

Import it the same way you would do for Whonix-Default/Download-Version

Create a VirtualBox VM.

VirtualBox -> Machine -> New -> Next -> Enter Name -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next hdd size and location is a matter of preference -> Next -> Create

Switch VirtualBox VM settings.

Choose the newly created VM -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

USB -> uncheck Enable USB controller

-> OK

Start VM and Install Operating System.

You don't have to install updates while installing. You can do that right after installing, after the network has been set up.

username: user computer name: host

(5). Configure network:

For Windows 7 (similar in Windows XP): In Control Panel -> Network and Sharing Center: click on "Change adapter settings" Right-click on local area connection > properties In property window: double-click Internet Protocol Version 4, use the following settings:

IP address 192.168.0.50
Subnet netmask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.10

(6). Download operating system updates.

Whonix-GNU/Linux-Workstation[edit]

Easy[edit]

Easiest, but least secure option.

Download and use the default Whonix-Gateway.

Import it the same way you would do for Whonix-Default/Download-Version

Create a VirtualBox VM.

VirtualBox -> Machine -> New -> Next -> Enter Name -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next hdd size and location is a matter of preference -> Next -> Create

Switch VirtualBox VM settings.

Choose the newly created VM -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

USB -> uncheck Enable USB controller

-> OK

Start VM and Install Operating System.

You don't have to install updates while installing. You can do that right after installing, after the network has been set up.

username: user computer name: host

(5). Configure network:

Open a Terminal and type.

sudo nano /etc/network/interfaces

You only need to configure eth0:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface, leave as it is
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
# increment last octet on additional workstations
       address 192.168.0.12
       netmask 255.255.255.0
       #network 192.168.0.0
       #broadcast 192.168.0.255
       gateway 192.168.0.10

Open /etc/resolv.conf.

sudo nano /etc/resolv.conf

and delete everything, then add

nameserver 192.168.0.10

(6). Download operating system updates.

Debian based Linux, such as Ubuntu:

sudo apt-get update && sudo apt-get dist-upgrade

More security[edit]

Recommendations:

  • Verify operating system installation CD, compare with sha256 hash or even better verify the gpg signature, if available.
  • Install while the Virtual Machine has no internet connection.
  • Set your username to user.
  • Disable Internet Time Syncing.
  • Set your Time Zone to UTC.
  • Set up a static IP.
  • In case you want to run more than one Whonix-Workstation at the same time, it's recommended reading the Introduction in the Multiple Whonix-Workstations article.
  • Read Security Guide, Documentation and Design (which is Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific) and try to apply as much from it to Windows as possible.

Even more security[edit]

General[edit]

Recommendations:

  • Prevent Transparent Proxy Leaks by disabling Whonix-Gateway's Transparent Proxy feature. Instead use your Windows Whonix-Workstation behind an Isolating Proxy. See Stream Isolation for more information and instructions on how to disable the Transparent Proxy feature.
  • Check your host clock out of band (use a watch or atomic clock).
  • Set your host and your Workstation clock to show seconds as well. After booting the Whonix-Windows-Workstation, add a random skew to your clock, maybe +/- 1 to 30 seconds. Optimal values are still under investigation. For reference, see Whonix's Secure And Distributed Time Synchronization Mechanism, it's Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific, but most information also applies to Windows. Since we are not aware of a tails_htp alternative for Windows, you have to do it manually.

VM settings[edit]

Find out the VM name you are using.

vboxmanage list vms

Apply these settings. [2]

VBoxManage modifyvm "yourvmname" --synthcpu on
VBoxManage modifyvm "yourvmname" --acpi on
VBoxManage modifyvm "yourvmname" --ioapic on
VBoxManage modifyvm "yourvmname" --rtcuseutc on
VBoxManage setextradata "yourvmname" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" "1"

Disable clipboard sharing. Only matters if guest additions are installed which is recommended against. Just in case.

VBoxManage modifyvm "yourvmname" --clipboard disabled

Disable Drag'n'Drop support. Only matters if guest additions are installed which is recommended against. Just in case.

VBoxManage modifyvm "yourvmname" --draganddrop disabled

It would be prudent if you verify, that we haven't forgot any settings on this wiki page compared to settings we are using in Whonix source code. If you are interested, click on Expand on the right.

In Whonix source code look into build-steps.d/2500_create-vbox-vm for the functions general_setup, workstation_specific. Apply any missing settings from build-steps.d/2500_create-vbox-vm. You can and should drop the "sudo -u $USERNAME".

The following settings are not required (because recommended earlier or done by the gui creation process):

  • --name
  • storagectl
  • storageattach
  • --memory
  • --pae
  • --intnet1
  • --cableconnected
  • --macaddress1
  • --audiocontroller
  • --audio
  • --rtcuseutc

Most security[edit]

Use the default Whonix VMs and build them yourself from source.

Ubuntu[edit]

General[edit]

Moved to Ubuntu

About Ubuntu[edit]

Moved to Ubuntu.

Guest additions for Ubuntu Precise[edit]

Moved to Ubuntu.

Debian[edit]

Whonix-Default/Download-Version is already based on Debian Wheezy / Stable. You may be interested to read:

Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation[edit]

Introduction[edit]

Read first: Comparison of different Whonix variants!

Note: Whonix-BuildYourselfFromSource-Workstation is of course the same as Whonix-Download-Workstation.

Table[edit]

Whonix-Download-Workstation Whonix-Custom-Workstation
Based on Debian Wheezy GNU/Linux Any of your choice.
Amnesic No No
Protection against root exploits (Malware with root rights) on the Workstation 18 Yes 1a Yes 1a
IP/DNS protocol leak protection Full 1 Full 1
Takes advantage of Entry Guards Yes Yes
Operating System Updates persist once updated Yes Depends if gets installed or is a Live CD.
Hides hardware serials from malicious software Yes 16 Yes 16
Collects (virtual) hardware serials No Depends on the custom operating system
Includes Tor Browser Yes Your responsibility to install Tor Browser. [3]
Includes Firefox privacy patches [4] and Tor Button (=Tor Browser) Yes, because it uses Tor Browser (without Tor/Vidalia). Your responsibility to install Tor Browser. [3]
Prevents Tor over Tor for Tor Browser Yes Your responsibility to prevent Tor over Tor. [3]
Stream isolation to prevent identity correlation through circuit sharing Yes Your responsibility to use Stream Isolation.
Stream isolation in Tor Browser No 14 No 14
Encryption Should be applied on host. Should be applied on host.
Cold Boot Attack Protection 8 No No
Secure Distributed Network Time Synchronization Yes Your responsibility to install it.
Hides your time zone (set to UTC) Yes Your responsibility to set clock to UTC.
Hides your operating system account name Yes, set to user. Your responsibility to set username to user.
Hides your MAC address from websites Invalid 19 Invalid 19
Secures your MAC address from local LAN (sometimes ISP) 20 No, planned, see. 21 Your responsibility. 20,21
Hides your hosts MAC address from applications Yes 24 Yes 24
Secure gpg.conf Yes Your responsibility to use a secure gpg.conf.
Privacy enhanced IRC client configuration. Yes Your responsibility to configure the IRC client for enhanced privacy.

Footnotes[edit]

Same footnotes as in Comparison of Whonix, Tails, Tor Browser Bundle, Qubes OS TorVM and Corridor and Tor Browser.

Conclusion[edit]

The Whonix-Download-Workstation is already preconfigured with all Whonix extra security features.

A Whonix-Custom-Workstation can be made (Your responsibility!) as secure as a Whonix-Download-Workstation. If you simply create [5] a Whonix-Custom-Workstation it has still some security advantages, for example full IP/DNS protocol leak protection, but not all, for example it lacks Secure Distributed Network Time Synchronization. The details are listed in the table above.

References[edit]

  1. Technical_Introduction#Whonix_Framework
  2. If you want to know what these settings are good for, see build-steps.d/2500_create-vbox-vm in Whonix source code folder.
  3. 3.0 3.1 3.2 For help using Tor Browser without Tor over Tor (recommended), see https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers and http://www.wilderssecurity.com/showthread.php?t=339051&page=14 beginning from "Does anyone know if separating tor and vidalia from the browser is possible?" and Special:AWCforum/st/id179/#post_1025.
  4. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
  5. Install or use a Live CD/DVD into Whonix-Workstation.


Log in | OpenID | Contact | Impressum | Datenschutz | Haftungsausschluss

https | .onion [note] | Mirror | Mirror

This is a wiki. Want to improve this page? See Conditions for Contributions to Whonix, then Edit it! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.