Other Operating Systems

Introduction

The Whonix Framework[1] supports any operating system.

Using a Whonix-Default/Download-Workstation is easier and provides more security out of the box! With a Whonix-Custom-Workstation, it is your responsibility to get the same security features; see Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation at the bottom of the page for details.

The Whonix-Gateway already supports torification of any operating system, including Microsoft Windows and others. It can act as a transparent or isolating proxy[2]; see below for more information.

Windows-Whonix-Workstation

Introduction

XP, Vista and Windows 7 are known to work behind Whonix-Gateway. While it's possible, it's not recommended and only for advanced users. This is because there are issues with Windows. Those are not Whonix issues, and Whonix developers cannot fix them. One issue is that Windows is closed source. Windows is also affected by Transparent Proxy Leaks and other issues. For more information, and depending on your security requirements, read the following chapters.

Easy

Easiest, but least secure option.

Download and use the default Whonix-Gateway.

Download and import it the same way you would for the Whonix-Default/Download-Version. No other changes to Whonix-Gateway are required for this use case!

Set up a Whonix-Custom-Workstation.

There are currently two ways to set up a Whonix-Custom-Workstation. Either 1) manually create a VirtualBox VM (old, stable way); or 2) download and import Whonix-Custom-Workstation (experimental, testers-only).

To manually create a VirtualBox VM (old, stable way), follow these steps.

Create a VirtualBox VM.

VirtualBox -> Machine -> New -> Next -> Enter Name (for example: myVM) -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next -> hdd size and location is a matter of preference -> Next -> Create

Switch VirtualBox VM settings.

Choose the newly created VM (for example: myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Motherboard -> Pointing Device -> PS/2 Mouse (required so that USB controller may be disabled)

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

(Note: It's Whonix, not whonix. Case sensitive. Capital W.)

USB -> uncheck Enable USB controller

-> OK

To download and import the Whonix-Custom-Workstation template (experimental, testers-only), follow these steps.

The idea behind this method is that you do not have to manually create a new virtual machine. To simplify the process, you can just download and import a so-called Whonix-Custom-Workstation. The advantage is that all security settings for the virtual machine are already applied, so you cannot forget any of them, and it is easier.

Latest Whonix-Custom-Workstation Version: 9

Don't be surprised if the version number for Whonix-Gateway and Whonix-Default/Download-Version is higher than the version for Whonix-Custom-Workstation. This is normal. [3]

Download, verify.

Download

OpenPGP Signature

Import.

Rename the virtual machine to something else.[4] (VirtualBox -> Right click on VM -> Settings -> Name) (For example: myVM)

Please report in the forums if you used this and how it worked for you.

Start VM and Install Operating System.

Start the newly created VM (for example: myVM).

Insert the installation DVD.

You don't have to install updates while installing. You can do that right after installing, after the network has been set up.

username: user
computer name: host

Configure network.

For Windows 7 (similar in Windows XP): in Control Panel -> Network and Sharing Center, click on "Change adapter settings". Right-click on the local area connection -> Properties. In the properties window, double-click Internet Protocol Version 4 and use the following settings:

# increment last octet of IP address on additional workstations
IP address 10.152.152.50
Subnet netmask 255.255.192.0
Default gateway 10.152.152.10
Preferred DNS server 10.152.152.10

Download operating system updates.

Whonix-GNU/Linux-Workstation

Easy

Easiest, but least secure option.

Download and use the default Whonix-Gateway.

Download and import it the same way you would for the Whonix-Default/Download-Version. No other changes to Whonix-Gateway are required for this use case!

Set up a Whonix-Custom-Workstation.

There are currently two ways to set up a Whonix-Custom-Workstation. Either 1) manually create a VirtualBox VM (old, stable way); or 2) download and import Whonix-Custom-Workstation (experimental, testers-only).

To manually create a VirtualBox VM (old, stable way), follow these steps.

Create a VirtualBox VM.

VirtualBox -> Machine -> New -> Next -> Enter Name (for example: myVM) -> Enter Operating System and Version -> Next -> define RAM -> Next -> create a new hdd (or not) -> Next -> disk format doesn't matter, VDI works fine however -> Next -> dynamically or fixed size is a matter of preference -> Next -> hdd size and location is a matter of preference -> Next -> Create

Switch VirtualBox VM settings.

Choose the newly created VM (for example: myVM) -> Settings -> System -> Motherboard -> Hardware Clock in UTC

System -> Motherboard -> Pointing Device -> PS/2 Mouse (required so that USB controller may be disabled)

System -> Processor -> Enable PAE/NX if available

Network -> Adapter 1 -> attached to Internal Network (Important!)

Network -> Adapter 1 -> Name (of Internal Network) (Important!): Whonix

(Note: It's Whonix, not whonix. Case sensitive. Capital W.)

USB -> uncheck Enable USB controller

-> OK

To download and import the Whonix-Custom-Workstation template (experimental, testers-only), follow these steps.

The idea behind this method is that you do not have to manually create a new virtual machine. To simplify the process, you can just download and import a so-called Whonix-Custom-Workstation. The advantage is that all security settings for the virtual machine are already applied, so you cannot forget any of them, and it is easier.

Latest Whonix-Custom-Workstation Version: 9

Don't be surprised if the version number for Whonix-Gateway and Whonix-Default/Download-Version is higher than the version for Whonix-Custom-Workstation. This is normal. [5]

Download, verify.

Download

OpenPGP Signature

Import.

Rename the virtual machine to something else.[6] (VirtualBox -> Right click on VM -> Settings -> Name) (For example: myVM)

Please report in the forums if you used this and how it worked for you.

Start VM and Install Operating System.

Start the newly created VM (for example: myVM).

Insert the installation DVD.

You don't have to install updates while installing. You can do that right after installing, after the network has been set up.

username: user
computer name: host

Configure network.

In your Custom-Workstation, open a terminal and type:

sudo nano /etc/network/interfaces

You only need to configure eth0:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface, leave as it is
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
# increment last octet of IP address on additional workstations
       address 10.152.152.12
       netmask 255.255.192.0
       #network 10.152.152.0
       #broadcast 10.152.152.255
       gateway 10.152.152.10

In your Custom-Workstation, open /etc/resolv.conf:

sudo nano /etc/resolv.conf

and delete everything, then add

nameserver 10.152.152.10

Download operating system updates.

Debian based Linux, such as Ubuntu:

sudo apt-get update && sudo apt-get dist-upgrade

Whonix-Android-Workstation

Easy

Warning:
The following instructions are user contributed, untested by Whonix maintainers, and require a DHCP server to be installed on Whonix-Gateway. Whonix maintainers have not yet researched whether any DHCP server feature would be problematic for anonymity distributions that use a two machine isolation approach. Maybe there is such a feature, maybe not. If it exists, maybe it could be easily disabled, maybe not. The attack surface here: once an attacker has compromised Whonix-Workstation, they could attempt to exploit the DHCP server on Whonix-Gateway. Worse, maybe DHCP has a feature such as "please tell me the IP address of your upstream router", to which the DHCP server would answer with your real external IP address. To find out whether this is actually the case, one would have to read the whole DHCP protocol. Forum discussion.

VM settings are the same: attach the network adapter to the internal network named Whonix

Android x86 doesn't seem to support static IPs for Ethernet, so a DHCP server needs to be set up on Whonix Gateway.

Install a DHCP server package:

$ sudo apt-get install isc-dhcp-server

Note that it won't start yet, because it's not configured.

Modify /etc/dhcp/dhcpd.conf to look like this:


option domain-name "whonix";
option domain-name-servers 10.152.152.10;
subnet 10.152.128.0 netmask 255.255.192.0 {
        range 10.152.152.12 10.152.152.15;
        option subnet-mask 255.255.192.0;
        option broadcast-address 10.152.191.255;
        option routers 10.152.152.10;
}
default-lease-time 600;
max-lease-time 7200;

Run

$ sudo dpkg-reconfigure isc-dhcp-server

and choose eth1 as interface for the DHCP server to run on.

After this, the DHCP server starts properly and the Whonix-Gateway is ready to serve a dynamic IP to the Android x86 Whonix-Workstation.
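The static addresses used above (10.152.152.50 and 10.152.152.12 behind gateway 10.152.152.10, netmask 255.255.192.0, resolv.conf pointing only at the gateway) and the subnet and broadcast values in dhcpd.conf all follow from the same /18 arithmetic. The shell functions below are an added example, not part of the Whonix wiki or source code; the function names and the out-of-range address 10.152.192.5 are made up for illustration.

```shell
#!/bin/sh
# Added example: sanity-check addresses for the Whonix internal network.
# Function names are illustrative; sample inputs below are constructed.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP MASK / broadcast_of IP MASK
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}
broadcast_of() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) ))
}

# check_host IP GATEWAY MASK: true if IP is a usable host address in the
# gateway's subnet and does not collide with the gateway itself.
check_host() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ] || return 1
    [ "$1" != "$2" ] || return 1
    [ "$1" != "$(network_of "$2" "$3")" ] || return 1
    [ "$1" != "$(broadcast_of "$2" "$3")" ] || return 1
}

# only_gateway_dns FILE GATEWAY: true if the resolv.conf-style FILE has at
# least one nameserver line and every one of them is the gateway.
only_gateway_dns() {
    servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ -n "$servers" ] || return 1
    for s in $servers; do
        [ "$s" = "$2" ] || return 1
    done
}

GATEWAY=10.152.152.10
NETMASK=255.255.192.0
echo "network   $(network_of "$GATEWAY" "$NETMASK")"
echo "broadcast $(broadcast_of "$GATEWAY" "$NETMASK")"
# 10.152.192.5 is a constructed address just outside the /18.
for ip in 10.152.152.12 10.152.152.50 10.152.192.5; do
    if check_host "$ip" "$GATEWAY" "$NETMASK"; then
        echo "$ip ok"
    else
        echo "$ip is not a usable address behind $GATEWAY"
    fi
done
```

To check a workstation's own resolver file, call `only_gateway_dns /etc/resolv.conf 10.152.152.10` after sourcing the functions.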

More security

Recommendations:

  • Verify the operating system installation CD: compare it with the sha256 hash or, even better, verify the gpg signature, if available.
  • Install while the Virtual Machine has no internet connection.
  • Set your username to user.
  • Disable Internet Time Syncing.
  • Set your Time Zone to UTC.
  • Set up a static IP.
  • In case you want to run more than one Whonix-Workstation at the same time, it's recommended reading the Introduction in the Multiple Whonix-Workstations article.
  • Read Security Guide, Documentation and Design (which is Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux) specific) and try to apply as much from it to Windows as possible.

Even more security

General

Recommendations:

  • Prevent Transparent Proxy Leaks by disabling Whonix-Gateway's Transparent Proxy feature. Instead use your Windows Whonix-Workstation behind an Isolating Proxy. See Stream Isolation for more information and instructions on how to disable the Transparent Proxy feature.
  • Check your host clock out of band (use a watch or atomic clock).
  • Set your host and your Workstation clock to show seconds as well. After booting the Whonix-Windows-Workstation, add a random skew to your clock, maybe +/- 1 to 30 seconds. Optimal values are still under investigation. For reference, see Whonix's Secure And Distributed Time Synchronization Mechanism. It is specific to the Whonix-Example-Implementation-Workstation (based on Debian GNU/Linux), but most of the information also applies to Windows. Since we are not aware of a tails_htp alternative for Windows, you have to do it manually.

VM settings

If you downloaded and imported the Whonix-Custom-Workstation template, this section can be skipped. [7]

If you manually created a VirtualBox VM, continue with the steps below.

Find out the VM name you are using.

vboxmanage list vms

Apply these settings. [8]

VBoxManage modifyvm "yourvmname" --synthcpu on
VBoxManage modifyvm "yourvmname" --acpi on
VBoxManage modifyvm "yourvmname" --ioapic on
VBoxManage modifyvm "yourvmname" --rtcuseutc on
VBoxManage setextradata "yourvmname" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" "1"

Disable clipboard sharing. This only matters if guest additions are installed, which is recommended against. Apply it just in case.

VBoxManage modifyvm "yourvmname" --clipboard disabled

Disable Drag'n'Drop support. This only matters if guest additions are installed, which is recommended against. Apply it just in case.

VBoxManage modifyvm "yourvmname" --draganddrop disabled
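One way to confirm that the GUI and VBoxManage settings from this page actually took effect is to audit the VM's machine-readable configuration. The script below is an added example, not part of the Whonix wiki or source code; the key names are assumed to match the `VBoxManage showvminfo --machinereadable` output of the VirtualBox release in use, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit a VM's settings against this page's recommendations.
# Key names are assumed to match `VBoxManage showvminfo --machinereadable`
# output of the VirtualBox release in use; adjust them if yours differ.

EXPECTED='nic1=intnet
intnet1=Whonix
usb=off
rtcuseutc=on
acpi=on
ioapic=on
clipboard=disabled
draganddrop=disabled'

# audit_vminfo FILE: print one line per deviation; exit status 0 only if none.
audit_vminfo() {
    info_file=$1
    failures=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Lines look like key="value"; the comparison is case-sensitive,
        # so "whonix" does not pass for "Whonix".
        got=$(sed -n "s/^${key}=\"\(.*\)\"\$/\1/p" "$info_file" | head -n 1)
        if [ "$got" != "$want" ]; then
            echo "FAIL ${key}: want '${want}', found '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample (not real output): lower-case network name, clipboard on.
sample_vminfo() {
    cat <<'EOF'
name="myVM"
acpi="on"
ioapic="on"
rtcuseutc="on"
nic1="intnet"
intnet1="whonix"
usb="off"
clipboard="bidirectional"
draganddrop="disabled"
EOF
}

# Real use: VBoxManage showvminfo "yourvmname" --machinereadable > vminfo.txt
tmp=$(mktemp)
sample_vminfo > "$tmp"
audit_vminfo "$tmp" || echo "VM does not match the recommended settings"
rm -f "$tmp"
```

The GetHostTimeDisabled entry is extra data rather than a VM property, so it does not appear in this output; `VBoxManage getextradata "yourvmname" enumerate` lists it.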

It would be prudent to verify that we haven't forgotten any settings on this wiki page compared to the settings we are using in Whonix source code.

In Whonix source code look into build-steps.d/2500_create-vbox-vm for the functions general_setup, workstation_specific. Apply any missing settings from build-steps.d/2500_create-vbox-vm. You can and should drop the "sudo -u $USERNAME".

The following settings are not required (because recommended earlier or done by the GUI creation process):

  • --name
  • storagectl
  • storageattach
  • --memory
  • --pae
  • --intnet1
  • --cableconnected
  • --macaddress1
  • --audiocontroller
  • --audio
  • --rtcuseutc

Whonix Packages

Whonix's Debian Packages (overview), such as uwt, are available for installation from source and from Whonix's apt repository (example instructions). Installing some of the anonymity/security/privacy/usability related ones might be interesting for users of Debian and Debian derivatives.

Note that usage of these packages outside of Whonix is untested and there is no maintainer that supports this use case.

The current Whonix team can only maintain a limited amount of things, has limited resources and focuses on other priorities. If you have developer skills, would you be interested to contribute by co-maintaining one or another package for using them outside of Whonix?

Most security

Use the default Whonix VMs and build them yourself from source.

Ubuntu

General

Moved to Ubuntu

About Ubuntu

Moved to Ubuntu.

Guest additions for Ubuntu Precise

Moved to Ubuntu.

Debian

Whonix-Default/Download-Version is already based on Debian Wheezy / Stable. You may be interested to read:

Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation

Introduction

Read first: Comparison of different Whonix variants!

Note: Whonix-BuildYourselfFromSource-Workstation is of course the same as Whonix-Download-Workstation.

Table

| | Whonix-Download-Workstation | Whonix-Custom-Workstation |
|---|---|---|
| Based on | Debian Wheezy GNU/Linux | Any of your choice. |
| Amnesic | No | No |
| Protection against root exploits (Malware with root rights) on the Workstation [9] | Yes [9] | Yes [9] |
| IP/DNS protocol leak protection | Full [9] | Full [9] |
| Takes advantage of Entry Guards | Yes | Yes |
| Operating System Updates persist once updated | Yes | Depends if gets installed or is a Live CD. |
| Hides hardware serials from malicious software | Yes [9] | Yes [9] |
| Collects (virtual) hardware serials | No | Depends on the custom operating system |
| Includes Tor Browser | Yes | Your responsibility to install Tor Browser. [10] [11] |
| Includes Firefox privacy patches [12] and Tor Button (=Tor Browser) | Yes, because it uses Tor Browser (without Tor/Vidalia). | Your responsibility to install Tor Browser. [10] |
| Prevents Tor over Tor for Tor Browser | Yes | Your responsibility to prevent Tor over Tor. [10] |
| Stream isolation to prevent identity correlation through circuit sharing | Yes | Your responsibility to use Stream Isolation. |
| Stream isolation in Tor Browser | No [9] | No [9] |
| Encryption | Should be applied on host. | Should be applied on host. |
| Cold Boot Attack Protection [9] | No | No |
| Secure Distributed Network Time Synchronization | Yes | Your responsibility to install it. |
| Hides your time zone (set to UTC) | Yes | Your responsibility to set clock to UTC. |
| Hides your operating system account name | Yes, set to user. | Your responsibility to set username to user. |
| Hides your MAC address from websites | Invalid [9] | Invalid [9] |
| Secures your MAC address from local LAN (sometimes ISP) [9] | No, planned, see. [9] | Your responsibility. [9] |
| Hides your hosts MAC address from applications | Yes [9] | Yes [9] |
| Secure gpg.conf | Yes | Your responsibility to use a secure gpg.conf. |
| Privacy enhanced IRC client configuration. | Yes | Your responsibility to configure the IRC client for enhanced privacy. |

Conclusion

The Whonix-Download-Workstation is already preconfigured with all Whonix extra security features.

A Whonix-Custom-Workstation can be made (Your responsibility!) as secure as a Whonix-Download-Workstation. If you simply create [13] a Whonix-Custom-Workstation, it still has some security advantages, for example full IP/DNS protocol leak protection, but not all; for example, it lacks Secure Distributed Network Time Synchronization. The details are listed in the table above.

Missing Documentation

You might wonder what "your responsibility" means. Some users are wondering where the documentation for these aspects can be found. No documentation has been written yet. There is a lack of resources to maintain such instructions, i.e. writing them and, more so, keeping them up to date, testing them, answering support requests, fixing bugs and implementing feature requests. Please contribute. For a more detailed explanation, see also Whonix Packages.

References

  1. Technical_Introduction#Whonix_Framework
  2. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
  3. This is because redistributing a newer Whonix-Custom-Workstation is only worth the effort, if the settings for the virtual machine have changed. For example, these have not changed between Whonix 9 and Whonix 9.2. So Whonix-Custom-Workstation version 9 is up to date enough (because it comes with an empty virtual hard drive, so no software could be outdated).
  4. It would not be necessary to rename the VM at this point, but if users are told to rename it now, and later import another Whonix-Custom-Workstation, they won't run into any naming conflicts due to another VM using that name.
  5. This is because redistributing a newer Whonix-Custom-Workstation is only worth the effort, if the settings for the virtual machine have changed. For example, these have not changed between Whonix 9 and Whonix 9.2. So Whonix-Custom-Workstation version 9 is up to date enough (because it comes with an empty virtual hard drive, so no software could be outdated).
  6. It would not be necessary to rename the VM at this point, but if users are told to rename it now, and later import another Whonix-Custom-Workstation, they won't run into any naming conflicts due to another VM using that name.
  7. Because the Whonix-Custom-Workstation template already comes with these settings by default.
  8. If you want to know what these settings are good for, see build-steps.d/2500_create-vbox-vm in Whonix source code folder.
  9. Same footnote(s) as in Comparison of Whonix, Tails, Tor Browser Bundle, Qubes OS TorVM and Corridor and Tor Browser.
  10. For help using Tor Browser without Tor over Tor (recommended), see: https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers#UseTorBrowserwithoutbundledTorNIX
  11. For explanation of the about:tor "Something went wrong" error, please see this forum thread.
  12. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
  13. Install or use a Live CD/DVD into Whonix-Workstation.



Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.