Jump to: navigation, search

Qubes/Install

< Qubes(Redirected from Qubes/Binary Install)


First time user?

Installation
Use Qubes Q3.

1. Launch dom0 Terminal Qubes App Launcher (blue/grey "Q")

Qubes-whonix1.png

Then go to:- System Tools -> Konsole

2. Install Whonix-Gateway and Whonix-Workstation TemplateVM

Write down this command inside the konsole , then hit "Enter".

sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw qubes-template-whonix-ws

3. Make sure inactive VMs are shown

Start Qubes VM Manager (QVMM).

Qubes-whonix3.png

In Qubes VM Manager, if you do not see whonix-… in the list, use the “View” menu to toggle the setting “Show/Hide inactive VMs”.

Qubes-whonix5.png

After finishing the download process , you should see whonix-ws and whonix-gw.

Qubes-whonix2.png

4. Enable AppArmor (optional, testers-only security enhancement)

If you are interested, click on Expand on the right.

Do this at your own risk!
Note, if you want to use Tor bridges, AppArmor has been known in the past to cause problems with obfsproxy. [1]

You will want to complete the following directions in both the Whonix-Gateway (commonly called whonix-gw) and the Whonix-Workstation (commonly called whonix-ws). You only need to apply these settings to the TemplateVMs before creating any TemplateBasedVMs based on Whonix templates. [2]

For Whonix-Gateway, complete the following:

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole

Get a list of current kernel parameters.

qvm-prefs -l whonix-gw kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

When running the command to get a list of current kernel parameters again (just hit the arrow up key twice, so you don't have to type the command again).

qvm-prefs -l whonix-gw kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you started the VM, you can check if AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0

For Whonix-Workstation, complete the following:

In dom0 terminal.

Get a list of current kernel parameters.

qvm-prefs -l whonix-ws kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

When running the command to get a list of current kernel parameters again (just hit the arrow up key twice, so you don't have to type the command again).

qvm-prefs -l whonix-ws kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you started the VM, you can check if AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0

5. Create Whonix-Gateway ProxyVM

Qubes VM Manager -> Create AppVM

Qubes-whonix4.png

Then change the settings as it shown below. (You can choose any name and color you like.)

Create Qubes-Whonix-Gateway ProxyVM23423.png

6. Create Whonix-Workstation AppVM

Qubes VM Manager -> Create AppVM

Create Qubes-Whonix-Workstation AppVM2.png

7. TemplateVM proxy settings

a) Attach Whonix TemplateVMs to a Whonix-Gateway ProxyVM (commonly called sys-whonix)

Qubes VM Manager -> one left click on TemplateVM whonix-gw -> VM-Settings

Whonix templatevms to a GW.png

NetVM: -> sys-whonix -> OK

Qubes-Whonix-Gateway TemplateVM Qubes VM Manager Settings.png

b) Attach Whonix TemplateVMs to a Whonix-Workstation appVM (commonly called ws-whonix)

Qubes VM Manager -> one left click on TemplateVM whonix-ws -> VM-Settings

then

NetVM: -> sys-whonix -> OK

Whonix templatevms to a GW2.png

8. Update your Whonix-Gateway and Whonix-Workstation TemplateVMs

9. start Whonix-Workstation AppVM

For example, start the browser.

Qubes App Launcher (blue/grey "Q") -> Domain: anon-whonix -> Privacy Browser

10. Advanced information (Optional [security] information.)

If you are interested, click on Expand on the right.

Stay tuned[edit]

Introduction[edit]

Reading the latest news is important to stay on top of latest developments. Should security vulnerabilities ever be found in Whonix, any major issues (such as with the updater) happen or should an improved version be released, you should be informed.

Whonix News Blogs[edit]

For your convenience, there are multiple choices to get news. Choose at your preference.

  1. Whonix Important Blog Whonix Important Blog Rss - Most important stuff only. Security vulnerabilities and new stable versions only. For people with very limited time and interest in Whonix development and news.
  2. Whonix Feature Blog Whonix Feature Blog rss - Includes everything from Whonix Important Blog. Also testers-only and developers versions are announced. Has a relaxed posting policy. Also blog posts about updated articles, new features, future features, development, call for testing, general project thoughts and so on will be published.
  3. Other choices. [3]

It's recommended at least to read Whonix Important Blog if you are in a hurry. Have a look into Whonix Feature Blog if you are generally interested to learn about anonymity/privacy/security related things or to see what's going on with Whonix.

Operating System Updates[edit]

You should regularly check for operating system updates on your host operating system, on Whonix-Workstation and on Whonix-Gateway as highly recommended in the Security Guide.

Tor Browser[edit]

Tor Browser's built in update check mechanism also works in Whonix. Use it.

For additional information about Tor Browser updates see Tor Browser. Additionally it might also be wise to subscribe to https://blog.torproject.org for news.

Whonix Version Check and Whonix News[edit]

whonixcheck graphical user interface screnshot
Whonix Version Check (first rectangle in black) and
Whonix News
(second rectangle in green)

Furthermore you will be automatically notified about new Whonix versions and about the most important Whonix News updates [4] by Whonixcheck.

Running Whonixcheck[edit]

By default, Whonixcheck runs automatically from time to time whenever the user starts up a Whonix-Workstation (commonly called whonix-ws). When run, Whonixcheck will verify that the Whonix system is up-to-date and that everything is in proper working order.

Even though Whonixcheck should run automatically from time to time (i.e. not every time the user starts a Whonix-Workstation), you may want to manually run Whonixcheck just to make sure that everything is in order. To do that, follow the directions below

How to manually run whonixcheck[edit]

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> click on the Whonix VM you want to check -> whonixcheck / System Check

[5]

If you are using a graphical Whonix, complete the following steps:

Start Menu -> System -> whonixcheck

If you are using a terminal-only Whonix, complete the following steps:

whonixcheck

Whonixcheck will take a few minutes to run. Assuming everything is good, you should get a print out where each heading "INFO" is in green (not red). See example printout below:

Example of Whonixcheck printout[edit]

INFO: SocksPort Test Result: Connected to Tor. IP: 146.10.104.240 
INFO: TransPort Test Result: Connected to Tor. IP: 91.89.96.88 
INFO: Stream Isolation Test Result: Functional. 
INFO: Whonix News Result:
√ Up to date: whonix-workstation-packages-dependencies 2.5-1
√ Up to date: Whonix Build Version: 11.0.0.3.0 
INFO: Debian Package Update Check Result: No updates found via apt-get. 
INFO: Whonix APT Repository: Enabled. When the Whonix team releases JESSIE updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.whonix.org/wiki/Trust to understand the risk. If you want to change this, use: 
Start menu -> Applications -> System -> Whonix Repository 
INFO: Tor Browser Update Check Result: Up to date. 
INFO: Please consider making a small reoccurring donation. See: https://www.whonix.org/wiki/Donate

Tor Bootstrap[edit]

Tor bootstrap refers to... It's "Tor connecting xx percent...", "Tor not connected", "Tor connected". That's all. It's not about "secure", "not secure", "anonymous", "not anonymous".

Social Media Profiles[edit]

There are some Whonix Social Media Profiles, but please don't rely on them for getting Whonix News and please don't use them to contact Whonix developers. (See Contact for contact information.)

Because some people will do so even though it is not recommended, messages from the Whonix Feature Blog will be automatically mirrored to Whonix Twitter Profile, to Whonix Facebook Profile and to Whonix Google+ Profile.

If you won't get into trouble by letting others learn about Whonix, feel free to follow or like those profiles (with your anonymous account) as a little way to Contribute. You can share this page on: Twitter | Facebook | Google+.

Source Code[edit]

In case you are interested in Whonix source code updates, subscribe to code changes.

Known bugs[edit]

Proxychains Tor Browser Issue[edit]

Want to use Tor Browser in conjunction with proxychains for the connection scheme user -> Tor -> proxy -> internet?
This currently won't work. For more information, see Tunnels/Connecting_to_Tor_before_a_proxy#Tor_Browser_Notes_2.

"apt-get source package" will show "dpkg-source: warning: failed to verify signature"[edit]

This is not a security issue. It is only a warning. More info here (and in the following mails).

If you want, you can get rid of it with the following workaround.

1. Modify /etc/dpkg/origins/default.

sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/debian /etc/dpkg/origins/default

2. Download the source package.

apt-get source package

3. Undo afterwards to prevent unexpected issues.

sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/whonix /etc/dpkg/origins/default

Footnotes[edit]

  1. Since Qubes Q3, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
  2. Other choices.
  3. Such as when a version becomes unsupported, if manual action is required, if major features break, or if security vulnerabilities are found. The policy is to use Whonix News as rarely as possible.
  4. Qubes VM Manager -> right-click on the Whonix VM you want to check -> select "Run command in VM"
    

    Type the following.

    konsole

    Then press.

    <ENTER>
    

    Type the following.

    whonixcheck

    Then press.

    <ENTER>
    

Random News:

Please Contribute by answering questions.


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.