HowTo: Install the Stable Version of Qubes-Whonix 14
< Qubes
Introduction[edit]
First time user?[edit]
 | Warning:
|
Installation[edit]
Remove Old Versions[edit]
Users who are already running any version of Qubes-Whonix must uninstall it before performing a complete (re-)installation. This applies to:
- Users who selected Qubes-Whonix auto-configuration when Qubes was installed.
- Users who installed Qubes-Whonix after installing the Qubes platform.
Before re-installation, back up any existing data stored in Whonix VMs. This is unnecessary if users choose to upgrade Whonix 13 to 14 instead of following these instructions.
Update dom0[edit]
To launch a dom0 terminal, click the Qubes App Launcher (blue/grey "Q") and then open the Terminal Emulator (Xfce Terminal).
Upgrade Qubes dom0. [1]
sudo qubes-dom0-update
Download Whonix Templates and Configure sys-whonix and anon-whonix[edit]
The recommended approach is to use salt (wrapped by the command qubesctl in Qubes), as this one call automatically: [2]
- Downloads both Whonix-Gateway and Whonix-Workstation TemplateVMs.
- Configures
sys-whonixandanon-whonixsafely. [3]
In dom0, run:
| Before you execute the call, keep in mind that it can take a long time to execute (at least several minutes; some users reported more than 20 mins). No progress indicator is shown. Do not interrupt the salt process once it has started, or this can lead to an unstable system. The process is lengthy, particularly over Tor. [4] |
sudo qubesctl state.sls qvm.anon-whonix
For troubleshooting please see footnotes: [5] [6] [7]
Optional Whonix DVM Template VM[edit]
In Qubes R4 and above, users can choose to set up a whonix-ws-14-dvm DVM Template as a base for Disposable VMs. [8]
In dom0, run.
sudo qubesctl state.sls qvm.whonix-ws-dvm
Optional Updates over Tor[edit]
TemplateVMs[edit]
To force all TemplateVM updates over Tor: [9]
- R3.2: For each template, manually open VM settings and set NetVM to
sys-whonix. - R4: Use salt in dom0:
sudo qubesctl state.sls qvm.updates-via-whonix
In Qubes R4, this setting can be undone by modifying /etc/qubes-rpc/policy/qubes.UpdatesProxy. [10]
dom0[edit]
To force dom0 updates over Tor, set Qubes dom0 UpdateVM to sys-whonix.
Qubes Manager -> System -> Global Settings -> Dom0 UpdateVM: sys-whonix -> OK [11]
To revert this change, set Qubes dom0 UpdateVM to sys-firewall or any other VM of our choice.
Qubes Manager -> System -> Global Settings -> Dom0 UpdateVM: sys-firewall -> OK [12]
Optional: Enable AppArmor[edit]
If you are interested, click on Expand on the right.
The following steps should be completed in dom0 for both whonix-gw-14 and whonix-ws-14 TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[13] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway[edit]
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
qvm-prefs -g whonix-gw-14 kernelopts
Qubes R3.2 and later releases will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-14 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the sys-whonix ProxyVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Whonix-Workstation[edit]
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
qvm-prefs -g whonix-ws-14 kernelopts
Qubes R3.2 and later releases will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-14 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the anon-whonix AppVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Update and Launch Applications[edit]
Before starting applications in the Whonix-Workstation AppVM, update both Whonix-Gateway and Whonix-Workstation TemplateVMs.
To launch an application like Tor Browser:
Qubes App Launcher (blue/grey "Q") -> Domain: anon-whonix -> Tor Browser (AnonDist)
To learn about known bugs affecting this release, see here.
Additional Information[edit]
If you are interested, click on Expand on the right.
- Read and apply the Post Installation Security Advice.
- Stay tuned!
Known Bugs[edit]
All Platforms[edit]
"apt-get source package" will show "dpkg-source: warning: failed to verify signature"[edit]
This is not a security issue, but only a warning. Read the entire thread here for more information.
This warning message can be removed with the following workaround below.
1. Modify /etc/dpkg/origins/default
sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/debian /etc/dpkg/origins/default
2. Download the source package.
apt-get source package
3. Undo afterwards to prevent unexpected issues.
sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/whonix /etc/dpkg/origins/default
Proxychains Tor Browser Issue[edit]
Using Tor Browser in conjunction with proxychains for the connection scheme: User -> Tor -> Proxy -> Internet
does not currently work. For more information, see here.
VirtualBox[edit]
Screen Resolution Bug[edit]
If the display presents like the image on the right-hand side, then you are affected by a screen resolution bug which only occurs in the XFCE version of Whonix in VirtualBox. To correct the resolution, apply the following workaround.
1. Maximize the window.
2. VirtualBox VM Windows -> View -> Virtual Screen 1 -> choose any, resize to some other resolution
3. VirtualBox VM Windows -> View -> Auto-resize Guest Display
ATA Freeze[edit]
If you see the following error and freezing.
433.348893] mptscsih: ioc0: attempting target reset! (sc=ffff81021b950940) 433.348896] sd 0:0:0:0: [sda] CDB: ATA command pass through(16): 85 08 0e 00 d5 00 01 00 09 00 4f 00 c2 00 b0 00 433.605026] mptscsih: ioc0: target reset: SUCCESS (sc=ffff81021b950940
It is a known issue.
VirtualBox upstream bug report: https://www.virtualbox.org/ticket/10031
Cannot be fixed by the Whonix team. Patches required.
Hardware specific.
It has been reported that running form internal hdd works better than running from external devices.
A workaround might be "avoid high load on your host operating system". If this bug causes a lot issues to you, your only option is to switch to another platform.
Non-Qubes-Whonix[edit]
Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.
Suspend / Hibernate Issues[edit]
Short: Avoid suspending or hilbernating the computer or Whonix VMs while Whonix is running.
Long: Network Time Syncing, Troubleshooting#Clock Fix. [14]
Mounting (CD / DVD) Devices[edit]
If the device auto mounter is broken, see if Start menu -> System Settings -> Removable Media helps.
The following workaround can be used.
sudo mkdir /mnt/cdrom
sudo mount -o ro /dev/cdrom /mnt/cdrom/
Using the ro flag will mount the CD / DVD in read-only mode. If a CD / DVD is not being mounted, then drop the "-o ro" parameter.
Forum discussion:
https://forums.whonix.org/t/workstation11-doesnt-mount-hdds/1313
Help fixing this bug is welcome! (ticket)
VLC / Video Player Crash[edit]
The following workaround can be used.
(This is the default in recent builds, in Whonix 14. [15])
VLC -> Tools -> Preferences -> Video -> Output -> X11 -> Save
Network Manager Systray Unmanaged Devices[edit]
Short answer: Unmanaged devices are unrelated to Whonix functioning and should not concern the user.
Long answer: [16]
Qubes-Whonix[edit]
[edit]
In Qubes R3.2, anon-whonix in Whonix 14 does not have Qubes appmenus (start menu) entries by default. These must be manually added:
Qubes appmenu -> anon-whonix -> Add more shortcuts
This issue has been fixed in Qubes R4. [17]
Template Installation qubesctl Error[edit]
The following qubesctl error message can be safely ignored: [18]
[user@dom0 ~]$ sudo qubesctl state.sls qvm.anon-whonix [ERROR ] Command ['dnf', '--quiet', 'clean', 'expire-cache', '--disablerepo=*', '--enablerepo=qubes-templates-community-testing'] failed with return code: 1 [ERROR ] output: Error: Unknown repo: 'qubes-templates-community-testing'
Stay Tuned[edit]
Introduction[edit]
It is important to read the latest Whonix news to stay in touch with ongoing developments. This way users benefit from notifications concerning important security vulnerabilities and improved releases which address identified issues, like those affecting the updater or other core elements.
Stay Tuned[edit]
Whonix News Forums[edit]
For user convenience, there are multiple avenues for receiving news. Choose the most suitable option below.
- Whonix Important News Forum Tag (v3 onion)
- Only critical information is reported. This includes security vulnerabilities and new stable Whonix versions. It is best suited for people with very limited time and interest in Whonix development and news. - Whonix News Forums (v3 onion) - This includes everything including important news and has a relaxed posting policy. Testers-only and developers Whonix versions are announced here, along with the publishing of news about updated articles, new features, future features, development, calls for testing, general project ideas and so on.
- Other choices. [19]
If time-constrained, users should at least read the Whonix Important News Forum Tag. Follow the Whonix News Forums if detailed anonymity / privacy / security-related issues are of interest, or to follow recent Whonix developments.
Operating System Updates[edit]
As strongly recommended in the Security Guide, it is necessary to regularly check for operating system updates on the host operating system, and both the Whonix-Workstation and Whonix-Gateway.
Social Media Profiles[edit]
There are some Whonix Social Media Profiles online, but please do not rely on them for the latest Whonix News or to contact Whonix developers (see Contact for contact information).
As some users will disregard this advice, messages from the Whonix Feature Blog are automatically mirrored to the Whonix Twitter Profile and the Whonix Facebook Profile. However, they are not mirrored to the Whonix Google+ Profile. Diaspora Whonix and Tumblr accounts have also recently been established.
If it is safe to inform others about Whonix, feel free to Contribute via an anonymous account that follows or likes these profiles. This page can be shared on: Twitter | Facebook.
Source Code[edit]
If Whonix source code updates are of interest, subscribe to code changes.
Tor Bootstrap[edit]
Tor bootstrap refers to the process of attempting to connect to the Tor network (successfully or unsuccessfully). Familiar output related to this process includes: "Tor connecting xx percent...", "Tor not connected", "Tor connected" and so on. Bootstrapping does not refer to related concepts, such as whether connections are "secure", "not secure", "anonymous" or "not anonymous".
Tor Browser[edit]
Tor Browser's built-in update check mechanism also works in Whonix, so use it whenever updates become available. [20]
For additional information about Tor Browser updates see Tor Browser. Additionally, consider subscribing to https://blog.torproject.org for developments from The Tor Project.
Whonix Version Check and Whonix News[edit]
whonixcheck can provide notifications about new Whonix versions and critical Whonix News updates. [21]
Running whonixcheck[edit]
whonixcheck verifies that the Whonix system is up-to-date and that everything is in proper working order.
Users can manually run whonixcheck to check the system status by following the steps below.
How to Manually Run whonixcheck[edit]
If you are using Qubes-Whonix, complete the following steps. [22]
Qubes App Launcher (blue/grey "Q") -> click on the Whonix VM you want to check -> whonixcheck / System Check
If you are using a graphical Whonix, complete the following steps.
Start Menu -> System -> whonixcheck
If you are using a terminal-only Whonix, complete the following steps.
whonixcheck
Depending on the system specifications, whonixcheck may take up to a few minutes to run. Assuming everything is working as intended, the output should highlight each INFO heading in green (not red). A successful whonixcheck process results in output similar to the sample below.
Sample whonixcheck Output[edit]
[INFO] [whonixcheck] anon-whonix | Whonix-Workstation | {{whonix-ws}} TemplateBased AppVM | Thu Aug 9 18:09:23 UTC 2018
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases STRETCH-PROPOSED-UPDATES updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.whonix.org/wiki/Trust to understand the risk.
If you want to change this, use:
sudo whonix_repository
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get... ( Documentation: https://www.whonix.org/wiki/Update )
[INFO] [whonixcheck] Debian Package Update Check Result: No updates found via apt-get.
Whonix Repository Testers[edit]
Whonix requires a critical mass of users to properly test planned updates by enabling the stable-proposed-updates or testers repository. [23] Otherwise, bugs might go undiscovered and be inadvertently introduced into the stable repository.
To ensure a stable Whonix system is available at all times, willing testers should:
- Create new Whonix-Workstation and Whonix-Gateway TemplateVMs solely for testing.
- Enable the stable-proposed-updates or testers repository via the Whonix repository tool.
- Platform-specific advice:
- Non-Qubes-Whonix: Create a clean snapshot or use Multiple Whonix-Workstations / Multiple Whonix-Gateways.
- Qubes-Whonix: Use separate TemplateVMs and separate
sys-whonix-testandanon-whonix-testTemplateBasedVMs.
- And perform normal user activities.
Please only report bugs after first searching relevant Whonix forums and developer portals for the problem.
Footnotes[edit]
- ↑ This is required to make sure a recent version of Qubes repository definition files, Qubes salt as well as qubes-core-admin-addon-whonix gets installed.
- ↑
- ↑
- ↑ add salt download progress indicator
- ↑
If an error message appears stating that qubesctl does not exist or the command is not recognized, then it is necessary to enable the testing repository and install
salt.Please report if this was necessary for you!sudo qubes-dom0-update --best --allowerasing --enablerepo=qubes-dom0-current-testing qubes-mgmt-salt-dom0-virtual-machines
- ↑
Sometimes the Qubes Community Templates repository must also be enabled by editing
/etc/yum.repos.d/qubes-templates.repoand settingenabled = 1in the[qubes-templates-community]section. Please report if this was necessary for you! - ↑ If qubesctl still does not work, try shutting down Qubes OS and rebooting the machine. Please report if this was necessary for you!
- ↑ https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/whonix-ws-14-dvm.sls
- ↑
- In Qubes-R4 and above, RPC/qrexec UpdatesProxy is used to update TemplateVMs
- doc/software-update-vm/#technical-details-r40
- salt
- https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/updates-via-whonix.sls
- ↑ https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/_jI2uWPPMMA#!topic/qubes-users/_jI2uWPPMMA
- ↑
Set torified UpdateVM.
qubes-prefs updatevm sys-whonix
- ↑
To revert this change, run.
qubes-prefs updatevm sys-firewall
- ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
- ↑ https://github.com/QubesOS/qubes-issues/issues/1764
- ↑
- ↑
Whonix does not use network manager to manage either eth0 or eth1.
- In Non-Qubes-Whonix, networking is managed by ifupdown.
- Qubes-Whonix uses a custom /lib/systemd/system/qubes-whonix-network.service and is unaffected by this issue.
To reduce confusion, the ideal Whonix default would either: prevent the systray item starting, hide the systray item, or suppress the information being presented. Network manager is installed so users can easily setup VPNs with its intuitive graphical user interface.
All attempts to fix this long-standing issue have failed. Help is welcome to fix it.
Fix Unmanaged Devices Network Manager
- ↑ To fix this in Qubes R3.2, developers would need to backport Qubes-Whonix salt:
- ↑ https://github.com/QubesOS/qubes-issues/issues/4154
- ↑
Other choices:
- Whonix Important News Forum Tag RSS (v3 onion) .
- Whonix News Forums RSS (v3 onion) .
- Subscribe to the Whonix News Forums by e-mail. After registering at the Whonix Forums, specific categories of interest such as the Whonix News Forums can be selected.
Whonix News Forums posts are mirrored to the Whonix Development Mailing List(broken)- Whonix Social Media Profiles
- Whonix Important News Forum Tag RSS (v3 onion)
- ↑ The only exception is Tor Browser running in a DisposableVM in Qubes-Whonix, since the update will not persist.
- ↑ For example: When a version becomes unsupported, if manual user action is required, if major features break, or if security vulnerabilities are found. The policy is to use Whonix News sparingly.
- ↑
Qubes VM Manager->right-click on the Whonix VM you want to check->select "Run command in VM"
Type the following.Then press.konsole
<ENTER>
Type the following.
whonixcheck
Then press.
<ENTER>
- ↑ The developers repository is only recommended for experts or those in touch with Whonix developers.
Did you know that Whonix could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.
https | (forcing) onion
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)
Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.
Footnotes[edit]
on R4.0, After uninstalling old whonix templates, and attempting reinstallation via:
[user@dom0 ~]$ sudo qubesctl state.cls qvm.anon-whonix
'state.cls' is not available. DOM0 configuration failed, not continuing
Please help in testing new features and bug fixes in Whonix.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)
Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.