HowTo: Install the Stable Version of Qubes-Whonix ™ 14

Introduction

First time user?

Warning:

  • If you do not know what metadata or a man-in-the-middle attack is.
  • If you think nobody can eavesdrop on your communications because you are using Tor.
  • If you have no idea how Whonix works.

Then read the Design and Goals, Whonix ™ and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix is the right tool for you based on its limitations.

Installation

Qubes R4.0 or above required!

Remove Old Versions

Users who are already running any version of Qubes-Whonix ™ must uninstall it before performing a complete (re-)installation. This applies to:

Before re-installation, back up any existing data stored in Whonix VMs. This is unnecessary if users choose to upgrade Whonix 13 to 14.

In summary, users have three options:

Update dom0

To launch a dom0 terminal, click the Qubes App Launcher (blue/grey "Q") and then open the Terminal Emulator (Xfce Terminal).

Upgrade Qubes dom0. [1]

sudo qubes-dom0-update

Download Whonix ™ Templates and Configure sys-whonix and anon-whonix

The recommended approach is to use salt (wrapped by the command qubesctl in Qubes), as this one call automatically: [2]

  • Downloads both Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs.
  • Configures sys-whonix and anon-whonix safely. [3]

In dom0, run:

Before you execute the call, keep in mind that it can take a long time to execute (at least several minutes; some users reported more than 20 mins). No progress indicator is shown. Do not interrupt the salt process once it has started, or this can lead to an unstable system. The process is lengthy, particularly over Tor. [4]

sudo qubesctl state.sls qvm.anon-whonix

For troubleshooting please see footnotes: [5] [6] [7]

Optional Whonix ™ DVM Template VM

In Qubes R4 and above, users can choose to set up a whonix-ws-14-dvm DVM Template as a base for Disposable VMs. [8]

In dom0, run.

sudo qubesctl state.sls qvm.whonix-ws-dvm

Optional Updates over Tor

TemplateVMs

To force all TemplateVM updates over Tor, [9] use salt in dom0:

sudo qubesctl state.sls qvm.updates-via-whonix

To undo this setting, modify /etc/qubes-rpc/policy/qubes.UpdatesProxy in dom0. [10]

dom0

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [11]

Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [12]

Qubes Manager → System → Global Settings → Dom0 UpdateVM: sys-firewall → OK

Optional: Enable AppArmor

The following steps should be completed in dom0 for both whonix-gw-14 and whonix-ws-14 TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[13] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway ™

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-gw-14 kernelopts

Qubes R3.2 and later releases will show.

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-gw-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation ™

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-ws-14 kernelopts

Qubes R3.2 and later releases will show.

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-ws-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0
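
The Gateway and Workstation steps above assume the current kernelopts value is exactly "nopat". The following dom0 script is an added example, not part of the Whonix documentation: it keeps whatever options a qube already has and goes slightly beyond the steps by replacing an existing apparmor= or security= value instead of duplicating it. The script name apparmor-kernelopts.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki. Run in dom0.
APPARMOR_OPTS="apparmor=1 security=apparmor"

# merge_kernelopts CURRENT
# Prints CURRENT with the AppArmor parameters appended. Every other option is
# kept in its original order; an existing apparmor=... or security=... value
# is dropped first, so the result never carries two conflicting settings.
merge_kernelopts() {
    merged=""
    for opt in $1; do
        case $opt in
            apparmor=*|security=*) ;;                  # replaced below
            *) merged="${merged:+$merged }$opt" ;;
        esac
    done
    printf '%s\n' "${merged:+$merged }$APPARMOR_OPTS"
}

# enable_apparmor QUBE...
# Reads and writes kernelopts with the same qvm-prefs calls the steps use.
enable_apparmor() {
    for qube in "$@"; do
        current=$(qvm-prefs -g "$qube" kernelopts) || return 1
        wanted=$(merge_kernelopts "$current")
        if [ "$current" = "$wanted" ]; then
            echo "$qube: already set: $current"
        else
            qvm-prefs -s "$qube" kernelopts "$wanted" || return 1
            echo "$qube: '$current' -> '$wanted'"
        fi
    done
}

# Qubes are changed only when named on the command line, for example:
#   sh apparmor-kernelopts.sh whonix-gw-14 sys-whonix whonix-ws-14 anon-whonix
if [ "$#" -gt 0 ] && command -v qvm-prefs >/dev/null 2>&1; then
    enable_apparmor "$@"
fi
```

Afterwards, confirm inside sys-whonix and anon-whonix with the aa-status check shown above.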

Update and Launch Applications

Before starting applications in the Whonix-Workstation ™ AppVM, update both Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs.

To launch an application like Tor Browser:

Qubes App Launcher (blue/grey "Q") → Domain: anon-whonix → Tor Browser (AnonDist)

To learn about known bugs affecting this release, see here.

Additional Information

Known Bugs

All Platforms

"apt-get source package" will show "dpkg-source: warning: failed to verify signature"

This is not a security issue, but only a warning. Read the entire thread here for more information.

This warning message can be removed with the following workaround.

1. Modify /etc/dpkg/origins/default

sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/debian /etc/dpkg/origins/default

2. Download the source package.

apt-get source package

3. Undo afterwards to prevent unexpected issues.

sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/whonix /etc/dpkg/origins/default
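
The three steps above can be wrapped so that step 3 always runs, even when the download fails or is interrupted. This is an added example, not part of the Whonix documentation; it replaces the link with a single ln -sfn instead of unlink followed by ln -s, and the ORIGINS_DIR and SUDO variables and the script name apt-source-origin.sh are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki.
ORIGINS_DIR=${ORIGINS_DIR:-/etc/dpkg/origins}   # overridable for a dry run
SUDO=${SUDO-sudo}                                # set SUDO= when already root

# with_debian_origin COMMAND [ARGS...]
# Step 1: point "default" at "debian". Step 2: run COMMAND as the calling
# user. Step 3: point "default" back at its previous target (the whonix file
# on a Whonix system), whether COMMAND succeeded or not.
# Returns COMMAND's exit status, or 1 if the link could not be switched back.
with_debian_origin() {
    link="$ORIGINS_DIR/default"
    previous=$(readlink "$link") || {
        echo "$link is not a symlink, leaving it alone" >&2
        return 1
    }
    # If the shell is signalled mid-download, still undo the change.
    trap '$SUDO ln -sfn "$previous" "$link"' INT TERM HUP
    $SUDO ln -sfn "$ORIGINS_DIR/debian" "$link" || { trap - INT TERM HUP; return 1; }
    status=0
    "$@" || status=$?
    $SUDO ln -sfn "$previous" "$link" || status=1
    trap - INT TERM HUP
    return "$status"
}

# Example: sh apt-source-origin.sh package   (runs "apt-get source package")
if [ "$#" -gt 0 ]; then
    with_debian_origin apt-get source "$@"
fi
```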

Proxychains Tor Browser Issue

Using Tor Browser in conjunction with proxychains for the connection scheme User → Tor → Proxy → Internet does not currently work. For more information, see here.

VirtualBox

ATA Freeze

If you see the following error accompanied by freezing:

433.348893] mptscsih: ioc0: attempting target reset! (sc=ffff81021b950940)
433.348896] sd 0:0:0:0: [sda] CDB: ATA command pass through(16): 85 08
0e 00 d5 00 01 00 09 00 4f 00 c2 00 b0 00
433.605026] mptscsih: ioc0: target reset: SUCCESS (sc=ffff81021b950940

It is a known issue and hardware-specific - VirtualBox upstream bug report: https://www.virtualbox.org/ticket/10031
This cannot be fixed by the Whonix team and patches are required.

It has been reported that running from internal hdd works better than running from external devices.
A workaround might be "avoid high load on your host operating system." If this bug causes a lot of problems, then your only option is to switch to another platform.

Screen Resolution Bug

If the display presents like the image on the right-hand side, then you are affected by a screen resolution bug which only occurs in the XFCE version of Whonix in VirtualBox. To correct the resolution, apply the following workaround.

  1. Maximize the window.
  2. VirtualBox VM Window → View → Virtual Screen 1 → Choose any, resize to another resolution
  3. VirtualBox VM Window → View → Auto-resize Guest Display

Non-Qubes-Whonix

Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.

Mounting (CD / DVD) Devices

If the device auto mounter is broken, see if Start menu → System Settings → Removable Media helps.

The following workaround can be used.

sudo mkdir /mnt/cdrom
sudo mount -o ro /dev/cdrom /mnt/cdrom/

Using the ro flag will mount the CD / DVD in read-only mode. If a CD / DVD is not being mounted, then drop the "-o ro" parameter.

Forum discussion:
https://forums.whonix.org/t/workstation11-doesnt-mount-hdds/1313

Help fixing this bug is welcome! (ticket)

Network Manager Systray Unmanaged Devices

Short answer: Unmanaged devices are unrelated to Whonix functioning and should not concern the user.
Long answer: [14]

Suspend / Hibernate Issues

Short: Avoid suspending or hibernating the computer or Whonix VMs while Whonix is running.

Long: Network Time Syncing, Clock Fix. [15]

VLC / Video Player Crash

The following workaround can be used; this is the default in recent builds (like Whonix 14). [16]

VLC → Tools → Preferences → Video → Output → X11 → Save

Stay Tuned

Follow Whonix ™ Developments and news to remain informed about security vulnerabilities and improved packages/releases which address identified issues.

Footnotes

In Qubes R4.0, after uninstalling old Whonix ™ templates and attempting reinstallation via:

[user@dom0 ~]$ sudo qubesctl state.cls qvm.anon-whonix
The result is.
'state.cls' is not available.
DOM0 configuration failed, not continuing
Solution: Restarting after uninstalling old Whonix ™ versions.

  1. This is required to make sure a recent version of Qubes repository definition files, Qubes salt as well as qubes-core-admin-addon-whonix gets installed.
  2. add salt download progress indicator
  3. If an error message appears stating that qubesctl does not exist or the command is not recognized, then it is necessary to enable the testing repository and install salt.
    sudo qubes-dom0-update --best --allowerasing --enablerepo=qubes-dom0-current-testing qubes-mgmt-salt-dom0-virtual-machines
    Please report if this was necessary for you!
  4. Sometimes the Qubes Community Templates repository must also be enabled by editing /etc/yum.repos.d/qubes-templates.repo and setting enabled = 1 in the [qubes-templates-community] section. Please report if this was necessary for you!
  5. If qubesctl still does not work, try shutting down Qubes OS and rebooting the machine. Please report if this was necessary for you!
  6. https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/whonix-ws-14-dvm.sls
  7. https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/_jI2uWPPMMA#!topic/qubes-users/_jI2uWPPMMA
  8. Or manually set the torified UpdateVM in dom0 terminal.
    qubes-prefs updatevm sys-whonix
  9. To revert this change in dom0 terminal, run.
    qubes-prefs updatevm sys-firewall
  10. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
  11. Whonix does not use network manager to manage either eth0 or eth1. It is unnecessary to port to network manager at this point, because there is no reason besides this issue. Ifupdown has functioned admirably in Whonix for a long time and is well tested. It is unclear if network manager, specifically cli, is ready for the prime time yet. Network manager is simply reporting information that it does not manage these devices; this is not an error.
    To reduce confusion, the ideal Whonix default would either: prevent the systray item starting, hide the systray item, or suppress the information being presented. Network manager is installed so users can easily setup VPNs with its intuitive graphical user interface.
    All attempts to fix this long-standing issue have failed. Help is welcome to fix it.
    Fix Unmanaged Devices Network Manager
  12. https://github.com/QubesOS/qubes-issues/issues/1764

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)