
Remote Administration

From Whonix



Introduction

Warning

Remote administration of any system should be considered a potential anonymity hazard, since the remote system is not under the user's physical protection and could be compromised. Every activity, every program, everything on it should be assumed to be monitored by the host of the server (VPS, dedicated server, etc.).

Although counter-intuitive, it is necessary to follow all relevant recommendations in the Surfing Posting Blogging chapter to stay safe.

At a minimum, check that the connection is encrypted and authenticated, because Virtual Network Computing (VNC) [archive] by default is unencrypted and, depending on the server, offers either no authentication or only a weak password challenge. Possible methods:

  • Tunneling VNC through SSH;
  • Running VNC through a Tor Onion Service;
  • Using both SSH and an Onion Service, for stronger encryption and authentication; or
  • Onion Services Authentication.
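The following added example (editor's code, not part of the Whonix page or of any Whonix tool) shows what "check that the connection is encrypted and authenticated" means on the wire for VNC. It parses the security-types message an RFB 3.7/3.8 server sends before any credentials are exchanged, using the type numbers from the RFB specification, and says whether the server could be used without a tunnel at all. The two server messages at the bottom are constructed for the example; probe_vnc() is the only function that touches the network.

```python
"""Classify what a VNC server offers before any credentials are sent (RFB 3.7/3.8).

Added example, not code from the Whonix page or any Whonix tool. After the
ProtocolVersion exchange an RFB 3.7/3.8 server sends one byte (number of
security types) followed by that many type bytes. Type 1 ("None") needs no
credentials and type 2 ("VNC Authentication") only protects the password
with a DES challenge; neither encrypts the session, so a server offering
only those is safe to use only through an SSH tunnel or an onion service.
"""
import socket
from typing import Dict, List, Tuple

# Security-type numbers registered in the RFB protocol specification.
RFB_SECURITY_TYPES: Dict[int, str] = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    17: "Ultra",
    18: "TLS",
    19: "VeNCrypt",
}
# Types that can wrap the channel in TLS; everything else is cleartext on the wire.
TLS_CAPABLE_TYPES = {18, 19}


def parse_security_types(message: bytes) -> List[Tuple[int, str]]:
    """Parse the server's SecurityTypes message into (number, name) pairs."""
    if not message:
        raise ValueError("empty security-types message")
    count = message[0]
    if count == 0:
        # The server refused the connection: a U32 length and a reason string follow.
        reason_len = int.from_bytes(message[1:5], "big")
        reason = message[5:5 + reason_len].decode("latin-1", "replace")
        raise ValueError(f"server refused connection: {reason}")
    types = list(message[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types message")
    return [(t, RFB_SECURITY_TYPES.get(t, f"unknown({t})")) for t in types]


def assess_vnc_security(message: bytes) -> dict:
    """Decide whether the session could be encrypted and authenticated without a tunnel."""
    offered = parse_security_types(message)
    numbers = {t for t, _ in offered}
    allows_no_auth = 1 in numbers
    offers_tls = bool(numbers & TLS_CAPABLE_TYPES)
    return {
        "offered": [name for _, name in offered],
        "allows_no_auth": allows_no_auth,
        "offers_tls": offers_tls,
        # A tunnel (SSH or onion service) is needed unless TLS is available and the
        # server cannot be talked down to the unauthenticated "None" type.
        "needs_tunnel": (not offers_tls) or allows_no_auth,
    }


def probe_vnc(host: str, port: int = 5900, timeout: float = 10.0) -> dict:
    """Run the version exchange against a live server and assess its offer.

    Not exercised offline. On Whonix-Workstation connections are torified
    transparently, so a .onion host name can be passed here unchanged.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)                   # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {banner!r}")
        sock.sendall(b"RFB 003.008\n")           # request protocol 3.8
        return assess_vnc_security(sock.recv(256))


# Constructed sample: a stock server offering only "None" and "VNC Authentication".
SAMPLE_CLEARTEXT_SERVER = b"\x02\x01\x02"
# Constructed sample: a VeNCrypt-capable server that does not offer "None".
SAMPLE_VENCRYPT_SERVER = b"\x02\x13\x02"

if __name__ == "__main__":
    for label, msg in (("stock", SAMPLE_CLEARTEXT_SERVER), ("vencrypt", SAMPLE_VENCRYPT_SERVER)):
        print(label, assess_vnc_security(msg))
```

Against a live server, probe_vnc("<onion address>", 5900) runs the same classification on the real handshake. A result with needs_tunnel set is exactly the case the list above is about: put the session through SSH or an onion service instead of relying on the VNC password, and note that even a VeNCrypt-capable server is only as good as the sub-type it ends up negotiating.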

UDP

Use software that does not require the User Datagram Protocol (UDP), for the following reason.

Note: The Tor software does not yet support UDP, [1] although Tor does handle DNS lookups through its DnsPort.

If UDP is urgently required in Whonix ™, a limited workaround is available. For the most secure method, see Tunnel UDP over Tor.

Remmina

It is possible to remotely administer any operating system from GNU/Linux by using the Remmina [archive] desktop client. Remmina supports multiple network protocols, including RDP, VNC, SPICE, NX, XDMCP, SSH and EXEC. For an overview of Remmina features, see here [archive].

Note there are two separate Debian packages:

  • remmina: the main GTK+ application.
  • remmina-plugins: a set of plugins to support various network protocols.

Install remmina.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the remmina package.

sudo apt-get install remmina

Installation of remmina is complete.

If you are interested in using Remmina, please first search the forums for this topic: https://forums.whonix.org/search?q=remmina [archive]

SSH into Whonix ™

Introduction

It is possible to install an SSH server on Whonix-Gateway ™, on Whonix-Workstation ™ or on both, and make it accessible through an anonymous onion service.

SSH into Whonix-Gateway

1. Update the package lists and install necessary software.

sudo apt-get update

Install the openssh-server package.

sudo apt-get install --no-install-recommends openssh-server

2. Optionally harden SSH.

3. Make necessary Whonix-Gateway ™ adjustments.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add.

HiddenServiceDir /var/lib/tor/gateway_ssh_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceVersion 3

Save.

4. Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

5. Retrieve the Tor onion service hostname.

sudo cat /var/lib/tor/gateway_ssh_service/hostname

Reminder: Always back up the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway ™, after HDD/SSD failure, etc. Its location is shown below; root permission is required to access it. Anyone holding this key can impersonate the onion service, so the backup must be protected as carefully as the gateway itself.

/var/lib/tor/gateway_ssh_service/hs_ed25519_secret_key

Qubes-Whonix ™

Use the usual Qubes tools. The following example shows how to copy /var/lib/tor/gateway_ssh_service/hs_ed25519_secret_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/gateway_ssh_service/hs_ed25519_secret_key

The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.

/home/user/QubesIncoming/sys-whonix/hs_ed25519_secret_key

Consider moving the file from the QubesIncoming folder to another preferred location.

Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.

Non-Qubes-Whonix ™

TODO document
Also see: File Transfer.
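As an added example for step 2 of this procedure (and for the same step in the Whonix-Workstation ™ procedure below), not taken from the Whonix page or from the linked SSH hardening page: a small audit of sshd_config that applies OpenSSH's first-value-wins rule. Which settings to require is the editor's suggestion: key-only login, no root login, and a ListenAddress that matches the HiddenServicePort target (127.0.0.1 on Whonix-Gateway ™, so that sshd is reachable only through the onion service and not from the internal network; the workstation's own address on Whonix-Workstation ™). The two sample configurations are constructed.

```python
"""Audit an sshd_config for the settings that matter when sshd sits behind an onion service.

Added example, not from the Whonix page, the Whonix project or the linked SSH
hardening page; the required settings are the editor's suggestions. Two
sshd_config rules drive the logic: keywords are case-insensitive and, for each
keyword, the first value obtained wins (later lines are ignored), and a "Match"
line ends the global section, after which values apply only conditionally.
Files pulled in by "Include" are not followed here.
"""
from typing import Dict, List, Set, Tuple

# OpenSSH upstream defaults for the keywords audited below.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
AUDITED = ("passwordauthentication", "permitrootlogin", "pubkeyauthentication", "listenaddress")


def parse_sshd_config(text: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return ({keyword: [values in file order]} for the global section,
    {keywords that are set again inside Match blocks})."""
    global_found: Dict[str, List[str]] = {}
    match_keywords: Set[str] = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            match_keywords.add(keyword)
        else:
            global_found.setdefault(keyword, []).append(value)
    return global_found, match_keywords


def effective(found: Dict[str, List[str]], keyword: str) -> str:
    """First value wins; otherwise the OpenSSH default."""
    values = found.get(keyword)
    return values[0].lower() if values else DEFAULTS[keyword]


def listen_hosts(values: List[str]) -> List[str]:
    """Strip ':port' and 'rdomain' parts from ListenAddress values, IPv6 included."""
    hosts = []
    for v in values:
        v = v.split()[0]                                  # drop "rdomain X"
        hosts.append(v[1:].split("]")[0] if v.startswith("[") else v.split(":")[0])
    return hosts


def audit_sshd_config(text: str, expected_listen: str = "127.0.0.1") -> List[Tuple[str, bool, str]]:
    """Return (check, passed, detail) triples.

    expected_listen is the address the onion service forwards to: 127.0.0.1 on
    Whonix-Gateway (HiddenServicePort 22 127.0.0.1:22), the workstation's own
    internal address on Whonix-Workstation.
    """
    found, overridden = parse_sshd_config(text)
    password = effective(found, "passwordauthentication")
    root = effective(found, "permitrootlogin")
    pubkey = effective(found, "pubkeyauthentication")
    hosts = listen_hosts(found.get("listenaddress", []))
    overrides = sorted(k for k in overridden if k in AUDITED)
    return [
        ("PasswordAuthentication no", password == "no", f"effective: {password}"),
        ("PermitRootLogin no", root == "no", f"effective: {root}"),
        ("PubkeyAuthentication yes", pubkey == "yes", f"effective: {pubkey}"),
        ("ListenAddress restricted", bool(hosts) and all(h == expected_listen for h in hosts),
         "listens on: " + (", ".join(hosts) if hosts else "all addresses")),
        ("no Match overrides", not overrides,
         "re-set in Match blocks: " + (", ".join(overrides) if overrides else "none")),
    ]


# Constructed sample: a Debian-style file with a late "hardening" line that is
# ignored, and a Match block that re-enables passwords for the internal network.
SAMPLE_WEAK = """\
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no   # too late: the first value above wins
Match Address 10.152.152.0/18
    PasswordAuthentication yes
"""

# Constructed sample: the intended Whonix-Gateway configuration.
SAMPLE_HARDENED = """\
ListenAddress 127.0.0.1:22
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        for check, passed, detail in audit_sshd_config(sample):
            print(f"{name:9}{'PASS' if passed else 'FAIL'}  {check} ({detail})")
```

Run it against the real file with audit_sshd_config(open("/etc/ssh/sshd_config").read()) and, on the workstation, pass its internal address as expected_listen. If the distribution's sshd_config begins with an Include line, the included drop-ins are read first and therefore win over anything later in the main file, so that is where the hardened values belong; the auditor does not follow Include, so check the drop-ins separately.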

SSH into Whonix-Workstation

1. Update the package lists and install necessary software.

sudo apt-get update

Install the openssh-server package.

sudo apt-get install --no-install-recommends openssh-server

2. Optionally harden SSH.

3. Make necessary Whonix-Gateway ™ adjustments. The onion service is configured on the gateway even though sshd runs on the workstation, because Tor only runs on Whonix-Gateway ™.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add.

Qubes-Whonix ™ note: 10.152.152.11:22 cannot be used, because a Whonix-Workstation ™ AppVM does not have that address. See the Onion Services page (/qubes-ip) for how to determine the correct address.

HiddenServiceDir /var/lib/tor/workstation_ssh_service/
HiddenServicePort 22 10.152.152.11:22
HiddenServiceVersion 3

Save.

4. Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

5. Retrieve the Tor onion service hostname.

sudo cat /var/lib/tor/workstation_ssh_service/hostname

Reminder: Always back up the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway ™, after HDD/SSD failure, etc. Its location is shown below; root permission is required to access it. Anyone holding this key can impersonate the onion service, so the backup must be protected as carefully as the gateway itself.

/var/lib/tor/workstation_ssh_service/hs_ed25519_secret_key

Qubes-Whonix ™

Use the usual Qubes tools. The following example shows how to copy the /var/lib/tor/workstation_ssh_service/hs_ed25519_secret_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/workstation_ssh_service/hs_ed25519_secret_key

The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.

/home/user/QubesIncoming/sys-whonix/hs_ed25519_secret_key

Consider moving the file from the QubesIncoming folder to another preferred location.

Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.

Non-Qubes-Whonix ™

TODO document
Also see: File Transfer.

6. Adjust Whonix-Workstation ™ firewall settings.

Modify the Whonix-Workstation ™ User Firewall Settings.

Note: If no changes have yet been made to the Whonix firewall settings, the Whonix User Firewall Settings file /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist yet). This is expected.

If using Qubes-Whonix ™, complete these steps.

In the Whonix-Workstation ™ AppVM, make sure the folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

Background: The Whonix Global Firewall Settings file /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains the default settings and explanatory comments about their purpose. It is for reference only and must not be edited, since Whonix updates may overwrite it; it can be viewed without root rights. It contains the following comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation ™, complete these steps.

In Whonix-Workstation ™, open the global whonix_firewall configuration file in an editor, without root rights, to read it.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Then add the following line to the user settings file /usr/local/etc/whonix_firewall.d/50_user.conf opened above. It opens TCP port 22 on the workstation's internal interface so that connections forwarded by Tor on Whonix-Gateway ™ can reach sshd; without it, the workstation firewall drops them.

EXTERNAL_OPEN_PORTS+=" 22 "

Save.

7. Reload the firewall.

Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run.

sudo whonix_firewall
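The hostname retrieved in step 5 is self-authenticating: a v3 onion address encodes the service's ed25519 public key together with a checksum, so a mistyped or tampered hostname, or a hostname file that no longer matches a restored key, can be detected offline without contacting anything. The following added example (editor's code, not from the Whonix page or the Tor project) performs that check and also confirms that the torrc fragment from step 3 for a given HiddenServiceDir is complete and version 3. It covers both this procedure and the Whonix-Gateway ™ one above; the public key, hostname file and torrc text it uses are constructed, and the real files under the HiddenServiceDir need root to read.

```python
"""Check that an onion-service hostname, its public key and the torrc fragment agree.

Added example, not code from the Whonix page or the Tor project. It relies on
the documented v3 onion address construction

    onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    VERSION       = 0x03

and on the layout of tor's hs_ed25519_public_key file: a 32-byte tag
"== ed25519v1-public: type0 ==" padded with NUL bytes, then the 32-byte key.
The public key, hostname file and torrc text below are constructed.
"""
import base64
import hashlib
import re
from typing import Optional

ONION_VERSION = b"\x03"
PUBKEY_FILE_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")
ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that binds the key and version byte into the address."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def encode_onion(pubkey: bytes, checksum: bytes, version: bytes) -> str:
    """Base32-encode the 35-byte address body (56 characters, no padding)."""
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion name from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return encode_onion(pubkey, onion_checksum(pubkey), ONION_VERSION)


def verify_onion_address(address: str) -> Optional[bytes]:
    """Return the embedded public key if the address is well formed with a valid
    checksum and version, else None. A mistyped or altered name fails here
    before any connection is attempted."""
    address = address.strip().lower()
    if not ONION_RE.match(address):
        return None
    raw = base64.b32decode(address[:-6].upper())          # exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


def pubkey_from_file_bytes(data: bytes) -> bytes:
    """Extract the key from the contents of hs_ed25519_public_key."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_TAG:
        raise ValueError("not a tor hs_ed25519_public_key file")
    return data[32:]


def hidden_service_from_torrc(torrc: str, service_dir: str) -> Optional[str]:
    """Return the 'host:port' target of the HiddenServicePort line that follows the
    given HiddenServiceDir, or None if that block is missing or not version 3."""
    wanted = service_dir.rstrip("/")
    current, target, version = None, None, None
    for line in torrc.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        key, args = fields[0], fields[1:]
        if key == "HiddenServiceDir" and args:
            if current == wanted:
                break                                     # left the block of interest
            current, target, version = args[0].rstrip("/"), None, None
        elif current == wanted and key == "HiddenServicePort" and args:
            # "VIRTPORT [TARGET]"; tor defaults TARGET to 127.0.0.1:VIRTPORT.
            target = args[1] if len(args) > 1 else f"127.0.0.1:{args[0]}"
        elif current == wanted and key == "HiddenServiceVersion" and args:
            version = args[0]
    if current != wanted or version != "3":
        return None
    return target


def check_onion_service(hostname_text: str, pubkey_file: bytes, torrc: str, service_dir: str) -> dict:
    """Cross-check the hostname file, the public key file and the torrc fragment."""
    embedded = verify_onion_address(hostname_text)
    from_file = pubkey_from_file_bytes(pubkey_file)
    return {
        "hostname_valid": embedded is not None,
        "hostname_matches_key": embedded == from_file,
        "torrc_target": hidden_service_from_torrc(torrc, service_dir),
    }


# Constructed sample data standing in for the files under /var/lib/tor/.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_PUBKEY_FILE = PUBKEY_FILE_TAG + SAMPLE_PUBKEY
SAMPLE_HOSTNAME = onion_address(SAMPLE_PUBKEY) + "\n"
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/gateway_ssh_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceVersion 3

HiddenServiceDir /var/lib/tor/workstation_ssh_service/
HiddenServicePort 22 10.152.152.11:22
HiddenServiceVersion 3
"""

if __name__ == "__main__":
    print(SAMPLE_HOSTNAME.strip())
    print(check_onion_service(SAMPLE_HOSTNAME, SAMPLE_PUBKEY_FILE, SAMPLE_TORRC,
                              "/var/lib/tor/workstation_ssh_service/"))
```

On the gateway, feed it the real hostname and hs_ed25519_public_key files from the HiddenServiceDir (read as root) and /usr/local/etc/torrc.d/50_user.conf. A hostname that verifies but does not match the key file means the hostname file is stale relative to the key, which is what a partially restored backup looks like; since tor derives the hostname file from the key when it loads the service, reload Tor and read the hostname again. The check on the remote-support side is the mirror image: verify_onion_address() on the name you were given rejects transcription errors before any connection is made.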

Graphical

Introduction

It is possible to install a graphical remote-desktop server (VNC, or x2go as documented below) on Whonix-Gateway ™, on Whonix-Workstation ™ or on both, and make it accessible through an anonymous onion service.

x2go

Installation

1. Set up SSH first as per the chapters above.

This is because x2go runs over SSH. x2go may be incompatible with SSH hardening. It has been reported that x2go does not work with password-protected SSH keys, but this was not investigated further or reported upstream.

2. Update the package lists and install necessary software.

Either on Whonix-Gateway ™ or Whonix-Workstation ™, depending on where it should be accessible.

sudo apt-get update

Install the x2goserver package.

sudo apt-get install --no-install-recommends x2goserver

Usage

In the remote-support-provider VM, start x2goclient in a Whonix-Workstation ™. [2]

As user, run x2goclient and set up a new session as follows:

  • host: the onion v3 domain
  • login: the user name such as user
  • password: the user login password such as changeme
  • session type: connect to local desktop
  • media -> disable client side printing support
  • media -> disable sound support
  • settings for better performance
    • connection -> connection speed -> WAN
    • connection -> image quality 0
    • connection -> method -> 8-jpeg
    • feel free to experiment with these settings
  • OK
  • Click on the newly setup connection
  • OK

Alternatively, the session type terminal could be used.

Test Results

Using Non-Qubes-Whonix ™. All times were measured with an external stopwatch and carry roughly ±2 seconds of human error.

  • keypress delay: 2 seconds
  • maximize xfce4-terminal-emulator window: 1.5 seconds
  • cd /etc && ls -la: 2 seconds
  • clock in systray (shows seconds) update: every 1 or 2 seconds
  • start thunar: 5 seconds

Using Qubes / Qubes-Whonix is a lot slower, has additional challenges and is still under development, see Dev/Qubes_Remote_Support.

See Also

Help Wanted

Please contribute by helping to create full working instructions for Whonix ™! See: add user documentation for Remote Administration, Keystroke Fingerprinting, Stylometry [archive].

Future Research

[1] Comparing VNC, NX (x2go) and SPICE: VNC sends the least amount of data. NX has stable performance regardless of bandwidth conditions; however, one disadvantage I came across is that it is heavily tied to X11 and therefore not future-proof. https://bbs.archlinux.org/viewtopic.php?id=225765 [archive]

[1] http://www.diva-portal.org/smash/get/diva2:530960/FULLTEXT01.pdf [archive]

VNC performance depends heavily on implementation details. TigerVNC is better than RealVNC, but Remmina is said to be better than Tiger. "A 2010 reviewer found the TigerVNC product "much faster than Vinagre <https://en.wikipedia.org/wiki/Vinagre [archive]>, but not quite as responsive as Remmina <https://en.wikipedia.org/wiki/Remmina [archive]>"" https://en.wikipedia.org/wiki/TigerVNC [archive]

Tiger can be further optimized for constrained environments by ratcheting up the compression and lowering the JPEG quality. NB: TurboVNC isn't in Debian and it seems geared towards 3D usage. https://turbovnc.org/About/TigerVNC [archive]

Footnotes

  1. https://trac.torproject.org/projects/tor/ticket/7830 [archive]
  2. Or any other system with transparent torification. It cannot be easily made to work using socksifier torsocks.


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
