Remote Administration
From Whonix
Introduction
Warning
Remote administration of any system should be considered a potential anonymity hazard, since it is not under the user's physical protection and could be compromised. All activities, all programs, everything should be assumed to be monitored by the host of the server (VPS, dedicated server, etc.).
Although counter-intuitive, it is necessary to follow all relevant recommendations in the Surfing Posting Blogging chapter to stay safe:
- Beware of Keystroke and Mouse Fingerprinting.
- Beware of Stylometry.
- Beware of difficulties in paying anonymously, see Money.
At a minimum, check that the connection is encrypted and authenticated, because Virtual Network Computing (VNC) [archive] is unencrypted and unauthenticated by default. Possible methods:
- Perhaps by tunneling VNC through SSH;
- Running VNC through a Tor Onion Service;
- Using both SSH and an Onion Service, for stronger encryption and authentication; or
- Onion Services Authentication.
UDP
It is suggested to use software that does not require the User Datagram Protocol (UDP), for the following reason: the Tor software does not yet support UDP, [1] although Tor provides a DnsPort.
If UDP is urgently required in Whonix ™, a limited workaround is provided. For the most secure method, see Tunnel UDP over Tor.
Remmina
It is possible to remotely administer any operating system from GNU/Linux by using the Remmina [archive] desktop client. Remmina supports multiple network protocols, including RDP, VNC, SPICE, NX, XDMCP, SSH and EXEC. For an overview of Remmina features, see here [archive].
Note there are two separate Debian packages:
- remmina: the main GTK+ application.
- remmina-plugins: a set of plugins to support various network protocols.
Install remmina.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the remmina package.
Using the apt-get command line parameter --no-install-recommends is in most cases optional.
sudo apt-get install --no-install-recommends remmina
The procedure of installing remmina is complete.
If you are interested in using Remmina, please first search the forums for this topic: https://forums.whonix.org/search?q=remmina [archive]
SSH into Whonix ™
Introduction
It is possible to install an SSH server on Whonix-Gateway ™, Whonix-Workstation ™, or both, and make it accessible through an anonymous onion service.
SSH into Whonix-Gateway
1. Update the package lists and install necessary software.
sudo apt-get update
Install the openssh-server package.
sudo apt-get install --no-install-recommends openssh-server
2. Optionally harden SSH.
3. Make necessary Whonix-Gateway ™ adjustments.
Open /usr/local/etc/torrc.d/50_user.conf.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)
→ Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway ™, complete the following steps.
sudo nano /usr/local/etc/torrc.d/50_user.conf
Add.
HiddenServiceDir /var/lib/tor/gateway_ssh_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceVersion 3
Save.
4. Reload Tor.
After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf
and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')
→ Reload Tor
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ Reload Tor
If you are using a terminal-only Whonix-Gateway ™, click HERE for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a message saying:
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
5. Retrieve the Tor onion service URL.
sudo cat /var/lib/tor/gateway_ssh_service/hostname
Reminder: Always back up the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway ™, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.
/var/lib/tor/gateway_ssh_service/hs_ed25519_secret_key
Use the usual Qubes tools. The following example shows how to copy /var/lib/tor/gateway_ssh_service/hs_ed25519_secret_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.
sudo qvm-copy-to-vm vault /var/lib/tor/gateway_ssh_service/hs_ed25519_secret_key
The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.
/home/user/QubesIncoming/sys-whonix/hs_ed25519_secret_key
Consider moving the file from the QubesIncoming folder to another preferred location.
Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.
TODO document
Also see: File Transfer.
SSH into Whonix-Workstation
1. Update the package lists and install necessary software.
sudo apt-get update
Install the openssh-server package.
sudo apt-get install --no-install-recommends openssh-server
2. Optionally harden SSH.
3. Make necessary Whonix-Gateway ™ adjustments.
Open /usr/local/etc/torrc.d/50_user.conf.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)
→ Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway ™, complete the following steps.
sudo nano /usr/local/etc/torrc.d/50_user.conf
Add.
Qubes-Whonix Note: Cannot use 10.152.152.11:22. See page Onion Services for /qubes-ip.
HiddenServiceDir /var/lib/tor/workstation_ssh_service/
HiddenServicePort 22 10.152.152.11:22
HiddenServiceVersion 3
Save.
4. Reload Tor.
After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf
and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')
→ Reload Tor
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu
→ Applications
→ Settings
→ Reload Tor
If you are using a terminal-only Whonix-Gateway ™, click HERE for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a message saying:
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
5. Retrieve the Tor onion service URL.
sudo cat /var/lib/tor/workstation_ssh_service/hostname
Reminder: Always back up the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway ™, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.
/var/lib/tor/workstation_ssh_service/hs_ed25519_secret_key
Use the usual Qubes tools. The following example shows how to copy the /var/lib/tor/workstation_ssh_service/hs_ed25519_secret_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.
sudo qvm-copy-to-vm vault /var/lib/tor/workstation_ssh_service/hs_ed25519_secret_key
The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.
/home/user/QubesIncoming/sys-whonix/hs_ed25519_secret_key
Consider moving the file from the QubesIncoming folder to another preferred location.
Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.
TODO document
Also see: File Transfer.
6. Adjust Whonix-Workstation ™ firewall settings.
Modify Whonix-Workstation ™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In the Whonix-Workstation ™ AppVM, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ AppVM (commonly called anon-whonix)
→ Whonix User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ System
→ User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings:
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q")
→ Template:
whonix-ws-15
→ Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu
→ Applications
→ Settings
→ Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
Add the following line to the user firewall settings file /usr/local/etc/whonix_firewall.d/50_user.conf (opened above), not to the global defaults file.
EXTERNAL_OPEN_PORTS+=" 22 "
Save.
7. Reload the firewall.
Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q")
→ Whonix-Workstation ™ AppVM (commonly named anon-whonix)
→ Reload Whonix Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu
→ Applications
→ System
→ Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
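Both SSH sections above depend on two hand-edited lines: the three-line HiddenService stanza in /usr/local/etc/torrc.d/50_user.conf (step 3, for the Gateway and the Workstation variant) and the EXTERNAL_OPEN_PORTS line in the user firewall file (step 6). The following shell script is an added example, not part of the Whonix wiki or the Whonix project, that checks constructed copies of those settings offline and also validates the v3 hostname format that Tor writes in step 5; the function names and sample config text are assumptions, while the paths, ports and addresses are the ones the page uses.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki or the Whonix project: offline sanity
# checks for the two hand-edited lines in the procedure above. The config text
# below is constructed; the paths, ports and addresses are the ones the page uses.

# is_v3_onion NAME: succeeds if NAME has the v3 form Tor writes to the hostname
# file (56 base32 characters followed by ".onion").
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# check_hs_stanza TORRC_TEXT DIR TARGET: succeeds only if TORRC_TEXT carries the
# three lines the page asks for, each on its own line. The return code says which
# one is missing: 1 = HiddenServiceDir DIR, 2 = HiddenServicePort 22 TARGET,
# 3 = HiddenServiceVersion 3. A stanza run together on one line fails with 1.
check_hs_stanza() {
    text=$1
    dir=$(printf '%s' "$2" | sed 's#/*$##; s/\./\\./g')   # drop trailing /, escape dots
    target=$(printf '%s' "$3" | sed 's/\./\\./g')
    printf '%s\n' "$text" | grep -Eq "^HiddenServiceDir[[:space:]]+$dir/?[[:space:]]*$" || return 1
    printf '%s\n' "$text" | grep -Eq "^HiddenServicePort[[:space:]]+22[[:space:]]+$target[[:space:]]*$" || return 2
    printf '%s\n' "$text" | grep -Eq '^HiddenServiceVersion[[:space:]]+3[[:space:]]*$' || return 3
}

# firewall_opens_port CONF_TEXT PORT: succeeds if an uncommented
# EXTERNAL_OPEN_PORTS+="..." line in CONF_TEXT lists PORT as a whole word
# (so " 2222 " does not count as port 22).
firewall_opens_port() {
    printf '%s\n' "$1" \
      | sed -n 's/^EXTERNAL_OPEN_PORTS+="\(.*\)"[[:space:]]*$/\1/p' \
      | tr ' ' '\n' | grep -qx "$2"
}

# Constructed samples mirroring the page's Whonix-Gateway stanza and the
# Whonix-Workstation firewall line.
GATEWAY_TORRC='HiddenServiceDir /var/lib/tor/gateway_ssh_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceVersion 3'
WORKSTATION_FIREWALL='EXTERNAL_OPEN_PORTS+=" 22 "'

if check_hs_stanza "$GATEWAY_TORRC" /var/lib/tor/gateway_ssh_service 127.0.0.1:22 \
   && firewall_opens_port "$WORKSTATION_FIREWALL" 22; then
    echo "torrc stanza and firewall line look correct"
fi
```

To check a live system, feed the script the real file contents, e.g. `check_hs_stanza "$(sudo cat /usr/local/etc/torrc.d/50_user.conf)" /var/lib/tor/gateway_ssh_service 127.0.0.1:22`.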
Graphical
Introduction
It is possible to install a VNC server on Whonix-Gateway ™, Whonix-Workstation ™, or both, and make it accessible through an anonymous onion service.
x2go
Installation
1. Set up SSH first as per above chapters.
This is because x2go uses SSH. x2go might be incompatible with SSH hardening: it has been reported that x2go is incompatible with password-protected SSH keys, but this was not investigated further or reported upstream.
2. Update the package lists and install necessary software.
Run these steps on either Whonix-Gateway ™ or Whonix-Workstation ™, depending on where incoming x2go connections should be accepted.
sudo apt-get update
Install the x2goserver package.
sudo apt-get install --no-install-recommends x2goserver
Usage
In a Whonix-Workstation ™ (remote-support-provider VM). [2]
1) Install x2goclient.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the x2goclient package.
Using the apt-get command line parameter --no-install-recommends is in most cases optional.
sudo apt-get install --no-install-recommends x2goclient
The procedure of installing x2goclient is complete.
2) Start x2goclient.
As user, run x2goclient.
- host: the onion v3 domain
- login: the user name, such as user
- password: the user login password, such as changeme
- session type: connect to local desktop
- media -> disable client side printing support
- media -> disable sound support
Settings for better performance (feel free to experiment with these settings):
- connection -> connection speed -> WAN
- connection -> image quality -> 0
- connection -> method -> 8-jpeg
Click OK.
Click on the newly set up connection, then OK.
Alternatively, the session type terminal could be used.
Test Results
Using Non-Qubes-Whonix. All times were measured with an external stopwatch and carry about +/- 2 seconds of human-caused inaccuracy.
- keypress delay: 2 seconds
- maximize xfce4-terminal-emulator window: 1.5 seconds
- cd /etc && ls -la: 2 seconds
- clock in systray (shows seconds) update: every 1 or 2 seconds
- start thunar: 5 seconds
Using Qubes / Qubes-Whonix is a lot slower, has additional challenges and is still under development, see Dev/Qubes_Remote_Support.
See Also
Help Wanted
Please contribute by helping to create full working instructions in Whonix! See: add user documentation for Remote Administration, Keystroke Fingerprinting, Stylometry [archive].
Future Research
- Comparing VNC, NX (x2go) and SPICE: VNC sends the least amount of data. NX has stable performance regardless of bandwidth conditions; however, one disadvantage I came across was that it is heavily tied to X11 and therefore not future proof. https://bbs.archlinux.org/viewtopic.php?id=225765 [archive]
- http://www.diva-portal.org/smash/get/diva2:530960/FULLTEXT01.pdf [archive]
- VNC performance depends heavily on implementation details. TigerVNC is better than RealVNC, but Remmina is commented to be better than TigerVNC. "A 2010 reviewer found the TigerVNC product 'much faster than Vinagre <https://en.wikipedia.org/wiki/Vinagre [archive]>, but not quite as responsive as Remmina <https://en.wikipedia.org/wiki/Remmina [archive]>'" https://en.wikipedia.org/wiki/TigerVNC [archive]
- TigerVNC can be further optimized for constrained environments by ratcheting up the compression and lowering the JPEG quality. NB: TurboVNC isn't in Debian and it seems geared towards 3D usage. https://turbovnc.org/About/TigerVNC [archive]
Footnotes
- ↑ https://trac.torproject.org/projects/tor/ticket/7830 [archive]
- ↑ Or any other system with transparent torification. It cannot easily be made to work using the socksifier torsocks.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.