Jump to: navigation, search

VMware

Status of Support for Running Whonix in VMware[edit]

Current state[edit]

  • Rarely (officially) tested
  • It works, but highly experimental
  • VMware is closed source, therefore security through obscurity[1].
  • Recommended against
  • Recommended to use a supported platform

Goal[edit]

Whonix needs a contributor, maintainer, to support Whonix in VMware!

What does "maintainer" mean in this context?

Important:


Ideal:

  • Someone who creates, signs, uploads .ova images for VMware.
  • Future development.
  • Describes best security practices

Unofficial Supported VMware Products[edit]

VMware Workstation was tested. It's currently in a it works state, but rarely tested.

VMware ESX(i) (up to version 6.0) is tested and it works.

VMware Server or other products are untested, but most likely also in a it works state.

VMware Player is tested by an anonymous user in the old forum [2] and works as well. This is unconfirmed. Setting up the internal network can sometimes be tricky, this article contains instructions how to setup.

About VMware[edit]

Maybe I am spoiled by Free Software (see [3] for definition). VMware is not very open, but in my opinion openness is important for security. I haven't found out how to submit a bug report. It looks like only buying customers may submit bug reports and there is only community support for products that are free in price. There is also no list with open bugs. Without a list of known bugs, I am unable to determine if VMware is suitable for Whonix, i.e. does not compromise the user's anonymity. Since bug reports remained entirely unanswered, it's also demotivating to investigate, contribute and submit further report bugs.


HowTo[edit]

Do not forget to read the Documentation.

VMware Workstation[edit]

Newer third party video:
How to Install Whonix 13 for Anonymous Web Browsing + Review on VMware Workstation [HD]

Existing instructions:

Importing the appliances:

  • You can either import the Download version or manually build from source.
  • Import Whonix-Gateway.ova and Whonix-Workstation.ova.
  • Due to a VMware upstream bug, you may have to press retry when importing the .ova images (to relax the importing requirements).


Setting up the network:

  • Connect the virtual network adapter to custom. This is important! No host-only, no NAT, no bridging! I used VMnet9 virtual network, as it wasn't used by anything else.
  • Adjust the adapters with the following settings:
    • Whonix-Gateway set network adapter 2 to custom, /dev/vmnet8 (or on Windows probably: vmnet9).
    • Whonix-Workstation set network adapter 1 to custom, /dev/vmnet8 (or on Windows probably: vmnet9).
  • Note: if vmnetX, such as for example vmnet8 is already used by the NAT adapter, do not re-use it for the custom adapter. In that case, use something else, such as vmnet9.


Tweaks:

  • Due to a VMware upstream bug, VM time is not set to UTC. Set VM time to UTC, otherwise Tor might not be able to connect.

VMware ESX(i)[edit]

Importing the .ova templates will simply not work. ESX(i) will not recognize the hardware family. However, there is a workaround - extracting .ova and editing .ovf. An example can be found here[4]. Another way is to use extracted .vmdk (VM virtual disk).

Importing the appliances:

  • Create two virtual machines in ESX(i) with default settings, do not create a virtual disk for them.
  • Import both ova templates in VirtualBox, yes, VirtualBox.
  • Once they are imported, grab the .vmdk disk files from their physical location on your disk (VirtualBox has extracted them from the .ova)
  • Upload both disk files to the datastore that you are using in ESX(i)
  • Attach the disk files to the appropriate virtual machines.


Set the networking:

  • Make sure the Whonix-Gateway has two network adapters configured as a virtual machine, the Whonix-Workstation only one.
  • Attach the first Whonix-Gateway network adapter to your outside network vSwitch (this can be WAN, LAN, DMZ, ...)
  • Attach the second Whonix-Gateway network adapter to an isolated vSwitch. Preferably create a new vSwitch, which will be used only by Whonix-Gateway and Whonix-Workstation. Attach no physical NICs to this vSwitch! Make sure you create a new vSwitch, not simply a new portgroup. Promiscuous mode within a vSwitch might screw you over.
  • Attach the Whonix-Workstation network adapter to the isolated vSwitch from previous step.


Once the machines boot, everything should come online nicely. Double check the vSwitch logic in your setup!

Harden VMware products[edit]

See also Security Guide and Advanced_Security_Guide.

General[edit]

  • Remove printer
  • Disable 3D acceleration
  • Remove CD/DVD drive
  • Remove Floppy drive
  • Remove USB controller (at least disable automatically connect new devices)
  • Remove sound card
  • Do not install VMware Tools or open-vm-tools (comfort vs. security). VMware Tools leak information towards the Host OS or Hypervisor.


Additional Security[edit]

One might wish to access the Whonix-Workstation through SSH. Therefore you could add a second network adapter with Host-Only Networking. Beware about this adapter! This can cause information leakage!

If you install the proper routing or proxy software on your host computer, you can establish
a connection between the host virtual Ethernet adapter and a physical network adapter on the
host computer. This allows you, for example, to connect the virtual machine to a Token Ring
or other non-Ethernet network.

On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only
networking in combination with the Internet connection sharing feature in Windows to allow a
virtual machine to use the host's dial-up networking adapter or other connection to the
Internet. See your Windows documentation for details on configuring Internet connection
sharing.

VMware upstream bug reports[edit]

Troubleshooting[edit]

(Windows 8 specific forum help thread:
No Tor/Internet connection with Windows 8 on VMware - Whonix Gateway.)

(Black screen forum help thread:
Special:AWCforum/st/id268/Gateway_7_issue_on_Vmware_workst....html)

Footnotes[edit]

  1. https://en.wikipedia.org/wiki/Security_through_obscurity
  2. https://sourceforge.net/p/whonix/discussion/general/thread/84452a10/?limit=25&page=1#8f27
  3. https://en.wikipedia.org/wiki/Free_software
  4. https://github.com/DartNecrON/WhonixESXi

Random News:

Want to make Whonix more safe and usable? We're looking for helping hands. Check out Open Issues and development forum.


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.