Difference between revisions of "Whonix"

From RCS Wiki
(Add virtual network installation instructions)
(Clarify that instructions are for Whonix 15)
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM.
+
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM.  These instructions were tested with Whonix 15.
  
 
== Both Whonix-Gateway and Whonix-Workstation ==
 
== Both Whonix-Gateway and Whonix-Workstation ==
  
Download Whonix-Gateway from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix clearnet link]).
+
Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).
  
 
Extract it:
 
Extract it:
  
  tar -xvf Whonix-Gateway*.libvirt.xz
+
  tar -xvf Whonix*.libvirt.xz
  
 
Install the Whonix virtual networks:
 
Install the Whonix virtual networks:
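Review bot: Between the download step and <code>tar -xvf Whonix*.libvirt.xz</code> nothing verifies the archive, and the step right after it installs virtual networks from the extracted files. Add a step that checks the archive's signature before extracting. The widened glob also matches every Whonix archive in the working directory, so say that the command should be run in a directory that holds only the fresh download.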
Line 18: Line 18:
 
  virsh -c qemu:///system net-start internal
 
  virsh -c qemu:///system net-start internal
  
Then, create two Debian Stretch ppc64el VM's, launch a root shell in each, and follow the below instructions for each VM.
+
Then, create two Debian Buster ppc64el VM's, launch a root shell in each, and follow the below instructions for each VM.
 
 
Install <code>dirmngr</code> (this is required in order to import the Whonix signing key):
 
 
 
apt-get install dirmngr
 
  
 
Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
 
Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
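Review bot: The removed <code>apt-get install dirmngr</code> step was described as required in order to import the Whonix signing key, and the import step is still present right after it. Either keep the step or state that the Debian Buster base install already provides <code>dirmngr</code>, so a reader on a minimal image does not hit a failed key import.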
Line 30: Line 26:
 
Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
 
Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
  
  <nowiki>echo "deb http://deb.whonix.org stretch main" | tee /etc/apt/sources.list.d/whonix.list</nowiki>
+
  <nowiki>echo "deb http://deb.whonix.org buster main" | tee /etc/apt/sources.list.d/whonix.list</nowiki>
  
 
== Whonix-Gateway ==
 
== Whonix-Gateway ==
  
Unfortunately, Whonix's <code>tor</code> package, which is a required dependency of Whonix-Gateway, is not available for ppc64el.  Debian's <code>stretch-backports</code> repo does have a <code>tor</code> package that works, we just need to edit its metadata to make the package manager happy.  First, we download the <code>tor</code> package and extract it:
+
Run the following:
  
  <nowiki>echo "deb http://http.debian.net/debian stretch-backports main" | tee /etc/apt/sources.list.d/stretch-backports.list
+
  apt-get update
apt-get update
 
apt-get download -t stretch-backports tor
 
mkdir tor_extracted
 
dpkg-deb -R ./tor_*.deb ./tor_extracted</nowiki>
 
  
Then, run the following command.  It will fail with a dependency error, note the minimum <code>tor</code> version that it wants.
+
Then, run one of the following, depending on whether you want the Whonix-Gateway to use KDE, XFCE, or CLI-only:
  
  sudo apt-get install non-qubes-whonix-gateway-kde whonix-gateway-shared-packages-shared-meta whonix-gateway-packages-recommended-cli tor-geoipdb
+
  apt-get install non-qubes-whonix-gateway-kde
  
Then, edit the metadata file:
+
apt-get install non-qubes-whonix-gateway-xfce
  
  nano tor_extracted/DEBIAN/control
+
  apt-get install non-qubes-whonix-gateway-cli
  
And replace the Version field with the minimum version you noted earlier.  Then exit <code>nano</code>.
+
If you get prompted with questions during package installation, you can choose the defaults.
  
Rebuild the package and install it:
+
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
  mkdir tor_rebuilt
+
  rm /etc/apt/sources.list
dpkg-deb -b tor_extracted tor_rebuilt
 
apt-get install ./tor_rebuilt/tor*.deb
 
 
 
Now we can install the Whonix packages:
 
 
 
apt-get install non-qubes-whonix-gateway-kde
 
  
 
Shut off the VM.
 
Shut off the VM.
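Review bot: The new <code>rm /etc/apt/sources.list</code> step deletes the only Debian repository definition on the assumption that the Whonix packages have written <code>/etc/apt/sources.list.d/debian.list</code>. Ask the reader to confirm that file exists and contains <code>deb</code> entries first, and to move the old file aside rather than delete it, so a failed or partial package install does not leave the VM without security updates.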
Line 69: Line 55:
  
 
Launch the VM again; Whonix-Gateway should be running.
 
Launch the VM again; Whonix-Gateway should be running.
 +
 +
If you get errors about the Tor service failing to start, this is probably a bug in Whonix's AppArmor configuration; you can fix it by editing the file <code>/etc/apparmor.d/tunables/home.d/live-mode</code> and commenting out the line <code>@{HOMEDIRS}+=/rw/home/</code> (i.e. prefix it with a <code>#</code> character, so it will look like <code>#@{HOMEDIRS}+=/rw/home/</code>).  Restart the VM again and Tor should work.
  
 
== Whonix-Workstation ==
 
== Whonix-Workstation ==
  
This one's a lot easier, since Whonix's <code>tor</code> package version isn't a requirement.
+
Run the following:
 +
 
 +
apt-get update
 +
 
 +
Then, run one of the following, depending on whether you want the Whonix-Gateway to use KDE, XFCE, or CLI-only:
 +
 
 +
apt-get install non-qubes-whonix-workstation-kde
 +
 
 +
apt-get install non-qubes-whonix-workstation-xfce
 +
 
 +
apt-get install non-qubes-whonix-workstation-cli
 +
 
 +
If you get prompted with questions during package installation, you can choose the defaults.
  
Install the Whonix packages:
+
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
  sudo apt-get update
+
  rm /etc/apt/sources.list
sudo apt-get install non-qubes-whonix-workstation-kde
 
  
 
Shut off the VM.
 
Shut off the VM.
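Review bot: In the new Whonix-Workstation text, the sentence introducing the three <code>non-qubes-whonix-workstation-*</code> packages still says "depending on whether you want the Whonix-Gateway to use KDE, XFCE, or CLI-only". It was copied from the Gateway section and should name Whonix-Workstation. The same hunk adds the AppArmor workaround; a one-line note on how to confirm the Tor service is running after the edit would help.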
Line 84: Line 83:
  
 
Launch the VM again; Whonix-Workstation should be running.
 
Launch the VM again; Whonix-Workstation should be running.
 +
 +
== Known Issues ==
 +
 +
=== Checking for virtualization ===
 +
 +
<code>whonixcheck</code> in both VM's reports this error:
 +
 +
<nowiki>[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)
 +
 +
Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
 +
It may already work, but is highly experimental.
 +
 +
 +
 +
This might endanger your anonymity. Do not proceed unless you know what you are doing.
 +
 +
If you wish to ignore this warning and to continue whonixcheck anyway, you can set
 +
    WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
 +
in /etc/whonix.d/30_whonixcheck_default.conf.
 +
 +
Recommended action:
 +
- Shut down.
 +
- Read Whonix documentation [4].
 +
- Use Whonix with a supported virtualizer or Physical Isolation [5].
 +
 +
Footnotes:
 +
 +
[1] https://www.whonix.org/wiki/LeakTests
 +
[2] https://www.whonix.org/wiki/Test
 +
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
 +
[4] https://www.whonix.org/wiki/Documentation
 +
[5] https://www.whonix.org/wiki/Physical_Isolation</nowiki>
 +
 +
It is not clear why this error shows up, or whether anything bad will happen if it's ignored.  The only mention of this error that I can find in upstream documentation is [http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/error-virtualizer-unsupported-by-whonix-developers/4471 this forum thread], which doesn't have any solution.
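Review bot: The closing paragraph of the new Known Issues section gives no guidance on the <code>WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"</code> override that the quoted output advertises. The quoted message shows the detection step itself failing with "Permission denied" instead of naming a virtualizer, so say explicitly whether this page recommends setting the override while the cause is unknown, and record which user ran <code>whonixcheck</code> so the error can be reproduced.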

Revision as of 06:26, 18 May 2019

Whonix (clearnet link) can be installed on the Talos using KVM. These instructions were tested with Whonix 15.

Both Whonix-Gateway and Whonix-Workstation

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

virsh -c qemu:///system net-define Whonix_external*.xml
virsh -c qemu:///system net-define Whonix_internal*.xml
virsh -c qemu:///system net-autostart external
virsh -c qemu:///system net-start external
virsh -c qemu:///system net-autostart internal
virsh -c qemu:///system net-start internal

Then, create two Debian Buster ppc64el VMs, launch a root shell in each, and follow the instructions below in each VM.

Import the Whonix signing key (source):

apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

Add the Whonix package repository (source):

echo "deb http://deb.whonix.org buster main" | tee /etc/apt/sources.list.d/whonix.list
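After the key import above, it is worth confirming that the dedicated keyring holds exactly the key that was asked for before running `apt-get update`. The following is an added example, not part of the original page or of Whonix's tooling; the function names and the sample listing are assumptions made for the illustration, and only the fingerprint is taken from the page.

```sh
#!/bin/sh
# Added example: check that a keyring holds exactly one primary key and that
# it is the one named in the apt-key command on this page.
WHONIX_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# keyring_is_pinned EXPECTED
# Reads a `gpg --with-colons` key listing on stdin. In that format the fpr
# record directly after a pub record carries the primary key's fingerprint
# (field 10); fpr records after sub records belong to subkeys and are ignored.
keyring_is_pinned() {
    awk -F: -v expected="$1" '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { n++; if ($10 != expected) bad = 1; want = 0 }
        END { exit !(n == 1 && !bad) }
    '
}

# check_keyring_file PATH: run the check against a keyring file on disk.
check_keyring_file() {
    gpg --no-default-keyring --keyring "$1" --with-colons --list-keys 2>/dev/null |
        keyring_is_pinned "$WHONIX_FPR"
}

# Constructed sample listing: only the fingerprint comes from the page; the
# dates, sizes, subkey and user ID are made up for the example.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:8D66066A2EEACCDA:1400000000:::-:::scESC:
fpr:::::::::916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:
uid:-::::1400000000::::Constructed Example <example@invalid>:
sub:-:4096:1:1111111111111111:1400000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

# Usage on the VM: check_keyring_file /etc/apt/trusted.gpg.d/whonix.gpg
```

A non-zero exit means the keyring is empty, holds more than one primary key, or holds a different key than the one requested.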

Whonix-Gateway

Run the following:

apt-get update

Then, run one of the following, depending on whether you want the Whonix-Gateway to use KDE, XFCE, or CLI-only:

apt-get install non-qubes-whonix-gateway-kde
apt-get install non-qubes-whonix-gateway-xfce
apt-get install non-qubes-whonix-gateway-cli

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the external Network source.

Add a 2nd NIC to the VM, and set it to use the internal Network source.

Launch the VM again; Whonix-Gateway should be running.

If you get errors about the Tor service failing to start, this is probably a bug in Whonix's AppArmor configuration; you can fix it by editing the file /etc/apparmor.d/tunables/home.d/live-mode and commenting out the line @{HOMEDIRS}+=/rw/home/ (i.e. prefix it with a # character, so it will look like #@{HOMEDIRS}+=/rw/home/). Restart the VM again and Tor should work.
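The AppArmor workaround above can be applied as a repeatable, exact-match edit instead of by hand. This is an added example, not from the original page; the function name, return codes and backup location are assumptions, while the file path and the line come from the page.

```sh
#!/bin/sh
# Added example: comment out one exact line in a file, idempotently.
LIVE_MODE_FILE="/etc/apparmor.d/tunables/home.d/live-mode"
LIVE_MODE_LINE='@{HOMEDIRS}+=/rw/home/'

# comment_out_line FILE LINE BACKUP
# Prefixes LINE with '#' only where a whole line equals LINE, so a second
# run changes nothing. BACKUP should live outside the home.d directory,
# since extra files left in that directory may be read as tunables too.
# Returns 0 if the file was changed, 1 if LINE is not present (already
# commented out or never there), 2 on error.
comment_out_line() {
    file=$1 line=$2 backup=$3
    [ -f "$file" ] || return 2
    grep -qxF -- "$line" "$file" || return 1
    tmp=$(mktemp) || return 2
    # ENVIRON avoids awk's escape processing of -v values.
    if TARGET="$line" awk '$0 == ENVIRON["TARGET"] { print "#" $0; next }
                           { print }' "$file" > "$tmp" &&
       cp -p "$file" "$backup" &&
       cat "$tmp" > "$file"      # rewrite in place: keeps owner and mode
    then rc=0
    else rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage on the Gateway VM (as root), followed by the restart the page asks for:
#   comment_out_line "$LIVE_MODE_FILE" "$LIVE_MODE_LINE" /root/live-mode.orig
```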

Whonix-Workstation

Run the following:

apt-get update

Then, run one of the following, depending on whether you want the Whonix-Workstation to use KDE, XFCE, or CLI-only:

apt-get install non-qubes-whonix-workstation-kde
apt-get install non-qubes-whonix-workstation-xfce
apt-get install non-qubes-whonix-workstation-cli

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the internal Network source.

Launch the VM again; Whonix-Workstation should be running.
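The NIC assignments in the two sections above are what keep the Workstation from reaching anything except through the Gateway, so they are worth checking from the host before first boot. This is an added example, not from the original page: it parses `virsh domiflist` output and accepts only the layout the page describes. The function names and sample listings are assumptions; the network names `external` and `internal` are the ones used in the `virsh net-start` commands on this page.

```sh
#!/bin/sh
# Added example: verify a VM's NIC layout from `virsh domiflist` output.

# attachments: print "type:source" for every interface row, sorted and
# joined by spaces. Header and separator lines have fewer than 5 fields
# or start with "Interface", so they are skipped.
attachments() {
    awk 'NF >= 5 && $1 != "Interface" { print $2 ":" $3 }' | sort | paste -sd ' ' -
}

# nic_layout_ok ROLE: succeed only if stdin shows exactly the layout from
# the page. Any extra NIC, or a bridge/direct attachment, fails the check.
nic_layout_ok() {
    have=$(attachments)
    case "$1" in
        gateway)     [ "$have" = "network:external network:internal" ] ;;
        workstation) [ "$have" = "network:internal" ] ;;
        *)           return 2 ;;
    esac
}

# Constructed sample listings (MAC addresses and bridge name are made up).
sample_gateway() {
    cat <<'EOF'
 Interface   Type      Source     Model    MAC
-----------------------------------------------------------
 -           network   external   virtio   52:54:00:00:00:01
 -           network   internal   virtio   52:54:00:00:00:02
EOF
}
sample_workstation() {
    cat <<'EOF'
 Interface   Type      Source     Model    MAC
-----------------------------------------------------------
 -           network   internal   virtio   52:54:00:00:00:03
EOF
}
sample_leaky_workstation() {
    cat <<'EOF'
 Interface   Type      Source     Model    MAC
-----------------------------------------------------------
 -           network   internal   virtio   52:54:00:00:00:03
 -           bridge    br0        virtio   52:54:00:00:00:04
EOF
}

# Usage on the host, with your own domain name in place of DOMAIN:
#   virsh -c qemu:///system domiflist DOMAIN | nic_layout_ok workstation
```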

Known Issues

Checking for virtualization

whonixcheck in both VMs reports this error:

[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)

Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
It may already work, but is highly experimental.



This might endanger your anonymity. Do not proceed unless you know what you are doing.

If you wish to ignore this warning and to continue whonixcheck anyway, you can set
    WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
in /etc/whonix.d/30_whonixcheck_default.conf.

Recommended action:
- Shut down.
- Read Whonix documentation [4].
- Use Whonix with a supported virtualizer or Physical Isolation [5].

Footnotes:

[1] https://www.whonix.org/wiki/LeakTests
[2] https://www.whonix.org/wiki/Test
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
[4] https://www.whonix.org/wiki/Documentation
[5] https://www.whonix.org/wiki/Physical_Isolation

It is not clear why this error shows up, or whether anything bad will happen if it's ignored. The only mention of this error that I can find in upstream documentation is this forum thread, which doesn't have any solution.