Difference between revisions of "Whonix"
JeremyRand (talk | contribs) (Add some Whonix 15 instructions) |
JeremyRand (talk | contribs) (→Whonix-Workstation: KDE is no longer supported by upstream Whonix) |
||
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM. | + | [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM. These instructions were tested with Whonix 15. |
== Both Whonix-Gateway and Whonix-Workstation == | == Both Whonix-Gateway and Whonix-Workstation == | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]). | Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]). | ||
Line 18: | Line 8: | ||
tar -xvf Whonix*.libvirt.xz | tar -xvf Whonix*.libvirt.xz | ||
− | |||
− | |||
Install the Whonix virtual networks: | Install the Whonix virtual networks: | ||
Line 30: | Line 18: | ||
virsh -c qemu:///system net-start internal | virsh -c qemu:///system net-start internal | ||
− | Then, create two Debian | + | Then, create two Debian Buster ppc64el VM's, launch a root shell in each, and follow the below instructions for each VM. |
− | |||
− | |||
− | |||
− | |||
Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]): | Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]): | ||
Line 42: | Line 26: | ||
Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]): | Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]): | ||
− | <nowiki>echo "deb http://deb.whonix.org | + | <nowiki>echo "deb http://deb.whonix.org buster main" | tee /etc/apt/sources.list.d/whonix.list</nowiki> |
== Whonix-Gateway == | == Whonix-Gateway == | ||
− | + | Run the following: | |
− | + | apt-get update | |
− | apt-get update | ||
− | |||
− | |||
− | |||
− | Then, run the following | + | Then, run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only: |
− | apt-get install non-qubes-whonix-gateway- | + | apt-get install non-qubes-whonix-gateway-xfce |
− | + | apt-get install non-qubes-whonix-gateway-cli | |
− | + | If you get prompted with questions during package installation, you can choose the defaults. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos): | The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos): | ||
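Review bot: In the Whonix-Gateway section, the two added install lines (`apt-get install non-qubes-whonix-gateway-xfce` and `apt-get install non-qubes-whonix-gateway-cli`) are introduced as "run one of the following" but sit directly under each other, so a reader who pastes the block installs both variants. Put an explicit "or" between them, or give each its own labelled block, as the blank line between the two Workstation commands further down already hints at.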
Line 85: | Line 53: | ||
Launch the VM again; Whonix-Gateway should be running. | Launch the VM again; Whonix-Gateway should be running. | ||
+ | |||
+ | If you get errors about the Tor service failing to start, this is probably a bug in Whonix's AppArmor configuration; you can fix it by editing the file <code>/etc/apparmor.d/tunables/home.d/live-mode</code> and commenting out the line <code>@{HOMEDIRS}+=/rw/home/</code> (i.e. prefix it with a <code>#</code> character, so it will look like <code>#@{HOMEDIRS}+=/rw/home/</code>). Restart the VM again and Tor should work. | ||
== Whonix-Workstation == | == Whonix-Workstation == | ||
− | + | Run the following: | |
+ | |||
+ | apt-get update | ||
− | + | Then, run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only: | |
− | apt-get | + | apt-get install non-qubes-whonix-workstation-xfce |
− | apt-get install non-qubes-whonix-workstation- | + | |
+ | apt-get install non-qubes-whonix-workstation-cli | ||
+ | |||
+ | If you get prompted with questions during package installation, you can choose the defaults. | ||
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos): | The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos): |
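Review bot: The added AppArmor paragraph calls the Tor start failure "probably a bug in Whonix's AppArmor configuration" without quoting the error text or linking an upstream report, so a reader cannot confirm they are hitting the same problem before editing `/etc/apparmor.d/tunables/home.d/live-mode`. Quote the relevant log line and link the upstream issue if one exists. The paragraph also appears only under Whonix-Gateway, so state whether the Workstation needs the same change.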
Revision as of 01:43, 24 May 2020
Whonix (clearnet link) can be installed on the Talos using KVM. These instructions were tested with Whonix 15.
Both Whonix-Gateway and Whonix-Workstation
Download Whonix from the Whonix KVM download page (clearnet link).
Extract it:
tar -xvf Whonix*.libvirt.xz
Install the Whonix virtual networks:
virsh -c qemu:///system net-define Whonix_external*.xml
virsh -c qemu:///system net-define Whonix_internal*.xml
virsh -c qemu:///system net-autostart external
virsh -c qemu:///system net-start external
virsh -c qemu:///system net-autostart internal
virsh -c qemu:///system net-start internal
Then, create two Debian Buster ppc64el VMs, launch a root shell in each, and follow the instructions below in each VM.
Import the Whonix signing key (source):
apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
Add the Whonix package repository (source):
echo "deb http://deb.whonix.org buster main" | tee /etc/apt/sources.list.d/whonix.list
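Before running apt-get update against the new repository, it is worth confirming that the keyring written by the apt-key step holds the key with the fingerprint above and nothing else. The following is an added example, not part of the original page or of Whonix; the function names and the sample listing are assumptions made for illustration, while the fingerprint and keyring path are the ones given above.

```shell
#!/bin/sh
# Added example (not from the Whonix project): check which primary keys an APT
# keyring holds before trusting the repository that it signs.
EXPECTED_FPR=916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA  # fingerprint given on this page
KEYRING=/etc/apt/trusted.gpg.d/whonix.gpg              # keyring path given on this page

# Print the fingerprint of every primary key in `gpg --with-colons` output read
# from stdin. A "pub" record is followed by the primary key's "fpr" record
# (fingerprint in field 10); fingerprints that follow "sub" records are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if stdin lists exactly one primary key and it equals $1.
only_expected_key() {
    [ "$(primary_fprs)" = "$1" ]
}

# Run the check against the real keyring inside the VM (needs gpg and root).
check_keyring() {
    gpg --no-default-keyring --keyring "$KEYRING" --with-colons --list-keys \
        | only_expected_key "$EXPECTED_FPR"
}

# Constructed sample listing: key IDs, dates and the subkey are made up; only
# the primary fingerprint is the one from the page.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:8D66066A2EEACCDA:1388534400:::-:::scESC:
fpr:::::::::916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:
uid:-::::1388534400::::Constructed sample UID:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1388534400::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

if sample_listing | only_expected_key "$EXPECTED_FPR"; then
    echo "sample listing: only the expected key is present"
fi
```

In each VM, call check_keyring after the apt-key step; a non-zero exit status means the keyring is empty, holds a different key, or holds more than one primary key.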
Whonix-Gateway
Run the following:
apt-get update
Then, run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:
apt-get install non-qubes-whonix-gateway-xfce
apt-get install non-qubes-whonix-gateway-cli
If you get prompted with questions during package installation, you can choose the defaults.
The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):
rm /etc/apt/sources.list
Shut off the VM.
Set the VM's NIC to use the external Network source.
Add a 2nd NIC to the VM, and set it to use the internal Network source.
Launch the VM again; Whonix-Gateway should be running.
If you get errors about the Tor service failing to start, this is probably a bug in Whonix's AppArmor configuration; you can fix it by editing the file /etc/apparmor.d/tunables/home.d/live-mode and commenting out the line @{HOMEDIRS}+=/rw/home/ (i.e. prefix it with a # character, so it will look like #@{HOMEDIRS}+=/rw/home/). Restart the VM again and Tor should work.
Whonix-Workstation
Run the following:
apt-get update
Then, run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:
apt-get install non-qubes-whonix-workstation-xfce
apt-get install non-qubes-whonix-workstation-cli
If you get prompted with questions during package installation, you can choose the defaults.
The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):
rm /etc/apt/sources.list
Shut off the VM.
Set the VM's NIC to use the internal Network source.
Launch the VM again; Whonix-Workstation should be running.
Known Issues
Checking for virtualization
whonixcheck in both VMs reports this error:
[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)
Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3]
It could be made possible, but would require more Whonix contributors.
It may already work, but is highly experimental.
This might endanger your anonymity. Do not proceed unless you know what you are doing.
If you wish to ignore this warning and to continue whonixcheck anyway, you can set
WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
in /etc/whonix.d/30_whonixcheck_default.conf.
Recommended action:
- Shut down.
- Read Whonix documentation [4].
- Use Whonix with a supported virtualizer or Physical Isolation [5].
Footnotes:
[1] https://www.whonix.org/wiki/LeakTests
[2] https://www.whonix.org/wiki/Test
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
[4] https://www.whonix.org/wiki/Documentation
[5] https://www.whonix.org/wiki/Physical_Isolation
It is not clear why this error shows up, or whether anything bad will happen if it's ignored. The only mention of this error that I can find in upstream documentation is this forum thread, which doesn't have any solution.