From RCS Wiki
Revision as of 20:47, 22 September 2018 by JeremyRand (talk | contribs) (Add a Known Issues section)
Jump to navigation Jump to search

Whonix (clearnet link) can be installed on the Talos using KVM.

Both Whonix-Gateway and Whonix-Workstation

Download Whonix-Gateway from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix-Gateway*.libvirt.xz

Install the Whonix virtual networks:

virsh -c qemu:///system net-define Whonix_external*.xml
virsh -c qemu:///system net-define Whonix_internal*.xml
virsh -c qemu:///system net-autostart external
virsh -c qemu:///system net-start external
virsh -c qemu:///system net-autostart internal
virsh -c qemu:///system net-start internal

Then, create two Debian Stretch ppc64el VM's, launch a root shell in each, and follow the below instructions for each VM.

Install dirmngr (this is required in order to import the Whonix signing key):

apt-get install dirmngr

Import the Whonix signing key (source):

apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

Add the Whonix package repository (source):

echo "deb http://deb.whonix.org stretch main" | tee /etc/apt/sources.list.d/whonix.list


Unfortunately, Whonix's tor package, which is a required dependency of Whonix-Gateway, is not available for ppc64el. Debian's stretch-backports repo does have a tor package that works, we just need to edit its metadata to make the package manager happy. First, we download the tor package and extract it:

echo "deb http://http.debian.net/debian stretch-backports main" | tee /etc/apt/sources.list.d/stretch-backports.list
apt-get update
apt-get download -t stretch-backports tor
mkdir tor_extracted
dpkg-deb -R ./tor_*.deb ./tor_extracted

Then, run the following command. It will fail with a dependency error, note the minimum tor version that it wants.

apt-get install non-qubes-whonix-gateway-kde whonix-gateway-shared-packages-shared-meta whonix-gateway-packages-recommended-cli tor-geoipdb

Then, edit the metadata file:

nano tor_extracted/DEBIAN/control

And replace the Version field with the minimum version you noted earlier. Then exit nano.

Rebuild the package and install it:

mkdir tor_rebuilt
dpkg-deb -b tor_extracted tor_rebuilt
apt-get install ./tor_rebuilt/tor*.deb

Now we can install the Whonix packages:

apt-get install non-qubes-whonix-gateway-kde

Shut off the VM.

Set the VM's NIC to use the external Network source.

Add a 2nd NIC to the VM, and set it to use the internal Network source.

Launch the VM again; Whonix-Gateway should be running.


This one's a lot easier, since Whonix's tor package version isn't a requirement.

Install the Whonix packages:

apt-get update
apt-get install non-qubes-whonix-workstation-kde

Shut off the VM.

Set the VM's NIC to use the internal Network source.

Launch the VM again; Whonix-Workstation should be running.

Known Issues

Checking for virtualization

whonixcheck in both VM's reports this error:

[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)

Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
It may already work, but is highly experimental.

This might endanger your anonymity. Do not proceed unless you know what you are doing.

If you wish to ignore this warning and to continue whonixcheck anyway, you can set
in /etc/whonix.d/30_whonixcheck_default.conf.

Recommended action:
- Shut down.
- Read Whonix documentation [4].
- Use Whonix with a supported virtualizer or Physical Isolation [5].


[1] https://www.whonix.org/wiki/LeakTests
[2] https://www.whonix.org/wiki/Test
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
[4] https://www.whonix.org/wiki/Documentation
[5] https://www.whonix.org/wiki/Physical_Isolation

It is not clear why this error shows up, or whether anything bad will happen if it's ignored.