Just try uninstalling your existing Whonix templates (whonix-*) and then reinstall them from the repo packages. You can also refer to this link on the official Whonix site - https://www.whonix.org/wiki/Whonix_Debian_Packages#Meta_Package_Missing_Warning
Not according to public information as far as I am aware at time of writing.
(And no, before you're asking, I don't have any other information either.)
That's incredibly overkill. Such overkill that I'm not actually able to think of a threat model that would need something like this. Ever.
Step 1: Encrypt your entire machine with LUKS or VeraCrypt. Use a password that is long and strong. Think: 30 characters or more at 100+ bits of entropy.
Step 2: Purchase a Mullvad account with cash (use Tor and their .onion site to register).
Step 3: Route all connections on host OS through Tor.
Step 4: Route all connections on Workstation through VPN so that you aren't plagued with Captchas and blocked websites while browsing.
It's that simple. If the site you are viewing gets served for your information, they get a VPN that has only been connected to via Tor. VPN provider knows absolutely nothing about you or your connection. Your ISP only sees that you connect to Tor. There's very little to compromise here in terms of your connection. The more one overcomplicates things, the more room there is for error. There are people doing bad things on bad sites (drugs, etc) using Tails and tails alone.
Nobody might know the answer, as such setups are probably not very popular. Therefore, I suggest:
If you wish to thank me, toss a coin in to the Whonix tip jar.
It doesn't go to me, but it does go to some very deserving folks who are working for all our privacy
Anything is possible. Just needs code.
Current recommendation is "do this manually": https://www.whonix.org/wiki/Pre_Install_Advice#Recommendation_to_use_Whonix_on_External_Media
But why run workstation inside gateway? I mean, perhaps it could be made to work, but then a compromised workstation could control the gateway. I think this gateway inside workstation idea is unrelated to Live USB.
I don't believe there are any official mirrors of Whonix, but if you can find an unofficial mirror that has a better download speed, you can just download the file signatures from the Whonix website and compare them to ensure the integrity and that it isn't modified.
Qubes has Whonix integrations, but it's quite different from a normal operating system. I believe they do have mirrors for Qubes.
Doing something like this would probably be possible however it would be a surefire way to de-anonymize yourself. You'd have two different fingerprints attached to the machine you're running and instead of blending in with everybody else using whonix, or everybody else running tails, you'd match neither of those groups. On the other hand, there's info here about using whonix within qubes which is generally regarded to be more secure than using a virtualbox vm. Tails can also be run within qubes.
I've been running Whonix in virt-manager on my Arch KDE laptop for months without any major issues. If you follow the instructions under the KVM download link here you should be just fine.
What is the best seasoning?
I know weird question, but seriously think about it. Isn't it a question you would have a hard time (or not at all) answering unless you knew what I was preparing? Same goes with security/privacy/anonymity. You have provided nothing for us to base our answers on.
Anyways, what about checking the docs?
That is a VirtualBox issue.
Unrelated to Whonix. No VM would work, Whonix or non-Whonix.
Recommended to resolve as per:
https://www.whonix.org/wiki/Free_Support_Principle
Move the computer mouse pointer to the invalid settings symbol to see a popup showing which setting is invalid. See also:
I can't test from this machine but Whonix is running on Debian, which suggests software installation should be the same as on Debian but the OS uses additional repositories for Whonix-specific packages. You should be able to install synaptic if you want a reliable GUI to add software.
from terminal:
sudo apt install synaptic
Whonix also offers this page as a reference:
"Same as in Debian."
https://www.whonix.org/wiki/About#Based_on_Debian
What I mean, this is a (Debian) Linux beginner question. Nothing special about Whonix in that regard. This allows you to tap into the much richer resource of (Debian) Linux knowledge found online.
Pointer:
You need to know basics of file access rights (any Linux).
Whonix with KDE:
terminal emulator:
sudo your-command
Or become root.
sudo su
kdesudo dolphin
Whonix with XFCE:
kdesudo thunar
At the moment Whonix doesn't integrate with I2P besides having documentation and how to manually combine the two.
https://www.whonix.org/wiki/I2P
You might be interested in this development discussion: I2P integration
This guide should be useful for what you're trying to do.
You could also go to a coffee shop or somewhere with free WiFi and perform the upgrade there.
But of course, you have right about trust. As I said, I tested different things myself, but Whonix is let's say specific. I wanted to know, does exist some "but" with split-tunneling.
Second thing, why I really need not use VPN > Tor, I think is among other things, just a possibility to know how to-do. I have a time to test that option, discuss about choice, and so on. Except that, Tor it's not very enabled VPN will be only worst. I don't trust ISP same as VPN, so does not matter about who can try saw something. And it not was a big effort, because only what I did was:
>If you’ve tested it on other VMs, then you have your answer. You didn’t say if you’re using KVM or VirtualBox or what…
In title I wrote "VB" - this relates to VirtualBox.
>But use the same outbound network setup for the Gateway that you used for the guests you tested successfully, and you’ll be good.
Well, it's very simple. I just type "Mullvad exclude VirtualBox", and that's all. VirtualBox will start automatically with split-tunneling.
>I have to ask though - why don’t you want it routing through VPN?
If my host will be connected to VPN, each of my VMs too. Then Whonix-Gateway will be inherit VPN IP, I don't want this. We can distinguish various types of connections, each have advantages and disadvantages, for example:
Each of them have advantages and disadvantages and should be used carefully. About your question - why User > VPN > Tor > Internet
is bad for me, answer is very simple. That method could be very useful in place, where Tor is illegal, but VPN is legal. In that way, we first connect to VPN, instead of Tor and national ISP don't have a problem. In my country Tor is full legal, so I don't need that combination.
You theoretically can, but it's gonna be very slow. It's also very wasteful for the Tor network and you shouldn't be doing that. A good alternative would be getting a VPN service. I can recommend ProtonVPN.
They both have their place, as long as you use a reputable VPN service (Mullvad for me). Using Whonix or Tor or Tails because you need security from a limiting country without certain freedoms is totally appropriate - but a VPN service is a completely different tool for a completely different set of needs. Mullvad with a hardened browser (like Librewolf, for example) may be used for everyday browsing when you seek a secure experience that may make you more secure. If you seek anonymity and need to access the dark/deep web, then something like Whonix/Tails/Tor is the way to go. They are for completely different types of browsing, and aren’t comparable in the slightest.
No security issue I'm aware of. I usually run with Gateway in CLI mode and the minimal 256MB RAM
https://www.whonix.org/wiki/RAM_Adjusted_Desktop_Starter
>Whonix-Gateway ™ RAM can be reduced to 256 MB and still function.
https://www.whonix.org/wiki/Surfing_Posting_Blogging#Mouse_Fingerprinting
It says this:
The author of the kloak software tool has noted high accuracy device fingerprinting can be performed with DOM event timestamps and this affects both keyboard and mouse events. A potential solution is being tested which involves slight delays of mouse events to throw off phase estimation
15 -> 16 major upgrade was a major change because then the underlying Debian version was upgraded.
16 point release changed background colors.
Otherwise that shouldn't change by itself. Perhaps earlier you didn't pay attention?
I wouldn't worry, because (non-)Indicators of Malware:
https://www.whonix.org/wiki/Malware_and_Firmware_Trojans#Compromise_Indicators
Can you confirm this page works and its not just blank? I'm trying to get an ISO. Downloading from the onion is slow.
https://www.whonix.org/wiki/Download
I just loaded up Tor and it didn't work on there either, but the .onion version of whonix works fine still.
You can download xfce GUI for both Gateway and Workstation. Then just update the Gateway VM settings to have 256MB RAM. It will boot into CLI mode automatically, and continue using GUI for Workstation.
Then when you want to do an update or other admin that might be easier with the GUI, just bump the RAM back up.
New thread won't help. Will get stale as last one. Issue very, very most likely won't be fixed unless you describe what you did, and help.
>i read all troubleshoot info and stuff but to no help
Reading alone has no chance of fixing the issue.
You need to see chapter General Troubleshooting and do it. Then report:
1...
3...
...
8...
Lastly, the General VirtualBox Troubleshooting Steps have also 14 things to try and check.
"Highest level?"
Probably the most secure setup available today is Whonix on Qubes, *if* you are experienced enough with Linux to set it up and configure it
https://www.whonix.org/wiki/Qubes
>the best way is one-use laptop
I would strongly disagree. What OS will the laptop be running? Will it be a hardened OS?
Based on the way you ask the question, I suspect your best option is probably /r/Tails
Just load Tails onto a USB, and boot from the USB. No Linux or virtual machine administration required.
I suggest to research if/how that's possible with Tor + Debian. Without Whonix. Even without Qubes.
As per https://www.whonix.org/wiki/Free_Support_Principle
Once you have found out anything, it might be possible to combine this with Whonix / Qubes.
NetVM implies Qubes. In that case, learn if that is possible at all with Qubes and how to do so without adding Whonix to the mix. As per https://www.whonix.org/wiki/Free_Support_Principle
That's why I posted a direct link to the chapter which applies.
It's not chapter Qubes-Whonix ™ System Requirements.
Then what's left is only chapter Non-Qubes-Whonix System Requirements.
https://www.whonix.org/wiki/Free_Support_Principle applies. This is about any TCP. Not just TCP originating from Whonix. Could be re-phrased with Tor Browser on the host.
Whonix uses whatever networking the virtualizer on the host provides. Nothing special.
Not much related to Whonix.
How well the VPN function with killswitch on the router works, if that leaks or not, that is completely up to the router. Unspecific to Whonix. Any sane VPN firewall implementation should cover it all, TCP, UDP, DNS, IPv4, IPv6...
Windows with all its calling-home functions etc probably is the least suitable OS for staying anonymous. In my opinion, Ubuntu is off the table, too. They have sold user data to Amazon which in turn host server farms for the CIA. Once this went public, Canonical said that they've halted data sharing with Amazon, but some still don't trust them. Apart from that, Ubuntu works very well with Virtualbox and Whonix. I guess what you have experienced was - sorry - a user error.
I'd recommend a light Linux distribution with a small attack surface like Debian or Arch Linux. I don't know Manjaro myself but am sure it's sound advice.
The good people from Whonix are working on "Kicksecure", a hardened version of Debian. The world is on its toes, waiting for a usable production version ...
See this: https://www.whonix.org/wiki/Multiple_Whonix-Workstation
FYI, creating multiple user accounts will NOT make your computer more secure. Doing so instead INCREASES the attack surface, creates more complicated code etc., making the whole system more vulnerable. You are a lot better off using a single user in terms of security.
You should never leave your computer on when you are not using it because you are done for once someone smart enough gets access to your computer while running. The login screen is really just a permission entry and is by no means a security improvement whatsoever.
If you are paranoid, turn off your computer when you are not using it. Use full disk encryption to protect it instead of unnecessary login screens. When someone simply has physical access to your computer, they can only modify the bootloader while it is off. If it is on, they can modify anything.
On forgetting to start gateway -> non-issue. Documented here:
https://www.whonix.org/wiki/Dev/Leak_Tests#Leaks_through_the_host_or_VM
I'm aware of this but as per Whonix Documentation you just referenced (https://www.whonix.org/wiki/Whonix-Host) : " Important warning: Whonix-Host is experimental software and still in early development. It is currently still lacking some core features, such as a working firewall on the Host, and is not yet ready for production, nor intended for end-users. "
Whonix doesn't develop VirtualBox.
This is a complex VirtualBox issue which very most likely won't be resolved in this place.
Wrong place to ask as per https://www.whonix.org/wiki/Free_Support_Principle
Well, since Windows can get what you type this should be a problem, we are not even talking about the huge memory access that the system has, I'm talking about what you type on keyboard. I think you might be a bit safer if you use Whonix virtual keyboard to type private info, such as names, passwords, nicknames, birthdate...
I didn't try this application specially but I updated this chapter just now for a generic answer:
https://www.whonix.org/wiki/Features#Tor_Network_.2F_Torification
>If you followed everything on
>
>https://www.whonix.org/wiki/KVM
>
> including using the qcow2 and .xml files, then I would suggest running another VM first to ensure KVM is setup and running properly. You shouldn't be using an iso, but the qcow2 from that page. With the XML's there really is nothing else to configure on a default install. You may also add more RAM and be more patient on boot up if you can't give it 2GB or more.
I don't understand what you're saying. I downloaded a libvirt file, not qcow2. I don't know how to get a qcow2 file on KVM to work
Plus, there is no tutorial on how to install Whonix on KVM under Debian
>If you followed everything on
>
>https://www.whonix.org/wiki/KVM
>
> including using the qcow2 and .xml files, then I would suggest running another VM first to ensure KVM is setup and running properly. You shouldn't be using an iso, but the qcow2 from that page. With the XML's there really is nothing else to configure on a default install. You may also add more RAM and be more patient on boot up if you can't give it 2GB or more.
I followed your advice. I tried VirtualBox on Debian to install Whonix, it worked very well without problems. But apparently, my PC can't handle both Gateway and Workstation at the same time. I think the cause on my computer is RAM, because my PC has only 4 GB of RAM, so 1 GB for gateway and 2 GB for workstation. That means it's better to have 8 GB (4x2) on the PC to run it better, isn't it?
If you followed everything on https://www.whonix.org/wiki/KVM including using the qcow2 and .xml files, then I would suggest running another VM first to ensure KVM is setup and running properly. You shouldn't be using an iso, but the qcow2 from that page. With the XML's there really is nothing else to configure on a default install. You may also add more RAM and be more patient on boot up if you can't give it 2GB or more.
Likely unspecific to Whonix.
Monero community might have better ideas how to debug this.
Suggest to resolve as per:
To widen your search:
"Forget about Whonix." Rephrase... "I am using Tor Browser and websites are blocking Tor. What can I do?"
See:
https://www.whonix.org/wiki/Tor_Browser#Bypass_Tor_Censorship
Added few more keywords to perhaps make that easier discoverable next time.
https://www.whonix.org/w/index.php?title=Desktop&type=revision&diff=60760&oldid=60757
> I am sure it is disabled by default
It's not.
> Perhaps the dev team is really against the idea?
Not against it.
https://www.whonix.org/wiki/Free_Support_Principle applies. Same as Debian (`buster` at time of writing) with XFCE.
I think you have to disable Tor for the Tor browser, whonix has documentation on this under Configure Tor Browser Settings. See: https://www.whonix.org/wiki/Other_Operating_Systems#Configure_Tor_Browser_Settings
Oh, I think I've just found smth like the solution for this problem... Oh crap, I guess they just invite me to bring over one more crappy PC for this.
And, you know what? Fine, I actually DO have one more crappy PC near me, but now I'm really starting to question myself, as I'm literally taking the project with main idea based around virtualization, but the deeper I'm diving into this, the less virtualization-based it becomes...
At the time of writing, the VMs come pre-configured by default. No changes recommended, required.
See also:
Did you start https://www.whonix.org/wiki/Tor_Browser#Tor_Browser_Downloader_by_Whonix_.E2.84.A2 in that AppVM?
Bad idea, the whonix website says tor over tor could decrease anonymity.
https://www.whonix.org/wiki/DoNot#Allow_Tor_over_Tor_Scenarios
Using paths longer than 3 nodes makes denial of security attacks easier and it acts as an identifier if only a few people do it.
"Normal." It's a GPG usability issue imo. To avoid
gpg --armor --export
That limits output to non-weird characters. Much better.
https://www.whonix.org/wiki/Free_Support_Principle applies. In this case, it's best to connect with GnuPG community.
Need to post exact error message.
Also likely answered by this:
https://www.whonix.org/wiki/Tor_Browser#Tor_Browser_Launch_Errors
If I understand you correctly, you are asking about a safe host operating system for a Whonix installation. Well, the Whonix developers are working on their own hardened Debian called Kicksecure but there is no ISO yet which could be installed barebone. So, currently you'll have to pick the safest bet you can handle.
In case you are familiar with Linux, I'd recommend a fresh Debian installation without desktop and then distro-morph it into a Kicksecure version yourself as described here https://www.whonix.org/wiki/Kicksecure
If this doesn't work for you, then there's still the option of using any easy to handle Linux distribution like e.g. Linux Mint. Install Virtualbox et voilà.
There are even loadable KVM kernel modules for FreeBSD if that's your cup of tea.
Personally, I'd stay away from Windows under all circumstances.
I just posted recently how many props you deserve for the awesome Whonix documentation ... and for making the wiki publicly editable.
Please accept my upvote, my immense respect, and my meager donation :)
Fedora is pretty good for virtualization and passthrough since it's related to RHEL (servers are the most popular use case for virtualization) and because they devote more time to testing the kernel so they can use it immediately.
I would not recommend Arch for virtualization though, it still lists unpatched critical vulnerabilities in Spice and libvirt.
https://security.archlinux.org
Qubes is designed with the highest security in mind and is what a lot of people use for Whonix.
I suggest making something simpler, a USB storage device, work first. When that works, you could try something more advanced. See:
https://www.whonix.org/wiki/File_Transfer#Adding_USB_device_to_VirtualBox
As page https://www.whonix.org/wiki/VirtualBox says:
CLI version is for advanced users.
XFCE is for beginners.
Just try XFCE first. You won't miss any features.
Best sorted out as per https://www.whonix.org/wiki/Free_Support_Principle
There is nothing Whonix specific about this question. Whonix isn't involved when migrating cookies from whatever platform running Firefox to whatever platform running Tor Browser (which is also a Firefox fork).
Should work in theory. But unlikely anyone will spend thought on it since this is such an unusual question.
> But Whonix's site seems to say it would be VPN>VPN>Tor.
Citation required.
> How would one make it VPN>Tor>VPN?
Host VPN + Workstation VM
OR
Gateway VPN + Workstation VM
See also:
Server provider can see everything you are doing. Whonix or not Whonix that is just the usual default.
See also:
Which virtualizer?
Kloak in Qubes is currently unsupported.
Since you posted "sudo kloak -r /dev/input/event0" that is usually Qubes users wanting to try kloak. But in Qubes /dev/input/event0 is not a keyboard. To prove that, I posted output of command "ls -la /dev/input/by-path/platform-pcspkr-event-spkr".
Kloak is installed in Non-Qubes-Whonix ™ Whonix-Workstation ™ 15 by default. It's running by default as a systemd unit.
Testing instructions are here:
https://www.whonix.org/wiki/Keystroke_Deanonymization#Defense_Testing
Though, "Train normal, test normal" is "hard" - as kloak is already running. You need to disable it first or do "Train normal, test normal" (without kloak) in another non-Whonix VM or on the host.
I can see where confusion might come from. Readme mentions sudo kloak something. That is not required in Whonix because kloak was installed by default and is already running as systemd unit file. That part of the readme was written by upstream (original developer) when it was:
Therefore these instructions cannot be used 1 to 1 inside Whonix.
You'd have to stop kloak first by stopping the kloak systemd unit.
sudo systemctl stop kloak
Iso? Sure? At time of writing it's called `Whonix-Host Developers-Only Preview Version 15.0.1.2.7`.
Not VM?
Which CLI commands for what?
Electrum is installed by default in Whonix-Workstation VM.
It's a non-issue.
https://www.whonix.org/wiki/Reporting_Bugs#Sample_Non-issue
Also no longer happening in Whonix 15.0.0.9.4 (and above).
I assume you are talking about the grub boot screen. I've always just chosen the first option. However, I never really paid attention to it. The 2nd and 4th options get you recovery modes. However, the 3rd option is a Live mode. In essence, the OS runs in ram, and any changes are lost when you shut down. This is actually very cool. I used to just use VM snapshots to achieve essentially the same functionality, but this is still useful.
There's not much you can do wrong. Keep the gateway updated and running. If you forget to start the gateway, "not a big deal", "just no connectivity".
> Is there any way of being able to tell if they are functioning together.
Use whonixcheck.
> If I were to clone my sys-whonix on qubes and rename it to let say sys-whonix-home to separate tor usage from home vs public, does that create a new profile in which the tor relay would assign me a new entry node?
No. Tor on Whonix-Gateway does not react based on its own VM name. See also:
New documentation chapter addressing that has been written just now, please have a look:
https://www.whonix.org/wiki/Tor_Browser#Tor_Browser_ended_with_non-zero_.28error.29_exit_code
Whonix has no source code which would enforce VT-x setting. It's a VirtualBox "issue", but also a non-issue because...
Downloadable Whonix images are 64bit. These won't boot without VT-x. Out of luck. Unless perhaps build from source code. See:
Ok so I found these posts, they removed it on purpose.
https://forums.whonix.org/t/where-is-the-circuit-button-in-tor-browser/4667 https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Disabled_Torbutton_Functions
Still can't find anything saying how to check what your circuit is. /u/whonix-os is there any way to view what your circuit is?
If you install the gateway on a laptop, setting up your host to use the gateway shouldn't be a big problem. I haven't looked that deep in the workstations configuration but this could be a hint where to start:
PS: I wanted to do the same but then thought about the benefits of a vBox Workstation. Easy to manage. Easy to delete/reinstall etc. Separated from the host. Harder to fingerprint.
Typing or not wouldn't influence the process. So no user mistake possible there.
Shouldn't take long until it looks like https://www.whonix.org/w/images/d/dc/Cli3.png. Usually just seconds. Less than 10 seconds. (Depends on computer performance and other tasks done on host.) But if it doesn't happen after 1 (very long) to 10 (insanely long) minutes then for sure a bug is happening here.
Multiple workstations with 1 gateway is possible.
You'll need to follow instructions (in case of Non-Qubes-Whonix - needed to change IP of second workstation).
https://www.whonix.org/wiki/Multiple_Whonix-Workstations
> Also as a side question, I usually don't bother logging in on the gateway--is there any privacy risk associated here?
No.
Does something not work as expected or is this just a message you are wondering about?
If it's just an unexplained message, then https://www.whonix.org/wiki/FAQ#Non-Responsiveness_to_Concerns applies.
> Is hardware acceleration disabled for security reasons?
Yes. Not enabled by default in VirtualBox settings. See VirtualBox manual for security discussion.
There are no restrictions in Whonix source code hindering from using hardware acceleration. If you figure out how to enable it on Debian, the same would apply to Whonix as per https://www.whonix.org/wiki/Free_Support_Principle.
Did you perform a web search with the terms "electrum whonix"?
There's a whole page on that subject.
Whonix is experimental and the Devs say use with care but with that out of the way...
The answer to your question depends on your attacker and the NIT. If it's a widely deployed NIT designed to capture IP and MAC address info then Whonix should protect against that. It's designed to prevent information leaking.
If however your attacker knows you are running Whonix and has sufficient resources they may be able to exploit an unknown weakness in the hypervisor to break out of the virtual box. That's a rather complex scenario though.
Check out this link which references an old NIT as point 2 under TBB - https://www.whonix.org/wiki/Security_in_Real_World
You sure it's stuck and not just taking ages?
This is barely related to Whonix as per https://www.whonix.org/wiki/Free_Support_Principle. More a question for your Linux distribution on how to install VirtualBox.
Well, he is correct: it's a complete waste of time using the installer. I don't see how an entire subreddit could be put off by a factual statement. And I'm not sure how you're unaware of this tool, because you can even see the installer under the downloads for Linux section.
As a new user to whonix I'm put off by installers that suck. I think /u/suddenlypenguins had a valid post.
Well, apparently you use sdwgui-date on the AppVMs when you run them: https://www.whonix.org/wiki/Post_Install_Advice#Network_Time_Syncing https://www.whonix.org/wiki/Advanced_Security_Guide#Network_Time_Synchronization
I can't browse to whonix.org. I clicked on the WhonixForum icon on my desktop. Got a pretty surprise when the page didn't load and thought that Tor had stopped working. So was not the case though
Monero can be a bit confusing if that is your very first Linux application since it's only a console client (CLI).
I am not sure they have released a graphical user interface (GUI) yet.
Did you see https://www.whonix.org/wiki/Monero?
A snapshot of a VM being shut down should be okay. Otherwise if it was still trackable, then this would be a bug in Tor Browser.
Restoring a snapshot of a running VM is not great due to the clock lagging behind.
https://www.whonix.org/wiki/Post_Install_Advice#Network_Time_Syncing
In short: nothing to do.
Long:
It is a virtual console that you can see for a few seconds before X / the login manager is starting. That happens with many Linux distributions such as Debian.
Perhaps you have figured it out by this point, but you can also verify the gateway and workstation with gpg4win via the command line. I followed these steps with success: https://www.whonix.org/wiki/Verify_the_virtual_machine_images_using_the_command_line
Note: It does take quite a few minutes (~10-15 minutes, maybe a little longer) to verify each (for me at the least).
Yes, but only the Whonix gateway or the Whonix workstation. If you want to run them natively you need 2 PCs. That's called physical isolation: https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation
>Does anyone have a quick overview of Whonix?
https://www.whonix.org/wiki/About
>The web site pretty much dives straight into threats and how they mitigate them. But I am still not clear on the architecture.
Debian GNU/Linux
>So the Gateway is basically a VM running virtual router with TOR on the WAN side, right?
The Gateway is a Tor Proxy running in a VM.
>Most normal router functions are stripped out to keep it from being exploited. But where is the router? Is it an App or did they build it into the network drivers?
No.
>Questions: How does the LAN between the Gateway and the Workstation work?
Well.
>Is only the Whonix Workstation routed through the Gateway? I.E. other VMs and host traffic is not inside the TOR tunnel?
Depends on what you point at the VM. It does not care what connects to it, whether it be Whonix Workstation, or some other VM. It will transparently torify anything that has not been configured to access its socksport.
>BTW, if the Gateway is acting as a TOR router, and the Workstation can only send network traffic via an encrypted LAN to the Gateway. Why do you have to use the TOR browser on the Workstation? Shouldn't all of it's traffic be anonymized by TOR and encrypted by HTTPS from a regular browser or other app.
Tor browser is basically a hardened Firefox with anonymity settings baked in. Tor browser doesn't use its built-in Tor in Whonix-Workstation, it is redirected to the Whonix-Gateway.
>Also, how do I validate that Whonix is working? (onion routing, encrypting, not leave any cleartext traces on the host.)
Can you access hidden services? Can you find any traces on the host?
Sorry for all the noob questions. I am trying to figure out which TOR O/S I should use. I'm not a linux power user so if Whonix requires much in the way of technical competence/diligence I might be better off with Tails.
I think what you are looking for would be Qubes OS. You can specify the connection each individual "Qube (VM)" uses. You would route the connection from the Whonix-Qubes over Tor while another Qube you use for browsing or whatever you are doing could have its connection routed through the VPN. Hope this helps.
These are the base system requirements for Qubes 4.x according to the developers:
- 64-bit Intel or AMD processor (x86_64 aka x64 aka AMD64)
- Intel VT-x with EPT or AMD-V with RVI
- Intel VT-d or AMD-Vi
- 4 GB RAM
- 32 GB disk space
And these are the HP Stream 11 stats:
- Processor series: Intel Atom x5 E8000
- Intel 64: Yes
- Processor frequency: 1.6 GHz
- Hard drive: 64 GB eMMC
- Internal memory: 4 GB DDR3L-1600 SDRAM
- Intel Virtualization Technology (VT-x): Y
Seems fine to me.
Installing Qubes with whonix to a USB drive works perfectly fine, if a bit slow. There are instructions for that on the website, and I don't see any recommendation against it besides a warning that it's slower than using an internal drive.
It's not the same as a live USB though because it's not intended to be portable. It's a regular install, and it's about as portable as if you yanked your internal drive and put it in other hardware (so not very).
Well, /u/Cold-Code has given you the best answer, I think.
Something to consider though:
Try to determine whether your definition of "anonymous" means "more private". Attempting to come close to true anonymity is insanely intense.
Like, who do you wish to be tracked less by? Your ISP? Google? Government intelligence? You will exhaust yourself if you prepare for an adversary you'll never have to defend against.
Only slightly on-topic, but I find it hilarious and ballsy that a VPN company wrote this blog post, but....it's spot on. Have a read.
Layers of encryption are paramount.
https://github.com/lfit/itpol/blob/master/linux-workstation-security.md
Those two are a good start. Think about how information from your computer accesses the net. Start by locking down the internals (spoofing mac addys etc) then move on to attack vectors (ex browsers).
Move on to your router. Configure it with OpenWRT to only route through VPN.
Research all the attack vectors and start plugging the holes. Security by isolation is a great way to go about it. This is where your Whonix/QubesOS comes in.
Lastly, remember that human error is the biggest security risk. Develop persona management and NEVER allow your anonymous persona to contaminate your regular user self. Conduct yourself accordingly. Learn a thing or two about Social Engineering. Always be vigilant.
You've got a lot of work ahead of you.
Remember to do your own research before reaching out for help on irc.
Good luck!
This is a good VPN chart that lists many of the differences. The reason I prefer Mullvad over the rest is the location, price, ability to pay anonymously, record, wireguard/openvpn, and especially the location. You must check where the VPN provider is because many countries will subject them to draconian privacy laws. Switzerland passed surveillance laws in 2015 known as BÜPF & NDG. The USA doesn't even have data retention laws. Switzerland has them on all forms of communication for 12 months. Guess where proton mail is?
Tutanota is a good alternative.
In general combining a VPN & TOR is not recommended. It actually weakens your TOR anonymity. If you're worried about leaks you can check the Whonix website I believe. If you did want to combine TOR & VPN you would want to do it routing the network over separate VMs on a Qubes or Arch build. If you're already using a VPN, you can usually check on the VPN website to see if IP/DNS are being leaked. The idea is that your TOR traffic is encrypted, your VPN never knows your actual identity because it never gets your personal IP address, or your payment info (pay crypto/Mullvad), and your ISP never knows you're using TOR because it's all being sent over a VPN.
VPN ? Proxy ? I’m sorry I’m not of a great help as a noob myself, but I’m willing to search. Yesterday my VPN (Mullvad) was preventing all connections. It works fine on the host but I can’t find a way to run it in whonix (workstation or gateway) through a Tor connection.
Mullvad offers a SOCKS5 proxy at 10.8.0.1 on TCP 1080. It can get you through most captchas and all exit node bans from within a whonix workstation if you have few other options or little time.