Introduction

Whonix-Gateway ™ supports torification of any operating system, including Microsoft Windows and others.

Using a default workstation is easier and provides more security out of the box. It is your responsibility to obtain the same security features for a Whonix-Custom-Workstation ™; see Security Comparison: Whonix ™-Download-Workstation vs. Whonix-Custom-Workstation ™ at the bottom of the page for details.

Also note that it is strongly discouraged to anonymize VMs that have ever connected to the clearnet. Such a VM may already have leaked an identifier or created a network fingerprint that remains recognizable even when it is run behind Tor; using it would unmask your traffic.

Introduction

Microsoft Windows XP, Vista, 7, 8 and 10 are known to work behind Whonix-Gateway ™. While this is possible, it is not recommended and is only for advanced users, because there are issues with Windows itself. These are not Whonix ™ issues, and Whonix ™ developers cannot fix them: Windows is closed source, and it is affected by Transparent Proxy Leaks [archive] and other issues. For more information, and depending on your security requirements, read the following chapters.

Easy

This is the easiest, but least secure option (see More security below).

For Qubes-Whonix ™:

1. Create a new VM.

2. Set sys-whonix as your VM's NetVM: Qube Manager → right-click vm-name → NetVM → sys-whonix → OK [1]

For Non-Qubes-Whonix ™:

Download and Use the Default Whonix-Gateway ™

Download and import the Whonix-Gateway ™ using the same procedure as for the Whonix ™-Default / Download-Version. No other Whonix-Gateway ™ changes are required in this case.

Set up a Whonix-Custom-Workstation ™

There are currently two ways to set up a Whonix-Custom-Workstation ™. Either:

Manually create a VirtualBox VM (established, old method).

Download and import a Whonix-Custom-Workstation ™ (stable method).

To manually create a VirtualBox VM (established, old method):

1. Create a VirtualBox VM. Follow these steps in order:

VirtualBox → Machine → New → Next → Enter Name (for example, myVM) → Enter Operating System and Version → Next → Define RAM → Next → Create a new HDD (or not) → Next → Disk format doesn't matter (VDI works well) → Next → Set dynamically or fixed size preference → Next → Set HDD size and location preference → Next → Create

2. Switch VirtualBox VM Settings. Follow these steps in order:

Choose the newly created VM (for example, myVM) → Settings → System → Motherboard → Hardware Clock in UTC

System → Motherboard → Pointing Device → PS/2 Mouse (required to disable the USB controller)

System → Processor → Enable PAE/NX (if available)

Network → Adapter 1 → Attached to Internal Network (important!)

Network → Adapter 1 → Name (of Internal Network) (important!): Whonix [2]

USB → Uncheck Enable USB controller

→ OK

To download and import a Whonix-Custom-Workstation ™ template (stable method):

This method's advantage is that there is no need to manually create a new VM. The process is greatly simplified; the Whonix-Custom-Workstation ™ only needs to be downloaded and imported. This approach has several benefits: it is easier, all security settings are already applied to the VM, and users don't have to remember and apply the necessary settings.

The latest Whonix-Custom-Workstation ™ version is: 15.0.1.3.4. Although the version number for Whonix-Gateway ™ and Whonix ™-Default / Download-Version might be far higher than the Whonix-Custom-Workstation ™ version, this is normal. [3]

1. Download the Whonix-Custom-Workstation ™. Download the following image. (Download)

2. Download the OpenPGP Signature. Download the corresponding OpenPGP signature. (Download)

3. Verify the Whonix Image. Follow these steps to verify the Whonix image.

4. Import and Rename the Virtual Machine. After importing the image, rename the virtual machine to something else. [4] VirtualBox → Right-click on VM → Settings → Name (for example: myVM)

If this method was used, please report how well it worked in the Whonix forum.

Start VM and Install Operating System

Start the newly created VM (for example: myVM). Insert the installation DVD. Updates do not have to be installed while installing the OS; post-install, apply updates after the network has been set up. The username is: user. The computer name is: host.

Configure network.

For Windows 7 (similar in Windows XP): In Control Panel → Network and Sharing Center, click on "Change adapter settings". Right-click on Local Area Connection → Properties. In the properties window, double-click Internet Protocol Version 4 and use the following settings (increment the last octet of the IP address on additional workstations):

IP address: 10.152.152.50
Subnet mask: 255.255.192.0
Default gateway: 10.152.152.10
Preferred DNS server: 10.152.152.10

Download operating system updates.

Tor Browser Settings

Warning: Untested and unfinished. Please contribute by testing and finishing these instructions.

Whonix ™-FreeBSD-Workstation

Create a new FreeBSD VM on VirtualBox

VirtualBox → Machine → New → Next → Enter Name (for example: myVM) → Enter Operating System and Version → Next → Define RAM → Next → Create a new HDD (or not) → Next → Disk format doesn't matter (VDI works fine) → Next → Dynamically or fixed size is a matter of preference → Next → HDD size and location is a matter of preference → Next → Create

Install FreeBSD and upgrade it

This is necessary because freebsd-update and pkg do not support SOCKS.

## Base OS patches as root
root_shell> freebsd-update fetch install

## Application updates
root_shell> pkg upgrade

You will need an HTTP proxy chained to the Tor gateway to torify pkg or freebsd-update, otherwise you risk losing patches. Use one of privoxy/proxychains/tsocks when using the Whonix-Gateway ™.

Install necessary applications.

root_shell> pkg install privoxy

After this, shut down the VM.

root_shell> shutdown -p now

Change the VirtualBox VM settings

Choose the newly created VM (for example: myVM) → Settings → System → Motherboard → Hardware Clock in UTC

System → Motherboard → Pointing Device → PS/2 Mouse (required so that USB controller may be disabled)

System → Processor → Enable PAE/NX if available

Network → Adapter 1 → attached to Internal Network (Important!)

Network → Adapter 1 → Name (of Internal Network) (Important!): Whonix

(Note: It is Whonix ™, not whonix. Case sensitive. Capital W.)

USB → uncheck Enable USB controller

→ OK

Start VM and proceed to configure the OS inside the VM.

Configure network.

In your Custom-Workstation, open a terminal and edit /etc/rc.conf as a privileged user.

You need to configure a single interface, here em0; there should not be any other 'ifconfig' statements:

## Increment the last octet of the IP address when configuring other workstations.
ifconfig_em0="inet 10.152.152.12 netmask 255.255.192.0"
defaultrouter="10.152.152.10"

For address resolution to work, open the file /etc/resolv.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

and delete everything, then add

nameserver 10.152.152.10

Restart network service:

root_shell> service netif restart

Confirm changes by running ifconfig.

Whonix ™-OpenBSD-Workstation

Note: The chapter Whonix ™-OpenBSD-Workstation has not been tested or reviewed by Whonix ™ developers. Documentation contribution by an anonymous user.

1. Download OpenBSD iso.

Go to: https://www.openbsd.org/ [archive]

Download installXX.iso (current version: install67.iso) from https://cdn.openbsd.org/pub/OpenBSD/6.7/amd64/ [archive] and the SHA256 and SHA256.sig files.

2. Verify OpenBSD iso.

In Whonix-Workstation or on Debian-based systems, install the signify-openbsd package.

sudo apt-get update

sudo apt-get install signify-openbsd
Install OpenBSD keys. The version in buster only contains older keys, so install a newer version of the signify-openbsd-keys package. Temporarily replace your stable repository with testing:

sudo sed -i s/buster/testing/g /etc/apt/sources.list.d/debian.list

sudo apt-get update

sudo apt-get install signify-openbsd-keys
Change your repositories back to stable.

sudo sed -i s/testing/buster/g /etc/apt/sources.list.d/debian.list
Change directory to where you downloaded install67.iso, SHA256, and SHA256.sig.

cd /home/user/Downloads
Verify OpenBSD iso.

signify-openbsd -C -p /usr/share/signify-openbsd-keys/openbsd-67-base.pub -x SHA256.sig install67.iso

Must show

install67.iso: OK

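What signify -C does after it has checked the signature on SHA256.sig is ordinary digest verification: it reads the BSD-style "SHA256 (file) = digest" lines and compares each against the freshly computed hash of the file on disk. The following is an added example, not part of this page or of OpenBSD's signify, that reproduces that second step so the manifest format and the OK/FAILED decision are visible. The ISO bytes and the manifest are constructed stand-ins (the digest is the real SHA-256 of the three-byte stand-in, not of any OpenBSD release); nothing here replaces the signature check, which is what makes the manifest trustworthy in the first place.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed stand-in for install67.iso: the bytes b"abc", whose SHA-256 is well known.
ISO_BYTES = b"abc"
ISO_NAME = "install67.iso"

# Constructed manifest in the format OpenBSD publishes in its SHA256 file.
# The first digest is sha256(b"abc"); the second line is filler for another set.
SHA256_MANIFEST = (
    "SHA256 (install67.iso) = "
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
    "SHA256 (bsd.rd) = "
    "0000000000000000000000000000000000000000000000000000000000000000\n"
)

# One manifest entry: literal algorithm name, file name in parentheses, 64 hex digits.
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse manifest lines into {file name: expected hex digest}.

    Any non-blank line that does not match the format is an error rather than
    being skipped, so a truncated or tampered manifest cannot pass silently.
    """
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a SHA256 manifest line: {line!r}")
        entries[match["name"]] = match["digest"]
    return entries


def check_file(manifest: Dict[str, str], name: str, data: bytes) -> str:
    """Return "OK" or "FAILED" for one file, mirroring the signify -C verdict."""
    if name not in manifest:
        raise KeyError(f"{name} is not listed in the manifest")
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids a timing side channel; for a download check that is
    # not critical, but it is the idiomatic way to compare digests.
    return "OK" if hmac.compare_digest(actual, manifest[name]) else "FAILED"


def verify_download(manifest_text: str, name: str, data: bytes) -> str:
    """Produce the one-line report format shown above, e.g. "install67.iso: OK"."""
    return f"{name}: {check_file(parse_manifest(manifest_text), name, data)}"


if __name__ == "__main__":
    print(verify_download(SHA256_MANIFEST, ISO_NAME, ISO_BYTES))
    print(verify_download(SHA256_MANIFEST, ISO_NAME, ISO_BYTES + b"\x00"))
```

A single appended byte flips the verdict to FAILED, which is the property the download step relies on; the signature on SHA256.sig is what prevents an attacker who can swap the ISO from also swapping the manifest.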
3. Begin installation of OpenBSD.

Create, configure and boot your virtual machine from install67.iso according to instructions specific to your hypervisor.

Note: This guide assumes two virtual disks, one for the system and one for the /home partition.

4. Install OpenBSD.

Once the system boots from the iso, you will be prompted by:

Welcome to the OpenBSD/amd64 6.7 installation program.
(I)nstall, (U)pgrade, (A)utoinstall, or (S)hell?

Type I to install and press Enter.

Choose your keyboard layout ('?' or 'L' for list) [default]

Keep the default and press Enter.

System hostname? (short form, e.g. 'foo')

Type host and press Enter.

Which network interface do you wish to configure? (or 'done') [xxx0]

Press Enter.

IPv4 address for xxx0? (or 'dhcp' or 'none') [dhcp]

Note: xxx0 will be something else instead, such as em0 or a name specific to your hypervisor.

Qubes-Whonix ™: Enter the address of the VM (it can be viewed in the qube's settings).

Non-Qubes-Whonix ™:

10.152.152.12

Netmask for xxx0? [255.255.255.0]

Qubes-Whonix ™:

255.255.255.255

Non-Qubes-Whonix ™:

255.255.192.0

IPv6 address for xxx0? (or 'autoconf' or 'none') [none]

Keep none and press Enter.

Which network interface do you wish to configure? (or 'done') [done]

Continue.

DNS domain name? (e.g. 'example.com') [my.domain]

Enter localdomain.

DNS nameservers? (IP address list or 'none') [none]

Qubes-Whonix ™: Enter the address of your Whonix-Gateway (it can be viewed in the qube's settings).

Non-Qubes-Whonix ™:

10.152.152.10

Password for root account? (will not echo)

Type your desired root password.

Start sshd(8) by default? [yes]

Type no and press Enter.

Do you expect to run the X Window System? [yes]

Keep the default and continue.

Do you want the X Window System to be started by xenodm(1)? [no]

Keep the default and continue.

Setup a user? (enter a lower-case loginname, or 'no') [no]

Enter user.

Available disks are: sd0 sd1 sd2
Which disk is the root disk? ('?' for details) [sd0]

Continue.

Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]

Continue.

Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a]

Type E to edit, because /usr will need more space than the default layout provides.

sd0>

Type h or ? for help.

Type p M to print the disk layout in megabytes.

Type d e to remove the /home partition (you will set it up on another disk).

Type w to write the label to disk.

Type m d to modify the /usr partition and expand it.

offset: [xxxxxxx]

Keep and press Enter.

size: [xxxxxxx]

Enter your desired size here, either in bytes or megabytes; at least 5120.0M is recommended.

FS type: [4.2BSD]

Keep and press Enter.

mount point: [/usr]

Keep and press Enter.

w to write the label to disk.

p M again to print the disk layout in megabytes and make sure the changes were written correctly.

q to quit and save changes.

Which disk do you wish to initialize? (or 'done') [done]

Enter sd1.

Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]

E to edit.

Type edit 0

Type A6 and press Enter.

Do you wish to edit in CHS mode? [n]

Keep n.

Partition offset [0 - xxxxxxx]: [0]

Keep.

Partition size [1 - xxxxxxx]

Type your desired size or use the maximum, and press Enter.

w to write changes to disk.

quit to save changes and exit.

Label editor (enter '?' for help at any prompt)

p M to print the disk layout in megabytes.

Type a to add a partition.

offset: [0]

Keep.

size: [xxxxxxx]

Type the desired size in megabytes or use the maximum, and press Enter.

FS type: [4.2BSD]

Keep.

mount point: [none]

Type /home and press Enter.

sd1*>

w to write changes to disk.

q to save changes and exit.

Which disk do you wish to initialize? (or 'done') [done]

Done.

Proceed with the installation.

Directory does not contain SHA256.sig. Continue without verification?

yes can be typed safely (explained in the OpenBSD installation FAQ).

What timezone are you in? ('?' for list)

Enter UTC.

Exit to (S)hell, (H)alt or (R)eboot? [reboot]

Reboot.

5. Configure Whonix-OpenBSD Workstation.

Log in as root.
Connect the Whonix-OpenBSD workstation to the Gateway.

Run

vi /etc/mygate

Press a to append text and type the address of the Whonix-Gateway.

Non-Qubes-Whonix ™:

10.152.152.10

Press Esc. Type :w to write the file. Type :q to exit.

vi /etc/ntpd.conf

a to append text, then comment out all lines. They will not be needed, as ntpd is broken behind Whonix-Gateway.

:w to write the file. :q to exit.

rcctl disable ntpd

to prevent it from starting.

Configure network interface.

ls /etc

Should show a file hostname.xxx0.

vi /etc/hostname.xxx0

Move the cursor to the end of

inet [address of VM]

and hold x to delete everything after it. Then append (a), start a new line, and type

Non-Qubes-Whonix ™:

netmask 255.255.192.0

Qubes-Whonix ™:

netmask 255.255.255.255

Esc, :w, :q.

Run

sh /etc/netstart

to apply the changes.

6. Install system updates.

Run

syspatch

Reboot.

7. Optional: Install a desktop environment (Xfce used as example here.)

As root:

pkg_add xfce consolekit2 slim slim-themes

Configure Xfce.

touch /etc/rc.conf.local /etc/rc.local /root/.xinitrc /home/user/.xinitrc

echo "exec /usr/local/bin/ck-launch-session /usr/local/bin/startxfce4" >> /root/.xinitrc

echo "exec /usr/local/bin/ck-launch-session /usr/local/bin/startxfce4" >> /home/user/.xinitrc

echo 'pkg_scripts="messagebus avahi_daemon"' >> /etc/rc.conf.local

echo "/etc/rc.d/slim start" >> /etc/rc.local

8. Optional: Install packages to increase usability.

As root:

pkg_add bash sudo nano

Allow user to use sudo.

As root, run:

visudo /etc/sudoers

Uncomment the line.

%wheel ALL=(ALL) SETENV: ALL

Optional: Change shell to bash. As root:

chsh -s /usr/local/bin/bash

Repeat for the user user.

9. Install torsocks.

sudo pkg_add torsocks

Tor will be installed as a dependency. To prevent it from automatically starting, comment the line

RunAsDaemon 1

in /etc/tor/torrc.

Configure torsocks.

sudoedit /etc/torsocks.conf

or

sudo nano /etc/torsocks.conf

Make sure the following lines are present and uncommented:

TorAddress [address of Whonix-Gateway]
TorPort 9050

Whonix ™-GNU/Linux-Workstation

Easy

This is the easiest, but least secure option (see More security below).

For Qubes-Whonix ™:

1. Create a new VM.

2. Set sys-whonix as your VM's NetVM: Qube Manager → right-click vm-name → NetVM → sys-whonix → OK [7]

For Non-Qubes-Whonix ™:

Download and Use the Default Whonix-Gateway ™

Download and import the Whonix-Gateway ™ using the same procedure as for the Whonix ™-Default / Download-Version. No other Whonix-Gateway ™ changes are required in this case.

Set up a Whonix-Custom-Workstation ™

There are currently two ways to set up a Whonix-Custom-Workstation ™. Either:

Manually create a VirtualBox VM (established, old method).

Download and import a Whonix-Custom-Workstation ™ (stable method).

To manually create a VirtualBox VM (established, old method):

1. Create a VirtualBox VM. Follow these steps in order:

VirtualBox → Machine → New → Next → Enter Name (for example, myVM) → Enter Operating System and Version → Next → Define RAM → Next → Create a new HDD (or not) → Next → Disk format doesn't matter (VDI works well) → Next → Set dynamically or fixed size preference → Next → Set HDD size and location preference → Next → Create

2. Switch VirtualBox VM Settings. Follow these steps in order:

Choose the newly created VM (for example, myVM) → Settings → System → Motherboard → Hardware Clock in UTC

System → Motherboard → Pointing Device → PS/2 Mouse (required to disable the USB controller)

System → Processor → Enable PAE/NX (if available)

Network → Adapter 1 → Attached to Internal Network (important!)

Network → Adapter 1 → Name (of Internal Network) (important!): Whonix [8]

USB → Uncheck Enable USB controller

→ OK

To download and import a Whonix-Custom-Workstation ™ template (stable method):

This method's advantage is that there is no need to manually create a new VM. The process is greatly simplified; the Whonix-Custom-Workstation ™ only needs to be downloaded and imported. This approach has several benefits: it is easier, all security settings are already applied to the VM, and users don't have to remember and apply the necessary settings.

The latest Whonix-Custom-Workstation ™ version is: 15.0.1.3.4. Although the version number for Whonix-Gateway ™ and Whonix ™-Default / Download-Version might be far higher than the Whonix-Custom-Workstation ™ version, this is normal. [9]

1. Download the Whonix-Custom-Workstation ™. Download the following image. (Download)

2. Download the OpenPGP Signature. Download the corresponding OpenPGP signature. (Download)

3. Verify the Whonix Image. Follow these steps to verify the Whonix image.

4. Import and Rename the Virtual Machine. After importing the image, rename the virtual machine to something else. [10] VirtualBox → Right-click on VM → Settings → Name (for example: myVM)

If this method was used, please report how well it worked in the Whonix forum.

Start VM and Install Operating System

Start the newly created VM (for example: myVM). Insert the installation DVD. Updates do not have to be installed while installing the OS; post-install, apply updates after the network has been set up. The username is: user. The computer name is: host.

Configure network.

For Qubes-Whonix ™ , you do not have to configure the network.

For Non-Qubes-Whonix ™:

In your Custom-Workstation, open the file /etc/network/interfaces in an editor with root rights. (Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/network/interfaces

You only need to configure eth0:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface, leave as it is
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
# increment last octet of IP address on additional workstations
address 10.152.152.12
netmask 255.255.192.0
#network 10.152.152.0
#broadcast 10.152.152.255
gateway 10.152.152.10

In your Custom-Workstation, open the file /etc/resolv.conf in an editor with root rights. (Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

and delete everything, then add

nameserver 10.152.152.10
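
Every Non-Qubes workstation on this page (Windows, FreeBSD, OpenBSD, Android and the Debian stanza just above) uses the same three values: gateway 10.152.152.10, netmask 255.255.192.0, and a workstation address obtained by incrementing the last octet. A mistyped netmask or an address outside that network does not fail loudly; it simply leaves the gateway unreachable. The following is an added example, written for this page rather than taken from Whonix, that checks a planned static configuration against those values using Python's standard ipaddress module and parses an interfaces stanza like the one above. The interfaces text is a constructed copy of that stanza; the checks apply to the Non-Qubes addressing only, since Qubes-Whonix uses a /32 mask and addresses assigned by Qubes.

```python
import ipaddress
from typing import Dict, List

# Addressing values from this page (Non-Qubes-Whonix internal network).
GATEWAY = "10.152.152.10"
NETMASK = "255.255.192.0"
FIRST_WORKSTATION = "10.152.152.12"

# Constructed copy of the /etc/network/interfaces stanza shown above.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
# increment last octet of IP address on additional workstations
address 10.152.152.12
netmask 255.255.192.0
#network 10.152.152.0
#broadcast 10.152.152.255
gateway 10.152.152.10
"""


def internal_network(netmask: str = NETMASK) -> ipaddress.IPv4Network:
    """The network the gateway sits in, derived from its address and the netmask."""
    return ipaddress.IPv4Network(f"{GATEWAY}/{netmask}", strict=False)


def check_static_config(address: str, netmask: str = NETMASK, gateway: str = GATEWAY) -> List[str]:
    """Return a list of problems with one workstation's static settings; empty means OK."""
    problems: List[str] = []
    addr = ipaddress.IPv4Address(address)
    gw = ipaddress.IPv4Address(gateway)
    net = ipaddress.IPv4Network(f"{gw}/{netmask}", strict=False)
    if addr not in net:
        problems.append(f"{addr} is not in {net}; the gateway {gw} would be unreachable")
    if addr == gw:
        problems.append(f"{addr} collides with the gateway address")
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    if gateway != GATEWAY:
        problems.append(f"gateway {gateway} differs from the Whonix-Gateway address {GATEWAY}")
    if netmask != NETMASK:
        problems.append(f"netmask {netmask} differs from the Whonix internal network mask {NETMASK}")
    return problems


def plan_workstations(count: int) -> List[str]:
    """Addresses for `count` workstations, incrementing the last octet from the first one.

    Each candidate is validated so that a large count cannot silently produce an
    address that collides with the gateway or leaves the network.
    """
    addresses: List[str] = []
    for i in range(count):
        candidate = str(ipaddress.IPv4Address(FIRST_WORKSTATION) + i)
        problems = check_static_config(candidate)
        if problems:
            raise ValueError(f"{candidate}: " + "; ".join(problems))
        addresses.append(candidate)
    return addresses


def parse_static_stanza(interfaces_text: str) -> Dict[str, str]:
    """Extract address/netmask/gateway from an interfaces(5) static stanza, ignoring comments."""
    values: Dict[str, str] = {}
    for raw in interfaces_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "#network 10.152.152.0"
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("address", "netmask", "gateway"):
            values[parts[0]] = parts[1]
    return values


def check_interfaces_file(interfaces_text: str) -> List[str]:
    """Validate a whole interfaces file against the page's addressing."""
    values = parse_static_stanza(interfaces_text)
    missing = [k for k in ("address", "netmask", "gateway") if k not in values]
    if missing:
        return ["missing " + ", ".join(missing) + " in the static stanza"]
    return check_static_config(values["address"], values["netmask"], values["gateway"])


if __name__ == "__main__":
    print(internal_network())            # 10.152.128.0/18
    print(plan_workstations(3))
    print(check_interfaces_file(SAMPLE_INTERFACES) or "interfaces file OK")
```

The mask 255.255.192.0 is a /18, so the gateway's network is 10.152.128.0/18 and the Windows example address 10.152.152.50 passes the same check as the .12 address used for the Unix-like systems.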

Download operating system updates.

For Debian based Linux, such as Ubuntu, see Updates.

Configure Tor Browser Settings

When using Tor Browser, users should prevent Tor over Tor.

Warning: These instructions are new and only for willing testers. Some connectivity issues may be experienced. Please contribute by testing these instructions.

Warning: These instructions prevent Tor over Tor for Tor Browser and system-tor. However, it is possible that future updates to system-tor or the Tor Browser Bundle (TBB) could break this custom configuration and fail to prevent Tor over Tor without the user's knowledge. Therefore, users should use caution and thoroughly test prior to each use to ensure complete Tor over Tor prevention. See this forum thread for more [archive].

These instructions have been tested with Tor Browser v8.0.4. Connectivity might break in later Tor Browser versions, particularly if developers modify how Tor Browser networking is configured. [11]

1. Manually Download and Install Tor Browser.

2. Set multiple environment variables.

Note for Qubes users:

If a TemplateBasedVM is used, this change must be applied in the TemplateVM. The reason is that the file modification happens in the root image.

If a StandaloneVM is used, no special action is required. These VMs have their own copy of the whole filesystem.

Open file /etc/environment in an editor with root rights. (Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/environment

Add:

## Deactivate tor-launcher,
## a Vidalia replacement as browser extension,
## to prevent running Tor over Tor.
## https://trac.torproject.org/projects/tor/ticket/6009
## https://gitweb.torproject.org/tor-launcher.git
TOR_SKIP_LAUNCH=1

## Environment variable to disable the "TorButton" →
## "Open Network Settings..." menu item. It is not useful and confusing to have
## on a workstation, because this is forbidden for security reasons. Tor must be
## configured on the gateway.
TOR_NO_DISPLAY_NETWORK_SETTINGS=1

## environment variable to skip TorButton control port verification
## https://trac.torproject.org/projects/tor/ticket/13079
TOR_SKIP_CONTROLPORTTEST=1

3. Save and reboot. From this point, only the browser component of Tor Browser will be started.

4. Verify environment variables.

env

The output should show:

TOR_NO_DISPLAY_NETWORK_SETTINGS=1
TOR_SKIP_CONTROLPORTTEST=1
TOR_SKIP_LAUNCH=1

5. Configure network settings. [12]

Now the file ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js must be created. This presupposes Tor Browser has been installed as per step 1 and that a folder ~/.tb/tor-browser exists. If Tor Browser was installed to another folder, the path must be adjusted.

Open ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js in an editor as a regular, non-root user.

If you are using a graphical environment, run:

mousepad ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

If you are using a terminal, run:

nano ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

Add:

user_pref("extensions.torbutton.use_privoxy", false);
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.socks_port", 9100);
user_pref("network.proxy.socks", "10.152.152.10");
user_pref("network.proxy.socks_port", 9100);
user_pref("extensions.torbutton.custom.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.custom.socks_port", 9100);
user_pref("extensions.torlauncher.control_host", "10.152.152.10");
user_pref("extensions.torlauncher.control_port", 9052);

Save. Tor is now disabled in Tor Browser. The process is now complete.

Disable system-tor over Tor

system-tor must also be disabled to prevent Tor over Tor.

In the terminal, run.

Stop Tor.

sudo systemctl stop tor

Prevent Tor service from restarting after reboot.

sudo systemctl mask tor

The process is now complete.

Testing

Users must verify that Tor in Tor Browser and system-tor are disabled.

Note for Qubes users: Tor Browser should only be run in the AppVM.

1. To start Tor Browser, two options exist.

a) In the desktop file manager, move to the ~/.tb/tor-browser/Browser folder and double-click: start-tor-browser.desktop

Or

b) In the terminal, move to the Tor Browser folder.

cd ~/.tb/tor-browser/Browser

Next, start Tor Browser.

./start-tor-browser

2. Once Tor Browser is started, verify system-tor is disabled.

sudo systemctl status tor@default

The output should be similar to the following, showing the tor@default service is inactive (dead).

tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor prese
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf
   Active: inactive (dead)

3. Next, reconfirm that both system-tor and Tor (in Tor Browser) are not running. Note: The output will also show grep tor (the command that was just run). This is of no concern. [13]

sudo ps aux | grep tor

Output similar to the following shows that system-tor is running. This indicates Tor over Tor prevention is broken! Users should immediately stop using Tor Browser and seek advice on the Whonix ™ forums [archive].

debian-+   707  0.1  0.9  89320 36400 ?  Ss  21:15  0:01 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

Done!
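
The three manual checks in this chapter (the env output from step 4 above, the systemctl status, and the ps listing) are exactly the kind of thing worth automating, since the page warns that a Tor Browser or system-tor update can silently undo the configuration. The following is an added example, not Whonix code, that parses captured output of those three commands and reports whether Tor over Tor prevention still holds. All sample output is constructed for the example; the tor@default status text and the /usr/bin/tor process line follow the shapes shown above, and the Tor Browser path ~/.tb/tor-browser is the one this chapter uses. The script only reads text you paste or pipe into it; it does not run the commands itself.

```python
import re
from typing import Dict, List

# Variables step 2 above places in /etc/environment, and the value each must have.
REQUIRED_ENV = {
    "TOR_SKIP_LAUNCH": "1",
    "TOR_NO_DISPLAY_NETWORK_SETTINGS": "1",
    "TOR_SKIP_CONTROLPORTTEST": "1",
}

# --- Constructed sample output (not captured from a real system) -------------
ENV_OK = (
    "SHELL=/bin/bash\n"
    "TOR_NO_DISPLAY_NETWORK_SETTINGS=1\n"
    "TOR_SKIP_CONTROLPORTTEST=1\n"
    "TOR_SKIP_LAUNCH=1\n"
    "HOME=/home/user\n"
)
STATUS_INACTIVE = (
    "tor@default.service - Anonymizing overlay network for TCP\n"
    "   Loaded: loaded (/lib/systemd/system/tor@default.service; static)\n"
    "   Active: inactive (dead)\n"
)
STATUS_ACTIVE = STATUS_INACTIVE.replace("inactive (dead)", "active (running) since Mon 2020-01-01 21:15:00 UTC")
SYSTEM_TOR_CMD = ("/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc "
                  "-f /etc/tor/torrc --RunAsDaemon 0")
PS_CLEAN = (
    "user 1234 0.0 0.0 6076 892 pts/0 S+ 21:16 0:00 grep tor\n"
    "user 1200 0.2 3.1 812000 125000 ? Sl 21:15 0:03 /bin/bash ./start-tor-browser\n"
)
PS_SYSTEM_TOR = PS_CLEAN + f"debian-+ 707 0.1 0.9 89320 36400 ? Ss 21:15 0:01 {SYSTEM_TOR_CMD}\n"
PS_BROWSER_TOR = PS_CLEAN + ("user 1300 1.0 0.5 40000 20000 ? S 21:15 0:00 "
                             "/home/user/.tb/tor-browser/Browser/TorBrowser/Tor/tor -f torrc\n")


def missing_env(env_output: str) -> List[str]:
    """Names of required variables that are absent or have the wrong value in `env` output."""
    present: Dict[str, str] = {}
    for line in env_output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            present[key] = value
    return sorted(k for k, v in REQUIRED_ENV.items() if present.get(k) != v)


def tor_service_running(status_output: str) -> bool:
    """True if `systemctl status tor@default` reports the unit as active (or starting)."""
    match = re.search(r"^\s*Active:\s*(\S+)", status_output, re.MULTILINE)
    if match is None:
        raise ValueError("no 'Active:' line found in systemctl status output")
    return match.group(1) in ("active", "activating", "reloading")


def tor_processes(ps_output: str) -> List[str]:
    """Command lines of tor daemons in `ps aux | grep tor` output.

    The `grep tor` line itself and names that merely contain "tor" (such as
    ./start-tor-browser) are ignored; a binary named exactly `tor`, whether
    /usr/bin/tor or Tor Browser's own bundled copy, is reported.
    """
    found: List[str] = []
    for line in ps_output.splitlines():
        parts = line.split(None, 10)        # 10 fixed ps columns, then the command
        if len(parts) < 11 or parts[0] == "USER":
            continue
        command = parts[10].strip()
        if command.startswith("grep"):
            continue
        if re.search(r"(^|/)tor(\s|$)", command):
            found.append(command)
    return found


def tor_over_tor_report(env_output: str, status_output: str, ps_output: str) -> Dict[str, object]:
    """Combine the three checks; "ok" is True only when every check is clean."""
    env_missing = missing_env(env_output)
    service = tor_service_running(status_output)
    procs = tor_processes(ps_output)
    return {
        "missing_env": env_missing,
        "system_tor_running": service,
        "tor_processes": procs,
        "ok": not env_missing and not service and not procs,
    }


if __name__ == "__main__":
    print(tor_over_tor_report(ENV_OK, STATUS_INACTIVE, PS_CLEAN))
    print(tor_over_tor_report(ENV_OK, STATUS_INACTIVE, PS_SYSTEM_TOR))
```

On a real workstation, feed it the saved output of env, sudo systemctl status tor@default and sudo ps aux | grep tor; any entry in tor_processes, from either system-tor or Tor Browser's bundled tor, means Tor is running inside the workstation and the page's advice applies: stop using Tor Browser and ask on the forums.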

Whonix ™-Android-Workstation

With Static IP

Preferred!

VM settings are the same: attach the network adapter to the internal network named Whonix .

Configure Android x86 to use a static IP. On the Android VM run the following in the Terminal Emulator (tested on Nougat):

su

ifconfig eth0 10.152.152.12 netmask 255.255.192.0

ip rule add from all lookup main pref 0

busybox route add default gw 10.152.152.10

ndc resolver setnetdns 100 localdomain 10.152.152.10

Static IP routing and DNS should now be working. Note that ping uses ICMP, which is unsupported, so open the browser to check your connection instead.

With DHCP

More security

Recommendations:

Verify the operating system installation CD: compare it with the SHA256 hash or, even better, verify the GPG signature, if available.

Install while the virtual machine has no internet connection.

Set your username to user.

Disable Internet Time Syncing.

Set your Time Zone to UTC.

Set up a static IP.

In case you want to run more than one Whonix-Workstation ™ at the same time, it is recommended to read the Introduction in the Multiple Whonix-Workstation ™ article.

Read Basic Security Guide, Advanced Security Guide, Documentation and Design (which is Whonix ™-Example-Implementation-Workstation (based on Debian GNU/Linux) specific) and try to apply as much from it to Windows as possible.

Even more security

General

Recommendations:

VM settings

Qubes-Whonix ™ users can skip this.

For Non-Qubes-Whonix ™ , click on Expand on the right. If the Whonix-Custom-Workstation ™ template was downloaded and imported, this section can be skipped. [14] If a VirtualBox VM was manually created, click on Expand on the right. Find out the name of the VM you are using. vboxmanage list vms Apply these settings. [15] VBoxManage modifyvm "yourvmname" --synthcpu on VBoxManage modifyvm "yourvmname" --acpi on VBoxManage modifyvm "yourvmname" --ioapic on VBoxManage modifyvm "yourvmname" --rtcuseutc on VBoxManage setextradata "yourvmname" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" "1" Disable clipboard sharing. [16] VBoxManage modifyvm "yourvmname" --clipboard disabled Disable Drag'n'Drop support. [17] VBoxManage modifyvm "yourvmname" --draganddrop disabled Assistance is welcome in verifying that the settings on this wiki page match those we are using in Whonix source code. This ensures that no settings have been forgotten. If interested, click on Expand on the right. In Whonix source code, examine build-steps.d/2500_create-vbox-vm for the functions general_setup and workstation_specific. Apply any missing settings from build-steps.d/2500_create-vbox-vm. It is also sensible to drop the "sudo -u $USERNAME" setting. The following settings are not required. They are either recommended earlier on, or done by the gui creation process: --name

storagectl

storageattach

--memory

--pae

--intnet1

--cableconnected

--macaddress1

--audiocontroller

--audio

--rtcuseutc
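The settings above are easy to apply once and forget, and a single missed command leaves the VM at its default. The script below is an added example, not code from the Whonix wiki or the Whonix project: it applies the page's VBoxManage commands to a named VM and then checks saved output of VBoxManage showvminfo --machinereadable and VBoxManage getextradata against the recommended values, reporting each setting that differs. The key names acpi, ioapic, rtcuseutc, clipboard and draganddrop are assumed to be those printed by showvminfo --machinereadable, and the "Value: 1" line is assumed to be how getextradata reports the GetHostTimeDisabled key; confirm both against your VirtualBox version. The sample output used for the offline demonstration is constructed, not captured from a real VM.

```shell
#!/bin/sh
# Added example, not code from the Whonix wiki or the Whonix project.
# Applies the recommended VirtualBox settings and verifies them afterwards
# from VBoxManage's machine-readable output, so a forgotten setting is
# reported instead of silently staying at its default.
# Assumption: the key names (acpi, ioapic, rtcuseutc, clipboard,
# draganddrop) are those printed by "VBoxManage showvminfo --machinereadable".

# Apply the settings to the named VM (this part needs a VirtualBox install).
apply_vm_settings() {
    vm="$1"
    VBoxManage modifyvm "$vm" --synthcpu on
    VBoxManage modifyvm "$vm" --acpi on
    VBoxManage modifyvm "$vm" --ioapic on
    VBoxManage modifyvm "$vm" --rtcuseutc on
    VBoxManage setextradata "$vm" \
        "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" "1"
    VBoxManage modifyvm "$vm" --clipboard disabled
    VBoxManage modifyvm "$vm" --draganddrop disabled
}

# Save the current state for checking with:
#   VBoxManage showvminfo "$vm" --machinereadable > vminfo.txt
# check_vm_settings FILE prints one MISMATCH line per recommended setting
# that is missing or has another value; exit status 0 means all match.
check_vm_settings() {
    info_file="$1"
    status=0
    for pair in acpi=on ioapic=on rtcuseutc=on clipboard=disabled draganddrop=disabled; do
        key=${pair%%=*}
        want=${pair#*=}
        # showvminfo prints key="value"; keep only the value.
        got=$(sed -n "s/^${key}=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$info_file")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$want'"
            status=1
        fi
    done
    return "$status"
}

# check_host_time_disabled FILE checks saved output of
#   VBoxManage getextradata "$vm" \
#     "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled"
# Assumption: it prints "Value: 1" once host time sync is disabled.
check_host_time_disabled() {
    grep -q '^Value: 1$' "$1"
}

# Constructed sample output (not captured from a real VM) so the checks
# can be exercised offline: a fresh VM, and the same VM after hardening.
sample_default_info() {
    printf '%s\n' 'name="myVM"' 'acpi="on"' 'ioapic="off"' \
        'rtcuseutc="off"' 'clipboard="bidirectional"' 'draganddrop="disabled"'
}
sample_hardened_info() {
    printf '%s\n' 'name="myVM"' 'acpi="on"' 'ioapic="on"' \
        'rtcuseutc="on"' 'clipboard="disabled"' 'draganddrop="disabled"'
}

# Demonstration on the constructed samples.
tmp=$(mktemp)
sample_default_info > "$tmp"
echo "--- fresh VM ---"
if check_vm_settings "$tmp"; then echo "all recommended settings present"; fi
sample_hardened_info > "$tmp"
echo "--- hardened VM ---"
if check_vm_settings "$tmp"; then echo "all recommended settings present"; fi
rm -f "$tmp"
```

Running the check against the constructed "fresh VM" sample reports ioapic, rtcuseutc and clipboard as mismatches; the "hardened" sample passes. On a real host, run apply_vm_settings, dump showvminfo to a file and call check_vm_settings on it before first boot of the workstation.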

Whonix ™ Packages [ edit ]

Whonix ™ Debian Packages (overview [archive]), for example uwt [archive], are available for installation from source and from the Whonix ™ apt repository (example instructions [archive]). Installing some of the anonymity/security/privacy/usability related ones might be interesting for users of Debian and Debian derivatives.

Note that usage of these packages outside of Whonix ™ is untested and there is no contributor who supports this use case.

The current Whonix ™ contributors can only maintain a limited number of things, have limited resources and focus on other priorities. If you have developer skills, would you be interested in contributing by co-maintaining one or another package for use outside of Whonix ™?

Most security [ edit ]

Use the default Whonix ™ VMs and build them yourself from source.

Ubuntu [ edit ]

Debian [ edit ]

Whonix ™-Default/Download-Version is already based on Debian Wheezy / Stable. You may be interested in reading:

How to obtain Debian safely: Debian ISO gpg verification

Security Comparison: Whonix ™-Download-Workstation vs. Whonix-Custom-Workstation ™ [ edit ]

Introduction [ edit ]

Read first: Comparison of different Whonix ™ variants!

Note: Whonix ™-BuildYourselfFromSource-Workstation is of course the same as Whonix ™-Download-Workstation.

Table [ edit ]

Feature | Whonix ™-Download-Workstation | Whonix-Custom-Workstation ™
Based on | Debian buster GNU/Linux | Any of your choice.
Amnesic | No | No
Protection against root exploits (malware with root rights) on the Workstation | Yes | Yes
IP/DNS protocol leak protection | Full | Full
Takes advantage of Entry Guards | Yes | Yes
Operating System Updates persist once updated | Yes | Depends on whether it gets installed or is a Live CD.
Hides hardware serials from malicious software | Yes | Yes
Does not collect (virtual) hardware serials | Yes | Depends on the custom operating system.
Includes Tor Browser | Yes | Your responsibility to install Tor Browser. [19] [20]
Includes Firefox privacy patches [21] and Tor Button (=Tor Browser) | Yes, because it uses Tor Browser (without Tor/Vidalia). | Your responsibility to install Tor Browser. [19]
Prevents Tor over Tor for Tor Browser | Yes | Your responsibility to prevent Tor over Tor. [19]
Stream isolation to prevent identity correlation through circuit sharing | Yes | Your responsibility to use Stream Isolation.
Stream isolation in Tor Browser | No | No
Encryption | Should be applied on host. | Should be applied on host.
Cold Boot Attack Protection | No | No
Secure Distributed Network Time Synchronization | Yes, using sdwdate. | Your responsibility to install it.
Hides your time zone (set to UTC) | Yes | Your responsibility to set clock to UTC.
Hides your operating system account name | Yes, set to user. | Your responsibility to set username to user.
Hides your MAC address from websites | Invalid | Invalid
Secures your MAC address from local LAN (sometimes ISP) | No, planned, see. | Your responsibility.
Hides your host's MAC address from applications | Yes | Yes
Secure gpg.conf | Yes | Your responsibility to use a secure gpg.conf.
Privacy enhanced IRC client configuration | Yes | Your responsibility to configure the IRC client for enhanced privacy.
Other numerous security/privacy enhancements [archive] which will not all be listed in this table, such as defense against Keystroke Deanonymization or TCP ISN CPU Information Leak Protection [archive] | Yes | Your responsibility to configure these.

Conclusion [ edit ]

The Whonix ™-Download-Workstation is already preconfigured with all Whonix ™ extra security features.

A Whonix-Custom-Workstation ™ can be made (your responsibility!) as secure as a Whonix ™-Download-Workstation. If you simply create [22] a Whonix-Custom-Workstation ™, it still has some security advantages, for example full IP/DNS protocol leak protection, but not all of them; for example, it lacks Secure Distributed Network Time Synchronization. The details are listed in the table above.

Missing Documentation [ edit ]

You might wonder what "your responsibility" means, and some users ask where the documentation for these aspects can be found. No documentation has been written yet. There is a lack of resources to maintain such instructions, i.e. writing them and, more so, keeping them up to date, testing them, answering support requests, fixing bugs and implementing feature requests. Please contribute. For a more detailed explanation, see also Whonix ™ Packages.

References [ edit ]
