Install Whonix: Virtual and extra secure

We have looked at a similar operating system before, namely Tails. This may be a safer environment for outside threats due to its configuration options and extra tools, but Whonix prides itself on even better security and relies on Kicksecure, a Debian-Linux distribution with security in mind in particular. You can read about which security functions are implemented at www.kwikr.nl/kicks.

To name a few: using AppArmor profiles to restrict system access by applications, applying various kernel hardening techniques from KSPP (Kernel Self Protection Project), and an encrypted swap file for optimal protection of local data.

Whonix was first launched in 2012 under the name TorBOX, where a virtual machine acts as a transparent proxy that routes all internet traffic through the Tor network.

If you want to learn more about the security functions of Whonix, you can refer to the tables at www.kwikr.nl/whovs. These may come from Whonix itself – the authors aren’t afraid to admit that this may encourage (unintentional) bias – but the information remains interesting.

in the section Security Numerous security functions in eleven areas, including Network, Browser Plugin Security, judicial and hardeningCompared between Whonix and the likes of Tails and Tor Browser.

As mentioned, Whonix revolves around two machines: a gateway and a workstation. Although you can use two physical machines for this, by installing the gateway on one machine and the workstation (virtualized) on the other machine, we stay connected to only one physical machine, albeit with two VMs in our scenario.

Whonix can be installed on various systems and on a USB stick with some difficulty, but a USB image is not yet available. The most common method is via a hypervisor, and Whonix itself provides VirtualBox with an almost out-of-the-box ova application (Open Virtual Appliance). You can download the hypervisor itself for free. We assume it’s already installed on Linux, macOS or Windows.

Those interested in the Whonix repository can visit https://gitlab.com/whonix. The easiest way to download the VM is via www.kwikr.nl/whovm. You will find that two versions of Whonix are available: a CLI variant (command line interface) and a GUI version (with an Xfce desktop environment). It is also possible to combine an Xfce workstation with a CLI gateway (see ‘GUI and CLI’ below).

To install Whonix, start VirtualBox, open menu File and choose you Import device. Look for the ova file downloaded via the folder icon. Bee Settings Device You immediately notice that there are two related VMs. If you wish, you can also click here and set certain properties. confirm with import and together To accept (2 times).

You should now find two VMs in the Virtualbox management module. You can still change the components in Settings. Note that some options can only be set when the VM is shut down.

With a double click, you have already started the gateway virtual machine. after clicking Understood (2x), a wizard will ask you how you want to connect to the Tor network. This can be done ‘automatically’ via Connectbut also through configure, you can specify a Tor bridge here. After booting you should have a Tor connection.

Once accepted, go to the workstation’s VM where you can launch the applications you want. Open Tor Browser and browse https://check.torproject.org to verify that you are indeed browsing Tor. Here you will also see the IP address of the Tor relay.

Settings such as screen resolution and keyboard layout, Apps / Settings. Or you use the console to set things up. At www.kwikr.nl/whocli you will find a summary of the most important commands.

You will notice that you cannot start using Tor Browser from the gateway. The idea is that you only do this from the workstation. For this purpose, Whonix has set up an internal virtual network. You will notice this when you open the workstation’s VM settings in VirtualBox and Network chooses. this network adapter is connected with internal network by name whonix.

The gateway’s VM has two virtual network adapters enabled: one is also connected to this internal network while the other WET connected. This NAT mode causes VirtualBox’s network engine to act as a router, placing itself between each VM and the host. This allows the gateway to access the remote network, but the host cannot access the VM unless you define port forwarding rules.

Both VMs cannot reach each other, but connecting them to the same internal network makes it possible, so you can access the internet from the workstation through the gateway that routes all traffic through the Tor network.

As mentioned, it is also possible to connect an Xfce workstation to a headless gateway. For example, this can be done like this: download the ova file from the CLI gateway and open this file in 7-Zip File Manager. Select the corresponding vmdk file and drag it to your desktop, for example.

After that, go to VirtualBox where you make sure both Whonix VMs are powered off. Create a new VM in VirtualBox, give it a suitable name (for example Whonix-Gateway-CLI), set to Linux, Debian (64-bit) and allocate enough memory for it. choose Use an existing virtual hard disk fileClick the folder icon and Add and hover over your extracted vmdk file.

Before starting the new VM, compare all the settings of the previously installed Xfce gateway with the CLI machine and adjust the second one if necessary. For example, you need to enable a second network adapter to connect to the network. internal network by name whonix to connect.

When starting the CLI gateway, you can login with credentials at startup. user and change me and then enable Tor. You can also start your workstation after the system check.