mirror of
https://github.com/ditatompel/insights.git
synced 2025-01-08 03:12:06 +07:00
213 lines
8.9 KiB
Markdown
213 lines
8.9 KiB
Markdown
|
---
|
||
|
title: Whonix on KVM for Online Privacy
|
||
|
description: Get started with Whonix KVM, how to install and configure this secure environment for better online privacy.
|
||
|
summary: Get started with Whonix KVM, how to install and configure this secure environment for better online privacy.
|
||
|
date: 2024-11-17T17:30:00+07:00
|
||
|
lastmod:
|
||
|
draft: false
|
||
|
noindex: false
|
||
|
nav_weight: 1000
|
||
|
categories:
|
||
|
- Privacy
|
||
|
tags:
|
||
|
- Whonix
|
||
|
- KVM
|
||
|
- Linux
|
||
|
images:
|
||
|
authors:
|
||
|
- ditatompel
|
||
|
---
|
||
|
|
||
|
In today's digital age, online privacy is a crucial aspect of our lives. With
|
||
|
the increasing amount of personal data being collected and stored online, it is
|
||
|
essential to understand the importance of protecting our individual rights to
|
||
|
privacy.
|
||
|
|
||
|
## Intro to Whonix
|
||
|
|
||
|
If you're looking for a solution to protect your online privacy,
|
||
|
[Whonix][whonix-web] is an excellent option. Whonix is a Linux-based
|
||
|
distribution specifically designed with privacy and security in mind, providing
|
||
|
its users with a robust platform for shielding their digital footprints.
|
||
|
|
||
|
One of the key features that makes Whonix an attractive option for me is its
|
||
|
KVM images. These images enable users to create isolated virtual machines that
|
||
|
can be easily spun up and down as needed.
|
||
|
|
||
|
In this article, I will summarize my steps to set up and run Whonix system
|
||
|
using KVM and Virt-Manager. This covers everything from creating the KVM
|
||
|
images and virtual networks for both the Gateway and Workstation
|
||
|
configurations to successfully booting up your secure Whonix environment.
|
||
|
|
||
|
However, before starting, you need to install [KVM][kvm-web] and
|
||
|
[Virt-Manager][virt-manager-web] first. I have uploaded a [video documentation
|
||
|
of my installation process for Virt-Manager on Arch
|
||
|
Linux][virt-manager-install-yt]; please watch the video if needed.
|
||
|
|
||
|
## Download and Configuring Whonix KVM
|
||
|
|
||
|
Download the [compressed archive of Whonix KVM][whonix-kvm-archives] from its
|
||
|
official page and place it in the `~/Downloads` directory. There are two
|
||
|
versions: GUI and CLI. The Whonix CLI version is designed for advanced users
|
||
|
who want to use Whonix without a graphical user interface (GUI). In this
|
||
|
article, I will be using the GUI version, which uses **Xfce** as its desktop
|
||
|
environment.
|
||
|
|
||
|
Extract the downloaded archive using the `tar` utility:
|
||
|
|
||
|
```shell
|
||
|
cd ~/Downloads
|
||
|
tar -xvf Whonix*.libvirt.xz
|
||
|
```
|
||
|
|
||
|
The extracted archive contains important documents, including the License
|
||
|
Agreement and disclaimer, as well as XML templates and Whonix image files for
|
||
|
both Gateway and Workstation.
|
||
|
|
||
|
You can modify the XML files and adjust the virtual machine settings before
|
||
|
importing them. But, unless you're familiar with libvirt's XML structure,
|
||
|
editing the default configuration is not recommended; instead, make
|
||
|
modifications through Virt-Manager later if needed.
|
||
|
|
||
|
### Adding Whonix Virtual Networks
|
||
|
|
||
|
To add virtual networks for your Whonix virtual machines, import both
|
||
|
`Whonix_external_network.xml` and `Whonix_internal_network.xml` by issuing
|
||
|
these commands:
|
||
|
|
||
|
```shell
|
||
|
sudo virsh -c qemu:///system net-define Whonix_external*.xml
|
||
|
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
|
||
|
```
|
||
|
|
||
|
Open the Virt-Manager application, right-click on your KVM connection, and
|
||
|
select **"Details"** from the menu. Then, go to the **"Virtual Networks"** tab
|
||
|
and ensure that the **"Auto Start on Boot"** checkbox is checked for both
|
||
|
Whonix Internal and Whonix External virtual networks.
|
||
|
|
||
|
![Whonix Network Auto Start](whonix-network-auto-start.jpg#center)
|
||
|
|
||
|
The Whonix Internal network is an isolated, virtual network shared between
|
||
|
the Whonix-Gateway and the Whonix-Workstation. This network is entirely
|
||
|
separate from the external network and does not directly connect to the
|
||
|
Internet.
|
||
|
|
||
|
The external network used by the Whonix-Gateway to establish a connection with
|
||
|
the Tor network via the host machine's network interface. In summary, the
|
||
|
Whonix-Gateway acts as the sole router for the Whonix-Workstation, ensuring
|
||
|
that all traffic is anonymized through the Tor Network.
|
||
|
|
||
|
![Whonix Concept](whonix-concept-detailed.jpg#center)
|
||
|
|
||
|
### Whonix Image Files
|
||
|
|
||
|
The Whonix XML files are configured to use image files from the
|
||
|
`/var/lib/libvirt/images` directory, which is the default libvirt storage
|
||
|
location for most Linux distributions.
|
||
|
|
||
|
Go back to the terminal and move the Whonix VM image files to the
|
||
|
`/var/lib/libvirt/images` directory:
|
||
|
|
||
|
```shell
|
||
|
sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
|
||
|
sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
|
||
|
```
|
||
|
|
||
|
**Note**: Whonix disk images are **sparse files**, which means that you need
|
||
|
to use the `--sparse=always` flag when copying them instead of moving them. For
|
||
|
example:
|
||
|
|
||
|
```shell
|
||
|
sudo cp --sparse=always Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
|
||
|
sudo cp --sparse=always Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
|
||
|
```
|
||
|
|
||
|
### Importing Whonix VM Templates
|
||
|
|
||
|
Import your Whonix-Gateway and Workstation virtual machines from the XML
|
||
|
configuration file. To do this, run the following commands in the terminal:
|
||
|
|
||
|
```shell
|
||
|
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
|
||
|
sudo virsh -c qemu:///system define Whonix-Workstation*.xml
|
||
|
```
|
||
|
|
||
|
Note that these commands will import the XML configuration files and create the
|
||
|
corresponding virtual machines. Make sure you have the correct file names and
|
||
|
paths to avoid errors.
|
||
|
|
||
|
Additionally, after importing the templates, you may want to verify that your
|
||
|
virtual machines are created successfully by checking their status using the
|
||
|
following command:
|
||
|
|
||
|
```bash
|
||
|
sudo virsh list --all
|
||
|
```
|
||
|
|
||
|
This will display a list of all the virtual machines running on your system,
|
||
|
including the Whonix-Gateway and Workstation.
|
||
|
|
||
|
### Whonix-Gateway CLI mode
|
||
|
|
||
|
If your host operating system has limited RAM, you can run Whonix-Gateway in
|
||
|
CLI mode by simply changing the memory allocation to 512MB or less. However,
|
||
|
please be aware that resource-intensive operations, such as upgrading the
|
||
|
operating system with a minimum amount of memory, can cause virtual machines
|
||
|
to freeze or become unresponsive. To avoid this, make sure to allocate
|
||
|
sufficient resources to your Whonix VMs, especially when performing any
|
||
|
software updates or upgrades.
|
||
|
|
||
|
Apart from controlling Tor and installing updates, there is not much else to
|
||
|
do on Whonix-Gateway. Activities such as running applications, especially the
|
||
|
Tor Browser, should never be started on Whonix-Gateway. Instead,
|
||
|
all user-centric applications ought to be launched from Whonix-Workstation to
|
||
|
safely utilize the Tor network.
|
||
|
|
||
|
## Using Whonix-Workstation
|
||
|
|
||
|
Since Whonix-Workstation relies on Whonix-Gateway for online functionality, you
|
||
|
need to start the Whonix-Gateway before booting up the Whonix-Workstation.
|
||
|
Failure to do so will result in the Whonix-Workstation being unable to connect
|
||
|
to the Internet or access external resources.
|
||
|
|
||
|
### Pre-installed Applications and Utilities
|
||
|
|
||
|
Whonix-Workstation provides bunch of utilities to maintain the VM, such as
|
||
|
upgrading the operating system without requiring root privileges using
|
||
|
`upgrade-nonroot` utility. It also provides stream isolation for many
|
||
|
pre-installed or custom-installed applications, such as **Hexchat** and
|
||
|
**Thunderbird**, using a dedicated Tor `SocksPort` to prevent identity
|
||
|
correlation that may otherwise occur.
|
||
|
|
||
|
## My View on Privacy and Anonymity
|
||
|
|
||
|
Online privacy and anonymity have become intertwined concepts, but, they're
|
||
|
not exactly the same thing. In my view, online privacy refers to the ability
|
||
|
to control who has access to our personal information, while online anonymity
|
||
|
refers to the ability to conceal or hide our identity online.
|
||
|
|
||
|
Online anonymity can often increase online privacy in several ways:
|
||
|
|
||
|
1. **Masking Personal Data**: By using Tor or I2P, individuals can mask their
|
||
|
IP addresses, locations, and browsing habits.
|
||
|
2. **Reducing Surveillance**: Online anonymity can reduce the amount of
|
||
|
surveillance being conducted on individuals, as it becomes harder for
|
||
|
governments and corporations to monitor their online interest and activities.
|
||
|
|
||
|
But I'm a little skeptical about online anonymity. I believe that with
|
||
|
sufficient time, power, and resources, it's possible to trace everything back
|
||
|
to its origin. While this might sound pessimistic, it's a harsh reality we must
|
||
|
confront. With advancements in technology and data collection, it has become
|
||
|
increasingly easy for governments, corporations, and hackers to track down
|
||
|
individuals online.
|
||
|
|
||
|
Although online anonymity can increase online privacy, it's not a foolproof
|
||
|
solution. However, it's always a good idea to use a combination of tools and
|
||
|
strategies to maintain online privacy and security.
|
||
|
|
||
|
[whonix-web]: https://www.whonix.org "Whonix Official Website"
|
||
|
[kvm-web]: https://linux-kvm.org/page/Main_Page "KVM Official Website"
|
||
|
[virt-manager-web]: https://virt-manager.org/ "Virt-Manager Official Website"
|
||
|
[virt-manager-install-yt]: https://www.youtube.com/watch?v=Y01SwRqkX8I "My Virt-Manager Installation Process Video"
|
||
|
[whonix-kvm-archives]: https://www.whonix.org/wiki/KVM#Download_Whonix
|