Proxmox - A dedicated KVM platform for Whonix?

In considering options to run Whonix via KVM, I had a brief look at the Debian/KVM-based, Proxmox, a dedicated “virtualization environment” . I am curious about two things:

  1. Has anyone here has attempted to install and run Whonix in Proxmox? Is that even possible or advisable? If so, can you share any thoughts concerning: the installation process, overall performance, bugs, security issues and/or support for features such shared folders?

  2. Overall, would you consider Proxmox to be a user-friendly and straightfoward approach to install and maintain a KVM platform? In this regard, does it offer any advantages or disadvantages compared to installing and maintaining KVM on a more conventional Debian (or Debian-based) installation?

From looking around before, I’ll tell you there is quite a number of similar virtualization managers and TBH I won’t be (re-)analyzing each and every one you discover. The two things you should look at before reporting about them here are:

  1. Do they support automatic apparmor confinement by using something like sVirt
  2. Do they have a GUI interface for importing VM and virtual network definition files

Well this too is even useful … toward a check-list for Whonix-supporting platforms. Thx!

The three main management GUIs geared towards users are aqemu, GNOME Boxes and Libvirt. Libvirt is the best supported with most features. The rest are enterprise interfaces.

I’m using Proxmox already for regular KVM images and I’m planning on trying out Whonix using Proxmox soon. If I have any experiences I will write back here. Or, if the OP has already plunged ahead with this please let us know how it went.

I seem to have made some good progress. Here’s what it seems you have to do:

  1. Log into the Proxmox web interface.
  2. Click on your host server in the list and click the Network tab.
  3. Create a new Linux bridge, with IP address 10.152.152.10 and ports/slaves setting blank. There is no way to change bridge_stp to “on” in the Proxmox interface as recommended for Whonix, but I’m not sure if this is necessary. If so, you can edit in in /etc/network/interfaces manually after step 5.
  4. If you have a DHCP server on the Proxmox server, make sure it is only listening on the old bridge interface, not the one you just created.
  5. Reboot to activate the new bridge interface (sorry). Note, for me it didn’t come up automatically after booting (not sure why not), so I had to use ifup to bring it up.
  6. Back in the Proxmox web interface, click the Create VM button.
  7. Enter the following settings:
    a. Name Whonix-Gateway
    b. OS Linux 4.X
    c. CD/DVD do not use
    d. Disk size 100Gb and keep defaults
    e. CPUs 1 and keep defaults
    f. Memory 512Mb (default)
    g. Network: choose NAT (this adapter is for the external network).
  8. On the console, cd to /var/lib/vz/images/xxx where xxx is whatever ID Proxmox has assigned to your new machine.
  9. Overwrite Proxmox’s generated vm-xxx-disk-1.qcow2 file with the downloaded Whonix-Gateway-13.0.0.1.4.qcow2 and make sure its ownership and permissions are the same.
  10. Edit the new VM before you start it to add a second network adapter for the internal network. This one should be set in bridged mode using the new bridge that you created.
  11. Start the VM and complete the configuration as per the instructions at Whonix ™ for KVM and Whonix Quick-Start Guide v0.1 - #8 by torjunkie.
  12. For making new VMs, I guess just ensure that they are on the same network bridge as Whonix-Gateway. But I haven’t done this yet.

As to whether this provides automatic apparmor confinement or some equivalent, I don’t know. How would I test that?

1 Like

To see what aaparmor profiles are loaded look under enforced profiles output from: sudo aa-status

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/usr/bin/lxc-start
/usr/sbin/mysqld
lxc-container-default
lxc-container-default-with-mounting
lxc-container-default-with-nesting
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/bin/lxc-start (2938)
/usr/sbin/mysqld (1813)
/usr/sbin/mysqld (5403)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Nope not confined.

OK thanks, I’ll report this to Proxmox to see whether they want to add this in a future release.

I expect that they might say that it’s overkill for KVM, because KVM is already its own container and apparmor isn’t as necessary as it is for LXC—except in the case where there is a bug in KVM which enables the user to escalate their privileges and break out of their machine to inspect the host’s filesystem or memory.

Is this accurate, or is there an additional reason to have apparmor?

1 Like

Each layer of defense counts. Without apparmor the host is more vulnerable.

Well, that’s how I have it and it is working for me. But I wouldn’t swear it’s the best configuration. The only difference is that in my interfaces file I have lines “network 10.152.128.0” and “broadcast 10.152.191.255”. Try adding those.

I have no idea what you are doing here… But…

	post-up echo 1 > /proc/sys/net/ipv4/ip_forward

I discourage using IP forwarding. The beauty of Whonix is, that we don’t
need IP forwarding and therefore have a lot lower risk for leaks.

So I can tell you what I have in case it helps. On my Whonix gateway I have this:

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 10.152.152.10
netmask 255.255.192.0

I already showed you what I have on my Whonix workstations.

My DHCP server is running on the Proxmox host, which has a direct connection to the Internet (more or less), and its network is a bit more complicated, but here is part of its interfaces file:

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
iface eth1 inet manual
auto vmbr0
iface vmbr0 inet static
address 10.152.152.10
netmask 255.255.255.0
bridge_ports none
bridge_stp on
bridge_fd 0
auto vmbr1
iface vmbr1 inet static
address 192.168.1.2
netmask 255.255.255.0
bridge_ports eth1
bridge_stp off
bridge_fd 0

Do you have other (non-Whonix) Proxmox VMs that can access the Internet? If not, that would be the first thing to get straight before adding Whonix into the equation.

3 Likes

Is there any progress?

Today I will follow this steps and try it! :slight_smile:

1 Like

@terminus you have some update on this?

I’m no longer using Proxmox, sorry, so I can no longer help to debug.

Are you using other platform like proxmox to add whonix?

The only other I’ve used is Virtualbox, which is officially supported.

1 Like