Best Practice for cloning Whonix VMs?

It is very convenient to have many separate Whonix VMs for compartmentalization, and cloning new ones from a template is very quick. However, I could not find anything in the documentation regarding the correct and safest way to do this in KVM (nor in VB).

I am changing from VB to KVM and here is how I usually set things up:

  • Create a template Gateway & Workstation, proceed to harden settings and tweak them to my default liking and never use the template for anything but setting defaults or updating.
  • Clone many Gateway and Workstation sets for each use case, sometimes simply deleting and cloning a new one to “refresh” them after some time.

In VB I simply right clicked and cloned and set it to “randomize mac” in the menu.

Was this good practice in VB? How might something similar be done in KVM?

My experience so far with KVM is that I set up a template and spent a while configuring it. Upon cloning it using the GUI interface and not messing with any networking settings, ALL Whonix VMs suddenly were unable to complete whonixcheck and connect to the network; it is stuck on "tor circuit: not established 2% done", including the original template. I deleted the clones and tried to use the template, but it is still not connecting.

So to restate the purpose of this thread: What are the correct ways to go about managing a Whonix template and clones step by step, how do you do it, and is there anything missing in this process that could improve your workflow? Perhaps we can document this.

are you running the original templates and the clones at the same time?

No, and even after I deleted the clones the original template network connection no longer works, it seems they all broke after the first time I booted the clone up.

hmmmm. i’m trying to reproduce. but, i can’t. by chance, when you clone the original virtual machines, are you using the “shared” image option? you should avoid that. if something breaks with the clone, and the disk image was shared, that might break the original too.

in follow up to this, in case i wasn’t clear, on my system, cloning a vm with virt-manager defaults to using a “shared” disk for the clone. so, if you missed that, changes that happen to your clone would happen on your template as well. try creating a new disk image for your clone and see if the problem persists with both. if you attempt to run originals and clones at the same time, and didn’t set up a new network interface for your clones, the result of the local ip addresses being the same will kill network connectivity.

as an aside, there’s ways to set your original backing image as an immutable source for other virtual machines with qemu-img, which will likely save you hd space. i plan on documenting that soon.
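The two clone pitfalls raised in the replies above (a disk image shared with the template, and a network interface the clone did not get fresh) can be checked from the libvirt domain definitions. This is an added example, not part of the thread; the domain names, image paths, MAC addresses and the `Whonix-Internal-2` network name are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed libvirt domain XML; names, paths and MACs are sample values.
def _domain(name, image, mac, network):
    return (f"<domain type='kvm'><name>{name}</name><devices>"
            f"<disk type='file' device='disk'><source file='{image}'/></disk>"
            f"<interface type='network'><mac address='{mac}'/>"
            f"<source network='{network}'/></interface></devices></domain>")

IMAGES = "/var/lib/libvirt/images/"
TEMPLATE = _domain("ws-template", IMAGES + "ws-template.qcow2",
                   "52:54:00:AA:BB:01", "Whonix-Internal")
BAD_CLONE = _domain("ws-clone-bad", IMAGES + "ws-template.qcow2",
                    "52:54:00:aa:bb:01", "Whonix-Internal")
GOOD_CLONE = _domain("ws-clone-ok", IMAGES + "ws-clone-ok.qcow2",
                     "52:54:00:aa:bb:02", "Whonix-Internal-2")

def domain_facts(domain_xml):
    """Return the disk image paths, MAC addresses and libvirt networks a domain uses."""
    root = ET.fromstring(domain_xml)
    sources = root.findall("./devices/disk[@device='disk']/source")
    macs = root.findall("./devices/interface/mac")
    nets = root.findall("./devices/interface/source")
    return {
        "disks": {s.get("file") for s in sources if s.get("file")},
        # MAC addresses are compared case-insensitively.
        "macs": {m.get("address").lower() for m in macs if m.get("address")},
        "networks": {s.get("network") for s in nets if s.get("network")},
    }

def clone_conflicts(template_xml, clone_xml):
    """List what a clone still shares with its template, per category."""
    t, c = domain_facts(template_xml), domain_facts(clone_xml)
    return {key: sorted(t[key] & c[key]) for key in ("disks", "macs", "networks")}

if __name__ == "__main__":
    for label, clone in (("bad", BAD_CLONE), ("good", GOOD_CLONE)):
        for key, shared in clone_conflicts(TEMPLATE, clone).items():
            if shared:
                print(f"{label} clone shares {key} with template: {', '.join(shared)}")
```

On a real host the XML for each domain would come from `virsh dumpxml`. A shared network only matters when the template and the clone run at the same time.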

No, when I cloned I got a separate image.

As to the default, for me to create shared image is not even an option as it is greyed out, only creating new disk is option.

For extra info, I have encountered this same problem on two different host devices with the same software settings (minimal Debian netinst morphed with Kicksecure).

Update: After changing the host to Manjaro, cloning and networking work without problems on KVM for Whonix & Kicksecure.

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Multiple_Whonix-Gateway#KVM this documentation is useful for anyone here curious about cloning procedure.

And as to my networking difficulties, I believe this had to do with Gufw Firewall automatically being turned off by a VPN client. If anyone has this issue, try this: reboot, turn the VPN on, then turn the firewall back on, and then open your Whonix or Kicksecure VM. The networking should work; there seems to be a conflict when no firewall is active. So may have been unrelated to cloning.

Also, for best workflow, it would be nice if Whonix host not only included a KVM Whonix VM template but also a KVM Kicksecure VM template, or at least as an option at install. Not sure if this is planned, but I think it would be a great addition to Whonix host.
