First time around I just wanted to get set up and had trouble initially with the kvm way, so I just ended up going with virtualbox, but I want to figure out the kvm way properly now for the reasons stated in the wiki - that it is properly FOSS - and I prefer its more stripped down nature in general. I now have the time and inclination to get it cracked. I have used kvm in the past but have just used it via making my own shell scripts with the commands to run a vm, not using virsh.
I actually prefer that way but I guess it would not be practical here since the virsh xml files contain a lot of the setup info? And it would be circuitous to do it that way for setting the gateway and workstation up?
Also can I do cli-gateway and xfce-workstation because I think it is superfluous to have a desktop for the gateway since it is not used.
My general philosophy is in line with linux philosophy of most simple and efficient so it was good to see that xfce was being considered to replace kde.
Where should I get the latest downloads for cli-gateway and whonix-xfce? and corresponding info on how to setup?
Also regarding encryption, would you need to setup an encrypted partition and just setup kvm within that? rather than there just being a simple switch like in virtualbox for kvm which deals with encryption?
There is a command to convert virsh settings into QEMU commands but you lose out on security enhancements such as svirt apparmor sandboxing of VMs. If you are OK with that I can find it for you.
You can but you will need to build a cli-only GW for the moment as I haven’t gotten around to doing cli-specific builds.
You set up a partition and just move the image there and point the VM settings to the alternate location. It would be easier to just encrypt your entire host to begin with.
Thanks. I guess it is a good idea to run it in a stock way as per the base instructions before trying the more exotic builds/flavors as to qemu commands and the like.
Ah so xfce is the standard DE now with this download link in the KVM instructions? I presume so since it gives xfce troubleshooting at the bottom. As I was reading around forum posts a couple days ago I didn’t hit on any message that it had actually been rolled out and was still much in development stage; maybe I just didn’t reach to the latest posts as I was only skimming around :).
Yes I already knew the KVM install link it was just that when I tried initially, maybe 8-9 months ago, KDE was still the default.
Cool. I shall start again from the top with the wiki and concern myself with my other issues later if needed. It might be moot now anyway, regarding the cli version since xfce is lightweight anyway so that circumvents the original concern such as to now be a non-issue.
I am tied up in a bit of a mess here with libvirt commands
$ virsh -c qemu:///system net-define Whonix_external*.xml
error: Failed to define network from Whonix_external_network-14.0.1.4.4.xml
error: operation failed: network 'external' already exists with uuid 417ba234-1cde-4fbb-8837-417a0b6453a
I have already undefined and deleted the old attempt/previous version from many months ago but how do I get rid of all this net stuff because it is conflicting with this current attempt.
I was not sure what I need to search for online and c+p of the error didn’t bear any fruit on my cursory inspection.
$ virsh net-list --all
Name       State      Autostart   Persistent
-----------------------------------------------
external   inactive   yes         yes
internal   inactive   no          yes
Hey I have never used virsh (apart from that brief failed attempt in the past) so no step is obvious yet to me :). As I said I’m used to qemu but I shall persist and see if I get the hang of it.
Now sorry for stupid questions but how do I remove it + if there is a common place I can look for these obvious answers related to libvirt where is it?
I am reading the archwiki for libvirt but it doesn’t seem to completely answer such issues.
EDIT just saw the link. Will read now. Thanks.
EDIT2: ah virsh net-undefine <name> was what I was after; found in the virsh man. I always forget man pages are the first place you should look
Ok now I can’t delete them for system? only session.
Sessions removed as expected but when I ran sudo for the other commands the networks still show, yet when I try and undefine them they show success yet still show up and I can’t re-add them because it is still saying they already exist.
Also do all these commands have to be run with system virsh? I am guessing so? because I tried doing them for session earlier and it said that the last command
Ok I installed it now and got it running but sudo virt-viewer --connect qemu:///system Whonix-Gateway when I get in I am not allowed to get past the terms as the mouse will not respond to clicking the radio.
I tried tabbing and it works to scroll to the accept however if I press enter it will still just exit and shutdown.
EDIT: got that with some tabbing and also up and down arrow. No mouse at all, need to play around there, something to do with virt-viewer I guess and nothing to do with whonix.
Sorry this applies to the virtual machine manager gui which you should have installed as per wiki instructions. In this network pane you will see all virtual networks and can manipulate them from there.
Ok I have everything setup now nearly. Running the console from virt-manager solved the kb/mouse issues.
One last thing though- copy and paste from host to guest works on gateway but not on workstation. Why would that be? I will be needing it most for the workstation obviously because that is the one that is being used.
I suppose I will look into debugging spice and that side of things.
Clipboard sharing is disabled by default for security reasons as per official documentation:
SPICE allows accelerated graphics and clipboard sharing. The clipboard is disabled by default for security reasons to prevent accidentally copying a link to a website you visited anonymously to your non-anonymous host browser or vice versa and to stop malware in Whonix ™ Workstation from pilfering sensitive info from your clipboard.
You can easily enable it if you want to (be aware of the security implications):
If you still want to enable it, edit the VM config file, then change <clipboard copypaste='no'/> to ‘yes’ then save and restart.
You could enable clipboard sharing if you accept the risks (=the Workstation has access to the host’s clipboard content and vice-versa).
Otherwise I guess you could create a veracrypt container with your passwords inside on your host (or if you are really paranoiac, you could create it on a machine without internet access, then copy it to the host) that you would access from the Workstation with a shared folder.
Use a password manager in the WS like keepassx which we now include I believe. Then regularly make backups of the encrypted manager database and archive that.
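The clipboard setting discussed in the replies above can be checked before a VM is started. The following is an added example, not part of the original thread or the Whonix project's code: it audits a libvirt domain XML for the `<clipboard copypaste='...'/>` element, treating a missing element as shared because libvirt enables SPICE copy/paste by default. The sample XML and the domain names in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed samples; real input: `virsh -c qemu:///system dumpxml <domain>`.
SAMPLE_WORKSTATION = """
<domain type='kvm'>
  <name>Whonix-Workstation</name>
  <devices>
    <graphics type='spice' autoport='yes'>
      <clipboard copypaste='no'/>
    </graphics>
  </devices>
</domain>
"""
SAMPLE_NO_ELEMENT = """
<domain type='kvm'>
  <name>example-guest</name>
  <devices>
    <graphics type='spice' autoport='yes'/>
  </devices>
</domain>
"""


def clipboard_shared(domain_xml: str) -> bool:
    """Return True if any SPICE display in the domain allows copy/paste."""
    root = ET.fromstring(domain_xml)
    for gfx in root.findall("./devices/graphics[@type='spice']"):
        clip = gfx.find("clipboard")
        # libvirt enables SPICE copy/paste when the element is absent,
        # so only an explicit copypaste='no' counts as disabled.
        if clip is None or clip.get("copypaste", "yes") != "no":
            return True
    return False


def disable_clipboard(domain_xml: str) -> str:
    """Return the domain XML with copypaste='no' on every SPICE display."""
    root = ET.fromstring(domain_xml)
    for gfx in root.findall("./devices/graphics[@type='spice']"):
        clip = gfx.find("clipboard")
        if clip is None:
            clip = ET.SubElement(gfx, "clipboard")
        clip.set("copypaste", "no")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sample in (SAMPLE_WORKSTATION, SAMPLE_NO_ELEMENT):
        print(clipboard_shared(sample))
```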