Noob Questions - Whonix On a Single Hard Drive Machine + Hardware capabilities

I’ve been reading the IVPN guides for a whonix setup using RAID and multiple hard drives. I only have a one hard drive machine available for the time being (I do have an external), is this an issue? I haven’t been able to find a definitive answer to my question or to the contrary.

Given 8gb ram, but only dual core, what latency/speed can I expect with a hdd - would an ssd be preferable given the dual core cpu, in spite of ram? I would want to follow the IVPN guides and have VMs for at least two VPN + tor + pfSense firewalls.

Good day,

Could you please link to what you’re talking about? IVPN isn’t endorsed with Whonix, so we can hardly give support for whatever they may write, as they are a third party. What Whonix would have to do with RAID of any sorts would be quite interesting, as the way you store Whonix that has nothing to do with our project directly, so a link to the guide would be nice.

Furthermore, RAID of any sorts only works with more then one partition, though again, this is completely independent to Whonix.

Your PC seems to be fine, though of course dual core CPU isn’t just dual core CPU. It depends on things like architecture, frequency and so one.

Have a nice day,

Ego

Here is the link: https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-4

• what I refer to is under the ‘Hardware’ subtitle.

So it is perfectly adequate to have just one hard drive? Even if one were to have excess of 7 VMs? I’ll let you peruse the link and get back to me with more detail.

The CPU I have is the I5-2520M (2.5 GHZ): http://ark.intel.com/products/52229/Intel-Core-i5-2520M-Processor-3M-Cache-up-to-3_20-GHz

Regards,
Afer

Good day,

sorry to tell you, but the guide provided by this “company” is riddled with mistakes, misunderstandings and half knowledge.

First of all, Ubuntu is not a good host. It’s a great Linux for starters, don’t get me wrong, but it’s also a resource hog compared to other systems better suited to virtualisation.

Second, VirtualBox is the least efficient virtualizer, espescially when it comes to this amount of VMs, as it only barely builds on hardware, compared to KVM or Xen, which, especially the latter via Qubes, are much easier to use, maintain and all around just safer.

At this rate it might get a little bit tight, though if you use VBox you are giving away performance you’d otherwise safe. When using Qubes, you should actually be able to use this amount of VMs on a 5400rpm drive. I know this, because that’s the setup (I5-3230M, 1Tb 5400rpm HDD, 8GB DDR3) I’m currently using Qubes on with nine Whonix WS’s and one GW running independently.

Have a nice day,

Ego

You need MORE COLORS!

I plan on working through all of the guides myself - haven’t yet though. I’ve read some of the posts on stackexchange written by the guide’s author, mirimir, and they have all been very knowledgeable. To mirimir’s credit, I have never seen him promote this company that he works with - found them independently. I would guess that if he is advocating a suboptimal solution, it’s only to fit in with his target audience.

Ego’s advice is strong! (You’re planning on running 7 VMs simultaneously right? If you’re just using a couple at a time, then do whatever you want.)

Also, some of those guides promote configs that are overkill for even Whonix power users. Overkill can make you safer but it also introduces risks (anonymous payments, proper configurations and maintenance, extra complexity that confuses you down the road, etc.) IMHO, you only want as much complexity as you need.

Legal note:
Note, that the IPVN instructions are proprietary, non-free software. We
may quote and comments parts of it, but incorporating them into Whonix
wiki will not be allowed. Anything they mention (that would be useful in
Whonix wiki) has to be rewritten from scratch.

Thank you massively Ego and entr0py

Despite the guides being overkill such overkill (but not ‘over-risk’) is what I’d like to achieve. Alternatively put, I want a device that can be as close to not leaking anything (and secure) as I can get it without raising risk elsewhere that can’t be mitigated technically or behaviorally.

The IVPN Guides seemed like a good place to start, though now that you’ve remarked on the poor quality, Ego, I am at a loss of guidance for my particular goal - likely I’ll need to do far more research.

Was wondering if you’d concluded how RAID is useful (besides for data loss)

Good day,

Therefore, I’d recommend Qubes Whonix, because, as mentioned before it is safer than VBox and creates less overhead.

I’d recommend this quide for you. It’s actually the simplest in that regard and can setup you up in minutes: https://www.whonix.org/wiki/Qubes/Install

Let me rephrase what I typed before: The guide shows and explains a lot of things which have been surpassed by more safe and efficitent methods a while ago.

Depending on the configuration and amount of drives, potentially speed, regard this: http://www.storagecraft.com/blog/raid-performance/ As explained there though, solutions like RAID 0 increase the potential for data loss by a huge margin, so rather use something like RAID 10, if you want to be safe there.

Like I’ve said though, with an efficient virtualizer this shouldn’t be needed, as explained above. Furthermore, with virtualization you are far sooner going to run in a based CPU bottleneck, then a disk speed based one, which is why most VServer-Hosters have servers with massive processing power, though rather slow drives most of the time.

Have a nice day,

Ego

P.S.: Just mirrored five VMs in VBox and started them, seem to run fine independently even there. My host in this case is Arch Linux.

This discussion has missed the crux of the issue: Hardware requirements for each VM depends on the purpose of the VM. It’s understandable if you don’t want to reveal too many specifics of your intended usage but realize that specifying 7 VMs has no bearing on what your actual hardware requirements might be.

In my case (mostly using Qubes), I usually run 8-10 VMs - a mix of Fedora, Debian, and Whonix. Half of those I would consider “utility” VMs - for networking, gateways (vpn, firewall, etc), usb, and “single-purpose” machines. One of my single-purpose machines is the Vault, which I use only for offline password management. The requirements for that VM are basically the minimum requirements for Debian 8 - couple hundred MBs of RAM, and a couple GBs disk space. It is idle 99.9% of the time. I could reduce the requirements even further with some tweaking. My “work” machines are mostly used for “office” work, email, browsing, amateur-level coding, etc. They may be stressed individually from time to time but very rarely making demands on the CPU at the same time.

For me, the bottleneck is neither the CPU (mid-range Intel quad-core) or persistent storage (early gen SSD), but RAM (16GB). I like to allocate extra RAM to each VM just to prevent pagefile usage. With enough RAM, and my current usage patterns, I could easily run another 10 (even 20) more VMs. As a whole, my CPU and disks are idle 90% of the time. The only time my machine is stressed is during boot / shutdown. On the other hand, 1-2 VMs compiling code or running massive data analysis simultaneously would bring my machine to its knees. If you plan on hosting file / web servers or VPS, then your needs will obviously differ and your gateway VMs will be significantly more stressed.

I’ve used USB3 pendrives for hosting VirtualBox Whonix VMs and even then performance has been adequate for my needs as long as RAM was sufficient. The only time I noticed signifcant slowdowns was when working with Windows VMs (re: Ego’s point about OS overhead).

To answer your question regarding RAID, yes, RAID10 is faster and more redundant than not using RAID at all. If your use case is like mine, then no, RAID is not necessary. Whether you use RAID10 or not, you still need backups.

Whonix (on every platform) is designed not to leak on its own. Without reading the guide, I can’t comment on what additional benefits a network of VPNs is designed to provide. Curious though, will read soon…

Thanks for the response entr0py,

An estimate of my usage can be roughly equated to what is contained in the IVPN guides. Though now I will significantly deviate from them in employing Qubes and whatever else entails this change. My intended use is to have at least 2 VPNs and Tor in a nested chain with firewalls for each, all on whonix. I’ll likely need no more than three whonix ‘work’ machines, if that - though as I learn more I could very well need more sooner than I am expecting.

Appreciate the detail of your reply. When you do check out the IVPN guides it would be very helpful to give me some insight into which methods detailed are useful toward security or not/negligibly - as well as elaborating on how the guides supposedly prevent leaks despite whonix doing this already?

Note: the setup I am aiming for is one designed for the eighth scenario described https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me

Okay. Got my feet wet with:

Will a VPN Service Protect Me?
3 Planning Advanced VM and VPN Setup
7 Paying Anonymously with Cash & Bitcoins
8 Creating Nested Chains of VPN’s & Tor

The guides were very well-written and mostly approachable for computer literate newcomers. I especially liked Planning Advanced VM and VPN Setup and its emphasis on compartmentalization with regards to identities. I thought strategies were well-reasoned and balanced, especially in light of the fact that he has a vested interest in promoting VPN use. I think he does a good job at outlining potential pitfalls. Author has a fully functional tinfoil hat (see DNA obfuscation for cash transactions)

It’s not surprising that many of his thoughts coincide with what I’ve read on whonix.org. After all, he’s a fan of Whonix docs:

(comments from https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-7)

This information [guide] is far more valuable than even the whonix documentation at the official site and that is saying something because the whonix documentation is very well done.

mirimir says:
May 25, 2014 at 6:49 am
I must disagree about the Whonix documentation, though. That is far more comprehensive.

The first thing that should be pointed out is that the guides are over two years old - Qubes was in its early versions and Whonix-Qubes did not exist at the time. The setup in the guides is unnecessarily complicated and as Ego pointed out, inefficient in resource usage.

In terms of specific configuration recommendations, well, there aren’t any. mirimir, himself, points out that the setup is arbitrarily complex, implying that the optimal number of hops is unknown. The basic example shown in Creating Nested Chains of VPN’s & Tor can be diagrammed as follows:

user -> VPN1 -> VPN2 -> Tor -> VPN3 -> destination

To use the classifications from Will a VPN Service Protect Me? where you mentioned you were concerned about the 8th threat model, Whonix by default is configured to deal with the 5th threat model (user -> Tor -> destination).

For censorship circumvention, Whonix provides access to bridge relays and provides methods for users to implement additional measures on their own (user -> proxy / bridge -> Tor -> destination). (Not all of which are entirely recommended.)

In any setup, VPN3 should only be used when required since it is harmful to anonymity.

There is also a disagreement in philosophy. Whonix docs tend to favor tested / audited / large® anonymity set methods that leave little room for fatal user error. While VPN use and chaining is certainly not experimental by any means, the user base that might implement the example setup would be very small indeed. My bigger concern is the potential for user error, especially managing rarely-used critical identities.

The justification in the guide for adding 2 VPN hops before entering Tor is to provide a backup layer should a method for deanonymizing Tor users be discovered. VPN1 is hosted by a popular service in a non-suspicious locale (such as a Five Eyes country) and is used to hide Tor usage. VPN2 is designed to distribute the trust placed in VPN1 and also provide obstacles against provider cooperation by being located in a non-cooperative region. The reasoning goes: if Tor is compromised, the attacker would then need to successfully attack 2 additional entities to reveal the target. Would an adversary that has the resources to break Tor be able to compromise 2 VPNs? If yes, are there any number of VPNs that could stop this attacker?

Tunnels before and through Tor are one of the most popular topics on this forum. Documentation is also very in-depth. You should be able to find all the info you need in those 2 places. Unfortunately, you’ll have to decide for yourself what configuration best fits your threat model. The good news is that most configurations are quite straightforward to setup.

For example,
user -> VPN1 -> Tor -> VPN2 -> destination
can be set up with nothing but Whonix Gateway & Workstation.
Just remember, if you screw up signing-up / paying for VPN2, you might as well not be using Tor at all.

Thanks for being so prompt in checking out the guides and replying, adds much more dimension to the perspectives present.

Could you elaborate on user error in managing critical identities? Initially coming to mind is logging into non-pseudonymous accounts and acquiring a VPN non-pseudonymously.

You make a very good point about the strength of advesary given Tor being compromised. At this point I felt inclined to suggest that JonDonym could provide a little more security. I had the same thought with having VPN1 in a non-cooperative region. However if I am a part of a small handful in my country using VPN1 IP address I am easier to detect, however a local VPN will not oppose government and could it not indicate I am connecting to VPN2 if queried? There is always the option of VPN3 (before Tor), but I believe this hinges on the policy and defense capabilities of the VPN to protect against general attack and my ability to connect to latter VPNs anonymously to avoid being targeted.

Apologies, you mean to say that the IVPN Guides + Whonix documentation will contain all necessary info for my goal?

If you have anything to share in regard to firewalls I’d very much appreciate that too. The IVPN Guides used pfSense to force all traffic through the VPN. I’m about to read more into firewall abilities packaged with qubes-whonix and proxy gateway VMs.

Edit: Seeing this post has aroused some doubt in the hardware I described and the security I want to achieve: [Discussion]Down the Qubes/Whonix rabbit hole..

Also, sorry for another question; is SSD any more secure in qubes-whonix? I have read that there is a lot of room for plaintext to somehow gather and be left out in the open.

Good day,

The same can be said for any OS, as long as you don’t use full disk encryption. That’s nothing specific to Qubes. FDE should be used under all circumstances anyway.

Regarding the rest of your post, I’m not really certain what to tell you here. You seem to be quite keen on using the IVPN guide. The thing is though that of course that guide will always recommend you use a VPN (for obvious reasons) even though it might not be needed or actually less secure than using Whonix in the standard configuration with pluggable transports. So the question we need to ask ourselfs here is wether you need a VPN to enter Tor. Do you?

Have a nice day,

Ego

In that case there is no difference of the SSD between OS, or that initial FDE overcomes the pitfall mentioned?

My selectivity for IVPN Guide is only because I do not currently have much else resource to refer to, I’m still researching, and as in entr0py’s previous response the IVPN guide does have useful information in it, but not all is as useful in present time. Would you help me by elaborating how a VPN would be less secure given my goal (stated in earlier responses)? As far as my knowledge can determine for me I do need a VPN, potentially as a ‘safety-net’ for if a Tor bridge could no longer hide my Tor activity or if Tor was compromised but I was passively targeted. I am not sure what else there is besides a VPN (maybe a self-composed secure server?) that could add that layer of security + anonymity; or how lack of any additional security layers is better security?

Kind regards

Good day,

Full disk encription “overcomes that pitfall”. As long as a proper passphrase is chosen, current forensics have no known way of “getting in there”.

Has been explained here in detail: https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Comparison_of_Tor_and_VPN_services

The fact that you trust a third party who, despite claiming otherwise, may log whatever they want on you, while not offering any benefit if you are “going through Tor” anyways, is in of itself quite frightening.

By design, when using pluggable transport, there is currently no way of finding out that you even use Tor. Even if that would happen, all which could be “found out” would be you accessing Tor. This security can’t be offerd by a VPN, as the protocols used by VPN are far less advanced then what Tor uses. Which is why it would be far easier to find out that you use Tor when you’d choose a VPN over the solutions provided by Tor to hide Tor.

Like I’ve said, pluggable transport. Not even deep packet inspection can at the current time beat it.

That’s actually a quite smart question. You see, the answer to it is the same to the question why Tor “only” uses three nodes instead of more, trust. The less partys you have to trust the less likely is it mathematicaly that one of them is an attacker, especially if, like with Tor, the connection changes periodically. If you now trust a fixed party which is using less secure standards it makes your surface of attack much bigger.

Have a nice day,

Ego

Gonna bounce around randomly and post many links (many answers better than mine already exist).

Right. Managing identities is not a trivial task. (Qubes helps a lot with this though because you can dedicate entire workstations to individual identities). I think Planning Advanced VM does a good job of illustrating some of the complexities of juggling pseudonyms. Sure, it’s easy enough to get it all right while you are setting it up and it’s all fresh in your mind.

Assume now that you lose yourself in your work for 3-6 months, and realize it’s time to renew subscriptions or change providers. Will you know which IP this pseudonym has used before? Which browser / workstation should you use? Which wallet will you pay from? Do bitcoin anonymizing services work? Are they doing what they say they do? All it takes is one small mistake to undo all prior anonymity. I consider myself fairly organized (avid notetaker, checklist lover) but I’ve been confused before.

Whonix forums (search “VPN”) + Whonix documentation (large section on using tunnels)

If you begin with the assumption that there is no cost / downside to using additional hops, then the only logical conclusion is to use an infinite number of them

User error and trust (as Ego said) are the 2 big issues. (Latency might be a factor as well.) Remember VPNs use ISPs too. Do you trust their ISPs more than yours?
Also:
https://www.torproject.org/docs/faq.html.en#ChoosePathLength

The VPN-Firewall that is referred to in one of the guides was written by adrelanos = Patrick (the Whonix one). Included in Whonix. Again, read the docs and you’ll see how much thought has already gone into Whonix. Personally, I plan on reading the pfSense & Wireshark chapters to develop my Networking literacy (not needed for Qubes/Whonix though). need a good iptables tutorial too…

Very reasonable setup. Everything has tradeoffs though. That person is running 5 Whonix Gateways and connecting to (potentially) 5 different Tor Entry Guards. Multiple Whonix-Gateways. How many IPs in the world will be doing that? Could connect to each of those through a VPN first… then the question is, how many IPs in the world connect to 5 VPNs? and so forth.

Also, Qubes founder setup here:

Of course, non-forensic methods for circumventing FDE will always exist: someone looking over your shoulder, grabbing a laptop running on a battery, or the favorite rubber hose method.

As Ego said, obfuscated bridges (using pluggable transports) is the censorship circumvention method endorsed by the Tor Project. If you are fearful that it might be fingerprinted (as obfsproxy3 obfs2 was) or the consequences of being revealed to be a Tor user are severe, then you could try connecting to an obfs bridge using a VPN. How do you find a trustworthy VPN? (Or make your own?).

I always envision VPNs being run by some pimply-faced teenager from his Mom’s basement. As long as he has a fancy website with all the right catchphrases, who would know? Who’s been to Iceland and Moldova to audit his server farms? or his no log policy? Even without breaking encryption, metadata / traffic patterns can reveal when you sleep, whether you celebrate Christmas, etc. Why wouldn’t this kid sell your unencrypted VPN traffic to the highest bidder? to any bidder? Who would know? If NSA was holding my head in the toilet, I know what I’d do…

EDIT: correction obfs2 is deprecated, not obfs3

Good day,

Actually, you aren’t so far of. To tell you the truth, there are far less providers of VPNs on planet earth than it might seem when doing a simple google search. Actually, most businesses offering VPNs are using the same servers. Why? Because some of the biggest VPN providers are actually also resellers to smaller VPN bussinesses. They offer them the software, hardware and experience needed for less than a 1000usd a month. For the bussinesses using these service, it means that they won’t have to configure anything, just sit back and make money. The problem here is that, even though the bussiness you might aquire the VPN from is in some country with “good” legislation, those resellers still are for-profit-companies in the US in most cases. And they have to accept the laws opposed by the US govnerment.

Exemples of famous resellers:

Please keep in mind that I’m not trying to imply that IVPN is of this kind, if it came accross that way, I’m sorry, that wasn’t intended. I can’t tell you were/how they aquire their servers and what they really have to store, as well as which laws really apply despite their business location, simply because this is never possible with VPNs by their design.

Have a nice day,

Ego

Didn’t realize it was that easy. Lost my pimples years ago but I could still be that kid! Plus WhonixVPN.com is available

/cc @mirimir (author of IPVN guides)