Proxmox - A dedicated KVM platform for Whonix?

I’m using Proxmox already for regular KVM images and I’m planning on trying out Whonix using Proxmox soon. If I have any experiences I will write back here. Or, if the OP has already plunged ahead with this please let us know how it went.

I seem to have made some good progress. Here’s what it seems you have to do:

  1. Log into the Proxmox web interface.
  2. Click on your host server in the list and click the Network tab.
  3. Create a new Linux bridge, with IP address 10.152.152.10 and ports/slaves setting blank. There is no way to change bridge_stp to “on” in the Proxmox interface as recommended for Whonix, but I’m not sure if this is necessary. If so, you can edit it in /etc/network/interfaces manually after step 5.
  4. If you have a DHCP server on the Proxmox server, make sure it is only listening on the old bridge interface, not the one you just created.
  5. Reboot to activate the new bridge interface (sorry). Note, for me it didn’t come up automatically after booting (not sure why not), so I had to use ifup to bring it up.
  6. Back in the Proxmox web interface, click the Create VM button.
  7. Enter the following settings:
    a. Name Whonix-Gateway
    b. OS Linux 4.X
    c. CD/DVD do not use
    d. Disk size 100Gb and keep defaults
    e. CPUs 1 and keep defaults
    f. Memory 512Mb (default)
    g. Network: choose NAT (this adapter is for the external network).
  8. On the console, cd to /var/lib/vz/images/xxx where xxx is whatever ID Proxmox has assigned to your new machine.
  9. Overwrite Proxmox’s generated vm-xxx-disk-1.qcow2 file with the downloaded Whonix-Gateway-13.0.0.1.4.qcow2 and make sure its ownership and permissions are the same.
  10. Edit the new VM before you start it to add a second network adapter for the internal network. This one should be set in bridged mode using the new bridge that you created.
  11. Start the VM and complete the configuration as per the instructions at Whonix ™ for KVM and Whonix Quick-Start Guide v0.1 - #8 by torjunkie.
  12. For making new VMs, I guess just ensure that they are on the same network bridge as Whonix-Gateway. But I haven’t done this yet.

As to whether this provides automatic apparmor confinement or some equivalent, I don’t know. How would I test that?

1 Like

To see which apparmor profiles are loaded, look under the enforced profiles in the output from: sudo aa-status

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/usr/bin/lxc-start
/usr/sbin/mysqld
lxc-container-default
lxc-container-default-with-mounting
lxc-container-default-with-nesting
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/bin/lxc-start (2938)
/usr/sbin/mysqld (1813)
/usr/sbin/mysqld (5403)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Nope not confined.
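A scripted version of this check, added here and not taken from the thread: it parses aa-status output (the embedded sample is the output quoted above, kept so the script runs offline) and reports the confinement mode of a given binary. The /usr/bin/kvm path is an assumption about which QEMU binary Proxmox launches for a VM; substitute the path shown in your own process list.

```shell
#!/bin/sh
# Constructed sample: the aa-status output quoted in the thread above.
# On a live host, replace it with the result of: sudo aa-status
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
/usr/bin/lxc-start
/usr/sbin/mysqld
lxc-container-default
lxc-container-default-with-mounting
lxc-container-default-with-nesting
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/bin/lxc-start (2938)
/usr/sbin/mysqld (1813)
/usr/sbin/mysqld (5403)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# confinement_of <aa-status output> <binary path>
# Prints "enforce", "complain" or "unconfined" depending on which
# "processes are in ... mode" section lists the binary. A binary that
# appears in no process section at all is reported as unconfined.
confinement_of() {
    printf '%s\n' "$1" | awk -v bin="$2" '
        /processes are in enforce mode/  { section = "enforce";    next }
        /processes are in complain mode/ { section = "complain";   next }
        /processes are unconfined/       { section = "unconfined"; next }
        /profiles are/                   { section = "";           next }
        # process lines look like "/path/to/bin (pid)"; $1 is the path
        section != "" && $1 == bin       { found = section; exit }
        END { print (found != "" ? found : "unconfined") }
    '
}

# Walk the binaries we care about and print one line per result.
# /usr/bin/kvm is an assumed path for the Proxmox QEMU process.
report_confinement() {
    for bin in /usr/sbin/mysqld /usr/bin/lxc-start /usr/bin/kvm; do
        printf '%-22s %s\n' "$bin" "$(confinement_of "$1" "$bin")"
    done
}

report_confinement "$SAMPLE_AA_STATUS"
```

On the sample above the VM binary is reported as unconfined, which is the same conclusion the poster reached by reading the output by hand.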

OK thanks, I’ll report this to Proxmox to see whether they want to add this in a future release.

I expect that they might say that it’s overkill for KVM, because KVM is already its own container and apparmor isn’t as necessary as it is for LXC—except in the case where there is a bug in KVM which enables the user to escalate their privileges and break out of their machine to inspect the host’s filesystem or memory.

Is this accurate, or is there an additional reason to have apparmor?

1 Like

Each layer of defense counts. Without apparmor the host is more vulnerable.

Well, that’s how I have it and it is working for me. But I wouldn’t swear it’s the best configuration. The only difference is that in my interfaces file I have lines “network 10.152.128.0” and “broadcast 10.152.191.255”. Try adding those.

I have no idea what you are doing here… But…

	post-up echo 1 > /proc/sys/net/ipv4/ip_forward

I discourage using IP forwarding. The beauty of Whonix is that we don’t need IP forwarding and therefore have a much lower risk of leaks.

So I can tell you what I have in case it helps. On my Whonix gateway I have this:

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 10.152.152.10
netmask 255.255.192.0

I already showed you what I have on my Whonix workstations.

My DHCP server is running on the Proxmox host, which has a direct connection to the Internet (more or less), and its network is a bit more complicated, but here is part of its interfaces file:

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
iface eth1 inet manual
auto vmbr0
iface vmbr0 inet static
address 10.152.152.10
netmask 255.255.255.0
bridge_ports none
bridge_stp on
bridge_fd 0
auto vmbr1
iface vmbr1 inet static
address 192.168.1.2
netmask 255.255.255.0
bridge_ports eth1
bridge_stp off
bridge_fd 0

Do you have other (non-Whonix) Proxmox VMs that can access the Internet? If not, that would be the first thing to get straight before adding Whonix into the equation.

3 Likes

Is there any progress?

Today I will follow these steps and try it! :slight_smile:

1 Like

@terminus you have some update on this?

I’m no longer using Proxmox, sorry, so I can no longer help to debug.

Are you using another platform like Proxmox to add Whonix?

The only other I’ve used is Virtualbox, which is officially supported.

1 Like

Just to say, working in Proxmox server :slight_smile:

3 Likes

I am trying to start it there too. Could you please tell me, where to turn off the time syncing? While system checking in the workstation, I’ve got “kvm-clock tsc hpet acpi_pm detected”.

Unrelated to timesync.

How to turn off this check is already explained in the very message which mentions it. That however doesn’t fix the original reason for the check.

How to fix the root issue? Users won’t be able to fix this. No developers are working on this.

sdwdate Disable Autostart