I seem to have made some good progress. Here’s what it seems you have to do:
- Log into the Proxmox web interface.
- Click on your host server in the list and click the Network tab.
- Create a new Linux bridge, with IP address 10.152.152.10 and ports/slaves setting blank. There is no way to change bridge_stp to “on” in the Proxmox interface as recommended for Whonix, but I’m not sure if this is necessary. If so, you can edit it in /etc/network/interfaces manually after step 5.
- If you have a DHCP server on the Proxmox server, make sure it is only listening on the old bridge interface, not the one you just created.
- Reboot to activate the new bridge interface (sorry). Note, for me it didn’t come up automatically after booting (not sure why not), so I had to use ifup to bring it up.
- Back in the Proxmox web interface, click the Create VM button.
- Enter the following settings:
a. Name Whonix-Gateway
b. OS Linux 4.X
c. CD/DVD do not use
d. Disk size 100 GB and keep defaults
e. CPUs 1 and keep defaults
f. Memory 512 MB (default)
g. Network: choose NAT (this adapter is for the external network).
- On the console, cd to /var/lib/vz/images/xxx where xxx is whatever ID Proxmox has assigned to your new machine.
- Overwrite Proxmox’s generated vm-xxx-disk-1.qcow2 file with the downloaded Whonix-Gateway-13.0.0.1.4.qcow2 and make sure its ownership and permissions are the same.
- Edit the new VM before you start it to add a second network adapter for the internal network. This one should be set in bridged mode using the new bridge that you created.
- Start the VM and complete the configuration as per the instructions at Whonix ™ for KVM and Whonix Quick-Start Guide v0.1 - #8 by torjunkie.
- For making new VMs, I guess just ensure that they are on the same network bridge as Whonix-Gateway. But I haven’t done this yet.
As to whether this provides automatic apparmor confinement or some equivalent, I don’t know. How would I test that?
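As an added example (not part of the post above, and not Whonix or Proxmox project code), here is a small POSIX shell helper covering the two parts of this procedure that the web UI cannot do for you, plus a way to check the AppArmor question at the end. It assumes the new internal bridge is named vmbr1, that the VM ID is passed on the command line, and that the Tor process inside the gateway is named tor; adjust those to your host. Note that the “automatic AppArmor confinement” Whonix refers to under KVM is libvirt’s virt-aa-helper writing a per-VM profile for the qemu process on the host; Proxmox starts the kvm process through its own qemu-server, not libvirt, so the only reliable answer is to read the confinement attribute the kernel reports for the process itself, which is what the last function does.

```shell
#!/bin/sh
# Added helper for the Proxmox/Whonix-Gateway steps above; not from the post.
# Assumptions: the new internal bridge is vmbr1, the VM ID is passed in as
# the second argument, and the Tor process inside the gateway is named "tor".
set -eu

# Stanza for /etc/network/interfaces. The web UI cannot set bridge_stp, so this
# is what to paste in by hand for the bridge created in the Network tab.
# "bridge_ports none" is how ifupdown expresses a bridge with no slave ports.
bridge_stanza() {
  br="$1"; addr="$2"
  printf 'auto %s\n' "$br"
  printf 'iface %s inet static\n' "$br"
  printf '\taddress %s\n\tnetmask 255.255.255.0\n' "$addr"
  printf '\tbridge_ports none\n\tbridge_stp on\n\tbridge_fd 0\n'
}

# CLI form of "add a second network adapter in bridged mode": net0 stays the
# NAT adapter created in the wizard, net1 becomes the internal network.
attach_internal_nic() {
  vmid="$1"; br="$2"
  qm set "$vmid" --net1 "virtio,bridge=$br"
}

# Classify the contents of /proc/<pid>/attr/current, which is how AppArmor
# reports a process's confinement: "unconfined", or "<profile> (enforce)"
# / "<profile> (complain)". Prints one word so callers can compare it.
aa_mode() {
  case "$1" in
    ""|unconfined)  echo unconfined ;;
    *"(enforce)"*)  echo enforce ;;
    *"(complain)"*) echo complain ;;
    *)              echo unknown ;;
  esac
}

# Report confinement of every running instance of a process by name.
# Run inside the gateway with "tor", or on the Proxmox host with "kvm";
# "unconfined" means no AppArmor profile applies to that process.
report_confinement() {
  name="$1"
  for pid in $(pidof "$name" || true); do
    mode=$(aa_mode "$(cat /proc/"$pid"/attr/current 2>/dev/null || true)")
    echo "$name pid $pid: $mode"
  done
}

case "${1:-}" in
  stanza) bridge_stanza "${2:-vmbr1}" "${3:-10.152.152.10}" ;;
  nic)    attach_internal_nic "$2" "${3:-vmbr1}" ;;
  aa)     report_confinement "${2:-tor}" ;;
  *)      : ;;   # no action when sourced or run without a subcommand
esac
```

Usage: `sh whonix-pve.sh stanza vmbr1 10.152.152.10 >> /etc/network/interfaces` on the host (check the file before rebooting), `sh whonix-pve.sh nic 101` after the disk has been swapped in, and `sh whonix-pve.sh aa tor` inside the gateway or `sh whonix-pve.sh aa kvm` on the host to see whether anything is actually confined.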