Qubes + Whonix

Update:

An initial version of Qubes + Whonix integration has been successfully achieved.

Qubes + Whonix wiki page:

Qubes + Whonix mailing list announcement:

https://www.whonix.org/pipermail/whonix-devel/2014-August/000200.html

The original development discussion is below…

============================================================================================

============================================================================================

Hello Patrick, Whonix team and community…

I’ve been using VirtualBox + Whonix for quite some time now but am now in NEED of the greater endpoint security that Qubes provides. Though I’d like to still take advantage of the anonymity and security improvements built into Whonix.

I’ve just been reading through what I can find about integrating Qubes + Whonix…

https://groups.google.com/d/topic/qubes-devel/2vnGqsoM9p0

From what I can tell, it seems that this has not been done yet, at least not publicly shared.

I’ve read a couple of Patrick’s past calls for someone to help complete this work and would like to see if I could be that person now at this time.

I’ve currently got a shiny new installation of Qubes OS up and running on my computer and am starting to read through the Qubes documentation to get up to speed.

I’ve also got a little bit of programming/scripting experience (app level stuff).

For my important personal needs for running Whonix + Qubes, I’m now very motivated to get this configuration working ASAP.

If I could get some guidance here while implementing, I’d be happy to attempt whatever development, configuration, testing tasks that I’m able to, and share my work with the Whonix community.

Very interested in what it would take to make Qubes + Whonix happen and if I can help make it happen now!

Thoughts, Advice, Support?

Thanks!

Great!

I see three different approaches here:

1) Use the .qcow2 images that Whonix offers for download and use them as HVM in Qubes OS?

If you wanted to use Qubes Tools (similar to VirtualBox guest additions, but more secure, for things like mouse integration, shared clipboard, file transfer with VMs and so forth), then you would have to find out if or how Qubes Tools can be used in Qubes HVMs.

2) Package Whonix’s source packages for Fedora.

No issues with Qubes Tools expected here - you would be using the more standard Qubes official / canonical way.

To oversimplify it: Whonix is just a collection of configuration files and scripts. These have recently been split, put into different source packages (Whonix · GitHub).

Also recently those have been packaged as Debian .deb packages. The packaging is generic (generic make file, mostly generic debian/control, debian/rules etc.). Generic means here, port one package in a generic way = no need to reinvent packaging for the other packages. Two birds with one stone.

So if you could invent this generic packaging (if that is possible with Fedora’s toolchain) for Whonix’s source package, i.e. if you could package Whonix’s source packages for Fedora, you could then install these packages in Fedora. After being done perhaps create a Qubes Template Anon-VM, perhaps install some packages in Qubes OS TorVM.

3) Use Qubes OS’s Debian templates, then install Whonix’s Debian packages?

Less standard than 2).

I don’t know how well Qubes OS’s Debian templates are supported in Qubes OS. Also I don’t like the idea of having Qubes OS based on Fedora (learning their package manager etc.) and guest VMs based on Debian (learning apt-get). But that is up to you. I’ll support this cause either way; maybe one day we support all 3 ways.

I’ll try to hang out on IRC (irc.oftc.net #Whonix) some more; I guess you may have a lot of little questions we can sort out there faster. Forum-only would work as well; that’s up to you.

Thanks Patrick!

I’m going to spend today reading through as much Qubes documentation as I can and playing around with the OS, in order to learn the fundamentals of what is what inside the Qubes world.

Then I’ll start diving into these three approaches for integrating Whonix & Qubes.

Yes, I will likely have plenty of questions and issues come up throughout this process.

Thanks so much for your support! Talk soon.

Qubes docs, here I come…

Hello again,

So I’ve now read through a lot of Qubes documentation and feel pretty familiar with the fundamental concepts of Qubes.

I’m running Qubes OS R2rc1 on my development system with VT-x, VT-d, and TXT supported.

I’m working on this Qubes + Whonix setup full-time right now, so I should be pretty active here.

Regarding the 3 approaches you listed out…

My immediate personal goal is to get at least a minimally functional and meaningfully secure implementation of Whonix running in Qubes as soon as I possibly can. From there, I could maybe pursue working on more optimal and standardized ways of Qubes + Whonix integration.

Based on this initial goal, approach #1 or #3 looks most efficient for me to accomplish right now.

So I guess that I need to start looking into the detailed components of these…

Approach #1:

  • Look into the details of Qubes Tools.
  • Get a HVM installed in my Qubes OS with the Whonix .qcow2 images.

Approach #3:

  • Look into Qubes’ Debian templates.
  • If supported enough, install, and attempt Whonix Debian packages integration.

How I envision the final VM networking configuration of Whonix inside of Qubes is the following…

Whonix-WorkstationVM --> Whonix-GatewayVM --> FirewallVM --> NetVM --> LAN/Internet

I’m assuming that the Whonix-GatewayVM would be setup as a ProxyVM based on a Debian/Whonix-Gateway Template HVM inside of Qubes?

I’m assuming that the Whonix-WorkstationVM would be setup as an AppVM based on a Debian/Whonix-Workstation Template HVM inside of Qubes?

Also look into QubesOS TorVM. Whonix-Gateway would be similar to QubesOS TorVM with respect to the FirewallVM/NetVM thing.

[quote=“WhonixQubes, post:4, topic:374”]How I envision the final VM networking configuration of Whonix inside of Qubes is the following…

Whonix-WorkstationVM → Whonix-GatewayVM → FirewallVM → NetVM → LAN/Internet[/quote]
Sounds good. Please also consider discussing this on the qubes-devel mailing list. They can answer better about Qubes specifics, such as whether the above “Whonix-WorkstationVM → Whonix-GatewayVM […]” makes sense. (To me it makes sense, but they’ll know better.) I am subscribed to that list, but if it involves Whonix, please add adrelanos@riseup.net to cc for extra notification (they have quite a lot of traffic and I can’t read everything).

I'm assuming that the Whonix-GatewayVM would be setup as a ProxyVM based on a Debian/Whonix-Gateway Template HVM inside of Qubes?
Guess so.
I'm assuming that the Whonix-WorkstationVM would be setup as an AppVM based on a Debian/Whonix-Workstation Template HVM inside of Qubes?
Guess so.
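The chain discussed above, as an added example that is not part of the thread and not the Whonix project’s own code: a small dom0 shell helper that creates the two Whonix VMs (gateway as a ProxyVM, workstation as an AppVM) and then points each VM’s netvm at the next hop, so traffic can only leave the workstation through the gateway. It uses the R2-era qvm-create/qvm-prefs syntax matching the Qubes R2rc1 version mentioned in the thread; the VM names whonix-gw/whonix-ws and the template names in GW_TEMPLATE/WS_TEMPLATE are placeholders. It only prints the commands unless QVM_APPLY=1 is set, so it can be read and checked outside dom0.

```shell
#!/bin/sh
# Added example, not from the thread or the Whonix project. Wires a chain of
# Qubes VMs so that each VM's netvm is the next hop:
#   whonix-ws -> whonix-gw (ProxyVM) -> firewallvm -> netvm -> LAN/Internet
# Assumes Qubes R2-era dom0 tools (qvm-create --proxy, qvm-prefs -s, qvm-ls -n).
# VM and template names are placeholders. Dry-run unless QVM_APPLY=1.

GW_TEMPLATE="${GW_TEMPLATE:-whonix-gw-template}"   # placeholder template name
WS_TEMPLATE="${WS_TEMPLATE:-whonix-ws-template}"   # placeholder template name

# Execute the command in dom0 when QVM_APPLY=1, otherwise just print it.
run() {
    if [ "${QVM_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Gateway as a ProxyVM (provides networking to other VMs, consumes it from
# firewallvm); workstation as an ordinary AppVM whose only uplink is the gateway.
create_whonix_vms() {
    run qvm-create --proxy --template "$GW_TEMPLATE" --label red whonix-gw
    run qvm-create --template "$WS_TEMPLATE" --label yellow whonix-ws
}

# chain_netvm VM1 VM2 ... VMn
# Sets VM1.netvm=VM2, VM2.netvm=VM3, ..., VM(n-1).netvm=VMn.
# A VM named twice would describe a loop that never reaches the NetVM,
# so such a chain is refused before any command is issued.
chain_netvm() {
    seen=" "
    for vm in "$@"; do
        case "$seen" in
            *" $vm "*) echo "chain_netvm: duplicate VM in chain: $vm" >&2; return 1 ;;
        esac
        seen="$seen$vm "
    done
    prev=""
    for vm in "$@"; do
        if [ -n "$prev" ]; then
            run qvm-prefs -s "$prev" netvm "$vm"
        fi
        prev="$vm"
    done
    return 0
}

# Usage:            ./chain.sh demo      (print the commands)
#        QVM_APPLY=1 ./chain.sh demo      (apply in dom0)
if [ "${1:-}" = "demo" ]; then
    create_whonix_vms
    chain_netvm whonix-ws whonix-gw firewallvm netvm
    # The netvm column should read: whonix-ws -> whonix-gw, whonix-gw -> firewallvm,
    # firewallvm -> netvm. Anything else means the workstation has a path around Tor.
    run qvm-ls -n
fi
```

After applying, the last `qvm-ls -n` is the check worth keeping: the workstation’s netvm must be the gateway and nothing else, since a workstation pointed straight at firewallvm or netvm would bypass the gateway entirely.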

Thanks Patrick… Will do.

Looks like the Qubes developers uploaded a Debian Qubes Template to the “templates-community” repository, just now on July 28.

https://groups.google.com/d/topic/qubes-users/f0SsskqIvls

https://wiki.qubes-os.org/wiki/Templates/Debian

Though, it looks like it is based on Debian Jessie (8) (testing).

Question:

Are current versions of Whonix packages compatible with Debian Jessie (8) (testing) or just Wheezy (7) (stable) right now?

Only ~“95%” compatible with testing (jessie). The scripts and configs should be mostly agnostic, but some dependencies changed in jessie. Shouldn’t be too difficult to fix, and in the mid-term future I need to do it anyway. Perhaps even before Whonix 9.

That would be a delight! Will be very interested to hear when that Debian Jessie compatibility happens for Whonix.

I’m thinking Qubes Debian Jessie Template + Whonix 9 Debian Packages (.deb) could be very straightforward and easy.

Although, there would be the ongoing Debian testing update compatibility issues (like with Whonix 7), but, well worth dealing with that for me.

No need to wait for me by the way. This isn’t something only I can figure out or black magic.

Just try building and installing the packages (Whonix · GitHub) one by one. Or build all packages at once (automated by https://github.com/Whonix/Whonix/blob/master/build-steps.d/1200_create-debian-packages) and install them from local repository. Or maybe I should put up a remote repository for this use case.

It may sound a bit confusing… Because we have no good terminology yet… Anyway… You know physical isolation already?

The clue… It is possible to run with the physical isolation (--bare-metal) build script switch not only on a physically isolated machine, but also in an existing Debian VM.

./whonix_build --bare-metal --build --tor-gateway

By the way, developers-only git dev tags can be found here:

I just now tested 8.6.4.1 in an existing Wheezy VM and it worked.

I can’t say a 100% way, because that’s development. I am 100% sure though, that this is doable and that this is one of the more easy development tasks (Frequently Asked Questions - Whonix ™ FAQ).

[quote=“Patrick, post:9, topic:374”]No need to wait for me by the way. This isn’t something only I can figure out or black magic.

Just try building and installing the packages…[/quote]

Thanks Patrick…

I’m currently playing around with Whonix VM binary images and Qubes HVM, seeing how approach #1 goes.

I’m just speculating that the Qubes Tools may be a limiting factor for Debian Wheezy based Whonix right now. Will know more soon enough.

Working on building and installing the Whonix packages in the Qubes Debian Jessie Template will likely be my next approach to work on soon.

I’m not really familiar with OS level development, or Linux/Debian packaging, and am not a professional-grade programmer by any rigorous means. Have just programmed, from scratch, a dozen or so private party applications over the past decade, in a few different languages. However, I probably have enough programming/scripting knowledge and determined stubbornness to figure Whonix development out soon with relative efficiency and predictability. Which will be a good thing too, since then I can get more familiar and closer to making development contributions to Whonix in the future, as well as further tweaking my own Whonix systems.

Will continue updating on various approaches as I make more progress soon.

Qubes + Whonix is a beautiful thing whose time has come to exist!

Quick Impressions:
I haven’t looked into it in a while, but I assumed that our gateway would be a Qubes proxy VM, used where their basic Tor VM is being used right now.

If you want to get it running as soon as possible, it seems that #1 is the answer: Get our images loaded as HVMs (App and Proxy), figure out the networking issues involved, then work on getting Tools loaded if you can. I’m assuming that #3 (using their debian VM) is more trouble (different deb version) than it’s worth (still an HVM no?). I guess that’s what you’re trying to figure out.

The long term (that is, complete) solution – when someone is ready for the job – is making a fedora(/qubes) based Whonix (solution #2).

Good thoughts, Jason!

I saw that you were interested/working on Qubes + Whonix before as well.

Feel free to jump in with anything you wish regarding this current Qubes + Whonix effort I’m undertaking.

Yeah, that’s what made the most sense to me.

Whonix-Gateway = ProxyVM

Whonix-Workstation = AppVM

As Patrick pointed out, TorVM could be used as the ProxyVM instead of Whonix-Gateway.

However, I personally would prefer Whonix-Gateway as the ProxyVM, instead of TorVM.

I think, if I’m not mistaken, Whonix-Gateway handles timing issues better and also runs its own traffic/updates over Tor, plus maybe a few other belt and suspenders attributes for more optimal Tor-centric anonymity.

Yup, that is what I’m working on right now. Qubes Tools is the uncertain part still, which I haven’t gotten a chance to get to just yet. Will know more soon on this approach.

Yeah, their new Qubes Debian Template is based on Debian Jessie (8) (testing).

It is supposedly a Qubes Template, similar in nature to the built-in Qubes Fedora Template.

So it might not be an HVM version. Maybe just the “native” version of Qubes template?

I haven’t played with it, yet. Will know more about it in the near future.

Links…

https://groups.google.com/d/topic/qubes-users/f0SsskqIvls

https://wiki.qubes-os.org/wiki/Templates/Debian

However, the main issues would be Whonix Debian package compatibility with Debian Jessie, which Patrick and I briefly discussed in this thread, as well as getting the networking setup correctly, which is needed regardless of approach.

Supposedly the Qubes Debian Jessie Template would have Qubes Tools integration already taken care of. And Patrick mentioned how the Whonix Debian packages will be made compatible with Jessie, potentially before Whonix v.9. Seems that with proper networking configuration, this setup could work almost right out of the box.

Yet, Whonix package compatibility with Debian Jessie is the primary step to be completed here.

Yes. Or maybe Debian can simply replace Fedora in Qubes, including for dom0 (AdminVM). I’ve read that there is community push to have Debian as an alternative to Fedora on all levels. So maybe the new Qubes Debian Jessie Template can already accomplish this?

Exciting times for Qubes + Whonix!

Good news. I’m sure many people are in need of this.

If feasible, another idea is to create a USB bootable Qubes + Whonix. mirimir would definitely be interested:

Hello z!

Absolutely! Me very much so. Hopefully Qubes + Whonix will soon be a reality.

Should be doable.

From Qubes documentation…

“However, you can install it on an external USB hard drive and run from it, at least for testing (normally such disks are orders of magnitude slower than even the slowest internal hard drives).”

https://wiki.qubes-os.org/wiki/InstallationGuideR2rc1

We just need the Whonix compatibility side.

Working on that now!

An open question, most likely to Patrick, does Qubes provide new opportunities for connection chaining? Like could it make it easy to chain connections (i2p-Gateway, VPN-Gateway, etc.) with also much better leakproof firewalls between them.

Could Whonix Gateway become a template for Qubes where you could choose the connection type for each Whonix Gateway (proxy, vpn, i2p, tor…) and chain easily as you like? Or doesn’t Qubes make things any easier in this context?

Qubes Tools:
I would suppose that VirtualBox guest additions are similar to Qubes Tools. Just more secure. Maybe installing Qubes Tools inside Debian stable is “only” equally difficult as manually installing VirtualBox guest additions. Usual ./configure, make, make install approach, I mean.

This is what probably the Debian testing template developer did:
https://qubes-os.org/wiki/BuildingNonFedoraTemplate

This is probably about Qubes Tools:

Since the Debian testing template developer already managed getting Qubes Tools running in Debian testing, I could imagine that this person could help backporting it to Debian stable. Maybe most of the research and work is already done.

qubes-dev mailinglist may have less speculative answers to the “How to install Qubes Tools in Debian stable?” question.

Yes.

maybe Debian can simply replace Fedora in Qubes, including for dom0 (AdminVM). I've read that there is community push to have Debian as an alternative to Fedora on all levels.
Exciting!

The topic does indeed interest me. I believe that a USB image of Qubes + Whonix represents the highest in desktop security.

@z
Only the Qubes team can definitively answer the networking question. I do believe, though, that you can chain proxy VMs. As for a VPN based gateway or i2p, it is technically doable, but a question of manpower. I2P and VPN is less complicated than Tor, but we’d need someone dedicated to that.

@Wh-Q
Our Gateway is certainly more… advanced… than their TorVM. I speculate that the TorVM will work with the workstation (for testing, I guess?), however.

I’m sure that only fedora based VMs could be paravirtualized because the kernel (or whatever) of qubes is fedora.

I recommend against doing any significant work in order to get the whonix packages working inside that particular community template:

0: Getting our qcow2 images working is probably the fastest and easiest way to both learn about Qubes and get something running.

1: If you do plan on creating and maintaining a Whonix template, the safest bet is that you’ll have to create your own debian/whonix anyway. In that case, it’s not productive to spend time trying to make someone else’s incompatible template work with your needs (which may change in the future or be abandoned). Try to make your own first. If that’s too much, I recommend at least waiting until the whonix packages are compatible with that template’s version.

EDIT: Actually, I just remember that getting the whonix packages to work in Jessie is work we’ll need to do anyway. If Patrick agrees, you might as well play with that template if you feel tempted to do so.

[quote=“Patrick, post:16, topic:374”]Qubes Tools:
I would suppose, that Virtual Box guest additions are similar to Qubes Tools. Just more secure.[/quote]

I’m still unfamiliar with the details of Qubes Tools. I’m wondering if these are non-vital like VirtualBox Guest Additions, or if Qubes Tools is fundamental to the core operations of VMs inside of Qubes OS.

If they are not vital to core operation, then I’ll just go straight for HVM Whonix based on Whonix Debian Wheezy, without Qubes Tools integration.

Just speculating… Maybe Qubes Tools is vital in dom0 or Service VMs, but not in other VMs in Qubes. If so, then that’d be nice for skipping the Qubes Tools issue.

Not sure about the details of Qubes Tools (yet).

[quote=“Patrick, post:16, topic:374”]Maybe installing Qubes Tools inside Debian stable is “only” equally difficult as manually installing Virtual Box guest additions. Usual ./configure, make, make install approach, I mean.

This is what probably the Debian testing template developer did:
https://qubes-os.org/wiki/BuildingNonFedoraTemplate

This is probably about Qubes Tools:[/quote]

Thanks for the further research on Qubes Tools. Looked it over briefly. Will have to come back to it.

Yes. Good thought. Might have to pursue this person(s) for their insights.

Yes.

Yes! Very nice Jason!

[quote=“JasonJAyalaP, post:17, topic:374”]@z
Only the Qubes team can definitively answer the networking question. I do believe, though, that you can chain proxy VMs. As for a VPN based gateway or i2p, it is technically doable, but a question of manpower. I2P and VPN is less complicated than Tor, but we’d need someone dedicated to that.[/quote]

Not sure about the Tor alternative protocols. However, I do know for sure that ProxyVMs can be chained inside of Qubes. This may or may not help with chaining multiple protocols of traffic out on the internet though.

“Proxy VMs that combine both of the above: to Net VMs they look like regular AppVMs, because they are consumers of the networking they provide, but to other AppVMs they act as if they were Net VMs themselves, allowing other VMs to connect to them. Of course the Proxy VMs do not have directly assigned networking devices – they use the networking provided by the Net VM that they connect to. One can chain many Proxy VMs, as we will see below.”

[quote=“JasonJAyalaP, post:17, topic:374”]I recommend against doing any significant work in order to get the whonix packages working inside that particular community template:

0: Getting our qcow2 images working is probably the fastest and easiest way to both learn about Qubes and get something running.

1: If you do plan on creating and maintaining a Whonix template, the safest bet is that you’ll have to create your own debian/whonix anyway. In that case, it’s not productive to spend time trying to make someone else’s incompatible template work with your needs (which may change in the future or be abandoned). Try to make your own first. If that’s too much, I recommend at least waiting until the whonix packages are compatible with that template’s version.

EDIT: Actually, I just remember that getting the whonix packages to work in Jessie is work we’ll need to do anyway. If Patrick agrees, you might as well play with that template if you feel tempted to do so.[/quote]

Thanks for the thoughts and recommendations Jason!

I’m going in multiple directions at once, probing the various approaches to see what the limiting factors are and which approach can break-through to a solution the fastest, while also assessing which approaches will be more stable solutions for the longer mid-term future.

I of course want to have a more stable solution for Qubes + Whonix. However, I also have a need to get Qubes + Whonix working ASAP for another project of mine. So I’m willing to compromise in the immediate-term.

My decision tree for Qubes + Whonix integration kind of looks like this right now…

Qubes Tools vital?
|
------ No
|      |
|      ------ Solution: Whonix HVM without Qubes Tools
|
------ Yes
       |
       ------ Qubes Tools integration for Debian Wheezy practical now?
              |
              ------ Yes
              |      |
              |      ------ Solution: Whonix HVM with Qubes Tools
              |
              ------ No
                     |
                     ------ Whonix packaging for Qubes Debian Jessie Template practical now?
                            |
                            ------ Yes
                            |      |
                            |      ------ Solution: Whonix VM based on Qubes Debian Template
                            |
                            ------ No
                                   |
                                   ------ Look for alternatives or wait for Patrick’s Debian Jessie compatible work

Depends on what you mean by vital. HVMs work without Qubes Tools. I don’t think there are security issues or something like that. But you’ll be missing usability improvements such as easy convenient file transfer between VMs.