Qubes + Whonix

Okay. Renamed page to:

Here’s what I think was causing the Whonix-Gateway 8.2 HVM to not connect to the internet in Qubes before…

Part way through my network package testing with the Whonix-Gateway 8.2 download image, I stopped and did a physical isolation build for Whonix-Gateway 8.2 HVM.

Reference: Build Documentation: Physical Isolation

Before doing the Whonix build, I had the plain Debian Wheezy KDE OS running fine with clearnet internet access on eth0.

After the Whonix-Gateway build completed, I ran the “whonixsetup” script, but it did not connect to the internet anymore. The same no internet result as I had experienced before with the Whonix-Gateway 8.2 image in a HVM.

But I saw some error messages fly by at the end of “whonixsetup” and was able to interrupt and stop them with “Ctrl + z”.

These errors read:

...

+ service tor start
[....] Starting tor daemon... [warn] Could not bind to 192.168.0.10:9050: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9100: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9101: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9102: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9103: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9104: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9105: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9106: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9107: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9108: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9109: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9110: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9111: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9112: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9113: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9114: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9115: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9116: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9117: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9118: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9119: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9120: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9121: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9122: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9123: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9124: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9150: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9152: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9153: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9154: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9155: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9156: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9157: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9158: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9159: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9160: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9161: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9162: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9163: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9164: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9165: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9166: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9167: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9168: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9169: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9170: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9171: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9172: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9173: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9174: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9175: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9176: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9177: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9178: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9179: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9180: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9181: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9182: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9183: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9184: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9185: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9186: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9187: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9188: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9189: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:53: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9040: Cannot assign requested address
[warn] Failed to parse/validate config: Failed to bind one of the listener ports.
[err] Reading config failed--see warnings above.
failed.
+ exit_code=1

...

And so it seems the problem was simply that an eth1 second network adapter has to be present and configured in order for internet access to work on the Whonix-Gateway.

After I add and configure the eth1 network adapter to the Whonix-Gateway HVM, and re-run “whonixsetup”, everything works well.

So that’s what the internet access problem seemed to be for Whonix-Gateway…

Whonix requires eth0 and eth1 network adapters be present and configured, in order for Whonix-Gateway to grant internet access. Just having eth0, without eth1, does not work.

I haven’t fully tested all the variables out, but this seems to be the cause.

[quote=“Patrick, post:61, topic:374”]Okay. Renamed page to:
https://www.whonix.org/wiki/Qubes[/quote]

Great! Will certainly put it to good use.
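A diagnostic sketch for the bind failure discussed above, added here as an example (not code from the thread or from Whonix): it groups tor's bind warnings by address and checks whether a local interface actually owns that address. The function names and the shortened sample log are constructed for illustration.

```python
import errno
import re
import socket
from collections import defaultdict

# Constructed sample: a shortened copy of the tor startup output quoted in the thread.
SAMPLE_LOG = """\
[....] Starting tor daemon... [warn] Could not bind to 192.168.0.10:9050: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:53: Cannot assign requested address
[warn] Could not bind to 192.168.0.10:9040: Cannot assign requested address
[warn] Failed to parse/validate config: Failed to bind one of the listener ports.
"""
BIND_RE = re.compile(r"Could not bind to (\d+\.\d+\.\d+\.\d+):(\d+): (.+?)\s*$")

def bind_failures(log_text):
    """Group tor bind warnings as {(address, reason): [ports]}."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            grouped[(m.group(1), m.group(3))].append(int(m.group(2)))
    return dict(grouped)

def address_is_local(addr):
    """True if the kernel lets us bind to addr, i.e. some interface owns it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, 0))  # port 0 = any free port, needs no privileges
            return True
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return False
            raise

def diagnose(log_text, is_local=address_is_local):
    """Return (address, failed_listener_count, likely_cause) per failure group."""
    findings = []
    for (addr, reason), ports in sorted(bind_failures(log_text).items()):
        if reason.startswith("Address already in use"):
            cause = "another process already listens on these ports"
        elif reason != "Cannot assign requested address":
            cause = "unrecognised reason: " + reason
        elif is_local(addr):
            cause = "address is assigned now; restart tor"
        else:
            cause = "no interface owns this address; add/configure the adapter"
        findings.append((addr, len(ports), cause))
    return findings

if __name__ == "__main__":
    for addr, count, cause in diagnose(SAMPLE_LOG):
        print(f"{addr}: {count} listener(s) failed to bind: {cause}")
```

Pipe the real whonixsetup or tor startup output into `diagnose()` on the gateway itself, since the address check only reflects the machine it runs on.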

Yes.

By the way, if you’re using a desktop environment (KDE by Whonix default), you can also scroll up in whonixsetup. It’s a bit weird that this is possible in a “console graphical” application. whonixsetup also advises.

Running:

sudo service tor restart

might help with troubleshooting.

By the way, there is a bunch of troubleshooting / test:

I just submitted some initial content and a step-by-step install guide for the Qubes + Whonix wiki page:

Currently waiting for moderation.

Once the new wiki page is approved, I will later today make some community announcements about our Qubes + Whonix success! :smiley:

This is amazing. I didn’t have time to test yet, but looks clean and clear! Good work!

Thanks Patrick!

A little gift of extra documentation effort back to the communities that helped me achieve this. :smiley:

Here are my Qubes + Whonix community announcements:

Whonix mailing list:

https://www.whonix.org/pipermail/whonix-devel/2014-August/000200.html

Qubes mailing list:

https://groups.google.com/d/topic/qubes-users/GhgWH5mHf2E

Tor mailing list:

https://lists.torproject.org/pipermail/tor-talk/2014-August/034562.html

Terrific!

Also blogged about this:

Looks like you’ll be staying with us and continuing to work on Whonix Qubes support? Even better!

When you think a Qubes sub forum is justified and/or necessary (we also have one for KVM), it can be quickly created.

Todo:

I think we’ll also need you as the Whonix Qubes maintainer. Going to write a separate post on that topic.

[quote=“Patrick, post:68, topic:374”]Terrific!

Also blogged about this:[/quote]

Awesome! Thanks Patrick!

Yeah… To me, it really looks like there is presently no better platform for endpoint sec + strict torification implementation than Qubes + Whonix. So, for the foreseeable future, I am really diving into Qubes and Whonix and standardizing all of my own personal systems on this combined platform.

I’ll be doing all this type of work for my own personal needs anyway, so I view it as a win-win to also publicly share this and get more community support growing up around Qubes + Whonix so that it can be even further improved beyond me as time goes on.

So, yes, as long as I’m using Qubes + Whonix, I’ll be sticking around here to work on supporting and furthering the Qubes + Whonix platform.

Good idea…

Unless you want to wait, I would be fine with launching a “Whonix Qubes” sub-forum now.

I saw your Qubes maintainer proposal as well, and I officially accept, since I am planning on being around here doing this type of stuff anyway for my own motives.

So, if you’d like, we could go ahead and create a “Whonix Qubes” sub-forum now, and if applicable transfer all the existing Qubes related threads into it.

Having a separate Qubes focused sub-forum now, which threads get originally posted in or moved to by moderators, would also make it practical for me to monitor and respond to anything related to Qubes + Whonix. Otherwise, I’m not sure I’d be able to practically watch other sub-forum posts and pick out the minority of Qubes related threads.

Unless it is only supposed to be for support issues, this “Whonix Qubes” sub-forum will also allow us to better break out Qubes + Whonix development related threads (like this monolithic one) into sub-topical threads with more narrow focus, and still have them in a centrally aggregated place for other people to follow, who are interested in Qubes + Whonix development.

[quote=“Patrick, post:68, topic:374”]Todo:
https://www.whonix.org/wiki/Dev/Leak_Tests[/quote]

Yes, still todo.

I’m getting the source code install guide done now, then I will likely tackle this.

I formally accept. :smiley:

Agreed! Great!

Whonix sub forum created with you as moderator. All Qubes specific discussions will be moved to that forum.

I think for now we’ll use the KVM / Qubes specific sub forums for KVM / Qubes specific development discussions as well as user support discussions. But forums are supposed to be flexible. If development-only / support-only seem more useful in future, we can also do this. The forum really is just a tool for cooperation, so we’re as flexible as desired.

[quote=“Patrick, post:71, topic:374”]Agreed! Great!

Whonix sub forum created with you as moderator. All Qubes specific discussions will be moved to that forum.[/quote]

Got it!

Good. This integrated Qubes support + development sub-forum works best for me!

Small suggestion based on this…

The KVM / Qubes sub-forum descriptions currently read:

“Everything specific to Whonix Qubes Support”

Maybe it would be good to “unlimit” this description by taking off the “support” part:

“Everything specific to Whonix Qubes”

Or, alternatively, maybe by adding development onto these descriptions.

Done. :slight_smile: