Recommended distro to deploy KVM Whonix?

I'm trying to deploy a distro specifically to run Whonix…

I have spent 2 days trying to make it work on Debian 9.6. I followed this guide, ‘Whonix ™ for KVM’, step by step, but the gateway has no connection; for some reason bootstrap stays stuck at 5%. I read a lot of posts from users on the forum with similar problems but no solutions.

I also made a test: I deployed a Windows VM just to test the virtual network, but still no connection. They can ping each other (guest/host), and the VM also does DNS lookups… but it doesn't connect to anything.

I know this is not related to Whonix; I just want to know which is the recommended distro and the exact version to make Whonix work properly out of the box, if that is even possible, since I am an inexperienced Linux user.

Last time I tried KVM + Whonix it worked out of the box on a plain Debian 9 stable install.

Do you have a network connection on the host (wifi/ethernet)? Does it work correctly? Have you tried to connect to Tor directly from the host (tor package or Tor Browser)? Does it work correctly? What kind of hardware do you have?


I can connect to Tor from my Windows setup in my Whonix via VirtualBox, so the connection is not censored. To be honest I haven't tried the Tor bundle on Debian, since the problem persists in the other VM I set up to test…

After some reading I think the problem is the route through iptables. I haven't set up anything about iptables; I'm afraid it is denying everything. Today I'll do more tests, but I need to read more. I'm also afraid that I'll manage to get it working, but not safely.

Have you checked if the network ‘default’ is up and running under VMM?

Edit -> connection Details -> Virtual Networks

Well, I made a test with the default one too on the Windows VM and still no connection; KVM sends an alert when the selected network is not up…

But when I made the tests for Whonix I ran it with default disabled, since I imported both templates included with Whonix, external and internal. I checked if they were up and running and they were, but I had default disabled. Do I need to start default too?

You should first try to get it working with some non-Whonix VM. From my experience it also works out of the box on Debian with KVM. Since you can also ping the host and do DNS lookups, networking should work to some extent. IMHO it can only be some firewall or networking issue on the host. libvirtd usually sets some iptables rules itself and uses dnsmasq for networking. Did you change some settings for those?
As a workaround you can try to omit the host network completely by using macvtap + passthrough for the network adapter of the VM.


First of all, thanks for taking the time to answer me.

Tested as you suggested with macvtap and it works; the guest has a connection using that setting.

I did not change anything; it is a fresh install using dual-boot just to test Whonix. I have even done the fresh install + step by step guide to install 3 times by now.

I didn't know libvirt set rules by itself; if so, then there must be something wrong with my distribution + the libvirt version I'm trying to install somehow.

I installed as the guide suggested:

For Debian Stretch+ you need to install:
sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients virt-manager

I just want to make it work. I don't have a problem if I have to install another Debian version, or if I have to reinstall everything from scratch again; by now I have been stuck here for around 4 days.

Btw, this is the list of rules on the host:

sudo iptables --table nat --list

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

These look correct, at least on my system they look the same. Could you maybe also post the output of “iptables -vnL”? But I guess libvirtd sets up everything correctly. You can also check the official libvirtd documentation for the rules: libvirt: Firewall and network filtering in libvirt
You could maybe also try to run some other stuff like wget in the VM and see if this works. Or you could try to upgrade to buster and see what happens; this fixed at least some bugs for me, not related to libvirtd and Whonix though. Your bug is rather odd. But if you just want to use the machine for hosting Whonix VMs you can also just stick to the macvtap approach. If you need to run more than one gateway you need an additional router VM.

debian:~$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 9902 packets, 3497K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 9881 packets, 2041K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68

Is the macvtap approach safe? I need to read about that…

But may I know which exact distribution + version you are running? I'll try with that one since I'm sick of this bug… I'm not an experienced Linux user.
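An added check, not code from the thread, libvirt or Whonix: the script below parses the two listings posted above (the FORWARD chain of `iptables -vnL` and the nat POSTROUTING chain, copied as sample input with the pasted en-dashes restored to `--`) and confirms that libvirt's standard NAT rules for virbr0 and 192.168.122.0/24 are present. It also reads the packet counters, which are all zero in the listing above: the rules exist, but unless the counters were reset since the tests, no guest packet has ever been forwarded through them. Column handling follows the standard `iptables -L` / `-vnL` layout; the chain, target and subnet names are those shown above.

```python
"""Check iptables listings for libvirt's NAT-network rules (added example,
not code from the thread, libvirt or Whonix; sample listings copied from the
thread: FORWARD chain of `iptables -vnL`, POSTROUTING of `iptables -t nat -L`)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

GUEST_NET = "192.168.122.0/24"  # libvirt "default" NAT subnet
BRIDGE = "virbr0"               # bridge device of that network

FILTER_VNL = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
    0     0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
    0     0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

NAT_L = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
"""


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str            # "*" when the table was listed without -v
    out_if: str
    source: str
    dest: str
    extra: str            # match/target options, e.g. "ctstate RELATED,ESTABLISHED"
    pkts: Optional[int]   # None when the table was listed without -v


def _count(tok: str) -> int:
    """Parse a -v counter such as '0' or '3497K' (iptables scales by 1000)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(float(tok[:-1]) * mult[tok[-1]]) if tok[-1] in mult else int(tok)


def parse_iptables(text: str) -> Dict[str, List[Rule]]:
    """Turn an `iptables -L` or `iptables -vnL` listing into {chain: [Rule]}."""
    chains: Dict[str, List[Rule]] = {}
    current, verbose = "", False
    for raw in text.splitlines():
        line = raw.replace("\u2013", "--").strip()  # en-dash from copy/paste -> "--"
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line.startswith(("pkts", "target")):   # column header row
            verbose = line.startswith("pkts")
        elif verbose:
            # columns: pkts bytes target prot opt in out source destination [options]
            pkts, f = _count(line.split()[0]), line.split()[2:]
            chains[current].append(Rule(f[0], f[1], f[3], f[4], f[5], f[6], " ".join(f[7:]), pkts))
        else:
            # columns: target prot opt source destination [options]
            f = line.split()
            chains[current].append(Rule(f[0], f[1], "*", "*", f[3], f[4], " ".join(f[5:]), None))
    return chains


def check_libvirt_nat(filter_text: str, nat_text: str) -> Dict[str, bool]:
    """Report which libvirt NAT rules exist and whether they ever matched."""
    fwd = parse_iptables(filter_text).get("FORWARD", [])
    post = parse_iptables(nat_text).get("POSTROUTING", [])
    guest_out = [r for r in fwd if r.target == "ACCEPT" and r.in_if == BRIDGE and r.source == GUEST_NET]
    replies_in = [r for r in fwd if r.target == "ACCEPT" and r.out_if == BRIDGE
                  and r.dest == GUEST_NET and "ESTABLISHED" in r.extra]
    masq = [r for r in post if r.target == "MASQUERADE" and r.source == GUEST_NET]
    # Zero counters on both FORWARD rules mean the host firewall never saw a
    # guest packet cross virbr0: traffic is not reaching the NAT path at all,
    # which is a different failure from a REJECT (whose counters would rise).
    seen = any((r.pkts or 0) > 0 for r in guest_out + replies_in)
    return {"forward_guest_out": bool(guest_out), "forward_replies_in": bool(replies_in),
            "masquerade": bool(masq), "guest_traffic_forwarded": seen}


if __name__ == "__main__":
    for name, ok in check_libvirt_nat(FILTER_VNL, NAT_L).items():
        print(f"{name:24s} {'yes' if ok else 'NO'}")
```

To run it against a live host, save `sudo iptables -vnL` and `sudo iptables -t nat -L` to files and pass their contents to `check_libvirt_nat`. A present rule set with zero counters, as in the listing above, says the rules themselves are not rejecting the guest; the place to look next is whether the guest's packets reach virbr0 at all.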

iptables rules look correct. macvtap is probably at least as safe as NAT. Debian stable works for me. I can’t come up with any version which did not work for me.


I'll try Mint now; I'll post results after.

In your opinion, do you think it may be related to hardware?

Mint is really lacking in the sec department. Some things are never patched because there is no manpower, and they don’t believe in CVEs. We didn’t choose Debian by random chance.

Try re-installing Debian from scratch and if it still doesn’t work, then upgrade to buster by changing apt source files. It should be the new stable soon.

Have you installed a firewall package or custom VPN client on the host? There can be interference from them.

Mint is really lacking in the sec department. Some things are never patched because there is no manpower, and they don’t believe in CVEs. We didn’t choose Debian by random chance.

Yep, I figured it out. I'm setting up Debian again; I had multiple crashes, it has a problem with the VM graphical interface, and I didn't manage to test the network, but I'll just stick to Debian.

Try re-installing Debian from scratch and if it still doesn’t work, then upgrade to buster by changing apt source files. It should be the new stable soon.

Will do it.

Have you installed a firewall package or custom VPN client on the host? There can be interference from them.

Nope, I didn't install anything; just a fresh install straight to the Whonix step by step.

I will do it again and just check if I did not miss anything.

I'll install from ‘Downloading Debian CD/DVD images via HTTP/FTP’, the 650MB image, since I only have a 2GB USB available.

Thanks for taking time to answer me.

I'll post results after installing from scratch again.

After installing everything from scratch, these are the results.

What I noticed:

The Whonix gateway stays at 5% bootstrap just like before.

After that didn't work out, I installed a Windows guest and tested it with the default network, then I used the “external” one from the Whonix template; both had the same results.

By default the virtual network devices on the virtual machines are set up as “virtio”. I made a test with that setting, but in the Windows guest at least it doesn't show any adapter in the adapter list. With this config the guest pings “192.168.122.1” but is unable to ping the host, “192.168.122.9”; it also doesn't do any DNS lookups.

But then I shut down and set the virtual network device model to rtl8139. After starting the Windows guest again there is an adapter in the list, but it shows as limited connectivity.

It does DNS lookups: I ping google.com and it does resolve the IP, but gets “request time out”.

It can ping the gateway, “192.168.122.1”, but returns host unreachable when pinging the host IP, “192.168.122.9”.

But the host can ping the guest IP, “192.168.122.84”.

Made an install with this image, ‘Downloading Debian CD/DVD images via HTTP/FTP’, the 650MB one.

Fresh install, formatting the root partition and home partition on that disk, then went straight to the step by step on “Whonix ™ for KVM”.

I don't know what else I can do to make it work. I think it is a kind of odd bug, or related to hardware somehow. This is the 3rd time I have run a fresh install + Whonix guide.

I know this is not fully related to Whonix, but I honestly need help to solve this mystery.

Thanks in advance.

Update:

I found VirtIO drivers in the ISO and installed them in the guest machine… now the device model VirtIO shows on the guest as Ethernet3 Red Hat VirtIO Driver, but it still won't connect.

Also there is a difference between the “default” KVM network and the “external” one from the Whonix template…

The default resolves DNS and pings 192.168.122.1, and it can be pinged from the host, but it cannot ping the host from the guest.

The external doesn't ping anything, nor resolve DNS, and the return on pings is network unreachable.

This feels like an iptables problem.

I found this, “networking - KVM virtual machine unable to access internet - Server Fault”, which seems to be like the problem I have, but I honestly don't understand what the “guest-subdomain” is.

To make things simpler to debug, please stick to using Debian or Whonix guests. Windows does not come with VirtIO drivers and needs them to be installed manually and it may also need additional configuration.

  • Do you see the same problem with a plain Debian guest connected to network “NAT”?

  • Yes, Whonix uses network “external” instead of NAT because the Gateway no longer supports DHCP.

  • What is your host’s LAN IP? “sudo ifconfig” If it is the exact same range as the external or NAT subnet, you could be seeing conflicts.

  • Does host connectivity work? If not then you need the Debian image with non-free firmware.

Following this guide:
https://wiki.debian.org/KVM

Make sure you have the package bridge-utils installed.
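The subnet-conflict question in the bullets above can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, libvirt or Whonix: it parses `ip -o -4 addr show` output and the XML that `virsh net-dumpxml` returns for each defined network, and reports any physical host interface whose address range overlaps a libvirt subnet. It generalises the question from the NAT network to every defined network. All inputs are constructed: the host address 192.168.122.9/24 on wlan0 is an assumption modelled on the host IP pinged earlier in the thread, the `default` network XML follows libvirt's stock definition, and the bridge and subnet of the `Whonix-External` entry are placeholders, not the values from the Whonix template.

```python
"""Find host LAN ranges that collide with libvirt virtual-network subnets
(added example, not code from the thread, libvirt or Whonix; all inputs are
constructed samples)."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed `ip -o -4 addr show` output. The 192.168.122.9/24 address on
# wlan0 is an assumption modelled on the host IP pinged in the thread.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: wlan0    inet 192.168.122.9/24 brd 192.168.122.255 scope global dynamic wlan0\\       valid_lft 86391sec preferred_lft 86391sec
3: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0\\       valid_lft forever preferred_lft forever
"""

# Constructed `virsh net-dumpxml <name>` results. "default" follows libvirt's
# stock definition; the "Whonix-External" bridge and subnet are placeholders.
NETWORK_XML: Dict[str, str] = {
    "default": """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>""",
    "Whonix-External": """<network>
  <name>Whonix-External</name>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>""",
}

_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_host_addrs(text: str) -> List[Tuple[str, ipaddress.IPv4Interface]]:
    """Return (interface, address/prefix) pairs from `ip -o -4 addr` output."""
    found = []
    for line in text.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            found.append((m.group(1), ipaddress.IPv4Interface(m.group(2))))
    return found


def parse_libvirt_net(xml_text: str) -> Tuple[str, str, ipaddress.IPv4Network]:
    """Return (network name, bridge device, subnet) from libvirt network XML."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name")
    bridge = root.find("bridge").get("name")
    ip = root.find("ip")
    # ipaddress accepts a dotted netmask after the slash, as libvirt writes it
    iface = ipaddress.IPv4Interface(f"{ip.get('address')}/{ip.get('netmask')}")
    return name, bridge, iface.network


def find_conflicts(host_text: str, nets_xml: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (host interface, libvirt network) pairs whose subnets overlap.

    libvirt's own bridges are skipped: they are expected to carry the virtual
    subnet. The problem case is a physical uplink (or loopback) sharing a
    range with a virtual network, so guest replies are routed the wrong way."""
    nets = [parse_libvirt_net(x) for x in nets_xml.values()]
    bridges = {bridge for _, bridge, _ in nets}
    conflicts = []
    for iface, addr in parse_host_addrs(host_text):
        if iface in bridges or addr.ip.is_loopback:
            continue
        for name, _bridge, subnet in nets:
            if addr.network.overlaps(subnet):
                conflicts.append((iface, name))
    return conflicts


if __name__ == "__main__":
    hits = find_conflicts(IP_ADDR_OUTPUT, NETWORK_XML)
    for iface, net in hits:
        print(f"host interface {iface} overlaps libvirt network {net}")
    if not hits:
        print("no subnet conflicts")
```

On a real host, feed it the output of `ip -o -4 addr show` and of `virsh net-dumpxml` for each name listed by `virsh net-list --all`. A reported overlap means the host already has a route for the virtual subnet through its physical interface, so the fix is to change the libvirt network's address range (or the LAN's) rather than to touch the iptables rules.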