Setting up Whonix on a VPS versus on own Hardware

So my home PC runs Windows 10 Pro and I was told hosting on Windows is a bad idea. I have a scalable VPS which currently runs Ubuntu. I know that Debian buster is recommended and I will switch to it if what I’m wanting to do will work. I’d like to set up both the Whonix-Gateway and the Whonix-Workstation on the VPS and SSH from my home PC to the VPS in order to use Whonix. However, I’m not sure if doing that compromises anonymity/security. I plan on using VirtualBox with XFCE.

I’m also curious as to what the recommended hardware requirements would be for the VPS. I’m currently using 2 vCPUs and 2 GB of RAM but the service is scalable.

As far as I am concerned: Generally speaking, if your host can virtualize, it should theoretically be able to virtualize Whonix too. The specs on yours are probably too low. But:

If a breach of your anonymity would get you into trouble, I’d personally highly recommend against using any hardware that e.g. you are not in sole control of OR which leads back to your real identity either by payment or by using unsecured connections (from a Windows host, e.g.) to it etc…
Also:

If you are planning on using VBox with XFCE, you’ll have to use a protocol/program that supports displaying stuff other than text.

You’ll find the full warning why that’s a problem here: http://www.whonix.org/wiki/Remote_Administration

Remote administration of any system should be considered a potential anonymity hazard, since it is not under the user’s physical protection and could be compromised. All activities, all programs, everything should be assumed to be monitored by the host of the server (VPS, dedicated server, etc.).

And you’ll find an even clearer statement about the usage of anything not in your possession here: System Configuration and Access - Kicksecure

Needless to say, Whonix ™ should not be hosted in the cloud, on a foreign server that is not controlled by the user, on a virtual private server (VPS), or other remote hosting options. The risks include:

  • Data on these systems is readily accessible to their owners.
  • Data can be accidentally or deliberately altered / deleted.
  • Legal ownership of data is disputed.
  • Shared technological vulnerabilities include insecure interfaces and application program interfaces (APIs), data loss / leakage and hardware failure.
  • Proven vulnerability to large scale attacks like “hyperjacking”, along with exposure to traditional threats like network eavesdropping, invasion, denial of service attacks, side-channel attacks and so on.

Concluding: Instead, you’d be better off using VBox on your Windows PC and not adding a lot of other attack surfaces.

I’ll agree to that, consider using something, especially if de-anonymization is a risk for your personal well-being.

Feel free to correct me anytime!

2 Likes

Thanks a lot! Very helpful. Would a dual boot be possible to avoid hosting on Windows/VPS altogether? Like add a partition for the Linux OS and just restart my computer+select boot device whenever I’d like to switch between Linux and Windows? Or is just hosting on Windows my best option until I’m able to get a 2nd machine in my possession?

1 Like

Good questions. I won’t give a definitive answer here (as in I don’t want to recommend one or the other, as both aren’t optimal), but seeing that the only other option would be going without any anonymization at all for the time being, you’ll probably have to settle for something.

Same page as before: System Configuration and Access - Kicksecure

users should avoid dual / multi-boot configurations. The other OS (like Windows) could modify the unprotected /boot partition or firmware to maliciously compromise … the host OS, and also potentially spy on user activities.

On the other hand, using Windows as a host OS has even more implications, which you can get a list of here:

So none is optimal until you have separate hardware for running Whonix. Until then, settle for the best option in your opinion and don’t take any unnecessary risks.

2 Likes

Alright, thanks a ton for your time. You’ve answered all of the questions I had. I am probably just going to hold off until I have separate hardware since my situation isn’t urgent and I don’t want to decrease the benefits Whonix offers by being impatient. Again, thank you!!

1 Like

It’s a good question. There are the already mentioned risks when utilizing a remote server for hosting of onion servers vs doing it with hardware under your own control.

(Not even necessarily limited in all aspects to onion servers. Similar for clearnet servers.)

However, to quote Onion Services - Whonix:

Hidden services are definitely weaker than regular Tor circuits

Therefore using a VPS to host servers might have advantages too. If the VPS gets attacked, de-anonymized, that doesn’t necessarily apply to the remote administrator of that service. (Connecting to a compromised VPS would increase attack surface for the remote administrator but that’s certainly better than having a locally compromised VM.)

I don’t think I would make a general recommendation for either option. Seems too complex. Advantages and disadvantages for both solutions. An individual choice based on priorities. However, it would be interesting to explore these two options and good to document in Whonix documentation.

More related documentation:

1 Like

A VPS means your service can be taken down offline or discovered if the datacenter is compromised; however, it helps reduce risks to your anonymity if you use a minimal remote administration protocol like SSH because the attack surface is very limited. This presupposes that you’ve figured out how to properly pay them in a privacy-preserving cryptocurrency because otherwise the money trail will get you.

2 Likes