
Tails-Whonix: It's doable, here's how. Can we offer it as a variant like Qubes-Whonix?

To Patrick and all who contribute to the project,

Like I’m sure most agree here, Whonix is much safer than Tails as a solution to secure one’s anonymity (i.e. protecting IP address leakage due to exploits in the OS where you do your Internet) due to the ingenious VM sandboxing design.

That’s why Whonix exists.

However, over time I have been increasingly concerned as I discover more ways in which Whonix data (or forensic evidence of its usage) can be leaked, read by, or stored in the host OS system, such as the visual ‘Preview’ pane that shows each VM’s live screen activity in the VirtualBox main GUI (which is enabled by default), or countless other metadata files written deep in your host OS file system, or actual sensitive Whonix data potentially saved to the swap partition.

This forensic data and leakage about your Whonix is a high security risk to many users around the world, in which LUKS encryption of your host OS hard drive is useless if governments can legally seize your equipment and force you to decrypt it anyway.

The RAM-only ‘live’ amnesic computing design, such as the hardened Tails OS, offers a type of security which cannot be replicated by ANY operating system (like Qubes) that writes in-session data to the hard disk. If there were an OS that offered cryptographically secure plausible deniability like the open-source and now well-audited hidden VeraCrypt volume software, it would be different (and VeraCrypt’s Windows hidden OS doesn’t count because researchers defeated it).

That’s why Tails exists.

More than ever, I am strongly interested in Tails as a host OS for Whonix. I’d feel much safer if I knew that all sensitive information or forensic data about Whonix would at least leak to a RAM-only environment that’s instantly and quite securely wiped as soon as I remove the Tails USB drive, instead of potentially being permanently written on an SSD cell somewhere deep on the hard disk as evidence to be collected.

To combine both worlds and still have fully deniable encryption of all sensitive data, you can store your Whonix VMs inside a hidden VeraCrypt volume (on your fast internal SSD) and then run them in a VirtualBox instance on Tails (on your USB). For convenience, you can build your own install scripts and use Tails’ Dotfiles persistence feature to launch your preferred OS settings and the VMs quite automatically at each startup.

So with this in mind I recently experimented with Whonix in Tails and made headway with (almost) getting it to work. (The only remaining step is I’m not sure how to modify Gateway to get its Tor wizard to actually connect, but full Internet is working in any non-Whonix VM.)

Here are my steps for it:


  • Boot up the latest Tails (currently v3.13.1) from a USB.

  • At Tails log in, create an admin password for the session.

  • Open Tails’ Root Terminal and do the following: apt-get update; apt-get install make; apt-get install -y -t sid linux-headers-$(uname -r)

  • Open Tails’ Tor Browser and go to https://www.virtualbox.org/wiki/Linux_Downloads and download the latest “Debian 9” .deb installer file for VirtualBox.

  • Then in Root Terminal install VirtualBox, following this example: dpkg -i '/home/amnesia/Tor Browser/virtualbox-6.0_6.0.4-128413~Debian~stretch_amd64.deb'; apt -y --fix-broken install

  • Optionally, download Oracle’s VirtualBox extension pack and install it in VirtualBox.

  • Now start VirtualBox in Tails, and import or create some VMs for testing them.

(WARNING: When you power on the VM in the following step, it will be connecting to your pre-Tor IP!)

  • Change the VM’s Network settings to ‘Bridged Adapter’, then power it on and test.

So in my testing I see that Whonix-Gateway doesn’t connect out of the box, but interestingly, if you try any vanilla Linux VM like Arch Linux’s live ISO in VirtualBox you’ll see that your ‘naked’ pre-Tor Internet is automatically working in such VMs.

I’m no expert but I’m guessing the kernel modules loaded by VirtualBox are bypassing Tails’ Tor process and iptables security completely. This actually means that we can avoid ‘Tor-over-Tor’ with Whonix in Tails! :slight_smile:

As long as Gateway has its own strict iptables security (which we already rely on with Whonix with any other host OS), IMO this is OK. This is therefore an opportunity to consider Tails like another host OS for Whonix like Qubes, but with the amazing unique feature of hardened amnesia security. (Are there any well-maintained RAM-only live Linux distributions which are accessibly Debian-based and don’t include Tor hardening? I’ve not found one. Maybe Knoppix? It looks like Tails is the biggest one.)

I think that by now, both Tails and Whonix have matured as separate projects which, like Qubes-Whonix, could be combined as ‘Tails-Whonix’ to enjoy the benefits of both projects with no compromise.

In this way Tails and Whonix can still have autonomy from each other, just like how Qubes and Whonix don’t depend on each other incestuously but can complement one another.

It is ironic that ‘Tails-Whonix’ users would never use the Tails’ Tor Browser but only use Tails as a ‘dumb’ pre-Tor host for Whonix’s superior Tor security. But both projects can still respect, learn and borrow from each other over time in a friendly way. And as another benefit, downloading and setting up Whonix all from within Tails could be a great way to more privately, anonymously, and securely do it. I trust the Tails Project to keep Debian up-to-date and secure.

So, I want to do extensive testing of Whonix inside Tails (and also explore how convenient I can make it Persistence-wise inside a VeraCrypt volume), but I need help in knowing what modification is required in Gateway’s iptables / OS config to make it actually connect to Tor.

I look forward to your thoughts and contributions.

Thanks
AnonymousUser

1 Like

Whonix also has a live-session mode available since a few months. Works well!

See

And

1 Like

Hi onion_knight, as your highlighted post says, ‘Whonix live mode’ isn’t an anti-forensics feature, whereas Tails OS as a host completely is.

Tails-Whonix is specifically to introduce anti-forensics to Whonix. :slight_smile:

1 Like

Why not install as per on https://www.whonix.org/wiki/VirtualBox/XFCE ?


Interesting!

Yes.

I would find using Tails as a host to run Whonix quite convoluted and bad usability.

Tails is based on Debian Live, which if I remember right, offers optional selective persistence. https://live-team.pages.debian.net/live-manual/

  • Tails as host for Whonix: not good
  • some Linux Live as host for Whonix: better but still not good
  • custom Debian Live based Whonix host: best

Whonix and Tails Collaboration

Related FAQ:

1 Like

Well, stretch-backports has an older version of VirtualBox (v5.2.24), and IMO the situation with a private company called Oracle managing VirtualBox is already bad enough, so we should at least endeavor to use the latest release where possible to minimize risks of VirtualBox 0-day vulnerabilities. Luckily, VBox 6.x works just fine on Tails in my testing so far.

I’m very glad you say that!

I assumed so too, until I found it quite smooth and surprisingly well-performing even on a crappy computer with 8GB RAM and an old hard drive (and this hard drive is where I’m storing my large Whonix test VMs in a hidden VC volume to experiment with). You actually forget you’re on a live OS.

I mean yes, I of course agree, it’s cleaner to use a non-Tails live host, but I haven’t found anything else in all these years - Qubes Live USB isn’t in the arena yet. There’s nothing else good, stable, and well-maintained as a project. Knoppix website looks like it’s from 2002, and I just don’t trust it to be safe for the wider Whonix community.

Tails I at least trust to keep their Debian live system up-to-date and hardened - I just don’t trust their non-OS-sandboxed environment for my actual Tor browsing. But as a Debian base, it feels quite stable now.

If we could ignore the irony of using Tails as a dumb / non-Tor host OS, I think ‘Tails-Whonix’ could become a winner (if we find it stable after much testing). :slight_smile: The combination of both ‘brands’ could be compelling.

Yeah, I saw that, as well as your inquiries to Tails ticket system many years ago about making Tails more Whonix-compatible from their end (which was met with disinterest :face_with_symbols_over_mouth: ). Which is why I find it amazing that I’ve almost got it working now!

So that brings me back to my humble question.

How would I modify Gateway’s iptables to make it connect (after my Tails steps above)? This is sadly above my knowledge pay-grade and I also wouldn’t want to dangerously play around with it on my own. It’s playing with fire. Any assistance would be greatly appreciated, so that I can intensively test it at my end.

Thanks
AnonymousUser

PS There are a few alternatives I’ve thought of:

  • With Tails as host, just offer a single Workstation VirtualBox VM and tweak it to connect directly to Tails’ host-side proxy that provides their existing Tor tunnel. (My 2c: Although it might seem simpler as it’s only one VM, it’s not as attractive because 1. We rely on an external project for our core Whonix Tor security and 2. Potentially more modification and development burden is needed to maintain a ‘Whonix-workstation-for-Tails’ ova. Still, I thought I’d mention this and that I’ve thought of it.)

  • Still offer the pair of Gateway and Workstation VMs, but modify Gateway to have an option to ‘Connect to Tails Tor’, so that you avoid Tor-over-Tor. (My 2c: Still not as ideal, because again we depend on an external project’s torification security and I just don’t like the feel of that. We are Whonix, and we need autonomy with regards to the core feature that we actually offer.)

  • Wacky idea (actually this is the same as your “custom Debian Live based Whonix host” idea): We turned the graphical Gateway Debian VM into an amnesic, RAM-only ISO to then burn to USB which runs as a live Linux and has its usual wizard to connect to Tor, and it can either come with an already installed VirtualBox and Workstation VM, or the user can download those components themselves and then make it persistent in their own VeraCrypt volume to their heart’s content. Not sure if it’d be safer to have the host OS non-torified and still have double VM system, but that could be worked out. (My 2c: maybe great idea for the future, but loads of development work when we could just slightly tweak Gateway to work in amnesic Tails for now as I’m trying to achieve above.)

So to summarize, I don’t think we should ever Frankenstein Whonix with Tails by relying on their own Tor process, but just outsource their obsession with amnesia and use it to our advantage as one very compelling host option for Whonix.

I don’t think we should ever ship a fork of a (not heavily modified) Tails that is used to run Whonix. That is so confusing for users (“don’t use anything default installed on the host desktop and our tails greeter settings are mostly in vain”) that it would be detrimental to the quality standards the Whonix project has established. An interesting proof of concept, though.

AnonymousUser via Whonix Forum:

How would I modify Gateway’s iptables to make it connect (after my Tails steps above)?

Whonix works on multiple platforms without modification. VirtualBox, KVM, physical isolation and even Qubes. If it doesn’t connect, it can be blamed on the host platform.

You could try to modify or unload Tails host firewall.

We turned the graphical Gateway Debian VM into an amnesic, RAM-only ISO to then burn to USB which runs as a live Linux and has its usual wizard to connect to Tor, and it can either come with an already installed VirtualBox and Workstation VM,

Similar https://www.whonix.org/wiki/OneVM. Disadvantages listed on wiki/OneVM do not apply here.

I mean yes, I of course agree, it’s cleaner to use a non-Tails live host, but I haven’t found anything else in all these years

Debian Live project is probably fine and not hard to use for developers. Live CD/USB and amnesic components are as I guess nicely encapsulated into the Debian Live project. Tails “only” adds their anonymity flavor on top.

2 Likes

@AnonymousUser Let’s say we use a full-encrypted disk install of vanilla debian, with VirtualBox and/or Virt-Manager running both Whonix VMs in live-mode without clipboard or shared folders enabled.

Could you please explain to me what kind of concrete leaks from our VM sessions could be exploited by someone gaining access to the host machine from a forensics point of view (let’s assume the adversary can decrypt the hard disk)? I am not talking about running an exploit to gain transparent access to the host while running the VMs, that is a whole other topic.

Your proposal is based on the assumption that even using Whonix in live-mode some sensitive information on the VM usage could be leaked and exploited during forensics work. What concrete examples of that do you have in mind? To the best of my knowledge, only metadata, such as when the VMs were started and shut down, could be leaked to the host, but I may be mistaken. Again, I am talking about a scenario when one is using the Whonix VMs exclusively in live-mode.

That’s a general disclaimer. On Linux it should in fact be anti-forensic since the OS does not sabotage this effort by deliberately generating and storing as much info as it can like Windows does.

related FAQ entry: Anti-forensic Claims

At first blush, that makes sense. Confusion is never good. How strange to see Tails Tor ‘connection ready’ notifications when one is completely ignoring it and using Whonix in Tails instead? I also think about such professionalism when advocating Whonix to others.

However, amnesic and anti-forensic computing is too compelling for me to see it as unimportant and non-urgent. I don’t care what it’s called, I want my Whonix to be amnesic at the hard drive level and to be robustly anti-forensic. It’s important for safety. I know it can be. I’m so close.

And at second blush, I realize you could see it differently. ‘Tails-Whonix’ can be seen as Tails AND Whonix, i.e. both offerings in one package! I would only use the Whonix part, because I know Tails is woefully inadequate to guarantee my anonymity online (how’s that for quality standards?), but Tails still is a nice backup for even someone like me and one could regularly use the outer Tails as a different mode of anonymity at a less important level.

So Tails-Whonix doesn’t have to be confusing and ‘clunky’, if users just have a basic knowledge of what they see on the screen. It’s only one of many variants of Whonix, and it can be easily understood that here one is actually using BOTH systems at once, where there’s little downside as long as you have 8GB or more of RAM, and with an upside of amnesic security for the entire thing.

All ingeniously without doing Tor-over-Tor.

OK, so, I’ve done some further testing in regards to this. Very interesting.

On non-Tails host (Debian-based):

  • Stock Debian VM
    • ‘NAT’ mode: works (honors host OS firewall, uses host OS VPN IP)
    • ‘Bridged Adapter’ mode: works (bypasses host OS firewall, uses host OS pre-VPN IP)
  • Unmodified Gateway VM
    • ‘NAT’ mode: works (honors host OS firewall - I assume)
    • ‘Bridged Adapter’ mode: doesn’t work

On Tails host (unmodified):

  • Stock Debian VM
    • ‘NAT’ mode: doesn’t work
    • ‘Bridged Adapter’ mode: works (bypasses host OS firewall, uses Tails’ pre-Tor IP)
  • Unmodified Gateway VM
    • ‘NAT’ mode: doesn’t work
    • ‘Bridged Adapter’ mode: doesn’t work

So based on this observation, it would seem the VirtualBox instance of Gateway simply doesn’t connect when its VM is set to ‘Bridged Adapter’ mode, regardless of host OS.

What is it in Gateway’s Linux (compared to a stock Linux VM) that prevents it from connecting when VM is in ‘Bridged Mode’?

Moving on…

Cool. So OK I’ve tested flushing Tails’ iptables (using this 9-line set of commands), and that does get the Gateway VM to connect to Tor (and thus Workstation is working) in Tails (if it’s set to ‘NAT’ mode, as is default for the OVA). That’s great to test that. Thanks! But again, it’s Tor-over-Tor, so is out of the question as an option.

And if one then eliminates Tor-over-Tor by killing Tails’ Tor process via the command line before turning on Whonix Gateway VM, at this point we have a ‘FrankenTails’, and a way messier and less safe solution than just modifying whatever it is that makes Gateway VM not connect when set to ‘Bridged Adapter’ in VirtualBox. But, I understand you were only offering the idea in the context of my testing, so I’m glad I’ve tested it. :slight_smile:

I also tried Gateway in ‘Bridged Adapter’ mode after flushing Tails’ iptables, and it still doesn’t connect. When on Bridged Adapter, quite simply, nothing happens in VirtualBox Gateway.


So to summarize: We don’t need to ship a fork of Tails, or even develop our own amnesic Debian Live host OS image for now (though long-term it would be awesome if a developer wanted to take that on). We can smartly use existing Tails right now, using this ‘Bridged Adapter’ hack.

What would get Gateway working under ‘Bridged Adapter’?

Thanks
AnonymousUser

PS I’ve thought of another possible alternative that’s equally as clean, if it works. Tails’ ‘Unsafe Browser’ is coded to bypass the Tor security (and use your pre-Tor IP). Some info here and here. What if there’s a simple command or script one can run in Tails to change VirtualBox to be owned by or run as the clearnet user in Tails (or a similar tweak to whitelist VBox at a pre-Tor level), then Gateway would connect in ‘NAT’ mode with no modification needed? I’m not sure how I’d do that though, or of any security implications either.

Related: Warning: Bridged Networking

1 Like

Sorry for insisting @AnonymousUser but I still fail to see why using Whonix in live-mode on a Linux host would be any different from using a whole amnesic system in terms of concrete information leaks? What kind of concrete threats do you have in mind that your proposal would avoid compared to Whonix in live mode?

related FAQ entry: Anti-forensic Claims - nothing specific but without actually doing a basic check, no claims should be made.

Also not specifically on this topic but https://www.whonix.org/wiki/Encrypted_Images explains how contents of VM activity might leak to the host.

But now I am wondering why not use https://github.com/Whonix/grub-live ( similar https://www.whonix.org/wiki/Whonix_Live ) on Debian hosts?

I think testing grub-live on Debian hosts as per https://www.whonix.org/wiki/Whonix_Packages_for_Debian_Hosts and testing for forensic leftovers would be very much worth it. Maybe with grub-live on the host, Whonix could become almost as good as or even as good as Tails regarding anti forensics. I need to elaborate on this. Will create a wiki page comparing grub-live with Tails soon.

Thanks @Patrick
It is indeed a complex matter and I think everyone would benefit from having more concrete information on the relative pros and cons of live-boot versus a full amnesic host. The latter is much more complicated to set up (and maintain), so it would be nice to know whether it is worth it!

A few months ago while playing with this same idea I did end up with a completely operational system in a single iso file consisting of a debian host system with VBox+Whonix-Vms, that could be written directly to a bootable USB key like Tails, all running in RAM. I could search the scripts I used to achieve this. In my experience it is not really usable as you have no means of updating the system, and must write a new iso every few weeks to keep up with the updates.

Thanks for linking me to that Patrick.

From a brief glance at that I can see that ‘Bridged Adapter’ mode is very untested, and so is obviously not something we should blindly enable in Gateway from the Whonix security end of things. It’s crucial that info and packets and exploit possibilities between Gateway and the host OS are absolutely minimized, so it needs to be studied a lot.

I’m also very happy to see this further discussion about anti-forensics and making a non-Tails live host OS also. :slight_smile: I appreciate the team’s commitment that I’ve seen for many years now.

For now, I will explore my idea of emulating the clearnet user and ‘Unsafe Browser’ Tails scripts to try to get VirtualBox NAT connectivity working in Tails (but making sure it’s not Tor-over-Tor), and will come back with any reports of success etc. If I am stuck I might ask for some tips too, but either way I am very committed to us being able to have an accessibly downloadable anti-forensic host OS solution for Whonix.

Thanks
AnonymousUser

1 Like
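Since the thread settles on keeping Gateway in its stock ‘NAT’ mode and treating ‘Bridged Adapter’ as untested, a pre-flight check that refuses to start a VM whose adapters deviate from that is a cheap safeguard. This is an added example, not code from the thread, from Whonix or from Tails; it assumes the `VBoxManage showvminfo <vm> --machinereadable` output format, where each adapter appears as a line such as nic1="nat" or nic1="bridged", and the sample outputs below are constructed.

```shell
#!/bin/sh
# Pre-flight adapter check for the VirtualBox-on-Tails setup discussed above.
# Added example (not from the thread, Whonix or Tails). Assumes the
# `VBoxManage showvminfo <vm> --machinereadable` format: one line per adapter,
# e.g.  nic1="nat"  /  nic2="intnet"  /  nic1="bridged".

# Constructed sample outputs, shaped like a Whonix-Gateway VM (nic1 NAT to the
# host, nic2 internal network to the Workstation) and a misconfigured one.
SAMPLE_OK='name="Whonix-Gateway-XFCE"
nic1="nat"
nic2="intnet"
intnet2="Whonix"'

SAMPLE_BAD='name="Whonix-Gateway-XFCE"
nic1="bridged"
bridgedadapter1="eth0"
nic2="intnet"'

# Print the adapter number of every NIC that is in "bridged" mode.
# Reads machinereadable showvminfo output on stdin; prints nothing if none.
bridged_nics() {
    awk -F'[="]' '$1 ~ /^nic[0-9]+$/ && $3 == "bridged" { sub(/^nic/, "", $1); print $1 }'
}

# Exit 0 only if nic1 is NAT (the OVA default the thread relies on) and no
# adapter at all is bridged; exit 1 otherwise. Reads stdin like bridged_nics.
vm_nic_ok() {
    awk -F'[="]' '
        $1 == "nic1"                              { nic1 = $3 }
        $1 ~ /^nic[0-9]+$/ && $3 == "bridged"     { bridged++ }
        END { exit (nic1 == "nat" && bridged == 0) ? 0 : 1 }'
}

# Wrapper for a real VM name: query VirtualBox and apply the policy.
# Usage: check_vm Whonix-Gateway-XFCE && VBoxManage startvm Whonix-Gateway-XFCE
check_vm() {
    out="$(VBoxManage showvminfo "$1" --machinereadable)" || return 2
    if ! printf '%s\n' "$out" | vm_nic_ok; then
        echo "refusing to start $1: nic1 must be NAT and bridged adapters" \
             "$(printf '%s\n' "$out" | bridged_nics | tr '\n' ' ')must be removed" >&2
        return 1
    fi
}
```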

I’ve made some good headway with proof-of-concepting VirtualBox Whonix inside Tails without doing Tor-over-Tor.

By logging in with a root password and temporarily hijacking the clearnet user in Tails and the scripts that the Unsafe Browser runs, I’ve got ‘NAT’ connectivity working now for VirtualBox VMs and yet without doing Tor-over-Tor. So there’s no need to rely on ‘Bridged Adapter’ anymore. :slight_smile:

These are the steps to currently emulate where I’m at:


  • Boot up the latest Tails (currently v3.13.1) from a USB.

  • At Tails log in, create an admin password for the session.

  • Open Tails’ Root Terminal and do the following: apt-get update; apt-get install make; apt-get install -y -t sid linux-headers-$(uname -r)

  • Open Tails’ Tor Browser and go to https://www.virtualbox.org/wiki/Linux_Downloads and download the latest “Debian 9” .deb installer file for VirtualBox.

  • Then in Root Terminal install VirtualBox, following this example (the glob must stay outside the quotes so the shell expands it): dpkg -i /home/amnesia/'Tor Browser'/virtualbox-*.deb; apt -y --fix-broken install

  • Temporarily enable pre-Tor DNS in Tails (n.b. this is completely unsafe for general Tails usage so just for proof-of-concepting), by replacing the contents of /etc/resolv.conf with /etc/resolv-over-clearnet.conf using Root Terminal.

  • Run ‘Unsafe Browser’ (and keep it open during the test. It opens up its chroot thing to temporarily enable this proof of concept).

  • Now do in Tails Terminal: sudo -u clearnet VirtualBox

  • Load any small Linux live ISO into a new VM and test the Internet and IP address, for example with curl ifconfig.co


Result: Internet works in the test VM (in ‘NAT’ mode) and it is definitely using one’s pre-Tor IP address, thus avoiding Tor-over-Tor!

So my next logical step is to fully emulate the Unsafe Browser .desktop and chroot thing to launch a VirtualBox process doing a similar thing and only opening up permissions and system access as is necessary (such as wider filesystem access for VirtualBox so you can load the large Whonix VMs).

I do remind that I am nowhere near a developer, I’m just a passionate tinkerer who really wants to achieve this and share it with others. If anyone wants to play around with this and help me, it would speed up the progress of this and I would really appreciate it.

I know our own in-house developed amnesic host OS ISO for Whonix would be way better down the track, but I don’t want to wait a year when I’m so close using the already well-maintained Tails host for the time being.

1 Like
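The step above that overwrites /etc/resolv.conf with /etc/resolv-over-clearnet.conf leaves Tails resolving over clearnet until someone remembers to undo it. The wrapper below, an added example that is not from the thread, Whonix or Tails, narrows that window by restoring the original resolver file when the wrapped command exits or the shell is interrupted; RESOLV and CLEARNET_RESOLV default to the Tails paths named in the step and can be pointed at scratch files for testing.

```shell
#!/bin/sh
# Added example (not from the thread, Whonix or Tails): run one command with the
# pre-Tor resolver in place and always put the original back afterwards.
# Paths default to the Tails files named in the step above; override for tests.
RESOLV="${RESOLV:-/etc/resolv.conf}"
CLEARNET_RESOLV="${CLEARNET_RESOLV:-/etc/resolv-over-clearnet.conf}"
DNS_BACKUP=""

# Put the saved resolver file back. Safe to call more than once.
restore_dns() {
    if [ -n "$DNS_BACKUP" ] && [ -f "$DNS_BACKUP" ]; then
        cp -- "$DNS_BACKUP" "$RESOLV" && rm -f -- "$DNS_BACKUP"
    fi
    DNS_BACKUP=""
}

# Run "$@" with $CLEARNET_RESOLV copied over $RESOLV, then restore $RESOLV.
# Returns the wrapped command's exit status (2 on setup failure).
with_clearnet_dns() {
    [ -f "$CLEARNET_RESOLV" ] || { echo "missing $CLEARNET_RESOLV" >&2; return 2; }
    DNS_BACKUP="$(mktemp)" || return 2
    cp -- "$RESOLV" "$DNS_BACKUP" || { rm -f -- "$DNS_BACKUP"; DNS_BACKUP=""; return 2; }
    # Restore on Ctrl-C or termination, not only on normal return.
    trap 'restore_dns; exit 130' INT TERM
    cp -- "$CLEARNET_RESOLV" "$RESOLV" || { restore_dns; trap - INT TERM; return 2; }
    "$@"
    status=$?
    restore_dns
    trap - INT TERM
    return "$status"
}
```

With the thread's proof-of-concept steps this would be invoked as `with_clearnet_dns sudo -u clearnet VirtualBox`, so the resolver is back to Tails' own as soon as VirtualBox quits.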

Why not rather spend the effort on the recent developments on grub-live?

Advantages:

  • easy standard (“everyday”) upgrades [27]
  • release upgrades [28] possible anytime [27] (you can upgrade to Debian buster with newer packages any time without waiting for Tails’ developers)

@AnonymousUser

As already mentioned by @Patrick you can just install the grub-live package or the debian live tools + manual setup on probably any Debian based distro and have roughly the same amount of amnesia or anti-forensic capabilities as with Tails on a USB.