Using whonix with qemu-kvm via terminal commands

Virt-manager and libvirt did not work for me in the past and were slow. But in the terminal Whonix runs very fast, even from a USB stick. I can load both gateway and workstation. The gateway has an internet connection and timesync works. But unfortunately the workstation has no connection. So my question is how should I modify my commands to get internet in the workstation too.

I tried this way.
sudo apt-get install vde2 qemu qemu-kvm

sudo vde_switch -hub -tap qtap -sock /var/run/qtap-ctl
and press Enter two times to get $vde command prompt.
Open two other tabs in terminal for other two commands.

sudo /usr/bin/X11/qemu-system-x86_64 -hda ./Whonix-Gateway/Whonix-Gateway.vdi -m 386 -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga std -net vde,sock=/var/run/qtap-ctl,vlan=1,name=whonix -net nic,vlan=1,macaddr=DE:AD:BE:EF:2A:6E -net user,vlan=1,net=192.168.0.0/24,dhcpstart=192.168.0.10 -net nic,vlan=0,macaddr=DE:AD:BE:EF:9C:BC

sudo /usr/bin/X11/qemu-system-x86_64 -hda ~/Whonix-Workstation/Whonix-Workstation.vdi -m 1500 -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga std -net vde,sock=/var/run/qtap-ctl,vlan=1,name=whonix -net nic,vlan=1,macaddr=DE:AD:BE:EF:4A:47 -net user,vlan=1,net=192.168.0.0/24,dhcpstart=192.168.0.10 -net nic,vlan=0,macaddr=DE:AD:BE:EF:CD:25

I guess the vde network to which both vms are connected does not route packets from workstation to gateway. Any experts?

Imagine Whonix KVM development hasn’t started and someone asked “how must a libvirt xml file look like for Whonix to work without leaks and how to check?” - your question is almost as that big question. Outside the scope of a forum answer. Would need development.

What could work however is understanding libvirt as what it is - an abstraction layer for virtualizers. So what libvirt is probably doing is converting the libvirt file into native qemu/kvm commands. Maybe you can get libvirt to tell you what command line that actually is and just use that one.

Virt-manager and libvirt did not work for me in the past and were slow.
Would be probably easier/better to fix the original problem than to invent using without libvirt.

Why shouldn’t it work without libvirt?

All commands of qemu should be described in the docs. If qemu natively does not provide routing, there are other workarounds like tap and bridging linked to qemu. But you must figure out how to configure them properly to provide the said routing capability, unless there is something in the Whonix design attached specifically to VirtualBox. If not, and it uses standard networking configuration, it should work in qemu.

Patrick, problem partially solved (:
Two commands without vde are enough

sudo /usr/bin/X11/qemu-system-x86_64 -hda ~/Whonix-Gateway/Whonix-Gateway.vdi -m 386 -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga std -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:9C:BC -net socket,listen=:1234,vlan=0 -net user,vlan=0,net=192.168.0.10/24,dhcpstart=192.168.0.10

sudo /usr/bin/X11/qemu-system-x86_64 -hda ~/Whonix-Workstation/Whonix-Workstation.vdi -m 1500 -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga std -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:12:4A -net socket,connect=127.0.0.1:1234,vlan=0 -net user,vlan=0,net=192.168.0.11/24,dhcpstart=192.168.0.5

I could ping 0.11 from 0.10 but could not ping 0.10 from 0.11. Then I figured out that it was the firewall of 0.10 causing problems. I did
sudo iptables -F
sudo iptables -A INPUT -j ACCEPT
sudo iptables -A OUTPUT -j ACCEPT

Now I have internet in 0.11 too but onion sites are not opening! I guess why? Stream isolation works (:
What else can i add to gateway’s firewall to make it more solid and protective?

Onion sites started to work too. Probably I had a bad exit node. So Patrick, if you modify your gateway’s firewall, Whonix is usable with qemu without libvirt, and much faster!

My guess is that qemu’s virtual LAN is not visible to VMs, which was much mentioned in docs and online, and since that VLAN is not allowed specifically by the gateway’s firewall it somehow blocks connections from the workstation, which is of course connected to the gateway via the same VLAN. So Patrick, we may try to switch on the workstation firewall and switch off the gateway’s and see if it may help. At least one firewall protection could be a good additional means of protection.

Patrick, I activated the firewall on the workstation and it works (: So you need to switch off the gateway’s firewall and switch on the workstation’s to use Whonix with qemu.
To switch on the workstation’s one do:
sudo vi /etc/whonix_firewall/30_default
Change 0 to 1
Save and exit.
Then
sudo service networking restart

After doing the said firewall operations you won’t be able to ping 0.11 from 0.10 and vice versa! It seems more solid than with the gateway’s firewall on.

I didn’t say that it wouldn’t work with libvirt. Please re-read my answer. Just needs a maintainer/developer working on it and lots of work.

There is a long list of things “that should be done”.

[quote=“qemu, post:5, topic:438”]I could ping 0.11 from 0.10 but could not ping 0.10 from 0.11. Then i figured out that it was the firewall of 0.10 causing problems. I did
sudo iptables -F
sudo iptables -A INPUT -j ACCEPT
sudo iptables -A OUTPUT -j ACCEPT[/quote]
This should only be used during development.

Seems like a question unrelated to qemu / kvm → please consider a separate thread.

Much faster = without Tor?

Leak tests:

Really bad idea.

If it works with libvirt and without firewall modifications, this is a good indication that it should work without libvirt and with qemu as well without firewall modifications. If firewall modifications are required (recommended against), then there must be something wrong with the qemu settings.
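To make the point above concrete, here is an added example (not posted by anyone in the thread) of what "qemu settings that need no firewall changes" look like. It assumes Whonix's usual two-interface gateway design: the gateway's first NIC (eth0) is its external, NAT-ed uplink and its second NIC (eth1) sits on an internal network that only the workstation is attached to; the workstation gets that one internal NIC and nothing else. The script builds both command lines with QEMU's -netdev/-device syntax (the thread's legacy -net/vlan= syntax hubs every -net option with the same vlan number together, including -net user, which is what gives a workstation a path that bypasses the gateway), and includes a small check that refuses a workstation argument string carrying any user, tap or bridge backend. The image paths, the MACs and port 1234 are taken from the thread; qemu-system-x86_64 is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: gateway/workstation command lines with separate
# external and internal networks, plus a check that the workstation has no direct
# host network path. Assumes qemu-system-x86_64 on PATH and the thread's image paths.

GW_IMG="${GW_IMG:-$HOME/Whonix-Gateway/Whonix-Gateway.qcow2}"
WS_IMG="${WS_IMG:-$HOME/Whonix-Workstation/Whonix-Workstation.qcow2}"
INTERNAL_PORT=1234               # TCP port of the -netdev socket link (from the thread)
GW_EXT_MAC="DE:AD:BE:EF:9C:BC"   # MACs taken from the thread's command lines
GW_INT_MAC="DE:AD:BE:EF:2A:6E"
WS_INT_MAC="DE:AD:BE:EF:12:4A"

common_args() {
  printf '%s' "-enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga std"
}

# Gateway: eth0 on a user-mode NAT backend (Tor's uplink), eth1 on the socket backend
# that only the workstation connects to. Device order decides the eth0/eth1 naming.
gateway_args() {
  printf '%s' "-hda $GW_IMG -m 386M $(common_args)" \
    " -netdev user,id=ext,net=10.0.2.0/24" \
    " -device e1000,netdev=ext,mac=$GW_EXT_MAC" \
    " -netdev socket,id=int,listen=:$INTERNAL_PORT" \
    " -device e1000,netdev=int,mac=$GW_INT_MAC"
}

# Workstation: exactly one NIC, on the socket backend. With no user/tap/bridge backend
# every frame it emits can only arrive at the gateway's internal interface.
workstation_args() {
  printf '%s' "-hda $WS_IMG -m 1500M $(common_args)" \
    " -netdev socket,id=int,connect=127.0.0.1:$INTERNAL_PORT" \
    " -device e1000,netdev=int,mac=$WS_INT_MAC"
}

# Returns 0 when the argument string names no network backend other than 'socket'.
# Works for both the -netdev syntax above and the thread's legacy -net syntax.
check_workstation_isolated() {
  for word in $1; do
    case "$word" in
      user|user,*|tap|tap,*|bridge|bridge,*) return 1 ;;
    esac
  done
  return 0
}

if [ "${1:-}" = "--run" ]; then
  # shellcheck disable=SC2046
  qemu-system-x86_64 $(gateway_args) &
  sleep 2   # the gateway's socket listener must exist before the workstation connects
  qemu-system-x86_64 $(workstation_args)
else
  echo "gateway:     qemu-system-x86_64 $(gateway_args)"
  echo "workstation: qemu-system-x86_64 $(workstation_args)"
  check_workstation_isolated "$(workstation_args)" && echo "workstation has no direct host network path"
fi
```

Run it without arguments to print and check the two command lines, or with --run to start both VMs (gateway first, since it owns the listening side of the socket). Feeding the thread's own workstation line to check_workstation_isolated fails the check because of its -net user backend.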

Hidden services do not work with gateway’s firewall off and workstation’s on. I allowed the ports of HSs in workstation’s firewall but they still do not work ):

Why shouldn't it work without libvirt?

Like Patrick just mentioned, libvirt is an abstraction API. It does not affect performance in any way.

Running qemu without libvirt removes protections provided by the sVirt framework that are part of it. This will not be encouraged by Whonix devs and therefore will not be documented.

No need to be afraid of leaks unless you have already solved hardware tracking issues…

I modified the commands because I have come across out-of-RAM issues which resulted in a crash of one of the Whonix VMs running in qemu. The modified commands are as follows, sudo not needed:

/usr/bin/X11/qemu-system-x86_64 -hda ~/Whonix-Gateway/Whonix-Gateway.vdi -m 386M -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga std -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:9C:BC -net socket,listen=:1234,vlan=0 -net user,vlan=0,net=192.168.0.10/24,dhcpstart=192.168.0.10 -usb

/usr/bin/X11/qemu-system-x86_64 -hda ~/Whonix-Workstation/Whonix-Workstation.vdi -m 1500M -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga std -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:12:4A -net socket,connect=127.0.0.1:1234,vlan=0 -net user,vlan=0,net=192.168.0.11/24,dhcpstart=192.168.0.5 -usb

You can attach USB devices: press Alt+Ctrl+2, type info usbhost to get the xxxx:xxxx id, then usb_add host:xxxx:xxxx to attach the device, and press Alt+Ctrl+1 to get back to the desktop.

The issue to make hidden services working also solved.
Edit file in workstation:

sudo vi /usr/bin/whonix_firewall
Above ##+# OptionalFeatureNr.2# paste:
iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p tcp --dport 5280 -j ACCEPT
iptables -A INPUT -p tcp --dport 11009 -j ACCEPT

Save
Then
sudo /usr/bin/whonix_firewall

This will allow running torchat and an ejabberd server for decentralized chat. ejabberd is better because you may use gpg encryption. Also two ejabberd servers may communicate with each other. Better than torchat.
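Two things in this thread touch the firewall: the flush-and-accept-everything rules Patrick says should only be used during development, and the four --dport ACCEPT lines added above for the hidden services. As an added example (not from any poster), here is a small POSIX sh/awk audit that reads an iptables-save dump and reports what a reviewer would look for: a default ACCEPT policy on INPUT, a blanket "-A INPUT -j ACCEPT" with no match criteria, and the list of ports the service rules open. The two rulesets inside are constructed for the example: one modelled on the flushed chain, one a DROP-by-default chain with the thread's four ports.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump of the INPUT chain
# for a default ACCEPT policy and blanket accepts, and list the ports opened.
# Needs only POSIX sh and awk.

# Constructed sample: what 'iptables -F; iptables -A INPUT -j ACCEPT; ...' leaves behind.
FLUSHED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT'

# Constructed sample: DROP-by-default chain opening only the hidden-service ports from
# the thread, written the way iptables-save renders '-p tcp --dport N' rules.
HS_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5280 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11009 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Reads an iptables-save dump on stdin, prints one finding per line, and exits 1 if
# any WARN finding was produced (0 otherwise), so it can gate a script.
audit_input_chain() {
  awk '
    $1 == ":INPUT" && $2 == "ACCEPT" { print "WARN default INPUT policy is ACCEPT"; bad = 1 }
    $1 == "-A" && $2 == "INPUT" {
      # exactly "-A INPUT -j ACCEPT": a target with nothing qualifying the match
      if (NF == 4 && $3 == "-j" && $4 == "ACCEPT") { print "WARN blanket accept: " $0; bad = 1; next }
      for (i = 3; i < NF; i++)
        if ($i == "--dport") print "INFO open port " $(i + 1) ": " $0
    }
    END { exit bad ? 1 : 0 }
  '
}

# Wrappers so each constructed sample can be audited by name.
audit_flushed() { printf '%s\n' "$FLUSHED_RULES" | audit_input_chain; }
audit_hs()      { printf '%s\n' "$HS_RULES" | audit_input_chain; }

# Number of ports the hidden-service ruleset opens.
count_open_ports() { audit_hs | grep -c '^INFO open port'; }

echo "== flushed ruleset =="
audit_flushed || echo "result: UNSAFE"
echo "== hidden-service ruleset =="
audit_hs && echo "result: ok ($(count_open_ports) ports open)"
```

On a live system pipe the real dump in instead: sudo iptables-save | audit_input_chain. The exit status is what matters when scripting it; the INFO lines are there so the open ports can be compared against what the hidden services actually need.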

To use spice do as follows:
On host (Debian, Ubuntu)
sudo apt-get install spice-client libspice-server1
On guest whonix-workstation
sudo apt-get install xserver-xorg-video-qxl
Stop workstation. Start it now with command
/usr/bin/X11/qemu-system-x86_64 -hda ~/Whonix-Workstation/Whonix-Workstation.vdi -m 1500M -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga qxl -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:12:4A -net socket,connect=127.0.0.1:1234,vlan=0 -net user,vlan=0,net=192.168.0.11/24,dhcpstart=192.168.0.5 -usb -spice port=5390,addr=127.0.0.1,password=youranyrandomspicepassword,ipv4
Open another terminal tab and to start spice window paste
spicec -h 127.0.0.1 -p 5390 -w youranyrandomspicepassword
To maximize/toggle spice window use shift F11
Cursor autocapture will work.
You may also try to start the workstation with
/usr/bin/X11/qemu-system-x86_64 -drive file=~/Whonix-Workstation/Whonix-Workstation.vdi,if=virtio -m 1500M -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga qxl -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:12:4A -net socket,connect=127.0.0.1:1234,vlan=0 -net user,vlan=0,net=192.168.0.11/24,dhcpstart=192.168.0.5 -usb -spice port=5390,addr=127.0.0.1,password=youranyrandomspicepassword,ipv4

It should give HDD boost.

Ram filling and crash issue has not been solved by -m 1700M.

The option “-cpu host” activates the nested page feature provided that your guest is 64-bit.

No need to be afraid of leaks unless you have already solved hardware tracking issues...

These are two separate problems. Hardware serial leakage has been tested for already and is determined not to be a problem. sVirt provides a very important safety net. The developers behind KVM see its relevance. I’d take their opinions seriously if I were you…

Problem is, user “qemu” hasn’t referred to what (s)he meant by “hardware tracking issues”. So now you and (s)he are talking about different things, I think.

I guess he meant this:

I added -balloon virtio to commands and converted both images to qcow2. OS runs fast like hell but the issue remains. Ram is filled and workstation crashes.

/usr/bin/X11/qemu-system-x86_64 -hda ~/Whonix-Workstation/Whonix-Workstation.qcow2 -m 1500M -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga qxl -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:12:4A -net socket,connect=127.0.0.1:1234,vlan=0 -net user,vlan=0,net=192.168.0.11/24,dhcpstart=192.168.0.5 -usb -spice port=5390,addr=127.0.0.1,password=youranyrandomspicepassword,ipv4 -balloon virtio

/usr/bin/X11/qemu-system-x86_64 -drive file=~/Whonix-Workstation/Whonix-Workstation.qcow2,if=virtio -m 1500M -enable-kvm -machine type=pc,accel=kvm -cpu host -smp 2,sockets=1,cores=2 -vga qxl -net nic,model=e1000,vlan=0,macaddr=DE:AD:BE:EF:12:4A -net socket,connect=127.0.0.1:1234,vlan=0 -net user,vlan=0,net=192.168.0.11/24,dhcpstart=192.168.0.5 -usb -spice port=5390,addr=127.0.0.1,password=youranyrandomspicepassword,ipv4 -balloon virtio

How can I fix this memory issue?

It seems that I have solved the RAM issue. I changed -cpu host to -cpu qemu64,+vmx
Now there is no constant RAM increase phenomenon. RAM is quiet and stays on one level, and even takes less than was set by -m 1500M.