Whonix Hidden Service Hosting Initiative -> KVM development

So there is no intention to make whonix a solution for hosting hidden services? Everything I tested was a disaster and posts about it are regarded as not necessary…
This is sad as this is throwing away a huge potential.

There is:

Plus to my knowledge, at time of writing, no major code or documentation contributions have ever been rejected yet.

What is missing?

Everything I tested was a disaster and posts about it are regarded as not necessary...
I don't understand what you mean.

Pfff… ^^ all I do is to repeat myself again and again. I agree that whonix is ok for an individual to host his own hidden service (no doubt about that), only for hosting 10 or more it is simply not usable until now.

First I started installing some server configs on the ova images. Cloning these installs is useless as they are unpredictable and lose data and become unusable (known issue).

Second it doesn’t make sense to host 100 GB images - no matter what technology is behind that (known issue). For hosting the performance has to be good, sparse files for sure are OK for one hidden service, but hosting 100 or more services will end up in disaster by disk io. Plus it would need 10 TB hd for 100 services in raw format - this is nonsense.

Third I used qcow images in different configurations. The best result I had until now was a start screen of the vm with many funny colored ascii (known issue, missing config??).

Fourth I asked about making a build on a vm - again I’ve been told that this is not necessary and so on… :frowning:

Before it goes on like this (what I don’t like and so will not) I mention also the discussions about the whonix future. Hosting offers a possibility to earn some money (and publicity or even fame) for the whonix project, so use it and open the doors.

My simple mind does not understand why it is so absolutely impossible to create a 10 GB raw image of whonix (or why you guys just don’t want to hear about this). Possible reasons might be that technically that is not possible, or you have no intention to do something like this, or you don’t know how to make it, or you want to make your own hosting service, or, or… Maybe a straightforward answer would be nice.

Not a known issue to me. Cloning VirtualBox VMs always worked for me. No data loss. “Only” the snapshot feature is known to be vulnerable for data loss. When running multiple Whonix-Workstation’s at the same time, a small change is required (Multiple Whonix-Workstation). The latter is non-ideal, but technically difficult to solve and should be within the abilities of someone hosting more than 1 hidden service.

Second it doesn't make sense to host 100 GB images
We're doing this for VirtualBox ova's. No one ever noticed and at least that part works flawlessly.
For hosting the performance has to be good, sparse files for sure are OK for one hidden service, but hosting 100 or more services will end up in disaster by disk io.
Do you have any data to back this up? http://kparal.wordpress.com/2013/10/01/kvm-disk-performance-raw-vs-qcow2-format/ says the performance qcow2 vs raw is negligible.

For such specialized problems (100+ hidden services) you unfortunately need quite some expertise either way. Building from source and using your own image configuration should be within reach.

Plus it would need 10 TB hd for 100 services in raw format - this is nonsense.
Well, for the specialized problem (100+ hidden services), I'd say, shrink the disk before duplicating it.
Third I used qcow images in different configurations. The best result I had until now was a startscreen of the vm with many funny colored ascii (known issue, missing config??).
Let's see: https://www.whonix.org/forum/index.php/topic,159.msg2201.html#msg2201
Fourth I asked about making a build on a vm - again I've been told that this is not necessary and so on... :(
Well, I thought I made convincing arguments, described technical challenges and haven't heard convincing arguments for the other side.
Hosting offers a possibility to earn some money (and publicity or even fame) for the whonix project, so use it and open the doors.
Well, everyone has a different advice on what is the best way. What should be supported. I am quite sure, if Whonix was KVM-only, that there would be loads of requests for VirtualBox, "since Windows users are many and will help earn some money". ;)
My simple mind does not understand why it is so absolutely impossible to create a 10 GB raw image of whonix
It's not impossible.
Possible reasons might be that technically that is is not possible,
It's possible. When you build from source, you only need to set one variable. Whonix's build script works with raw images by default. Size is configurable by a variable. Later they are converted to .qcow2 and .ova.
or you want to make your own hosting service, or, or...
No such plans.
or you have no intention to do something like this, or you don't know how to make it,
Maybe a straightforward answer would be nice.
Well, there is no real KVM support by the Whonix project yet as there is for VirtualBox. KVM is in development. I, for one, am not sure yet on how much I can maintain alone. Maybe no more than VirtualBox builds. Therefore help is required with any additional platforms. Everyone wants something else. Qubes OS port, direct Xen port, KVM port, LXC port, Android port, Ubuntu port, BSD port, onionshare support, owncloud support, yacy by default, macchanger, better hidden service support, better circumvention support, the list goes on and on and on... In the stream of good suggestions, it's difficult to make the best choice.
Cloning these installs is useless as they are unpredictable and lose data and become unusable (known issue).

Not a known issue to me. Cloning VirtualBox VMs always worked for me. No data loss. “Only” the snapshot feature is known to be vulnerable for data loss. When running multiple Whonix-Workstation’s at the same time, a small change is required (Multiple Whonix-Workstation). The latter is non-ideal, but technically difficult to solve and should be within the abilities of someone hosting more than 1 hidden service.

Simply not true, you yourself declared cloning vbox images as unreliable when I brought up that problem in the chat. Never mind.
Also for the other issues I have other experiences than you have, my guess is that there might be system and/or configuration differences that play an important role also.

At least I succeeded in a terminal-only 32 bit gateway build on a wheezy kvm. After setting
WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
WHONIXCHECK_NO_EXIT_ON_KVMCLOCK_DETECTION="1"
whonixcheck runs without any problem and everything else looks nice.

Now I hope that the terminal only option also is thought to work in the workstation? :wink:

Quoting zweeble (post 5, topic 165), who quoted:

Cloning these installs is useless as they are unpredictable and lose data and become unusable (known issue).

Not a known issue to me. Cloning VirtualBox VMs always worked for me. No data loss. “Only” the snapshot feature is known to be vulnerable for data loss. When running multiple Whonix-Workstation’s at the same time, a small change is required (Multiple Whonix-Workstation). The latter is non-ideal, but technically difficult to solve and should be within the abilities of someone hosting more than 1 hidden service.

Simply not true, you yourself declared cloning vbox images as unreliable when I brought up that problem in the chat. Never mind.
Quite possible, that I expressed that wrongly or just messed up. In any case. The correction and my current opinion is: VBox snapshot feature caused multiple times data loss for me. The VBox clone feature never.

Now I hope that the terminal only option also is thought to work in the workstation? ;)
Yes.

Changing network settings…

The 8.1 builds (no 8.2?) look fine but I run into some network trouble, the workstation cannot find the gateway.
During the build they were set to 192.168.0.10 and 11, this does not fit in that network.

Before I start hacking around too much, first some basic questions:

  • does the build process make a fixed network install (I don’t think so, though) or can it be changed afterwards?
  • the ws ip can be changed, but how about the gw? Is there more to change than in /etc/network/interfaces?
The 8.1 builds (no 8.2?) look fine
8.2. should do as well. Only minor changes.
192.168.0.10 and 11, this does not fit in that network.
Why not?
- does the build process make a fix network install (I don't think so, though)
It installs an /etc/network/interfaces on both gw and ws.
or can it be changed afterwards?
Both would be possible. Changing it before would require knowledge of git. Changing it afterwards does not require git knowledge.
- the ws ip can be changed, but how about the gw?
Can also be changed. Requires knowledge about valid IPs / subnets. See also: http://www.subnet-calculator.com/
Is there more to change than in /etc/network/interfaces?

Unfortunately you would have to change the IP in a lot of places then.

In the Whonix 8 source folder:

grep -r 192.168.0.10 *
man/whonix_shared/uwt.1.ronn:`sudo uwt -t 5 -i 192.168.0.10 -p 9104 /usr/bin/apt-get.whonix-orig --yes dist-upgrade`
man/whonix_shared/uwt.1.ronn:    uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget ${1+"$@"}
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:TransPort 192.168.0.10:9040
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:DnsPort 192.168.0.10:53 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9050
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9100
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:#SocksPort 192.168.0.10:9100 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9101 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9102 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9103 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9104
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9105 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9106 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9107 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9108 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9109 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9110 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9111
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9112
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9113
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9114 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9115 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9116 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9117 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9118 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9119
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9120 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9121 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9122
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9123
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9124
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:##  127.0.0.1:9150 to 192.168.0.10:9150.)
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9150
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9152
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9153
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9154
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9155
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9156
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9157
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9158
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9159
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9160 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9161 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9162 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9163 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9164 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9165 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9166 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9167 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9168 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9169 IsolateDestAddr
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9170 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9171 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9172 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9173 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9174 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9175 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9176 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9177 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9178 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9179 IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9180 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9181 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9182 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9183 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9184 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9185 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9186 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9187 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9188 IsolateDestAddr IsolateDestPort
whonix_gateway/usr/share/tor/tor-service-defaults-torrc.whonix:SocksPort 192.168.0.10:9189 IsolateDestAddr IsolateDestPort
whonix_gateway/etc/network/interfaces.whonix:       address 192.168.0.10
whonix_shared/usr/bin/uwt:        echo "         sudo $NAME -i 192.168.0.10 -p 9104 /usr/bin/apt-get --yes dist-upgrade"
whonix_shared/usr/share/whonix/apt-cacher-ng-uwt:   ip="192.168.0.10"
whonix_shared/usr/lib/whonix/whonixcheck/10_preparation:      GATEWAY_IP="192.168.0.10"
whonix_shared/usr/lib/whonix/whonixcheck/10_preparation:      GATEWAY_IP="192.168.0.10"
whonix_shared/etc/sdwdate.d/31_whonix_stream_isolation_plugin:PROXY="192.168.0.10:9108"
whonix_shared/etc/whonix.d/30_uwt_default:      uwtwrapper_gateway_ip="192.168.0.10"
whonix_workstation/usr/bin/torbrowser:GATEWAY_IP="192.168.0.10"
whonix_workstation/usr/bin/whonix_firewall:iptables -A OUTPUT -p udp --dport 53 --dst 192.168.0.10 -j ACCEPT
whonix_workstation/usr/share/whonix/leaktest/simple_ping.py:target = "192.168.0.10"
whonix_workstation/usr/share/whonix/kde/share/config/kioslaverc:socksProxy=http://192.168.0.10 9122
whonix_workstation/usr/share/whonix/home/.torchat/torchat.ini:tor_server = 192.168.0.10
whonix_workstation/usr/share/whonix/home/.torchat/torchat.ini:tor_server = 192.168.0.10
whonix_workstation/usr/share/whonix/home/.xchat2/xchat.conf:# /set net_proxy_host 192.168.0.10
whonix_workstation/usr/share/whonix/home/.xchat2/xchat.conf:net_proxy_host = 192.168.0.10
whonix_workstation/etc/apt/apt.conf.d/90whonix:## running on 127.0.0.1:9104 forwarding to 192.168.0.10:9104.
whonix_workstation/etc/apt/apt.conf.d/90whonix:## running on 127.0.0.1:9104 forwarding to 192.168.0.10:9104.
whonix_workstation/etc/apt/apt.conf.d/90whonix:## running on 127.0.0.1:9104 forwarding to 192.168.0.10:9104.
whonix_workstation/etc/apt/apt.conf.d/90whonix:#Acquire::socks::proxy "socks://192.168.0.10:9104/";
whonix_workstation/etc/network/interfaces.whonix:       gateway 192.168.0.10
whonix_workstation/etc/resolv.conf.whonix:nameserver 192.168.0.10
whonix_workstation/etc/profile.d/20_torbrowser.sh:##   127.0.0.1:9050 to Whonix-Gateway 192.168.0.10:9050 and
whonix_workstation/etc/profile.d/20_torbrowser.sh:##   127.0.0.1:9150 to Whonix-Gateway 192.168.0.10:9150.
whonix_workstation/etc/profile.d/20_torbrowser.sh:#export TOR_SOCKS_HOST="192.168.0.10"
whonix_workstation/etc/rinetd.conf.whonix:127.0.0.1        9050      192.168.0.10    9050
whonix_workstation/etc/rinetd.conf.whonix:127.0.0.1        9150      192.168.0.10    9150
whonix_workstation/etc/rinetd.conf.whonix:127.0.0.1        11109     192.168.0.10    9119
whonix_workstation/etc/rinetd.conf.whonix:127.0.0.1        9051      192.168.0.10    9052
whonix_workstation/etc/rinetd.conf.whonix:127.0.0.1        9151      192.168.0.10    9052

Or in other words…

Search and replace the following files for

192.168.0.10

and replace with the IP you want to use.

Todo change ws and gw:

/usr/lib/whonix/whonixcheck/10_preparation
/etc/sdwdate.d/31_whonix_stream_isolation_plugin
/etc/whonix.d/30_uwt_default

Todo change gw:

/usr/share/tor/tor-service-defaults-torrc
/etc/network/interfaces
/usr/bin/whonix_firewall
   NON_TOR_WHONIXG="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"

Todo change ws:

/usr/bin/torbrowser
/usr/bin/whonix_firewall
/usr/share/whonix/leaktest/simple_ping.py
/usr/share/whonix/kde/share/config/kioslaverc
/home/user/.torchat/torchat.ini
/usr/share/whonix/home/.xchat2/xchat.conf
/home/user/.xchat2/xchat.conf
/etc/network/interfaces
/etc/resolv.conf
/etc/profile.d/20_torbrowser.sh
/etc/rinetd.conf

Maybe I could come up with a script to search and replace all those files to automate this process.

Or maybe, back to the question, why can’t KVM work with the standard IPs?

Last but not least, it may make sense to change the default IPs for Whonix 9 or 10 to something everyone can live best with as discussed in:

Unfortunately, in the stream of good suggestions, I never got to that and Cerberus has not been active for some time.

Edit:
added https://github.com/Whonix/Whonix/blob/8.2/whonix_gateway/usr/bin/whonix_firewall#L100
NON_TOR_WHONIXG="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"
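The search-and-replace script mentioned above, written here as an added example (it is not a Whonix project script and not zweeble's or Patrick's code). It takes the file list from the post, defaults to a dry run that only reports how many lines in each existing file would change, and with `--apply` rewrites the files in place while leaving a `.bak` copy. It assumes GNU grep and GNU sed (as on Debian), because it relies on `\b` word boundaries so that 192.168.0.10 is not also matched inside 192.168.0.100; the replacement address 10.0.7.10 used in the usage note is a constructed example value.

```shell
#!/bin/sh
# Added example, not Whonix project code: rewrite the hard-coded Whonix-Gateway
# IP (192.168.0.10 by default) in the gateway/workstation files listed in the
# thread. Default is a dry run; --apply edits in place, keeping FILE.bak.
# Assumes GNU grep and GNU sed (Debian), which support \b word boundaries.
set -eu

# Files that contain the gateway IP, as listed in the thread. The gw and ws
# lists are merged; files that do not exist on the image being edited are skipped.
FILES="
/usr/lib/whonix/whonixcheck/10_preparation
/etc/sdwdate.d/31_whonix_stream_isolation_plugin
/etc/whonix.d/30_uwt_default
/usr/share/tor/tor-service-defaults-torrc
/etc/network/interfaces
/usr/bin/whonix_firewall
/usr/bin/torbrowser
/usr/share/whonix/leaktest/simple_ping.py
/usr/share/whonix/kde/share/config/kioslaverc
/home/user/.torchat/torchat.ini
/usr/share/whonix/home/.xchat2/xchat.conf
/home/user/.xchat2/xchat.conf
/etc/resolv.conf
/etc/profile.d/20_torbrowser.sh
/etc/rinetd.conf
"

# valid_ipv4 IP: succeed only for a dotted quad whose octets are all in 0..255.
valid_ipv4() {
  ip="$1"
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# ip_pattern IP: regex matching IP as a whole token. Dots are escaped and \b is
# added on both sides, so 192.168.0.10 does not match inside 192.168.0.100.
ip_pattern() { printf '\\b%s\\b' "$(printf '%s' "$1" | sed 's/\./\\./g')"; }

# count_ip FILE IP: number of lines in FILE containing IP as a whole token.
count_ip() { grep -c -e "$(ip_pattern "$2")" "$1" || true; }

# replace_ip OLD NEW FILE: rewrite FILE in place (backup in FILE.bak) and print
# the number of lines changed; a missing file, or one without OLD, prints 0.
replace_ip() {
  old="$1"; new="$2"; f="$3"
  n=0
  if [ -f "$f" ]; then n=$(count_ip "$f" "$old"); fi
  if [ "$n" -gt 0 ]; then
    cp -p "$f" "$f.bak"
    sed -i "s/$(ip_pattern "$old")/$new/g" "$f"
  fi
  echo "$n"
}

# main OLD NEW [--apply]: dry run by default, rewrite the files with --apply.
main() {
  old="$1"; new="$2"; mode="${3:-}"
  valid_ipv4 "$new" || { echo "not a valid IPv4 address: $new" >&2; return 1; }
  for f in $FILES; do
    [ -f "$f" ] || continue
    if [ "$mode" = "--apply" ]; then
      echo "$f: $(replace_ip "$old" "$new" "$f") line(s) changed"
    else
      echo "$f: $(count_ip "$f" "$old") line(s) would change"
    fi
  done
  echo "note: NON_TOR_WHONIXG in /usr/bin/whonix_firewall lists subnets, not this address; edit it by hand"
}

if [ $# -ge 2 ]; then
  main "$@"
else
  echo "usage: $0 OLD_IP NEW_IP [--apply]   (default: dry run)" >&2
fi
```

Usage on a gateway image would be `sudo ./change_gw_ip.sh 192.168.0.10 10.0.7.10` to see what would change, then the same command with `--apply`. The firewall's NON_TOR_WHONIXG line is deliberately left alone: it lists networks in CIDR form, so a new gateway address outside 192.168.0.0/24 needs that list adjusted by hand as well.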

ouf, that’s some …

I started the gw build with
eth0 192.168.0.222 (bridge br0 192.168.0.2 on the host)
eth1 virtual whonix network, given 192.168.0.10 by build
whonixcheck runs all ok

and on ws
eth0 virtual whonix network, given 192.168.0.11 by build

on ws I get error tor bootstrap result: tor’s control port could not be reached, code 124
variable for tor_bootstrap_status is empty
check_socks_port_open_test: 28

and of course I cannot create another 192.168.0.0 virtual network in the physical network
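The collision described in this post (host LAN 192.168.0.0/24 behind br0 versus the Whonix internal network 192.168.0.0/24 that the build assumes) can be caught before defining the libvirt network. The following is an added example, not code from the thread or the Whonix project: it converts two CIDR networks to integers and reports whether they overlap, using only POSIX shell arithmetic (64-bit integers as in dash and bash). The 10.0.7.0/24 value in the usage line is a constructed example.

```shell
#!/bin/sh
# Added example, not Whonix project code: check whether a planned isolated
# Whonix network overlaps the host's LAN, which is the collision in the thread.
set -eu

# ip_to_int A.B.C.D: print the address as a 32-bit unsigned integer.
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask N: print the netmask for a /N prefix as an integer.
prefix_mask() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }

# cidr_network A.B.C.D/N: print "NETWORK_INT N", i.e. the address with host
# bits cleared, so 192.168.0.2/24 and 192.168.0.10/24 give the same network.
cidr_network() {
  ip=${1%/*}; prefix=${1#*/}
  echo $(( $(ip_to_int "$ip") & $(prefix_mask "$prefix") )) "$prefix"
}

# subnets_overlap CIDR1 CIDR2: succeed if the two networks share any address.
# Two networks overlap exactly when they agree under the shorter prefix.
subnets_overlap() {
  set -- $(cidr_network "$1") $(cidr_network "$2")
  p=$2; if [ "$4" -lt "$p" ]; then p=$4; fi
  mask=$(prefix_mask "$p")
  [ $(( $1 & mask )) -eq $(( $3 & mask )) ]
}

# Usage: ./netcheck.sh HOST_LAN_CIDR WHONIX_NET_CIDR, e.g. 192.168.0.0/24 10.0.7.0/24
if [ $# -eq 2 ]; then
  if subnets_overlap "$1" "$2"; then
    echo "COLLISION: $1 and $2 overlap; pick another subnet for the isolated Whonix network"
  else
    echo "ok: $1 and $2 do not overlap"
  fi
fi
```

Run with the host bridge network and the network the Whonix gateway's eth1/workstation eth0 will use; a reported collision is the situation in which the workstation could not reach 192.168.0.10 here, and moving either side (as zweeble later did with the sandbox server) resolves it.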

No matter which subnet I assign to the virtual network, Whonix seems to work fine with it.

I donno what you are using, I talk about physical builds on vms.

Now I put all nics on br0 ^^
gw is ok, but ws complains now about tor’s transport not reachable and so stream isolation test skipped.

debian package update check: libtorsocks(8019): socks v4 connect rejected, server refused connection…

That’s the problem. No idea. KVM support is not ready. If HulaHoop doesn’t know… And you’re not finding out… Well, you tell me.

As long as we don’t have a contributor knowledgeable of KVM… Or someone putting effort into figuring out the KVM issues… Or me not finally finding time sorting this out and being able to fix it… There is no KVM support.

No worries, it was easier to shift the network of my sandbox server than changing all the ips in the whonix gateway ^^

Tomorrow I’ll give it another try.

Looks much better now, still the TransPort/Stream Isolation problem remains.

This is the workstation:

[INFO] [whonixcheck] Tor Bootstrap Result: Connected to Tor.
[INFO] [whonixcheck] Whonix is produced independently of, with no guarantee from, The Tor Project. Whonix is experimental software. Do not rely on it for strong anonymity. https://www.whonix.org
[INFO] [whonixcheck] SocksPort Test: Testing Tor’s SocksPort…
[INFO] [whonixcheck] SocksPort Test Result: Connected to Tor. IP: 72.52.91.30
[INFO] [whonixcheck] TransPort Test: Testing Tor’s TransPort…
[ERROR] [whonixcheck] TransPort Test Result: Tor’s TransPort was not reachable. (curl return code: [7] - [Failed to connect to host.])
(If you disabled Tor’s TransPort, please disable this check, see whonixcheck /etc/whonix.d/30_whonixcheck_default configuration file.)
[ERROR] [whonixcheck] Stream Isolation Test: Skipped, because TransPort test failed! Can not test stream isolation.
[INFO] [whonixcheck] Whonix News Download: Checking for Whonix news and updates…
[INFO] [whonixcheck] Whonix News Download Result: Installed Whonix Debian Package 8.2-debpackage1 is up to date.
[INFO] [whonixcheck] Whonix News Download Result: Installed Whonix Build 8.1 is up to date.
[INFO] [whonixcheck] Whonix News Download Result: There is no news file available for Whonix Debian Version 8.2-debpackage1 yet.
[INFO] [whonixcheck] Whonix-Workstation Build News:
Due to the Heartbleed bug in OpenSSL, you are advised to run
sudo apt-get update && sudo apt-get dist-upgrade
as fast as possible. (You only have to do this once. Otherwise do just regular upgrades.)
[INFO] [whonixcheck] Whonix Blog Download Result: Success.
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get…
[INFO] [whonixcheck] Debian Package Update Check Result: No updates found via apt-get.
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases STABLE updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read Placing Trust in Whonix ™ to understand the risk. If you want to change this, use:
sudo whonix_repository
[INFO] [whonixcheck] Tor Browser Update Check: Checking version…
[INFO] [whonixcheck] Tor Browser Update Check Result: None installed. (/home/user/tor-browser_en-US does not exist.)

RESOLVED

uncommented in the gw interfaces at eth0: pre-up /usr/bin/whonix_firewall

Now looking forward to do some security testing

Removing “pre-up /usr/bin/whonix_firewall” results in not loading Whonix’s firewall. No Whonix firewall = no transparent proxying features.

Guess this is it. I shut down the qemu bridge on the host and leave it all to libvirt - and voila! :slight_smile:
All whonixcheck are green, the gw eth0 now has nat, the rest is behind isolated virtual whonix network 192.168.0.0

The next steps might be? Please advise!

  • Build cleanup - what can I get rid of?

  • Testing security…

  • Build on qcow instead of raw for easy up/download (convert to raw later is no problem)

  • Build 64 bit workstation for more server power. Somebody succeeded already?

  • Xen (is much closer now)

  • Docker Whonix base image (SciFi)

Guess this is it. I shut down the qemu bridge on the host and leave it all to libvirt - and voila! :) All whonixcheck are green, the gw eth0 now has nat, the rest is behind isolated virtual whonix network 192.168.0.0

Nice progress! I guess HulaHoop will be happy! :slight_smile:

https://www.whonix.org/wiki/Dev/Build_Documentation/8_full#Cleanup
The Whonix source folder can be deleted, as well as ~/whonix_binary.

- Testing security...
- https://www.whonix.org/wiki/Dev/Leak_Tests - https://www.whonix.org/wiki/Test
- Build on qcow instead of raw for easy up/download (convert to raw later is no problem)
I am not sure I understand.
- Build 64 bit workstation for more server power. Somebody succeeded already?
I made 64 bit builds already. No bigger issues expected. Debian sorted out the 64 bit support. The changes Whonix makes are unrelated to 64 bit besides kernel install and build config (very few cmd parameters), but that is trivial compared to what burden they handled. Very few changes are required in the build config. https://www.whonix.org/wiki/Dev/Build_Documentation/8_full#64bit_Builds_.28Optional.29
- Docker Whonix base image (SciFi)
No idea what that might be.
The next steps might be? Please advise!

Needs more work:

Good work Zweeble. Although I am so technically inept that I don’t know how to replicate all this in my setup without directions. Makes me sad that my efforts have been useless in the project. :frowning:

Zweeble please see if this fix works with transproxy on: Whonix Forum

I will, though meanwhile I fell into another trap ^^ never before have I made such intense use (changes, modifications) of virtual networks with libvirt, and suddenly my nice and perfectly running whonix installs failed to start properly. The reason is that libvirt uses apparmor on the host to control these virtual network devices. Sounds good, but as a fact updating changed libvirt data in apparmor seems to be a wicked issue… comparing my results with these from your KVM Support - staying the course, it seems obvious to me that all these problems are not whonix issues but libvirt-apparmor related.