Whonix Hidden Service Hosting Initiative -> KVM development

Made some 64 bit workstation 8.2 builds - all green :slight_smile:

Moved leak testing discussion here:

:slight_smile:

some ongoing changes here?

W: Failed to fetch Whonix Developer Meta Files - Browse Files at SourceForge.net Could not resolve 'tenet.dl.sourceforge.net'

[quote="zweeble, post:43, topic:165"]some ongoing changes here?

W: Failed to fetch Whonix Developer Meta Files - Browse Files at SourceForge.net Could not resolve 'tenet.dl.sourceforge.net'[/quote]
No. Works for me now. Perhaps just temporary failure somewhere (Tor network, sf, mirror)?

[quote="Patrick, post:34, topic:165"]Due to popular request in various places by various people...

Proposal for Whonix 9.

Gateway eth1.

auto eth1
iface eth1 inet static
       address 11.150.150.150
       netmask 255.255.192.0

Workstation eth0.

auto eth0
iface eth0 inet static
       address 11.150.150.151
       netmask 255.255.192.0
       gateway 11.150.150.150

I am currently testing these. This should less likely cause conflicts with physical networks, routers, kvm...

What do you think?[/quote]

Proposal updated in Whonix Forum. Let's move the IP discussions to Whonix Forum.

started workstation firewall for testing, then whonixcheck fails to find gw :'(

where is the config for the firewall?

gw 8.2 32bit
ws 8.2 64 bit
192.168.0.0 isolated virtual network

Config folder:
/etc/whonix_firewall.d

iptables rules script:
/usr/bin/whonix_firewall

The latter contains an ugly variable.

NON_TOR_WHONIXG="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"

NON_TOR_WHONIXG can in Whonix 8 only be configured by editing /usr/bin/whonix_firewall.
Not that big a deal, but non-ideal and will be improved in Whonix 9.

gw 8.2 32bit ws 8.2 64 bit
Fine, I don't think that will ever cause any issues.

What IP does the gateway eth1 have? Default 192.168.0.10? Because that IP is hardcoded into whonixcheck (not difficult to change).

But most likely this is not the issue, because whonixcheck worked without the firewall?

Is there still a problem here that needs fixing? If so, please explain. Would like to know about it so I could change the config accordingly, or if there isn't, then the blocker is removed.

Everything works for you now? whonixcheck? TransPort? No leaks? If yes... Then there are indeed no more blockers.

That is correct, it's all running perfectly. All checks coming green in whonixcheck when the unsupported hypervisor and kvmclock flags are disabled.

Ok.

Did you need to disable kvmclock check in whonixcheck? If so, that would be bad. Otherwise we're all good.

When it's disabled in the xml it's not detected when whonixcheck is looking for it. I was just lazy and didn't go back and edit the xml after I reverted a snapshot. But we're good. Sorry for the confusion.

Okay, no more blockers then.

And I will disable the strong general KVM warning in Whonix 9 in whonixcheck and replace it with a weaker "kvm support was recently added, now in testing phase" warning or something like that. Should kvmclock be detected, whonixcheck will advise to use the kvm instructions at Whonix for KVM.

HulaHoop, can you refresh my mind please? What was the issue that broke whonixcheck and TransPort test for you in kvm in past before zweeble helped us out? I am just asking, to make sure no one else is bumping into this issue. Do the KVM instructions reflect that?

Are the KVM instructions complete for now?

And I will disable the strong general KVM warning in Whonix 9 in whonixcheck and replace it with a weaker "kvm support was recently added, now in testing phase" warning or something like that. Should kvmclock be detected, whonixcheck will advise to use the kvm instructions at https://www.whonix.org/wiki/KVM.

Using the xml I currently uploaded to git, I assure you no kvmclock appears in the vm. I double-checked and ran whonixcheck with its default values.

HulaHoop, can you refresh my mind please? What was the issue that broke whonixcheck and TransPort test for you in kvm in past before zweeble helped us out? I am just asking, to make sure no one else is bumping into this issue. Do the KVM instructions reflect that?

whonixcheck was never broken and I was confused about the transproxy being off because of the wrong way we did the FIN ACK leak test.

Using the xml I currently uploaded to git, I assure you no kvmclock appears in the vm. I double-checked and ran whonixcheck with its default values.[/quote]
Sure. There will still be people who miss the KVM instructions and Whonix into KVM on their own. For those who don't have official xml settings, those get kvmclock and be warned and advised to use KVM instructions.

I guess forget about the weaker warning. We can rather add this to documentation.

Deactivated general kvm warning in whonixcheck:
https://github.com/Whonix/whonixcheck/commit/eb620c4c48c63f6f351438fe92c1f555cc6c8fe6
(https://github.com/Whonix/whonixcheck/blob/master/usr/lib/whonixcheck/check_virtualizer)

Reworded warning if kvmclock is detected a bit:
https://github.com/Whonix/whonixcheck/blob/master/usr/lib/whonixcheck/check_kvmclock#L42

just in case... if I change the host/domain names on a workstation - does this affect whonix in some way?? Should still work I guess?

Domain name of workstation = name of the VM? Whonix doesn't even notice the name of the VM, so no. Or do you mean /etc/hostname?