Whonix-installer error line 176 (Kicksecure Whonix, updates over tor, and S76 HCL)

I understand that the virtualizer is not the method prescribed. But wouldn’t you agree that it is good to have multiple pathways to access the software? For example, I said earlier that Whonix works perfectly on VirtualBox but yesterday maybe there was a cyber attack on the dnf update because the .ova was aborted. There is no way to onionize dnf. Oracle went into “Guru Meditation” and I had to rebuild her all over again. Now it works again and it’s the latest update. Maybe the KVM method on the Whonix website is the method I should implement if Fedora sometimes reconfigures VirtualBox with updates that make the imported appliances dysfunctional.

So I had decided to return to Qubes thinking that R 4.1.2 might be compatible with my hardware but it still does not recognize Alder Lake Wifi (lspci “unknown”) and the backlight is not at full brightness. Debian also does not recognize Alder Lake Wifi, so I can’t install Debian and then morph it to Kicksecure and install Whonix. I can only virtualize. Now I’m back where I started but I did learn a few things and I think there is more to discover through troubleshooting.

I restarted installing everything with 10G more for the vda. There is no easy way to resize the vda in Gnome Boxes. I tried. Suggestions I found online did not work.

This time around, I found that “su” does not work when Installing Kicksecure™ Inside Debian (morphing) but “sudo su” does provide root access. If you look at the sudoers file, the permissions are equivalent, aren’t they?

I also found that there is an onion for fasttrack now (5phj…)

And there is a way the clock can be skewed in Gnome-Redhat Boxes virtualizer. My host system time is not affected, but the guest in Boxes can be skewed and I don’t know how that happens. I corrected the time and so far it has remained on time but I didn’t close any “hole” that skewed it in the first place because I don’t know how timing attacks are carried out.

Both system tor and TBB are functional but there are the same error messages. I will upload texts of the commands and outputs.
. . .
root@debian: systemctl status tor.service
Active: active

debian@debian: ./tor-browser/Browser/start-tor-browser
curl check.torproject.org - yes connected to the tor network with new ip every time a new circuit is created

This is the result from Nyx with TBB running:
nyx - debian (Linux 5.10.9-20-amd64) Tor 0,4,7,13 (recommended)

debian@debian: torsocks w3m https://check.torproject.org
Congratulations.
. . .
I discovered that the time was off in another OS on Boxes but was correct on the Debian I morphed but ran out of space so deleted. The current enlarged morph has a skewed clock. NTP can get attacked. I have seen an off by a minute skew attack if synced over network but that shouldn’t matter because less than 30min, right? What is the best way to keep the clock correct and why is it off I wonder? Shouldn’t the time have been set correctly during installation?

I manually set the date to the correct time and the errors persist.
Not sure what is going on with Nyx (there should be a Nyx guide)

  1. but torsocks,
  2. TBB,
  3. and system tor
    all appear to be working correctly according to the tests.

Troubleshooting information
. . .
@debian:~$ sudo apt update && sudo apt full-upgrade
Hit:1 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye InRelease
Get:6 tor+http://5phjdr2nmprmhdhw4fdqfxvpvt363jyoeppewju2oqllec7ymnolieyd.onion/debian bullseye-fasttrack InRelease [12.9 kB]
Reading package lists… Done
E: Release file for tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 4h 36min 38s). Updates for this repository will not be applied.
E: Release file for tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye-updates/InRelease is not valid yet (invalid for another 4h 58min 27s). Updates for this repository will not be applied.
E: Release file for tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye-backports/InRelease is not valid yet (invalid for another 4h 58min 26s). Updates for this repository will not be applied.
E: Release file for tor+http://5phjdr2nmprmhdhw4fdqfxvpvt363jyoeppewju2oqllec7ymnolieyd.onion/debian/dists/bullseye-fasttrack/InRelease is not valid yet (invalid for another 5h 45min 26s). Updates for this repository will not be applied.

debian@debian:~$ sudo su
root@debian:/home/debian# bash ./whonix-installer-xfce --onion
whonix-installer-xfce: [NOTICE]: Executing: $ sudo – echo Successful root login
Successful root login
whonix-installer-xfce: [WARN]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
whonix-installer-xfce: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9050.
whonix-installer-xfce: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9050 rsync --dry-run rsync://127.0.0.1:9050’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘./whonix-installer-xfce: line 1569: rsync: command not found’
    whonix-installer-xfce: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9150.
    whonix-installer-xfce: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9150 rsync --dry-run rsync://127.0.0.1:9150’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘./whonix-installer-xfce: line 1569: rsync: command not found’
    whonix-installer-xfce: [ERROR]: Cannot connect to Tor SOCKS proxy.

root@debian:/home/debian# su
root@debian:/home/debian# bash ./whonix-installer-xfce --onion
whonix-installer-xfce: [NOTICE]: Executing: $ sudo – echo Successful root login
Successful root login
root@debian:/home/debian#
root@debian:/home/debian# systemctl status tor.service
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: e>
Active: active (exited)
Main PID: (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 7062)
Memory: 0B
CPU: 0
CGroup: /system.slice/tor.service

Mar 23 09:29:54 debian systemd[1]: Starting Anonymizing overlay network for TCP>
Mar 23 09:29:54 debian systemd[1]: Finished Anonymizing overlay network for TCP>
lines 1-11/11 (END)

debian@debian:~$ firejail --private=~/tor-browser ./Browser/start-tor-browser
Reading profile /etc/firejail/start-tor-browser.profile
Child process initialized in 164.63 ms
[also tried without firejail sandboxing and same result]
. . .

Clock inside VM can be different from clock on the host.

To check inside VM, run inside the VM:

date

Most likely your clock is fast by approximately 5 hours.

Also note:

To fix until we fix that in the installer:

sudo apt install rsync

I agree but resources are limited.

Malware, Computer Viruses, Firmware Trojans and Antivirus Scanners chapter Valid Compromise Indicators versus Invalid Compromise Indicators in Kicksecure wiki

Kicksecure ™ in VirtualBox - Troubleshooting - Kicksecure ™ does not Start? chapter Guru Mediation in Kicksecure wiki

Safely Use Root Commands chapter Substitute User (su) Command in Kicksecure wiki
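
Added example, not part of the thread or the installer's own code: a Python triage of the two failure signatures in the transcript above. It separates a missing probe tool from a genuine proxy mismatch in `actual_response_header`, and derives the minimum clock offset implied by apt's "not valid yet" errors. The function names and the placeholder repository host are assumptions.

```python
import re

# Constructed sample: message shapes and durations come from the transcript
# in this thread; the repository host is a placeholder.
SAMPLE = """\
E: Release file for tor+http://placeholder.onion/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 4h 36min 38s). Updates for this repository will not be applied.
E: Release file for tor+http://placeholder.onion/debian/dists/bullseye-fasttrack/InRelease is not valid yet (invalid for another 5h 45min 26s). Updates for this repository will not be applied.
whonix-installer-xfce: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?
actual_response_header:
'./whonix-installer-xfce: line 1569: rsync: command not found'
"""

EXPECTED_HEADER = "HTTP/1.0 501 Tor is not an HTTP Proxy"
NOT_VALID_YET = re.compile(r"not valid yet \(invalid for another ([^)]+)\)")
DURATION_PART = re.compile(r"(\d+)\s*(d|h|min|s)\b")
UNIT_SECONDS = {"d": 86400, "h": 3600, "min": 60, "s": 1}
MISSING_TOOL = re.compile(r"line \d+: (\S+): command not found")


def duration_seconds(text):
    """Convert an apt duration such as '4h 36min 38s' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in DURATION_PART.findall(text))


def min_clock_offset(log):
    """apt prints 'not valid yet' when a Release file's Date is later than the
    local clock, so the largest remaining wait is a lower bound on the offset
    between the local clock and the repository's timestamp."""
    waits = [duration_seconds(d) for d in NOT_VALID_YET.findall(log)]
    return max(waits, default=0)


def classify_probe(actual_header):
    """Interpret the installer's actual_response_header for one SOCKS probe."""
    if EXPECTED_HEADER in actual_header:
        return "tor-socks-port"
    tool = MISSING_TOOL.search(actual_header)
    if tool:
        # The probe never reached the port; the result says nothing about Tor.
        return "probe-tool-missing:" + tool.group(1)
    return "unexpected-response"


def triage(log):
    """Summarise clock offset and probe verdicts for a pasted transcript."""
    probes = [classify_probe(line) for line in log.splitlines()
              if "command not found" in line or EXPECTED_HEADER in line]
    return {"min_clock_offset_s": min_clock_offset(log), "probes": probes}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
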

Thank you. I will read up on the information you provided and see if I can make it work. You have the best collection of internet privacy and security guides I have found online!

But the time is correct. The time has been correct and still is but the installer does not complete.

I noticed that Whonix Gateway has a troubleshooting feature in the connections dialogue that provides the option of looking at journalctl if the circuit failed to build. Is there a precise command for looking up the relevant information about the tor connection so I can prove to you that it is not about the time?

For example,
sudo journalctl -o short
produced this sample:
. . .
timesanitycheck.service
tor.service
tor@default.service
udisks2.service
ufw.service
upower.service
user-runtime-dir@1000.service
user@1000.service
wpa_supplicant.service
-.slice
system-getty.slice
system-modprobe.slice
system-tor.slice
. . .

time.gov result

01:31:26 P.M.
Your clock is off by:
+0.196 s

Yes, now the installation is downloading after installing rsync. There is a warning about nested virtualization. Is there a way to make an iso of a virtual guest image so I could un-nest it now that it is built and install directly on hardware? I see that there is even better security with physical isolation. I was thinking about installing Whonix Gateway on a Mobian Posh morphed into Kicksecure with Pine64 LTE and then tethering that to a Whonix Workstation laptop.
. . .
whonix-installer-xfce: [WARN]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
. . .

? ? ? But: torsocks w3m https://forums.whonix.org
Powered by Discourse, best used with JavaScript enabled
And TBB and tor.service running

? ? ? Clock changes itself spontaneously but I can reset it manually.

Host can be compromised
That’s why I wanted Qubes but Incompatible with Alder Wifi.

------------ > Download ova complete!
Towards the end, Whonix Installer asks, agree to start virtualizer? y/n - Y - and then VirtualBox doesn’t start. So nesting won’t work. I read about nesting causing more attack surface but doesn’t Qubes nest qubes-vms on top of Xen hypervisor? So there must be a great deal of complexity involved in VM nesting properly. If I studied Kubevirt would that help to figure out how to nest VMs?

Hopefully Kicksecure or maybe Whonix will complete an iso soon that is compatible with the latest Intel (Alder Lake). Qubes and Debian are not at the moment. What are your fundraising goals?

So the method I tried cannot be done at present. The best I can do is harden Fedora so VirtualBox Guest Whonix is not made derelict with a compromising dnf update. CentOS has onionized EPEL. Maybe Arch with Pacman over tor would be a more secure host.

Thanks for exploring this method. Learned a lot!

Just completed the KVM installation (Virtual Machine Manager) for Fedora of Whonix. It works just like VirtualBox except for sudo setup-dist on the Gateway which is cli. Then, booting live, entering user and password, what comes next? Is running sudo systemctl start tor.service on Gateway cli the same as tor connection control panel on the Gateway gui? The Workstation can connect to tor this way but I am not sure what is the best method. Then, if I want to add obfs4 there are commands to input into the KVM Gateway cli? The KVM Whonix page does not elaborate. There are a lot of fine-tuning options for Qemu listed but is there any information about Gateway cli commands available?

Please create another thread regarding KVM issue. Let’s keep this thread focused on the installer.

Do not try nesting… try the normal way, it works and has no disadvantages.

The installer is only compatible with Debian, it should only be run on bare metal Debian or bare metal Kicksecure or bare metal Whonix.

The images will be downloaded on your host and then you can start VirtualBox to access the Whonix VMS.
No nesting required.

Sorry for that, this is being fixed.

Please follow the instructions Whonix Linux Installer for VirtualBox

The installer is not supposed to be run as root, privileges are only used when necessary. If you run the installer as root, you are downloading to the root directory and starting virtualbox as root, as well as every other command. I will block calling that installer as root.

For KVM related, I have made another thread in that forum subsection. But that topic is related because KVM is nesting (Kicksecure Template [host b.] in Qubes [host a.]) unless people know how to reproduce the functions of tor-connection-panel via Whonix Gateway CLI. I don’t have a way to install Kicksecure or Qubes on bare metal. Wish I did. Alder Lake wifi is not compatible with Debian or Qubes at present.

I have and VirtualBox Whonix works well on Fedora except when dnf updates do something that requires rebuilding. Described above.

It wasn’t working the prescribed method, that’s why I tried something different. The only method that works for my system and hardware (System 76) as directed by the standard, official guides is VirtualBox unless someone can provide solutions of KVM on Fedora host.

Since you are most interested in the installer, I will remind you that there still is no explanation for why it wasn’t working because TBB, system tor, and torsocks were all functional. There must be peculiarities particular to certain nesting dynamics. Qubes is nested, so nesting is not an obstacle in the abstract. If done correctly, it can even enhance security. Isn’t that the point of Qubes?

Troubleshooting - Whonix chapter Unsuitable Connectivity Troubleshooting Tools in Whonix wiki

Only this:

Not that I know.

Unspecific to Whonix.

You can completely ignore any GUI tools. These are just simple automation, usability tools. If anything breaks, the config files, logs need to be looked at manually as well as manual debugging.

No, that’s not how that works.

Please do not substitute saying Tor when you mean Tor Browser as this causes confusion.

Not KVM specific.

Tor Documentation for Whonix ™ Users chapter Edit Tor Configuration in Whonix wiki

There is this:

Otherwise it is kept as unspecific and as non-weird as possible. This is to allow ease of debugging, keeping things simple and whatnot.

Qubes by default does not use any nested VMs.

I was comparing the functionality of VirtualBox Whonix with KVM Whonix where the former is able to provide a stable tor connection and the latter–at least with the Gateway running just tor.service–can be disrupted. In other words, at the same access point and same ISP, I do not require bridges with VirtualBox Whonix, so I should not require bridges with KVM Whonix.

I am not sure what you mean. Shouldn’t Tor Browser function as expected if Tor is functioning as intended via the Gateway (with systemctl start tor.service). I will read up on the “Common Whonix CLI Commands” and see if I can make sense of how to reproduce the quality performance of tor-control-panel via commands.

The KVM installation instructions page specifies how to install for multiple types of linux hosts. RADS is only specific to Kicksecure. I am saying there should be RADS instructions for the rest of the linux hosts, all of which would be specific to KVM according to different linux hosts. That said, maybe this is irrelevant if I can determine what commands will make the Gateway function like it is supposed to. tor.service doesn’t perform the same as tor-control-panel. I don’t know why.

Then nesting is a term that could be elaborated upon. If Qubes has Xen at Dom0 (a hypervisor is a VM, isn’t it?) and then VM qubes are built on top of that hypervisor, and even a Kicksecure template VM with Whonix VM on top of that, then isn’t that a structure of multiple nested VMs?

Yes. That’s what I was looking for. Thanks. I will test it.
sudo systemctl start tor.service
is not the same as
lxsudo anon-connection-wizard
or
sudo service networking restart
sudo service tor restart
is it?
But those are the commands to use for initiating the tor connection, right? No need for RADS then.

No. Need for RADS. I opened a topic in KVM just now to focus on this question. These commands do not improve the function of Whonix in KVM. service networking is systemd like tor.service but corresponding KVM Workstation does not function properly, probably because the Gateway is not connecting to tor in the right way.

KVM setup is quite more complicated than VirtualBox. So what I would suspect that networking could be completely broken in KVM. Meaning, User clearnet on Whonix-Gateway cannot connect to any clearnet destination whatsoever. And if the networking is completely broken, then Tor won’t work either. To test that, see Troubleshooting - Whonix chapter Clearnet Connectivity Test in Whonix wiki.

Generally, this page has a ton of troubleshooting steps.

rads doesn’t run on the host operating system.

But perhaps you mean how to assign more/less RAM to KVM VMs. That is undocumented for KVM. This is an imperfection in the documentation. Reported a bug here just now:

No idea when this will be done as I don’t maintain KVM. Meanwhile, this question is unspecific to Whonix. It’s the same for any KVM VM no matter if Whonix or non-Whonix.

No, Qubes really isn’t nested by default.

Nested virtualization means if a virtualizer runs inside a virtualizer.

Whonix being based on Kicksecure doesn’t imply nested virtualization.
Kicksecure being based on Debian doesn’t imply nested virtualization either.

Debian with Kicksecure “running on top” is just a way to say “Kicksecure software packages are installed on Debian”. Not about nested virtualization.

A hypervisor is a software that can run VMs.
A hypervisor is a virtualizer.
A hypervisor is not a VM itself.

One part is commands. The other part is configuration files which I mentioned earlier in a reply to you here somewhere.