Whonix on Mac M1 (ARM) - Development Discussion

The VM settings are of crucial importance. One would have to go through all of these options one by one, reading the man page and perhaps related materials.

Ideally UTM could use libvirt; then UTM could share most of Whonix KVM's configuration more easily rather than using the QEMU command line directly. That would simplify things and make supporting different virtualizers simpler, since these would be more similar.

This is very important and needs the most attention to get right, to avoid IP leaks.

From the UTM config files. Relevant options:

Whonix-Gateway

-device virtio-net-pci,netdev=external
-device virtio-net-pci,netdev=internal
-netdev user,id=external,ipv6=off,net=10.0.2.0/24
-netdev socket,id=internal,listen=:8010

Whonix-Workstation

-device virtio-net-pci,netdev=internal
-netdev socket,id=internal,connect=127.0.0.1:8010

Doesn’t look crazy. Related documentation:
https://wiki.qemu.org/Documentation/Networking

But it has the same issue that KVM has. VM internal traffic is visible on the host for network sniffers such as wireshark, tshark.
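Added example, not code from the UTM or Whonix projects: a small POSIX shell check over QEMU argument lists shaped like the UTM options quoted above (copied here as constructed sample strings, plus a deliberately misconfigured Workstation variant). It flags any `-netdev` backend other than `socket` on the Workstation, since backends such as `user`, `tap`, `bridge` or `vmnet` give the guest a path to the host network, and it reports `-device ... netdev=` references that have no matching `-netdev id=`. The function names are mine; the check reads the argument string only and does not inspect a running VM.

```shell
#!/bin/sh
# Added example (not from Whonix or UTM): sanity-check QEMU -netdev/-device
# arguments for a Whonix-style Gateway/Workstation pair.

# Constructed sample argument lists, in the shape of the UTM config above.
GATEWAY_ARGS='-device virtio-net-pci,netdev=external -device virtio-net-pci,netdev=internal -netdev user,id=external,ipv6=off,net=10.0.2.0/24 -netdev socket,id=internal,listen=:8010'
WORKSTATION_ARGS='-device virtio-net-pci,netdev=internal -netdev socket,id=internal,connect=127.0.0.1:8010'
# Constructed misconfiguration: a second NIC on a user-mode (host-facing) netdev.
LEAKY_WORKSTATION_ARGS='-device virtio-net-pci,netdev=internal -device virtio-net-pci,netdev=ext -netdev socket,id=internal,connect=127.0.0.1:8010 -netdev user,id=ext'

# list_netdev_types ARGS -> prints the backend type of every -netdev, one per line
# (the backend is the first comma-separated field after "-netdev").
list_netdev_types() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | awk 'prev == "-netdev" { split($0, f, ","); print f[1] } { prev = $0 }'
}

# host_facing_netdev_count ARGS -> number of -netdev entries whose backend is not
# "socket" (user, tap, bridge, vmnet, ...); each of these reaches the host network.
host_facing_netdev_count() {
    list_netdev_types "$1" | awk '$0 != "socket" { n++ } END { print n + 0 }'
}

# socket_netdev_count ARGS -> number of -netdev entries using the socket backend
# (the VM-to-VM link; note it still runs over a host TCP socket on 127.0.0.1).
socket_netdev_count() {
    list_netdev_types "$1" | awk '$0 == "socket" { n++ } END { print n + 0 }'
}

# workstation_is_isolated ARGS -> exit 0 only if the Workstation has at least one
# internal socket netdev and no host-facing netdev at all.
workstation_is_isolated() {
    [ "$(socket_netdev_count "$1")" -ge 1 ] \
        && [ "$(host_facing_netdev_count "$1")" -eq 0 ]
}

# dangling_netdev_refs ARGS -> prints each netdev= id used by a -device that has
# no matching -netdev id=...; empty output means every reference resolves.
dangling_netdev_refs() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        prev == "-device" { n = split($0, f, ","); for (i = 1; i <= n; i++) if (f[i] ~ /^netdev=/) used[substr(f[i], 8)] = 1 }
        prev == "-netdev" { n = split($0, f, ","); for (i = 1; i <= n; i++) if (f[i] ~ /^id=/)     def[substr(f[i], 4)] = 1 }
        { prev = $0 }
        END { for (u in used) if (!(u in def)) print u }'
}

# Stand-alone run: report on the three constructed argument lists.
for name in GATEWAY WORKSTATION LEAKY_WORKSTATION; do
    eval "args=\$${name}_ARGS"
    printf '%s: %s host-facing, %s socket netdev(s)' "$name" \
        "$(host_facing_netdev_count "$args")" "$(socket_netdev_count "$args")"
    missing=$(dangling_netdev_refs "$args")
    [ -z "$missing" ] || printf ', dangling netdev refs: %s' "$missing"
    echo
done
if workstation_is_isolated "$WORKSTATION_ARGS"; then echo "WORKSTATION: isolated"; fi
if ! workstation_is_isolated "$LEAKY_WORKSTATION_ARGS"; then echo "LEAKY_WORKSTATION: NOT isolated"; fi
```

The Gateway is expected to show exactly one host-facing netdev (its `user` backend for the external side) and one socket netdev; the Workstation should show zero host-facing netdevs. Anything else on the Workstation side is a candidate IP leak path worth reviewing before the rest of the configuration.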

This has led in the past to a failure of configuring corridor on a Debian host with Whonix KVM.

references:

related:

So it would be much better if KVM / QEMU (UTM) would hide this from the host operating system, i.e., encapsulate the internal networking better. ChatGPT says this is possible using the hubport option, but ChatGPT unfortunately sometimes talks nonsense. Could you look into it please?

https://chat.openai.com/share/8d7165c4-722a-4e06-8cfd-8b525c552784

related:
USB Passthrough

rng-random would be important to add if that is possible somehow.

Not security related. Usability only. Low priority. Could QCOW2 be used too? (derivative-maker supports it. Just a question if UTM supports it too.)


Created Dev/UTM - Whonix just now.