Whonix - sys-net etc.

First of all I would like to express my enthusiasm and gratitude for the Whonix project, it’s a unique and truly talented project especially needed nowadays to breathe freely.

I would like to know if I install “qubes-core-agent-networking qubes-core-agent-network-manager” in the Whonix Workstation template, can I use it as sys net, usb and firewall?
If so, how safe would this be, as it would get the AppVm sys-net based Whonix-ws traffic clearnet, perhaps the template should be cloned?

Thanks for reading

Welcome to Whonix forums and thank you for your question!

No, Whonix isn’t designed to function as sys-net, sys-firewall in Qubes OS. That’s because the network/firewall modifications required for Whonix would get in the way of clearnet use in these service VMs. Even sys-usb is unsupported.

As an alternative, you might be interested in Kicksecure.

Whonix is based on Kicksecure by the same contributors.

However, just now added a notice here:
https://www.kicksecure.com/wiki/Qubes#Service_VMs

Thank you for that.
I have a kicksecure-16 test template I’m studying for now and my current sys-vms are running on it, I can confirm that everything works great, though there are some minor tweaks that I’ll put in the wiki once I figure out how to use it. But I noticed that Kicksecure doesn’t have sdwdate as well as whonix-firewall, and my Whonix always spells user@host and Kicksecure doesn’t spoof the host template.

Kicksecure could theoretically be worse in anonymity?

I was going to create a minimal template for my Gajim, which should I choose for it, Whonix or Kicksecure?

Thanks again for your help

That should be asked at https://forums.kicksecure.com.

Ok, thank you very much

I’m interested in this also, so please @JustinRivm update this thread with your findings.

P.S. Are you running your sys Qubes as disposables? Interested to know if there is value in having Kicksecure in sys Qubes even with them being disposable to prevent/frustrate compromise within a given session, as the disposable sys qubes do as much as we can to prevent persistence within them.

Thanks.

@WhoNext Hello, I will post new information if it becomes available.

Yes, all my sys-vms are disposable and I try to make all virtual machines which by their very nature allow it - disposable.
I’m no expert, and I think Qubes is perfectly secure, but I’m not a proponent of putting all reliability on Qubes and Xen. I don’t have any serious enemies, it’s more like a hobby for me. Kicksecure in this case is like the cherry on the cake. I think it’s better to try to prevent DispVM infection than to rely on the fact that it’s only disposable. Kicksecure is the future of security for Linux and maybe even Unix systems, while Whonix is the last resort for free speech and anonymity.

Kicksecure is completely free and by installing it you don’t sacrifice anything except a bit of disk space, ~200 mb per template and you might need to add quite some RAM to your AppVM or sys-vms for 50 or 100 mb, but I haven’t had to.

I’ve been using Kicksecure’s minimal templates for quite some time and it works fine. If you are worried about Kicksecure causing any problems or increasing the attack surface then you have nothing to worry about, the only problem I encountered was with Snapd, but this is not a problem specific to Kicksecure, it was a problem with qubes-snapd-helper itself because you had to uninstall and reinstall snapd and qubes-snapd-helper in the AppVM of your Snap template, but Kicksecure for some reason would not let me do apt update and apt install, although the internet connection was working fine and I could do wget and scurl. As for the attack surface, based on the information on the forums it doesn’t increase with the installation of Kicksecure or it increases a bit but I don’t really understand it, but anyway even so Kicksecure increases security a lot more.

/////////////////////

To create Kicksecure based on Debian-11 follow these steps:

  1. Install a Debian template or clone an existing one and rename it to kicksecure-16:
    [user@dom0 ~]$ qvm-template install debian-11
    [user@dom0 ~]$ qvm-clone debian-11 kicksecure-16

  2. Install Kicksecure on the kicksecure-16 template following the instructions linked to Qubes at Install Kicksecure ™ inside Debian.

  3. Complete the template and reassign it for your sys-vms or the one-off template on which the sys-vms are based to kicksecure-16, restart your computer or templates. Done.
    [user@dom0 ~]$ qvm-shutdown --wait kicksecure-16

// If you don’t use disposable sys-vms then:
[user@dom0 ~]$ qvm-prefs sys-usb template kicksecure-16
[user@dom0 ~]$ qvm-prefs sys-net template kicksecure-16
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksecure-16

// WARNING If your sys-vms are not single-use then this can break them, follow the instructions on how to create single-use sys-vms: Disposable customization | Qubes OS

// For disposable sys-vms:
[user@dom0 ~]$ qvm-create --class AppVM --template kicksecure-16 --label red kicksec-16-dvm
[user@dom0 ~]$ qvm-prefs kicksec-16-dvm template_for_dispvms true
[user@dom0 ~]$ qvm-prefs sys-usb template kicksec-16-dvm
[user@dom0 ~]$ qvm-prefs sys-net template kicksec-16-dvm
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksec-16-dvm

///////////////////

To create Kicksecure based on Debian-11-Minimal follow these steps:

  1. Install the Debian Minimal template or clone an existing one and rename it to kicksecure-16-minimal:
    [user@dom0 ~]$ qvm-template install debian-11-minimal
    [user@dom0 ~]$ qvm-clone debian-11-minimal kicksecure-16-minimal

  2. Install Kicksecure on kicksecure-16-minimal following the instructions linked to Qubes at Install Kicksecure ™ inside Debian.

  3. Complete the template and clone it for each of your sys-vms:
    [user@dom0 ~]$ qvm-shutdown --wait kicksecure-16-minimal
    [user@dom0 ~]$ qvm-clone kicksecure-16-minimal kicksec-16-min-net
    [user@dom0 ~]$ qvm-clone kicksecure-16-minimal kicksec-16-min-usb
    [user@dom0 ~]$ qvm-clone kicksecure-16-minimal kicksec-16-min-fw

  4. Install the required packages for the minimal templates:
    [user@dom0 ~]$ qvm-run --pass-io -u root kicksec-16-min-net "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager gnome-keyring firmware-iwlwifi -y && poweroff"

    [user@dom0 ~]$ qvm-run --pass-io -u root kicksec-16-min-usb "apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 ntfs-3g -y && poweroff"

    [user@dom0 ~]$ qvm-run --pass-io -u root kicksec-16-min-fw "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates -y && poweroff"

  5. Reassign the template for your sys-vms or the one-time template on which the sys-vms are based to kicksecure 16 minimal, restart your computer or templates. Done.

// If you do not use disposable sys-vms then:
[user@dom0 ~]$ qvm-prefs sys-net template kicksec-16-min-net
[user@dom0 ~]$ qvm-prefs sys-usb template kicksec-16-min-usb
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksec-16-min-fw

// WARNING If your sys-vms are not single-use then this can break them, follow the instructions on how to create single-use sys-vms: Disposable customization | Qubes OS

// For disposable sys-vms:
[user@dom0 ~]$ qvm-create --class AppVM --template kicksec-16-min-net --label red kicksec-16-dvm-net
[user@dom0 ~]$ qvm-create --class AppVM --template kicksec-16-min-usb --label red kicksec-16-dvm-usb
[user@dom0 ~]$ qvm-create --class AppVM --template kicksec-16-min-fw --label red kicksec-16-dvm-fw

[user@dom0 ~]$ qvm-prefs kicksec-16-dvm-net template_for_dispvms true
[user@dom0 ~]$ qvm-prefs kicksec-16-dvm-usb template_for_dispvms true
[user@dom0 ~]$ qvm-prefs kicksec-16-dvm-fw template_for_dispvms true

[user@dom0 ~]$ qvm-prefs sys-usb template kicksec-16-dvm-usb
[user@dom0 ~]$ qvm-prefs sys-net template kicksec-16-dvm-net
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksec-16-dvm-fw

///////////////////

It may be too cumbersome and complicated, but most of these functions can be done very easily with the Qube Manager

@Patrick maybe this would work for the wiki, but I don’t know how to edit it.
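
A dom0 check for the result of the steps in the post above, added here as an example and not part of the original post: it resolves each service qube to the TemplateVM it actually boots from, which catches a mix-up such as sys-usb pointing at the net disposable template, or a disposable template that was created from the default template. `root_template`, `check_service_qubes`, the `QVM_PREFS` override and the constructed `fake_qvm_prefs` data are assumptions made for the example; the qube names are the ones used in the post.

```shell
#!/bin/sh
# Run in dom0. QVM_PREFS is overridable so the logic can be exercised offline.
QVM_PREFS=${QVM_PREFS:-qvm-prefs}

# Print the TemplateVM a qube boots from (DispVM: via its disposable template).
# Returns 1 if the disposable template lacks template_for_dispvms, 2 on lookup error.
root_template() {
    klass=$($QVM_PREFS "$1" klass) || return 2
    parent=$($QVM_PREFS "$1" template) || return 2
    if [ "$klass" = "DispVM" ]; then
        flag=$($QVM_PREFS "$parent" template_for_dispvms) || return 2
        [ "$flag" = "True" ] || return 1
        parent=$($QVM_PREFS "$parent" template) || return 2
    fi
    printf '%s\n' "$parent"
}

# check_service_qubes vm=expected_template ...; returns the number of mismatches.
check_service_qubes() {
    bad=0
    for pair in "$@"; do
        vm=${pair%%=*}; want=${pair#*=}
        got=$(root_template "$vm") || got="<unresolved>"
        if [ "$got" = "$want" ]; then
            echo "OK   $vm -> $got"
        else
            echo "FAIL $vm -> $got (expected $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample data (not real dom0 output): sys-usb and sys-net have
# their disposable templates swapped, sys-firewall is assigned correctly.
fake_qvm_prefs() {
    case "$1.$2" in
        sys-*.klass) echo DispVM ;;
        kicksec-16-dvm-*.klass) echo AppVM ;;
        kicksec-16-dvm-*.template_for_dispvms) echo True ;;
        sys-usb.template) echo kicksec-16-dvm-net ;;
        sys-net.template) echo kicksec-16-dvm-usb ;;
        sys-firewall.template) echo kicksec-16-dvm-fw ;;
        kicksec-16-dvm-*.template) echo "kicksec-16-min-${1##*-}" ;;
        *) return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then check_service_qubes "$@" || exit 1; fi
```

Saved as a script in dom0, it is called with pairs such as `sys-net=kicksec-16-min-net sys-usb=kicksec-16-min-usb sys-firewall=kicksec-16-min-fw` and exits non-zero if any service qube resolves to a different template.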