Secure communication on the Internet with Whonix

No Way!

© Lead Image © Saniphoto, Fotolia.com

The curiosity of various players on the Internet is making anonymity increasingly important. The Debian derivative Whonix offers an easy-to-install, comprehensive solution with a complete virtual work environment to protect your privacy.

Specific groups, such as journalists, lawyers, whistleblowers, and political activists, are often the focus of intelligence agencies and other authorities. Business owners and researchers also can attract unwanted attention and find themselves the targets of attack. To communicate in an encrypted and anonymous way over the Internet and protect themselves from intrusion attempts and sniffer software, these groups often rely on special technological protections.

To shut out unauthorized eavesdroppers, the Whonix project now offers an interesting approach – but not just for these target groups: A specially hardened and isolated system with a connection to the Internet through the Tor network runs on a virtual machine (VM), allowing for encrypted and hard-to-trace communication.

Quartet

Whonix for Linux comes in four packages. In addition to a prepared gateway for VirtualBox weighing in at approximately 1.8GB, the developers supply a complete work environment based on Debian "Stable" with a size of around 2.1GB, which also runs as a separate system in VirtualBox. The two packages are completely preconfigured in OVA format and available for download [1]. Although this solution is aimed at newcomers with little network knowledge, the developers describe it as still in the test phase.

Whonix runs completely in a VirtualBox machine, which means you need it in place on your system. Most distributions have VirtualBox in their repositories, so the installation is typically just a matter of a few mouse clicks. Alternatively, you can download the software directly from Oracle [2], which is also where you will find the appropriate instructions for installing.

Your computer must have a CPU that supports the VT-x or AMD-V hardware virtualization extensions. Additionally, it needs at least 4GB of RAM, because you need to run two VMs for Whonix in addition to the host operating system. To check whether your computer supports the appropriate technology, run:

$ grep -E '(vmx|svm)' /proc/cpuinfo
flags : fpu [...] ds_cpl vmx est [...] dtherm arat
[...]

If the command returns an empty result, the PC is too old, or you need to enable hardware virtualization in the computer BIOS.

Whonix also creates two virtual disks, each 100GB, in the VMs; they initially occupy a total of around 10GB of the drive. Because VirtualBox dynamically allocates mass storage, the virtual disks will only grow if disk utilization increases, so you do not need to provide 200GB of mass storage capacity for the two Whonix components. However, the free disk space should be more than 20GB total.
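The three host requirements named above (VT-x or AMD-V, at least 4GB of RAM, more than 20GB of free disk space) can be checked in one pass. The script below is an added example, not part of the original article or the Whonix project; the function names and the 3.5 GiB tolerance for memory that the firmware and kernel reserve are assumptions.

```shell
#!/bin/sh
# Added example: host pre-flight check for the requirements stated in the article.
# Function names and the RAM tolerance below are assumptions of this example.

MIN_RAM_KIB=3670016   # 3.5 GiB: a 4GB machine reports less than 4 GiB in MemTotal
MIN_FREE_GIB=20       # the article asks for more than 20GB of free disk space

# Succeeds if a flags line lists vmx (VT-x) or svm (AMD-V) as a whole word.
has_hw_virt() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$1"
}

# Prints MemTotal in KiB from a meminfo-format file.
ram_kib() {
    awk '/^MemTotal:/ { print $2; exit }' "$1"
}

# Prints whole GiB available to unprivileged users on the filesystem holding $1.
free_gib() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1048576) }'
}

# preflight CPUINFO MEMINFO VMDIR: reports each requirement, returns 1 if any fails.
preflight() {
    rc=0
    if has_hw_virt "$1"; then
        echo "ok:   CPU advertises VT-x or AMD-V"
    else
        echo "FAIL: no vmx/svm flag (CPU too old, or disabled in the BIOS)"; rc=1
    fi
    ram=$(ram_kib "$2")
    if [ "${ram:-0}" -ge "$MIN_RAM_KIB" ]; then
        echo "ok:   ${ram} KiB RAM"
    else
        echo "FAIL: ${ram:-0} KiB RAM, two VMs plus the host need at least 4GB"; rc=1
    fi
    free=$(free_gib "$3")
    if [ "${free:-0}" -gt "$MIN_FREE_GIB" ]; then
        echo "ok:   ${free} GiB free in $3"
    else
        echo "FAIL: ${free:-0} GiB free in $3, need more than ${MIN_FREE_GIB}GB"; rc=1
    fi
    return "$rc"
}

# Run against the live host only when asked: sh preflight.sh check [VM directory]
if [ "${1:-}" = "check" ]; then
    preflight /proc/cpuinfo /proc/meminfo "${2:-$HOME}"
fi
```

Pass the directory in which VirtualBox stores its disk images as the second argument, because that is the filesystem the dynamically growing disks will fill.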

In two other stable packages, Whonix uses KVM technology embedded in the Linux kernel to run in a VM under KVM/Qemu. A gateway and a workstation of about the same size as that for VirtualBox are available, too [3], and can be controlled by graphical front ends such as Microsoft's Virtual Machine Manager, much like VirtualBox.

For both solutions, the download area also offers matching OpenPGP signatures and keys with which you can check the data integrity of downloaded packages. The developers provide a how-to for beginners [4].
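A signature check only proves something if the signature was made by the key you expect, because gpg accepts a valid signature from any key in the keyring. The script below is an added example, not from the article or the Whonix project: it verifies a download with gpg and pins the signer's fingerprint. The file arguments, function names, and the fingerprint shown are placeholders; obtain the real fingerprint from the project over a trusted channel.

```shell
#!/bin/sh
# Added example: verify a downloaded appliance and pin the signer's key.
# File names and the fingerprint are placeholders, not values from the Whonix project.

# sig_ok EXPECTED_FPR: reads "gpg --status-fd" lines on stdin; succeeds only if
# a VALIDSIG was made under the expected primary key and nothing was flagged bad.
sig_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit !(good && !bad) }'
}

# verify_download FILE SIGNATURE EXPECTED_FPR
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_ok "$3"
}

# Constructed status output for a dry run without gpg or a real download.
DEMO_FPR=0123456789ABCDEF0123456789ABCDEF01234567
demo_status() {
    echo "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer"
    echo "[GNUPG:] VALIDSIG $DEMO_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $DEMO_FPR"
}

if [ $# -eq 3 ]; then
    if verify_download "$1" "$2" "$3"; then
        echo "signature valid and made by the expected key"
    else
        echo "verification FAILED: do not import this file"; exit 1
    fi
else
    demo_status | sig_ok "$DEMO_FPR" && echo "demo: constructed signature accepted"
fi
```

The comparison uses the last field of VALIDSIG, the primary key fingerprint, so a signature made by a subkey of the expected key still passes while one from any other key in the keyring does not.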

Operations

Whonix relies on preset firewall rules to direct all traffic via the Tor connection configured in the gateway, and the Whonix workstation acts as the user interface downstream of the gateway. The workstation uses a network that is isolated from the host system to connect to the Internet.

The gateway has two virtual network interfaces – the project's attempt to achieve maximum security for the user. Among other things, this design keeps unauthorized users from sniffing IP addresses or the websites you have visited. Additionally, the VM is decoupled from the host system to prevent damage to the host, should an attacker compromise the VM with malware unnoticed by the user.

The system thus prevents DNS and IP protocol leaks and uses stream isolation to prevent identity correlation, an attack in which someone draws conclusions about the identity of a user when identical transmission paths are used for various applications on the Tor network.

To maintain the high level of security, you should also be cautious when working with the host running the VMs. A compromise by malicious software can also affect VMs under certain circumstances, so it is advisable to install Whonix on a fresh host system.

Installation

To set up the two Whonix machines, start VirtualBox, and integrate the gateway and the workstation one after another from the File | Import Appliance menu. In the dialog that follows, select the corresponding OVA file in the file manager and click Next. Once the appliance settings appear, you can click Import (Figure 1). VirtualBox now integrates the appropriate package and prepares the VM for use.

Figure 1: The installation of two Whonix modules is quick in VirtualBox.

Please note that VirtualBox does not support some Linux security features possible in Debian, such as the Grsecurity kernel extensions. A KVM/Qemu-based VM with an existing Grsecurity extension under Debian is generally safer than a standard system with VirtualBox. However, KVM/Qemu requires detailed knowledge of the Linux system for the installation and configuration. For detailed instructions on activating KVM and installing the Whonix components, see the wiki on the project site [5].

In VirtualBox

After creating the gateway and the Whonix machine, you then start the gateway in VirtualBox and make the appropriate selection in the boot manager; the software quickly enables a fresh-looking KDE 4.14.2 desktop using the 32-bit version of Debian 8 as its basis. The hardware requirements for the VM thus are not too demanding, and it works well on a system with only 4GB of memory.

The first window you see has some general information you need to confirm; then, the Setup Wizard appears, in which you can define how you want to set up the gateway. The choices are to connect through Tor, connect without Tor, or use a proxy server with an active firewall for network access (Figure 2).

Figure 2: In the Setup Wizard, you set up the Tor connection in Whonix.

After setting up network access, the wizard searches for updates in the Whonix "Stable," "Updates," "Testers," and "Developers" repositories. At the same time, the software displays instructions for customizing the locale and warns you not to use the gateway machine as a normal workstation: It is only designed for configuring Tor and Whonix. After you confirm, the system installs any available updates. After the wizard closes, the basic configuration of the system (Figure 3) is complete.

Figure 3: The default KDE 4.14.2 desktop forms the basis of Whonix.

The fairly large number of KDE desktop icons take you to configuration tools. They are designed for graphical management of the firewall, Tor, and Whonix itself. The central elements that grab your attention here are Arm - Tor Controller and Firewall Settings. A distinction is made between global and user-specific firewall settings.

The Arm - Tor Controller (Anonymizing relay monitor Tor Controller) acts as a monitor for the Tor gateway and shows you not only various statistical values, but also data throughput rates and special messages relating to the connection. The firewall works completely independently of the firewall on the host system and is already hardened in the global settings.

Customization

First you need to make some basic adjustments to the gateway to protect the system against physical access by unauthorized persons. The standard users on the Whonix gateway are user and root, each with the password changeme. By typing the commands

sudo passwd user
sudo passwd root

at the command line, you can quickly change both passwords. In a further step, you might want to change the keyboard layout from the US default if you are using different location settings. The Settings | System Settings | Input Devices option lets you switch to the UK layout, for example, in the Keyboard | Layouts tab.

The developers have also implemented a routine on the system that lets you check for correct configuration at any time by simply clicking the WhonixCheck icon on the desktop. The application performs several tests and checks that a proper connection to the Tor service exists and whether updates are available for the operating system. These tests take a few minutes, and the program communicates the results in an information window (Figure 4).

Figure 4: Using an automated check routine, you can validate the functionality of Whonix.

You can also configure how the system should react to future updates. By default, it updates automatically as soon as you trigger a general update by typing

sudo apt-get dist-upgrade

in the terminal. In this case, the routine installs all updates from the Debian and Whonix developers. Because the package manager also loads the data through the Tor network, this process needs more time compared with a conventional Debian system. Therefore, the Whonix developers offer an option for configuring updates, which you can open by clicking the Whonix Repository icon on the desktop. In a simple dialog, you can now define whether you want to install the new files manually or automatically from a certain Whonix repository.

If you notice problems with Internet access, you can reconfigure and restart the Tor service. Whonix provides an easy-to-use graphical tool on the desktop from the Whonix Setup - Whonix connection wizard icon. With the Stop Tor, Reload Tor, and Restart Tor icons, you can control the service from within the current session, as well.

Firewall

The firewall settings can also be modified simply using existing tools. From the Global Firewall Settings icon on the desktop, you can access the preset rules. After subsequent authentication, KWrite opens the firewall options that apply to the entire system. In the text file, the rules are lined up under appropriate headings, each with a commented paragraph that explains the active rule to help you understand what the rule does (Figure 5).

Figure 5: You can configure the system firewall with a simple text file.

After making changes to the configuration, you should save the file and enable the new rules by clicking on the Reload Firewall desktop icon. You can define your own firewall rules by clicking the User Firewall Settings icon on the KDE desktop; it comes up with an empty KWrite window in which you can enter your own rules freely. This system also enables the rules after you save and reload the firewall.

Workstation

Use the Whonix workstation for anonymous surfing of the Internet. After booting, the system – like the gateway – will start the whonixcheck program to check system parameters. For whonixcheck to complete successfully, the Whonix gateway must be active, because the workstation uses its isolated network to access the Internet. Without a properly working gateway, whonixcheck exits with an error message.

Like the gateway, the workstation also comes with KDE desktop version 4.14.2 configured for the US keyboard layout. The following steps are already known: Go to System Settings | Input Devices to enable your choice of keyboard layout if needed, then type

sudo apt-get dist-upgrade

to install all the pending updates.

Next, click on the Tor Browser (AnonDist) desktop icon. Whonix opens a dialog for the cryptographically verified installation of the Tor browser: It is missing on the VM because of the fast update cycles. The script always gives you the latest version of the browser; the routine lets you select from multiple versions. The Tor browser is downloaded via the Tor network, which is much slower than using a direct connection (Figure 6).

Figure 6: The Whonix workstation loading the Tor browser off the web for the first time and installing it automatically.

During the session, you can trace the entire data transfer very conveniently on the Whonix gateway. You can call monitoring by clicking on Arm - Tor Controller. A straightforward ncurses screen displays the transfer rates, as well as various statistical data for the active Internet connection and system resources (Figure 7).

Figure 7: The Whonix gateway monitor clearly shows what is happening on the line tunneled through Tor.

Test

After installing the Tor browser, the Tor Browser (AnonDist) icon is now ready for use on the desktop; otherwise, only two launchers for chat applications can be found on the desktop. Even the submenus lack the usual applications and only show you the software for online applications, such as video and audio players or a PDF viewer.

To verify the security of your Internet access, enter http://www.ip-check.info in the Tor browser address bar. After a detailed examination of the connection parameters, you will see a list of components relevant to safety (Figure 8). To avoid the kind of insecure technologies that websites tend to use, the Tor browser uses the NoScript and HTTPS Everywhere extensions, which stop scripts and unencrypted connections.

Figure 8: More or less all systems are go! Whonix has succeeded in keeping the system from revealing too much about the user.

Conclusions

You can achieve a high degree of anonymity on the Internet by deploying Whonix on conventional Linux systems. Unlike special external solutions, such as hardened distributions on USB flash drives that only work in read-only mode, Whonix is also suitable for machines running from a hard drive, saving the user the trouble of booting to change to the secure system. Whonix is fully isolated from the host PC so that no data exchange can take place between the Whonix VM and the host – whether wanted or unwanted.

The Whonix developers always keep the Debian derivative up to date. Tough hardware requirements, thanks to VirtualBox, and having to run two VMs are the only shortcomings. For a smooth experience, the computer should have a reasonably recent processor and enough RAM and disk space. If these conditions are fulfilled, Whonix is one of the best ways of establishing an anonymous Internet connection at any time.

The Author

Erik Bärwaldt is a self-employed IT admin and technical author living in Scarborough (United Kingdom). He writes for several IT magazines.