Using the Whonix Templates


Dogged One

Feb 4, 2015, 3:39:06 PM
to qubes...@googlegroups.com
So I've followed this link
https://groups.google.com/forum/#!searchin/qubes-users/whonix/qubes-users/X0GvIdpQtcM/2uh-BHAh8r8J
and I have my whonix templates installed. Per the directions in that
thread it states that "at first startup there will be some simple
configuration to do."

I know that what some of the gurus consider simple configuration may or
may not be so simple to all users and I'm not entirely sure what that
implies in this case. So upon installation and attempting to run the
tor setup I am running into the vms shutting themselves down and
conflicting with my existing torvm, and not ending up with a complete
working solution. Maybe I am jumping the gun trying to use them but it
seems there are many having good success.

Being that I am tech savvy but not a linux guru I am trying to help
bridge the gap here. Not only for myself but in an effort to bring
QubesOS to the mainstream. So please excuse ignorant or uninformed
questions I may have as I am reading and assimilating as much info as I
can. I can understand fairly well the immense security implications of
having everything separated in virtual machines and the disconnect from
the outside world with the use of net and firewall vms, even if the
specific technical explanations of which are over my head. I also
understand the immense benefit of having a system like whonix coupled
with qubes to give a new level of security through anonymity.

That said are there plans to expand that thread or create a more
complete installation guide to be able to use the new templates, or is
there some stalling on it to wait for them to not be so experimental and
a little more well tested first?

Right now it seems we're supposed to bridge the gap ourselves between
the template thread and the other manual setup thread created by the
whonix team to come to conclusions about what is missing, i.e. the TBB,
to have a complete and working whonix-qubes setup via these templates.

I know for myself I cannot at this time be of much help with the deep
technical issues in testing leaks or heavy development, however I would
like to participate as much as possible by bringing up questions average
users wanting a more secure operating system may have, possibly helping
with documentation (as long as I understand well what's happening to
create such guides), or even volunteer some time in the web development
category being that I am a moderate level web designer/developer.

Thanks for any feedback on getting a complete whonix-qubes setup via the
templates, and thanks very much for taking the time to create them.
Please let me know if I can be of any service in the other categories I
mentioned as I am a huge fan of the platform and the efforts that go
into the defense side of technology understanding that they are largely
unpaid and under appreciated whilst sorely needed.

DG1

WhonixQubes

Feb 5, 2015, 2:51:51 AM
to dogg...@riseup.net, qubes...@googlegroups.com
Hi DG1!


Regarding the personal issues you're having with the Whonix templates...


Regarding the whonixsetup prompts...

Upon booting up the Whonix-Gateway ProxyVMs and Whonix-Workstation
AppVMs for the first time, there should be a tall whonixsetup window
that scrolls off of the screen.

If this (currently somewhat dysfunctional) whonixsetup prompt is not
properly handled and completed by the user, then the VM will shutdown
and will have to be restarted and prompted again.

One has to maintain proper original focus on the window without clicking
inside the window. Then hit <Enter> to complete the first whonixsetup
window. Then hit <Enter> again to complete the second whonixsetup
window. Then choose the following options with arrows and <Enter>.
...going based on memory right now.

Alternatively one could complete the whonixsetup inside the TemplateVMs
so that additionally created ProxyVMs and AppVMs don't need to go
through this whonixsetup process again.

One initiates this in the Whonix TemplateVM terminal with the following
command:

sudo whonixsetup


Regarding getting Tor Browser installed...

There is a built-in updater that prompts itself upon launching Tor
Browser for the first time from the normal app launcher menu. Upon
confirmation, it automatically downloads, verifies, and installs TBB for
Whonix.

This can be done separately for each Whonix-Workstation AppVM, or done
just once in the underlying Whonix-Workstation TemplateVM.


=========


Regarding further development of user documentation, etc...


I am currently leading this stuff over on the Whonix site.


FYI... The primary resources specific to Qubes + Whonix are:

- Wiki: https://www.whonix.org/wiki/Qubes
- Forum: https://www.whonix.org/forum/Qubes
- Blog: https://www.whonix.org/blog/category/Qubes
- Tracker: https://phabricator.whonix.org/tag/Qubes

...as well as the one-off discussions about Whonix here on the Qubes
mailing lists.


Currently, the wiki documentation has not yet been transitioned over to
the new ProxyVM + AppVM platform and is still based on the original
Dual-HVM platform.

I did recently create a richer minimal beta install guide for those
interested here...

https://www.whonix.org/forum/index.php/topic,896.0.html


Here is the plan on my end...

1. Leak Testing:

Once I get the chance to get back to this, I will soon be completing the
public leak testing for the new Qubes + Whonix platform.

2. Complete Install Guides:

Replace the current wiki page with complete install guides for the new
Qubes + Whonix platform.

3. Build Out Wiki Documentation:

Further build out the wiki page with a lot more full information and
how-to guides about accomplishing important secondary tasks and popular
user goals.


So, on the Whonix site, the wiki page (whonix.org/wiki/Qubes) is going
to become the primary destination for much of what you are interested in
for the new Qubes + Whonix platform.


If you wanted to help out with enhancing these existing efforts, then
that would be great! :)


If so, using the dedicated Whonix Qubes forum (whonix.org/forum/Qubes)
would probably be the best place to collaborate on the details.



WhonixQubes

Dogged One

Feb 7, 2015, 2:32:04 PM
to qubes...@googlegroups.com
Thanks very much for this more thorough explanation....

I got through most of that and what I'm getting now is kinda running in
circles. I run both whonixcheck and whonixsetup on both templates in
the terminal. On the gateway I get WARNING: Tor Check Result: No
Network. Tor is Disabled. I've already run whonixsetup on this template,
so? When I get to whonixcheck on the workstation I get ERROR: Tor
Bootstrap Result: Tor's Control Port could not be reached. Both error
and warning tell me to run the whonixcheck which is how I came to the
messages.
Per your other instructions I have both templates using the
whonix-gateway proxy vm as their NetVM. And the whonix-gateway VM is
using the firewallvm as its NetVM. I believe that's all correct.

I have the previous torvm setup and working fine. Would this create
some kind of conflict?

WhonixQubes

Feb 7, 2015, 9:39:39 PM
to dogg...@riseup.net, qubes...@googlegroups.com
> Thanks very much for this more thorough explanation....

Sure thing. :)


> I got through most of that and what I'm getting now is kinda running in
> circles. I run both whonixcheck and whonixsetup on both templates in
> the terminal. On the gateway I get WARNING: Tor Check Result: No
> Network. Tor is Disabled. I've already run whonixsetup on this
> template,
> so? When I get to whonixcheck on the workstation I get ERROR: Tor
> Bootstrap Result: Tor's Control Port could not be reached. Both error
> and warning tell me to run the whonixcheck which is how I came to the
> messages.
> Per your other instructions I have both templates using the
> whonix-gateway proxy vm as their NetVM. And the whonix-gateway VM is
> using the firewallvm as its NetVM. I believe that's all correct.

It just sounds like something simple is not allowing your Whonix-Gateway
ProxyVM to connect to the internet.

It is natural for whonixcheck to not be getting an internet connection
in the TemplateVM. But internet should be working in the Whonix-Gateway
ProxyVM.

Troubleshooting:

- Your FirewallVM certainly needs a working internet connection through
your NetVM (netvm).

- Whonix-Gateway ProxyVM Firewall Rules in Qubes Manager needs "Allow
network access except..." to be enabled.

- On Whonix-Gateway ProxyVM: "sudo service tor start" to ensure Tor
service is enabled.

- On Whonix-Gateway ProxyVM: "arm" to get detailed Tor connection info.

- Other VM types (Fedora AppVM, etc) should be able to get online
through the Whonix-Gateway ProxyVM as well when internet is working
properly.

- Double check the network configuration diagram that I just added on
following beta instructions post.


I made a few small changes to the beta instructions post here...

https://www.whonix.org/forum/index.php/topic,896.0.html

- I added a network configuration diagram before the install guides.

- I removed the Software Update GUI steps since they were redundant and
seemingly not fetching updates properly (apt-get used instead).

- I added instructions for handling the KEYEXPIRED error present in the
current version when updating.


> I have the previous torvm setup and working fine. Would this create
> some kind of conflict?

TorVM should not have an effect upon Whonix, as far as I know. I've run
both without any problem.


WhonixQubes

O

Feb 8, 2015, 8:15:20 PM
to qubes...@googlegroups.com
>> And the whonix-gateway VM is using the firewallvm as its NetVM. I
>> believe that's all correct.

I have only had success with whonix templates and torvm after connecting
the whonix-gateway & torvm to *netvm*, rather than *firewallvm*. So I
would try that and see if that fixes your connection issue.

WhonixQubes

Feb 9, 2015, 3:03:59 AM
to ora...@riseup.net, qubes...@googlegroups.com
Yes. That is another way to do it.

If one has a standard Fedora 20 firewallvm with "Allow network access
except..." enabled, then the Whonix-Gateway ProxyVM with "Allow network
access except..." also enabled should work ok.

But if your firewallvm is somehow getting in the way, then stripping it
out of the networking chain may help get a connection.


Also, for basic orientation, one can see and double check a simple
overview of the networking chain here:

https://www.whonix.org/forum/index.php/topic,896.0.html


WhonixQubes

JPL

Apr 30, 2015, 3:52:30 PM
to qubes...@googlegroups.com, whoni...@riseup.net, ora...@riseup.net

I am having a similar problem after a routine apt-get update to Whonix-proxy and Whonix-gateway experimental.

I can start tor OK in Whonix proxy but on starting Whonix-Workstation I get the Tor-bootstrap error:

ERROR: Tor Bootstrap Result:
Tor's Control Port could not be reached.
Did you start Whonix-Gateway beforehand?
Please run whonixcheck on Whonix-Gateway.
Then restart whonixcheck on Whonix-Workstation
(Technical information:)
(Code: 124)
(tor_bootstrap_timeout_type: sigterm)
(tor_bootstrap_status: Variable check_bootstrap_helper_script_output is empty.)
(check_socks_port_open_test: 28)
(Tor Circuit: not established)

Running whonixupdate in Whonix-gateway produces the same error.

Allow networking except ... is selected on all Whonix VMs and whonix-proxy has FirewallVM as its NetVM

It was working fine until a couple of days ago. Has anyone else had this problem?

Thanks


JPL

Apr 30, 2015, 4:46:52 PM
to qubes...@googlegroups.com, ora...@riseup.net, whoni...@riseup.net
===================================================================

By the way, these are the packages that were installed/updated in Whonix-proxy just before it stopped working

2015-04-28 06:15:34 install python-greenlet:amd64 <none> 0.3.1-2.5
2015-04-28 06:15:42 install python-gevent:amd64 <none> 0.13.6-1+nmu3
2015-04-28 06:16:14 install control-port-filter-python:all <none> 3:0.4-1
2015-04-28 06:16:45 install python-dateutil:all <none> 1.5+dfsg-0.1
2015-04-28 06:20:13 install libspice-server1:amd64 <none> 0.11.0-1+deb7u1
2015-04-28 06:21:07 install kde-privacy:all <none> 3:0.8-1
2015-04-28 06:21:08 install usability-misc:all <none> 3:0.7-1
2015-04-28 06:21:09 install menu:amd64 <none> 2.1.46
2015-04-28 06:21:25 install kde-common-resolution:all <none> 3:0.7-1
2015-04-28 06:21:29 install xserver-xorg-video-qxl:amd64 <none> 0.0.17-2+b1
2015-04-28 06:22:13 install gpg-bash-lib:all <none> 3:0.7-1
2015-04-28 06:22:32 install whonix-repository-wizard:all <none> 3:0.2-1

Jason M

Apr 30, 2015, 8:19:29 PM
to qubes...@googlegroups.com, whoni...@riseup.net, ora...@riseup.net

I am working on testing this issue right now. I am downloading the original 'whonix-gateway' from the repo.

Whonix just recently (a few days ago) released Whonix 10. I am wondering if the 9.6 version you currently have installed is attempting to update to Whonix 10. This is what I am testing for.

I am assuming what is happening is the system is being upgraded to Whonix 10, and the `qubes-whonix` package is not available in the stable repo yet.  Will get back to you in a few hours after my tests.

In the meantime, I have completed the `qubes-whonix` package that will allow a manual upgrade to `Whonix 10`, although it is contained within the whonix developers repo at the moment. If you are interested in attempting to upgrade, you can follow the instructions at https://phabricator.whonix.org/T288#4171. Since your installation may be broken, after the steps of enabling the qubes test repo, and whonix developers repo, do this first:

sudo apt-get update
sudo apt-get install qubes-whonix qubes-core-agent
sudo apt-get install -f

# Then continue to upgrade
sudo apt-get dist-upgrade




JPL

May 1, 2015, 3:16:29 AM
to qubes...@googlegroups.com, ora...@riseup.net, whoni...@riseup.net
 Thanks, I'll try that.

Is the fix good to go now? I note from the comments here https://phabricator.whonix.org/T288#4171 that new versions were being moved into different repositories. Has this now been completed and are the instructions still valid - or should I wait a while?

Cheers

 

nrgaway

May 1, 2015, 4:49:00 AM
to JPL, qubes...@googlegroups.com, ora...@riseup.net, WhonixQubes
The instructions are valid.  I will keep them up to date.  I tested them with 3 templates; all on Release 3 though, not release 2, but they share the same base. The gateway needs to be updated first.  You can update the workstation once gateway is working. 

If your gateway already got hosed (time sync will not complete) start with the steps about 3 posts down first, then continue to the upgrade.

Please report back your success.

JPL

May 1, 2015, 6:35:49 PM
to qubes...@googlegroups.com, ora...@riseup.net, whoni...@riseup.net, atep...@gmail.com


Yes it worked. One or two spurious error messages on the way but I ignored those and followed your instructions.

Many thanks!
 

nrgaway

May 1, 2015, 9:15:07 PM
to JPL, qubes...@googlegroups.com, ora...@riseup.net, WhonixQubes
Great!  Thanks for reporting back :)

Ya, all the error messages work themselves out after update is complete.

JPL

May 2, 2015, 6:20:19 AM
to qubes...@googlegroups.com, ora...@riseup.net, atep...@gmail.com, whoni...@riseup.net


Might have spoken too soon!

Having restarted my system I have now lost connectivity to the internet in Whonix (other Qubes vms can connect, it's only Whonix that can't).

Running sudo service tor restart in Whonix-Proxy today gives the following error

user@host:~$ sudo tor service restart
May 02 10:07:54.443 [notice] Tor v0.2.5.12 (git-3731dd5c3071dcba) running on Linux with Libevent 2.0.19-stable, OpenSSL 1.0.1e and Zlib 1.2.7.
May 02 10:07:54.443 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
May 02 10:07:54.443 [notice] Read configuration file "/etc/tor/torrc".
May 02 10:07:54.445 [warn] Failed to parse/validate config: Unknown option 'service'.  Failing.
May 02 10:07:54.445 [err] Reading config failed--see warnings above.

I have run sudo apt-cache policy qubes-whonix in all Whonix vms and can confirm they are all updated to 10.0.5-1

Any ideas?

Many thanks
 

JPL

May 2, 2015, 6:24:08 AM
to qubes...@googlegroups.com, whoni...@riseup.net, atep...@gmail.com, ora...@riseup.net

Here is /etc/tor/torrc - looks fine to me

 user@host:~$ cat /etc/tor/torrc
# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos at riseup dot net>
# See the file COPYING for copying conditions.

# Use this file for your user customizations.
# Please see /etc/tor/torrc.examples for help, options, comments etc.

# Anything here will override Whonix's own Tor config customizations in
# /usr/share/tor/tor-service-defaults-torrc

# Enable Tor through whonixsetup or manually uncomment "DisableNetwork 0" by
# removing the # in front of it.
DisableNetwork 0

Jason M

May 2, 2015, 7:52:21 AM
to qubes...@googlegroups.com, ora...@riseup.net, atep...@gmail.com, whoni...@riseup.net
I have a few :)

First off, Whonix has been converted to use systemd in Qubes, so instead of using service, try this:

sudo systemctl status qubes-whonix-tor.service

- or -

sudo systemctl status tor.service

sudo systemctl restart qubes-whonix-tor.service

If Whonix workstations are having a difficult time connecting, in the gateway make sure control-port-filter-python is running:

sudo systemctl status control-port-filter-python.service. It should look like the following. Note the Loaded line should contain /etc/systemd/system/qubes-whonix-control-port-filter-python.service; if not let me know (we DO NOT want it to contain /etc/init.d/control-port-filter-python)

sudo systemctl status control-port-filter-python

qubes-whonix-control-port-filter-python.service - Control Port Filter Proxy
   Loaded: loaded (/etc/systemd/system/qubes-whonix-control-port-filter-python.service; enabled)
   Active: active (running) since Sat 2015-05-02 05:31:45 UTC; 6h ago
  Process: 1891 ExecStart=/sbin/start-stop-daemon --start --quiet --background --make-pidfile --pidfile /var/run/control-port-filter-python/pid --chuid debian-tor:debian-tor --exec /usr/lib/control-port-filter-python/cpfp.py (code=exited, status=0/SUCCESS)
  Process: 1874 ExecStartPre=/bin/chown --recursive debian-tor:debian-tor /var/log/control-port-filter-python.log (code=exited, status=0/SUCCESS)
  Process: 1839 ExecStartPre=/bin/touch /var/log/control-port-filter-python.log (code=exited, status=0/SUCCESS)
  Process: 1776 ExecStartPre=/usr/lib/anon-shared-helper-scripts/torsocks-remove-ld-preload (code=exited, status=0/SUCCESS)
 Main PID: 1897 (cpfp.py)
   CGroup: name=systemd:/system/qubes-whonix-control-port-filter-python.service
           └─1897 /usr/bin/python /usr/lib/control-port-filter-python/cpfp.py
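
The check described in the post above (Loaded line pointing at the systemd unit rather than /etc/init.d, and the unit running), as an added shell example that is not part of the original post or of the Whonix or Qubes code. The function name, verdict strings and the sample status texts are assumptions constructed for illustration; only the unit path is taken from the post.

```shell
#!/bin/sh
# Added example: classify `systemctl status` text for the control port filter.
# EXPECTED_UNIT is the unit file path quoted in the post above.
EXPECTED_UNIT=/etc/systemd/system/qubes-whonix-control-port-filter-python.service

# check_unit_status (hypothetical helper): reads `systemctl status` output on
# stdin; $1 is the unit file path expected on the "Loaded:" line.
# Prints a one-word verdict and returns non-zero unless the verdict is "ok".
check_unit_status() {
    expected_unit_path=$1
    status_text=$(cat)
    loaded_line=$(printf '%s\n' "$status_text" | grep -m1 'Loaded:' || true)
    active_line=$(printf '%s\n' "$status_text" | grep -m1 'Active:' || true)

    # The post warns against the unit being loaded from the SysV init script.
    case $loaded_line in
        *"/etc/init.d/"*) echo "sysv-init-script"; return 2 ;;
        *"($expected_unit_path;"*) ;;
        *) echo "unexpected-unit-path"; return 3 ;;
    esac

    # "inactive (dead)" must not pass, so match the full running state.
    case $active_line in
        *"Active: active (running)"*) echo "ok"; return 0 ;;
        *) echo "not-running"; return 1 ;;
    esac
}

# Constructed sample inputs (trimmed status text, not captured from a live VM).
SAMPLE_OK='qubes-whonix-control-port-filter-python.service - Control Port Filter Proxy
   Loaded: loaded (/etc/systemd/system/qubes-whonix-control-port-filter-python.service; enabled)
   Active: active (running) since Sat 2015-05-02 05:31:45 UTC; 6h ago'

SAMPLE_DEAD='qubes-whonix-control-port-filter-python.service - Control Port Filter Proxy
   Loaded: loaded (/etc/systemd/system/qubes-whonix-control-port-filter-python.service; enabled)
   Active: inactive (dead)'

SAMPLE_SYSV='control-port-filter-python.service
   Loaded: loaded (/etc/init.d/control-port-filter-python)
   Active: active (running)'

for sample in "$SAMPLE_OK" "$SAMPLE_DEAD" "$SAMPLE_SYSV"; do
    verdict=$(printf '%s\n' "$sample" | check_unit_status "$EXPECTED_UNIT") || true
    echo "verdict: $verdict"
done

# On a live Whonix-Gateway ProxyVM the same function can be fed directly:
#   sudo systemctl status control-port-filter-python | check_unit_status "$EXPECTED_UNIT"
```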




JPL

May 2, 2015, 9:58:46 AM
to qubes...@googlegroups.com, whoni...@riseup.net, ora...@riseup.net, atep...@gmail.com
Hmm .. still as dead as a door-nail. It seems that Tor is just not starting.

Here are the results of those commands (run in Whonix-proxy by the way, is that correct?)
 
 user@host:~$ sudo systemctl status qubes-whonix-tor.service
qubes-whonix-tor.service - Whonix Tor anonymizing overlay network for TCP
   Loaded: loaded (/etc/systemd/system/qubes-whonix-tor.service; enabled)
   Active: inactive (dead)

user@host:~$ sudo systemctl status tor.service
qubes-whonix-tor.service - Whonix Tor anonymizing overlay network for TCP
   Loaded: loaded (/etc/systemd/system/qubes-whonix-tor.service; enabled)
   Active: inactive (udo systemctl restart qubes
sudo systemctl restart qubes-whonix-tor.service - *hangs*

user@host:~$ sudo systemctl status control-port-filter-python
qubes-whonix-control-port-filter-python.service - Control Port Filter Proxy
   Loaded: loaded (/etc/systemd/system/qubes-whonix-control-port-filter-python.service; enabled)
   Active: inactive (dead)



Jason M

May 2, 2015, 10:37:22 PM
to qubes...@googlegroups.com, whoni...@riseup.net, atep...@gmail.com, ora...@riseup.net

Yes, you run the status commands in the Whonix-Proxy while the update is run in the template.
 
 
 user@host:~$ sudo systemctl status qubes-whonix-tor.service
qubes-whonix-tor.service - Whonix Tor anonymizing overlay network for TCP
   Loaded: loaded (/etc/systemd/system/qubes-whonix-tor.service; enabled)
   Active: inactive (dead)

user@host:~$ sudo systemctl status tor.service
qubes-whonix-tor.service - Whonix Tor anonymizing overlay network for TCP
   Loaded: loaded (/etc/systemd/system/qubes-whonix-tor.service; enabled)
   Active: inactive (udo systemctl restart qubes
sudo systemctl restart qubes-whonix-tor.service - *hangs*

user@host:~$ sudo systemctl status control-port-filter-python
qubes-whonix-control-port-filter-python.service - Control Port Filter Proxy
   Loaded: loaded (/etc/systemd/system/qubes-whonix-control-port-filter-python.service; enabled)
   Active: inactive (dead)

Very strange. You could attempt to re-install `qubes-whonix` in the template (https://phabricator.whonix.org/T288). It should re-enable services if they got messed up, but it does not appear so. If you are having problems re-installing, you can always grab the deb and install it manually (http://mirror.whonix.de/whonixdevelopermetafiles/internal/pool/main/q/qubes-whonix/qubes-whonix_10.0.5-1_all.deb). qvm-copy-to-vm the .deb package and run (in the template vm):

dpkg -i qubes-whonix



sudo journalctl -u qubes-whonix-tor.service may contain better clues as to why tor is not starting

JPL

May 4, 2015, 2:29:12 AM
to qubes...@googlegroups.com, ora...@riseup.net, atep...@gmail.com, whoni...@riseup.net


I've obviously managed to bork it somehow and will need to reinstall.

Updating qubes-whonix from the .deb did not work and
sudo journalctl -u qubes-whonix-tor.service just gives a *Logs begin at [date] and end at [date]* message.

Never mind. I have just downloaded the R3 iso and will start again with that.

Thanks for all your help


