[SOLVED] Any one tried installing Whonix on Proxmox??

[fahadshery]

Hi,

I was thinking to check out the WHONIX on proxmox.
They have a KVM install.

I was wondering if anyone already has tried setting it up and if there are any tips on setting it up?

Cheers

 

[UdoB]

Sure.

My starting sequence was (today , 2023-Oct-13):

# wget -4 https://download.whonix.org/libvirt/17.0.3.0/Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz 
# unxz Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz 
# tar xvf Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt

Then create two VMs. Import the relevant images into them. Like qm importdisk 1160 Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 ssd1

The gateway needs two NICs, the Workstation is fine with a single one.

At which stage (there are several steps... not documented) do you have problems? As I have fiddled around with my local networks settings I can not easily deliver a "howto" for everyone...

The most important command in both VMs was to not forget to change the password of the "local" user

Have fun!

 

[fahadshery]

Then create two VMs. Import the relevant images into them. Like qm importdisk 1160 Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 ssd1

please share their specs...may be their qemu machine configs?

The gateway needs two NICs, the Workstation is fine with a single one.

Why the gateway needs two NICs? what are each of their purpose?
again if you could share your VM specs with some explanation. I should be able to try it out myself.

As I have fiddled around with my local networks settings I can not easily deliver a "howto" for everyone...

what are the key take aways around local network settings?

The most important command in both VMs was to not forget to change the password of the "local" user

Cheers for this...will bear in mind...

Many thanks

 

[UdoB]

please share their specs...may be their qemu machine configs?

If you think it helps, here it comes:

Spoiler: My Whonix Gateway

agent: 1
boot: order=ide0
cores: 4
cpu: x86-64-v2-AES
ide0: ssd1:vm-1160-disk-0,size=100G
memory: 2048
meta: creation-qemu=8.0.2,ctime=1697218012
name: whgw
net0: virtio=4E:9C:70:E5:25:5F,bridge=vmbr2,firewall=1
net1: virtio=E6:08:CC:F8:73:73,bridge=vmbr10,firewall=1
numa: 0
ostype: l26
parent: auto-h-231015090759
scsihw: virtio-scsi-single
smbios1: uuid=643b57de-848e-415c-a945-4b1ffc264a81
sockets: 1
vmgenid: b1791e98-1cda-46bb-a741-2257344f5b86

Spoiler: My Whonix Workstation

agent: 1
boot: 
cores: 4
cpu: x86-64-v2-AES
ide0: ssd1:vm-1162-disk-1,aio=threads,size=100G
ide2: none,media=cdrom
memory: 4096
meta: creation-qemu=8.0.2,ctime=1697218507
name: whwsa
net0: virtio=7E:A9:F7:E6:49:F2,bridge=vmbr10,firewall=1
numa: 0
ostype: l26
parent: auto-h-231015090802
scsihw: virtio-scsi-single
smbios1: uuid=280a4824-8168-4c44-8251-927d0662ec00
sockets: 1
vmgenid: 362224fb-37d9-4790-95d3-14d91fae96fe

Why the gateway needs two NICs? what are each of their purpose?

The only special feature and the whole point of the Whonix concept is to create a workstation which has no "normal" access to the internet. It is forced to route its traffic through a special router (the Whonix Gateway).

The only way to achieve this is to put the workstation into an isolated network for this purpose. I chose 10.152.152.11/18

The gateway must have internet access, of course.

When the gateway needs to have internet access AND access to the isolated network for the workstation to live in, it needs to have at least two network cards: WAN: to access the internet, with a configuration which fits your LAN, possibly via DHCP. And a second ISOLATED NIC: 10.152.152.10/18

(The origin and the reason of the netmask /18 is unclear to me. I do not plan to have 16384 computers in that specific network...)

Those two ISOLATED NICs need be able to talk directly to each other. For this just create an empty bridge, without (!) a physical NIC.

what are the key take aways around local network settings?

Actually... nothing.

Please note that in my example setup the workstation is not reachable from my LAN. To achieve this I would add a second NIC to the Workstation and be very careful not to allow outgoing traffic through that NIC. So this configuration is only usable through the PVE-WebGui graphical Console.

Best regards

 

[fahadshery]

The only special feature and the whole point of the Whonix concept is to create a workstation which has no "normal" access to the internet. It is forced to route its traffic through a special router (the Whonix Gateway).

I already have pfSense managing my network using different VLANs. I can get internet access in a completely isolated VLAN for both gateway and the workstation. or create a bridge in pfSense...any thoughts?

(The origin and the reason of the netmask /18 is unclear to me. I do not plan to have 16384 computers in that specific network...)

I agree, but you could try to have normal /24 network and it should work...??

Those two ISOLATED NICs need to be able to talk directly to each other. For this just create an empty bridge, without (!) a physical NIC.

I am also inclined to create a simple bridge in proxmox and use it as a local network between gateway and the workstation.

Please note that in my example setup the workstation is not reachable from my LAN. To achieve this I would add a second NIC to the Workstation and be very careful not to allow outgoing traffic through that NIC. So this configuration is only usable through the PVE-WebGui graphical Console.

Could you explain the steps you took to make sure workstation won't send it's traffic to the gateway/internet using the LAN side NIC?

Many thanks for your detailed post...really cleared some things up for me... I might create a YouTube video and credit you with the information if I get it to work

Cheers

 

[UdoB]

I already have pfSense managing my network using different VLANs. I can get internet access in a completely isolated VLAN for both gateway and the workstation. or create a bridge in pfSense...any thoughts?

You can build the topology as complicated as you wish
I do prefer to put "bridge building" on the PVE node(s). And my bridges do deliver only untagged traffic into VMs. But this is my personal preference. I do know the strategy with "VLAN aware" bridges. But as I do not use pfSense I can not tell if that is a good idea or if it has real drawbacks.

The point is to have an isolated network which allows ONLY communication between Gateway and Workstation. The Gateway has a second NIC to forward traffic into the internet and it makes sure to use Tor.

I agree, but you could try to have normal /24 network and it should work...??

The network connection between Whonix Gateway and Workstation is a very normal one, there is no magic involved. So yes, I would expect it to work with any usual network config, including a "/24".

If I remember correctly the only reason to use this "10.152..../18" definition was because I found it preconfigured in /etc/network/interfaces.d/30-non-qubes-whonix (on both the workstation and gateway).

Could you explain the steps you took to make sure workstation won't send it's traffic to the gateway/internet using the LAN side NIC?

The Workstation has only one NIC. The only other device on this network is the Whonix Gateway. So the Workstation can only send data to that Whonix Gateway. All other devices in my home, including my real gateway, are actually unreachable.

Many thanks for your detailed post...really cleared some things up for me...

Thank. You might click the "Like"-Buttons ;-)

I might create a YouTube video and credit you with the information if I get it to work

Nothing against it, but not necessary. From my point of view the information I put here is licensed CC0

Best regards

 

[fahadshery]

I think it's time to configure and find out if it works with pfSense VLAN...just need to make sure I don't apply an IP interface on this VLAN.
TVM for your time. Appreciate it

 

[fahadshery]

I do prefer to put "bridge building" on the PVE node(s). And my bridges do deliver only untagged traffic into VMs. But this is my personal preference. I do know the strategy with "VLAN aware" bridges. But as I do not use pfSense I can not tell if that is a good idea or if it has real drawbacks.

Sorry back again, I tried with a VLAN let's say VLAN10 with an IP interface in the range of 10.152.152.1/18. but still can't get workstation to talk to gateway. Could you share a picture or the bridge you created on Proxmox pls?

Much appreciated

 

[UdoB]

Could you share a picture or the bridge you created on Proxmox pls?

My Gateway has two NICs, one is in my DMZ with the default gateway being my DSL Modem. The full config is somewhere above; you can see it contains:

net0: virtio=4E:9C:70:E5:25:5F,bridge=vmbr2,firewall=1
net1: virtio=E6:08:CC:F8:73:73,bridge=vmbr10,firewall=1

These bridges are really standard "untagged" bridges:

~# grep -A4 vmbr2 /etc/network/interfaces
auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp4s0.2
        bridge-stp off
        bridge-fd 0
#dmz

~# grep -A4 vmbr10 /etc/network/interfaces
auto vmbr10
iface vmbr10 inet manual
        bridge-ports enp4s0.10
        bridge-stp off
        bridge-fd 0
#tor

The Workstation has only one NIC. From the config:

net0: virtio=7E:A9:F7:E6:49:F2,bridge=vmbr10,firewall=1

These two virtual machines are the only ones that are connected to vmbr10. This makes it "isolated" for its intended purpose and the Workstation has absolutely no chance to connect to the internet except through the Whonix Gateway.

Best regards

 

[fahadshery]

These two virtual machines are the only ones that are connected to vmbr10. This makes it "isolated" for its intended purpose and the Workstation has absolutely no chance to connect to the internet except through the Whonix Gateway.

I was puzzled by the gateway's DNS settings...I set it up perfectly using pfSense now....
You're a star...thank you for helping out!

Cheers!

 

[fahadshery]

Here is the YouTube video for anyone come looking for this...

 

[nomadmike]

I have watched your video, but my gateway machine will not connect this is my network setup, I added a second card to my mini PC



vmbr2 and created a bridge for the workstation vmbr3

When I load the gateway and run ip a its using a 10.0 ip rang but my router is on 192.168 range



if I try and use vmbr (my internal network from pfsense) whonix will not load with an error vmbr not connected to a physical adapter

The whonix gateway just sits at 5% cannot connect, I have tried connecting using the vmbr0 but have the same issue?