-
Initial Setup
-
First let's make sure all logs get erased upon system shutdown as described in my previous tutorial on host OS hardening (by piping all logs to go to the /tmp/ folder):
-
-
We also make sure that the script to remove logs also includes shutting down the VMs and closes the veracrypt volume just like the emergency shutdown script we detailed in the previous tutorial on homeserver physical security:
-
-
-[ mainpc ] [ /dev/pts/2 ] [~/logremover]
-→ cat /etc/systemd/system/reboot_logremover.service
-[Unit]
-Description=Shutdown Anti forensics
-DefaultDependencies=no
-Before=shutdown.target reboot.target halt.target
-
-[Service]
-Type=oneshot
-ExecStart=/root/shutdown.sh
-TimeoutStartSec=0
-
-[Install]
-WantedBy=shutdown.target reboot.target halt.target
-
-[ mainpc ] [ /dev/pts/2 ] [~/logremover]
-→ cat shutdown.sh
-#!/bin/bash
-
-#remove VMs
-
-sudo virsh -c qemu:///system destroy Whonix-Gateway
-sudo virsh -c qemu:///system destroy Whonix-Workstation
-sudo virsh -c qemu:///system undefine Whonix-Gateway
-sudo virsh -c qemu:///system undefine Whonix-Workstation
-sudo virsh -c qemu:///system net-destroy Whonix-External
-sudo virsh -c qemu:///system net-destroy Whonix-Internal
-sudo virsh -c qemu:///system net-undefine Whonix-External
-sudo virsh -c qemu:///system net-undefine Whonix-External
-
-#then unmount veracrypt volumes
-
-sudo veracrypt -d -f
-
-# then cleanup logs
-
-sudo rm -rf /dev/shm/*
-sudo rm -rf /var/log/*
-sudo dmesg -c
-
-
-
In the shutdown.sh script we also make sure that the VMs are removed, and that the veracrypt volumes are unmounted, before clearing up the logs.
-
-
Next we're going to install libvirt as seen in our previous tutorial on host os hardeninghere:
-
-sudo pacman -S libvirt qemu-full virt-manager dnsmasq bridge-utils
-
-sudo systemctl enable --now libvirtd
-
-#####################vault.sh:#######################################
-#!/bin/bash
-echo "[+] MOUNTING VAULTS..."
-
-sudo cryptsetup luksOpen /dev/nvme1n1p1 VAULT
-sudo mkdir /run/media/nihilist/VAULT 2>/dev/null
-sudo mount /dev/mapper/VAULT /run/media/nihilist/VAULT
-
-echo "[+] VAULTS MOUNTED"
-###################################################################
-
-usermod -a -G libvirt nihilist
-usermod -a -G kvm nihilist
-
-[root@nowhere ~]# vim /etc/libvirt/libvirtd.conf
-[root@nowhere ~]# cat /etc/libvirt/libvirtd.conf | grep sock_group
-unix_sock_group = "libvirt"
-unix_sock_rw_perms = "0770"
-
-sudo chmod 770 -R VMs
-sudo chown nihilist:libvirt -R VMs
-
-cat /etc/libvirt/qemu.conf
-group = "libvirt"
-user = "nihilist"
-
-systemctl restart libvirtd.service
-
-virt-manager
-
-
-
-
Next step we create the veracrypt drives, so use the /dev/sdb harddrive for it:
-
-[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
-→ lsblk
-NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
-sda 8:0 0 1.8T 0 disk
-└─sda1 8:1 0 1.8T 0 part
-sdb 8:16 0 447.1G 0 disk
-sdc 8:32 0 3.6T 0 disk
-└─VAULTBACKUP 253:1 0 3.6T 0 crypt /mnt/VAULTBACKUP
-zram0 254:0 0 4G 0 disk [SWAP]
-nvme1n1 259:0 0 1.8T 0 disk
-└─nvme1n1p1 259:1 0 1.8T 0 part
- └─VAULT 253:0 0 1.8T 0 crypt /mnt/VAULT
-nvme0n1 259:2 0 465.8G 0 disk
-├─nvme0n1p1 259:3 0 511M 0 part /boot
-└─nvme0n1p2 259:4 0 465.3G 0 part /
-
-
-
-
Be aware that the 3 VMs we need to place in a veracrypt container all weigh 100GB each so you need 300Gb for all 3 VMs, so you need at least 2x300Gb to replicate the setup in the decoy partition, so pick a 1.2TB harddrive instead, with some additional space so preferably a 1.8TB one just to be safe, unlike as shown below (a 500gb disk which is not enough!)
-
So let's now setup the hidden partition there:
-
-[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
-→ sudo pacman -S veracrypt
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Now that's done, let's setup the whonix and workstations templates, we will then copy them in the veracrypt harddrive afterward to edit them. So let's go here to download whonix for QEMU:
-
-
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ mv ~/Downloads/Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz .
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ tar -xvf Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
-WHONIX_BINARY_LICENSE_AGREEMENT
-WHONIX_DISCLAIMER
-Whonix-Gateway-Xfce-17.0.3.0.xml
-Whonix-Workstation-Xfce-17.0.3.0.xml
-Whonix_external_network-17.0.3.0.xml
-Whonix_internal_network-17.0.3.0.xml
-Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
-Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
-
-
Next we edit the XML files to have the working VMs, for which we will give 2GB of ram for the gateway, and 4GB of ram for the workstation while also specifying the path to their .qcow2 volumes:
-
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep GiB
- <memory dumpCore='off' unit='GiB'>4
- <currentMemory unit='GiB'>4
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cat Whonix-Workstation-Xfce-17.0.3.0.xml| grep source
- <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-
-
-
-
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cat Whonix-Gateway-Xfce-17.0.3.0.xml | grep GiB
- <memory dumpCore='off' unit='GiB'>2
- <currentMemory unit='GiB'>2
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
- <source file='/mnt/VAULT/ISOs/whonix/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-
-
and now to make things easier let's put a refreshvms.sh script in there to remove and restart the VMs:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ vim refreshvms.sh
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cat refreshvms.sh
-#!/bin/bash
-
-#remove VMs
-
-sudo virsh -c qemu:///system destroy Whonix-Gateway
-sudo virsh -c qemu:///system destroy Whonix-Workstation
-sudo virsh -c qemu:///system undefine Whonix-Gateway
-sudo virsh -c qemu:///system undefine Whonix-Workstation
-sudo virsh -c qemu:///system net-destroy Whonix-External
-sudo virsh -c qemu:///system net-destroy Whonix-Internal
-sudo virsh -c qemu:///system net-undefine Whonix-External
-sudo virsh -c qemu:///system net-undefine Whonix-External
-
-echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
-read
-
-#install VMs
-
-sudo virsh -c qemu:///system net-define Whonix_external*.xml
-sudo virsh -c qemu:///system net-define Whonix_internal*.xml
-sudo virsh -c qemu:///system net-autostart Whonix-External
-sudo virsh -c qemu:///system net-start Whonix-External
-sudo virsh -c qemu:///system net-autostart Whonix-Internal
-sudo virsh -c qemu:///system net-start Whonix-Internal
-sudo virsh -c qemu:///system define Whonix-Gateway*.xml
-sudo virsh -c qemu:///system define Whonix-Workstation*.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ chmod +x refreshvms.sh
-
-
-
then run it:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ ./refreshvms.sh
-error: Failed to destroy domain 'Whonix-Gateway'
-error: Requested operation is not valid: domain is not running
-
-error: Failed to destroy domain 'Whonix-Workstation'
-error: Requested operation is not valid: domain is not running
-
-Domain 'Whonix-Gateway' has been undefined
-
-Domain 'Whonix-Workstation' has been undefined
-
-Network Whonix-External destroyed
-
-Network Whonix-Internal destroyed
-
-Network Whonix-External has been undefined
-
-error: failed to get network 'Whonix-External'
-error: Network not found: no network with matching name 'Whonix-External'
-
-[+] VMs removed, re-install them ? (ctrl+c to exit)
-
-Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
-
-error: Failed to define network from Whonix_internal_network-17.0.3.0.xml
-error: operation failed: network 'Whonix-Internal' already exists with uuid 48298ccf-9352-4b21-b6c4-17ad13ad1d6d
-
-Network Whonix-External marked as autostarted
-
-Network Whonix-External started
-
-Network Whonix-Internal marked as autostarted
-
-Network Whonix-Internal started
-
-Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
-
-Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
-
-
-
Then launch the VMs from virt-manager:
-
-
let's start with the Gateway:
-
-
-
-
-
-
Now that's done you can also finish the initial setup for the workstation:
-
-
-
So from here you can use whonix regularly to browse with the tor browser, don't forget to disable javascript and to always keep the browser up to date like so:
-
-
As suggested above, we'll also upgrade the VMs, and to go further we'll install unattended upgrades (note whonix's default system credentials are user:changeme:
-
-$ passwd
-$ sudo -i
-# apt update -y ; apt upgrade -y ; apt autoremove -y
-# apt install unattended-upgrades apt-listchanges -y
-# dpkg-reconfigure -plow unattended-upgrades
-
-^ select yes there
-
-
-
Next step is to have the second workstation which will be used as the vpn over tor setup later on so let's copy the .xml and .qcow2 after shutting down the existing workstation:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ ls
-refreshvms.sh Whonix_external_network-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
-WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.xml
-WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
-WHONIX_DISCLAIMER Whonix_internal_network-17.0.3.0.xml
-
- 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cp Whonix-Workstation-Xfce-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cp Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
-
-
-
Then edit the new xml file to match the new VM name:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep Workstation2
- <name>Whonix-Workstation2</name>
- <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-
-
Then we include it in the refreshVMs.sh script:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cat refreshvms.sh
-#!/bin/bash
-
-#remove VMs
-
-sudo virsh -c qemu:///system destroy Whonix-Gateway
-sudo virsh -c qemu:///system destroy Whonix-Workstation
-sudo virsh -c qemu:///system destroy Whonix-Workstation2
-
-sudo virsh -c qemu:///system undefine Whonix-Gateway
-sudo virsh -c qemu:///system undefine Whonix-Workstation
-sudo virsh -c qemu:///system undefine Whonix-Workstation2
-
-
-sudo virsh -c qemu:///system net-destroy Whonix-External
-sudo virsh -c qemu:///system net-destroy Whonix-Internal
-sudo virsh -c qemu:///system net-undefine Whonix-External
-sudo virsh -c qemu:///system net-undefine Whonix-Internal
-
-
-
-
-echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
-read
-
-#install VMs
-sudo virsh -c qemu:///system net-define Whonix_external*.xml
-sudo virsh -c qemu:///system net-define Whonix_internal*.xml
-
-
-sudo virsh -c qemu:///system net-autostart Whonix-External
-sudo virsh -c qemu:///system net-start Whonix-External
-
-sudo virsh -c qemu:///system net-autostart Whonix-Internal
-sudo virsh -c qemu:///system net-start Whonix-Internal
-
-sudo virsh -c qemu:///system define Whonix-Gateway*.xml
-sudo virsh -c qemu:///system define Whonix-Workstation2*.xml
-sudo virsh -c qemu:///system define Whonix-Workstation-*.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ ./refreshvms.sh
-error: Failed to destroy domain 'Whonix-Gateway'
-error: Requested operation is not valid: domain is not running
-
-error: Failed to destroy domain 'Whonix-Workstation'
-error: Requested operation is not valid: domain is not running
-
-error: Failed to destroy domain 'Whonix-Workstation2'
-error: Requested operation is not valid: domain is not running
-
-Domain 'Whonix-Gateway' has been undefined
-
-Domain 'Whonix-Workstation' has been undefined
-
-Domain 'Whonix-Workstation2' has been undefined
-
-Network Whonix-External destroyed
-
-Network Whonix-Internal destroyed
-
-Network Whonix-External has been undefined
-
-Network Whonix-Internal has been undefined
-
-[+] VMs removed, re-install them ? (ctrl+c to exit)
-
-Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
-
-Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
-
-Network Whonix-External marked as autostarted
-
-Network Whonix-External started
-
-Network Whonix-Internal marked as autostarted
-
-Network Whonix-Internal started
-
-Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
-
-Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
-
-
-
Then edit the new workstation VM to have the 10.152.152.12 ip by default (since the other one has the 10.152.152.11 ip):
-
-
-
Now that our VM templates are done, let's put them on our veracrypt harddrive:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ ./refreshvms.sh
-[sudo] password for nothing:
-Domain 'Whonix-Gateway' destroyed
-
-Domain 'Whonix-Workstation' destroyed
-
-Domain 'Whonix-Workstation2' destroyed
-
-Domain 'Whonix-Gateway' has been undefined
-
-Domain 'Whonix-Workstation' has been undefined
-
-Domain 'Whonix-Workstation2' has been undefined
-
-Network Whonix-External destroyed
-
-Network Whonix-Internal destroyed
-
-Network Whonix-External has been undefined
-
-Network Whonix-Internal has been undefined
-
-[+] VMs removed, re-install them ? (ctrl+c to exit)
-^C
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ ls
-refreshvms.sh Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
-WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.xml
-WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix_internal_network-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
-WHONIX_DISCLAIMER Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
-Whonix_external_network-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-
-
-
-
Once mounted, let's copy them here and launch them:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
-→ cd /media/veracrypt1
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cp /mnt/VAULT/ISOs/whonix/* .
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ ls -lash
-total 21G
-4.0K drwxr-xr-x 2 nothing nothing 4.0K Oct 8 13:35 .
-4.0K drwxr-xr-x 3 root root 4.0K Oct 8 13:34 ..
-4.0K -rwxr-xr-x 1 nothing nothing 1.2K Oct 8 13:35 refreshvms.sh
- 40K -rw-r--r-- 1 nothing nothing 39K Oct 8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT
- 0 -rw-r--r-- 1 nothing nothing 0 Oct 8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT_accepted
-8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 8 13:35 WHONIX_DISCLAIMER
-4.0K -rw-r--r-- 1 nothing nothing 172 Oct 8 13:35 Whonix_external_network-17.0.3.0.xml
-5.2G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
-4.0K -rw-r--r-- 1 nothing nothing 2.4K Oct 8 13:35 Whonix-Gateway-Xfce-17.0.3.0.xml
-4.0K -rw-r--r-- 1 nothing nothing 97 Oct 8 13:35 Whonix_internal_network-17.0.3.0.xml
-6.9G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
-4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.xml
-7.0G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
-4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 8 13:35 Whonix-Workstation-Xfce-17.0.3.0.xml
-1.3G -rw-r--r-- 1 nothing nothing 1.3G Oct 8 13:35 Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
-
-
-
Now that's done, you need to edit each XML to make sure it has the correct path in it:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
- <source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
- <source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
- <source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-
-
Then you can use the VMs using the refreshvms.sh script:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ ./refreshvms.sh
-[sudo] password for nothing:
-error: failed to get domain 'Whonix-Gateway'
-
-error: failed to get domain 'Whonix-Workstation'
-
-error: failed to get domain 'Whonix-Workstation2'
-
-error: failed to get domain 'Whonix-Gateway'
-
-error: failed to get domain 'Whonix-Workstation'
-
-error: failed to get domain 'Whonix-Workstation2'
-
-error: failed to get network 'Whonix-External'
-error: Network not found: no network with matching name 'Whonix-External'
-
-error: failed to get network 'Whonix-Internal'
-error: Network not found: no network with matching name 'Whonix-Internal'
-
-error: failed to get network 'Whonix-External'
-error: Network not found: no network with matching name 'Whonix-External'
-
-error: failed to get network 'Whonix-Internal'
-error: Network not found: no network with matching name 'Whonix-Internal'
-
-[+] VMs removed, re-install them ? (ctrl+c to exit)
-
-
-Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
-
-Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
-
-Network Whonix-External marked as autostarted
-
-Network Whonix-External started
-
-Network Whonix-Internal marked as autostarted
-
-Network Whonix-Internal started
-
-Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
-
-Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
-
-
-
Now with this if you are forced to give away the password for that harddrive, you can give them this decoy partition, and they'll find the whonix VMs you've copied there.
-
So now dismount the veracrypt partition, to do that you need to first remove the VMs with the script, and then you need to EXIT the folder, otherwise it'll complain and tell you that the target drive is busy and can't be unmounted:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ ./refreshvms.sh
-error: Failed to destroy domain 'Whonix-Gateway'
-error: Requested operation is not valid: domain is not running
-
-error: Failed to destroy domain 'Whonix-Workstation'
-error: Requested operation is not valid: domain is not running
-
-error: Failed to destroy domain 'Whonix-Workstation2'
-error: Requested operation is not valid: domain is not running
-
-Domain 'Whonix-Gateway' has been undefined
-
-Domain 'Whonix-Workstation' has been undefined
-
-Domain 'Whonix-Workstation2' has been undefined
-
-Network Whonix-External destroyed
-
-Network Whonix-Internal destroyed
-
-Network Whonix-External has been undefined
-
-Network Whonix-Internal has been undefined
-
-[+] VMs removed, re-install them ? (ctrl+c to exit)
-^C
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cd ..
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
-→
-
-
-
Now that's done for the decoy partition, we do the same for the hidden partition:
-
-
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
-→ cd veracrypt1
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cp /mnt/VAULT/ISOs/whonix/* .
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ ls
-refreshvms.sh Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
-WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.xml
-WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix_internal_network-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
-WHONIX_DISCLAIMER Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
-Whonix_external_network-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-
-
Then edit the paths again:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
- <source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
- <source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
- <source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
-
-
-
Then start the VMs:
-
-[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
-→ ./refreshvms.sh
-[sudo] password for nothing:
-error: failed to get domain 'Whonix-Gateway'
-
-error: failed to get domain 'Whonix-Workstation'
-
-error: failed to get domain 'Whonix-Workstation2'
-
-error: failed to get domain 'Whonix-Gateway'
-
-error: failed to get domain 'Whonix-Workstation'
-
-error: failed to get domain 'Whonix-Workstation2'
-
-error: failed to get network 'Whonix-External'
-error: Network not found: no network with matching name 'Whonix-External'
-
-error: failed to get network 'Whonix-Internal'
-error: Network not found: no network with matching name 'Whonix-Internal'
-
-error: failed to get network 'Whonix-External'
-error: Network not found: no network with matching name 'Whonix-External'
-
-error: failed to get network 'Whonix-Internal'
-error: Network not found: no network with matching name 'Whonix-Internal'
-
-[+] VMs removed, re-install them ? (ctrl+c to exit)
-
-Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
-
-Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
-
-Network Whonix-External marked as autostarted
-
-Network Whonix-External started
-
-Network Whonix-Internal marked as autostarted
-
-Network Whonix-Internal started
-
-Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
-
-Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
-
-Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
-
-
-
You need to keep in mind that currently we have not given out any information about ourselves, other than we've used Tor. We won't stop there, and in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN Connection itself through Tor. Cherry on top is that we're going to use a well-used VPN service, so we won't be the only user with that public VPN ip. But what matters is that we do not give any information about us to the VPN provider. If the VPN provider forces you to provide anything personal (if the vpn provider blocks tor connections, or forces you to buy it with something else than monero), then it would not truly be a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing.
-
-
Now that's done we can go find a vpn provider for the workstation2, let's try out the very praised mullvad vpn provider here, Firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), also due to the fact that we won't be the only ones using that service, it means we won't need to change the VPN server when we want to have another identity online. On top of that, mullvad gives us the ability to connect to a random server of theirs, via openvpn via TCP on port 443, which is definitely neat because it mimicks web HTTPS traffic, and isn't blockable by tor exit node hosters (which is definitely a trend, most of them block ports that are suceptible to abuse, 443 https being the least likely of them):
-
-
-
now to not loose your accesses , make sure to save credentials in a local keepass database on the VM.
-
-
-
-
Now let's add time to our account, and of course we will pay with the only cryptocurrency that's used:
-
-
-
To get some monero you can buy it on localmonero.co, and make sure it arrives on your monero wallet inside the whonix VM, never trust centralised exchanges with your assets, always keep them locally.
-
-
Once it finishes installing, create your monero wallet:
-
-
Then say no to mining and use an onion-based monero daemon, like the one i'm hosting, you can find a full list of other ones here:
-
-
Wait for it to finish synchronizing, then get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created:
-
-
-
Once you've paid, download the .ovpn file to connect via vpn:
-
-
Then unzip and let's now make sure the vpn goes through tor:
-
-
-
To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to mention the entry node which is the gateway 10.152.152.10:
-
-
before we launch it keep in mind this:
-
-
Then launch the VPN and you can then see that you no longer have a tor exit node IP:
-
-
-
Now check your ip from Firefox, not the tor browser:
-
-
You can also check if there are any DNS leaks:
-
-
here we see the test revealed a dns ip leak, but upon checking (in shodan.io) we see that it's a tor exit IP address:
-
-
We can also check if there are any WebRTC leaks:
-
-
and there we see that there are no webRTC leaks either, so it's all good.
-
To make sure the vpn is started automatically we can make it a systemd service:
-
-root@workstation:~# cat /etc/systemd/system/vpn.service
-[Unit]
-Description=VPN
-After=network-online.target
-Wants=network-online.target
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=simple
-WorkingDirectory=/home/user/Desktop/mullvad_config_linux_nl_ams/
-ExecStart=/usr/sbin/openvpn /home/user/Desktop/mullvad_config_linux_nl_ams/mullvad_nl_ams.conf
-ExecStop=kill -9 $(pidof openvpn)
-Restart=always
-
-root@workstation:~# systemctl daemon-reload ; systemctl enable --now vpn.service ; systemctl restart vpn.service
-
-
-
-
Now thanks to that, you can still browse websites anonymously in case if they block tor exit nodes.
-
-
-
-
-
-
-
- 
-
-
-
-
-
-
+
+