--- author: nihilist date: 2024-03-10 gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/93" xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 --- # Whonix QEMU Setup ![](0.png) Whonix is an open-source OS made specifically for general anonymous activities. In this tutorial we're going to set it up using the QEMU virtualization setup we installed previously. ## _OPSEC Recommendations:_ 1. Hardware : (Personal Computer / Laptop) 2. Host OS: [Linux](../linux/index.md) 3. Hypervisor: [libvirtd QEMU/KVM](../hypervisorsetup/index.md) 4. Application: [Host-based VPN](../index.md) (if your ISP doesn't allow Tor traffic) I recommend using this setup into one of the above mentioned VMs, for [Anonymous use](../anonymityexplained/index.md), as per the [4 basic OPSEC levels](../opsec4levels/index.md). _Sidenote:_ If your ISP does not allow Tor traffic, make sure that you [route the QEMU VMs traffic through a VPN](../vpnqemu/index.md), to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup ## **Initial Setup** Make sure that you have setup the QEMU / virt-viewer setup we described in [this](../hypervisorsetup/index.md) earlier tutorial Then install download the whonix VMS as follows: First go [here](https://www.whonix.org/wiki/KVM) to download whonix for qemu, ![](1.png) Then extract the .xz file where you want the image to be at: [ 10.8.0.3/24 ] [ nowhere ] [~/Downloads] → mv Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz /mnt/VAULT/VMs/ [ 10.8.0.3/24 ] [ nowhere ] [~/Downloads] → cd /mnt/VAULT/VMs/ [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → tar -xvf Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz WHONIX_BINARY_LICENSE_AGREEMENT WHONIX_DISCLAIMER Whonix-Gateway-XFCE-17.0.3.0.xml Whonix-Workstation-XFCE-17.0.3.0.xml Whonix_external_network-17.0.3.0.xml Whonix_internal_network-17.0.3.0.xml Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2 [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → ls -lash total 7.9G 4.0K drwxr-xr-x 2 nothing nothing 4.0K Dec 29 20:10 . 4.0K drwxr-xr-x 4 nothing nothing 4.0K Dec 29 20:09 .. 40K -rw-r--r-- 1 nothing nothing 39K Oct 21 2015 WHONIX_BINARY_LICENSE_AGREEMENT 0 -rw-r--r-- 1 nothing nothing 0 Dec 29 20:10 WHONIX_BINARY_LICENSE_AGREEMENT_accepted 8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 21 2015 WHONIX_DISCLAIMER 4.0K -rw-r--r-- 1 nothing nothing 172 Oct 21 2015 Whonix_external_network-17.0.3.0.xml 2.7G -rw-r--r-- 1 nothing nothing 101G Oct 21 2015 Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2 4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21 2015 Whonix-Gateway-XFCE-17.0.3.0.xml 4.0K -rw-r--r-- 1 nothing nothing 97 Oct 21 2015 Whonix_internal_network-17.0.3.0.xml 3.8G -rw-r--r-- 1 nothing nothing 101G Oct 21 2015 Whonix-Workstation-XFCE-17.0.3.0.Intel_AMD64.qcow2 4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21 2015 Whonix-Workstation-XFCE-17.0.3.0.xml 1.4G -rw-r--r-- 1 nothing nothing 1.4G Dec 29 20:06 Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz So now we have the qcow2 files (take note that it can), so we can proceed following the instructions: [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] → vim Whonix-Gateway-XFCE-17.0.3.0.xml [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] → cat Whonix-Gateway-XFCE-17.0.3.0.xml | grep VAULT <****source file='/mnt/VAULT/VMs/Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2'/> [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] → vim Whonix-Workstation-XFCE-17.0.3.0.xml [ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs] → cat Whonix-Workstation-XFCE-17.0.3.0.xml | grep VAULT <****source file='/mnt/VAULT/VMs/Whonix-Workstation-XFCE-17.0.3.0.Intel_AMD64.qcow2'/> [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system net-define Whonix_external*.xml [sudo] password for nothing: Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system net-define Whonix_internal*.xml Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system net-autostart Whonix-External Network Whonix-External marked as autostarted [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system net-start Whonix-External Network Whonix-External started [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system net-autostart Whonix-Internal Network Whonix-Internal marked as autostarted [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system net-start Whonix-Internal Network Whonix-Internal started [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system define Whonix-Gateway*.xml Domain 'Whonix-Gateway' defined from Whonix-Gateway-XFCE-17.0.3.0.xml [ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs] → sudo virsh -c qemu:///system define Whonix-Workstation*.xml Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-17.0.3.0.xml make sure you give them 4gb of RAM before launching them, then launch them: [nihilist@nowhere VMs]$ cat Whonix-Gateway.xml | grep KiB <****memory dumpCore="off" unit="KiB">2097152 <****currentMemory unit="KiB">2097152 [nihilist@nowhere VMs]$ cat Whonix-Workstation.xml | grep KiB <****memory dumpCore="off" unit="KiB">4194304 <****currentMemory unit="KiB">4194304 we can automate the VM startup procedure with a simple bashscript like so : [nihilist@nowhere VMs]$ cat refreshvms.sh #!/bin/bash #remove VMs sudo virsh -c qemu:///system destroy Whonix-Gateway sudo virsh -c qemu:///system destroy Whonix-Workstation sudo virsh -c qemu:///system undefine Whonix-Gateway sudo virsh -c qemu:///system undefine Whonix-Workstation sudo virsh -c qemu:///system net-destroy Whonix-External sudo virsh -c qemu:///system net-destroy Whonix-Internal sudo virsh -c qemu:///system net-undefine Whonix-External sudo virsh -c qemu:///system net-undefine Whonix-External echo '[+] VMs removed, re-install them ? (ctrl+c to exit)' read #install VMs sudo virsh -c qemu:///system net-define Whonix_external*.xml sudo virsh -c qemu:///system net-define Whonix_internal*.xml sudo virsh -c qemu:///system net-autostart Whonix-External sudo virsh -c qemu:///system net-start Whonix-External sudo virsh -c qemu:///system net-autostart Whonix-Internal sudo virsh -c qemu:///system net-start Whonix-Internal sudo virsh -c qemu:///system define Whonix-Gateway.xml sudo virsh -c qemu:///system define Whonix-Workstation.xml You can run it like so: [nihilist@nowhere VMs]$ chmod +x refreshvms.sh [nihilist@nowhere VMs]$ ./refreshvms.sh [sudo] password for nihilist: Domain 'Whonix-Gateway' destroyed Domain 'Whonix-Workstation' destroyed Domain 'Whonix-Gateway' has been undefined Domain 'Whonix-Workstation' has been undefined Network Whonix-External destroyed Network Whonix-Internal destroyed Network Whonix-External has been undefined error: failed to get network 'Whonix-External' error: Network not found: no network with matching name 'Whonix-External' [+] VMs removed, re-install them ? (ctrl+c to exit) Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml error: Failed to define network from Whonix_internal_network-17.0.3.0.xml error: operation failed: network 'Whonix-Internal' already exists with uuid 878828d6-fd1f-49ac-9d0c-9c829c414b80 Network Whonix-External marked as autostarted Network Whonix-External started Network Whonix-Internal marked as autostarted Network Whonix-Internal started Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml ![](2.png) ## **Basic Whonix Usage** So now you can compatmentalize your anonymous usage in a separate VM by using the tor browser there, along with keepass and monero: You can open Onion Circuits on the gateway VM to view the tor connections being built up in real time like so : ![](3.png) And inside the Workstation VM you can browse Tor, and use Keepass just like in the [previous tutorial](../torbrowsing/index.md): ![](4.png) you can also use monero (take note that the default sudo password in whonix is "changeme", so don't forget to change it): [workstation user ~]% passwd [workstation user ~]% sudo apt install monero -y [workstation user ~]% monero-wallet-cli