Multiple Whonix-Gateway

From Whonix
Jump to navigation Jump to search

Compartmentalization. Managing multiple Whonix-Gateway.

Introduction[edit]

Info Note: It is far safer and easier to manage multiple Whonix-Gateway when only one is launched for user activities, rather than running many in parallel.

Multiple Whonix-Gateway can be used alongside multiple Whonix-Workstation, but this has both advantages and disadvantages. One security benefit is the isolation of separate Whonix-Gateway VM instances. In the event that one Whonix-Gateway is compromised, it is not certain the other(s) will be similarly compromised. On the downside, newly cloned Whonix-Gateway(s) will end up with a different set of Tor entry guards unless precautions are taken. [1] [2]

In this configuration ISPs are probably capable of detecting that two different Tor data folders are in use, but this is not necessarily an anonymity threat. Similarly, if multiple Tor Browsers are used with distinct Whonix-Gateway, then a different set of Tor entry guards will be used as well (unless by chance the same Tor guards are chosen for different Whonix-Gateway).

When multiple Whonix-Gateway are run in parallel, the risks explained in the Multiple Whonix-Workstation: Safety Precautions section equally apply.

How to use Multiple Whonix-Gateway[edit]

Platform specific. Select your virtualizer below.

VirtualBox

In VirtualBox Manager, it is necessary to change the name of the internal network for both Whonix-Gateway and Whonix-Workstation.

1. Learn the default Whonix internal network name.

It is Whonix.

2. Pick an alternative internal network name.

For the second, third or nth multiple Whonix-Gateway another internal network name is required. Any name can be used, but make sure it is not re-used in any other Whonix-Gateway which should be isolated from this one. The following example will use Whonix2, however it could be something completely different like for-my-onion-web-server.

3. Change Whonix-Gateway internal network name.

  • VirtualBox → Whonix-Gateway → SettingsNetworkAdapter 2Name: → change Whonix to something else such as Whonix2OK

4. Change Whonix-Workstation internal network name.

  • VirtualBox → Whonix-Workstation → SettingsNetworkAdapter 1Name: → change Whonix to the same internal network name as above → OK

5. Done.

KVM

In this configuration, Whonix-Workstation will not be able to communicate with one another. This is recommended to keep different Tor activity profiles completely separate. To run multiple Whonix-Gateway it is necessary to clone existing VMs; the steps below assume an existing Whonix install.

1. Create clones of the Gateway and Workstation VMs rolled back to clean snapshots.

In Virtual Machine Manager: Highlight VMOpenVirtual MachineClone...Clone

2. Export Whonix internal network settings.

sudo virsh net-dumpxml Whonix-Internal > Whonix-Internal2.xml

3. Edit the network configuration to make it unique.

  • Change the name and bridge name.
  • Delete the mac address and uuid parameters.

Alternatively, replace the configuration with the example below (this assumes the only custom networks are Whonix-related).

<network>
  <name>Whonix-Internal2</name>
  <bridge name='virbr3' stp='on' delay='0'/>
</network>

Save and exit.

CTRL-X
y
CTRL-M

Note:

  • virbr1 is assigned to the Whonix-External network (default Whonix-Gateway external NAT NIC); and
  • virbr2 is assigned to the Whonix-Internal network (default Whonix-Workstation internal NIC).

Therefore, the network name was changed to internal2 and the bridge name to virbr3.

4. Import and start the new network.

virsh -c qemu:///system net-define Whonix-Internal2.xml

virsh -c qemu:///system net-autostart Whonix-Internal2

virsh -c qemu:///system net-start Whonix-Internal2

5. Attach the Gateway and Workstation VM NICs to the new network.

Ensure that one Gateway NIC is attached to the external network. It is important to carefully match internal network interfaces to the new ones and not accidentally switch to a NIC that connects outside.

To edit the VM virtual NIC settings:
Highlight VMOpenSettingsNIC virtual hardware → Set Network Source to: Virtual network 'Whonix-Internal2' : Isolated network, internal and host routing only

Note that the network is exclusively internal and does not communicate with the host in any way.

6. Setup different external network interfaces.

Also required. The Whonix-Gateway lacks a DHCP client for security hardening reasons and so cannot be attached to the same external network without conflicting with other Whonix-Gateways' traffic. So we must repeat the same steps for creating a unique external network per Whonix-Gateway.

sudo virsh net-dumpxml Whonix-External > Whonix-External2.xml

Edit the network configuration to make it unique.

  • Change the name and bridge name.
  • Delete the mac address and uuid parameters.

Alternatively, replace the configuration with the example below (this assumes the only custom networks are Whonix-related).

<network>
  <name>Whonix-External2</name>
  <bridge name='virbr4' stp='on' delay='0'/>
</network>

Save and exit.

CTRL-X
y
CTRL-M

Import and start the new network.

virsh -c qemu:///system net-define Whonix-External2.xml

virsh -c qemu:///system net-autostart Whonix-External2

virsh -c qemu:///system net-start Whonix-External2

Attach the Gateway and Workstation VM NICs to the new network.

Ensure that one Gateway NIC is attached to the external network. It is important to carefully match internal network interfaces to the new ones and not accidentally switch to a NIC that connects outside.

To edit the VM virtual NIC settings:
Highlight VMOpenSettingsNIC virtual hardware → Set Network Source to: Virtual network 'Whonix-External2' : NAT

Related forum discussion: https://forums.whonix.org/t/do-multiple-whonix-gateways-require-different-whonix-external-virtual-nics/19903archive.org

7. Change the number of pinned CPUs.

It is recommended to edit the cloned workstation's configuration and change the number of pinned CPUs to a different value (3 or 4) compared to the existing gateway and primary workstation. This only works if users have a quad-core system.

8. Done.

Qubes-Whonix

It is simple to create additional Whonix-Gateway (sys-whonix instances) in Qubes-Whonix.

Though the procedure is for advanced users who want the security benefit of separate Whonix-Gateway instances in Qubes-Whonix. While it affords some protection in the event that other Whonix-Gateway instances are compromised, it will result in a different set of Tor entry guards unless precautions are taken.

Please ensure that the newly created sys-whonix is based on the whonix-gateway-17 Template and has a distinctive VM name, so it is not confused with other VMs. Additionally, it is recommended not to run multiple Whonix-Gateway instances in parallel, see Multiple Whonix-Gateway.

To create a Whonix-Gateway ProxyVM in Qubes:

  1. Qubes VM ManagerQubeCreate new qube
  2. Name and label: Name the ProxyVM. Do not include any personal information; if the ProxyVM is compromised, the attacker could run qubesdb-read /name to reveal its name. Use a generic naming convention, for example: sys-whonix-2.
  3. Color: Choose a color label for the Whonix-Gateway ProxyVM.
  4. Type: Choose the type AppVM.
  5. Template: Choose Whonix-Gateway Template. For example: whonix-gateway-17.
  6. Networking: Choose the desired clearnet Service Qube from the list. For example: sys-firewall.
  7. Advanced: Place a check mark in the "provides network" box. This will allow the Whonix-Gateway ProxyVM to provide networking for other App Qubes.
  8. Press: OK.
  9. See screenshots in footnotes if needed. [3]
  10. Open a dom0 terminal.
  11. Add qvm-tag anon-gateway to the newly created App Qube. [4]

Note: Replace sys-whonix-2 with the actual name of the VM.

qvm-tags sys-whonix-2 add anon-gateway

12. Done.

See Also[edit]

Footnotes[edit]

  1. Such as manually configuring identical Tor entry guards. Qube-Whonix users can copy the Tor state folder to another instance or use Bridges.
  2. At present, full instructions are not available for every Non-Qubes-Whonix platform.
  3. Figure: Qubes Manager: Create New Qube - Step 1

    Figure: Qubes Manager: Create New Qube - Step 2
  4. Developer documentation about qvm-tags

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!