Whonix-Gateway Security Hardening
Donate
Optional Whonix-Gateway Security Hardening for advanced users.
Introduction[edit]
Whonix comes with
many security features
. Whonix is
Kicksecure™
hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.
Tip: Disabling Control Port Filter Proxy (onion-grater) can improve security by decreasing the attack surface, while sacrificing usability.
Note that if onion-grater is disabled, users will no longer receive helpful Whonix notifications when Tor is not fully bootstrapped, since the whonixcheck and sdwdate tools rely upon it.
How-to: Disable Control Port Filter Proxy[edit]
Whonix-Gateway[edit]
Deactivate onion-grater in Firewall[edit]
1. Modify Whonix-Gateway™ User Firewall Settings.
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix™, complete these steps.
In Whonix-Gateway App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → User Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.
Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-gateway-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
2. Add the following content.
CONTROL_PORT_FILTER_PROXY_ENABLE=0
3. Save the file.
4. Reload Whonix-Gateway™ Firewall.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ProxyVM (commonly named sys-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Gateway, run. sudo whonix_firewall
Deactivate onion-grater[edit]
1. Stop onion-grater.
sudo service onion-grater stop
2. Disable autostart of onion-grater.
sudo systemctl mask onion-grater
3. Reboot.
4. Check if onion-grater is still running or disabled.
ps aux | grep onion-grater
If output similar to the following appears, then disabling did not work.
onion-g+ 911 3.2 1.9 66444 20644 ? Ss 12:21 0:00 /usr/bin/python3 -u /usr/lib/onion-grater --debug --listen-interface eth1
Deactivate whonixcheck onion-grater Running Test[edit]
1. Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
sudoedit /etc/systemcheck.d/50_user.conf
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /etc/systemcheck.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/systemcheck.d/50_user.conf
2. Add the following content.
systemcheck_skip_functions+=" check_control_port_filter_running "
3. Save the file.
Whonix-Workstation™[edit]
Deactivate whonixcheck Tor Bootstrap Test[edit]
Because it relies on onion-grater.
1. Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
sudoedit /etc/systemcheck.d/50_user.conf
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /etc/systemcheck.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /etc/systemcheck.d/50_user.conf
2. Add the following content.
systemcheck_skip_functions+=" check_tor_bootstrap "
3. Save the file.
Deactivate sdwdate Connectivity Test[edit]
Whonix-Workstation only.
1. Open file /usr/lib/helper-scripts/te_pe_tb_check in an editor with root rights.
Non-Qubes-Whonix™
This box uses sudoedit for better security.
sudoedit /usr/lib/helper-scripts/te_pe_tb_check
Qubes-Whonix™
NOTES:
- When using Qubes-Whonix, this needs to be done inside the Template.
sudoedit /usr/lib/helper-scripts/te_pe_tb_check
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Qubes-Whonix™.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /usr/lib/helper-scripts/te_pe_tb_check
2. Replace the existing content with the following text.
#!/bin/bash exit 0
3. Save the file.
4. Restart sdwdate.
sudo systemctl restart sdwdate
The procedure is complete.
Be aware that this setting will not persist after any upgrade of sdwdate, nor is sdwdate currently configurable. [1]
Tor Browser Updater[edit]
In order to update Tor Browser using Tor Browser Updater by Whonix developers while onion-grater is disabled, complete the following step. [2]
update-torbrowser --no-tor-con-check
Or create a file /etc/torbrowser.d/50_user.conf with the following content.
TB_NO_TOR_CON_CHECK="1"
Static VirtualBox IP[edit]
Instead of using DHCP to obtain the internal IP address for the Whonix-Workstation eth0 NAT adapter, a static IP can be used instead. This might marginally improve security because the DHCP package can then be removed.
Open /etc/network/interfaces.d/30_non-qubes-whonix on GitHub and read the comments. Then, comment out DHCP and comment in Static VirtualBox IP.
Footnotes[edit]
- ↑ Any Whonix users interested in further development should create a relevant ticket on Whonix Forums.
- ↑ It is far simpler to update using Tor Browser's internal updater instead.
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!