The Whonix Alternative

Surfing the Web Safely and Anonymously

Experimenting with the Whonix Anonymous Operating System

As you know, I think about Internet privacy a lot, especially as government officials push more and more to weaken the encryption standards the Internet relies on for information security.  I firmly believe that all people should be free to surf the net without fearing that they are being tracked and spied upon by governments or corporations.  Privacy is a human right.  When I want to surf privately I use Tor and on occasion Tails.  However, I’ve been looking for something somewhere between the convenience of the Tor browser bundle and the security offered by the Tails live system.  My search has led me to experiment with the Whonix Anonymous Operating System.  It is a free OS that runs on VirtualBox among other platforms.  I’m running it on an Ubuntu machine with 16 GB of RAM. With 16 GB of RAM my virtual machines run great for normal use (I’m not a gamer).  The thing that makes Whonix a little better than the Tor browser bundle alone is that it runs within a virtual machine, thus offering an additional level of protection against viruses, trojans, and other malware.

It is based on the Debian Linux distribution and is designed to force all your Internet traffic through the Tor network.  The system comes in two parts: a Whonix-Gateway and a Whonix-Workstation. I chose to install them as virtual machines using VirtualBox. If you are familiar with VirtualBox the installation should be very easy – just follow the directions on the Whonix website.  The Gateway connects to the Tor network via your Internet connection.  The Workstation is where you do your computing, web surfing, etc. All Internet connections from the Workstation are forced through the Gateway and Tor. They refer to this as “security by isolation.” The developers claim this makes it impossible to suffer DNS leaks or have your true IP address slip out. In short, no connection to the Internet is possible unless it is routed through the Gateway.  I like it because I can minimize VirtualBox and leave it running while working off my regular Ubuntu desktop. When I’m ready to do some anonymous web browsing I simply bring up the Workstation session and surf away.  No need to reboot into a live system.  The Whonix developers have extensive documentation on their website so setup is easy. It also checks automatically for the latest updates and instructs you on how to update your system; usually just running “sudo apt-get update && sudo apt-get dist-upgrade” is sufficient.

Advantages of the Whonix OS

The biggest advantage of this system is that it can force all traffic through the Tor network.  It makes it nearly impossible to screw up with your Workstation settings thereby leaking your real IP address.  If you want to use Flash you can without worrying that it will leak your real IP.  The list of features is long, but I’ll mention a few – it is built using free software, Adobe Flash can be used if you so choose, IRC is supported, email, anonymous chat, IP/DNS leak protection, Java, Javascript, GPA, a password manager, text editors, VLC media player and TorChat.  Whonix sets the time zone to UTC which is probably different from your host system’s time zone.  It is flexible enough that other operating systems can be used with the Gateway.  In addition you can install additional software packages to meet your needs.  If you run a VPN on your host system you can even hide the fact that you are using Tor, as the Gateway goes through the VPN to connect to Tor.

I thought I would take the developers up on their claim that Whonix is compatible with other operating systems. I thought it would be awesome to have the power of Kali Linux piped completely through Tor (evil grin). So, I downloaded Kali Linux into VirtualBox. Here is what I did next:

1. Before starting the Kali virtual machine set Adapter 1 to “Internal Network” “Whonix.”

2. Boot the Kali VM

3. At this point edit the /etc/network/interfaces file inside the Kali VM. Add the following lines:

# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
    address 10.152.152.11
    netmask 255.255.192.0
    broadcast 10.152.191.255
    gateway 10.152.152.10

In the /etc/resolv.conf file replace the contents with:

nameserver 10.152.152.10

Then exit the file and from within Kali’s terminal type:

sudo ifdown eth0

sudo ifup eth0

If these commands say eth0 is not configured, then run “ifup eth0”.

That is all it took. If you have trouble with this do what I did – cheat.  Install the Whonix Workstation, go to the interfaces file, and make note of the settings.
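
A consistency check for the two files edited above, as an added example that is not part of the original post: it confirms that the static stanza's gateway and broadcast fit the address and netmask, that no DHCP stanza remains for eth0, and that resolv.conf lists only the Gateway. The function name and the embedded sample text are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the files as edited in the steps above.
INTERFACES = """\
# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
    address 10.152.152.11
    netmask 255.255.192.0
    broadcast 10.152.191.255
    gateway 10.152.152.10
"""
RESOLV_CONF = "nameserver 10.152.152.10\n"


def audit(interfaces, resolv_conf, ifname="eth0"):
    """Return a list of problems; an empty list means the files agree."""
    problems, opts, inside = [], {}, False
    for raw in interfaces.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments
        if not words:
            continue
        if words[0] == "iface":
            inside = words[1:4] == [ifname, "inet", "static"]
            if words[1:2] == [ifname] and not inside:
                problems.append("non-static stanza: " + " ".join(words))
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            inside = False
        elif inside and len(words) >= 2:
            opts[words[0]] = words[1]
    missing = [k for k in ("address", "netmask", "gateway") if k not in opts]
    if missing:
        return problems + ["missing option(s): " + ", ".join(missing)]
    iface = ipaddress.ip_interface(opts["address"] + "/" + opts["netmask"])
    gateway = ipaddress.ip_address(opts["gateway"])
    if gateway not in iface.network:
        problems.append(f"gateway {gateway} is outside {iface.network}")
    bcast = opts.get("broadcast")
    if bcast and ipaddress.ip_address(bcast) != iface.network.broadcast_address:
        problems.append(f"broadcast {bcast} does not match {iface.network}")
    # resolv.conf must list only the gateway, as in the step above.
    servers = [l.split()[1] for l in resolv_conf.splitlines()
               if l.split()[:1] == ["nameserver"] and len(l.split()) > 1]
    if not servers:
        problems.append("no nameserver configured")
    for s in servers:
        if ipaddress.ip_address(s) != gateway:
            problems.append(f"nameserver {s} is not the gateway {gateway}")
    return problems
```

On the Kali VM, pass the real contents of /etc/network/interfaces and /etc/resolv.conf to audit() in place of the embedded samples.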

After experimenting with the Kali OS I decided to try and run a Tor hidden service.  I’m not very technical, but even I was able to get a hidden web page up and running.  This was a great learning experience.  Tor hidden services are only accessible using Tor.  Tor hidden services make it possible for people to host web sites whose location remains hidden.  A Tor user can connect to the hidden service and neither party knows the real IP address of the other.  Whonix can provide any TCP based service – web server, IRC, etc. The steps to create a hidden service in the Whonix-Workstation are described in detail on their website.

The basic steps I followed are as follows:

1. On the Whonix-Gateway open the /etc/tor/torrc file

sudo nano /etc/tor/torrc

2. Add two lines:

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 80 10.152.152.11:80

These two lines set where the hidden service files will be stored and configure the virtual port, along with the IP address and port of the Whonix-Workstation, which hosts the server software that will handle the incoming hidden service connections.

3. Save and restart Tor.

4. Run sudo cat /var/lib/tor/hidden_service/hostname to get your new hidden URL.

5. Back up your hidden service private key. It can be found at /var/lib/tor/hidden_service/private_key

6. On the Whonix-Workstation install the server software. The Whonix website provides instructions for installing lighttpd as your server.

After step six you can begin setting up your web page or other hidden service.  The nice thing about this method of hosting your hidden service is that even if someone hacks your Workstation server software they won’t get very far because the private key is stored on the Gateway.  You can clean up the Workstation and start again. For me this was largely an experiment and learning exercise.  But I must admit, it is fun to watch your first hidden service go online.
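
A check of the torrc lines from step 2, as an added example that is not part of the original post or of Whonix: it confirms that each HiddenServicePort target is a Workstation address on the internal network rather than the Gateway itself, which is what keeps the server software away from the private key. The network 10.152.128.0/18 is derived from the address and netmask given earlier; the function names and verdict strings are constructed for illustration.

```python
import ipaddress

# Assumed from the page's Workstation settings: 10.152.152.11 with netmask
# 255.255.192.0 is the network 10.152.128.0/18; the Gateway is 10.152.152.10.
INTERNAL_NET = ipaddress.ip_network("10.152.128.0/18")
GATEWAY_IP = ipaddress.ip_address("10.152.152.10")

# Constructed sample: the two lines added in step 2.
TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
"""


def classify_target(args):
    """Classify the arguments of one HiddenServicePort line."""
    if not args:
        return "missing virtual port"
    # With no target, Tor maps the virtual port to the same port on 127.0.0.1.
    target = args[1] if len(args) > 1 else "127.0.0.1:" + args[0]
    if target.startswith("unix:") or target.isdigit():
        return "served from the Gateway"          # socket or bare local port
    host = target.rpartition(":")[0] or target    # addr:port or bare addr
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "unparsed target " + target
    if addr.is_loopback or addr == GATEWAY_IP:
        return "served from the Gateway"
    if addr not in INTERNAL_NET:
        return "outside the internal network"
    return "ok"


def audit_torrc(torrc):
    """Return (line number, service dir, verdict) per HiddenServicePort line."""
    results, service_dir = [], None
    for number, raw in enumerate(torrc.splitlines(), 1):
        words = raw.split("#", 1)[0].split()      # drop comments
        if not words:
            continue
        if words[0].lower() == "hiddenservicedir" and len(words) > 1:
            service_dir = words[1]
        elif words[0].lower() == "hiddenserviceport":
            verdict = classify_target(words[1:]) if service_dir else "no HiddenServiceDir"
            results.append((number, service_dir, verdict))
    return results
```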

Disadvantages

Whonix does have its limitations. It does not hide the fact that you are using Tor.  An exit node can still eavesdrop on your communications.  Thus, man-in-the-middle attacks can still occur.

Whonix does not encrypt your documents by default and if you want to encrypt the hard disk that needs to be done on the host machine itself.  This points to what may be the biggest disadvantage of the system.  It is not “amnesic.” Meaning, it is not run from a Live CD and will leave traces on your hard drive.  It does not wipe your RAM on shutdown. Any files you want to get rid of need to be securely wiped.  Whonix writes to the disk like a regular operating system.  It will leave traces of deleted files, temp files, backup files, browser history, and swap space data.  About all you can really do to remedy this is to encrypt the host machine.  When it comes to working with super sensitive data one should probably use an encrypted flash/external drive and the Tails OS.  It does not clear your metadata automatically.  It does, however, come with MAT (the Metadata Anonymisation Toolkit).  If someone does manage to successfully exploit the VM and break out into your host system it is pretty much game over at that point – so be careful. One other factor that frustrates me is that I cannot seem to use a USB flash drive with Whonix.  The developers don’t support USB connections for security reasons. This makes file transfer cumbersome.  Well, no system is perfect and the Whonix OS is no exception. Sometimes we have to compromise and make sacrifices in order to maintain security.  USB is one such instance.  There is good documentation on their website about vulnerabilities, file transfers, and other important features.  So you should take the time to read everything carefully.  Again, I like it as a compromise between running the Tor browser off my host machine and rebooting into Tails.  Your situation may be different.

Conclusion

The Whonix Anonymous OS is a great way to advance anonymity and privacy on the Internet. In my view the advantages of the system outweigh the disadvantages.  The OS is not perfect and the developers tell you that up front.  However, if used wisely it provides a much needed layer of security.

As with any VM, if the Whonix-Workstation becomes corrupted you can trash it without harming your host system.  The instructions on how to set up and use the Whonix-Gateway and Workstation are well documented so I won’t repeat them here. You will want to check out their site in any case to keep current with all the system updates and news. Using open source projects like Tails, Tor, and Whonix is a way each of us can make an impact in the real world fight for privacy and anonymity.  In addition, I would encourage people to make a small donation to these groups so they can keep doing their important work.  Each download and install of privacy software is a vote to protect our fundamental rights.  Now is the time to make a stand so these rights don’t slip away little by little. Now, go surf the web anonymously!

Check them out at:

https://www.whonix.org/

https://www.whonix.org/wiki/VirtualBox#Install

https://www.whonix.org/wiki/Authorship