Surfing the Web Safely and Anonymously: Experimenting with Whonix Anonymous Operating System

by Jim L

I've been thinking about Internet privacy a lot lately.  Especially as government officials push more and more to weaken the encryption standards the Internet relies on for information security.  I do use Tor and on occasion Tails.  However, I've been looking for something somewhere between the convenience of the Tor browser bundle and the security offered by the Tails live system.

My search has led me to experiment with the Whonix Anonymous Operating System.  It is a free OS that runs on VirtualBox among other platforms.  I'm running it on an Ubuntu machine with 16 GB of RAM.  With 16 GB of RAM my virtual machines run great for normal use (I'm not a gamer).  The thing that makes Whonix a little better than the Tor browser bundle alone is that it runs within a Virtual Machine (VM), thus offering an additional level of protection against viruses, Trojans, and other malware.

It is based on the Debian Linux distribution and is designed to force all your Internet traffic through the Tor network.  The system comes in two parts: a Whonix Gateway and a Whonix Workstation.  I chose to install them as virtual machines using VirtualBox.

If you are familiar with VirtualBox, the installation should be very easy - just follow the directions on the Whonix website.  The Gateway connects to the Tor network via your Internet connection.  The Workstation is where you do your computing, web surfing, etc.  All Internet connections from the Workstation are forced through the Gateway and Tor.  They refer to this as "security by isolation."  The developers claim this makes it impossible to suffer DNS leaks or have your true IP address slip out.  In short, no connection to the Internet is possible unless it is routed through the Gateway.  I like it because I can minimize VirtualBox and leave it running while working off my regular Ubuntu desktop.

When I'm ready to do some anonymous web browsing I simply bring up the Workstation session and surf away.  No need to reboot into a live system.  The Whonix developers have extensive documentation on their website so setup is easy.  It also checks automatically for the latest updates and instructs you on how to update your system; usually just running sudo apt-get update && sudo apt-get dist-upgrade is sufficient.

Advantages of the Whonix OS

The biggest advantage of this system is that it can force all traffic through the Tor network.  It makes it nearly impossible to screw up your Workstation settings and leak your real IP address.  If you want to use Flash, you can without worrying that it will leak your real IP.  The list of features is long, but I'll mention a few.  Adobe Flash can be used if you so choose, IRC is supported, email, anonymous chat, IP/DNS leak protection, Java, JavaScript, GNU Privacy Assistant, a password manager, text editors, VLC media player, and TorChat.

Whonix sets the time zone to UTC, which is probably different from your host system's time zone.  It is flexible enough that other operating systems can be used with the Gateway.  Also, you can install additional software packages to meet your needs.  If you run a VPN on your host system, you can even hide the fact that you are using Tor, as the Gateway goes through the VPN to connect to Tor.

I thought I would take the developers up on their claim that Whonix is compatible with other operating systems.  I thought it would be awesome to have the power of Kali Linux piped completely through Tor (evil grin).

So, I downloaded Kali Linux into VirtualBox.  Here are the necessary steps:

1.)  Before starting the Kali virtual machine, set Adapter 1 to "Internal Network" with the network name "Whonix" (the same internal network the Gateway uses).

2.)  Boot the Kali virtual machine.

At this point, edit the /etc/network/interfaces file inside of Kali VM.  Add the following lines:

# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 10.152.152.11
netmask 255.255.192.0
broadcast 10.152.191.255
gateway 10.152.152.10

In the /etc/resolv.conf file replace the contents with:

nameserver 10.152.152.10

Then exit the file and from within Kali's terminal type:

sudo ifdown eth0
sudo ifup eth0

If these commands report that eth0 is not configured, run ifup eth0 on its own.

That is all it took.  If you have trouble with this, do what I did: cheat.  Install the Whonix Workstation and go to the Interfaces file and make note of the settings.
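Since the whole point of this setup is that the Workstation (or Kali) has no path to the Internet except through the Gateway, it is worth checking the two files above before trusting them.  The following script is an added example (not from the article or the Whonix project): it parses an interfaces stanza and resolv.conf, recomputes the subnet and broadcast from the netmask, and flags anything that does not point at the Gateway address 10.152.152.10.  The sample inputs are constructed from the settings given above.

```python
import ipaddress

# Constructed sample: the /etc/network/interfaces stanza from the article.
INTERFACES_SAMPLE = """\
# The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 10.152.152.11
netmask 255.255.192.0
broadcast 10.152.191.255
gateway 10.152.152.10
"""

# Constructed sample: the /etc/resolv.conf contents from the article.
RESOLV_SAMPLE = "nameserver 10.152.152.10\n"

GATEWAY_IP = "10.152.152.10"  # Whonix Gateway address on the internal network


def parse_stanza(text):
    """Return the settings of the active (uncommented) eth0 stanza as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # commented-out lines are inactive
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            settings["method"] = parts[3]      # "static" or "dhcp"
        elif parts[0] in ("address", "netmask", "broadcast", "gateway"):
            settings[parts[0]] = parts[1]
    return settings


def check_gateway_only(interfaces_text, resolv_text, gateway=GATEWAY_IP):
    """Return a list of problems; an empty list means all paths lead to the Gateway."""
    s = parse_stanza(interfaces_text)
    problems = []
    if s.get("method") != "static":
        problems.append("eth0 is not static; DHCP would take whatever gateway/DNS it is offered")
    if s.get("gateway") != gateway:
        problems.append(f"default gateway is {s.get('gateway')}, expected {gateway}")
    if "address" in s and "netmask" in s:
        net = ipaddress.IPv4Network(f"{s['address']}/{s['netmask']}", strict=False)
        if ipaddress.IPv4Address(gateway) not in net:
            problems.append(f"gateway {gateway} is outside the configured subnet {net}")
        if s.get("broadcast") != str(net.broadcast_address):
            problems.append(f"broadcast {s.get('broadcast')} should be {net.broadcast_address}")
    servers = [l.split()[1] for l in resolv_text.splitlines() if l.startswith("nameserver")]
    if servers != [gateway]:
        problems.append(f"nameservers {servers} must be exactly [{gateway}] or DNS can leak")
    return problems
```

Run it against the files inside the Kali VM (e.g. `check_gateway_only(open('/etc/network/interfaces').read(), open('/etc/resolv.conf').read())`) and expect an empty list.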

After experimenting with the Kali OS, I decided to try and run a Tor hidden service.  I'm not very technical, but even I was able to get a hidden web page up and running.  Tor hidden services are only accessible using Tor.  Tor hidden services make it possible for people to host websites whose location remains hidden.  A Tor user can connect to the hidden service and neither party knows the real IP address of the other.  Whonix can provide any TCP-based service - web server, IRC, etc.  The steps to create a hidden service in the Whonix Workstation are described in detail on their website.

The basic steps are as follows:

1.)  On the Whonix Gateway open the /etc/tor/torrc file:

# nano
$ sudo nano /etc/tor/torrc

# vim
$ sudo vim /etc/tor/torrc

2.)  Look for the following lines.  You need to uncomment (or add) these lines and update them accordingly:

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:[PORT]

# Where PORT is the port number on which your application is accessible on the localhost.
# Example: HiddenServicePort 80 127.0.0.1:80
# The first 80 is the port that you expect traffic to come IN on.
# The second 80 is the port that your web server is using.

These two lines set where the hidden service's files (hostname and private key) will be stored on the Gateway, and configure the virtual port together with the IP address and port of the Whonix Workstation that hosts the server software handling the incoming hidden service connections.

3.)  Save and restart Tor.

4.)  Run:

$ sudo cat /var/lib/tor/hidden_service/hostname

to get your new hidden URL.

5.)  Back up your hidden service private key.  It can be found at: /var/lib/tor/hidden_service/private_key

6.)  On the Whonix Workstation, install the server software.  The Whonix website provides instructions for installing lighttpd as your server.

After Step 6, you can begin setting up your web page or other hidden service.
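A common mistake with this split setup is to copy the generic torrc example literally: on the Gateway, 127.0.0.1 is the Gateway itself, while the web server lives on the Workstation at 10.152.152.11, so the hidden service would publish nothing.  The following script is an added example (not from the article or Whonix): it parses the HiddenServiceDir/HiddenServicePort lines of a torrc and reports targets that do not point at the Workstation, or that still carry the [PORT] placeholder from Step 2.  The torrc excerpt is constructed from the article's own lines.

```python
# Constructed sample torrc excerpt, following the article's layout.
TORRC_SAMPLE = """\
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.152.152.11:80
"""

WORKSTATION_IP = "10.152.152.11"  # Whonix Workstation on the internal network


def parse_hidden_services(torrc_text):
    """Group each HiddenServicePort under the HiddenServiceDir that precedes it."""
    services = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            services.append({"dir": value, "ports": []})
        elif key == "HiddenServicePort":
            if not services:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virt, _, target = value.partition(" ")
            target = target.strip() or f"127.0.0.1:{virt}"  # Tor's default target
            host, _, port = target.rpartition(":")           # "8080" alone -> localhost
            services[-1]["ports"].append((int(virt), host or "127.0.0.1", port))
    return services


def check_gateway_torrc(torrc_text, workstation_ip=WORKSTATION_IP):
    """Return problems for a Gateway torrc; empty means every target is the Workstation."""
    problems = []
    for svc in parse_hidden_services(torrc_text):
        if not svc["ports"]:
            problems.append(f"{svc['dir']}: no HiddenServicePort line, nothing is published")
        for virt, host, port in svc["ports"]:
            if not port.isdigit():
                problems.append(f"{svc['dir']}: port {virt} still has placeholder target {host}:{port}")
            elif host != workstation_ip:
                problems.append(f"{svc['dir']}: port {virt} targets {host}:{port}; on the Gateway "
                                f"that is not the Workstation, use {workstation_ip}")
    return problems
```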

The nice thing about this method of hosting your hidden service is that even if someone hacks your Workstation server software, they won't get very far because the private key is stored on the Gateway.  You can clean up the Workstation and start again.  For me this was largely an experiment and learning exercise.  But I must admit, it is fun to watch your first hidden service go online.

Disadvantages

Whonix does have its limitations.

It does not hide the fact that you are using Tor.  An exit node can still eavesdrop on your communications.  Thus, "man-in-the-middle" attacks can still occur.

Whonix does not encrypt your documents by default and, if you want to encrypt the hard disk, that needs to be done on the host machine itself.  This points to what may be the biggest disadvantage of the system.  It is not "amnesic."  Meaning, it is not run from a Live CD and will leave traces on your hard drive.  It does not wipe your RAM on shutdown.  Any files you want to get rid of need to be securely wiped.

Whonix writes to the disk like a regular operating system.  It will leave traces of deleted files, temp files, backup files, browser history, and swap space data.  About all you can really do to remedy this is to encrypt the host machine.  When it comes to working with super sensitive data, one should probably use an encrypted flash/external drive and the Tails OS.  It does not clear your metadata automatically.  It does, however, come with MAT (the Metadata Anonymisation Toolkit).  If someone does manage to successfully exploit the VM and break out into your host system, it is pretty much "game over" at that point, so be careful.

One other factor that frustrates me is that I cannot seem to use a USB flash drive with Whonix.  The developers don't support USB connections for security reasons.  This makes file transfer cumbersome.  Well, no system is perfect and the Whonix OS is no exception.  Sometimes we have to compromise and make sacrifices in order to maintain security.  USB is one such instance.  There is good documentation on their website about vulnerabilities, file transfers, and other important features.  So you should take the time to read everything carefully.  Again, I like it as a compromise between running the Tor browser off my host machine and rebooting into Tails.  Your situation may be different.

Conclusion

The Whonix Anonymous OS is a great way to advance anonymity and privacy on the Internet.  In my view, the advantages of the system outweigh the disadvantages.  The OS is not perfect and the developers tell you that up front.  However, if used wisely, it provides a much needed layer of security.

As with any VM, if the Whonix Workstation becomes corrupted, you can trash it without harming your host system.

The instructions on how to set up and use the Whonix Gateway and Whonix Workstation are well documented, so I won't repeat them here.  You will want to check out their site in any case to keep current with all of the system updates and news.  Using open-source projects like Tails, Tor, and Whonix are a way each of us can make an impact in the real world fight for privacy and anonymity.

In addition, I would encourage people to make a small donation to these groups so they can keep doing their important work.  Each download and install of privacy software is a vote to protect our fundamental rights.  Now is the time to make a stand so these rights don't slip away little-by-little.

Now, go surf the web anonymously!

Check them out at:
