September 12, 2019
In this post, we install Whonix 15 on a Linux computer using VirtualBox for virtualization. Our examples are all for a recent version of Debian or Ubuntu, but you can easily adapt them for other Linux distros.
For a general discussion of security for political activists, see https://program-think.blogspot.com/2019/01/Security-Guide-for-Political-Activists.html. If necessary, use https://translate.google.com to translate into your own language.
Before you begin, you will need a host computer running a Linux distribution. If you have a host computer running Windows and you want to completely replace Windows with Linux, you can refer to the posts https://arcdetri.github.io/install-ubuntu-18-04.html or https://arcdetri.github.io/install-debian-10-xfce.html.
If you are behind the GFW, you will also need the configuration details of a ShadowsocksR server. You can either use a friend's SSR server, or you can set up one yourself. Some instructions for creating an SSR server on a VPS are given in the post https://arcdetri.github.io/shadowsocksr-ssr-on-ubuntu.html.
Before you go any further, update your existing software packages on your host computer. Open a terminal emulator and issue the commands:
sudo apt update
sudo apt upgrade
The GFW blocks Tor and all public bridges. If you are behind the GFW, you can obfuscate your use of Tor using ShadowsocksR. The instructions for installing the SSR client on Linux are given in the post https://arcdetri.github.io/shadowsocksr-ssr-on-ubuntu.html. The process is similar for both Debian and Ubuntu. Here is a short summary of the necessary commands. For comments on the purpose of these commands, see the post just linked to.
sudo apt install wget zip unzip python-m2crypto libsodium23
cd ~/Downloads
wget https://github.com/shadowsocksrr/shadowsocksr/archive/manyuser.zip
unzip manyuser.zip
mv shadowsocksr-manyuser shadowsocksr
sudo vi /etc/shadowsocks.json
Edit the configuration JSON file to match the parameters required by your server. When you have done so, write the file to disk and quit the editor. You can then start the SSR client daemon running:
cd shadowsocksr/shadowsocks
sudo python local.py -c /etc/shadowsocks.json -d start
Once the SSR client is running and listening on localhost port 1080, configure Firefox to proxy traffic to localhost port 1080. Again, there are more details of how to do this on the post just linked to.
Install the prerequisites for VirtualBox and the Linux kernel headers for your distro with the command:
sudo apt install gcc make perl linux-headers-$(uname -r)
Now open Firefox and download VirtualBox for your Linux distro from https://www.virtualbox.org/wiki/Linux_Downloads. Currently the download for recent Ubuntu and Debian distros is named virtualbox-6.0_6.0.12-133076~Ubuntu~bionic_amd64.deb. It is about 100 MB.
Also download the SHA256 checksums file from that same page. Look for the line giving the expected SHA256 checksum for your distro. In our example, that would be the line:
2258c9966a4f73fa6402c42babaab4a22f217aeb013d57186f7d878776b0bcbe *virtualbox-6.0_6.0.12-133076~Ubuntu~bionic_amd64.deb
Open a terminal emulator and issue the commands:
cd ~/Downloads
sha256sum virtualbox-6.0_6.0.12-133076~Ubuntu~bionic_amd64.deb
You should see a result that matches the stated value. For example:
2258c9966a4f73fa6402c42babaab4a22f217aeb013d57186f7d878776b0bcbe
Once you have verified the VirtualBox download, install VirtualBox with the command:
sudo dpkg -i virtualbox-6.0_6.0.12-133076~Ubuntu~bionic_amd64.deb
You likely have dependency problems that result in errors. Resolve them with the command:
sudo apt install -f
Add your user to the vboxusers group:
sudo usermod -a -G vboxusers yourusername
replacing yourusername with your actual user name.
In Firefox, visit https://www.virtualbox.org/wiki/Downloads and download the VirtualBox Extension Pack.
It has a name that looks like Oracle_VM_VirtualBox_Extension_Pack-6.0.12.vbox-extpack. It is currently about 22 MB.
Launch Oracle VM VirtualBox. Go to File > Preferences > Extensions. Add your downloaded VirtualBox extension pack. Click Install. Read the license agreement, and click I Agree. Enter your password and click Authenticate. Click OK to close the Preferences window.
Whonix 15 introduces unified ova downloads. Rather than separate Whonix-Gateway ™ and Whonix-Workstation ™ ova downloads, there is now only a single Whonix ova, which includes both Whonix virtual machines (VMs): Whonix-Gateway and Whonix-Workstation.
To download the Whonix virtual appliance, open Firefox and visit https://www.whonix.org/wiki/VirtualBox/XFCE.
Download the virtual appliance. This is currently named Whonix-XFCE-15.0.0.4.9.ova. It is about 1.6 GB.
Also download the OpenPGP signature for the virtual appliance, which is currently Whonix-XFCE-15.0.0.4.9.ova.asc. This is just 1 kB.
Download the Whonix signing key (i.e. Patrick Schleizer's OpenPGP public key) from the page at https://www.whonix.org/wiki/Patrick_Schleizer and save it as ~/Downloads/patrick.asc. This is 61 kB.
Check the fingerprint before you do the actual import. Open a terminal emulator and issue the commands::
cd ~/Downloads
gpg --keyid-format long --import --import-options show-only --with-fingerprint patrick.asc
Verify the output. The output should look like the following:
pub rsa4096/8D66066A2EEACCDA 2014-01-16 [SC] [expires: 2021-04-17]
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
uid Patrick Schleizer <adrelanos@riseup.net>
sub rsa4096/3B1E6942CE998547 2014-01-16 [E] [expires: 2021-04-17]
sub rsa4096/10FDAC53119B3FD6 2014-01-16 [A] [expires: 2021-04-17]
sub rsa4096/CB8D50BB77BB3C48 2014-01-16 [S] [expires: 2021-04-17]
Once you have verified the fingerprint, import the signing key:
gpg --import patrick.asc
The output should confirm that 1 key was processed and 1 key was imported.
Start the cryptographic verification of the Whonix virtual appliance. It can take several minutes.
gpg --verify-options show-notations --verify Whonix-XFCE-15.0.0.4.9.ova.asc Whonix-XFCE-15.0.0.4.9.ova
If the virtual appliance download is valid, the output will tell you that you have a Good signature.
It is normal to see messages:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
If you have any doubts about the validity of the virtual appliance, consult the full instructions at https://www.whonix.org/wiki/VirtualBox/Verify_the_virtual_machine_images_using_the_command_line.
Launch Oracle VM VirtualBox on your host. Click File, then choose Import Appliance.
Locate and select the Whonix image (Whonix-XFCE-15.0.0.4.9.ova in our example). Click Next.
Do not change any of the default options. Just click Import.
When you see the software license agreement, click Agree.
Wait until Whonix-XFCE-15.0.0.4.9.ova has been imported. This can take several minutes.
In VirtualBox, select the virtual machine for Whonix-Gateway-XFCE. Click the Start button. Wait while the virtual machine starts up.
Read and then dismiss the notifications.
When you come to information screen 1/2, read it, select the radio button for Understood / Verstanden, and click Next. Again with page 2/2, read it, select the radio button for Understood / Verstanden, and click Next. Click Finish.
If you are not behind a restrictive firewall, you can connect directly. Select the radio button Connnect, and click Next.
If you are behind the GFW, you must proxy Tor through SSR.
Instead of connecting immediately, select the radio button Configure, and click Next.
Leave the checkbox for Tor bridges unchecked, and click Next.
Check the box for local proxy configuration.
10.0.2.2.1080.The effect of using this control panel is to add a line to /usr/local/etc/torrc.d/40_tor_control_panel.conf:
Socks5Proxy 10.0.2.2:1080
Click Next.
Click Next again.
Tor bootstrapping happens. You should see messages "Tor bootstrapping done" and "Bootstrap phase: Connected to the Tor network!"
Click Finish.
Leave the gateway machine running.
In VirtualBox, select the virtual machine for Whonix-Workstation-XFCE. Click the Start button.
The workstation VM is where you will do all your work. Wait while it start.
Read and then dismiss the notifications.
When you come to information screen 1/2, read it, select the radio button for Understood / Verstanden, and click Next. Again with page 2/2, read it, select the radio button for Understood / Verstanden, and click Next. Click Finish.
Wait a few minutes for the workstation to carry out its checks in the background.
Check end-to-end connectivity by opening the Web Browser (Tor Browser AnonDist). The first time you do this, there is some information to read about safe browsing and disabling of JavaScript. Click Yes or No according to your requirements.
In the Tor Browser, visit:You should see a message: "Congratulations. This browser is configured to use Tor."
To end your Whonix session, shut down the Whonix-Workstation first.
Shut down the Whonix-Gateway second.
Then close VirtualBox.
If you have been using ShadowsocksR on the host, open a terminal emulator on the host and issue the commands:
cd ~/Downloads/shadowsocksr/shadowsocks
sudo python local.py -d stop
Also undo your proxy settings in Firefox.