Tutorial: Bootable and Encrypted Whonix on 8GB USB Stick
This is a step-by-step tutorial explaining how to create a bootable USB stick with VirtualBox and encrypted Whonix.
If you've never used Linux before you should be able to complete the tutorial anyway, as every necessary step is mentioned.
With this system you have the portability of a persistent Tails with the additional security of Tor entry guards and virtual machines.
The tutorial also explains how to optionally tunnel Tor through an OpenVPN connection in ninja mode (cover traffic through torrents).
You can boot the USB stick on any modern computer with AMD or Intel processor, including Macs (if they support booting from USB sticks).
The host OS (Xubuntu) will not be encrypted, so make sure you don't use Xubuntu for storing sensitive data or browsing subversive websites.
Only use the encrypted Whonix virtual machines for that. Xubuntu will not hide that you were using TrueCrypt and VirtualBox with Whonix, so there is no plausible deniability.
Other kinds of Whonix installation can perform better than this one on a USB stick, but this is the most portable. You can also easily throw it away without leaving any traces on your main OS.
You must use a quality USB stick with decent speed. Cheap CNMemory USB sticks will most likely not always work reliably and will be annoyingly slow.
The Whonix installation process may fail or freeze a lot with low quality USB sticks.
However even if the installation to the USB stick freezes, the usability of the system may later be acceptable.
You could also use a USB hard drive.
The tutorial works with Whonix 0.5.6; it's uncertain whether it will work properly with a new Whonix version on an 8GB USB stick.
System requirements:
* Computer with modern AMD or Intel CPU (recommended: 64-bit with multiple cores)
* 4GB RAM
* 8GB quality USB stick (recommended: USB3, if your computer has USB3 ports)
Time needed: 3+ hours
Skill needed: being able to use a keyboard and mouse
CC-BY Bernd Liefert, 02.09.2013
Updated 08.09.2013
1. Downloads
CLEARNET WARNING!! Multiple sites are linked in this article and have not been verified by SR staff.
For this tutorial we use Xubuntu 12.04, because the size is smaller than Xubuntu 13.04.
You might as well use Lubuntu, but you shouldn't use anything else than Xubuntu or Lubuntu if you only have 4GB RAM and 8GB USB stick.
If you have a 64bit Intel or AMD CPU download this image:
http://se.archive.ubuntu.com/mirror/cdi ... -amd64.iso
If you have a 32bit CPU download this image:
http://se.archive.ubuntu.com/mirror/cdi ... p-i386.iso
If the above images are not available any longer, you can download the latest Xubuntu images from here:
http://se.archive.ubuntu.com/mirror/cdi ... 4/release/
Download UNetBootin for your OS, this tutorial will most likely not work with Pendrive Linux USB Installer.
UNetbootin - Homepage and Downloads
If you use Windows, download EaseUS Partition Master:
Free Partition Magic alternative. Best Free Partition Manager Freeware for Windows 2000/XP/Vista/7/8 32 bit & 64 bit - EaseUS Partition Master Free Edition.
Download the latest version of Whonix-Gateway.ova and Whonix-Workstation.ova:
https://www.whonix.org/wiki/Download
Note that if you download Whonix over the clearnet, some secret service may know that you downloaded it. That could be seen as suspicious. You may want to use a VPN, Tor or an internet cafe to download it.
https://www.whonix.org/wiki/Hide_Tor_an ... m_your_ISP
http://zo7fksnun4b4v4jv.onion/wiki/Hide ... m_your_ISP
2. Preparing the USB stick
First we need to partition the USB stick. You can do this with GParted under Linux or EaseUS Partition Master under Windows. If you use a Mac, find a partitioning tool which can deal with USB sticks.
We will delete the partition(s) on the USB stick and create 2 new partitions.
This part of the manual describes how to prepare the USB stick with EaseUS PM; it's not much different with other partition tools, however.
Select the partitions to delete (if you have one hard drive in your system you would have to select Disk 3 in EaseUS PM) and click the Delete button.
Now the entire space of the USB stick should display "Unallocated".
Click the "Apply" button to write the changes to the USB stick. All data on the USB stick will be lost after clicking the Apply button.
Select the Unallocated space on the USB stick and click the "Create" button.
Change "Logical" to "Primary" and change the file system to FAT32.
Change the size of the partition to about 1350MB and click OK. You can make it 2000MB if you use a 16GB USB stick, but that's not really necessary, unless you want to use Xubuntu for more than just starting TrueCrypt and VirtualBox.
Select the Unallocated space on the USB stick and click the "Create" button.
If there is a warning about Windows not recognizing stuff, click Yes.
The partition will use the rest of your USB stick, about 6300MB on an 8GB USB stick.
Give the new partition a descriptive label, e.g. Krypton.
Change "Logical" to "Primary", change the file system to NTFS and click OK.
Click the "Apply" button to write the changes to the USB stick. Close the partitioning program when done.
3. Using UNetBootin to install Xubuntu to the USB stick
Start UNetBootin and click the "..." button to select the Xubuntu*.iso you've downloaded.
Change the amount of persistent Ubuntu storage to 500MB. You can make it 1000MB if you use a 16GB USB stick, but that's not really necessary.
Make sure the right USB stick is selected, then click OK.
When the installation is done, you can reboot the computer and boot from the USB stick. It is assumed that you already know how to boot from USB. Use Google or ask in this thread if you don't.
4. Setting up Xubuntu
Boot from the USB stick and press Enter at UNetBootin boot menu to start Xubuntu.
4.1. (Optional) Change keyboard layout
If you're not from the USA you may have to change the keyboard layout.
Click the start button on the upper left on the Xubuntu desktop and go to
Settings -> Settings Manager -> Keyboard
Select the Layout tab and uncheck "Use system defaults".
Click the "Add" button, select your keyboard layout (optionally select a variant) and click OK.
Select "English(US)", click the "Delete" button and "Close".
4.2. Install VirtualBox
Click the start button on the upper left on the Xubuntu desktop and start Ubuntu Software Center.
In the search box enter "virtualbox".
Select the "VirtualBox" icon and click the now visible Install button.
When the installation is done, close the Ubuntu Software Center window and proceed to the next step.
4.3. Install TrueCrypt
Click the Xubuntu start button and start the Web Browser.
Go to TrueCrypt - Downloads and download the appropriate Linux version of TrueCrypt.
If you are using the amd64 version of Xubuntu, select the "Standard 64-bit" version, otherwise select the 32-bit version.
On the Xubuntu desktop, doubleclick the Home -> Downloads folder.
Click the truecrypt archive icon with the right mouse button and select Extract Here.
Doubleclick the truecrypt-*-setup icon, click Install TrueCrypt, agree with the license agreement and click OK.
Press Enter to exit when prompted.
Delete the files from the Downloads folder.
5. Setting up TrueCrypt
We are using TrueCrypt for encryption because it's easier to setup for Linux novices.
We are using a TrueCrypt container because this is easier to backup later.
To increase the performance during the installation you could create the TrueCrypt container on your hard drive instead, and copy it to the Krypton folder later.
Writing data (installing) to the USB stick is slower than reading data (booting, running programs).
You do need to know how much space is left in the Krypton folder however, so the TrueCrypt container won't be too large.
5.1. Creating the TrueCrypt container
Click the Xubuntu start button and start Accessories -> TrueCrypt.
Click "Create Volume" and click Next to create an encrypted file container.
Click Next to create a standard TrueCrypt volume.
Uncheck "Never save history" and click the Select File button.
On the right side of the window, select the Krypton folder, enter a name on the top of the window, e.g. kryptonite, and click Save.
Click Next to get to the encryption algorithm selection.
Select either AES-Twofish (fastest, double encryption), Serpent-AES (slower, stronger double encryption) or AES-Twofish-Serpent (slowest but triple encryption) as Encryption Algorithm.
Select Whirlpool as Hash Algorithm.
If you have a slow computer you may want to use AES and RIPEMD, but those can be cracked faster. Police won't be able to crack it in reasonable time, but the NSA may be able to.
Try the benchmark to see how fast they are on your computer. 100mb/s should be enough, as USB2 sticks are way slower than that anyway. So encryption is still faster than your USB stick.
Click Next and enter the size of the TrueCrypt volume to be created.
On an 8GB USB stick it should show about 6.2 GB available, enter 6200 (MB). If there is more space on your USB stick, make it larger.
Enter a strong password for the volume. The password should have more than 20 characters and numbers and the words shouldn't be found in a dictionary.
Click Next and select "I will store files larger than 4GB on the volume".
Click Next and select Linux Ext2 as filesystem type.
Click Next because we may want to mount the volume on another OS in future.
Move your mouse around randomly for 30 seconds over the TrueCrypt window, then click Format.
This can take a while, depending on the quality of your USB stick.
TrueCrypt may freeze when the format is done 100%. If it freezes for longer than a few minutes, simply reboot the system by clicking the
Xubuntu start button -> Log Out -> Restart
5.2. Mounting the TrueCrypt container
Start Accessories -> TrueCrypt again, if you had to reboot in the last step.
If you didn't have to reboot, click Dismount All in the TrueCrypt window.
Select Slot 1 in the TrueCrypt window and click the Select File button.
Select Krypton -> kryptonite and click Open.
Click the Mount button and enter the encryption password.
6. Setting up VirtualBox
Click the Xubuntu start button -> Accessories -> VirtualBox.
In the VirtualBox Manager, click File -> Preferences.
Click the Default Machine Folder selector and select Other...
On the right side of the window select the "truecrypt1" folder and click Open.
Click OK to close the VirtualBox Settings window.
6.1. Importing Whonix
In the VirtualBox Manager, click File -> Import Appliance.
Click Choose and find the Whonix-Gateway.ova file you've downloaded.
Click Next, in the next window click Import.
This can take a few minutes, depending on the quality of your USB stick. It shouldn't take more than 3-4 minutes.
In the VirtualBox Manager, click File -> Import Appliance.
Click Choose and find the Whonix-Workstation.ova file you've downloaded.
Click Next, in the next window click Import.
This can take 10+ minutes, depending on the quality of your USB stick. If it takes much longer than 10 minutes then your USB stick sucks.
6.2. Setting up Whonix
To increase the speed on multicore CPUs the virtual machine settings have to be changed.
In the VirtualBox Manager, select Whonix-Workstation and click the Settings button.
Go to System -> Processor and increase the number of Processors to the number of cores your CPU has.
Click OK to close the settings window, then increase the number of processors of the Whonix-Gateway in the same way.
It is not recommended to change any other virtual machine settings. E.g. don't increase the memory size.
6.2.1. Whonix Gateway
In the VirtualBox Manager, select Whonix-Gateway and click the Start arrow.
Click OK to dismiss any popup windows.
You should see a command prompt (user@host:~$) after the gateway is booted.
Wait 60 seconds until whonixcheck starts and tests the network connection.
You should see the messages "You are successfully using Tor" and "Checking for operating system updates...".
If instead there is an error message after 2 minutes, enter "whonixcheck" at the command prompt.
If you see an error message again you have to repeat this, until you are successfully using Tor and Whonix is checking for operating system updates.
The update check can take 10+ minutes to complete, depending on the current speed of the Tor circuit.
Wait until you see the "Last run .... of Network Time Synchronization..." message.
6.2.1.1. (Optional) Change keyboard layout
If you are not from the USA, you may have to change the keyboard layout.
At the command prompt enter
sudo dpkg-reconfigure console-data
You may have to use your numpads "-" key, depending on your keyboard.
Enter the password "changeme" when prompted.
Use the cursor keys to select "Select keymap from arch list" and press Enter.
Select the appropriate keyboard layout family for your country, then select the keyboard layout and a keyboard variant.
6.2.1.2. Update Whonix-Gateway software packages
At the command prompt enter
sudo apt-get update && sudo apt-get dist-upgrade
Enter the password "changeme" if prompted.
Enter "y" to continue the software update when prompted.
Updated packages will get downloaded now. This can take 10+ minutes, depending on the speed of the current Tor circuit.
When the downloads are finished you will probably get prompted about configuration file updates. Just press Enter when there are any questions.
When the installation process is finished and you see the command prompt (user@host:~$) again, proceed to the next step.
6.2.2. Whonix Workstation
In the VirtualBox Manager, select Whonix-Workstation and click the Start arrow.
Click OK to dismiss any popup windows.
When the Whonix desktop is booted you should see the whonixcheck time synchronization window.
You may want to wait 3+ minutes until the whonixcheck time synchronization window disappears, otherwise the desktop may be a little unresponsive.
The speed of this process depends on the quality of your USB stick and the current Tor circuit speed.
When the larger whonixcheck window appears, click OK to close it.
When the mouse pointer gets captured by the virtual machine you can uncapture it again by clicking the right CTRL key on the keyboard.
6.2.2.1. (Optional) Change keyboard layout
If you are not from the USA, you may have to change the keyboard layout.
Click the K(DE) start button on the lower left and select System Settings.
Click the Input Devices icon and select the Layouts tab.
Check "Configure layouts" and click the Add button.
Click the "Limit selection by language" selector and choose your language.
Click the "Layout" selector and choose your language.
Click OK to close the selection window, select "us English (US)" and click the Remove button.
Click the Apply button and close the keyboard settings window.
6.2.2.2. Update Whonix-Workstation software packages
Doubleclick the Konsole icon on the Whonix desktop and enter
sudo apt-get update && sudo apt-get dist-upgrade
Enter the password "changeme" when prompted and enter "y" when prompted to start the package downloads.
Updated packages will get downloaded now. This can take 45+ minutes, depending on the speed of the current Tor circuit.
When the downloads are finished you will probably get prompted about configuration file updates. Just press Enter when there are any questions.
When the installation process is finished (this can take 30+ minutes) and you see the command prompt (user@host:~$) again,
enter "sudo reboot" in the Konsole window to reboot the Whonix workstation.
6.2.2.3. (Optional) VirtualBox Guest Additions
To be able to use Whonix in full screen resolution or simply resize the virtual machine window we need to install the VirtualBox Guest Additions.
This will also stop the mouse pointer from getting captured by the virtual machine and enables you to turn on clipboard sharing (not recommended)
and shared folders (not recommended).
Note that the installation of the guest additions is not recommended by the Whonix developer.
Have a look at this page and the links to see why, do not follow the instructions on that page however:
http://zo7fksnun4b4v4jv.onion/wiki/Virt ... _Additions
or
https://www.whonix.org/wiki/VirtualBox_Guest_Additions
Those issues are probably negligible, and some users may find it a lot more convenient to be able to resize the Whonix desktop.
Click the Xubuntu start button and start the Ubuntu Software Center.
Enter "virtualbox-guest-additions" in the search box and select
"Transitional package for virtualbox-guest-additions-iso / virtualbox-guest-additions".
Click Install and close the Ubuntu Software Center window when the installation is complete.
In the Whonix-Workstation virtual machine window, select Devices -> Install Guest Additions.
On the Whonix desktop, doubleclick the Konsole icon.
Enter this line and enter your password when prompted:
sudo apt-get install build-essential linux-headers-$(uname -r)
Enter "y" and wait for the downloads and installation to be completed.
When you see the command prompt again, enter these case sensitive lines:
sudo mkdir /media/cdrom
sudo mount /dev/sr0 /media/cdrom
sudo /media/cdrom/VBoxLinuxAdditions.run
When this is done and you see the command prompt again, enter "sudo reboot" to reboot the Whonix virtual machine.
After rebooting Whonix-Workstation you should be able to resize the Whonix desktop and use full screen resolution and other guest addition features.
7. Finishing the installation and cleaning up
7.1. Update Tor Browser
On the Whonix desktop, doubleclick the Update Tor Browser icon.
Click Yes to start the update when prompted.
Note that using this method to update the Tor Browser will discard your old bookmarks. They will be backed up in the Home folder however.
7.2. (Optional, recommended) Install Xfce4
If you prefer the look and feel of the Xubuntu desktop over the Whonix (KDE) desktop you can install Xfce4 to make Whonix look more like Xubuntu.
This should also speed up boot up times a little.
Doubleclick the Konsole icon and enter these lines:
sudo apt-get install xfce4
sudo reboot
Enter your user password when prompted. Downloading and installation should take less than 10 minutes.
If you need to change your keyboard layout after rebooting, see step 4.1. for how to do it.
7.3. Cleaning up
On the Whonix desktop, doubleclick the Konsole icon and enter:
sudo rm /var/cache/apt/archives/*deb
Enter the password "changeme" when prompted.
Enter the same line in the Whonix-Gateway window.
Click the Xubuntu start button, start Accessories -> Terminal Emulator and enter the same line.
7.4. Change passwords
This doesn't really add much security, but it is recommended that you change the default password in both Whonix-Workstation and Whonix-Gateway.
On the Whonix desktop, start Konsole and enter "passwd".
Enter the current password ("changeme"), then enter the new password two times. The password doesn't need to be overly strong.
This is the user password.
Enter "sudo su" and enter the password.
Again, enter "passwd" and enter the new password two times. You can use the same password as before, as this doesn't add much security.
This is the root (admin) password.
On the Whonix gateway, enter "passwd".
Enter the current password ("changeme"), then enter the new password two times. You can use the same password you used on the Whonix workstation.
Enter "sudo su" and enter the password.
Again, enter "passwd" and enter the new password two times.
7.5. Create a PGP key
Click the KGpg icon on the Whonix desktop.
Click the small arrow on the right side of the Whonix task bar and select KGpg.
In the KGpg window, select Keys -> Generate Key Pair
Enter a fake name and fake email address.
Set key size to 4096 and click OK.
Enter a strong password (20+ characters) and click OK.
Click OK when the key generation is finished.
7.6 Disable automatic updates
We don't need automatic Xubuntu updates on a persistent live system with only little space left.
Click the Xubuntu start button -> Ubuntu Software Center
In Edit -> Software Sources, select the Updates tab and set Automatically check for updates to Never.
Close the Software Sources window and the Ubuntu Software Center.
7.7. Backup the TrueCrypt container
Shutdown both Whonix virtual machines.
On the Whonix desktop, click the KDE start button and select Leave -> Shutdown. Click Turn Off Computer and OK.
On the Whonix gateway, enter "sudo halt" and enter the user password when prompted.
On the Xubuntu desktop, open the Krypton folder, click the kryptonite file with the right mouse button and select Copy.
Select a destination from the panel on the right side, e.g. another USB stick, click the folder display on the right side with the right mouse button and select Paste.
If the USB stick ever breaks, simply repeat steps 1-4 to create a new persistent Xubuntu with VirtualBox and TrueCrypt. Instead of creating a new TrueCrypt
container, copy the kryptonite file to the Krypton folder and mount it in TrueCrypt. That way you can create copies of the bootable USB stick within less than 15 minutes.
8. Tor configuration
These steps are not really necessary for Tor to function properly in most cases. It will already use entry guards, one of the main advantages over Tails.
You can skip steps 8.* if you don't want to use specific fast entry nodes or bridges and you don't want to block relays in certain countries from becoming the exit node.
Selecting public entry guards in your own country (step 8.2.1.) is recommended, if you don't need to hide that you are using Tor.
Not hiding that you are using Tor is to be preferred over not hiding it properly. If you try to hide using Tor and don't do it properly, then this will just make you more suspicious.
8.1. Common Tor configuration
In the Whonix-Gateway window, enter this line at the command prompt:
sudo nano /etc/tor/torrc
Press enter and enter your Whonix-Gateway user password when prompted.
Scroll down to the bottom of the text by using the cursor keys or the Page Down key on your keyboard and enter these lines:
AvoidDiskWrites 1
ClientOnly 1
StrictNodes 1
Press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
8.2. Optional Tor configuration (entry nodes, bridges, blocking exit nodes)
To be able to copy+paste something into the Whonix-Gateway it's necessary to use SSH. You probably don't want to type fingerprints or list of bridges by hand.
Shutdown the Whonix-Gateway by entering "sudo halt".
Select Whonix-Gateway in the VirtualBox manager and click it with the right mousebutton.
Select Settings and click Network and Advanced.
Click the Port Forwarding button and click "+" (Insert new rule)
Enter these values by doubleclicking the empty fields:
Host IP: 127.0.0.1
Host Port: 2200
Guest Port: 22
Click OK to save the settings, click OK again to close the settings window
Boot the Whonix-Gateway virtual machine again.
On the Xubuntu desktop, Start Accessories -> Terminal Emulator and enter
ssh user@localhost -p 2200
Enter the Whonix-Gateway user password when prompted.
At the command prompt, start the nano text editor by entering
sudo nano /etc/tor/torrc
8.2.1. (Optional) Entry Nodes
Instead of using random Tor entry nodes you may want to use a little selection of trusted or fast entry nodes in your own country.
If you prefer to use obfuscated bridges instead you can skip this step.
Go to http://torstatus.blutmagie.de/index.php (TorStatus - Tor Network Status) ... th&SO=Desc and search for 5-10 of the fastest relays in your country (top of the list = fastest relays).
Click the relay name to get more information about the relay and copy the fingerprint line.
The fingerprint looks like this:
CFA4 8FC3 E843 DFF0 1AA0 26EC 7701 0AB5 7E8C 2FF0
Copy it to the clipboard and scroll down to the bottom of the text file in the nano text editor which is running in the Terminal Emulator window.
Enter a new line and paste the fingerprint.
Remove the spaces in the fingerprint and add a $ to the beginning, so it will look like this:
$CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0
Do this with at least 3 relays, 5 or more are better.
Add commas between each fingerprint and put them all into one line, then add "EntryNodes " to the beginning of the line like this:
EntryNodes $CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0,$CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0,$CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0
Unless you want to further change the Tor configuration, press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
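The fingerprint clean-up from this step can be scripted so that a mistyped or duplicated fingerprint is caught before it reaches torrc. This is an added example, not part of the original tutorial: the function names are hypothetical, and apart from the fingerprint quoted above the sample fingerprints are constructed.

```shell
#!/bin/sh
# build_entrynodes: read relay fingerprints on stdin (one per line, with or
# without spaces, lower or upper case, with or without a leading "$") and
# print one torrc "EntryNodes" line.
# Fails if a line is not a 40-hex-digit fingerprint, or if fewer than
# MIN_RELAYS distinct relays remain (the tutorial asks for at least 3).
MIN_RELAYS=3

build_entrynodes() {
    list=""
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip spaces, tabs, CRs and "$", then upper-case the hex digits.
        fp=$(printf '%s' "$line" | tr -d ' \t\r$' | tr 'abcdef' 'ABCDEF')
        if [ -z "$fp" ]; then
            continue                      # ignore blank lines
        fi
        # A relay fingerprint is a SHA-1 digest: exactly 40 hex digits.
        case "$fp" in
            *[!0-9A-F]*) echo "not a hex fingerprint: $line" >&2; return 1 ;;
        esac
        if [ "${#fp}" -ne 40 ]; then
            echo "wrong length (${#fp} instead of 40): $line" >&2
            return 1
        fi
        # Pasting the same relay twice does not add a second guard, so
        # duplicates are skipped and do not count towards the minimum.
        case ",$list," in
            *",\$$fp,"*) continue ;;
        esac
        list="${list:+$list,}\$$fp"
        count=$((count + 1))
    done
    if [ "$count" -lt "$MIN_RELAYS" ]; then
        echo "only $count distinct relay(s), need at least $MIN_RELAYS" >&2
        return 1
    fi
    printf 'EntryNodes %s\n' "$list"
}

# Constructed sample input: the fingerprint from the text, two made-up
# ones, a blank line, and a duplicate of the first in a different notation.
sample_fingerprints() {
    cat <<'EOF'
CFA4 8FC3 E843 DFF0 1AA0 26EC 7701 0AB5 7E8C 2FF0
0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567

$cfa48fc3e843dff01aa026ec77010ab57e8c2ff0
aaaa bbbb cccc dddd eeee ffff 0000 1111 2222 3333
EOF
}

sample_fingerprints | build_entrynodes
```

Paste the printed line at the bottom of /etc/tor/torrc in nano as described above.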
8.2.2. (Optional) Bridges
Some users may want to use obfuscated bridges. If someone is sniffing your internet connection it will be harder for them to find out that you are using Tor.
However bridges are less reliable and tend to have lower performance than normal entry nodes. Right now Whonix only supports obfs2 and non-obfuscated bridges by default.
Using normal non-obfuscated bridges is pretty much useless, if someone with enough resources (China, Five Eyes, ...) is doing deep packet inspection.
If getting a list of obfuscated bridges is too much hassle for you, but you do need to hide the fact that you are using Tor, then you should use a VPN instead.
See step 9. for how to set up an OpenVPN connection.
8.2.2.1. (Optional) Obfuscated bridges
Find the "## Using obfuscated bridges #" section in the nano text editor which is running in the Terminal Emulator window.
Find the line "#UseBridges 1" and remove the "#" at the beginning of the line.
Find the line "#ClientTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed" and remove the "#" at the beginning of the line.
Create a new line and enter your obfs2 bridges like this:
Bridge obfs2 111.22.33.44:1234
Bridge obfs2 44.33.22.111:1234
You should enter at least 3 bridges, each on a separate line.
Go to this page and write an email to get help with obfuscated bridges:
https://bridges.torproject.org/
8.2.2.2. (Optional) Normal public bridges
If you have to use normal bridges because your ISP is blocking Tor, scroll down to the bottom of the text file in the nano text editor which is running in the Terminal Emulator window,
and add this line:
UseBridges 1
Below that line enter the bridges like this, each on a separate line:
Bridge 111.22.33.44:1234
Bridge 44.33.22.111:1234
You can get a list of normal bridges from here: https://bridges.torproject.org/bridges
Unless you want to further change the Tor configuration, press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
8.2.3. (Optional) Block countries from becoming the clearnet exit node
It's possible to block certain countries from becoming the exit node. This is mostly useless, but in some rare cases it may actually be useful.
To block exit nodes in Five Eyes & friends countries from becoming your exit node, scroll down to the bottom of the text file in the nano editor and enter this line:
ExcludeExitNodes {us},{gb},{ca},{au},{nz},{ie},{sg},{??},{a1},{a2},{o1}
You can find a list of more country codes here (these are not always the same as internet top level domains)
ISO 3166-1 alpha-2 - Wikipedia, the free encyclopedia
Do not add too many countries to the list however, as this may reduce anonymity.
Press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
9. (Optional) VPN
If you need to hide that you are using Tor you may want to use a VPN instead of obfuscated bridges.
Do not use PPTP VPNs. The PPTP protocol was developed by Microsoft and can most likely easily be decrypted by Five Eyes countries.
That's why this tutorial only covers the installation and usage of OpenVPN.
Using VPNs in Sweden (or Singapore) may also offer no protection against the Five Eyes knowing about your Tor usage, as the Swedish government submissively lets the USA
do anything they want with Swedish internet cables. So tunneling Tor through a VPN in Sweden may make you even more interesting to the Five Eyes adversaries than simply using Tor alone.
If you do use a VPN in a "safe" country (that country should also have neighbouring "safe" countries), then you should set up Tor to use entry guards in that country or its
neighbours, and make sure the traffic between the VPN and the entry guard does not pass through sea cables which have been compromised by the Five Eyes and their submissive friends.
Note that even when using a VPN to conceal that you are using Tor, the Five Eyes may under certain circumstances still detect that you are using Tor by using time/size correlation or end-to-end correlation attacks.
To make this harder you could install a Bittorrent client and download copyrighted torrents from The Pirate Bay while using the VPN.
Do NOT download torrents through Whonix/Tor however, because that would make deanonymization even easier. Use Xubuntu to download torrents.
9.1. Installing OpenVPN
Start the Terminal Emulator and enter
sudo apt-get install -y openvpn network-manager-openvpn-gnome
9.2. Preparing the system for OpenVPN usage
Normally you would simply import the .ovpn file in Xubuntu start button -> Settings -> Network Connections -> VPN, but that does not work properly in current versions of Xubuntu.
Open the Home folder on the desktop and create a new folder named "vpn".
Open the vpn folder and copy the .ovpn file you've downloaded from your VPN provider into it.
Click the background of the folder with the right mouse button and select Create Document -> Empty File.
Enter "credentials" as name.
Doubleclick the credentials file and enter your VPN username and password in the text editor, each on a separate line.
Example:
snowden
r1s3.uP.4Nd.74k3.7H3.p0w3r.b4cK,17s.71m3.7H3.f47.c47s.h4d.4.h34R7.4774cK
Save the file and close the text editor.
Click the background of the folder with the right mouse button and select Create Document -> Empty File.
Enter "startvpn.sh" as name.
Doubleclick the startvpn.sh file and enter these lines:
#!/bin/sh
# Run OpenVPN in its own terminal window; the second window only opens once OpenVPN has exited.
cd /home/xubuntu/vpn || exit 1
xterm -e "sudo openvpn --config CHANGEME.ovpn --auth-user-pass credentials"
xterm -e "echo ATTENTION! The VPN has been disconnected or failed. Whonix will connect to Tor with your real IP; sleep 30"
Replace CHANGEME.ovpn with the filename of the .ovpn file you've downloaded from your VPN provider.
Save the file and close the text editor.
Click the startvpn.sh file with the right mousebutton and select Properties.
Select the Permissions tab and check "Allow this file to run as a program" and close the Properties window.
You can now test the VPN connection by clicking the startvpn.sh icon on the desktop.
If you want to disconnect from the VPN, select the VPN window and press CTRL + C.
If you ever see the message "ATTENTION! The VPN has been disconnected or failed" you should pause or shutdown the Whonix virtual machines immediately.
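The script above only warns after the tunnel has dropped, so Xubuntu keeps sending traffic over the real connection until you react. The following added example (not part of the original tutorial) generates iptables rules from the `remote` lines of the .ovpn file that let outbound traffic leave only through the tunnel or to the VPN server itself; the function names are hypothetical, the sample profile is constructed, and it assumes the provider's profile uses a tun device and literal IPv4 addresses.

```shell
#!/bin/sh
# vpn_killswitch_rules: read an OpenVPN client profile on stdin and print
# iptables commands that make the host fail closed when the tunnel is down.
# VirtualBox NAT traffic from the Whonix-Gateway leaves through ordinary
# host sockets, so the OUTPUT chain covers it as well.
vpn_killswitch_rules() {
    profile=$(tr -d '\r')      # tolerate profiles saved with CRLF line ends
    proto=udp                  # OpenVPN defaults if the profile is silent
    port=1194
    remotes=""
    while read -r key a b c rest; do
        case "$key" in
            proto)  proto=${a:-$proto} ;;
            port)   port=${a:-$port} ;;
            remote) remotes="$remotes ${a}|${b}|${c}" ;;  # host [port] [proto]
        esac
    done <<EOF
$profile
EOF
    if [ -z "$remotes" ]; then
        echo "no 'remote' directive found in profile" >&2
        return 1
    fi
    nl='
'
    rules="iptables -A OUTPUT -o lo -j ACCEPT${nl}"
    rules="${rules}iptables -A OUTPUT -o tun+ -j ACCEPT${nl}"
    for r in $remotes; do
        host=${r%%|*}; r=${r#*|}
        rport=${r%%|*}; rproto=${r#*|}
        rport=${rport:-$port}
        rproto=${rproto:-$proto}
        # Only literal IPv4 addresses: a hostname would need DNS, and DNS
        # is exactly what must not leave the machine outside the tunnel.
        # (Shape check only; octet ranges are not verified.)
        case "$host" in
            *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) ok=no ;;
            *.*.*.*) ok=yes ;;
            *) ok=no ;;
        esac
        if [ "$ok" = no ]; then
            echo "remote '$host' is not a literal IPv4 address" >&2
            return 1
        fi
        case "$rproto" in
            udp*) rproto=udp ;;
            tcp*) rproto=tcp ;;            # tcp, tcp-client, tcp4 ...
            *) echo "unknown proto '$rproto'" >&2; return 1 ;;
        esac
        case "$rport" in
            ""|*[!0-9]*) echo "bad port '$rport'" >&2; return 1 ;;
        esac
        rules="${rules}iptables -A OUTPUT -d $host -p $rproto --dport $rport -j ACCEPT${nl}"
    done
    # Everything else, including all non-loopback IPv6, is dropped.
    rules="${rules}iptables -P OUTPUT DROP${nl}"
    rules="${rules}ip6tables -A OUTPUT -o lo -j ACCEPT${nl}"
    rules="${rules}ip6tables -P OUTPUT DROP${nl}"
    printf '%s' "$rules"
}

# Constructed sample profile (documentation addresses, not a real provider).
sample_profile() {
    cat <<'EOF'
# constructed example profile
client
dev tun
proto udp
remote 203.0.113.10 1194
remote 203.0.113.11 443 tcp
auth-user-pass
EOF
}

sample_profile | vpn_killswitch_rules
```

To use it with your own profile, run `vpn_killswitch_rules < CHANGEME.ovpn`, read the printed rules, and pipe them to `sudo sh` before starting the Whonix virtual machines. If the function refuses the profile because `remote` is a hostname, ask your VPN provider for the server's IP address.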
9.2. (Optional) Create a link on the desktop
The recommended way to start the VPN is by making it start when the Xubuntu desktop starts.
If instead you want to start the VPN manually by doubleclicking it, then you can create a link on the desktop.
Note that if you forget to start the VPN before starting Whonix then your Tor usage may get detected by adversaries from secret services.
If you want to prevent that anyone except the VPN provider (and the secret service in the country which hosts the VPN) knows that you are using Tor you can skip this step and proceed to step 9.3.
Click the startvpn.sh file with the right mouse button and select Send To -> Desktop (Create Link).
You can now start the VPN connection by doubleclicking the startvpn.sh icon on the Xubuntu desktop.
9.3. (Optional) Start the VPN with the desktop
Instead of manually starting the VPN you may want to start the VPN when the Xubuntu desktop starts.
Click the Xubuntu start button -> Settings -> Settings Manager.
Doubleclick the Session and Startup icon and select the Application Autostart tab.
Click the Add button and enter VPN as name.
Enter /home/xubuntu/vpn/startvpn.sh in the Command text box and click OK.
Click Close to close the Session and Startup window.
Reboot Xubuntu to see if the VPN starts up when booting.
Start the web browser and go to ip-check.info to see if your IP is concealed.
9.4. (Optional, recommended) Cover traffic with Bittorrent
Xubuntu already comes with the Transmission Bittorrent client pre-installed, so we only have to configure it properly.
As we use an 8GB USB stick we don't want to download torrents to it, but to our hard drive instead.
As we don't want to select a new torrent once per hour we deliberately slow down the downloads.
Click the Xubuntu start button and select Internet -> Transmission.
In the Transmission menu select Edit -> Preferences.
Select the Downloading tab and change the Save to Location to a folder on your hard drive.
Change Maximum active downloads to 1 or 2.
Select the Speed tab and check the Download Speed Limit. Set it between 10-20kB/s.
Close the Preferences window and go to http://thepiratebay.sx/browse in Firefox.
Find a large file with over 50 seeders (the SE number in the torrent list) and click the link.
On the torrent page click the "GET THIS TORRENT" link with the magnet icon.
When the Launch Application window opens, click the Choose button and browse to File System -> usr -> bin
Select the transmission-gtk file and click Open.
Check "Remember my choice for magnet links" and click OK to close the Launch Application window.
If a Torrent Options window pops up, click Open.
The torrent should now be visible in the Transmission window and start downloading after a minute.
You can add more torrents to Transmission by clicking the "GET THIS TORRENT" links on various torrent pages on The Pirate Bay.
When one torrent download is finished the next download will start.
You may want to start Transmission automatically when the desktop starts.
Click the Xubuntu start button -> Settings -> Settings Manager and click the Session and Startup icon.
Select the Application Autostart tab and click the Add button.
Enter Transmission as name and enter "/usr/bin/transmission-gtk" as the Command. Click OK to add the application to the Autostart and click Close.
Reboot your system to see if Transmission automatically starts when the desktop starts.
If the torrents in Transmission show errors after rebooting the system that's probably because your hard drive for the torrent downloads wasn't automatically mounted.
In that case simply doubleclick the icon of the hard drive on the Xubuntu desktop to mount it.
In the Transmission window select the torrent with the error message and click the Start torrent button.
If the download doesn't start after a minute, close Transmission and start it again from the Xubuntu start button menu.
You should always wait for the download to start before starting Whonix.
You should also always have active downloads in Transmission. Once a torrent has finished downloading you can delete it from the hard drive and start it again.
Congratulations. You are now a Tor ninja.
10. Using the system
10.1. Booting
To use the system, boot from the USB stick and start TrueCrypt.
Select Slot 1 and click Select File, if the file isn't selected already. Open the Krypton folder and select the kryptonite file.
Click the Mount button and enter the password.
Start VirtualBox and start the Whonix-Gateway. Wait until it's booted, then start the Whonix-Workstation.
10.2. Tor Browser
There are 2 versions of the Tor Browser on the Whonix desktop. It is recommended that you start it with the "Tor Browser Recommended..." icon.
You may want to disable Javascript by clicking the S icon after starting Tor Browser for the first time.
10.3. Tor status monitor
Whonix does not include Vidalia, but the Whonix-Gateway includes ARM (anonymizing relay monitor).
In the Whonix-Gateway window enter "sudo arm" and enter your user password when prompted.
You can press "n" to get a new identity, or press "m" for a menu which can be navigated with the cursor keys.
10.4. XChat
The IRC program XChat is already installed and preconfigured to use with Tor.
If you want to chat in the OFTC #tor channel, doubleclick the XChat icon and select XChat -> Network List in the XChat menu.
Click the Connect button to connect with the IRC server, enter #tor in the text box and click OK to join the channel.
You can change your nickname by entering "/nick something" in the text box on the bottom of the XChat window.
To get a list of more channels on the OFTC server, select Server -> List of Channels in the XChat menu and click the Search button.
Doubleclick a channel to join it. You can also enter "/join #channelname" in the text box on the bottom of the XChat window to join existing channels or create your own.
10.5. Using KGpg
Doubleclick the KGpg icon on the Whonix desktop.
If you use the standard Whonix desktop, click the small arrow on the right side of the Whonix task bar and select KGpg.
If you installed Xfce4 desktop, click the lock icon on the top right of the desktop task bar.
10.5.1. Adding keys
Copy the PGP key to the clipboard and select Keys -> Import Key in the KGpg window.
Select Clipboard and click OK.
10.5.2. Encrypting a message
In the KGpg menu select File -> Open Editor and type your message.
Click the Encrypt button on the bottom of the KGpg text editor window, select a key and click OK.
10.5.3. Decrypting a message
In the KGpg menu select File -> Open Editor and paste the encrypted message from the clipboard.
Click the Decrypt button on the bottom of the KGpg text editor window and enter your passphrase.
10.6. Other apps
If you want to install any other programs like Pidgin, doubleclick the Apper icon on the desktop.
See the Whonix documentation for further details:
http://zo7fksnun4b4v4jv.onion/wiki/Documentation
or
https://www.whonix.org/wiki/Documentation
CC-BY Bernd Liefert, 02.09.2013
Updated 08.09.2013
1. Downloads
CLEARNET WARNING!! Multiple sites are linked in this article and have not been verified by SR staff.
For this tutorial we use Xubuntu 12.04, because the size is smaller than Xubuntu 13.04.
You might as well use Lubuntu, but you shouldn't use anything other than Xubuntu or Lubuntu if you only have 4GB RAM and an 8GB USB stick.
If you have a 64bit Intel or AMD CPU download this image:
http://se.archive.ubuntu.com/mirror/cdi ... -amd64.iso
If you have a 32bit CPU download this image:
http://se.archive.ubuntu.com/mirror/cdi ... p-i386.iso
If the above images are not available any longer, you can download the latest Xubuntu images from here:
http://se.archive.ubuntu.com/mirror/cdi ... 4/release/
Download UNetBootin for your OS, this tutorial will most likely not work with Pendrive Linux USB Installer.
UNetbootin - Homepage and Downloads
If you use Windows, download EaseUS Partition Master:
Free Partition Magic alternative. Best Free Partition Manager Freeware for Windows 2000/XP/Vista/7/8 32 bit & 64 bit - EaseUS Partition Master Free Edition.
Download the latest version of Whonix-Gateway.ova and Whonix-Workstation.ova:
https://www.whonix.org/wiki/Download
Note that if you download Whonix over the clearnet, some secret service may know that you downloaded it. That could be seen as suspicious. You may want to use a VPN, Tor or an internet cafe to download it.
https://www.whonix.org/wiki/Hide_Tor_an ... m_your_ISP
http://zo7fksnun4b4v4jv.onion/wiki/Hide ... m_your_ISP
2. Preparing the USB stick
First we need to partition the USB stick. You can do this with GParted under Linux or EaseUS Partition Master under Windows. If you use a Mac, find a partitioning tool which can deal with USB sticks.
We will delete the partition(s) on the USB stick and create 2 new partitions.
This part of the manual describes how to prepare the USB stick with EaseUS PM; it's not much different with other partition tools, however.
Select the partitions to delete (if you have one hard drive in your system you would have to select Disk 3 in EaseUS PM) and click the Delete button.
Now the entire space of the USB stick should display "Unallocated".
Click the "Apply" button to write the changes to the USB stick. All data on the USB stick will be lost after clicking the Apply button.
Select the Unallocated space on the USB stick and click the "Create" button.
Change "Logical" to "Primary" and change the file system to FAT32.
Change the size of the partition to about 1350MB and click OK. You can make it 2000MB if you use a 16GB USB stick, but that's not really necessary, unless you want to use Xubuntu for more than just starting TrueCrypt and VirtualBox.
Select the Unallocated space on the USB stick and click the "Create" button.
If there is a warning about Windows not recognizing stuff, click Yes.
The partition will use the rest of your USB stick, about 6300MB on a 8GB USB stick.
Give the new partition a descriptive label, e.g. Krypton.
Change "Logical" to "Primary", change the file system to NTFS and click OK.
Click the "Apply" button to write the changes to the USB stick. Close the partitioning program when done.
3. Using UNetBootin to install Xubuntu to the USB stick
Start UNetBootin and click the "..." button to select the Xubuntu*.iso you've downloaded.
Change the amount of persistent Ubuntu storage to 500MB. You can make it 1000MB if you use a 16GB USB stick, but that's not really necessary.
Make sure the right USB stick is selected, then click OK.
When the installation is done, you can reboot the computer and boot from the USB stick. It is assumed that you already know how to boot from USB. Use Google or ask in this thread if you don't.
4. Setting up Xubuntu
Boot from the USB stick and press Enter at UNetBootin boot menu to start Xubuntu.
4.1. (Optional) Change keyboard layout
If you're not from the USA you may have to change the keyboard layout.
Click the start button on the upper left on the Xubuntu desktop and go to
Settings -> Settings Manager -> Keyboard
Select the Layout tab and uncheck "Use system defaults".
Click the "Add" button, select your keyboard layout (optionally select a variant) and click OK.
Select "English(US)", click the "Delete" button and "Close".
4.2. Install VirtualBox
Click the start button on the upper left on the Xubuntu desktop and start Ubuntu Software Center.
In the search box enter "virtualbox".
Select the "VirtualBox" icon and click the now visible Install button.
When the installation is done, close the Ubuntu Software Center window and proceed to the next step.
4.3. Install TrueCrypt
Click the Xubuntu start button and start the Web Browser.
Go to TrueCrypt - Downloads and download the appropriate Linux version of TrueCrypt.
If you are using the amd64 version of Xubuntu, select the "Standard 64-bit" version, otherwise select the 32-bit version.
On the Xubuntu desktop, doubleclick the Home -> Downloads folder.
Click the truecrypt archive icon with the right mouse button and select Extract Here.
Doubleclick the truecrypt-*-setup icon, click Install TrueCrypt, agree with the license agreement and click OK.
Press Enter to exit when prompted.
Delete the files from the Downloads folder.
5. Setting up TrueCrypt
We are using TrueCrypt for encryption because it's easier to set up for Linux novices.
We are using a TrueCrypt container because this is easier to back up later.
To increase the performance during the installation you could create the TrueCrypt container on your hard drive instead, and copy it to the Krypton folder later.
Writing data (installing) to the USB stick is slower than reading data (booting, running programs).
You do need to know how much space is left in the Krypton folder however, so the TrueCrypt container won't be too large.
5.1. Creating the TrueCrypt container
Click the Xubuntu start button and start Accessories -> TrueCrypt.
Click "Create Volume" and click Next to create an encrypted file container.
Click Next to create a standard TrueCrypt volume.
Uncheck "Never save history" and click the Select File button.
On the right side of the window, select the Krypton folder, enter a name on the top of the window, e.g. kryptonite, and click Save.
Click Next to get to the encryption algorithm selection.
Select either AES-Twofish (fastest, double encryption), Serpent-AES (slower, stronger double encryption) or AES-Twofish-Serpent (slowest but triple encryption) as Encryption Algorithm.
Select Whirlpool as Hash Algorithm.
If you have a slow computer you may want to use AES and RIPEMD, but those can be cracked faster. Police won't be able to crack it in reasonable time, but the NSA may be able to.
Try the benchmark to see how fast they are on your computer. 100mb/s should be enough, as USB2 sticks are way slower than that anyway. So encryption is still faster than your USB stick.
Click Next and enter the size of the TrueCrypt volume to be created.
On an 8GB USB stick it should show about 6.2 GB available, enter 6200 (MB). If there is more space on your USB stick, make it larger.
Enter a strong password for the volume. The password should have more than 20 characters and numbers and the words shouldn't be found in a dictionary.
Click Next and select "I will store files larger than 4GB on the volume".
Click Next and select Linux Ext2 as filesystem type.
Click Next because we may want to mount the volume on another OS in future.
Move your mouse around randomly for 30 seconds over the TrueCrypt window, then click Format.
This can take a while, depending on the quality of your USB stick.
TrueCrypt may freeze when the format is done 100%. If it freezes for longer than a few minutes, simply reboot the system by clicking the
Xubuntu start button -> Log Out -> Restart
5.2. Mounting the TrueCrypt container
Start Accessories -> TrueCrypt again, if you had to reboot in the last step.
If you didn't have to reboot, click Dismount All in the TrueCrypt window.
Select Slot 1 in the TrueCrypt window and click the Select File button.
Select Krypton -> kryptonite and click Open.
Click the Mount button and enter the encryption password.
6. Setting up VirtualBox
Click the Xubuntu start button -> Accessories -> VirtualBox.
In the VirtualBox Manager, click File -> Preferences.
Click the Default Machine Folder selector and select Other...
On the right side of the window select the "truecrypt1" folder and click Open.
Click OK to close the VirtualBox Settings window.
6.1. Importing Whonix
In the VirtualBox Manager, click File -> Import Appliance.
Click Choose and find the Whonix-Gateway.ova file you've downloaded.
Click Next, in the next window click Import.
This can take a few minutes, depending on the quality of your USB stick. It shouldn't take more than 3-4 minutes.
In the VirtualBox Manager, click File -> Import Appliance.
Click Choose and find the Whonix-Workstation.ova file you've downloaded.
Click Next, in the next window click Import.
This can take 10+ minutes, depending on the quality of your USB stick. If it takes much longer than 10 minutes then your USB stick sucks.
6.2. Setting up Whonix
To increase the speed on multicore CPUs the virtual machine settings have to be changed.
In the VirtualBox Manager, select Whonix-Workstation and click the Settings button.
Go to System -> Processor and increase the number of Processors to the number of cores your CPU has.
Click OK to close the settings window and increase the number of processors of the Whonix-Gateway.
It is not recommended to change any other virtual machine settings. E.g. don't increase the memory size.
6.2.1. Whonix Gateway
In the VirtualBox Manager, select Whonix-Gateway and click the Start arrow.
Click OK to dismiss any popup windows.
You should see a command prompt (user@host:~$) after the gateway is booted.
Wait 60 seconds until whonixcheck starts and tests the network connection.
You should see the messages "You are successfully using Tor" and "Checking for operating system updates...".
If instead there is an error message after 2 minutes, enter "whonixcheck" at the command prompt.
If you see an error message again you have to repeat this, until you are successfully using Tor and Whonix is checking for operating system updates.
The update check can take 10+ minutes to complete, depending on the current speed of the Tor circuit.
Wait until you see the "Last run .... of Network Time Synchronization..." message.
6.2.1.1. (Optional) Change keyboard layout
If you are not from the USA, you may have to change the keyboard layout.
At the command prompt enter
Code:
sudo dpkg-reconfigure console-data
You may have to use your numpad's "-" key, depending on your keyboard.
Enter the password "changeme" when prompted.
Use the cursor keys to select "Select keymap from arch list" and press Enter.
Select the appropriate keyboard layout family for your country, then select the keyboard layout and a keyboard variant.
6.2.1.2. Update Whonix-Gateway software packages
At the command prompt enter
Code:
sudo apt-get update && sudo apt-get dist-upgrade
Enter the password "changeme" if prompted.
Enter "y" to continue the software update when prompted.
Updated packages will get downloaded now. This can take 10+ minutes, depending on the speed of the current Tor circuit.
When the downloads are finished you will probably get prompted about configuration file updates. Just press Enter when there are any questions.
When the installation process is finished and you see the command prompt (user@host:~$) again, proceed to the next step.
6.2.2. Whonix Workstation
In the VirtualBox Manager, select Whonix-Workstation and click the Start arrow.
Click OK to dismiss any popup windows.
When the Whonix desktop is booted you should see the whonixcheck time synchronization window.
You may want to wait 3+ minutes until the whonixcheck time synchronization window disappears, otherwise the desktop may be a little unresponsive.
The speed of this process depends on the quality of your USB stick and the current Tor circuit speed.
When the larger whonixcheck window appears, click OK to close it.
When the mouse pointer gets captured by the virtual machine you can uncapture it again by pressing the right CTRL key on the keyboard.
6.2.2.1. (Optional) Change keyboard layout
If you are not from the USA, you may have to change the keyboard layout.
Click the K(DE) start button on the lower left and select System Settings.
Click the Input Devices icon and select the Layouts tab.
Check "Configure layouts" and click the Add button.
Click the "Limit selection by language" selector and choose your language.
Click the "Layout" selector and choose your language.
Click OK to close the selection window, select "us English (US)" and click the Remove button.
Click the Apply button and close the keyboard settings window.
6.2.2.2. Update Whonix-Workstation software packages
Doubleclick the Konsole icon on the Whonix desktop and enter
Code:
sudo apt-get update && sudo apt-get dist-upgrade
Enter the password "changeme" when prompted and enter "y" when prompted to start the package downloads.
Updated packages will get downloaded now. This can take 45+ minutes, depending on the speed of the current Tor circuit.
When the downloads are finished you will probably get prompted about configuration file updates. Just press Enter when there are any questions.
When the installation process is finished (this can take 30+ minutes) and you see the command prompt (user@host:~$) again,
enter "sudo reboot" in the Konsole window to reboot the Whonix workstation.
6.2.2.3. (Optional) VirtualBox Guest Additions
To be able to use Whonix in full screen resolution or simply resize the virtual machine window we need to install the VirtualBox Guest Additions.
This will also stop the mouse pointer from getting captured by the virtual machine and enables you to turn on clipboard sharing (not recommended)
and shared folders (not recommended).
Note that the installation of the guest additions is not recommended by the Whonix developer.
Have a look at this page and the links to see why, do not follow the instructions on that page however:
http://zo7fksnun4b4v4jv.onion/wiki/Virt ... _Additions
or
https://www.whonix.org/wiki/VirtualBox_Guest_Additions
Those issues are probably negligible, and some users may find it a lot more convenient to be able to resize the Whonix desktop.
Click the Xubuntu start button and start the Ubuntu Software Center.
Enter "virtualbox-guest-additions" in the search box and select
"Transitional package for virtualbox-guest-additions-iso / virtualbox-guest-additions".
Click Install and close the Ubuntu Software Center window when the installation is complete.
In the Whonix-Workstation virtual machine window, select Devices -> Install Guest Additions.
On the Whonix desktop, doubleclick the Konsole icon.
Enter this line and enter your password when prompted:
Code:
sudo apt-get install build-essential linux-headers-$(uname -r)
Enter "y" and wait for the downloads and installation to be completed.
When you see the command prompt again, enter these case sensitive lines:
Code:
sudo mkdir /media/cdrom
sudo mount /dev/sr0 /media/cdrom
sudo /media/cdrom/VBoxLinuxAdditions.run
When this is done and you see the command prompt again, enter "sudo reboot" to reboot the Whonix virtual machine.
After rebooting Whonix-Workstation you should be able to resize the Whonix desktop and use full screen resolution and other guest addition features.
7. Finishing the installation and cleaning up
7.1. Update Tor Browser
On the Whonix desktop, doubleclick the Update Tor Browser icon.
Click Yes to start the update when prompted.
Note that using this method to update the Tor Browser will discard your old bookmarks. They will be backed up in the Home folder however.
7.2. (Optional, recommended) Install Xfce4
If you prefer the look and feel of the Xubuntu desktop over the Whonix (KDE) desktop you can install Xfce4 to make Whonix look more like Xubuntu.
This should also speed up boot up times a little.
Doubleclick the Konsole icon and enter these lines:
Code:
sudo apt-get install xfce4
sudo reboot
Enter your user password when prompted. Downloading and installation should take less than 10 minutes.
If you need to change your keyboard layout after rebooting, see step 4.1. how to do it.
7.3. Cleaning up
On the Whonix desktop, doubleclick the Konsole icon and enter:
Code:
sudo rm /var/cache/apt/archives/*deb
Enter the password "changeme" when prompted.
Enter the same line in the Whonix-Gateway window.
Click the Xubuntu start button, start Accessories -> Terminal Emulator and enter the same line.
7.4. Change passwords
This doesn't really add much security, but it is recommended that you change the default password in both Whonix-Workstation and Whonix-Gateway.
On the Whonix desktop, start Konsole and enter "passwd".
Enter the current password ("changeme"), then enter the new password two times. The password doesn't need to be overly strong.
This is the user password.
Enter "sudo su" and enter the password.
Again, enter "passwd" and enter the new password two times. You can use the same password as before, as this doesn't add much security.
This is the root (admin) password.
On the Whonix gateway, enter "passwd".
Enter the current password ("changeme"), then enter the new password two times. You can use the same password you used on the Whonix workstation.
Enter "sudo su" and enter the password.
Again, enter "passwd" and enter the new password two times.
7.5. Create a PGP key
Click the KGpg icon on the Whonix desktop.
Click the small arrow on the right side of the Whonix task bar and select KGpg.
In the KGpg window, select Keys -> Generate Key Pair
Enter a fake name and fake email address.
Set key size to 4096 and click OK.
Enter a strong password (20+ characters) and click OK.
Click OK when the key generation is finished.
7.6. Disable automatic updates
We don't need automatic Xubuntu updates on a persistent live system with only little space left.
Click the Xubuntu start button -> Ubuntu Software Center
In Edit -> Software Sources select the Updates tab and set Automatically check for updates to Never.
Close the Software Sources window and the Ubuntu Software Center.
7.7. Backup the TrueCrypt container
Shut down both Whonix virtual machines.
On the Whonix desktop, click the KDE start button and select Leave -> Shutdown. Click Turn Off Computer and OK.
On the Whonix gateway, enter "sudo halt" and enter the user password when prompted.
On the Xubuntu desktop, open the Krypton folder, click the kryptonite file with the right mouse button and select Copy.
Select a destination from the panel on the right side, e.g. another USB stick, click the folder display on the right side with the right mouse button and select Paste.
If the USB stick ever breaks, simply repeat steps 1-4 to create a new persistent Xubuntu with VirtualBox and TrueCrypt. Instead of creating a new TrueCrypt container, copy the kryptonite file to the Krypton folder and mount it in TrueCrypt. That way you can create copies of the bootable USB stick within less than 15 minutes.
8. Tor configuration
These steps are not really necessary for Tor to function properly in most cases. It will already use entry guards, one of the main advantages over Tails.
You can skip steps 8.* if you don't want to use specific fast entry nodes or bridges and you don't want to block relays in certain countries from becoming the exit node.
Selecting public entry guards in your own country (step 8.2.1.) is recommended, if you don't need to hide that you are using Tor.
Not hiding that you are using Tor is to be preferred over not hiding it properly. If you try to hide using Tor and don't do it properly, then this will just make you more suspicious.
8.1. Common Tor configuration
In the Whonix-Gateway window, enter this line at the command prompt:
Code:
sudo nano /etc/tor/torrc
Press enter and enter your Whonix-Gateway user password when prompted.
Scroll down to the bottom of the text by using the cursor keys or the Page Down key on your keyboard and enter these lines:
Code:
AvoidDiskWrites 1
ClientOnly 1
StrictNodes 1
Press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
8.2. Optional Tor configuration (entry nodes, bridges, blocking exit nodes)
To be able to copy+paste something into the Whonix-Gateway it's necessary to use SSH. You probably don't want to type fingerprints or list of bridges by hand.
Shut down the Whonix-Gateway by entering "sudo halt".
Select Whonix-Gateway in the VirtualBox manager and click it with the right mouse button.
Select Settings and click Network and Advanced.
Click the Port Forwarding button and click "+" (Insert new rule)
Enter these values by doubleclicking the empty fields:
Host IP: 127.0.0.1
Host Port: 2200
Guest Port: 22
Click OK to save the settings, click OK again to close the settings window
Boot the Whonix-Gateway virtual machine again.
On the Xubuntu desktop, Start Accessories -> Terminal Emulator and enter
Code:
ssh user@localhost -p 2200
Enter the Whonix-Gateway user password when prompted.
At the command prompt, start the nano text editor by entering
Code:
sudo nano /etc/tor/torrc
8.2.1. (Optional) Entry Nodes
Instead of using random Tor entry nodes you may want to use a little selection of trusted or fast entry nodes in your own country.
If you prefer to use obfuscated bridges instead you can skip this step.
Go to http://torstatus.blutmagie.de/index.php (TorStatus - Tor Network Status) ... th&SO=Desc and search for 5-10 of the fastest relays in your country (top of the list = fastest relays).
Click the relay name to get more information about the relay and copy the fingerprint line.
The fingerprint looks like this:
CFA4 8FC3 E843 DFF0 1AA0 26EC 7701 0AB5 7E8C 2FF0
Copy it to the clipboard and scroll down to the bottom of the text file in the nano text editor which is running in the Terminal Emulator window.
Enter a new line and paste the fingerprint.
Remove the spaces in the fingerprint and add a $ to the beginning, so it will look like this:
$CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0
Do this with at least 3 relays, 5 or more are better.
Add commas between each fingerprint and put them all into one line, then add "EntryNodes " to the beginning of the line like this:
EntryNodes $CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0,$CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0,$CFA48FC3E843DFF01AA026EC77010AB57E8C2FF0
Unless you want to further change the Tor configuration, press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
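The formatting steps above can be checked mechanically. The shell function below is an added example, not part of the original tutorial: it reads fingerprints one per line in the form shown on the relay page and prints the finished EntryNodes line, refusing malformed fingerprints and counting repeated ones only once. The function name entrynodes_line is made up for this example, and the second and third sample fingerprints are constructed placeholders, not real relays.

```sh
#!/bin/sh
# Added example: turn fingerprints copied from a relay status page
# (one per line, with or without spaces) into one torrc EntryNodes line.

entrynodes_line() {
    _list=""
    _count=0
    while IFS= read -r _raw || [ -n "$_raw" ]; do
        # Strip spaces, tabs, CRs and any "$"; upper-case the hex digits.
        _fp=$(printf '%s' "$_raw" | tr -d ' \t\r$' | tr 'a-f' 'A-F')
        if [ -z "$_fp" ]; then
            continue                      # blank line
        fi
        # A relay fingerprint is exactly 40 hex digits.
        if ! printf '%s\n' "$_fp" | grep -Eq '^[0-9A-F]{40}$'; then
            echo "Rejected, not 40 hex digits: $_raw" >&2
            return 1
        fi
        # Skip a fingerprint that is already in the list, so pasting the
        # same relay several times does not count towards the minimum.
        case ",$_list," in
            *",\$$_fp,"*) continue ;;
        esac
        _list="${_list:+$_list,}\$$_fp"
        _count=$((_count + 1))
    done
    # The tutorial asks for at least 3 relays.
    if [ "$_count" -lt 3 ]; then
        echo "Only $_count distinct relay(s), need at least 3" >&2
        return 1
    fi
    printf 'EntryNodes %s\n' "$_list"
}

# Sample input: the first fingerprint is the one shown in the tutorial,
# the other two are constructed placeholders.
SAMPLE_FINGERPRINTS='CFA4 8FC3 E843 DFF0 1AA0 26EC 7701 0AB5 7E8C 2FF0
0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
fedc ba98 7654 3210 fedc ba98 7654 3210 fedc ba98'

printf '%s\n' "$SAMPLE_FINGERPRINTS" | entrynodes_line
```

Paste the printed line at the bottom of /etc/tor/torrc in place of a hand-assembled one.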
8.2.2. (Optional) Bridges
Some users may want to use obfuscated bridges. If someone is sniffing your internet connection it will be harder for them to find out that you are using Tor.
However bridges are less reliable and tend to have lower performance than normal entry nodes. Right now Whonix only supports obfs2 and non-obfuscated bridges by default.
Using normal non-obfuscated bridges is pretty much useless, if someone with enough resources (China, Five Eyes, ...) is doing deep packet inspection.
If getting a list of obfuscated bridges is too much hassle for you, but you do need to hide the fact that you are using Tor, then you should use a VPN instead.
See step 9. for how to set up an OpenVPN connection.
8.2.2.1. (Optional) Obfuscated bridges
Find the "## Using obfuscated bridges #" section in the nano text editor which is running in the Terminal Emulator window.
Find the line "#UseBridges 1" and remove the "#" at the beginning of the line.
Find the line "#ClientTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed" and remove the "#" at the beginning of the line.
Create a new line and enter your obfs2 bridges like this:
Bridge obfs2 111.22.33.44:1234
Bridge obfs2 44.33.22.111:1234
You should enter at least 3 bridges, each on a separate line.
Go to this page and write an email to get help with obfuscated bridges:
https://bridges.torproject.org/
8.2.2.2. (Optional) Normal public bridges
If you have to use normal bridges because your ISP is blocking Tor, scroll down to the bottom of the text file in the nano text editor which is running in the Terminal Emulator window,
and add this line:
UseBridges 1
Below that line enter the bridges like this, each on a separate line:
Bridge 111.22.33.44:1234
Bridge 44.33.22.111:1234
You can get a list of normal bridges from here: https://bridges.torproject.org/bridges
Unless you want to further change the Tor configuration, press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
8.2.3. (Optional) Block countries from becoming the clearnet exit node
It's possible to block certain countries from becoming the exit node. This is mostly useless, but in some rare cases it may actually be useful.
To block exit nodes in Five Eyes & friends countries from becoming your exit node, scroll down to the bottom of the text file in the nano editor and enter this line:
ExcludeExitNodes {us},{gb},{ca},{au},{nz},{ie},{sg},{??},{a1},{a2},{o1}
You can find a list of more country codes in the Wikipedia article "ISO 3166-1 alpha-2" (these are not always the same as internet top-level domains).
Do not add too many countries to the list however, as this may reduce anonymity.
Press CTRL + x and enter "y" when prompted. Press Enter to save the text file.
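The following linter is an added example, not part of the original tutorial or of Whonix. It checks the entry guard, bridge and exit-node lines edited in step 8.2 for the mistakes that are easy to make in nano: a "#" left in front of UseBridges or ClientTransportPlugin, fewer than 3 bridges, duplicate or malformed EntryNodes entries, and country codes without braces. The function name and the sample fingerprints and bridge addresses are made up for the example.

```python
import re
FPR = re.compile(r"\$[0-9A-Fa-f]{40}")        # "$" + 40 hex digits
CC = re.compile(r"\{[A-Za-z0-9?]{2}\}")       # {us}, {a1}, {??}
BRIDGE = re.compile(r"(?:(\w+)\s+)?\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}(?:\s+\S+)*")

def lint_torrc(text):
    """Return warnings for the options edited in step 8.2 (hypothetical helper)."""
    warn, bridges, opts = [], [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # text after "#" is a comment
        if line:
            key, _, val = line.partition(" ")
            (bridges if key == "Bridge" else opts.setdefault(key, [])).append(val.strip())

    for val in opts.get("EntryNodes", []):
        items = [i.strip() for i in val.split(",")]
        for i in items:
            if not (FPR.fullmatch(i) or CC.fullmatch(i)):
                warn.append(f"EntryNodes: malformed entry {i!r}")
        if len({i.upper() for i in items}) < len(items):
            warn.append("EntryNodes: duplicate entry")

    if bridges and "1" not in opts.get("UseBridges", []):
        warn.append("Bridge lines present but 'UseBridges 1' is not active")
    if 0 < len(bridges) < 3:
        warn.append(f"only {len(bridges)} bridge(s), the tutorial asks for at least 3")
    plugins = {v.split()[0] for v in opts.get("ClientTransportPlugin", []) if v}
    for b in bridges:
        m = BRIDGE.fullmatch(b)
        if not m:
            warn.append(f"Bridge: cannot parse {b!r}")
        elif m.group(1) and m.group(1) not in plugins:
            warn.append(f"Bridge {b!r}: no active ClientTransportPlugin {m.group(1)}")

    for val in opts.get("ExcludeExitNodes", []):
        for i in (x.strip() for x in val.split(",")):
            if len(i) == 2 and not i.startswith("{"):
                warn.append(f"ExcludeExitNodes: country code {i!r} needs braces")
    return warn
# Constructed sample (made-up fingerprints and bridges): two "#" were left in
# place, one fingerprint was pasted twice and one country code lacks braces.
SAMPLE = """EntryNodes $""" + "A" * 40 + ",$" + "A" * 40 + ",$" + "B" * 40 + """
#UseBridges 1
#ClientTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed
Bridge obfs2 111.22.33.44:1234
Bridge obfs2 44.33.22.111:1234
ExcludeExitNodes {us},gb,{??}
"""
print("\n".join(lint_torrc(SAMPLE)))
```

An empty result only means these specific mistakes are absent; Tor itself still decides whether the file is valid.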
9. (Optional) VPN
If you need to hide that you are using Tor you may want to use a VPN instead of obfuscated bridges.
Do not use PPTP VPNs. The PPTP protocol was developed by Microsoft and can most likely easily be decrypted by Five Eyes countries.
That's why this tutorial only covers the installation and usage of OpenVPN.
Using VPNs in Sweden (or Singapore) may also offer no protection against the Five Eyes knowing about your Tor usage, as the Swedish government submissively lets the USA
do anything they want with Swedish internet cables. So tunneling Tor through a VPN in Sweden may make you even more interesting to the Five Eyes adversaries than simply using Tor alone.
If you do use a VPN in a "safe" country (that country should also have neighbouring "safe" countries), then you should set up Tor to use entry guards in that country or its
neighbours, and make sure the traffic between the VPN and the entry guard does not pass through sea cables which have been compromised by the Five Eyes and their submissive friends.
Note that even when using a VPN to conceal that you are using Tor, the Five Eyes may under certain circumstances still detect that you are using Tor by using time/size correlation or end-to-end correlation attacks.
To make this harder you could install a Bittorrent client and download copyrighted torrents from The Pirate Bay while using the VPN.
Do NOT download torrents through Whonix/Tor however, because that would make deanonymization even easier. Use Xubuntu to download torrents.
9.1. Installing OpenVPN
Start the Terminal Emulator and enter
sudo apt-get install -y openvpn network-manager-openvpn-gnome
9.2. Preparing the system for OpenVPN usage
Normally you would simply import the .ovpn file in Xubuntu start button -> Settings -> Network Connections -> VPN, but that does not work properly in current versions of Xubuntu.
Open the Home folder on the desktop and create a new folder named "vpn".
Open the vpn folder and copy the .ovpn file you've downloaded from your VPN provider into it.
Click the background of the folder with the right mouse button and select Create Document -> Empty File.
Enter "credentials" as name.
Doubleclick the credentials file and enter your VPN username and password in the text editor, each on a separate line.
Example:
snowden
r1s3.uP.4Nd.74k3.7H3.p0w3r.b4cK,17s.71m3.7H3.f47.c47s.h4d.4.h34R7.4774cK
Save the file and close the text editor.
Click the background of the folder with the right mouse button and select Create Document -> Empty File.
Enter "startvpn.sh" as name.
Doubleclick the startvpn.sh file and enter these lines:
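#!/bin/sh
# Start OpenVPN in its own terminal window. That line blocks until OpenVPN exits.
cd /home/xubuntu/vpn
xterm -e "sudo openvpn --config CHANGEME.ovpn --auth-user-pass credentials"
# Reached only after OpenVPN has stopped or failed: show the warning for 30 seconds.
xterm -e "echo ATTENTION! The VPN has been disconnected or failed. Whonix will connect to Tor with your real IP; sleep 30"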
Replace CHANGEME.ovpn with the filename of the .ovpn file you've downloaded from your VPN provider.
Save the file and close the text editor.
Click the startvpn.sh file with the right mouse button and select Properties.
Select the Permissions tab and check "Allow this file to run as a program" and close the Properties window.
You can now test the VPN connection by clicking the startvpn.sh icon on the desktop.
If you want to disconnect from the VPN, select the VPN window and press CTRL + C.
If you ever see the message "ATTENTION! The VPN has been disconnected or failed" you should pause or shutdown the Whonix virtual machines immediately.
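A local check that the VPN is really carrying your traffic before you start the Whonix virtual machines, as an added example that is not part of the original tutorial. It assumes the provider's .ovpn file uses OpenVPN's "redirect-gateway def1" option, which adds two /1 routes through the tun device instead of replacing the default route; the function names, interface names and routing tables below are constructed for the example.

```python
import ipaddress
import struct

RTF_UP = 0x1  # route flag: route is usable

def _ip(hexfield):
    # /proc/net/route prints IPv4 values as little-endian hex on x86 hosts
    return ipaddress.IPv4Address(struct.pack("<I", int(hexfield, 16)))

def parse_routes(table):
    """Parse /proc/net/route text into (network, interface) pairs."""
    routes = []
    for row in table.strip().splitlines()[1:]:          # skip the header row
        col = row.split()
        if int(col[3], 16) & RTF_UP:
            prefix = bin(int(col[7], 16)).count("1")    # netmask -> prefix length
            routes.append((ipaddress.IPv4Network((_ip(col[1]), prefix)), col[0]))
    return routes

def egress_iface(table, dest):
    """Interface the kernel would pick for dest (longest prefix wins)."""
    dest = ipaddress.IPv4Address(dest)
    hits = [(net.prefixlen, dev) for net, dev in parse_routes(table) if dest in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def vpn_is_default(table, probes=("64.0.0.1", "192.0.2.1"), prefix="tun"):
    """True only if both halves of the address space leave via a tun device.
    The probe addresses are only looked up in the table, nothing is sent."""
    return all((egress_iface(table, p) or "").startswith(prefix) for p in probes)

# Constructed table while OpenVPN is connected (LAN 192.168.1.0/24,
# VPN server 198.51.100.7, tunnel network 10.8.0.0/24).
VPN_UP = """
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
tun0  00000000    0100080A 0003  0      0   0      00000080 0   0      0
eth0  00000000    0101A8C0 0003  0      0   0      00000000 0   0      0
tun0  0000080A    00000000 0001  0      0   0      00FFFFFF 0   0      0
tun0  00000080    0100080A 0003  0      0   0      00000080 0   0      0
eth0  076433C6    0101A8C0 0007  0      0   0      FFFFFFFF 0   0      0
eth0  0001A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
"""
# After OpenVPN exits it removes the routes it added; only the LAN routes remain.
VPN_DOWN = "\n".join(r for r in VPN_UP.splitlines()
                     if "tun0" not in r and "FFFFFFFF" not in r)

print("connected:", vpn_is_default(VPN_UP), "| after drop:", vpn_is_default(VPN_DOWN))
```

On the real system, pass the contents of /proc/net/route to vpn_is_default() instead of the constructed tables.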
9.2. (Optional) Create a link on the desktop
The recommended way to start the VPN is by making it start when the Xubuntu desktop starts.
If instead you want to start the VPN manually by doubleclicking it, then you can create a link on the desktop.
Note that if you forget to start the VPN before starting Whonix, your Tor usage may get detected by adversaries from secret services.
If you want to prevent anyone except the VPN provider (and the secret service in the country which hosts the VPN) from knowing that you are using Tor, you can skip this step and proceed to step 9.3.
Click the startvpn.sh file with the right mouse button and select Send To -> Desktop (Create Link).
You can now start the VPN connection by doubleclicking the startvpn.sh icon on the Xubuntu desktop.
9.3. (Optional) Start the VPN with the desktop
Instead of manually starting the VPN you may want to start the VPN when the Xubuntu desktop starts.
Click the Xubuntu start button -> Settings -> Settings Manager.
Doubleclick the Session and Startup icon and select the Application Autostart tab.
Click the Add button and enter VPN as name.
Enter /home/xubuntu/vpn/startvpn.sh in the Command text box and click OK.
Click Close to close the Session and Startup window.
Reboot Xubuntu to see if the VPN starts up when booting.
Start the web browser and go to ip-check.info to see if your IP is concealed.
9.4. (Optional, recommended) Cover traffic with Bittorrent
Xubuntu already comes with the Transmission Bittorrent client pre-installed, so we only have to configure it properly.
As we use an 8GB USB stick we don't want to download torrents to it, but to our hard drive instead.
As we don't want to select a new torrent once per hour we deliberately slow down the downloads.
Click the Xubuntu start button and select Internet -> Transmission.
In the Transmission menu select Edit -> Preferences.
Select the Downloading tab and change the Save to Location to a folder on your hard drive.
Change Maximum active downloads to 1 or 2.
Select the Speed tab and check the Download Speed Limit. Set it to between 10 and 20 kB/s.
Close the Preferences window and go to http://thepiratebay.sx/browse in Firefox.
Find a large file with over 50 seeders (the SE number in the torrent list) and click the link.
On the torrent page click the "GET THIS TORRENT" link with the magnet icon.
When the Launch Application window opens, click the Choose button and browse to File System -> usr -> bin
Select the transmission-gtk file and click Open.
Check "Remember my choice for magnet links" and click OK to close the Launch Application window.
If a Torrent Options window pops up, click Open.
The torrent should now be visible in the Transmission window and start downloading after a minute.
You can add more torrents to Transmission by clicking the "GET THIS TORRENT" links on various torrent pages on The Pirate Bay.
When one torrent download is finished the next download will start.
You may want to start Transmission automatically when the desktop starts.
Click the Xubuntu start button -> Settings -> Settings Manager and click the Session and Startup icon.
Select the Application Autostart tab and click the Add button.
Enter Transmission as name and enter "/usr/bin/transmission-gtk" as the Command. Click OK to add the application to the Autostart and click Close.
Reboot your system to see if Transmission automatically starts when the desktop starts.
If the torrents in Transmission show errors after rebooting the system that's probably because your hard drive for the torrent downloads wasn't automatically mounted.
In that case simply doubleclick the icon of the hard drive on the Xubuntu desktop to mount it.
In the transmission window select the torrent with the error message and click the Start torrent button.
If the download doesn't start after a minute, close Transmission and start it again from the Xubuntu start button menu.
You should always wait for the download to start before starting Whonix.
You should also always have active downloads in Transmission. Once a torrent has finished downloading you can delete it from the hard drive and start it again.
Congratulations. You are now a Tor ninja.
10. Using the system
10.1. Booting
To use the system, boot from the USB stick and start TrueCrypt.
Select Slot 1 and click Select File, if the file isn't selected already. Open the Krypton folder and select the kryptonite file.
Click the Mount button and enter the password.
Start VirtualBox and start the Whonix-Gateway. Wait until it's booted, then start the Whonix-Workstation.
10.2. Tor Browser
There are 2 versions of the Tor Browser on the Whonix desktop. It is recommended that you start it with the "Tor Browser Recommended..." icon.
You may want to disable Javascript by clicking the S icon after starting Tor Browser for the first time.
10.3. Tor status monitor
Whonix does not include Vidalia, but the Whonix-Gateway includes ARM (anonymizing relay monitor).
In the Whonix-Gateway window enter "sudo arm" and enter your user password when prompted.
You can press "n" to get a new identity, or press "m" for a menu which can be navigated with the cursor keys.
10.4. XChat
The IRC program XChat is already installed and preconfigured to use with Tor.
If you want to chat in the OFTC #tor channel, doubleclick the XChat icon and select XChat -> Network List in the XChat menu.
Click the Connect button to connect with the IRC server, enter #tor in the text box and click OK to join the channel.
You can change your nickname by entering "/nick something" in the text box on the bottom of the XChat window.
To get a list of more channels on the OFTC server, select Server -> List of Channels in the XChat menu and click the Search button.
Doubleclick a channel to join it. You can also enter "/join #channelname" in the text box on the bottom of the XChat window to join existing channels or create your own.
10.5. Using KGpg
Doubleclick the KGpg icon on the Whonix desktop.
If you use the standard Whonix desktop, click the small arrow on the right side of the Whonix task bar and select KGpg.
If you installed Xfce4 desktop, click the lock icon on the top right of the desktop task bar.
10.5.1. Adding keys
Copy the PGP key to the clipboard and select Keys -> Import Key in the KGpg window.
Select Clipboard and click OK.
10.5.2. Encrypting a message
In the KGpg menu select File -> Open Editor and type your message.
Click the Encrypt button on the bottom of the KGpg text editor window, select a key and click OK.
10.5.3. Decrypting a message
In the KGpg menu select File -> Open Editor and paste the encrypted message from the clipboard.
Click the Decrypt button on the bottom of the KGpg text editor window and enter your passphrase.
10.6. Other apps
If you want to install any other programs like Pidgin, doubleclick the Apper icon on the desktop.
See the Whonix documentation for further details:
http://zo7fksnun4b4v4jv.onion/wiki/Documentation
or
https://www.whonix.org/wiki/Documentation