How to make Whonix really user friendly? Looking for your suggestions!

Discussion in 'privacy technology' started by adrelanos, Mar 26, 2014.

Thread Status:
Not open for further replies.
  1. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    56
    TLDR:

    Future Directions – Where Whonix wants to be in 2 or 5 years?

    Do we want Whonix to be for average users or just for those with unix knowledge?

    Whonix is a useful tool for some already, got many fans. How can we make Whonix really user friendly to allow mass adoption by regular people who need anonymity most?

    Long:

    It seems, Whonix limits itself by its two machines design. It’s not exactly simple and user friendly to say “you first need to get VirtualBox, then import these two VMs, then start Whonix-Gateway, then start Whonix-Workstation or use physical isolation“. How could that be improved while keeping Whonix’s design?

    In the last days many had great ideas. One was to create a hardware appliance. Whonix running as physically isolated gateway running on devices such as Raspberry PI or OpenWRT or creating a Tor WiFi Hotspot (a WiFi hotspot once using it, torifying the whole connection). The issue is, having a “route everything through Tor” approach alone doesn’t make it anymore nowadays. If someone would run their usual applications, such as their Firefox or Internet Explorer browser they used for non-anonymous stuff beforehand over Tor, they wouldn’t be anonymous at all due to (flash) cookies, browser fingerprinting and so forth. Saying “plug this hardware appliance between your router and your computer AND install this client package” also doesn’t sound exactly simple.

    Another idea was to create a Whonix Live DVD. But even if we managed to create one, it would still be clumsy to say “you have to burn this iso to DVD, then boot it, then start Whonix-Gateway, then start Whonix-Workstation”.

    Jason Ayala suggested to create a Whonix USB installer. It would still be clumsy (as above), but installing Whonix would get simpler and more encouraging to use a non-Windows, separate operating system. We then would have to support lots of different hardware, but additional support by funding this would be possible. Users still would have to figure out how to boot from USB, which is not entirely trivial due to different BIOS implementations. Also “secure boot” won’t make this simpler.

    Cerberus raised the idea to make Whonix fully managed. Perhaps he meant to enable automatic updates for the host, Whonix-Gateway and Whonix-Workstation. Whonix-Gateway could then be fully managed and hidden from non-advanced users. However, there are some settings that need to be set up on Whonix-Gateway, such as settings for Tor bridges. Maybe a Whonix-Host operating system could ssh into Whonix-Gateway to manage it.

    Or maybe while we’re at discussing a Whonix-Host operating system, we should revive the OneVM concept? In essence, we’re shipping Whonix-Gateway as VM package, because it is a simpler and more robust implementation to support a variety of different host operating systems and configurations. As long as Whonix doesn’t provide a host operating system, the two VM solution is more robust. But if Whonix enters the next stage of evolution, i.e. by shipping a host operating system, the OneVM concept may work better.

    The idea to add Whonix to the usual app stores, such as Windows / Mac app store as well as “sudo apt-get install whonix” has been raised as well. This wouldn’t make Whonix less clumsy (still two VMs), but it would make installation simpler and more secure.

    In summary, we’re not sure yet where the journey should go to. We’d appreciate the input of the community. Please share ideas on how Whonix could become really usable while not sacrificing security.
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I finally installed it in a truecrypt container so I can run it portable. The Tor browser can't update. I tried many times on different days. So I had to manually download the latest version and extract it in the folder /home/user and rename the old tor folder to something else. Now I can't use the TBB icon on the desktop. I have to go into that new folder. It's a little inconvenient.

    I also get this message when I do updates:

    Is this normal?

    I think more thorough instructions would be good for a new user. For instance, while installing, it asked for me to make choices for the keyboard. I didn't understand what it was talking about so I had to guess, but evidently I made the right choice because it works.

    But there was also another question that popped up:

    I chose to keep the version currently installed. But I have no idea if that was the right choice.

    Lastly, I wish the screen size was larger. I can't even view a full web page. But I guess that is a virtualbox limitation. Oh well.
     
  3. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    56
    Sorry for the delay in response.

    Tor Browser Update issues:
    Do you use Whonix 8 or 8.1 already? If not, please update. It is indeed broken in Whonix 7.

    If you are using Whonix 8 already, try
    torbrowser --clearnet
    and see if that works better. Please report back, so this can be sorted out.

    And if all cords break, installing Tor Browser in Whonix got as simple as downloading, (verifying), extracting and starting TBB from torproject.org (without Tor over Tor, of course). (detailed instructions)

    Some index files failed to download. They have been ignored, or old ones used instead.

    It's not normal. Could be using old Whonix 7 or a slow Tor circuit. Changing Tor circuit should do the trick.

    Config Files
    For keyboard language, just choose yours or for being extra paranoid, get an en-US keyboard (but then you have the physical keyboard around, non-ideal).

    About whether to install new config files or not, this has been documented:
    https://www.whonix.org/wiki/Securit...nstall_latest_security_updates_on_all_systems

    Desktop resolution

    Yeah, this is really nasty.

    There is one solution we're not sure about:
    https://www.whonix.org/wiki/VirtualBox_Guest_Additions

    And another one, that isn't ideal either:
    https://www.whonix.org/wiki/Higher_Screen_Resolution

    Thanks!
    For your feedback. Looks like we got to sort out a few basic things first before going for the big shots.
     
  4. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    Maybe the best is to have 2 kinds of Whonix. One kind very simple for the average user. Push one button, and it all works - no matter if it is just software or becomes a hardware product also.
    The other kind for more sophisticated users who can study more and use more features.
     
  5. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    When I read the Whonix help wiki last time, it was still confusing about VPN over Tor versus Tor over VPN.
    Before you make plans for how Whonix looks in 5 years, I hope you sort out this simpler question and make the answer easier for users who are not so sophisticated.
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    Hi adrelanos,

    With regard to the following in post #1:

    The issue is, having a “route everything through Tor” approach alone doesn’t make it anymore nowadays. If someone would run their usual applications, such as their Firefox or Internet Explorer browser they used for non-anonymous stuff beforehand over Tor, they wouldn’t be anonymous at all due to (flash) cookies, browser fingerprinting and so forth. Saying “plug this hardware appliance between your router and your computer AND install this client package” also doesn’t sound exactly simple.

    The notion of cookies, etc. is fully contained within a user's profile. For example, in my Ubuntu 12.04.4 LTS USB instantiation, I always save my Firefox 28.0 profile which is in ~ubuntu/.mozilla with a tar command, and on bootup the next day refresh the profile again with the tar command.

    Perhaps the solution is to have a physically completely separate entirely different anonymous profile for typical user non-anonymity vs. an anonymous profile and be able to switch between them with a tool aka browser profile switcher that keeps the user advised of which profile they are using via some visually noticeable information at the top of the browser.

    -- Tom
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I'd still rather have non-anonymous activities and various sorts of more-or-less anonymous activities in different VMs (at least).

    Edit: So I'm finally checking out Whonix 8.1, and I find that it's much improved :thumb: Thank you, adrelanos et alia.

    Also, I must say, installing TBB at first run of the workstation is trivial if you just follow the prompts.
     
    Last edited: Apr 17, 2014
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    Hi mirimir,

    Yes, that makes the best sense!

    -- Tom
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    The process of installing VirtualBox and importing the two Whonix VM appliances seems very easy. The Whonix team has done all of the hard work, after all. And it's arguable that users who find that complicated shouldn't be playing around with Tor ;)

    Upon reflection, I've moved the rest of this post to its own thread, because it's largely off-topic here.
     
    Last edited: Apr 19, 2014
  10. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    56
    Hi Tom,

    sorry for the delay, somehow I missed this one.

    I am afraid that won't work. Even with browser profiles newly created from scratch. There are multiple identifiers, which will still (almost) uniquely identify a browser. These include the number and list of installed fonts, time zone, resolution, and more. See https://panopticlick.eff.org and https://www.torproject.org/projects/torbrowser/design/.
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Hi Adrelanos. I have the latest Whonix installed now and the TBB updates just fine. And I no longer get any error messages. But I do have a question.

    I had assumed that if I enabled a VPN before starting Whonix that the Tor connection would travel through the VPN first and then on out into the Tor network. A friend of mine explained that this isn't so and that Whonix would bypass the VPN and my ISP could see my Tor connection. I guess this is not so bad but I have read that using Tor makes it look like you are up to no good in many people's eyes. That is why I fire up a VPN before running the TBB. So I now understand that Whonix will not travel through the VPN on my host machine. But what if I had one of those Torguard routers? Would a Torguard router force Whonix to travel through the VPN network first?

    http://torguard.net/store/
     
  12. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    What your friend says is a surprise to me! I thought if you start the VPN on your host machine first, Whonix's Tor connection will be forced through it.
    https://www.whonix.org/wiki/Tunnel_Tor_through_proxy_or_VPN_or_SSH#How

    So I too want to hear what Adrelanos says on this.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    If the VPN client is running on the host machine, the Tor client in the Whonix gateway VM will connect through the VPN. It's VirtualBox that handles that, and the Whonix gateway VM doesn't have any choice in the matter.

    It would also be possible to route Tor via the VPN by running the VPN client in the Whonix gateway VM. But that would probably require some reconfiguration of routing and iptables in the Whonix gateway VM. And anyway, it's better to have the VPN running on the host machine.
     
  14. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    56
    No idea how your friend came to that conclusion. Documentation is correct.

    VPN active on the host = VPN connects first. Everything else must go through the VPN. No other way. Whonix VMs do whatever the operating system provides. It won't attempt special stuff such as not using the VPN.

    Just make sure you're using something like VPN-Firewall (https://github.com/adrelanos/VPN-Firewall).
     
  15. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    56
    Correct.

    Also correct. Small addition, VPN-Firewall meets Whonix-Gateway. Installing VPN inside Whonix-Gateway is simplified since Whonix 8.3 (currently testers-only version). Announcement here:
    https://www.whonix.org/blog/testers-wanted-vpn-firewall

    Probably. There are some interesting differences, though. See:
    https://www.whonix.org/wiki/FAQ#Wha...e_host_versus_installing_on_Whonix-Gateway.3F
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, good point. With the VPN client in the Whonix gateway VM, apps on the host machine don't use the VPN.

    You could also run a client for one VPN service on the host, and a client for a different VPN service in the Whonix gateway VM. That way, a given VPN provider doesn't see both your host traffic and the Tor connection from the Whonix gateway VM. And you'll be using Tor through a nested chain of two VPNs.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    So I was correct initially when I thought that Whonix would be forced through my host VPN first, and then on to the Tor network? For instance, I have PIA and Mullvad on my host machine. If I connect either of those first, and then start Whonix, the Tor connection goes through the VPN and my ISP does not see Tor? If so then that is really cool!:)

    I have another question. Are there any tutorials for installing Truecrypt and Winrar on Whonix? Is there a video player in Whonix? I think there is something similar to OpenOffice already on there. I guess I just need to spend some more time getting used to it. Thanks so much for making this available! It's a really cool piece of work!:thumb:
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, you were correct :) And yes, Whonix will use whatever VPN is running on the host.

    For TrueCrypt, use the AuditProject/truecrypt-verified-mirror on GitHub. You can either download https://github.com/AuditProject/truecrypt-verified-mirror/archive/master.zip or "git clone https://github.com/AuditProject/truecrypt-verified-mirror". Extract ".../truecrypt-verified-mirror/Linux/truecrypt-7.1a-linux-x86.tar.gz" to a temp folder, and then execute truecrypt-7.1a-setup-x86 to install.

    For rar, just run these commands:
    Code:
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo apt-get install rar
     
  19. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Okay I got winrar. But what do you mean "extract to a temp folder"? I don't understand "temp folder." Thanks so much for your help!
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    By "temp folder" I just mean a working folder. I usually create a folder like "/home/user/tmp" to use for extracting archives during installs etc. The system temp folder (/tmp) requires root rights to use, and you don't want to run the TrueCrypt installer as root.
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Okay. I already shut it down and have something else going on so I will try this a little later. Just so I understand, I create a folder in the location "/home/user/tmp" and extract to there. Then right click on the setup file and install?
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes. In Debian with KDE desktop, just single click to execute. That can be dangerous, by the way, and so you may want to change the setting to require double clicking to execute.
     
  23. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    56
    That stuff is all possible. Libre office, vlc, unrar, etc. all is available, thanks to Debian.

    The addition to mirimir's answer is: if it works in Debian/Ubuntu, it will work in Whonix as well. Try replacing "Whonix" with "Debian" or "Ubuntu" in your mind and you get much better search results. See also:
    https://www.whonix.org/wiki/About#Based_on_Debian
     
  24. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Oh, sorry. I left out a step. You need to extract the archive "truecrypt-7.1a-linux-x86.tar.gz" and then execute the file "truecrypt-7.1a-setup-x86".
     