What's needed is a LiveDVD like Tails, with Tor isolation like Whonix, and VPN clients too

Discussion in 'privacy technology' started by mirimir, Apr 18, 2014.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031

    This started out as a post in <https://www.wilderssecurity.com/thr...friendly-looking-for-your-suggestions.361930/>, but it became mostly off-topic there. Also, I'd like to add a VPN client in the host, and perhaps an additional VPN client in a pfSense VM. Given that VPN credentials would be hard-coded, this would require at least some cooperation from VPN providers. It might well be necessary to customize this for each VPN provider, and perhaps (for versions with two VPNs) cooperating VPN providers.

    Until someone replies to this post, I'll be editing it as I learn more, and test possibilities. This is the first substantial edit. So far, I have a host machine (i5 x4 with 8 GB RAM and 80 GB SSD) running Debian 7.4 x86. Using the stock network install CD, and adding only "basic utilities" during install, the total OS was 0.97 GB (based on "df -ah"). After installing xorg, xbase-clients, gksu, ldm and fluxbox, it was 1.39 GB. I found that x11-common was already the newest version.

    After installing virtualbox using "virtualbox-4.3_4.3.10-93012~Debian~wheezy_i386.deb", the total was 1.61 GB. There were many errors about missing dependencies. After running "apt-get install -f" to fix that, the total was 1.66 GB. I then created "~/VirtualBox_VMs" and added pfS21x86TorGW (0.22 GB) and Whonix81Workstation (3.00 GB) from another host. That brought the system total to 4.88 GB, which is unfortunately too big for a LiveDVD that could run on this box :(

    I then started fluxbox by running "startx". It's crude so far, but it works ;) After starting VirtualBox, I changed the default VM folder to "~/VirtualBox_VMs", and added the two VMs. Both VMs started, and I verified that the Tor Browser in Whonix81Workstation was using Tor.

    At this point, the two VMs share an internal network, pfS21x86TorGW LAN being 192.168.0.10 and Whonix81Workstation being 192.168.0.11 (Whonix defaults). However, in order to test remote X11 with the host as XServer and the Whonix81Workstation VM as XClient, they need network connectivity. As a crude hack, which in practice would be a huge security risk, I created a host-only network (192.168.0.0/24) and added the host (192.168.0.1) and both VMs.

    After installing openssh-server on the Whonix81Workstation VM, I connected from a terminal in the host by running "ssh -q -X user@192.168.0.11". Then I opened the Tor Browser by running "torbrowser" in the "remote" host. And it worked. However, I haven't yet figured out how to get the complete desktop using ldm :(

    I'm not there yet, but it's promising :) I need to cut another GB from the Whonix workstation, get ldm working, and generally improve aesthetics and usability. Comments, warnings, etc. are appreciated :)

    Edit: Yet again, I am amazed at the incredible body of code and documentation that's available at <https://www.whonix.org/>. I want to start with a basic terminal-only Whonix workstation VM with no default apps. And there are step-by-step instructions for that at <http://whonix.org/wiki/Dev/Build_Documentation/8_full>. Having never used GitHub before, I had no idea how easy it was (to use, I mean, not to create).

    Issues Around Using Whonix VMs in Such a LiveDVD

    In <https://www.wilderssecurity.com/threads/how-to-make-whonix-really-user-friendly-looking-for-your-suggestions.361930/> adrelanos mentions the possibility of a "Whonix Live DVD". The idea of a Tails-like version is indeed appealing. Users would just boot a LiveDVD, and be presented with the desktop of the Whonix workstation VM. The host desktop and Tor gateway VM would be (at least somewhat) hidden, accessible only as an advanced option. They would have a Debian desktop with many apps pre-configured to use Tor properly. They would need to download the TBB, but that's already well scripted in the Whonix 8.1 release.

    There's a large problem, however, that makes this idea unworkable. Given the design of VirtualBox, both the host OS (Debian, let's say) and the Whonix workstation VM must have GUI desktops. And Debian with a modern GUI desktop needs ~3 GB disk. With the Fluxbox window manager, only ~1.4 GB is needed. And with no GUI desktop, only ~1 GB is needed.

    That's a problem because optical drives are much slower than HDDs, so LiveDVDs must load completely into physical RAM. And there's an additional problem. By default, LiveDVDs create two ramdisks at boot, one for the uncompressed contents of the DVD, and the other for various temporary files. And also by default, each of those two ramdisks uses half of the machine's physical RAM.

    The implications are challenging. With the current Whonix VMs and a standard Debian host OS, ~10 GB total disk space is needed. Even if that would compress enough to fit on a 4.7 GB DVD, ~20 GB RAM would be needed to boot it :eek: Even now, most consumer-grade computers don't have that much RAM.

    It would be trivial (for adrelanos etc) to trim the gateway VM down to ~1 GB. That would cut the total to ~7.5 GB, and the RAM requirement to ~15 GB. If it were possible to change the default ramdisk sizes, ~7.5 GB would be required for the LiveDVD content, and 2-3 GB for temporary stuff. So we'd need about 10-15 GB physical RAM. That's still way too much. Even replacing the Debian gateway VM with an equivalent pfSense version (~250 MB) would only cut another 750 MB from the total.

    The host OS shouldn't be used for anything except basic stuff, so many utilities and apps could be omitted. Other than providing basic services, the host OS just runs VirtualBox and displays VM console windows. Also, I don't see why the host OS and the workstation VM OS both need all GUI desktop components. Indeed, it seems like the GUI desktop could be split between the host OS and the workstation VM OS, with the host running XServer and a window manager, and the Whonix workstation VM running XClient and necessary utilities.

    If such a GUI desktop split were possible, disk space for the host and workstation VM could perhaps be cut to ~4 GB total. The Whonix gateway VM (with all GUI etc removed) would add another ~1 GB, bringing the total to ~5 GB. That would require ~5 GB physical RAM for LiveDVD content, plus another 2-5 GB (depending on ramdisk setup) for temporary stuff, making the total about 7-10 GB. That's still too much, unless ramdisk setup can be tweaked, but it's getting close :doubt:

    If we shaved total disk space for the host and workstation VM some, and used a pfSense Tor gateway VM, we could perhaps get the total just under 4 GB. That would require ~4 GB physical RAM for LiveDVD content, plus another 2-4 GB (depending on ramdisk setup) for temporary stuff, making the total about 6-8 GB. Although that's still a lot, machines with 8 GB RAM are not uncommon.

    If the default LiveDVD ramdisk setup can't be altered, total LiveDVD content must be under 4 GB. Using a pfSense VM (~250 MB) as a Tor gateway, that leaves ~3.7 GB for the host OS and a workstation VM. That's feasible as long as a GUI desktop can be largely split between the host OS and a workstation VM. With a more complete GUI desktop split, using a ~1 GB Debian Tor gateway might be feasible.

    Thoughts on Splitting GUI desktop Between Host and Workstation VM

    Well, can a Debian GUI desktop be largely split between the host OS and a workstation VM? And if so, how? The X Window System is covered in Chapter 7 of the Debian Reference <https://www.debian.org/doc/manuals/debian-reference/ch07.en.html>. Table 7.2. summarizes the terminology for servers and clients (X and application):
    • X server: a program run on a local host connected to the user's display and input devices.
    • X client: a program run on a remote host that processes data and talks to the X server.
    • application server: a program run on a remote host that processes data and talks to the clients.
    • application client: a program run on a local host connected to the user's display and input devices.
    Given that, the host should be running VirtualBox, the VMs, an X server, and application clients. And the Whonix workstation VM should be running an X client, and application servers. To be clear, relevant applications here are (for the most part) not those running in the host (including VirtualBox). Rather, they are applications running in the Whonix workstation VM. Using pfSense as the Tor gateway, we would need no application clients for it, because it has a WebGUI that we could access via a browser in the Whonix workstation VM.

    Considering the VirtualBox host, I see in Table 7.1. ("List of key (meta)packages for X Window"):
    • xorg: X libraries, an X server, a set of fonts, and a group of basic X clients and utilities (metapackage)
    • xserver-xorg: full suits of the X server and its configuration
    • xbase-clients: miscellaneous assortment of X clients
    • x11-common: filesystem infrastructure for the X Window System
    • gksu: Gtk+ frontend to su(1) or sudo(8)
    • fluxbox: package for highly configurable and low resource X window manager
    • [plus ldm: starts X server and presents user with login screen (for "remote" system)]
    I added ldm, per comments below, and didn't include "xorg-docs", because we can live without it. The host machine also needs some utilities, plus VirtualBox and its dependencies, and of course the VMs.

    For the workstation VM, I believe that at least these would be required:
    • menu: generate the Debian menu for all menu-aware applications
    • menu-xdg: convert the Debian menu structure to the freedesktop.org xdg menu structure
    • xdg-utils: utilities to integrate desktop environment provided by the freedesktop.org
    At the top of Section 7.5. ("Starting the X Window System") I see "The X Window System is usually started as an X session which is the combination of an X server and connecting X clients. For the normal desktop system, both of them are executed on a workstation." In subsection 7.5.4. ("Connecting a remote X client via SSH") I see that one can start the X server on the host, SSH to the remote site (here, the Whonix workstation VM) and then start applications there. It says: "This method can display the output from a remote X client as if it were locally connected through a local UNIX domain socket." As described above, that works with the Whonix workstation VM.

    Doing that for each application would be tedious. But in subsection 7.5.5. ("Secure X terminal via the Internet") I see: "Secure X terminal via the Internet, which displays remotely run entire X desktop environment, can easily achieved by using specialized package such as ldm. Your local machine becomes a secure thin client to the remote application server connected via SSH." In "man ldm" I see: "ldm(1) starts an X server and presents the user with a login screen, similar to the gdm(1) login prompt. Instead of using the XDMCP protocol, ldm(1) uses ssh(1) connect to remote servers, then starts an Xsession either via ssh(1) X forwarding, or direct TCP/IP connection." But, as noted above, it's not working for me yet :(

    To be continued ...
     
    Last edited: Apr 20, 2014
  2. mirimir

    mirimir Registered Member

    The scripts for configuring a build machine and building Whonix VMs worked perfectly. I've built a minimal Whonix 8.1 Workstation, terminal-only with no default apps. The VMDK is just 1.35 GB. Adding xorg, xbase-clients, gksu, fluxbox and TBB increases that to 1.76 GB. Running "startx" opens fluxbox, and TBB seems to work properly.

    I've created a LiveDVD using bootcd that contains:
    • Debian 7.4 x86 with fluxbox desktop as VM host (1.66 GB)
    • pfSense 2.1 x86 VM as Tor gateway (0.22 GB)
    • custom Whonix 8.1 Workstation VM (1.76 GB so far)
    The total is 3.64 GB. So far, I've verified that it boots in the build machine, and also in a ThinkPad T420. Both have 8 GB RAM, but it's only using about 7 GB at maximum.

    The Whonix Workstation VM only has TBB, so I need to add some essential apps. I also need to clean up fluxbox a little, and get ControlPort working in the pfSense Tor VM. It's a permissions issue, I think, in that Tor drops from root to _tor too soon, and _tor doesn't have the necessary rights. Anyway, it'll still be crude, but it works.

    I will be adding a VPN client in the host, probably hard coded for iVPN.

    What additional apps would be best to add? There's about 300 MB available.

    Who's interested in testing?
     
    Last edited: Apr 25, 2014
  3. kung

    kung Registered Member

    Joined:
    Apr 27, 2014
    Posts:
    1
    A live CD of a minimal Debian 7 install created with remastersys has a size of ~315 MB. After installation of the GNOME desktop it is ~850 MB. After installation of VirtualBox it is 917 MB. A long time ago I also created a Whonix (5) gateway live CD which was some hundred MB iirc. So a combination of 1x Debian host + 1x Whonix gateway + 1x Debian VM would be maybe 2.5 GB. 4 GB RAM would be enough in this case. If you use the toram option to get a faster system when booting from a DVD you probably need more RAM. A general problem of the live system approach is updating the system(s). You need to burn a new DVD every time (security) updates are released. Instead of a DVD you could also use a (write-protected) USB stick which is imho fast enough.
     
  4. mirimir

    mirimir Registered Member

    Thanks. The total size of my first version (LiveDVD_0.1.iso) is 3.6 GB, but the compressed size on DVD is 2.6 GB. With bootcdwrite, the default is loading everything in RAM. It takes longer (~9 minutes) to boot, but it's quite responsive (better than Tails) once booted. I've also started a thread on the Whonix forum at <https://www.whonix.org/forum/index.php/topic,262.0.html>.

    Yes, that is an issue for DVDs. I don't trust USB flash, even with hardware write protection. I'd rather have a system that cannot be written to. And even using USB flash, it's still necessary to write a new image. Is that much faster than writing a new DVD?
     
  5. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I'm just posting to say this is interesting. You know your stuff, man.
     
  6. programma

    programma Registered Member

    Joined:
    Jul 25, 2014
    Posts:
    1
    Location:
    the internet
    How is this project going? It sounded very interesting and I'd love to test it out for myself!
     
  7. mirimir

    mirimir Registered Member

    I have a DVD image that I can provide. So far, it's been tested by one friend, who found that it worked as expected. It's still rather crude, however. I'll post a followup soon with a link and some background.

    Thanks for your interest :)
     
  8. mirimir

    mirimir Registered Member

    I've created a LiveDVD using bootcd that contains:

    Debian 7.4 x86 with fluxbox desktop as VM host (1.66 GB)
    pfSense 2.1 x86 VM as Tor gateway (0.22 GB)
    custom Whonix 8.1 Workstation VM with Tor browser (1.76 GB so far)

    The total is 3.64 GB. So far, I've verified that the DVD boots in the build machine, and also in a ThinkPad T420. Both have 8 GB RAM, and it uses about 7 GB at maximum. It's also worked for a friend on comparable hardware, but only as a DVD, and not on a USB flash drive. Maybe that's fixable, but I haven't worked on it lately.

    The LiveDVD takes about six minutes to load into RAM. Log in as "user" with password "drowssap". There's a glitch in the host machine startup. It should start fluxbox after login, but that doesn't work on the LiveDVD. And so you need to execute "startx" at the "user@host:~$" prompt.

    It automatically starts the pfSense Tor-gateway VM (running headless) and then the minimal Whonix workstation VM. The workstation starts full-screen, automatically starts the Tor Browser, and goes to <http://check.torproject.org/>. That takes 3-4 minutes to complete after executing "startx".

    If you're curious about the pfSense setup, you can browse its WebGUI at <192.168.0.10>. The WebGUI user is "admin" and the password is "drowssap".

    I added "Shutdown" to the fluxbox menus in both the host and minimal Whonix workstation VM. I also added VirtualBox and k3b (for writing DVDs) to the workstation menu (both under "Virtualization"). Once you shut down the workstation, and start VirtualBox, you have a "normal" host setup. If you like, you can ACPI shutdown the pfSense VM, and start it normally with a console window. The root password for the host is also "drowssap".

    The Whonix Workstation VM only has TBB. Also, Torbutton is broken, because I didn't manage to get ControlPort working in the pfSense Tor VM. It's a permissions issue, I think, in that Tor drops from root to user _tor too soon, and user _tor doesn't have the necessary rights.

    "LiveDVD_0.1.iso" is available on 4shared. Given 4shared's upload size limitation for free accounts, there are two files:

    http://www.4shared.com/zip/YgjSjdVOce/one.html
    http://www.4shared.com/zip/GK27b5Igce/two.html

    There are download limitations. Just 3.0 GB download traffic (one copy) is allowed per day, and 30 GB (~11 copies) is allowed per month. If 4shared isn't working, try the hidden service:

    http://lwcl5doqq2uzjmom.onion

    It's up 24/7. PM me if it's down. Its VM is on a good host with a 100 Mbps uplink, but it may crash if load spikes too much.

    "LiveDVD_0.1.iso" is signed with my key (fingerprint BF24 D19E 7B33 536E 7512 BA47 620D 6551 17C2 E43E) and encrypted. It's then tarred, split and zipped. Follow these steps to recover the ISO:

    unzip one.zip and two.zip [with passphrase "H9T1za4M0xQ39"]
    put enclosed foo.tar.00 and foo.tar.01 in some folder and cd there
    cat foo.tar.* > foo.tar
    tar -xvjf foo.tar
    gpg -o LiveDVD_0.1.iso -d LiveDVD_0.1.iso.gpg [with passphrase "9TLhcyPvSpHa1"]
     
    Last edited: Jul 26, 2014
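
Added example, not part of mirimir's post: the recovery steps above run `gpg -d`, which reports a signature but does not by itself confirm that the signer is the key whose fingerprint is quoted in the post. This sketch parses GnuPG's `--status-fd` output and keeps the ISO only when a `VALIDSIG` line names that fingerprint. The function names are hypothetical, the sample status lines are constructed, and it assumes the signer's public key is already in the local keyring and that the tar archive is bzip2-compressed, as the `-j` in the post implies.

```shell
#!/bin/sh
# Added example (not mirimir's script): reassemble the archive, decrypt it, and
# accept the ISO only if GnuPG reports a valid signature from the posted key.

# Fingerprint quoted in the post, spaces removed.
EXPECTED_FPR="BF24D19E7B33536E7512BA47620D655117C2E43E"

# normalize_fpr FPR: drop whitespace and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# sig_matches STATUS EXPECTED: succeed only if the --status-fd text contains a
# VALIDSIG line for EXPECTED (signing key or its primary key) and no line
# reporting a bad, unverifiable, expired-key or revoked-key signature.
sig_matches() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# recover_iso: the post's steps after unzipping, run in the directory that
# holds foo.tar.00 and foo.tar.01.
recover_iso() {
    cat foo.tar.* > foo.tar || return 1
    tar -xjf foo.tar || return 1
    # --output sends the ISO to a file, so stdout carries only status lines.
    status=$(gpg --status-fd 1 --output LiveDVD_0.1.iso --decrypt LiveDVD_0.1.iso.gpg)
    if sig_matches "$status" "$EXPECTED_FPR"; then
        echo "signature OK: $EXPECTED_FPR"
    else
        rm -f LiveDVD_0.1.iso   # do not keep an image that failed the check
        echo "signature check FAILED" >&2
        return 1
    fi
}

# Constructed status output for an offline demonstration (dates are made up).
SAMPLE_GOOD='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 620D655117C2E43E signer (constructed)
[GNUPG:] VALIDSIG BF24D19E7B33536E7512BA47620D655117C2E43E 2014-07-26 1406332800 0 4 0 1 2 00 BF24D19E7B33536E7512BA47620D655117C2E43E'
# Constructed: a valid signature, but made by some other key.
SAMPLE_OTHER='[GNUPG:] DECRYPTION_OKAY
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-07-26 1406332800 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

if [ "${1:-}" = "recover" ]; then
    recover_iso
else
    sig_matches "$SAMPLE_GOOD" "$EXPECTED_FPR" && echo "constructed good sample: accepted"
    sig_matches "$SAMPLE_OTHER" "$EXPECTED_FPR" || echo "constructed other-key sample: rejected"
fi
```

Run with the argument `recover` to process real files; with no argument it only exercises the check on the constructed samples.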
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    You da man!
     
  10. Veeshush

    Veeshush Registered Member

    You've probably already thought about this, but would a bootable Blu-ray disc be a way to go? Obviously you wouldn't need the full 25 GB, but I get where a standard DVD would be cutting it close. I know not too many people have Blu-ray drives, but if you ever found yourself being held back by what you'd want to include, I think it'd be justified.
     
  11. mirimir

    mirimir Registered Member

    No, I hadn't thought of that :)

    The problem isn't space on DVD. The current version just takes 2.6 GB after compression. The problem is RAM requirement. Optical drives are very slow, so everything needs to go into RAM. And I haven't figured out how to change the default ramdisk setup, which uses 50% of RAM for loading CD/DVD and 50% for dynamic stuff and swap. With 3.6 GB after decompression, that means 8 GB RAM is needed. DVDs hold 4.7 GB, but that would require 14 GB RAM.
     
  12. mirimir

    mirimir Registered Member

    Thanks :)

    I just had to see if it was doable.
     
  13. Veeshush

    Veeshush Registered Member

    That's not too bad. I mean, it's WAY above average but if people wanted to invest into a machine then it's doable. I think boards today can max out at 64 GB (with DDR3). Though very few laptops support 14 GB+ now, and people are going to want their privacy mobile (especially journalists). If people wanted to go all out now in 2014 they can do a gaming grade laptop with a ton of RAM and then a USB Blu-ray drive (if the laptop didn't have a disk drive). If it's needed and it's for the sake of their privacy I think people would consider it.

    Maybe in the next 2-4 years when we start seeing DDR4 out it might be more of an option to consider. Again, you know, if you ever did run into a case where you really couldn't fit everything.
     
  14. mirimir

    mirimir Registered Member

    @Veeshush

    There's another problem. With a static DVD, there's no way to update anything. And so, as with Tails, frequent updates are necessary. Tor (or even nested VPN chains) are too slow for more than a few GB.
     
  15. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    Hi mirimir,

    For anyone interested in using GIT for source code control you can find out the particulars by reading the web page Using Git for Source Control.

    -- Tom
     