In this tutorial we're going to take a look at how to manage your online Anonymity.
DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling
source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
regarding wear leveling:
"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
This tutorial is based on my previous explanation on OPSEC make sure that you take it into account before proceeding.
So, we basically want 3 ways to access websites. The first being while using tor, for complete anonymity, to do that we'll use whonix. The second is to do the same but to masquerade it with a non-KYC VPN which will also be acquired anonymously to be used only in the case of a website blocking tor exit nodes, and the last one is without any protection, for websites you cannot use without KYC.
As a safety measure for Anonymity, there will be a veracrypt hidden partition in use for plausible deniability.
To prepare the computer for those tasks, we will rely on opensource software to avoid any tracking, we'll remove logs from linux.
And lastly, we're going to take a look at how to keep track of your accesses to the websites you access anonymously
First let's make sure all logs get erased upon system shutdown as described in my previous tutorial on host OS hardening (by piping all logs to go to the /tmp/ folder):
We also make sure that the script to remove logs also includes shutting down the VMs and closes the veracrypt volume just like the emergency shutdown script we detailed in the previous tutorial on homeserver physical security:
[ mainpc ] [ /dev/pts/2 ] [~/logremover]
→ cat /etc/systemd/system/reboot_logremover.service
[Unit]
Description=Shutdown Anti forensics
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
[Service]
Type=oneshot
ExecStart=/root/shutdown.sh
TimeoutStartSec=0
[Install]
WantedBy=shutdown.target reboot.target halt.target
[ mainpc ] [ /dev/pts/2 ] [~/logremover]
→ cat shutdown.sh
#!/bin/bash
#remove VMs
sudo virsh -c qemu:///system destroy Whonix-Gateway
sudo virsh -c qemu:///system destroy Whonix-Workstation
sudo virsh -c qemu:///system undefine Whonix-Gateway
sudo virsh -c qemu:///system undefine Whonix-Workstation
sudo virsh -c qemu:///system net-destroy Whonix-External
sudo virsh -c qemu:///system net-destroy Whonix-Internal
sudo virsh -c qemu:///system net-undefine Whonix-External
sudo virsh -c qemu:///system net-undefine Whonix-External
#then unmount veracrypt volumes
sudo veracrypt -d -f
# then cleanup logs
sudo rm -rf /dev/shm/*
sudo rm -rf /var/log/*
sudo dmesg -c
In the shutdown.sh script we also make sure that the VMs are removed, and that the veracrypt volumes are unmounted, before clearing up the logs.
Next we're going to install libvirt as seen in our previous tutorial on host os hardeninghere:
sudo pacman -S libvirt qemu-full virt-manager dnsmasq bridge-utils
sudo systemctl enable --now libvirtd
#####################vault.sh:#######################################
#!/bin/bash
echo "[+] MOUNTING VAULTS..."
sudo cryptsetup luksOpen /dev/nvme1n1p1 VAULT
sudo mkdir /run/media/nihilist/VAULT 2>/dev/null
sudo mount /dev/mapper/VAULT /run/media/nihilist/VAULT
echo "[+] VAULTS MOUNTED"
###################################################################
usermod -a -G libvirt nihilist
usermod -a -G kvm nihilist
[root@nowhere ~]# vim /etc/libvirt/libvirtd.conf
[root@nowhere ~]# cat /etc/libvirt/libvirtd.conf | grep sock_group
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
sudo chmod 770 -R VMs
sudo chown nihilist:libvirt -R VMs
cat /etc/libvirt/qemu.conf
group = "libvirt"
user = "nihilist"
systemctl restart libvirtd.service
virt-manager
Next step we create the veracrypt drives, so use the /dev/sdb harddrive for it:
[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
→ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 1.8T 0 disk
└─sda1 8:1 0 1.8T 0 part
sdb 8:16 0 447.1G 0 disk
sdc 8:32 0 3.6T 0 disk
└─VAULTBACKUP 253:1 0 3.6T 0 crypt /mnt/VAULTBACKUP
zram0 254:0 0 4G 0 disk [SWAP]
nvme1n1 259:0 0 1.8T 0 disk
└─nvme1n1p1 259:1 0 1.8T 0 part
└─VAULT 253:0 0 1.8T 0 crypt /mnt/VAULT
nvme0n1 259:2 0 465.8G 0 disk
├─nvme0n1p1 259:3 0 511M 0 part /boot
└─nvme0n1p2 259:4 0 465.3G 0 part /
Be aware that the 3 VMs we need to place in a veracrypt container all weigh 100GB each so you need 300Gb for all 3 VMs, so you need at least 2x300Gb to replicate the setup in the decoy partition, so pick a 1.2TB harddrive instead, with some additional space so preferably a 1.8TB one just to be safe, unlike as shown below (a 500gb disk which is not enough!)
So let's now setup the hidden partition there:
[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
→ sudo pacman -S veracrypt
Now that's done, let's setup the whonix and workstations templates, we will then copy them in the veracrypt harddrive afterward to edit them. So let's go here to download whonix for QEMU:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ mv ~/Downloads/Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz .
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ tar -xvf Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
WHONIX_BINARY_LICENSE_AGREEMENT
WHONIX_DISCLAIMER
Whonix-Gateway-Xfce-17.0.3.0.xml
Whonix-Workstation-Xfce-17.0.3.0.xml
Whonix_external_network-17.0.3.0.xml
Whonix_internal_network-17.0.3.0.xml
Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
Next we edit the XML files to have the working VMs, for which we will give 2GB of ram for the gateway, and 4GB of ram for the workstation while also specifying the path to their .qcow2 volumes:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep GiB
<memory dumpCore='off' unit='GiB'>4
<currentMemory unit='GiB'>4
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cat Whonix-Workstation-Xfce-17.0.3.0.xml| grep source
<source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cat Whonix-Gateway-Xfce-17.0.3.0.xml | grep GiB
<memory dumpCore='off' unit='GiB'>2
<currentMemory unit='GiB'>2
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
<source file='/mnt/VAULT/ISOs/whonix/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
and now to make things easier let's put a refreshvms.sh script in there to remove and restart the VMs:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ vim refreshvms.sh
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cat refreshvms.sh
#!/bin/bash
#remove VMs
sudo virsh -c qemu:///system destroy Whonix-Gateway
sudo virsh -c qemu:///system destroy Whonix-Workstation
sudo virsh -c qemu:///system undefine Whonix-Gateway
sudo virsh -c qemu:///system undefine Whonix-Workstation
sudo virsh -c qemu:///system net-destroy Whonix-External
sudo virsh -c qemu:///system net-destroy Whonix-Internal
sudo virsh -c qemu:///system net-undefine Whonix-External
sudo virsh -c qemu:///system net-undefine Whonix-External
echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
read
#install VMs
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ chmod +x refreshvms.sh
then run it:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ ./refreshvms.sh
error: Failed to destroy domain 'Whonix-Gateway'
error: Requested operation is not valid: domain is not running
error: Failed to destroy domain 'Whonix-Workstation'
error: Requested operation is not valid: domain is not running
Domain 'Whonix-Gateway' has been undefined
Domain 'Whonix-Workstation' has been undefined
Network Whonix-External destroyed
Network Whonix-Internal destroyed
Network Whonix-External has been undefined
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
[+] VMs removed, re-install them ? (ctrl+c to exit)
Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
error: Failed to define network from Whonix_internal_network-17.0.3.0.xml
error: operation failed: network 'Whonix-Internal' already exists with uuid 48298ccf-9352-4b21-b6c4-17ad13ad1d6d
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
Then launch the VMs from virt-manager:
let's start with the Gateway:
Now that's done you can also finish the initial setup for the workstation:
So from here you can use whonix regularly to browse with the tor browser, don't forget to disable javascript and to always keep the browser up to date like so:
As suggested above, we'll also upgrade the VMs, and to go further we'll install unattended upgrades (note whonix's default system credentials are user:changeme:
$ passwd
$ sudo -i
# apt update -y ; apt upgrade -y ; apt autoremove -y
# apt install unattended-upgrades apt-listchanges -y
# dpkg-reconfigure -plow unattended-upgrades
^ select yes there
Next step is to have the second workstation which will be used as the vpn over tor setup later on so let's copy the .xml and .qcow2 after shutting down the existing workstation:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ ls
refreshvms.sh Whonix_external_network-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.xml
WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
WHONIX_DISCLAIMER Whonix_internal_network-17.0.3.0.xml
10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cp Whonix-Workstation-Xfce-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cp Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
Then edit the new xml file to match the new VM name:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep Workstation2
<name>Whonix-Workstation2</name>
<source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
Then we include it in the refreshVMs.sh script:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cat refreshvms.sh
#!/bin/bash
#remove VMs
sudo virsh -c qemu:///system destroy Whonix-Gateway
sudo virsh -c qemu:///system destroy Whonix-Workstation
sudo virsh -c qemu:///system destroy Whonix-Workstation2
sudo virsh -c qemu:///system undefine Whonix-Gateway
sudo virsh -c qemu:///system undefine Whonix-Workstation
sudo virsh -c qemu:///system undefine Whonix-Workstation2
sudo virsh -c qemu:///system net-destroy Whonix-External
sudo virsh -c qemu:///system net-destroy Whonix-Internal
sudo virsh -c qemu:///system net-undefine Whonix-External
sudo virsh -c qemu:///system net-undefine Whonix-Internal
echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
read
#install VMs
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation2*.xml
sudo virsh -c qemu:///system define Whonix-Workstation-*.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ ./refreshvms.sh
error: Failed to destroy domain 'Whonix-Gateway'
error: Requested operation is not valid: domain is not running
error: Failed to destroy domain 'Whonix-Workstation'
error: Requested operation is not valid: domain is not running
error: Failed to destroy domain 'Whonix-Workstation2'
error: Requested operation is not valid: domain is not running
Domain 'Whonix-Gateway' has been undefined
Domain 'Whonix-Workstation' has been undefined
Domain 'Whonix-Workstation2' has been undefined
Network Whonix-External destroyed
Network Whonix-Internal destroyed
Network Whonix-External has been undefined
Network Whonix-Internal has been undefined
[+] VMs removed, re-install them ? (ctrl+c to exit)
Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
Then edit the new workstation VM to have the 10.152.152.12 ip by default (since the other one has the 10.152.152.11 ip):
Now that our VM templates are done, let's put them on our veracrypt harddrive:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ ./refreshvms.sh
[sudo] password for nothing:
Domain 'Whonix-Gateway' destroyed
Domain 'Whonix-Workstation' destroyed
Domain 'Whonix-Workstation2' destroyed
Domain 'Whonix-Gateway' has been undefined
Domain 'Whonix-Workstation' has been undefined
Domain 'Whonix-Workstation2' has been undefined
Network Whonix-External destroyed
Network Whonix-Internal destroyed
Network Whonix-External has been undefined
Network Whonix-Internal has been undefined
[+] VMs removed, re-install them ? (ctrl+c to exit)
^C
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ ls
refreshvms.sh Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.xml
WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix_internal_network-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
WHONIX_DISCLAIMER Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
Whonix_external_network-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
Once mounted, let's copy them here and launch them:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
→ cd /media/veracrypt1
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cp /mnt/VAULT/ISOs/whonix/* .
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ ls -lash
total 21G
4.0K drwxr-xr-x 2 nothing nothing 4.0K Oct 8 13:35 .
4.0K drwxr-xr-x 3 root root 4.0K Oct 8 13:34 ..
4.0K -rwxr-xr-x 1 nothing nothing 1.2K Oct 8 13:35 refreshvms.sh
40K -rw-r--r-- 1 nothing nothing 39K Oct 8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT
0 -rw-r--r-- 1 nothing nothing 0 Oct 8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT_accepted
8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 8 13:35 WHONIX_DISCLAIMER
4.0K -rw-r--r-- 1 nothing nothing 172 Oct 8 13:35 Whonix_external_network-17.0.3.0.xml
5.2G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
4.0K -rw-r--r-- 1 nothing nothing 2.4K Oct 8 13:35 Whonix-Gateway-Xfce-17.0.3.0.xml
4.0K -rw-r--r-- 1 nothing nothing 97 Oct 8 13:35 Whonix_internal_network-17.0.3.0.xml
6.9G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.xml
7.0G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 8 13:35 Whonix-Workstation-Xfce-17.0.3.0.xml
1.3G -rw-r--r-- 1 nothing nothing 1.3G Oct 8 13:35 Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
Now that's done, you need to edit each XML to make sure it has the correct path in it:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
<source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
<source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
<source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
Then you can use the VMs using the refreshvms.sh script:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ ./refreshvms.sh
[sudo] password for nothing:
error: failed to get domain 'Whonix-Gateway'
error: failed to get domain 'Whonix-Workstation'
error: failed to get domain 'Whonix-Workstation2'
error: failed to get domain 'Whonix-Gateway'
error: failed to get domain 'Whonix-Workstation'
error: failed to get domain 'Whonix-Workstation2'
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
[+] VMs removed, re-install them ? (ctrl+c to exit)
Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
Now with this if you are forced to give away the password for that harddrive, you can give them this decoy partition, and they'll find the whonix VMs you've copied there.
So now dismount the veracrypt partition, to do that you need to first remove the VMs with the script, and then you need to EXIT the folder, otherwise it'll complain and tell you that the target drive is busy and can't be unmounted:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ ./refreshvms.sh
error: Failed to destroy domain 'Whonix-Gateway'
error: Requested operation is not valid: domain is not running
error: Failed to destroy domain 'Whonix-Workstation'
error: Requested operation is not valid: domain is not running
error: Failed to destroy domain 'Whonix-Workstation2'
error: Requested operation is not valid: domain is not running
Domain 'Whonix-Gateway' has been undefined
Domain 'Whonix-Workstation' has been undefined
Domain 'Whonix-Workstation2' has been undefined
Network Whonix-External destroyed
Network Whonix-Internal destroyed
Network Whonix-External has been undefined
Network Whonix-Internal has been undefined
[+] VMs removed, re-install them ? (ctrl+c to exit)
^C
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cd ..
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
→
Now that's done for the decoy partition, we do the same for the hidden partition:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
→ cd veracrypt1
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cp /mnt/VAULT/ISOs/whonix/* .
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ ls
refreshvms.sh Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.xml
WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix_internal_network-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
WHONIX_DISCLAIMER Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
Whonix_external_network-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
Then edit the paths again:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
<source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
<source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
<source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
Then start the VMs:
[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
→ ./refreshvms.sh
[sudo] password for nothing:
error: failed to get domain 'Whonix-Gateway'
error: failed to get domain 'Whonix-Workstation'
error: failed to get domain 'Whonix-Workstation2'
error: failed to get domain 'Whonix-Gateway'
error: failed to get domain 'Whonix-Workstation'
error: failed to get domain 'Whonix-Workstation2'
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'
error: failed to get network 'Whonix-Internal'
error: Network not found: no network with matching name 'Whonix-Internal'
[+] VMs removed, re-install them ? (ctrl+c to exit)
Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
You need to keep in mind that currently we have not given out any information about ourselves, other than we've used Tor. We won't stop there, and in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN Connection itself through Tor. Cherry on top is that we're going to use a well-used VPN service, so we won't be the only user with that public VPN ip. But what matters is that we do not give any information about us to the VPN provider. If the VPN provider forces you to provide anything personal (if the vpn provider blocks tor connections, or forces you to buy it with something else than monero), then it would not truly be a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing.
Now that's done we can go find a vpn provider for the workstation2, let's try out the very praised mullvad vpn provider here, Firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), also due to the fact that we won't be the only ones using that service, it means we won't need to change the VPN server when we want to have another identity online. On top of that, mullvad gives us the ability to connect to a random server of theirs, via openvpn via TCP on port 443, which is definitely neat because it mimicks web HTTPS traffic, and isn't blockable by tor exit node hosters (which is definitely a trend, most of them block ports that are suceptible to abuse, 443 https being the least likely of them):
now to not loose your accesses , make sure to save credentials in a local keepass database on the VM.
Now let's add time to our account, and of course we will pay with the only cryptocurrency that's used:
To get some monero you can buy it on localmonero.co, and make sure it arrives on your monero wallet inside the whonix VM, never trust centralised exchanges with your assets, always keep them locally.
Once it finishes installing, create your monero wallet:
Then say no to mining and use an onion-based monero daemon, like the one i'm hosting, you can find a full list of other ones here:
Wait for it to finish synchronizing, then get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created:
Once you've paid, download the .ovpn file to connect via vpn:
Then unzip and let's now make sure the vpn goes through tor:
To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to mention the entry node which is the gateway 10.152.152.10:
before we launch it keep in mind this:
DISCLAIMER: While on a VPN, DO NOT use the tor browser, this will make the entire tor browsing visible from the VPN server. In this particular setup you need to use Firefox while the VPN connection is active!!! Make sure that all tor-related applications are shutdown before starting the VPN. I suggest to close everything, and then only have the terminal and firefox open before launching the VPN.Then launch the VPN and you can then see that you no longer have a tor exit node IP:
Now check your ip from Firefox, not the tor browser:
You can also check if there are any DNS leaks:
here we see the test revealed a dns ip leak, but upon checking (in shodan.io) we see that it's a tor exit IP address:
We can also check if there are any WebRTC leaks:
and there we see that there are no webRTC leaks either, so it's all good.
To make sure the vpn is started automatically we can make it a systemd service:
root@workstation:~# cat /etc/systemd/system/vpn.service
[Unit]
Description=VPN
After=network-online.target
Wants=network-online.target
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
WorkingDirectory=/home/user/Desktop/mullvad_config_linux_nl_ams/
ExecStart=/usr/sbin/openvpn /home/user/Desktop/mullvad_config_linux_nl_ams/mullvad_nl_ams.conf
ExecStop=kill -9 $(pidof openvpn)
Restart=always
root@workstation:~# systemctl daemon-reload ; systemctl enable --now vpn.service ; systemctl restart vpn.service
Now thanks to that, you can still browse websites anonymously in case if they block tor exit nodes.
To implement Anonymity Management, simply ask yourselves the following questions:
First question to answer is "Is the activity Sensitive, and will I need to be able to deny it's existence ?" If the answer is no, then we have the following questions:
If the website requires you to give it your home address like Amazon for example, you can forget trying to be anonymous because you'll anyway need to de-anonymize yourself with your actions, no matter how you accessed the website.
If the website doesn't block tor exit nodes, browse it via the Whonix VMs. But if it does, then use the VPN through Tor setup to circumvent the blockage.
And lastly, for all websites you browsed to anonymously, make sure you log it to have an global view of your online anonymity.
If your activities are sensitive enough that you need to be able to deny their existence, then we make use of veracrypt's plausible deniability features, and we open the whonix VMs from inside the hidden partition.
And there the same questions apply, but you better remain anonymous while you conduct said sensitive activities.
Until there is Nothing left.
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nowhere.moe (PGP)