Install option -Sys-Whonix/AnonWhomix

After installing with Sys-Whonix and Anon-Whonix options, I get a message asking about Tor routing.

If that option is deselected on installation, is it still possible to use Tor?

Question: Is there a way to choose when and for what you want to use Tor, i.e. Deb or Fedora templates use clearnet routing but Whonix only goes through Tor?

I want to get this right to avoid having to make too many changes post-install, so please let me know. Thanks.

If you select disable, it will open a new window saying how to re-enable it.

Yes, but if you decline to have the installer create the Whonix qubes for you, they will need to be created later before you’ll be able to use them. The Whonix docs have instructions for this:

Yes. For templates, that’s handled through RPC policies. For example, you could create the file /etc/qubes/policy.d/30-user.policy in dom0 with content similar to the following:

# HTTP proxy for downloading updates
## Update Whonix templates through sys-whonix
qubes.UpdatesProxy      *       @tag:whonix-updatevm    @default                allow target=sys-whonix
## Deny Whonix templates from using any other qube to update
qubes.UpdatesProxy      *       @tag:whonix-updatevm    @anyvm                  deny
## Update all other templates through sys-firewall and deny everything else
qubes.UpdatesProxy      *       @type:TemplateVM        @default                allow target=sys-firewall
qubes.UpdatesProxy      *       @anyvm                  @anyvm                  deny

Whonix-ws-16 is the workstation. Whonix-gw-16 is the gateway. The gateway is the template for sys-whonix. The gw works as a routing qube. The network would normally look like this: appqube → sys-whonix → sys-firewall → sys-net.

If you want to decide which qubes get torified, all you have to do is select sys-whonix as their network qube when you make the appqube. Or you can go into the settings later and change it. It’s a simple drop-down on the first page.

It’s recommended that you use Whonix workstation qubes through the Whonix gateway. That’s what the Whonix devs recommend anyway. But if you want to use a standard Fedora or Debian through the gateway, that’s fine. But know that your traffic will be passing through the same place that your updates do (if you decide to update through sys-whonix).

I personally like having sys-whonix and using it with a Whonix workstation when I want Tor. When I want clearnet or VPN’d traffic, I can use a Fedora or Debian qube.

As stated in another response, if you already installed and didn’t select it, it’s pretty easy to install both whonix-gw-16 and whonix-ws-16. Again, the Whonix devs don’t recommend using other OSes through the gw. But their threat modeling is pretty strict for the best possible privacy you can get. If you don’t care so much about that, do what you want.

I highly recommend reading the Whonix documentation for more details. They are pretty in depth when it comes to privacy practices and general use stuff. They also have a lot of recommendations specifically for Qubes-Whonix, which the Qubes docs don’t go into even in the parts where they mention Whonix.

Thanks for that explanation.
Ideally I want to:
- Remember the wifi password on reboot
- Route clearnet/VPN on all Deb & Fed templates or qubes generated from them
- Route Tor only for Whonix qubes
- Not have a message pop up asking me to configure the network on each boot
- Not have to manually enter credentials on each boot

What are the best installation and post-install configuration options to achieve the above?

Installation is pretty straightforward. I don’t know if you can do much of that on install except for checking that sys-whonix will be set up.

Post-install, what you’ll want to do is, when you make a Deb or Fed qube, set the network provider (which is on the screen in the GUI for making a qube; it’s the fourth option and says “Networking”) to your VPN. And whenever making a Whonix workstation, set Network to sys-whonix.

As for saving your wifi, there are two options depending on what you want from your sys qubes. You can go with an actual appqube or you can have disposables (from the install menu or later on). If you want a static sys-net, all you need to do is type in the password and it should save it.

If you want to go with a disposable sys-net, then it’s a bit more complicated but arguably more secure against some attacks. If you want to do that, there’s some reading to do, and I would recommend going in once everything’s set up and immediately making a separate template (by copying either the debian-11 or fedora-37 template) and making that the one you use for your sys-qubes. It’s not that hard to do.

Then the next piece is to make a new disposable template (based on the template you just made) to then use for your sys-qubes. Disposable templates are actually appqubes based on a template. So there are two steps to this. How to make a disposable template is here: Disposable customization | Qubes OS

Nonetheless, once you have done that, or opted not to and will just use the pre-installed template and disposable template for your sys-qubes, you’ll want to go into that template (another reason to make the sys-qube template separate, since all your other app qubes are based on the standard template. If any of those get compromised, the data you put in for your WiFi can be gathered by the attacker. But with a separate template, that’s not an issue).

A couple of ways to get it to remember the WiFi are talked about here: [qubes-users] Disposable sys-net >> wifi login


You want to install with Whonix, and not have sys-net as disposable.

On the Configuration pane after install and reboot, select:
Create default system qubes
Create default application qubes
Create Whonix gateway and Workstation

Do not select the “Enable system and template updates over Tor” option.

Create USB qube if required/possible.

When you start up you will find that sys-net is a disposable, which is why you have to re-enter wifi passwords.
The simplest thing is to change the qube you use to connect to networks so that it is not a disposable.

Shutdown all qubes.
Change the net qube for sys-firewall to none.
Create a new sys-net-2, with these settings in GUI Settings:
Basic->Start qube automatically on boot
Advanced →
Mode hvm
memory 400
Deselect “Include in memory balancing”
Provides network
Devices → select the networking devices and move to RHS
Services → enable clock sync

Try to start sys-net-2 - if there’s an error re “reset” you may need to go to the Devices tab and configure strict reset off for the networking devices.

Once sys-net-2 is started, change the net qube for sys-firewall to
Open settings for sys-net and deselect “Start qube automatically on boot”
Open Qubes Global Settings and change every place sys-net to sys-net-2.

That should give you all you ask for.

BUT I don’t know what “Not having to manually enter credentials on each boot” means if it is not solved by this.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I neglected to say that for sys-net-2 you must set, on the Basic tab, “net qube” to NONE.

This set-up means that for “home” you can use sys-net-2 with persistence, and when travelling, switch to sys-net for the disposable. You can make this change using command line tools in a simple script if you travel often.

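The home/travel switch described in the post, as an added example script (not from the thread or the Qubes project): it re-points sys-firewall and the global default/clock qube between the persistent sys-net-2 and the disposable sys-net from dom0. It assumes the qube names used above and the standard dom0 tools qvm-prefs, qubes-prefs, qvm-shutdown and qvm-start; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the project's own code. Run in dom0.
# Usage: ./netswitch.sh home   (persistent sys-net-2)
#        ./netswitch.sh travel (disposable sys-net)

# Execute a dom0 command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# switch_net_qube NEW OLD: make NEW the net qube for sys-firewall and for
# the global defaults the post says to change, and make NEW (not OLD)
# autostart on boot.
switch_net_qube() {
    new=$1
    old=$2
    # Detach sys-firewall first so OLD can shut down cleanly
    # (an empty value sets netvm to none, as in the post's manual steps).
    run qvm-prefs sys-firewall netvm ''
    run qvm-shutdown --wait "$old"
    run qvm-start "$new"
    run qvm-prefs sys-firewall netvm "$new"
    # Global settings: default net qube and clock sync qube.
    run qubes-prefs default_netvm "$new"
    run qubes-prefs clockvm "$new"
    # Only the qube in use should start automatically on boot.
    run qvm-prefs "$new" autostart True
    run qvm-prefs "$old" autostart False
}

if [ $# -gt 0 ]; then
    case "$1" in
        home)   switch_net_qube sys-net-2 sys-net ;;
        travel) switch_net_qube sys-net sys-net-2 ;;
        *)      echo "usage: $0 home|travel" >&2 ;;
    esac
fi
```

If updatevm in Qubes Global Settings also pointed at sys-net, add a matching qubes-prefs updatevm line; the post's manual steps cover every place sys-net appears there.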

Thank you! I may ask questions if I get stuck.

To “Create a new sys-net-2”, do I clone the original default disposable sys-net from install and change the options of sys-net-2 as you indicated?

What exactly is configured in a default sys-net, what does it do for security, and how do I make sure sys-net-2 has that same functionality?

No, if you clone it you will get another disposable, which is not what we want.
Create the new sys-net-2 using the “Create Qubes VM” tool.

There is no specific security configuration for the default sys-net. Creating the new sys-net-2 using the same template that the disposable template for sys-net uses will give you the same functionality.

If you want to harden sys-net I suggest cloning the template and making those changes in the cloned template, used for sys-net-2.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I’m not sure what you mean about making sys-net-2; the template used for sys-net is just deb-11-dvm, isn’t it?

If I simply make a deb11 standalone, how would it have the proper programs and configuration that sys-net does?

I am sure there is something I am not getting here; would you please let me know where I am going wrong in my thinking?

(I think part of the problem is that I do not understand what sys-net does, what it has inside of it, how it is configured, or even why sys-net exists.)

Every disposable is based on a “disposable template” - a standard template-based qube with the template_for_dispvms property set. That qube is based on a template.
I’m suggesting you create sys-net-2 using the template that deb-11-dvm uses - debian-11.

sys-net exists because you need a qube that will have networking devices attached. It should contain the drivers needed to make those devices work, and the software to allow for network configuration.
It also “provides network” so that you can attach other qubes to it, so that they have network access. It does not support the qubes-firewall.
It also captures DNS traffic using the default addresses, and routes it to the DNS server given by the external network.

Is that clearer?

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.