Yes, but if you decline to have the installer create the Whonix qubes for you, they will need to be created later before you’ll be able to use them. The Whonix docs have instructions for this:
Yes. For templates, that’s handled through RPC policies. For example, you could create the file /etc/qubes/policy.d/30-user.policy in dom0 with content similar to the following:
# HTTP proxy for downloading updates
## Update Whonix templates through sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
## Deny Whonix templates from using any other qube to update
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
## Update all other templates through sys-firewall and deny everything else
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-firewall
qubes.UpdatesProxy * @anyvm @anyvm deny
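To see which update proxy each qube ends up with under those lines, here is a small first-match evaluator for that policy. It is an added example, not code from the thread or from Qubes; it models qrexec policy evaluation in simplified form, uses a constructed qube inventory, and assumes that Whonix templates carry the whonix-updatevm tag and that "@anyvm" in the target column also matches a "@default" call.

```python
# Simplified first-match evaluator for the qubes.UpdatesProxy policy above.
POLICY = """\
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-firewall
qubes.UpdatesProxy * @anyvm @anyvm deny
"""

# Constructed inventory: name -> (class, tags). Assumes Whonix templates
# carry the whonix-updatevm tag, as the policy above relies on.
QUBES = {
    "whonix-ws-16": ("TemplateVM", {"whonix-updatevm"}),
    "fedora-37": ("TemplateVM", set()),
    "work": ("AppVM", set()),
}

def parse_policy(text):
    """Return rules as (service, arg, source, target, action, forced_target)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        service, arg, src, dst, action, *params = line.split()
        forced = next((p[7:] for p in params if p.startswith("target=")), None)
        rules.append((service, arg, src, dst, action, forced))
    return rules

def source_matches(token, name):
    klass, tags = QUBES[name]
    if token == "@anyvm":
        return True
    if token.startswith("@tag:"):
        return token[5:] in tags
    if token.startswith("@type:"):
        return token[6:] == klass
    return token == name

def target_matches(token, requested):
    # Assumption: "@anyvm" in the target column also matches a "@default" call.
    return token == "@anyvm" or token == requested

def evaluate(rules, service, source, requested="@default"):
    """First matching rule wins: ("allow", proxy) or ("deny", None)."""
    for svc, _arg, src, dst, action, forced in rules:
        if svc not in (service, "*"):
            continue
        if source_matches(src, source) and target_matches(dst, requested):
            return ("allow", forced or requested) if action == "allow" else ("deny", None)
    return ("deny", None)              # no match: qrexec denies by default
```

Running it shows whonix-ws-16 routed to sys-whonix, denied if it names any other proxy, fedora-37 routed to sys-firewall, and a plain app qube denied by the final catch-all.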
Whonix-ws-16 is the workstation. Whonix-gw-16 is the gateway. The gateway is the template for sys-whonix. The gw works as a routing qube. The network would normally look like this: appqube → sys-whonix → sys-firewall → sys-net.
If you want to decide what qubes get torified, all you have to do is select their network qube to be sys-whonix when you make the appqube. Or you can go into the settings later and change it. It’s a simple drop down on the first page.
It’s recommended that you use Whonix workstation qubes through the Whonix gateway. That’s what the Whonix devs recommend anyway. But if you want to use a standard Fedora or Debian through the gateway, that’s fine. But know that your traffic will be passing through the same place that your updates do (if you decide to update through sys-whonix).
I personally like having sys-whonix and using it with a Whonix workstation when I want Tor. When I want clearnet or VPN’d traffic, I can use a Fedora or Debian qube.
As stated in another response, if you already installed and didn’t select it, it’s pretty easy to install both whonix-gw-16 and whonix-ws-16. Again, the Whonix devs don’t recommend using other OSes through the gw. But their threat modeling is pretty strict for the best possible privacy you can get. If you don’t care so much about that, do what you want.
I highly recommend reading the Whonix documentation for more details. They are pretty in depth when it comes to privacy practices and general use stuff. They also have a lot of recommendations specifically for Qubes-Whonix, which the Qubes docs don’t go into even in the parts where they mention Whonix.
Thanks for that explanation.
Ideally I want to:
-Remember wifi pass on reboot
-Route clearnet/vpn on all deb & fed templates or qubes generated from them
-Route tor only for Whonix qubes
-Not have a message pop up asking me to configure network on each boot
-Not having to manually enter credentials on each boot
What are the best installation and post-install configuration options to achieve the above?
Installation is pretty straight forward. I don’t know if you can do much of that on install except for checking sys-whonix will be setup.
Post install, what you’ll want to do is, when you make a deb or fed qube, set the network provider (which is on the screen in the GUI for making a qube; it’s the fourth option and says “Networking”) to your VPN. And whenever making a Whonix workstation, set Network to sys-whonix.
As for saving your wifi, there are two options depending on what you want from your sys qubes. You can go with an actual appqube or you can have disposables (from the install menu or later on). If you want a static sys-net, all you need to do is type in the password and it should save it.
If you want to go with a disposable sys-net, then it’s a bit more complicated but arguably more secure from some attacks. If you want to do that, there’s some reading to do and I would recommend going in once everything’s set up and immediately make a separate template (by copying either the debian-11 or fedora-37 template) and making that the one you use for your sys-qubes. It’s not that hard to do.
Then the next piece is to make a new disposable template (based on the template you just made) to then use for your sys-qubes. Disposable templates are actually appqubes based on a template. So there’s two steps to this. How to make a disposable template is here: Disposable customization | Qubes OS
Nonetheless, once you have done that, or opted not to and will just use the pre-installed template and disposable template for your sys-qubes, you’ll want to go into that template (another reason to make the sys-qube template separate, since all your other app qubes are based on the standard template. If any of those get compromised, the data you put in for your WiFi can be gathered by the attacker. But with a separate template, that’s not an issue).
You want to install with Whonix, and not have sys-net as disposable.
On the Configuration pane after install and reboot, select:
Create default system qubes
Create default application qubes
Create Whonix gateway and Workstation
Do not select the “Enable system and template updates over Tor” option
Create USB qube if required/possible.
When you start up you will find that sys-net is a disposable, which is
why you have to re-enter wifi passwords.
The simplest thing is to change the qube you use to connect to networks to not be a disposable.
Shutdown all qubes.
Change the net qube for sys-firewall to none.
Create a new sys-net-2, with these settings in GUI Settings:
Basic->Start qube automatically on boot
Advanced →
Mode hvm
memory 400
Deselect “Include in memory balancing”
Provides network
Devices → select the networking devices and move to RHS
Services → enable clock sync
Try to start sys-net-2 - if there’s an error re “reset” you may need to
go to the Devices tab and configure strict reset off for the networking
devices.
Once sys-net-2 is started, change the net qube for sys-firewall to
sys-net-2.
Open settings for sys-net and deselect “Start qube automatically on boot”.
Open Qubes Global Settings and change sys-net to sys-net-2 in every place it appears.
That should give you all you ask for.
BUT I don’t know what “Not having to manually enter credentials on each
boot” means if it is not solved by this.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
I neglected to say that for sys-net-2 you must set on Basic Tab,
“net qube” NONE
This set-up means that for “home” you can use sys-net-2 with
persistence, and when travelling, switch to sys-net for the disposable
experience.
You can make this change using command line tools in a simple script
if you travel often.
No, if you clone it you will get another disposable, which is not what
we want.
Create the new sys-net-2 using the “Create Qubes VM” tool.
There is no specific security configuration for the default sys-net.
Creating the new sys-net-2 using the same template that the disposable
template for sys-net uses will give you the same functionality.
If you want to harden sys-net I suggest cloning the template and making
those changes in the cloned template, used for sys-net-2.
Every disposable is based on a “disposable template” - a standard
template-based qube with the template_for_dispvms property set. That
qube is based on a template.
I’m suggesting you create sys-net-2 using the template that deb-11-dvm
uses - debian-11
sys-net exists because you need a qube that will have networking devices
attached. It should contain the drivers needed to make those devices
work, and the software to allow for network configuration.
It also “provides network” so that you can attach other qubes to it, so
that they have network access. It does not support the qubes-firewall.
It also captures DNS traffic using the default 10.139.1.1-2 addresses,
and routes it to the DNS server given by the external network.
Is that clearer?