Is there a better way to run offline Whonix AppVMs?

If I run a Whonix AppVM without setting a net qube, the clock time becomes out of sync. I assume this is because Whonix uses sdwdate to determine the time, which requires access to Tor. Even if I disable sdwdate, the “qubes sync time service” doesn’t activate for Whonix VMs.

To fix this, I’ve added this to /rw/config/rc.local:

rm /usr/lib/systemd/system/qubes-sync-time.service.d/40_*.conf
systemctl stop sdwdate sdwdate-pre
systemctl daemon-reload

And this to the dom0 crontab, since the anon-vm tag keeps getting reapplied to the AppVM.

*/30 * * * * qvm-tags APPVM del anon-vm

Has anyone else achieved something similar?

1 Like

I run a few Whonix qubes without a sys-net. Haven’t recognized a problem so far about this. What problems does this cause? What problems do you observe?

1 Like

In all earnestness, I am a bit puzzled as to the point of running Whonix without a network connection. The purpose of Whonix as I understand it is to make you anonymous on the net. In doing so it is slow, imposes restrictions (like a ridiculously small browser window–you can expand it but they beg you not to), etc. etc. If I’m not on the internet, why deal with this?

1 Like

The VM time gets updated by sdwdate, which can’t function without access to the internet. This causes the program to fail and the icon in the status tray changes to reflect that. Eventually the VM clock drifts by a few minutes over the course of days, which leads to inaccurate times and prevents 2FA codes from working.

Slightly related is that Standalone Whonix VMs don’t copy over the anon-vm tag, which I have to apply manually. Otherwise I get Denied: whonix.NewStatus which I believe is also related to sdwdate.

2 Likes
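The 2FA failure described in the post above, as an added example that is not part of the original thread: a standard-library RFC 6238 TOTP generator and verifier showing how far a qube's clock can drift before its codes are rejected. The verifier window of one 30-second step either side is an assumption (services differ), the key is the RFC 6238 test key, and `TRUE_TIME` and the drift values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real secret
TRUE_TIME = 1_700_000_000  # constructed "correct" time held by the verifier


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given clock reading."""
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret, code, server_time, window=1):
    """Verifier: accept the current step plus `window` steps either side."""
    return any(
        hmac.compare_digest(totp(secret, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )


def drifted_client_accepted(drift_seconds, window=1):
    """Would a code from a qube whose clock is off by drift_seconds pass?"""
    code = totp(SECRET, TRUE_TIME + drift_seconds)
    return server_accepts(SECRET, code, TRUE_TIME, window)


if __name__ == "__main__":
    for drift in (0, -20, 30, -60, 180, -300):
        verdict = "accepted" if drifted_client_accepted(drift) else "rejected"
        print(f"qube clock drift {drift:+5d} s -> code {verdict}")
```

With this window, a drift of a few minutes in either direction puts every generated code outside the accepted steps, which matches the symptom reported above.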

Whonix is based on Kicksecure which isn’t provided as a downloadable template yet. The template size is smaller than others and I’m using the template cloned for both online (anonymous) and offline use. Awkward, but simpler (except for syncing the time).

3 Likes

In using Whonix without a sys-net, I believe I essentially get a Kicksecure OS (a hardened version of Debian).

2 Likes

Correct:

Related: