I’ve set up a split wallet for Monero using the guide:
{% assign version = '2.0.0' | split: '.' %}
{% include disclaimer.html translated="true" version=page.version %}
# Wallet/Daemon Isolation with Qubes + Whonix
With [Qubes](https://qubes-os.org) + [Whonix](https://whonix.org) you can have a Monero wallet that has no network connection, and runs on a virtually isolated system from the daemon which has all of its traffic forced over [Tor](https://torproject.org).
Qubes gives the flexibility to easily create separate VMs for different purposes. First you will create a Whonix workstation for the daemon which will use a Whonix gateway for networking. Next, another Whonix workstation for the wallet with no connection to the network. For communication between the wallet and daemon you can make use of Qubes [`qrexec`](https://www.qubes-os.org/doc/qrexec3/).
This is safer than other approaches which route the wallet's rpc over a Tor hidden service, or that use physical isolation but still have networking to connect to the daemon. In this way you don't need any network connection on the wallet, you preserve resources of the Tor network, and you incur less latency.
## Table of contents:
1. **[Create the TemplateVM and AppVMs](#1-create-templatevm-and-appvms)**
+ 1.1. [Create TemplateVM: `whonix-ws-14-monero`](#11-create-templatevm-whonix-ws-14-monero)
+ 1.2. [Create daemon's AppVM: `monerod-ws`](#12-create-daemons-appvm-monerod-ws)
+ 1.3. [Create wallet's AppVM: `monero-wallet-ws`](#13-create-wallets-appvm-monero-wallet-ws)
+ 1.4. [Create `qrexec` policy](#14-create-qrexec-policy)
2. **[Set Up the TemplateVM](#2-set-up-the-templatevm)**
+ 2.1. [Create system user](#21-create-system-user)
+ 2.2. [Create `systemd` unit](#22-create-systemd-unit)
3. **[Set Up the Daemon's AppVM](#3-set-up-the-daemons-appvm)**
+ 3.1. [Get Monero software](#31-get-monero-software)
+ 3.1.1. [Install command-line only tools](#311-install-command-line-only-tools)
show original
Had to redo it recently after my qube proved corrupt. I’m having an issue I can’t figure out. See the file:
/lib/systemd/system/monerod-mainnet.service
and the line in it:
ConditionPathExists=/var/run/qubes-service/monerod-mainnet
My service doesn’t start automatically because /var/run/qubes-service/monerod-mainnet is misspelled. I can rename it and it works fine. But I’ve gone through the guide a few times and can’t figure out how that file is created so I can change the name.
Not sure if my issue is Qubes specific, but hoping someone can provide an answer easily.
There must have been a typo during this step:
[user@dom0 ~]$ qvm-service --enable monerod-ws monerod-mainnet
Just rerun that.
The misspelled one can be removed with qvm-service --unset ... or in the Qube Settings → Services GUI.
It will take effect when the qube is restarted.
1 Like
Thank You!
I thought it had to do with enabling the service, but only redid it in the monerod-ws (with systemctl). Somehow I missed the dom0 service enable. I used the Qube Settings GUI to remove the misspelled one. Then reran the command in dom0 you posted.
Now it’s working as it should.