Monero Wallet/Daemon Isolation with Qubes + Whonix

UPDATE

For those members who are unfamiliar and find they need to upgrade their isolation to the latest Whonix 16:

Assumptions:

  • You’re upgrading from the Whonix 15 template you have to Whonix 16 released a few days back (rather than installing the isolation from scratch with Whonix 16).
  • You originally used the guide linked in the OP.
  • You’ve already upgraded your Whonix template to 16.
  • You’ve named your Wallet and Daemon VMs as in the guide above.
  • Both these VMs are not running in your Qubes Manager.

In Dom0 terminal

  1. Clone your whonix-ws-16 template:
    qvm-clone whonix-ws-16 whonix-ws-16-monero

  2. Move your wallet and daemon VMs to the clone:
    qvm-prefs monerod-ws template whonix-ws-16-monero
    qvm-prefs monero-wallet-ws template whonix-ws-16-monero

  3. Complete sections 2.1 to 2.4.

Note:
In 2.2.1 and 2.2.2 change kwrite to nano and once you’ve pasted the script in each of the files, save/close them with CTRL+x.

Fire up your daemon to sync and you should be good to go.

Edit: and while you’re at it, increase the monerod-ws volume to 120Gb

I had @helge’s problem as well:

I followed the Qubes documentation for opening a single TCP port to another qube, which ended up working.

Steps:

  1. Follow all the steps linked in the above github guide
  2. Do not add the socat TCP-LISTEN command to /rw/config/rc.local in the wallet VM. Instead, add qvm-connect-tcp ::18081 to rc.local (you can’t have both qvm-connect-tcp and socat bind to the same port, so I chose to forgo socat)
  3. Create a TCP connect policy in dom0: /etc/qubes-rpc/policy/qubes.ConnectTCP:
    monero-wallet-ws @default allow,target=monerod-ws
  4. Run qvm-connect-tcp ::18081 in monero-wallet-ws or restart the wallet VM and let rc.local handle it

My monero wallet VM then connected to the monero daemon VM.


Please test this method to see if it works. I’m also not entirely sure why this worked, and what parts of the github guide are strictly necessary to make the qvm-connect-tcp method work. I imagine this would preserve the split-* security model because of the policy because the TCP port is only available to be used from monero-wallet-ws to monerod-ws?

2 Likes
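The policy line in the post above is what actually enforces the split: only the wallet qube may ask dom0 to forward a TCP port, and the forward is pinned to the daemon qube. The script below is an added example (not from this thread or from the Qubes project) that audits a legacy-format policy file such as /etc/qubes-rpc/policy/qubes.ConnectTCP and fails if any rule is wider than "wallet to daemon". It parses the legacy Qubes 4.0/4.1 syntax (`source destination action[,param=value...]`, with `@anyvm`/`$anyvm` and `@tag:` wildcards); Qubes 4.1 also accepts the newer /etc/qubes/policy.d/ format, which this script does not read. Qube names follow the thread; the file path and the function name are my own.

```shell
#!/bin/sh
# Added example: audit a legacy-format Qubes RPC policy file (e.g.
# /etc/qubes-rpc/policy/qubes.ConnectTCP) and confirm that only WALLET may
# reach DAEMON.  Rule syntax: <source> <destination> <action>[,<k>=<v>...]
# with action allow/deny/ask; "@anyvm" or "$anyvm" match every qube.

# audit_connecttcp_policy FILE WALLET DAEMON
# Prints one finding per line; returns 0 if the policy is as tight as the
# split wallet/daemon model needs, 1 otherwise.
audit_connecttcp_policy() {
    file=$1; wallet=$2; daemon=$3
    status=0; found=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    # 'action' receives the rest of the line, including ",target=..." params
    while read -r src dst action; do
        case $src in ''|'#'*) continue ;; esac      # blank line or comment
        verb=${action%%,*}
        case $action in *,*) params=${action#*,} ;; *) params= ;; esac
        case $verb in
            allow) ;;
            deny)  continue ;;                      # deny never widens access
            ask)   echo "rule '$src $dst $action' prompts rather than allowing silently"; continue ;;
            *)     echo "unknown action in rule '$src $dst $action'"; status=1; continue ;;
        esac
        # a wildcard source would let any qube open a tunnel to the daemon
        case $src in
            @anyvm|'$anyvm'|@tag:*|'$tag:'*)
                echo "rule '$src $dst $action' allows a wildcard source"; status=1; continue ;;
        esac
        if [ "$src" != "$wallet" ]; then
            echo "unexpected allow rule for source '$src'"; status=1; continue
        fi
        # the forward must be pinned to the daemon, either as the destination
        # or via target=DAEMON when the destination is @default
        pinned=0
        if [ "$dst" = "$daemon" ]; then pinned=1; fi
        case ",$params," in *",target=$daemon,"*) pinned=1 ;; esac
        if [ $pinned -eq 1 ]; then
            found=1
        else
            echo "wallet rule is not pinned to $daemon: '$src $dst $action'"; status=1
        fi
    done < "$file"
    if [ $found -ne 1 ]; then echo "no allow rule from $wallet to $daemon"; status=1; fi
    return $status
}

# Run directly in dom0 as: sh audit.sh /etc/qubes-rpc/policy/qubes.ConnectTCP monero-wallet-ws monerod-ws
if [ $# -eq 3 ]; then
    audit_connecttcp_policy "$1" "$2" "$3"
fi
```

A policy line such as `@anyvm @anyvm allow` or a wallet rule without `target=` is reported as a finding; the exact line from the post passes.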

Did a fresh install of 4.1rc3 last week and had to do the tcp port like qubes-kernel-5.8 suggested.

Monerod and wallet are showing syncing, however when checking the Active: status of monerod-mainnet it shows as failed “start request repeated too quickly”. Not sure if this is the right thread but not sure what’s going on or how to troubleshoot it.

1 Like

I planned to sit down and upgrade in the coming days. Did you find a cause/solution to what you mention?

Hi I just finished installing monerod-ws monero-wallet-ws and syncing blockchain.
But how can I access my existing wallet? Where should I put the wallet file in monero-wallet-ws?
Do I have to put it under same directory with monero-wallet-cli which is in /usr/local/bin?

Do you mean /etc/qubes-rpc/policy/qubes.ConnectTCP or /etc/qubes-rpc/qubes.ConnectTCP?

I already have a /etc/qubes-rpc/qubes.ConnectTCP and it says inside

PORT="$1"
[[  -z  "$PORT"...

exit 1
fi

didn’t type the whole thing, can’t paste into a qube or anything now for a reason

This also does not work, and when I did create /etc/qubes-rpc/policy/qubes.ConnectTCP then USB did not connect. Had to delete this to get USB to work.

As I wrote, you want to add instructions to allow the wallet VM to talk to the daemon VM in dom0 in /etc/qubes-rpc/policy/qubes.ConnectTCP.

The wallet is accessed using two files (at least that’s what’s on my system): your private key and your wallet file. You need both to access the wallet.

The easiest way to access the wallet is to keep your wallet file and key file in the same directory. Then you can run monero-wallet-cli from anywhere in the wallet VM and if you give it the absolute path to your wallet, it will find the keys in that directory as well and load the wallet.

In the case of an AppVM, you want to make sure your wallet survives reboot, so put it in any persistent directory.

I didn’t have that directory or that file and when I created it I could no longer access USB qube after system boot

Should I use “sudo nano” and then create the file in that directory, or is this done wrong?

What does it mean/is the issue if monerod is connected, monero wallet is connected to monerod, but monerod-mainnet is not starting?

Going to attempt to install again using tcp method.

I followed the various tips here and got everything to work, however space is somewhat limited and I’m unable to fit the entire blockchain on my drive so I was thinking of running a pruned node.

I edited the monerod-mainnet.service to include --prune-blockchain and created a new daemon qube, however it still seems to be downloading the entire blockchain.

If I run sudo monerod --prune-blockchain I get two errors:

F Error starting server: Failed to bind IPv4 (set to required)
E Exception in main! Failed to initialize p2p server.

Furthermore sudo monero-blockchain-prune shows the following, despite the daemon attempting to sync the whole blockchain.

E Blockchain is already pruned, use --copy-pruned-database to copy it anyway

Suggestions? Thanks in advance

Hi guys, have had this working for a while now, although now I’m going to have to update with the newer version wallet software in the monerod and wallet VMs, how easy is it to do that?

Is it just a case of rerunning the install command and installing the newer monerod over the old one in the same location and then copying the new wallet file to the wallet VM and installing?

Do I have to worry about it trying to re-download the node?

Thanks

Yes.

The wallet and config files won’t be changed / moved so there should be no need to do it.

No, it should work as it is.

1 Like

Thanks for the reply

just tried to update via command line in my monerod-vm and got;

user@host:~$ monerod update download
2022-05-15 13:45:06.662	I Monero 'Oxygen Orion' (v0.17.3.0-release)
Error: Problem fetching info-- rpc_request:

probably something I’m not allowing due to the way it wrote my config during setup I guess?


Would you recommend temporarily changing my config file parameters to allow update via command line, or just doing it exactly the same way I set it up the first time and installing the new monerod right over the top of the old?

This is what I used the first time

sudo install -g staff -m 0755 -o root ~/monero-<VERSION NUMBER>/monero-blockchain-* ~/monero-<VERSION NUMBER>/monerod -t /usr/local/bin/

The wallet and config files won’t be changed / moved so there should be no need to do it.


Just to clarify a few things;

You are saying in my separate wallet VM I don’t need to replace my old wallet with the updated wallet file?

  1. Wouldn’t my wallet version in my separate wallet VM then be outdated/insecure?

  2. Finally, if I update one but not the other, is there any danger of some sort of version mismatch with my monerod in monerod-VM being a different version to my wallet in wallet-VM?

Thanks again

I’d just download the new monero wallet manually. But you can try to comment out the restricted-rpc=true in your config if you have it then try to download monero wallet with monerod and return your config back afterwards.

Clarify what you mean by:

updated wallet file

Do you mean as it says - wallet file wallet.dat in ~/Monero/... directory or you mean updating your monero wallet software?
You need to update monero wallet software in both monerod-ws and in monero-wallet-ws.

OK, don’t like the idea of the rpc hack around, looks a bit risky, I’ll just download it manually and then just install it over the top using the same command I used for the original setup if you don’t see a problem with that

sudo install -g staff -m 0755 -o root ~/monero-<VERSION NUMBER>/monero-blockchain-* ~/monero-<VERSION NUMBER>/monerod -t /usr/local/bin/

Sorry, I meant updating the ‘actual’ wallet program in my monero-wallet-ws VM by just copying the new wallet binaries over

Thanks for all of your help

That should work just fine.

1 Like

Worked out of the box using the Whonix template & standard disposable VM here last week

Make sure you’ve updated to 0.18.0.0-release for the wallet now, significant upgrade with added ring signature & speed when it comes to syncing

Do you mean you use the already installed Monero app? create 2, one for node and one for wallet and connect them?

If so, could you share how?

When I upgraded to 4.1, I had some issues using the original setup method I posted here (and the really helpful tweaks posted on this thread), so I thought to make a working method clear since @Mdogg had issues with his.

The setup here is using this method with a fix for 4.1 here and confirmed here:

We need to create wallet and daemon VMs and get them talking to each other. Just get your copy/paste mojo going:

In this example they are named:
monerod - this will be online to allow sync the blockchain.
monero-wallet - this will be isolated with no network.

1. Creating VMs:

In dom0 terminal:
qvm-create --label purple --property netvm=sys-whonix --template whonix-ws-16 monerod

qvm-create --label black --property netvm='' --template whonix-ws-16 monero-wallet

2. In monerod terminal:

Increase volume size to allow for 150Gb (Dec '22) blockchain:
qvm-volume extend monerod:private 175G

Create a systemd file.
sudo nano /home/user/monerod.service

Paste the following contents:

[Unit]
Description=Monero Full Node
After=network.target

[Service]
User=user
Group=user

Type=forking
PIDFile=/home/user/.bitmonero/monerod.pid

ExecStart=/usr/bin/monerod --detach --data-dir=/home/user/.bitmonero \
    --no-igd --pidfile=/home/user/.bitmonero/monerod.pid \
    --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip=127.0.0.1

Restart=always
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Tip:
Editing a nano file:
Ctrl+o = save
ENTER
Ctrl+x = close


Make monerod daemon run on startup by editing the file /rw/config/rc.local:
sudo nano /rw/config/rc.local

Add these lines to the bottom:
cp /home/user/monerod.service /lib/systemd/system/
systemctl start monerod.service

Make file executable:
sudo chmod +x /rw/config/rc.local

Create rpc action file:
sudo mkdir /rw/usrlocal/etc/qubes-rpc
sudo nano /rw/usrlocal/etc/qubes-rpc/user.monerod

Add the line:
socat STDIO TCP:localhost:18081

Shutdown monerod:
sudo shutdown now

3. In monero-wallet terminal:

Edit the file /rw/config/rc.local.
sudo nano /rw/config/rc.local

Add the line:
qvm-connect-tcp ::18081

Make file executable:
sudo chmod +x /rw/config/rc.local

Shutdown monero-wallet:
sudo shutdown now

4. In dom0 terminal:

Create a TCP connect policy file:
sudo nano /etc/qubes-rpc/policy/qubes.ConnectTCP

Add the following line:
monero-wallet @default allow,target=monerod

RESTART your system for good luck

Note:
you’ll have to wait for the 150Gb+ blockchain (as of Dec '22) to sync on your system. If you start your wallet before then, you’ll get errors and your brain may melt. But believe me, it’s worth the wait.

5 Likes
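The note at the end of the guide above says the wallet will throw errors if it is started before the daemon has finished syncing. The script below is an added example (not from the thread or from the Monero or Qubes projects) to run inside the wallet qube after step 3: it checks that `qvm-connect-tcp ::18081` has something listening locally, sends a `get_info` JSON-RPC request to monerod through that forward, and reports whether the daemon is synced before you launch monero-wallet-cli. The RPC endpoint and the `height`, `target_height` and `synchronized` fields are monerod's own; the port default, the function names and the sample response in the comments are my assumptions. All `qvm-*` commands in the guide (including `qvm-volume extend`) are run in dom0; this script runs in the wallet qube.

```shell
#!/bin/sh
# Added example: from the wallet qube, confirm the qvm-connect-tcp forward to
# the daemon qube works and that monerod is synced enough to serve a wallet.

# daemon_sync_state JSON
# Parses a monerod get_info JSON-RPC reply.  Returns 0 when synced, 1 while
# syncing, 2 if the text is not a get_info reply.  Prints a one-line summary.
daemon_sync_state() {
    json=$1
    # "synchronized" is monerod's own flag; height/target_height give progress.
    sync=$(printf '%s' "$json" | grep -Eo '"synchronized": *(true|false)' | grep -Eo 'true|false' | head -n1)
    height=$(printf '%s' "$json" | grep -Eo '"height": *[0-9]+' | grep -Eo '[0-9]+' | head -n1)
    target=$(printf '%s' "$json" | grep -Eo '"target_height": *[0-9]+' | grep -Eo '[0-9]+' | head -n1)
    [ -n "$height" ] || { echo "no height in response (not a get_info reply?)"; return 2; }
    if [ "$sync" = true ]; then
        echo "synced at height $height"
        return 0
    fi
    # while syncing, target_height is the best height known from peers
    echo "syncing: $height of ${target:-?}"
    return 1
}

# check_daemon_from_wallet [PORT]
# PORT defaults to 18081, the port forwarded by "qvm-connect-tcp ::18081".
check_daemon_from_wallet() {
    port=${1:-18081}
    # the forward shows up as a local listener inside the wallet qube
    if ! ss -ltn 2>/dev/null | grep -q ":$port "; then
        echo "nothing listening on 127.0.0.1:$port; is qvm-connect-tcp ::$port running (rc.local)?"
        return 2
    fi
    # get_info is served even with restricted RPC; a failure here usually
    # means dom0's qubes.ConnectTCP policy did not allow the forward
    resp=$(curl -s -m 5 -H 'Content-Type: application/json' \
        -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}' \
        "http://127.0.0.1:$port/json_rpc") || {
        echo "RPC request to port $port failed; check the dom0 qubes.ConnectTCP policy"
        return 2
    }
    daemon_sync_state "$resp"
}

# Usage inside the wallet qube: sh check-daemon.sh --check [PORT]
# Example (constructed) reply while syncing:
#   {"result":{"height":1000,"synchronized":false,"target_height":2784000}}
# prints "syncing: 1000 of 2784000" and exits 1.
case ${1:-} in
    --check) check_daemon_from_wallet "${2:-18081}" ;;
esac
```

Only start monero-wallet-cli once the script prints "synced at height ..."; an exit code of 2 points at the forwarding setup (rc.local in the wallet qube or the dom0 policy) rather than at sync progress.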