Tails HVM

Tails stands for The Amnesic Incognito Live System. It is a live operating system that aims to preserve your privacy and anonymity. Tails is intended to be booted from a live CD and to leave no trace on the computer it runs on, but used this way it requires a reboot every time you want to switch between your installed OS and Tails. If that becomes cumbersome, Tails can also be run inside virtualization software, including Qubes OS.

Preamble

  • MAC address randomization must be disabled in Tails, because it completely breaks networking on Qubes OS: for security reasons the netvm filters traffic on the MAC address it expects from the qube. Your MAC address never leaves your Qubes OS computer anyway, so anonymizing it inside the qube gains nothing. See [SOLVED] fix the internet issues for Tails HVM in Qubes - #6 by solene
  • The Tails desktop will show a notification that running Tails in a virtual machine can be insecure. This warning is for the case where you run Tails on a hypervisor you should not trust; if you trust your Qubes OS system, it is fine. While the Qubes security model mitigates most of the risks identified, traces of the Tails session may remain on the disk. Live booting Tails, though less convenient, is always more secure than running it inside virtualization software or Qubes, because you do not run the added risk of the virtualization software or host OS being compromised. Depending on your threat model, this may be too much risk.

Setup

  • Read about creating and using HVM qubes
  • Download and verify the Tails ISO file from https://tails.boum.org in a qube (saved as /home/user/Downloads/tails.iso in a qube named isoVM for the purposes of this guide).
  • Create a standalone qube named “Tails”, choose the netvm you want for it, and open its settings:
    • In “Advanced” tab:
      • Set memory to at least 2048 MB
      • Set the virtualization mode to “HVM”

You are done with creating the qube.

Run Tails

  • Start Tails from a dom0 terminal: qvm-start Tails --cdrom=isoVM:/home/user/Downloads/tails.iso. If you prefer, this can also be done from the qube settings, using “Boot qube from DISC or block device” in the “Advanced” tab.
  • Once the Tails qube has started, wait for the welcome screen:
    • Click on “+” in additional settings
    • Click on “MAC randomization”
    • Choose “Don’t anonymize MAC addresses”
    • Click on “Add”
    • Click on “Start Tails”
  • Configure networking in the qube:
    • Check the IP address and gateway allocated to the qube: either in the qube settings GUI, on the right of the “Basic” tab, or by running qvm-ls -n Tails in a dom0 terminal (e.g. 10.137.1.101 with gateway 10.137.1.1).
    • In Tails qube, open system menu in top-right corner. Select “Wired Settings”, and change IPv4 configuration from “Automatic (DHCP)” to “Manual”.
      • Enter the Address: 10.137.1.101 in our example.
      • Enter the Netmask: 32
      • Enter the Gateway: 10.137.1.1 in our example.
      • Click “Apply”.

:tada: Tails should connect to the Tor network.
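The Setup and Run Tails steps above are all dom0 commands plus two values to type into Tails. The script below is an added example (it is not part of the guide) that wraps those steps as a dom0 helper, with the checks that usually bite: a memory setting below the 2048 MB minimum, a --cdrom spec that is not of the form qube:/absolute/path, and a qube name that already exists. The qube name “Tails” and the ISO location are the guide's own example values; the netvm sys-firewall is an assumption, override it with NETVM=... . Set DRY_RUN=1 to print the qvm-* commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the Tails HVM guide: dom0 helper for creating and starting
# the Tails HVM qube. Usage (in dom0):  sh tails-hvm.sh create | start | ip
# DRY_RUN=1 prints the qvm-* commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# --cdrom expects "qube:/absolute/path", e.g. isoVM:/home/user/Downloads/tails.iso
check_cdrom_spec() {
    case "$1" in
        ?*:/*) return 0 ;;
        *) printf 'bad --cdrom spec "%s" (want qube:/absolute/path)\n' "$1" >&2; return 1 ;;
    esac
}

# tails_create NAME NETVM MEMORY_MB
# Same properties as the guide's qvm-create: standalone, virt_mode=hvm, no dom0 kernel,
# so the qube boots from its own disk or the attached ISO.
tails_create() {
    name=$1; netvm=$2; mem=$3
    case "$mem" in
        ''|*[!0-9]*) printf 'memory must be a number of MB, got "%s"\n' "$mem" >&2; return 1 ;;
    esac
    if [ "$mem" -lt 2048 ]; then
        printf 'memory %s MB is below the 2048 MB minimum the guide requires\n' "$mem" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" != "1" ] && qvm-check --quiet "$name" 2>/dev/null; then
        printf 'qube %s already exists\n' "$name" >&2
        return 1
    fi
    run qvm-create --standalone --label red \
        --property=virt_mode=hvm --property=memory="$mem" --property=kernel='' \
        --property=netvm="$netvm" "$name"
}

# tails_start NAME CDROM_SPEC : boot the qube from the ISO held in another qube.
tails_start() {
    check_cdrom_spec "$2" || return 1
    run qvm-start "$1" --cdrom="$2"
}

# tails_ip_settings NAME : the values to enter in Tails' "Wired Settings" (Manual IPv4).
# Netmask is 32 because Qubes gives a qube a /32 address with a host route to its netvm.
tails_ip_settings() {
    printf 'Address: %s\nNetmask: 32\nGateway: %s\n' \
        "$(qvm-prefs "$1" ip)" "$(qvm-prefs "$1" visible_gateway)"
}

QUBE=${QUBE:-Tails}                                # guide's example qube name
NETVM=${NETVM:-sys-firewall}                       # assumption: choose your own netvm
ISO=${ISO:-isoVM:/home/user/Downloads/tails.iso}   # guide's example ISO location
case "${1:-}" in
    create) tails_create "$QUBE" "$NETVM" "${MEMORY:-2048}" ;;
    start)  tails_start "$QUBE" "$ISO" ;;
    ip)     tails_ip_settings "$QUBE" ;;
    "")     : ;;                                   # no verb: only define the functions
    *)      printf 'usage: %s create|start|ip\n' "$0" >&2 ;;
esac
```

After `start`, the MAC randomization step still has to be done by hand in the Tails welcome screen, since it is a Tails-side setting; `ip` then prints the three values for the Manual IPv4 configuration.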

Qubes OS specific issues

  • The screen resolution can be changed, but only to fairly small sizes.
  • The persistent storage feature does not work. This is due to a bug preventing Tails from booting from a disk image (.img); no solution has been found so far. If someone wants to work on it, the task is to figure out how to make Tails boot after creating the qube with the .img as its root disk: qvm-create --property=virt_mode=hvm --property=memory=4096 --property=kernel='' --label red --standalone --root-copy-from tails-amd64-6.19.img Tails
  • Using this trick, which requires a USB memory stick, you could “install” Tails in a qube and benefit from persistence, or even create disposable Tails qubes.

Security

You will probably want to implement MAC spoofing in sys-net, or in any other qube directly exposed to a physical or remote network: the Tails-side randomization disabled above only ever touched the internal virtual link, whereas sys-net's MAC is what the physical network sees.
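As an added example (not part of the guide), this is one way to implement that MAC spoofing with NetworkManager, which is what sys-net runs. The file has to be created in the TemplateVM that sys-net is based on, because changes under /etc in an app qube are lost at reboot; afterwards shut the template down and restart sys-net. The ROOT prefix argument is only a hook so the function can be tested against a scratch directory; on the real system it is empty. “stable” keeps one random MAC per connection profile, “random” picks a new one on every connection.

```shell
#!/bin/sh
# Added example, not from the Tails HVM guide: enable NetworkManager MAC randomization
# for the physical interfaces of sys-net. Run in sys-net's TemplateVM:
#   sudo sh mac-randomize.sh apply            (MODE=random for a fresh MAC per connection)
# then, from dom0:  qvm-shutdown --wait <template> && qvm-shutdown --wait sys-net && qvm-start sys-net

# write_mac_randomize_conf ROOT MODE
#   ROOT: prefix for the target path ("" for the live system, a temp dir for testing)
#   MODE: stable | random  (NetworkManager's "permanent" would disable randomization,
#         so it is rejected here on purpose)
write_mac_randomize_conf() {
    root=$1; mode=${2:-stable}
    case "$mode" in
        stable|random) ;;
        *) printf 'mode must be stable or random, got "%s"\n' "$mode" >&2; return 1 ;;
    esac
    dir="$root/etc/NetworkManager/conf.d"
    mkdir -p "$dir"
    cat > "$dir/00-macrandomize.conf" <<EOF
[device]
# randomize the MAC used while scanning for Wi-Fi networks
wifi.scan-rand-mac-address=yes

[connection]
# randomize the MAC used once connected, for Wi-Fi and wired links alike
wifi.cloned-mac-address=$mode
ethernet.cloned-mac-address=$mode
EOF
}

# ethernet_mac_mode ROOT : read back the wired setting, to verify what was written.
ethernet_mac_mode() {
    sed -n 's/^ethernet\.cloned-mac-address=//p' \
        "$1/etc/NetworkManager/conf.d/00-macrandomize.conf"
}

case "${1:-}" in
    apply) write_mac_randomize_conf "" "${MODE:-stable}" && printf 'written; restart sys-net\n' ;;
    "")    : ;;    # no verb: only define the functions
    *)     printf 'usage: MODE=stable|random %s apply\n' "$0" >&2 ;;
esac
```

Once sys-net is back up, `ip link show` inside it should show a different MAC on the physical interface than the one printed on the hardware, and a second boot should show yet another one with MODE=random.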

Troubleshooting

See the Tails Troubleshooting guide.


Adding the below for those who have a preexisting persistent Tails USB and who wish to convert to an HVM: Running Tails with a persistent volume in Qubes · freedomofpress/securedrop Wiki · GitHub


I entirely reworked the guide.


Is it possible to create a sys‑tails setup to use webtunnel in Tails and route webtunnel + Tor to other VMs? If yes, solene, could you please write a guide? I don’t see any other way to work with Tor and webtunnel for routing to other VMs

I really don’t know, sorry; networking in Tails is really complicated because it prevents anything but Tor from working.

The Whonix developer does not plan to add support for webtunnel: Adding webtunel bridges to whonix - #3 by Patrick - Support - Whonix Forum

I stumbled upon this guide to setup webtunnel in a fedora qube: Qubes OS Tor Configuration (Very Helpful When Using WebTunnel) - Rebel Zhang's Blog

I tried Qubes OS Tor Configuration (Very Helpful When Using WebTunnel) - Rebel Zhang's Blog, but I didn’t have a connection to Tor :confused:. I did everything exactly as written in the guide. Please try this guide if you have free time for it. If it works for you, I will try again.

Thank you for your support and guides

This may result in changing packet headers slightly. I would be concerned that this would look different from other Tails users. As a non-computer scientist, I do not know whether surveillance capitalist companies (i.e. big tech/government) can detect that, but I’d be surprised if they can’t.