Basic Configuration: Host, VPN, VirtualBox, and Workspace VMs
In this basic setup, the host machine connects to the internet through a VPN service, with firewall rules on the host to prevent leaks. VirtualBox is installed on the host, and several Linux workspace VMs are used to separate and isolate activities. Each Linux workspace VM reaches the internet through the host’s VPN and, inside that tunnel, runs a second connection: another VPN service or the Tor network. Firewall rules inside each VM prevent leaks there as well. For Tor, this guide uses Whonix, which consists of a Tor gateway VM and a Linux (Debian-based) workstation VM.
By default, VirtualBox isolates the resources (storage, memory, processing) used by each VM from both the host and other VMs. All Linux workspace VMs (and the Whonix gateway VM) reach the host’s VPN connection through NAT (Network Address Translation); in this mode each VM sits behind its own NAT engine, so VMs cannot talk to each other on the network. On the internet, the Linux workspace VMs (and the Whonix workstation VM) are also distinguishable from each other, because each exits through a different VPN server or Tor circuit and therefore shows a different public IP address and latency profile.
Since Whonix separates the workspace and the network into different VMs, an attacker who compromises the workstation cannot bypass Tor or the gateway’s firewall rules. A VPN client running inside a Linux workspace VM has no such separation: code running in that VM can stop the VPN or change the firewall rules. Even then the damage is limited, because the host’s VPN client is out of the compromised VM’s reach, so what the attacker sees is the host VPN’s exit address, not your real IP. In advanced setups, all workspaces and all network clients (VPN and Tor) run in separate VMs.
Setting Up a VPN on the Host Machine
If you already use a VPN service, you can skip to the next step. If not, choose a VPN provider and install their client following the provider’s instructions. For Linux, you can use the instructions below.
If you haven’t set up firewall rules to prevent leaks, it’s wise to do so. All traffic (including DNS requests) should go through the VPN tunnel, and if the VPN connection drops, there should be no internet access. Also, use your VPN provider’s DNS servers or trusted third-party DNS servers, not your ISP’s DNS servers.
Below are instructions for setting up the UFW firewall on Linux. For Windows, you can use tools like Comodo or simplewall; for macOS, use LuLu.
It’s also a good idea to check for leaks. Instructions for leak testing on Linux are provided below. The same approach applies to Windows or macOS; only the Wireshark installation differs.
Installing VirtualBox
This step is straightforward. Download the VirtualBox version for your host OS from https://www.virtualbox.org/wiki/Downloads. For Windows hosts, run the downloaded installer. For macOS, double-click the downloaded file and drag the app to the “Applications” folder. On Ubuntu, open the downloaded package with the Application Manager and install it. On Debian, install the downloaded .deb package with dpkg in the terminal. After installing VirtualBox, download the “Extension Pack” and open it in VirtualBox to install. Pressing “F1” in VirtualBox opens the comprehensive user manual.
Creating a Linux Workspace VM
Creating virtual machines is easy, and section 1.7 of the VirtualBox manual (press F1) explains the process well. There are two steps: first, set up a new VM in VirtualBox; second, start the VM and install the OS as you would on a physical machine.
Linux is the best choice for a secure and private VM. It’s open source and free, so there’s no money trail linking you to a product ID. Ubuntu is a good choice for Linux beginners. This guide assumes you’re using Ubuntu 22.04 LTS. More advanced distributions will be covered elsewhere.
First, download the ISO file for your chosen Linux distribution. Open VirtualBox and click “New.” Enter the desired VM name, select the directory, specify the ISO file, click “Skip Unattended Installation,” then “Next.” Check “Guest Additions.” Allocate the desired amount of RAM and CPU resources.
Use the default values for the virtual hard disk type and location, but set a maximum size of at least 100–200 GB. The initial disk size will be about 5–6 GB, but a large maximum size allows for easy, unplanned growth. Review the summary and click “Finish.”
Next, configure the new VM’s settings. In “General/Advanced,” set “Shared Clipboard” and “Drag’n’Drop” to “Disabled” (both are channels between guest and host that malware inside the VM could use). In “System/Processor,” enable “PAE/NX” (if supported by your host). In “Display/Screen,” increase video memory to 128 MB (if your host has enough RAM). In “USB,” uncheck “Enable USB controller” (for security: no host USB device can then be attached to the VM).
Double-click the new VM and complete the OS installation. You may choose automatic disk setup with encryption. Be clear about what this does and does not protect: while the VM runs, the host holds the guest’s memory and its decrypted data, so guest disk encryption does not hide the VM’s contents from a compromised host. It does protect the VM’s data at rest (when the VM is powered off), which is better than nothing. After installation, when the VM reboots, click “Devices” in the main menu, select “CD/DVD Devices,” and choose “Remove disk from virtual drive.”
For better VM performance, install the VirtualBox Guest Additions (kernel modules and drivers for the virtual hardware). Guest Additions also improve display and mouse integration and allow mounting host folders (shared folders) in the VM. However, shared folders and some of the integration features open channels between guest and host and so reduce isolation. This is the usual trade-off between convenience and security; the safe default is to leave shared folders unconfigured. Ubuntu may offer the guest additions kernel modules under “Software & Updates” > “Additional Drivers.” You can also install Guest Additions via “Devices” > “Insert Guest Additions CD image…” in VirtualBox, but don’t use both methods.
Use the update manager to download and install updates, then reboot the system.
Setting Up a VPN on the Linux Workstation
These instructions are for OpenVPN- and WireGuard-based VPNs. Some networks now block or throttle these protocols, but they’re still widely used. To prevent traffic leaks, set up a firewall that blocks all connections if the VPN drops. This basic guide shows how to do this inside a regular VM; in advanced setups, you do the same on the host that runs the Whonix Gateway VM. Whonix officially documents only OpenVPN for this purpose, so OpenVPN is used as the example.
In future materials, we’ll cover how to professionally mask OpenVPN and WireGuard to bypass advanced blocks.
Check your VPN credentials: usually a *.ovpn file. Configurations should be downloaded over HTTPS and stored securely; avoid providers that don’t use HTTPS. You may also need a username and password for the VPN connection, which may differ from your account credentials on the VPN provider’s website. Some low-quality services send connection credentials by email; if so, change that password immediately on the provider’s site.
Almost all VPN services provide a ca.crt (certificate authority) file. This certificate lets the client verify the VPN server before sending anything through it; a client certificate, where the provider issues one, lets the server verify the client in turn. Some VPNs also provide a ta.key for TLS authentication (tls-auth or tls-crypt): every control-channel packet is then HMAC-signed with this pre-shared key, so packets from anyone who does not hold the key are dropped before the TLS handshake even starts.
You’ll also need other information from your OpenVPN config file: the remote line gives the server, the port and sometimes the protocol. First, choose a VPN server to connect to. Avoid the US, UK, France, Eastern Europe, and China. Germany, Finland, Estonia, Georgia, and the Netherlands are good choices. For UFW to work correctly (see below), you’ll need the server’s IP address, not its hostname: the firewall rule must name an address, and once outgoing traffic is denied by default there is no DNS available to resolve a hostname before the tunnel is up.
To connect to a server (in Ubuntu), go to “Settings” > “Network,” click “+” next to “VPN,” then “Import from file…” and select your *.ovpn config file. Click “Add.” Then toggle the switch to activate the connection. When the VPN is active, you’ll see a “VPN” icon in the top right of the screen.
After connecting, verify it works by visiting https://whatismyipaddress.com. If the connection fails or you see your real IP, double-check your configuration.
Setting Up UFW
UFW is a simple and popular firewall, which we’ll use to set up a kill switch.
- Update your system and install UFW:
sudo apt update && sudo apt upgrade -y && sudo apt install ufw
- Enable the firewall:
sudo ufw enable
- Block all incoming and outgoing traffic by default:
sudo ufw default deny outgoing && sudo ufw default deny incoming
- Allow outgoing traffic on tun0, the tunnel interface OpenVPN creates by default (for WireGuard, use the name of its interface instead; check with ip link once connected):
sudo ufw allow out on tun0 from any to any
- Optionally, allow incoming traffic on tun0 (e.g., for torrenting):
sudo ufw allow in on tun0 from any to any
- Allow traffic to your VPN server itself, the one connection that has to leave outside the tunnel:
sudo ufw allow out to [VPN_SERVER_IP] port [PORT] proto udp
Replace [VPN_SERVER_IP] and [PORT] with the values from the remote line of your *.ovpn config (and use proto tcp if the config says proto tcp). This must be an IP address: with outgoing traffic denied by default, nothing can resolve a hostname before the tunnel is up.
- Do not add a blanket exception for port 53 (DNS). Once tun0 is allowed, DNS queries reach your VPN provider’s resolver through the tunnel, and a rule such as “allow out 53” on all interfaces would let DNS bypass the tunnel, which is exactly the leak the kill switch exists to prevent. If websites stop resolving while the VPN is up, fix the DNS configuration (the VPN connection should be using the resolvers pushed by the provider) rather than opening the firewall.
- Ensure UFW starts with the system:
sudo systemctl enable ufw
- Reboot and check that the firewall is active with deny defaults:
sudo ufw status verbose
- To switch the kill switch off (for instance to use the network without the VPN), disable the firewall; note that this disables UFW, not the VPN connection:
sudo ufw disable
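The profile-reading and kill-switch steps above, combined into one script that refuses a hostname in the remote line and never opens port 53 outside the tunnel. This is an added example, not code from the original guide; it assumes a standard OpenVPN profile (remote and proto lines), the tun0 interface, and the placeholder server address 203.0.113.10 from the RFC 5737 documentation range in its constructed sample profile:

```shell
#!/bin/sh
# Added example, not part of the original guide: read the VPN endpoint out of
# an OpenVPN profile, refuse to proceed unless it is a literal IPv4 address,
# and build the UFW kill-switch rule set for it. Assumptions: standard
# "remote <host> [port]" and "proto <udp|tcp>" lines, tunnel interface tun0,
# and the placeholder server 203.0.113.10 (RFC 5737) in the sample profile.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
# UFW resolves a hostname once, when the rule is added, and with outgoing
# traffic denied by default there is no DNS before the tunnel is up anyway.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print "server port proto" from the first remote line of an .ovpn file,
# falling back to OpenVPN's defaults (port 1194, udp) when they are omitted.
ovpn_endpoint() {
    awk '
        $1 == "remote" && !seen { host = $2; port = ($3 != "" ? $3 : "1194"); seen = 1 }
        $1 == "proto"           { proto = $2 }
        END {
            if (!seen) exit 1
            if (proto == "") proto = "udp"
            sub(/-client$/, "", proto)   # tcp-client -> tcp
            sub(/[46]$/, "", proto)      # udp4 / tcp6 -> udp / tcp
            print host, port, proto
        }' "$1"
}

# Emit the ufw commands for the kill switch: nothing in or out by default,
# everything out via tun0, plus the one hole needed to reach the VPN server.
# No "allow out 53": DNS travels inside the tunnel, and a global DNS exception
# would be exactly the leak the kill switch is meant to stop.
ufw_killswitch_rules() {
    server=$1 port=$2 proto=$3
    cat <<EOF
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw allow out to $server port $port proto $proto
sudo ufw --force enable
EOF
}

# Print the rules for a profile; with APPLY=1 run them instead.
killswitch_from_ovpn() {
    ep=$(ovpn_endpoint "$1") || { echo "no remote line in $1" >&2; return 1; }
    set -- $ep                      # server port proto
    if ! is_ipv4 "$1"; then
        echo "remote '$1' is a hostname; put the server's IP in the .ovpn first" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        ufw_killswitch_rules "$1" "$2" "$3" | sh -ex
    else
        ufw_killswitch_rules "$1" "$2" "$3"
    fi
}

# Constructed sample profile; real ones also carry <ca>, <cert> and <key> blocks.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
EOF
killswitch_from_ovpn "$sample"      # dry run: prints the five ufw commands
rm -f "$sample"
```

Run it without APPLY to review the rule set; APPLY=1 executes the commands through sudo. The enable step uses --force so that ufw does not stop to ask about SSH sessions when its input is a pipe.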
Check your DNS servers by running a standard DNS test at https://www.grc.com/dns/. It should show only resolvers belonging to your VPN service. If it shows your ISP’s resolvers or your local router, your VPN or firewall setup is leaking DNS.
Checking for Leaks with Wireshark
You can also check for leaks using Wireshark. To install Wireshark, open a terminal in your VM and run:
sudo apt update && sudo apt install wireshark
When the installer asks whether non-superusers should be able to capture packets, answer Yes and add your user to the wireshark group, so that after the reboot you can run a large packet parser as your normal user instead of as root. Reboot the VM and establish your VPN connection. Then open Wireshark from the applications menu or with:
wireshark
Start a capture on the VM’s NAT adapter (enp0s3 on Ubuntu 22.04 in VirtualBox; older systems call it eth0). Use Firefox to check https://whatismyipaddress.com and run the DNS test at https://www.grc.com/dns/. Stop the capture and go to “Statistics > Endpoints.” You should see only one non-private, public IP address: your VPN server’s IP. Also watch for traffic to 10.0.2.3, VirtualBox’s NAT DNS proxy: DNS queries to it while the VPN is up mean the VM’s resolver is bypassing the tunnel.
Now kill the OpenVPN process (sudo killall openvpn in the terminal) and start a new capture on the same adapter. Make sure Firefox can’t access anything. Stop the capture and check “Statistics > Endpoints.” You should see only local private IP traffic plus leftover packets to or from the VPN server you were connected to (keepalives and reconnection attempts); anything else is a leak.
Finally, restore your VPN connection and verify it’s working.
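The Endpoints check above as a script, so the test can be repeated after every VPN or firewall change. This is an added example, not from the original guide; it assumes the capture is exported with tshark (installed alongside Wireshark) and that the VPN server address is passed as the argument, and its sample addresses are constructed from the RFC 5737 documentation ranges. It also flags DNS to 10.0.2.3, VirtualBox’s NAT resolver proxy, which the Endpoints view alone would show as harmless private traffic:

```shell
#!/bin/sh
# Added example, not part of the original guide: the "Statistics > Endpoints"
# check as a script. Input is one or more IPv4 addresses per line, as printed
# by the assumed export command
#   tshark -r leak.pcapng -T fields -e ip.src -e ip.dst | leak_check 203.0.113.10
# with the capture taken on the VM's NAT adapter and the VPN server as argument.
# Every address that is neither local nor the VPN server is a leak; so is
# 10.0.2.3, VirtualBox's NAT DNS proxy, because DNS to it bypasses the tunnel.
# Sample addresses below are constructed from the RFC 5737 documentation ranges.
set -eu

# Print "local" for loopback, RFC 1918, link-local, multicast and broadcast
# addresses, "public" for anything else.
ip_class() {
    printf '%s\n' "$1" | awk -F. '
        $1 == 10 || $1 == 127 || $1 >= 224   { print "local"; next }
        $1 == 172 && $2 >= 16 && $2 <= 31    { print "local"; next }
        $1 == 192 && $2 == 168               { print "local"; next }
        $1 == 169 && $2 == 254               { print "local"; next }
                                             { print "public" }'
}

# Read addresses from stdin; report each distinct leak on stderr and return 1
# if any was found, 0 if the capture is clean.
leak_check() {
    vpn=$1
    leaks=$(tr -s ' \t' '\n\n' | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u |
        while read -r ip; do
            if [ "$ip" = 10.0.2.3 ]; then
                echo "$ip (VirtualBox NAT DNS proxy: DNS is bypassing the tunnel)"
            elif [ "$ip" != "$vpn" ] && [ "$(ip_class "$ip")" = public ]; then
                echo "$ip (public address reached outside the tunnel)"
            fi
        done)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/LEAK: /' >&2
        return 1
    fi
    echo "clean: only local addresses and VPN server $vpn seen"
}

# Constructed sample captures: VM 10.0.2.15 talking only to the VPN server,
# then the same plus a DNS query to an outside resolver and one to the NAT proxy.
clean='10.0.2.15 203.0.113.10
203.0.113.10 10.0.2.15'
printf '%s\n' "$clean" | leak_check 203.0.113.10
printf '%s\n10.0.2.15 198.51.100.53\n10.0.2.15 10.0.2.3\n' "$clean" | leak_check 203.0.113.10 || true
```

The second sample prints two LEAK lines and returns 1; wire that return code into whatever you use to re-run the check after every configuration change.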
Installing Whonix
Whonix consists of a pair of Debian VMs: a gateway VM (Whonix Gateway) that connects to the Tor network, and a workstation VM (Whonix Workstation) that connects through the gateway. Installing Whonix is simple. Start by downloading Whonix to your host machine through your VPN. Verify the downloaded files with the OpenPGP signatures and the Whonix signing key. If you can’t, at least download via BitTorrent, whose per-piece hash checks protect against a corrupted download (but not against a malicious one; only the signature does that).
Import the gateway and workstation VMs: with VirtualBox installed, double-click the downloaded .ova file (or use “File” > “Import Appliance”) and follow the prompts. If you’ll use only one Whonix instance, start the Whonix Gateway first, then the Workstation. Download and install updates as instructed. After rebooting both VMs, you’re ready to go.
If you’ll use multiple Whonix instances (e.g., to separate internet activities), each gateway and workstation VM must have a unique name (which determines its folder name). After importing the first pair, edit their names in the VirtualBox GUI, adding a unique suffix to distinguish them from others you’ll import later.
Additionally, the gateway and workstation VMs of each Whonix instance must share an internal network name that no other instance uses. First, edit the adapter 2 settings of the gateway VM (under “Network”). Change the internal network name from “Whonix” to “Whonix-1” or any other unique name. Don’t change the adapter 1 settings; by default (NAT), it connects via the host’s VPN. Then edit the adapter 1 settings of the workstation VM, changing its internal network name to match the one you just gave the gateway’s adapter 2.
Now start the first Whonix gateway, then the workstation. Download and install updates as instructed. After rebooting both VMs, you’re all set.
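The VM isolation settings from the VM configuration step and the multi-instance Whonix setup above, as a VBoxManage script instead of GUI clicks. This is an added example, not from the Whonix or VirtualBox documentation; it assumes a single combined Whonix .ova whose first appliance is the gateway and second the workstation (confirm the order with VBoxManage import -n before running for real), uses the placeholder file name Whonix-Xfce.ova, and defaults to printing the commands rather than executing them:

```shell
#!/bin/sh
# Added example, not from the Whonix or VirtualBox documentation: set up an
# extra Whonix pair (plus the per-VM isolation settings from the VM
# configuration step) with VBoxManage. Assumptions: the Whonix download is a
# single .ova whose first appliance (--vsys 0) is the gateway and second
# (--vsys 1) the workstation; confirm with "VBoxManage import -n <file>.ova".
# The file name Whonix-Xfce.ova is a placeholder. Defaults to a dry run that
# prints the commands; set DRY_RUN=0 to execute them.
set -eu
DRY_RUN=${DRY_RUN:-1}

# Run VBoxManage, or print the command line when dry-running.
vbm() {
    if [ "$DRY_RUN" = 1 ]; then printf 'VBoxManage %s\n' "$*"; else VBoxManage "$@"; fi
}

# Isolation settings from the guide's VM configuration step: no clipboard
# sharing and no drag and drop between guest and host.
harden_vm() {
    vbm modifyvm "$1" --clipboard-mode disabled --draganddrop disabled
}

# Import Whonix pair number $1 from the .ova $2. Gateway adapter 1 stays NAT
# (out through the host VPN); gateway adapter 2 and workstation adapter 1
# share an internal network named after the pair, so pairs cannot see each other.
whonix_pair() {
    n=$1 ova=$2
    gw="Whonix-Gateway-$n"; ws="Whonix-Workstation-$n"; net="Whonix-$n"
    vbm import "$ova" --vsys 0 --vmname "$gw" --vsys 1 --vmname "$ws"
    vbm modifyvm "$gw" --nic1 nat --nic2 intnet --intnet2 "$net"
    vbm modifyvm "$ws" --nic1 intnet --intnet1 "$net"
    harden_vm "$gw"
    harden_vm "$ws"
}

whonix_pair 2 Whonix-Xfce.ova
```

Giving the names at import time also gives each VM its own folder, which is what the manual renaming step above is for; the internal network name is the only thing that keeps one pair’s workstation from reaching another pair’s gateway.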
Diversity of Operating Systems Is Critical for Security
When VMs are used for separation, browser fingerprints can undo that separation, and WebGL fingerprints are especially risky. WebGL uses the GPU through the OS graphics driver, and on one host all VMs that use the same virtual GPU with the same guest graphics driver produce the same WebGL fingerprint. For example, if you have a Debian VM connecting through a nested VPN chain and an Ubuntu VM connecting directly or through another chain, Firefox with default settings in both VMs will report the same WebGL fingerprint! A site visited from both can link the two VMs and break the separation.
You can easily disable WebGL in browsers. Take the VM offline by setting Adapter 1 to “Not attached” in the VirtualBox network settings. Then launch Firefox in the VM, type about:config in the address bar, accept the risk, and set webgl.disabled to true. Now set Adapter 1 back to NAT. You can also install NoScript and check “Forbid WebGL” under the “Embeddings” tab in its settings.
However, mistakes can happen. You might install a new browser and forget to disable WebGL. Any sites you visit while WebGL is enabled can “fingerprint” the VM, potentially linking it to other VMs using the same graphics driver.
Given this, it’s best to separate VMs by graphics driver as well. Browsers in all distributions that ship the same build of the Mesa graphics driver (Debian, Ubuntu, Lubuntu, Mint, Xubuntu, etc.) will have the same WebGL fingerprint, while VMs with different drivers will report different fingerprints. Options include: Arch, Fedora, BSD, Windows. Verify rather than assume: compare the WebGL renderer strings the VMs actually report (for example on a fingerprinting test page) after setting them up.