How to run Tails from a Qubes live cd

In this article we are going to show you how to run a Tails live cd from a Qubes live cd.

Warning:
This is for experimental purposes only. Don’t use this in a production environment. Right now this is just a rough sketch how one could setup Tails on a Qubes live environment. There is still a lot that needs to be done to lock it down properly.

Why would you want to run Tails from a Qubes live cd?

There are two main reasons for this:

1. By default Tails obscures a lot of uniquely identifying bits about the system and the user. However Tails is mostly run on bare metal. This is a recommended approach for good reasons. But this makes it relatively easy to get access to uniquely identifying parts from the hardware of the system. This can include (unique) serial numbers from: the motherboard, cpu, videocard, memory, network card and bios. It can even include the unique service tags from the original equipment manufacturer (woops). Sophisticated attackers can use this information to de-anonymize users. With virtualization you can obscure and anonymize this information even more to minimize information leaks.
2. Tails does not protect against a compromised endpoint. If attackers can gain root access to a Tails system they can shutdown or circumvent Tor to de-anonymize the user. One solution for this problem is to separate the ‘workstation’ from the ‘Tor proxy’. With virtualization it is easy to create such a setup. Whonix is a project that already implements this idea and it is available for Qubes! So why not switch to Whonix? Well because Whonix is mainly aimed at persistent installations, whilst Tails is not. We would argue that, on top of all the security and privacy technologies, Tails’ main strength is the fact that it is amnesiac or non-persistent. A reboot should clean up all records of its use. In order to keep this important property and get the benefits of virtualization you would need to run Tails from a virtual environment which in itself is also not persistent. One such virtual environment is the Qubes live cd.

Problems with live cd’s and virtual environments

Running Tails from a virtual environment does introduce its own set of problems:

• Extra complexity – “Complexity is the enemy of security”.
• Lack of cryptographic entropy.

Live cd’s are notoriously bad at creating entropy. Virtual environments have issues with this as well. And if you combine the two, ehm well… that could be a recipe for a disaster.

We currently lack sufficient data on the creation of entropy for this kind of setup. We ask the community for input on this issue. We are looking for good sources on this subject and recommendations on how to generate entropy for this setup.

This is our current -unqualified- recommendation to alleviate the entropy problem. Take this with a grain of salt:
We recommend that you boot Qubes. Leave it alone for at least 15 minutes. After 15 minutes make some random mouse movements for at least 15 seconds and then start using the system. We recommend the same exercise for the virtual machines that are run on Qubes. Hopefully this will generate ‘enough’ entropy for the entire setup. However we need more data on this topic. Again we would like some input on whether this is good enough or not.

How to configure a Tails VM on a Qubes live cd

We begin with a basic setup of running a single Tails VM on a Qubes live cd. This setup will not protect against a compromised endpoint. But it will obscure more information about the system compared to running Tails on a non-virtualized system. The instructions for how to configure a separate Tails workstation and Tails gateway setup are in the next section.

Prerequisites:

• A system that runs Qubes
• Enough memory to run Qubes and one Tails VM
• Latest Tails iso (2.2.1 or later)
• Latest Qubes live cd iso (3.1 alpha or later)

Instructions:

1. Disconnect the system from the network
2. Boot the Qubes live cd
3. Generate enough entropy (see notes above)
4. Plug in the medium with the Tails iso – Qubes notifies you about the newly connected device
5. Mount the medium with the Tails iso – Use the information from the notification to mount the correct device


sudo mount /dev/XXX /mnt

Examples:
sudo mount /dev/sdb1 /mnt
sudo mount /dev/sr1 /mnt


6. Copy the Tails iso to the Qubes live system


rsync -avP /mnt/path/to/iso /home/qubes/

Example:
rsync -avP /mnt/tails-i386-2.2.1.iso /home/qubes/


7. Unmount and eject the medium with the Tails iso


sudo eject /mnt


8. Create a Tails VM with 1GB memory (use more memory if available)


qvm-create tails --hvm --label red --mem 1024


9. Start the Tails VM – use the full path to the iso


qvm-start tails --cdrom=/full/path/to/iso

Example:
qvm-start tails --cdrom=/home/qubes/tails-i386-2.2.1.iso


10. The Tails VM should startup in a new screen
11. Login to the Tails VM – you don’t need “More options” for this setup
12. Generate enough entropy (see notes above)
13. Configure the Tor Browser to the desired “Privacy and Security Settings”
• Open the Tor Browser.
• You will receive a popup with a warning: “Tor is not ready. Start Tor Browser anyway?”. Click on “Start Tor Browser”.
• You can find the “Privacy and Security Settings” under the green onion symbol in the top left corner.
• For maximum privacy and security it is recommended to set it to the highest security level: “High”.
• Click on “OK” to close the window.
14. Get the network configuration from Qubes for the eth0 interface of the tails VM
• Open the “Qubes VM Manager”.
• Right click on the “tails” VM and click on “VM settings”.
• Make sure you are on the tab called “Basic”.
• Look for section called “Networking”. This should list an: “IP”, “Netmask” and “Gateway”.
• You need to configure this information in the tails VM in the following step.
• Click on “OK” to close the menu.
15. Configure the network configuration of the eth0 interface of the tails VM
• Go to the tails VM and click in the upper right corner on the shutdown button.
• Then click on “Wired”.
• A drop down menu will appear. Click on “Wired Settings”.
• A menu will popup. Make sure that “Wired” is selected.
• Click on the gear symbol at the bottom on the right.
• Select “IPv4”.
• Click on “Automatic (DHCP)” and switch it to “Manual”.
• Use the “Networking” information you have gathered from a step earlier to fill in the following information:

Address: “IP”
Netmask: “Netmask”
Gateway: “Gateway”

Default values:
Address: 10.137.2.11
Netmask: 255.255.255.0
Gateway: 10.137.2.1

• Click on “Apply”
16. That completes the Tails configuration
17. You can now connect the Qubes system to your local network. Connect a network cable or setup a wireless connection. Qubes will automatically configure a network configuration via DHCP once it is connected to the local network.
18. This should complete the configuration. You should now wait for a functional Tor circuit in the tails VM. When Tor is ready on the tails VM you should be able to browse the web.

How to configure a Tails workstation with Tails gateway setup

In this section we explain how to create a setup where the Tails workstation is separated from the Tails Tor proxy. We refer to the ‘Tails Tor proxy’ as the ‘Tails gateway’. With this setup we will create two Tails virtual machines. One virtual machine is used to perform all the usual tasks, like: web browsing, chat, text editing, etc. This is the Tails workstation VM. The other VM, the Tails gateway VM, is used to route all the traffic from the Tails workstation through the Tor network. This setup could protect your anonymity even if the Tails workstation VM is compromised.

Prerequisites:

• A system that runs Qubes
• Enough memory to run Qubes and two Tails VM’s
• Latest Tails iso (2.2.1 or later)
• Latest Qubes live cd iso (3.1 alpha or later)

Instructions:

1. Disconnect the system from the network
2. Boot the Qubes live cd
3. Generate enough entropy (see notes above)
4. Plug in the medium with the Tails iso – Qubes notifies you about the newly connected device
5. Mount the medium with the Tails iso – Use the information from the notification to mount the correct device


sudo mount /dev/XXX /mnt

Examples:
sudo mount /dev/sdb1 /mnt
sudo mount /dev/sr1 /mnt


6. Copy the Tails iso to the Qubes live system


rsync -avP /mnt/path/to/iso /home/qubes/

Example:
rsync -avP /mnt/tails-i386-2.2.1.iso /home/qubes/


7. Unmount and eject the medium with the Tails iso


sudo eject /mnt


8. Create 2 Tails VM’s with 1GB memory each (use more memory if available)


qvm-create tails_gateway --hvm --label red --mem 1024
qvm-create tails_workstation --hvm --label green --mem 1024


9. Remove the default netVM connection from tails_workstation VM
• Open the “Qubes VM Manager”.
• Right click on the “tails_workstation” VM.
• Select “VM Settings”.
• Make sure you are on the tab called “Basic”.
• Set NetVM to “none”.
• Click on “OK” to close the menu.
10. Start both VM’s – use the full path to the iso


qvm-start tails_gateway --cdrom=/full/path/to/iso
qvm-start tails_workstation --cdrom=/full/path/to/iso

Example:
qvm-start tails_gateway --cdrom=/home/qubes/tails-i386-2.2.1.iso
qvm-start tails_workstation --cdrom=/home/qubes/tails-i386-2.2.1.iso


11. The Tails VM’s should startup in new screens
12. Add a network connection between tails_gateway and tails_workstation – type in Qubes terminal


xl network-attach tails_workstation script=/etc/xen/scripts/vif-route-qubes backend=tails_gateway


13. Login to the Tails VM’s
• When asked for “More options” you need to select “Yes” on both VM’s
• Click on “Forward”
• Fill in “Password” and “Verify Password”
• Select “Login”
14. Generate enough entropy (see notes above)
15. Configure the network configuration of the vifX.X interface of the tails_gateway VM – replace X.X with numbers from your VM
• Go to the tails_gateway VM and click in the upper right corner on the shutdown button.
• Then click on “Ethernet (vifX.X)”.
• A drop down menu will appear. Click on “Wired Settings”.
• A menu will popup. Make sure that “Ethernet (vifX.X)” is selected.
• Click on the gear symbol at the bottom on the right.
• Select “IPv4”.
• Click on “Automatic (DHCP)” and switch it to “Manual”.
• Fill in the following information:

Address: 192.168.199.1
Netmask: 255.255.255.252
Gateway: (leave empty)

• Click on “Apply”
16. Get the network configuration from Qubes for the eth0 interface of the tails_gateway VM.
• Open the “Qubes VM Manager”.
• Right click on the “tails_gateway” VM and click on “VM settings”.
• Make sure you are on the tab called “Basic”.
• Look for section called “Networking”. This should list an: “IP”, “Netmask” and “Gateway”.
• You need to configure this information in the tails_gateway VM in the following step.
• Click on “OK” to close the menu.
17. Configure the network configuration of the eth0 interface of the tails_gateway VM
• Go to the tails_gateway VM and click in the upper right corner on the shutdown button.
• Then click on “Ethernet (eth0)”.
• A drop down menu will appear. Click on “Wired Settings”.
• A menu will popup. Make sure that “Ethernet (eth0)” is selected.
• Click on the gear symbol at the bottom on the right.
• Select “IPv4”.
• Click on “Automatic (DHCP)” and switch it to “Manual”.
• Use the “Networking” information you have gathered from a step earlier to fill in the following information:

Address: “IP”
Netmask: “Netmask”
Gateway: “Gateway”

Default values:
Address: 10.137.2.11
Netmask: 255.255.255.0
Gateway: 10.137.2.1

• Click on “Apply”
18. Save the firewall configuration on tails_gateway – type in tails_gateway terminal


sudo iptables-save > iptables.rules


19. Edit tails_gateway iptables ruleset to allow incoming connections from tails_workstation – type in tails_gateway terminal


sudo nano iptables.rules


Add the following line after the line: “-A INPUT -i lo -j ACCEPT”

-A INPUT -i vif+ -s 192.168.199.2 -d 192.168.199.1 -p tcp -m multiport --dports 9050,9061,9062,9150 -m state --state NEW -j ACCEPT


20. Load new iptables configuration – type in tails_gateway terminal


sudo iptables-restore < iptables.rules


21. Configure Tor on tails_gateway to accept traffic from the tails_workstation – type in tails_gateway terminal


sudo sed -i 's/127.0.0.1/192.168.199.1/' /etc/tor/torrc
sudo service tor restart


22. Configure the network configuration of the eth0 interface of the tails_workstation VM
• Go to the tails_workstation VM and click in the upper right corner on the shutdown button.
• Then click on “Wired”.
• A drop down menu will appear. Click on “Wired Settings”.
• A menu will popup. Make sure that “Wired” is selected.
• Click on the gear symbol at the bottom on the right.
• Select “IPv4”.
• Click on “Automatic (DHCP)” and switch it to “Manual”.
• Fill in the following information:

Address: 192.168.199.2
Netmask: 255.255.255.252
Gateway: (leave empty)

• Click on “Apply”

23. Disable Tor on tails_workstation – type in tails_workstation terminal


sudo sh -c 'echo "DisableNetwork 1" >> /etc/tor/torrc'
sudo service tor stop


24. Configure the Tor Browser to the desired “Privacy and Security Settings” on the tails_workstation. Changing this setting resets the proxy settings.
• Open the Tor Browser.
• You will receive a popup with a warning: “Tor is not ready. Start Tor Browser anyway?”. Click on “Start Tor Browser”.
• You can find the “Privacy and Security Settings” under the green onion symbol in the top left corner.
• For maximum privacy and security it is recommended to set it to the highest security level: “High”.
• Click on “OK” to close the window.
25. Configure the proxy settings on the Tor Browser on the tails_workstation VM.
• Open the Tor Browser.
• Type: about:config in Tor Browser address bar and hit enter.
• Click on: “I’ll be careful, I promise!”
• After the “Search” bar type: 127.0.0.1
• Change the 127.0.0.1 value to 192.168.199.1 of the following “Preference Names”

extensions.torbutton.custom.socks_host
extensions.torbutton.socks_host
network.proxy_socks

• Double click on the “Preference Name” to change the value. A popup will appear. Change 127.0.0.1 to 192.168.199.1 and click “OK”.
• Open a new Tor Browser tab and close the “about:config” tab. This will prevent the Tor Browser from shutting down and resetting some of the values.
• The Tor Browser is now configured to use the tails_gateway.
26. Configure torsocks and torify on tails_workstation – type in tails_workstation terminal

sudo nano /etc/tor/torsocks.conf

Change:
TorAddress 127.0.0.1

To:
TorAddress 192.168.199.1


Torsocks and torify are now configured to use the tails_gateway.


27. You can now connect the Qubes system to your local network. Connect a network cable or setup a wireless connection. Qubes will automatically configure a network configuration via DHCP once it is connected to the local network.
28. This should complete the configuration. You should now wait for a functional Tor circuit in the tails_gateway VM. When Tor is ready on the tails_gateway you should be able to browse the web via the tails_workstation VM.

What remains to be done

• The current version of the Qubes live cd is outdated. In order to benefit from the latest updates we would need a new version. So we would have to ask the Qubes developers politely whether they can help out. They could help by releasing a new version or by providing instructions how to create a Qubes live cd. And it would be really nice if they could do both.
• Configure all network applications on the Tails workstation to use the Tails gateway as a proxy. Examples: gpg, chat, email and DNS.
• Properly secure the Tails VM’s. For example stricter firewall and Tor configurations. We want to prevent users from accidentally using the tails_gateway to browse the web.
• Secure the entire setup with Qubes’ own firewall.
• Create a plug-and-play version just like Tails works right now. To do this we could start with small steps. By first providing a Qubes live cd with the Tails image on board. This can be done in 5 minutes. We could see how this works out and then proceed to create the more complex Tails workstation and Tails gateway setup. Technically this is all possible. The question is who is going to do this? And would we trust them? For instance: should the Tails developers do this? The Qubes developers? Or can a third party do this without sacrificing security? So that complicates the issue. And to really make it plug-and-play we would have to integrate all the previous steps into the image. However before we dive into these questions it is important to first establish whether there is enough interest in such a project. Are there people interested in using a Tails from a virtual environment? And are they also interested in the separate tails_workstation and tails_gateway setup? Are there people who are willing to (financially) support such a project? Please let us know if you are interested.
• More research into the (in)security of running Tails from a virtualized environment.
• Create a separate, hardened, simple, plug-and-play, Tor proxy/gateway live cd. Preferably based on another operating system or Linux distribution then Tails. For example: OpenBSD, FreeBSD or Tor Ramdisk.
• Create a separate, hardened, simple, plug-and-play, VPN gateway live cd. This can be run before and/or after the Tor gateway VM. Preferably based on another operating system or Linux distribution then Tails. For example: OpenBSD, FreeBSD or Tor Ramdisk.

We are interested in feedback. Let us know what you think in the comment section. Or send us an (encrypted) email.

Support this project by donating to:

Bitcoin:
183x37Wc3jfduKGa5umqHt2gW7tgqWcbWh

Monero:
463DQj1ebHSWrsyuFTfHSTDaACx3WZtmMFMwb6QEX7asGyUBaRe2fHbhMchpZnaQ6XKXcHZLq8Vt1BRSLpbqdr283QinCRK

Advertisements