2 sperate gateways and workstations on the same host, Specifically using KVM. Any particular setup process required? Or is it straightforward?
With VirtualBox it’s possible and not that difficult. See:
We don’t have KVM specific documentation for that topic yet. Nevertheless the existing documentation should should be useful, even though it’s not yet 100% step-by-step for KVM.
Whonix_network.xml at time of writing https://github.com/Whonix/Whonix/blob/master/libvirt/Whonix_network.xml:
<network>
<name>Whonix</name>
<bridge name='virbr1' stp='on' delay='0'/>
<ip address='10.0.0.1' netmask='255.255.255.0'>
</ip>
</network>I imagine a Whonix2_network.xml would be required, which maybe would look like this.
<network>
<name>Whonix2</name>
<bridge name='virbr2' stp='on' delay='0'/>
<ip address='10.0.0.1' netmask='255.255.255.0'>
</ip>
</network>Then you need to repeat KVM instructions (Whonix ™ for KVM) with Whonix2_network.xml.
Untested. Feel free to try.
Patrick the second network would need its subnet changed to something different than the first. Being a 255.255.255.0 subnet mask means you can use: 10.0.1.1
I don’t know if this means that they can see eachother’s traffic at some point since its this conflict I resolve implies that the Host virtual switch deals with them that way.
nmap but what do I look for?
gh0st I want to thank you for drawing my attention to a very serious misconfiguration in the network xml
Because of about half a dozen different pages on the libvirt site talking about networking commands and settings, almost all of them are missing a crucial piece of information on configuration that left us open to attack.
I always imagined Isolated network to be just that… Isolated, but thats not the case:
Isolated network configThis variant provides a completely isolated private network for guests. The guests can talk to each other, and the host OS, but cannot reach any other machines on the LAN, due to the omission of the forward element in the XML description.
<network> <name>private</name> <bridge name="virbr2" /> <ip address="192.168.152.1" netmask="255.255.255.0"> <dhcp> <range start="192.168.152.2" end="192.168.152.254" /> </dhcp> </ip> <ip family="ipv6" address="2001:db8:ca2:3::1" prefix="64" /> </network>
That leads to ugly consequences.
The very last configuration they describe gives us what we are looking for. A completely Isolated network.
Network config with no gateway addressesA valid network definition can contain no IPv4 or IPv6 addresses. Such a definition can be used for a “very private” or “very isolated” network since it will not be possible to communicate with the virtualization host via this network. However, this virtual network interface can be used for communication between virtual guest systems. This works for IPv4 and (Since 1.0.1) IPv6. However, the new ipv6=‘yes’ must be added for guest-to-guest IPv6 communication.
[code]<network ipv6='yes'> <name>nogw</name> <uuid>7a3b7497-1ec7-8aef-6d5c-38dff9109e93</uuid> <bridge name="virbr2" stp="on" delay="0" /> <mac address='00:16:3E:5D:C7:9E'/> </network>[/code]
I’ll take care of it in Git.
You can just create another xml file with that configuration and import it instead.
<name>Whonix</name>
<bridge name="virbr2" stp="on" delay="0" />
</network>
All you have to do then to create another isolated network is change the name to Whonix2, 3 and so on.
wow, good catch!! glad to help
Does it matter that when I select the new Whonix network now, within virt-manager, it says "error selecting network: unsupported data type: <type ‘NoneType’>
(keep in mind this isn’t an updated virt-manager as I am using debian stable). Everything seems to work fine with the VM’s though, so just curious if this message even matters.
Oh my bad. I forgot to add the tag in the example I posted. Add it and try again
Remove any defined network first then import a text file renamed with an xml ending containing:
<network>
<name>Whonix</name>
<bridge name="virbr2" stp="on" delay="0" />
</network>
No that’s not it, I already added the other network tag and redefined. keep in mind the network seems to start fine, this error could probably be due to the lower version of virt-manager (as it’s not in wheezy backports)
Also, on an unrelated note, would it be safe to switch to cirrus instead of using qxl for display?
As part of QEMU the QXL is restricted by Apparmor just like any other video adapter you choose.