Attempt at Physical GW failed: no connectivity


I made sure /etc/network/interfaces has this line:
source-directory /etc/network/interfaces.d
and /etc/network/interfaces.d/30_non-qubes-whonix is as it should be.

When I’m trying to ping the router IP I get Destination Host Unreachable, and for every other IP I tried I get Packet filtered.
Obviously Tor isn’t connecting.

What could be wrong?



I’m trying to ping from within the Gateway, not to it.
Tor doesn’t connect (no route to host) and it definitely doesn’t get an internal IP from DHCP.



I’m trying to ping from within the Gateway, not to it.

Still applies. Whonix-Gateway firewall is preventing it.

Try as user clearnet.

sudo su clearnet

Note, by default there is no DNS resolving for Whonix-Gateway’s own DNS
requests (because… See:
https://www.whonix.org/wiki/Whonix-Gateway_System_DNS )


Thanks Patrick, but I still get Network is unreachable when I ping IPs, even internal ones like the router’s. It doesn’t even get an IP from DHCP.
My question then is how can I isolate the problem? Everything looks right and after running dozens of commands by trial and error at some point I could ping … could be something in Whonix ?


Setting up networking in a Physical GW is non-trivial, especially if one of your adapters is wireless.

Essential step in build process: https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation#Network_Verification

If you’re not familiar with network troubleshooting, it’s probably advised to use the pre-built images instead.

At a minimum, configure /network/interfaces, use ifconfig, route, check drivers, etc. You might just have adapters reversed.


Hi entr0py
I reinstalled the GW from scratch, after doing the required changes in /etc/network/interfaces I can ping the gateway, but I keep getting “tor.pid does not exist”.
For debugging I removed the second NIC and minimized the config file /interfaces.d/30_non-qubes-whonix to only include:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp

I still get tor.pid doesn’t exist.
I installed it from source because I didn’t see a pre-built image download option.

Since the documentation page says physical GW isn’t being maintained and the project focus moved to Qubes, would it be possible to do a similar physical isolation using qubes-whonix for the physical gw?


Most likely Tor fails to start because it can’t bind. It needs a second interface for that as this is Whonix configuration.


There is no pre-built image for physical isolation.

In theory yes, in practice no one has time to work on it.


@claudi8b6: re: images, sorry, I meant non-physical options.
see if this changes your mind about qubes:


Now that I inserted the NIC back the tor.pid error message is gone. I changed the “non virtualizer unsupported” flag to true, and now it’s working!

I don’t have the HW to support virtualization compartmentalization for Qubes. Thought using BOTH a physical Gateway and Qubes-Whonix (in non supporting HW) will be a good compromise.


Strange that was required. What is the output of

sudo systemd-detect-virt ; echo $?



The output is:


Grats on getting it working!

Where is this even documented? Built a Whonix 12 GW without this.


Of course the WS isn’t working…
Tried both DHCP (No DHCPOFFERS received) and static IP. Not sure how to debug that…



Then “same as it were Debian”.


I’m not sure what it has to do with what I’m dealing with; the physical GW is connected to Tor, and the host machine is a fresh default Linux install without anything including Whonix installed in it.
PS: does it achieve stream isolation similarly to Whonix in the same host?


It’s directions on how to debug this.


Patrick, you’re spending too much time in the forums. Get back to work! :grin:

@claudi8b6 Gotta go static. Gateway does not have a DHCP server. (optional why: https://phabricator.whonix.org/T239)

Patrick is saying to remove whonix-specific features from gateway (like firewall) so you can test connectivity without complicating factors. (for example, to ping).

If you had to flip interfaces around at build time, then you might have missed some config files. grep for those. Otherwise, it’s just a standard network config in ws-host. Use the Debian GUI. Also, make sure the internal network eth has proper settings in the gateway.

IIUC it can but not by default. There are no uwt wrapped applications or pre-configured socks proxies in a ws-host. Host traffic will travel through transPort by default.
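
The two configuration points raised in this thread (Tor on the gateway needs a second interface to bind to, and the workstation host must be configured static because the gateway runs no DHCP server) can be checked directly against the ifupdown files. This is an added example, not part of the original thread or Whonix's own tooling; the function names, sample file names and 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: sanity-check ifupdown stanzas before blaming Tor or the firewall.

# Print "<iface> <method>" for every non-loopback IPv4 stanza in FILE.
list_ifaces() {
    awk '$1 == "iface" && $3 == "inet" && $4 != "loopback" { print $2, $4 }' "$1"
}

# Gateway check: succeeds only if FILE configures at least two non-loopback
# interfaces (one external, one internal for Tor to bind to).
gateway_has_two_nics() {
    list_ifaces "$1" | awk 'END { exit !(NR >= 2) }'
}

# Workstation-host check: succeeds only if IFACE in FILE uses "static",
# since the gateway hands out no DHCP leases.
workstation_is_static() {
    list_ifaces "$1" |
        awk -v want="$2" '$1 == want && $2 == "static" { ok = 1 } END { exit !ok }'
}

# Constructed sample configs (addresses are documentation-range placeholders).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/gw_one_nic" <<'EOF'
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
EOF
{ cat "$SAMPLES/gw_one_nic"
  printf '%s\n' 'auto eth1' 'iface eth1 inet static' \
      '    address 192.0.2.1' '    netmask 255.255.255.0'
} > "$SAMPLES/gw_two_nics"
printf '%s\n' 'auto eth0' 'iface eth0 inet dhcp' > "$SAMPLES/ws_dhcp"
printf '%s\n' 'auto eth0' 'iface eth0 inet static' '    address 192.0.2.2' \
    '    netmask 255.255.255.0' '    gateway 192.0.2.1' > "$SAMPLES/ws_static"

for f in gw_one_nic gw_two_nics; do
    gateway_has_two_nics "$SAMPLES/$f" && echo "$f: ok" ||
        echo "$f: no second interface for Tor to bind to"
done
for f in ws_dhcp ws_static; do
    workstation_is_static "$SAMPLES/$f" eth0 && echo "$f: ok" ||
        echo "$f: eth0 is not static; the gateway will not answer DHCP"
done
```

On a real system, point the functions at the actual files under /etc/network/interfaces.d instead of the constructed samples.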


OK, the GW doesn’t have networking again and it’s getting frustrating. Is there a command which will effectively torify eth1 through a Tor service? I hope I’m explaining this properly, I want to make my own Gateway of sorts by tunneling eth1 to Tor’s SOCKS port.


You can get some ideas by searching “How to build a Tor Router”.
Not sure that building your own is going to be any easier, and probably not as secure as Whonix.

I know you said you don’t have VT-d capable hardware but even without that, Qubes is still one of the most secure platforms out there. You’ll be vulnerable to DMA attacks but realistically, how high does that rank on your threat model? So many other benefits to using Qubes…

If you absolutely must have physical isolation, you might consider https://www.whonix.org/wiki/Support#Professional_Support.