Attempt at Physical GW failed: no connectivity


I’m looking for a secure yet as close as possible to an out of the box solution, I can’t spend a year studying security.
I found two projects which could satisfy my requirements: “Onion Pi”, and “Safeplug”, for the Raspberry Pi. I’ll try to set it up on a PC running Debian. Will it be secure though?

EDIT: I tried to debug the Gateway some more and looks like the NIC for eth1 was causing the troubles. I replaced it and now the new NIC appears as eth2 in ifconfig though. Anyway looks like it’s working… :smiley:


Just glanced at the tutorials you linked. They list the bare minimum steps required to get client traffic over Tor so I wouldn’t expect them to be as secure as Whonix. I don’t know all of Gateway’s customizations to vanilla Debian but off the top of my head here are some reasons those DIY projects are less secure than Gateway:

  • uses DHCP
  • no stream isolation
  • looser iptables rules
  • no clock defenses

Qubes TorVM is probably the best candidate to use for comparison in this chart (minus the Qubes OS specific stuff): https://www.whonix.org/wiki/Comparison_with_Others. Some additional reasons from there:

  • tor-gateway not torified
  • no prevention of tor-over-tor
  • no apparmor

Good to hear! You can grep all the eth1’s to eth2 or fiddle with udev rules to assign eth2 back to eth1.


I can’t do without a physical gateway since the OS I’d like to torify fails to start in Qubes (I tried, assumed it’s due to no VT-d).

[quote=“entr0py, post:22, topic:2221”]
Good to hear! You can grep all the eth1’s to eth2 or fiddle with udev rules to assign eth2 back to eth1.
[/quote]
GW is working, but WS isn’t, which might be due to the change in ethernet name. In GW ifconfig doesn’t show anything to indicate the eth2 is connected to anything…
What should I grep? I tried dmesg | eth1 but it provides nothing of value.


VT-d is not an absolute requirement for any OS. VT-x is required for HVMs, like Windows. https://www.qubes-os.org/doc/system-requirements/

eth0 is auto-configured. The Internal Network adapter (here eth2) must be manually configured.


The scripts are well-commented. Read them and change what makes sense. To be honest, best idea might be to re-build the whole thing now that your adapters are working.

I know this isn’t what you want to hear but from my first post in this thread:

Physical Isolation at this point is really a DIY / experimental project and https://www.whonix.org/wiki/Support#Free_Support_Principle surely applies. Snowden, the noob, used Tails so you could do worse than going with one of the other Whonix platforms. :wink:

If you are willing to invest time & energy to make Physical GW work, you might want to take a step back and read a bit about Linux networking in general. Debian wiki & doc is a great resource:

Good luck!

PS: Rebuild one more time paying very very special attention to the networking verification step I linked. If your cards are lined up properly, it all might work without touching a thing.


Hi entr0py,
before I reinstall the GW, do I have to make sure the NIC going to the router is called eth0? Currently it’s named eth1.


Yes. You save a lot of trouble by sticking to the defaults.


Any idea why near the end of the build script I get all sorts of messages such as:
EXT4-fs unable to read superblock
FAT-fs bogus number of FAT structure
ntfs: read_ntfs_boot_sector primary boot sector is invalid
qnx4 no qnx4 filesystem no root dir