Hello. Can I connect another virtual machine to the same NAT subnet as the Whonix Gateway (Whonix External)?
I have a proxy client on the host that the Whonix Gateway connects to through SOCKS5, and from there the traffic is forwarded to my server using a different protocol. For security reasons, I decided to isolate the proxy client in a virtual machine. Initially, I planned to add an additional router VM for the Whonix Gateway, blocking unnecessary traffic from the Gateway and making it work through the proxy, but I ran into many problems with this implementation. For some reason, the connection was constantly interrupted, possibly due to the length of the tunnel or the routing. In addition, because of the long wait for a connection to the Tor network, I decided to try other ideas.
- Added a virtual machine on the same subnet as the Whonix Gateway
- Assigned a static IP address (10.0.2.16) to the proxy virtual machine, allowed incoming traffic only on TCP port 1080, and allowed outgoing traffic only to the proxy server.
- Added a network filter (libvirt nwfilter) for the Whonix Gateway VM
With these rules:

<filter name='whonix-gateway' chain='root'>
  <uuid>6ef53069-ba34-94a0-d33d-17751b9b8cb1</uuid>
  <!-- enable connection with Proxy VM -->
  <rule action='accept' direction='out'>
    <tcp dstipaddr='10.0.2.16' dstportstart='1080'/>
  </rule>
  <!-- drop all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>
Now I have two virtual machines on the Whonix External subnet.
The Whonix Gateway does not have access to the Internet, except for the SOCKS5 connection to the Proxy VM at IP 10.0.2.16, port 1080.
If a Whonix Workstation is hacked, it will not know about the Proxy VM. If the Whonix Gateway is hacked, it learns about the Proxy VM, but it does not learn my external IP address, only the existence of the Proxy VM. Yes, I understand that there are many ways to attack, but my question is more about the implementation of using a Proxy VM.
Is this design safe? Can I connect a Proxy VM to the same subnet as the Whonix Gateway?
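An added example (not code from the post above, nor from Whonix or libvirt) that generates both nwfilter policies the post describes and dry-runs them against sample packets. It goes beyond the post in two ways: it also produces the Proxy VM filter, which the post only describes in words, and it re-reads the generated XML (the same shape as the posted filter) to check that the rules do what they are meant to. Values from the post: the Proxy VM at 10.0.2.16, SOCKS5 on TCP 1080. Assumptions that are not in the post: the Whonix Gateway's external address is 10.0.2.15, and the remote proxy server is 203.0.113.10:443 (an RFC 5737 placeholder, to be replaced). One caveat worth checking in the libvirt nwfilter reference: the `<all/>` match sits in the IPv4 section of the rule grammar, with `all-ipv6` as the IPv6 counterpart, so the generated filters add an `all-ipv6` drop as well; the evaluator below only models IPv4 packets.

```python
"""Dry-run of the libvirt nwfilter policies for the Whonix Gateway and the Proxy VM.

Added example, not code from the original post or from Whonix/libvirt.
From the post: Proxy VM 10.0.2.16, SOCKS5 on TCP 1080.
Assumptions (not in the post): gateway external address 10.0.2.15,
remote proxy server 203.0.113.10:443 (placeholder address).
The evaluator models nwfilter's first-match semantics: rules are tried in
ascending priority (default 500, ties in document order); the first rule
that matches decides; a packet that no rule matches is accepted.
Only IPv4 packets (tcp/udp/icmp) are modelled.
"""
import xml.etree.ElementTree as ET

PROXY_VM_IP = "10.0.2.16"         # from the post
PROXY_VM_PORT = 1080              # from the post
GATEWAY_IP = "10.0.2.15"          # assumption
PROXY_SERVER_IP = "203.0.113.10"  # assumption (placeholder)
PROXY_SERVER_PORT = 443           # assumption


def rule(action, direction, proto="all", priority=500, **attrs):
    """One <rule> element: action, direction, protocol element and its attributes."""
    return {"action": action, "direction": direction, "proto": proto,
            "priority": priority, "attrs": attrs}


def gateway_rules():
    """Whonix Gateway: only SOCKS5 to the Proxy VM, everything else dropped."""
    return [
        rule("accept", "out", "tcp", dstipaddr=PROXY_VM_IP, dstportstart=PROXY_VM_PORT),
        rule("drop", "inout", "all", priority=1000),       # IPv4 catch-all
        rule("drop", "inout", "all-ipv6", priority=1000),  # IPv6 catch-all, see lead-in
    ]


def proxyvm_rules():
    """Proxy VM: SOCKS5 in from the gateway only, out only to the proxy server."""
    return [
        rule("accept", "in", "tcp", srcipaddr=GATEWAY_IP, dstportstart=PROXY_VM_PORT),
        rule("accept", "out", "tcp", dstipaddr=PROXY_SERVER_IP, dstportstart=PROXY_SERVER_PORT),
        rule("drop", "inout", "all", priority=1000),
        rule("drop", "inout", "all-ipv6", priority=1000),
    ]


def to_xml(name, rules):
    """Render rules as an nwfilter document usable with `virsh nwfilter-define`."""
    root = ET.Element("filter", name=name, chain="root")
    for r in rules:
        el = ET.SubElement(root, "rule", action=r["action"], direction=r["direction"],
                           priority=str(r["priority"]))
        ET.SubElement(el, r["proto"], {k: str(v) for k, v in r["attrs"].items()})
    return ET.tostring(root, encoding="unicode")


def from_xml(text):
    """Parse an nwfilter document (such as the one in the post) back into rules."""
    rules = []
    for el in ET.fromstring(text).findall("rule"):
        proto = el[0]  # the single protocol element inside the rule
        rules.append(rule(el.get("action"), el.get("direction"), proto.tag,
                          int(el.get("priority", 500)), **proto.attrib))
    return rules


def _matches(r, pkt):
    """Does rule r match this packet? Attributes the rule omits are wildcards."""
    if r["direction"] != "inout" and r["direction"] != pkt["direction"]:
        return False
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    a = r["attrs"]
    if "srcipaddr" in a and str(a["srcipaddr"]) != pkt["src"]:
        return False
    if "dstipaddr" in a and str(a["dstipaddr"]) != pkt["dst"]:
        return False
    if "dstportstart" in a:
        lo, dport = int(a["dstportstart"]), pkt.get("dport")
        hi = int(a.get("dstportend", lo))
        if dport is None or not lo <= dport <= hi:
            return False
    return True


def verdict(rules, pkt):
    """First matching rule wins; an unmatched packet passes (nwfilter default)."""
    for r in sorted(rules, key=lambda r: r["priority"]):  # stable sort keeps document order
        if _matches(r, pkt):
            return r["action"]
    return "accept"


def pkt(direction, proto, src, dst, dport=None):
    """A packet as seen from the filtered VM's interface ('in' or 'out')."""
    return {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    print(to_xml("whonix-gateway", gateway_rules()))
    print(to_xml("proxy-vm", proxyvm_rules()))
```

The two printed documents can be saved and loaded with `virsh nwfilter-define <file>`, then attached to the respective VM by adding `<filterref filter='whonix-gateway'/>` (or `proxy-vm`) inside the `<interface>` element of the domain XML. The dry run is the part worth keeping around: every time a rule is changed, re-run the checks that the gateway can reach only 10.0.2.16:1080, that the Proxy VM accepts port 1080 only from the gateway's address, and that the Proxy VM's outbound traffic is limited to the proxy server.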