Connecting another virtual machine to the same NAT subnet of the Whonix gateway (Whonix External)

Hello. Can I connect another virtual machine to the same NAT subnet as the Whonix Gateway (Whonix External)?

I have a proxy client on the host that the Whonix Gateway connects to through socks5; the traffic is then forwarded to my server using a different protocol. For security reasons, I decided to isolate the proxy client in a virtual machine. Initially I planned to add an additional router VM in front of the Whonix Gateway, blocking unnecessary traffic from the Gateway and making it work through the proxy, but I ran into many problems with this implementation. For some reason the connection was constantly interrupted, possibly due to the length of the tunnel or routing. In addition, because of the long wait for a connection to the Tor network, I decided to try other ideas.

My solution.

  1. Added a virtual machine on the same subnet as the Whonix Gateway.
  2. Assigned a static IP address (10.0.2.16) to the proxy virtual machine and allowed incoming traffic only on TCP port 1080, and outgoing traffic only to the proxy server.
  3. Added a network filter (libvirt nwfilter) to the Whonix Gateway VM:

<filterref filter='whonix-gateway'/>

With these rules:

<filter name='whonix-gateway' chain='root'>
  <uuid>6ef53069-ba34-94a0-d33d-17751b9b8cb1</uuid>
  <!-- enable connection with Proxy VM -->
  <rule action='accept' direction='out'>
    <tcp dstipaddr='10.0.2.16' dstportstart='1080'/>
  </rule>

  <!-- drop all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>

Now I have two virtual machines on the Whonix External subnet.
The Whonix Gateway does not have access to the Internet, except for the socks5 connection to ProxyVM at IP 10.0.2.16, port 1080.

If a Whonix Workstation is hacked, it will not know about the Proxy VM. If the Whonix Gateway is hacked, it learns about the Proxy VM, but it does not learn my external IP address, only the existence of the Proxy VM. Yes, I understand that there are many ways to attack, but my question is more about the implementation of using a Proxy VM.

Question:
Is this design safe? Can I connect a Proxy VM to the same subnet as the Whonix Gateway?
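A static check of the nwfilter in the post above, added here as an illustration and not part of the original post. It parses the filter with Python's standard library and reports whether any accept rule is broader than a single TCP destination or whether the catch-all drop is missing; the "loose" variant is a constructed counter-example with the destination address left out. It only checks the rule shape: whether reply packets are actually admitted has to be verified on the host bridge with tcpdump, not assumed from the XML.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the filter from the post above, with the XML made
# well-formed: proper <!-- --> comments, lowercase closing tags and no stray
# space inside the dstipaddr attribute. Proxy IP/port are the values posted.
WHONIX_GATEWAY_FILTER = """<filter name='whonix-gateway' chain='root'>
  <!-- enable connection with Proxy VM -->
  <rule action='accept' direction='out'>
    <tcp dstipaddr='10.0.2.16' dstportstart='1080'/>
  </rule>
  <!-- drop all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>"""

# Constructed, deliberately sloppy variant: the accept rule forgot the
# destination address, so the gateway could reach port 1080 on any host.
LOOSE_FILTER = """<filter name='loose' chain='root'>
  <rule action='accept' direction='out'>
    <tcp dstportstart='1080'/>
  </rule>
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>"""


def ordered_rules(root):
    """libvirt applies rules by ascending priority (default 500); rules with
    equal priority keep document order. Python's sort is stable, so a single
    key on priority reproduces that evaluation order."""
    return sorted(root.findall('rule'),
                  key=lambda r: int(r.get('priority', '500')))


def audit_filter(xml_text, proxy_ip, proxy_port):
    """Check that a libvirt nwfilter pins the VM to exactly one TCP destination
    and drops everything else. Returns a list of findings; an empty list means
    the filter has the expected shape. This is a static shape check, not a
    substitute for watching the host bridge with tcpdump."""
    root = ET.fromstring(xml_text)
    if root.tag != 'filter':
        return ['not a <filter> document']
    rules = ordered_rules(root)
    if not rules:
        return ['no rules']
    findings = []
    last = rules[-1]
    if not (last.get('action') == 'drop'
            and last.get('direction') == 'inout'
            and last.find('all') is not None):
        findings.append('last rule is not a drop/inout/<all/> catch-all')
    for rule in rules[:-1]:
        if rule.get('action') != 'accept':
            findings.append(f"unexpected action '{rule.get('action')}' before the catch-all")
            continue
        if rule.get('direction') != 'out':
            findings.append('accept rule is not direction=out')
        matches = list(rule)
        if not matches:
            findings.append('accept rule with no protocol match accepts everything')
        for m in matches:
            if m.tag != 'tcp':
                findings.append(f'accept rule matches <{m.tag}/>, expected <tcp/>')
                continue
            if m.get('dstipaddr') != proxy_ip:
                findings.append(f'tcp accept is not pinned to {proxy_ip}')
            start = m.get('dstportstart')
            end = m.get('dstportend', start)
            if start != str(proxy_port) or end != str(proxy_port):
                findings.append(f'tcp accept is not pinned to port {proxy_port}')
    return findings


if __name__ == '__main__':
    for name, xml in (('posted', WHONIX_GATEWAY_FILTER), ('loose', LOOSE_FILTER)):
        print(name, audit_filter(xml, '10.0.2.16', 1080) or 'OK')
```

Run it against the XML you actually loaded with `virsh nwfilter-dumpxml whonix-gateway` rather than a hand-edited copy, so that a typo in the attribute name (which libvirt would silently ignore) shows up as a finding.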

While filters are a clever way of implementing this, they may not be foolproof against leaks. I recommend turning the Whonix external network into another internal-type network by editing its settings to resemble Whonix internal (don’t worry about static IP assignment, it shouldn’t matter). Then you can place the proxy VM in front of it in this chain, with eth1 facing the Whonix GW and eth0 outside on the network "default", for instance.

This may be harder to implement but it should be the safest option. Whonix is modifiable in principle to support any proxy in place of Tor however it will depend on how much time @Patrick can spare if you’d be interested in paying for support.


Thanks for your recommendations.
By the “default” network, did you mean the standard NAT that libvirt creates during installation? If I understood your recommendations correctly, I tried to reproduce them.

My actions:

  1. An additional internal network based on Whonix-Internal was created. It was added to the Whonix Gateway as eth0, and to ProxyVM as eth1.

  2. Added the “default” NAT network, and then configured the eth1 interface in ProxyVM. It points to the internal network - enp2s0 (eth1).

    auto lo
    iface lo inet loopback

    allow-hotplug enp1s0
    iface enp1s0 inet dhcp

    allow-hotplug enp2s0
    iface enp2s0 inet static
    address 10.0.2.2
    netmask 255.255.255.0

  3. All incoming connections are closed; only incoming connections from 10.0.2.15 (Whonix Gateway) to port 1080 are allowed. All outgoing connections are allowed.

    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow from 10.0.2.15 to any port 1080

  4. I configured the proxy client to listen on IP 10.0.2.2, port 1080.

  5. In the Tor control panel settings, a socks5 proxy is specified: the ProxyVM internal interface IP 10.0.2.2, port 1080.

Everything works. If I try to connect to the Tor network without the proxy server, there is no network. Since I do not need connections outside the proxy, it is reasonable not to configure routing on ProxyVM. Is it necessary to configure anything additionally, or is everything fine in this configuration?

I am worried about one thing: following your advice, I added eth0 of ProxyVM to the “default” NAT network, and on this network I have many other virtual machines. If this does not affect security, then I do not understand the point of creating a separate Whonix External network. Why not add it to the standard NAT and get, for example, an address through DHCP?

Whonix is modifiable in principle to support any proxy in place of Tor.
@HulaHoop

Sorry, but I don’t quite understand what you mean.


A local proxy that does analysis or filtering such as privoxy or a proxy that connects to remote computers and increases tunnel length?

You want to replace Tor with another proxy software?

Well, if you want to use a proxy similar to Tor which connects to remote servers, such as JonDonym, then I don’t see how your other ideas would relieve the connection interruption or slow connection issues?

In theory it may be possible (depends on proxy software) but undocumented / unsupported.

Indeed. At this time it’s unlikely that I would work on something like a Proxy-Gateway VM that can be chained with Whonix-Gateway unless paid.


In principle, in theory this is possible:

  • Whonix-Workstation → Whonix-Gateway → Proxy-Gateway
  • User → Tor → Proxy → Internet

Also this is possible:

  • Whonix-Workstation → Proxy-Gateway
  • User → Proxy → Internet

My notes on that subject might be outdated:
Dev/Inspiration - Whonix

Because of attack surface and potential leaks.

Anonymize Other Operating Systems a similar topic but related:

Whonix ™ maintainers have not researched yet, if there is any feature in DHCP servers that would be problematic in the use case of anonymity distributions that use a two machine isolation approach. (Help welcome!) [archive] Maybe there is such a feature, maybe not. If it exists, maybe it could be easily disabled, maybe not. What is the attack surface here: once an attacker has compromised Whonix-Workstation ™, an attempt to exploit the DHCP server on Whonix-Gateway ™ could be tried. Worse, maybe DHCP has a feature such as “please tell me the IP address of your upstream router”, and that would be your real external IP address and DHCP would answer. To find out if this is actually the case, one would have to read the whole DHCP protocol [archive]. Forum discussion [archive]. If you are interested anyway, please click on expand on the right side.

Better to use static networking without DHCP.


A local proxy that does analysis or filtering such as privoxy or a proxy that connects to remote computers and increases tunnel length?

No. The delay occurs when an additional router VM is added in front of the Whonix gateway. At least during my testing this happened: lost connections and a long wait to connect to the Tor network.

You want to replace Tor with another proxy software?

I am not trying to replace Tor or influence the Whonix design. My task is to direct traffic first to my local proxy client. After that, my client wraps the traffic in TLS and sends it via websocket through a CDN to the proxy server. This helps me get around the firewall and DPI with active probes. I decided to isolate the proxy client in a virtual machine. That is why this topic was created.

In theory it may be possible (depends on proxy software) but undocumented / unsupported.

I am using a normal connection via the Tor control panel. The connection goes through my local proxy. My local proxy encapsulates Tor traffic in TLS and sends it to the proxy server, and the server then forwards the Tor traffic to the Tor relay.
Therefore, I need to run the proxy client on an isolated machine, so as not to do port forwarding on the host. I decided to host my local proxy on the same network as Whonix. I also set up nwfilter rules to block all traffic from the Whonix Gateway except the connection to the local proxy. I need to connect only through my local proxy.

Because of attack surface and potential leaks.
Anonymize Other Operating Systems a similar topic but related:
Better to use static networking without DHCP.

Then you can place the proxy vm in front of it into this chain with eth1 facing whonix GW and eth0 outside on network "default " for instance.

@HulaHoop, why then do you advise that when adding a Proxy VM I can use the “default” network? As far as I understand, the default network is the standard NAT network that is created when installing libvirt, qemu-kvm and bridge-utils.

This is what my network looks like.
The Whonix Gateway connects to the local socks5 or http(s) proxy server (depending on the settings of the receiving proxy; I can configure it for another receiving proxy) ---------> The local proxy receives the traffic from the Whonix Gateway, encapsulates it in TLS and sends it through websocket or http2 to the proxy server -----------> The nginx server receives the traffic and redirects it to a local port, the server-side proxy, which then sends the traffic to the Tor relay.

Can I connect another virtual machine to the same NAT subnet of the Whonix Gateway ( Whonix External )?

In theory it may be possible (depends on proxy software) but undocumented / unsupported.

What does “depends on proxy software” mean? I can configure the machine myself and redirect traffic through it. My first post describes my actions, and in the second post, after @HulaHoop’s answer, I took his advice and also successfully redirected traffic to my local proxy. He only recommended that I should not use an isolated proxy on the same subnet as the Whonix gateway, replacing the external Whonix network with an internal one, and connect the Whonix gateway to the ProxyVM gateway. I followed this advice, as @HulaHoop said that the nwfilter filter is unreliable. Using nwfilter I blocked standard traffic that does not go through the local proxy.

It seems to me that @HulaHoop better understood my settings =)

One example from Combining Whonix with JonDonym

Free accounts can connect only to ports 80 and 443 and provide only a https proxy interface, no socks. [11] Premium accounts to any port and support socks. Full comparison: https://anonymous-proxy-servers.net/en/premium.html [archive]

And Dev/Inspiration - Whonix

Depending on your threat model (see Design), JonDonym [archive] can be potentially used as a replacement for Tor. Prefer the console version [archive] of ‘JonDo – the IP changer’, otherwise you would have to install a desktop environment, which needs a lot more RAM, CPU and disc space (not possible on most embedded devices).

Free users can [only use port 80 (http) and 443 (https) [archive]]. Socks is only available for paying premium users [archive]. Therefore free users can only reach services listening on remote port 80 or 443. Normal browsing will work, other stuff, for example IRC on port 6667 will not work. Paying premium users can use all services.

In comparison to Tor, JonDo does not offer a TransPort or DnsPort. For that reason, transocks_ev (download here [archive]) is needed. Note, that you can not use the firewall rules provided under transocks_ev [archive]. You need to adjust the whonix firewall (/usr/bin/whonix_firewall).

Quote:

“proxy types”
http
https
socks4
socks4a
socks5
CGI
I2P
JonDo
Tor

“proxy features”
http
https
TransPort
UDP
Remote DNS
Hides IP
user-to-proxy encryption

Not all “proxy types” have all “proxy features”.

For example, transparent proxying with a Proxy-Gateway using a “normal” socks5 proxy in the configuration Whonix-Workstation → Whonix-Gateway → Proxy-Gateway is not possible.

Quote Dev/Inspiration - Whonix

Transparent Proxying (like Whonix ™ with Tor’s TransPort) is, due to technical limitations, not fully supported by proxies. Proxies do not offer a DnsPort and also do not act as a DNS server. While it is possible to relay TCP and UDP traffic through the proxy on the IP level (using iptables), you would still always require a known (you know the IP) DNS server (i.e. a public DNS server such as OpenDNS, Google, httpsdnsd). DNS resolution would look like: Proxy-Workstation → Proxy-Gateway → Proxy → DNS server. It is technically not possible to let the proxy transparently (!) do the DNS resolution (no tools available), at least none that we know of after extended research. This is because proxies offer hostname resolution, but not DNS.

Future: This technical limitation may be lifted if redsocks Feature Request: fake DNS resolver [archive] gets implemented.

Due to the DNS issue, you can’t completely hide behind the proxy (using it transparently). You always would have to reveal, that you are using a public (or private) extra DNS resolver. Of course, you would also not only have to trust the proxy, but also the extra DNS server, which can see, log and correlate all your DNS queries.

Though, transparent proxying may not be required.

Tor on Whonix-Gateway might talk directly to a http / https / socks4(a)/5 proxy running on the Proxy-Gateway.

Then use Tor’s proxy settings and point it to that proxy.

Connecting to a Proxy before Tor

This might - depending on the proxy - not work (out of the box). Some proxies are blocking connections to the Tor network or blocking some ports.

IP forwarding is probably not required and even discouraged.


Though, transparent proxying may not be required.

Tor on Whonix-Gateway might talk directly to a http / https / socks4(a)/5 proxy running on the Proxy-Gateway.

Then use Tor’s proxy settings and point it to that proxy.

Connecting to a Proxy before Tor

This might - depending on the proxy - not work (out of the box). Some proxies are blocking connections to the Tor network or blocking some ports.

IP forwarding is probably not required and even discouraged.

Ehhh. I know that Whonix can interact directly with a Proxy Gateway; in my setup it does this. My first two posts are about exactly that. There are several options for using a Proxy Gateway.

  1. Launch the proxy gateway on a NAT network other than Whonix External. In this case, you must forward ports using rules on the host; otherwise the Whonix Gateway will not be able to connect to the Proxy Gateway. I don’t want to forward ports; it creates a lot of problems, and for me it is inconvenient.
  2. Launch the proxy gateway on the same NAT network as the Whonix gateway. Here forwarding etc. is not required. The first post describes this particular construction. I also blocked all traffic on the Whonix gateway using nwfilter; all traffic must go through the local proxy. This works, but for extra protection I decided to introduce traffic filtering using nwfilter. I described everything in detail in my posts. If this is not clear, then I will try to rephrase. Perhaps my translation of a technical text is complicated?
  3. @HulaHoop’s suggestion. Launch ProxyVM in front of the Whonix gateway. A similar situation is using a router as a gateway. I have done it. The second post describes my specific steps in this direction. And also at the end of each of my posts (first and second) there are questions regarding these settings.
  4. Use a local proxy on the host. The easiest option, but not safe. Therefore, I moved everything to a virtual machine.

My task is to understand which of these options is safer. For this, I described all the steps I took in each of these posts (1, 2). I also repeat that after all the steps described in the first and second post, I left questions regarding my actions.

Ideally Whonix-Gateway’s external network card eth0 would connect to Proxy-Gateway on an internal network. The proxy software would run Proxy-Gateway eth1 and only communicate with Whonix-Gateway. External connections of Proxy-Gateway would happen through Proxy-Gateway eth0. A similar setup as Whonix-Gateway itself.

Whonix-Gateway should not use a NAT network.

This should not be used anymore by Whonix-Gateway.

https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-External.xml

Something like https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-External.xml should be used by Proxy-Gateway.

Whonix-Gateway rather should use something similar to this:

https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-Internal.xml


You mean that the Whonix Gateway does not use NAT for the internal interface through which the Whonix Workstation connects? If so, then I know that traffic routing is not used for the workstation. But the Whonix gateway is in a NAT network, as the XML configuration itself indicates. Its eth0 interface exits through the NAT of the host system.

<name>Whonix-External</name>
<forward mode='nat'/>

This means that my actions are as follows:

  1. Enable Whonix-External as eth0 for ProxyVM. Let’s say this is the virbr1 interface.
  2. Create a second internal network based on Whonix-Internal. This will be the virbr2 interface. And virbr3 is used to connect the Workstation to the Whonix gateway.
  3. The virbr2 interface is eth1 for ProxyVM and eth0 for the Whonix Gateway.

What IP address and netmask should I assign to the virbr2 interface, which is used as eth1 for ProxyVM and eth0 for the Whonix Gateway?

No. It doesn’t. Uses this:

https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-Internal.xml

Yes.

https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-External.xml

But it shouldn’t be in your setup.

Not sure I’d call that Whonix-external but basically yes.

Yes.

Not sure about the virbr numbering. Not easy to explain in text. Would need to have a look at a set of config files.

Not sure. Haven’t thought much about that yet.


In theory, but not good idea:

  • Gateway internal IP is 10.152.152.10 / netmask 255.255.192.0
  • Workstation internal IP is 10.152.152.11 / netmask 255.255.192.0

I guess since multiple workstations are counted upwards (10.152.152.11, 10.152.152.12, etc.) in the documentation, it might make sense to count the gateway placed after Whonix-Gateway downwards. Maybe 10.152.152.9.


On the other hand it might make much more sense (less likely to have leaks) to use a different netmask.

Whonix-Gateway as per Whonix default:

eth0
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2

eth1
address 10.152.152.10
netmask 255.255.192.0

As you can see, eth0 and eth1 are using a different netmask.

Therefore Whonix-Gateway eth0 settings should be changed. Set to use any different address/netmask that works. Probably not using a gateway setting in file /etc/network/interfaces.d/30_non-qubes-whonix. (Whonix-Gateway would be “more similar to a workstation”.)


Proxy-Gateway eth0 should use (what Whonix-Gateway is now using for eth0):

eth0
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2

Proxy-Gateway eth1 could use anything that works (but probably using netmask 255.255.192.0 / 255.255.255.0) to be able to communicate with Whonix-Gateway eth1.

  1. These settings are now used by ProxyVM as eth0.
<network>
  <name>Proxy-External</name>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>
  2. This is for eth1 of ProxyVM and eth0 of the Whonix Gateway.
<network>
  <name>Whonix-Internal-Proxy</name>
  <bridge name='virbr2' stp='on' delay='0'/>
</network>
  3. For eth1 of the Whonix Gateway and eth0 of the Whonix Workstation.
<network>
  <name>Whonix-Internal</name>
  <bridge name='virbr3' stp='on' delay='0'/>
</network>

  4. ProxyVM - edited interfaces

eth0
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2

eth1
address 10.152.152.8
netmask 255.255.192.0

  5. Whonix Gateway

eth0
address 10.152.152.9
netmask 255.255.192.0
gateway 10.152.152.8

eth1
address 10.152.152.10
netmask 255.255.192.0

  6. Whonix Workstation has default settings.

Is this correct overall? Should I also find advice on the correct IP and NetMask or is it possible to leave it that way?

On the other hand it might make much more sense (less likely to have leaks) to use a different netmask.


I have one more question regarding:

> <driver name="qemu"/>

I noticed this option only in xml Whonix (Ws / Gt). Could not find information on adding this. Where could I read about this and should I add this argument when creating the ProxyVM network? I did not see it in the original xml configuration, but after creating the network it appears. When creating other non-Whonix-based virtual machines, these settings are missing.
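An added audit of the network layout from the post above (example code written for this page, not from Whonix or the poster). It classifies each libvirt network definition, checks that only the egress hop does NAT and that no hop runs libvirt's DHCP server, and flags a VM whose interfaces land in one subnet, which is what happens with the posted Whonix-Gateway addresses 10.152.152.9/18 and 10.152.152.10/18 and is the situation the "use a different netmask" advice is about. Network names and bridge numbers are copied from the post; the "default" network is a constructed stand-in for libvirt's stock one.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copies of the network definitions from the post above. Names and
# bridge numbers are the ones posted; they are illustrative, not Whonix defaults.
PROXY_EXTERNAL = """<network>
  <name>Proxy-External</name>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>"""

WHONIX_INTERNAL_PROXY = """<network>
  <name>Whonix-Internal-Proxy</name>
  <bridge name='virbr2' stp='on' delay='0'/>
</network>"""

WHONIX_INTERNAL = """<network>
  <name>Whonix-Internal</name>
  <bridge name='virbr3' stp='on' delay='0'/>
</network>"""

# Constructed stand-in for libvirt's stock 'default' network: NAT plus a DHCP
# server, which is what the thread advises keeping away from Whonix-Gateway.
DEFAULT_NAT = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"""


def classify_network(xml_text):
    """Return (name, kind, has_dhcp). kind is the <forward mode> ('nat',
    'route', 'bridge', 'open', ...), 'nat' if <forward/> carries no mode
    (libvirt's default), or 'isolated' when there is no <forward> at all."""
    root = ET.fromstring(xml_text)
    fwd = root.find('forward')
    kind = 'isolated' if fwd is None else fwd.get('mode', 'nat')
    has_dhcp = root.find('./ip/dhcp') is not None
    return root.findtext('name'), kind, has_dhcp


def audit_chain(chain):
    """chain: network XML strings ordered from the workstation outward, e.g.
    [Whonix-Internal, Whonix-Internal-Proxy, Proxy-External]. Every hop but the
    last must be isolated, the last must be NAT, and no hop may run libvirt's
    DHCP server. Returns a list of findings; empty means the chain is clean."""
    findings = []
    for i, xml_text in enumerate(chain):
        name, kind, has_dhcp = classify_network(xml_text)
        is_egress = i == len(chain) - 1
        if not is_egress and kind != 'isolated':
            findings.append(f"{name}: inner hop has forward mode '{kind}', must be isolated")
        if is_egress and kind != 'nat':
            findings.append(f"{name}: egress hop is '{kind}', expected nat")
        if has_dhcp:
            findings.append(f"{name}: libvirt DHCP is enabled, use static addressing")
    return findings


def overlapping_interfaces(ifaces):
    """ifaces: {'eth0': ('10.152.152.9', '255.255.192.0'), ...} for one VM.
    Returns interface pairs whose subnets overlap. A gateway whose inside and
    outside interfaces share a subnet cannot be kept apart by routing alone,
    which is the leak risk behind the 'use a different netmask' advice."""
    nets = {n: ipaddress.ip_network(f'{a}/{m}', strict=False)
            for n, (a, m) in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Whonix-Gateway addressing as posted above vs. the Whonix default layout.
GATEWAY_AS_POSTED = {'eth0': ('10.152.152.9', '255.255.192.0'),
                     'eth1': ('10.152.152.10', '255.255.192.0')}
GATEWAY_DEFAULT = {'eth0': ('10.0.2.15', '255.255.255.0'),
                   'eth1': ('10.152.152.10', '255.255.192.0')}

if __name__ == '__main__':
    print(audit_chain([WHONIX_INTERNAL, WHONIX_INTERNAL_PROXY, PROXY_EXTERNAL]) or 'chain OK')
    print(audit_chain([WHONIX_INTERNAL, DEFAULT_NAT, PROXY_EXTERNAL]))
    print('posted gateway overlap:', overlapping_interfaces(GATEWAY_AS_POSTED))
    print('default gateway overlap:', overlapping_interfaces(GATEWAY_DEFAULT))
```

Feed it the output of `virsh net-dumpxml <name>` for each network rather than the hand-written XML, since libvirt fills in defaults (and a stray `<ip>` element) that the file you wrote may not show.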

Yes

I was only gone for half a day and this thread has really ballooned :)

Let me elucidate.

WS → INTERNAL → GW → EXTERNAL (Network settings edited to not specify an IP range to make absolutely sure it is isolated) → PROXYVM → DEFAULT NAT Network (should be safe to use even without a dhcp client on proxyvm provided you set a static IP for egress that falls in 192.168.122.0/24)

Reading what you want to accomplish with proxyvm, I have to ask if you tried Tor bridges or the Tunnel Tor through VPN feature on Whonix GW.


This goes into the VM settings, not the networks. I wouldn't play with it though, as it is a choice between using virtio or vhost; the latter would give better performance but increases risk in case a vulnerability is found, because it is a kernel module and not a userspace implementation like virtio.


I was only gone for half a day and this thread has really ballooned

Yes, that’s for sure ;) Actually, I appreciate the time you spend on support. Although not immediately, @Patrick and I kind of reached an understanding; it was difficult for me to explain what exactly I want to implement. Thank you for such valuable help on your part.

WS → INTERNAL → GW → EXTERNAL (Network settings edited to not specify an IP range to make absolutely sure it is isolated) → PROXYVM → DEFAULT NAT Network (should be safe to use even without a dhcp client on proxyvm provided you set a static IP for egress that falls in 192.168.122.0/24)

Essentially, I followed this recommendation and always tried to set a static IP. The key fact is that the Whonix developers did not configure the network this way for no reason. And since the developers set it up this way, it means I also have to go this way. But after you pointed out that I can use the default NAT, I hesitated a bit. In fact, I pointed out in the second post that I am not sure about such an implementation using DHCP.

DEFAULT NAT Network (should be safe to use even without a dhcp client on proxyvm provided you set a static IP for egress that falls in 192.168.122.0/24)

But if you put the Whonix virtual machine in a separate NAT network, then it will not be on the same network as the other virtual machines using the default NAT. Even if a static IP address is assigned to the Whonix gateway, the “default” NAT is still used by other home machines, and what if they are hacked? Will this create an attack vector against the Whonix gateway, as well as against other virtual machines? A hacked virtual machine will know that it is not alone in this subnet.

Reading what you want to accomplish with proxyvm, I have to ask if you tried Tor bridges or the Tunnel Tor thru VPN feature on WHonix GW.

The problem is that DPI blocks Tor, and obfs after a certain time; apparently it classifies the traffic. I used a VPN. It is also often blocked. Therefore the goal does not justify the money spent on buying it or running my own server. At the same time, a VPN is difficult to configure on a personal server, and then on the computer, so as not to route all traffic: I do not want the VPN to encrypt all traffic, but for this you need to dig into the settings. On the Whonix gateway, to be honest, I could not get the VPN to work. I also noticed that DPI checks my connections before certain protocols are used, while simultaneously studying what exactly is behind the server and what services are listening on the ports. Therefore, I redirect my traffic through a TLS/http2 capsule; the nginx server receives the traffic and sends it to a local port. Therefore, DPI does not know about the existence of the proxy. I recently switched to websocket via a CDN to minimize possible blocking of my server.

Can you diagram this for me to understand better?

Interesting. I think you should let the Tor Project know this as they are interested in tracking the progress of the censorship war and take appropriate measures to circumvent.
I presume you tried meek too.

Can you diagram this for me to understand better?

I was just trying to understand why a separate Whonix NAT network is being created. Hence my questions about whether it is safe to add Whonix to the “default” NAT. Now I am more inclined to believe that a separate network for Whonix is created solely from a technical point of view, and not from a security point of view, right? For example, if you add Whonix to the “default” NAT and the host has many virtual machines, the IP address used by the Whonix Gateway may already be in use by another virtual machine. Since the IP address of a new virtual machine is automatically assigned from the DHCP range, if it matches the Whonix Gateway IP, will it create an IP address conflict? That is actually all.

Interesting. I think you should let the Tor Project know this as they are interested in tracking the progress of the censorship war and take appropriate measures to circumvent.
I presume you tried meek too.

I think this is not so critical for my location. The Tor project is unlikely to make any decisions in this situation. Such problems are observed mainly with large Internet providers, in connection with new censorship laws. For example, some of my friends did not encounter this problem. At work, for example, I also have access to the Tor network, although only through obfs4 bridges. With “meek” I could not gain access. I always thought that the “meek” server was blocking access from my location, even when the network itself was not censored.

The Tor project has its own analytics of connections to Tor, and there are also many posts on the net complaining about Tor blocking. There are several well-known countries where there is no freedom for Tor. I’m sure Tor developers are working on solutions to bypass blocking. I also believe that everything that is publicly accessible and uncontrolled is always censored in totalitarian countries, etc. They first blocked the Tor bridges, and then the obfs3/obfs4 bridges. Somewhere it is partially blocked, somewhere completely. The same thing will happen with any new type of encryption or protocol designed to bypass blocking. It will also work for a while. Once they learn to classify it, the blocking will begin. This is actually an endless war.

There’s no separate one it is the default NAT I’m talking about for proxyvm egress.

Perhaps we are talking about different things. For me, the default NAT is the network that is automatically created when installing libvirt, qemu-kvm and bridge-utils.

It has the following characteristics:

<network>
  <name>default</name>
  <uuid>............................................</uuid>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name="virbr0" stp="on" delay="0"/>
  <mac address="......................................"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
    </dhcp>
  </ip>
</network>

When we install Whonix, a separate NAT network is added. It has these characteristics:

<network>
  <name>Whonix-External</name>
  <uuid>.........................................</uuid>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name="virbr1" stp="on" delay="0"/>
  <mac address="........................."/>
  <ip address="10.0.2.2" netmask="255.255.255.0">
  </ip>
</network>

By “default”, do you mean the network that is added during the installation of Whonix? I personally understand it as the first one, not the Whonix one. That is where the misunderstanding comes from.