Connections between two different Whonix-Workstations

apsynote · October 23, 2023, 7:13pm

I’m running VirtualBox on a Debian host. I have the default Whonix-Workstation and Whonix-Gateway VM’s as well as 2 Whonix-Custom-Workstation VM’s. One of the custom VM’s is running Debian and the other one is running Windows. I’m trying to test internal networking between the VMs. I run a simple Python file server with the python -m http.server command on both machines. The server is accessible from within the same machine it’s run from on both localhost and its internally assigned IP address. However, when I try to access it from any other VM, be it another custom VM or the default workstation VM the connection times out / errors out. I looked through the docs at (/wiki/Whonix-Workstation_to_Whonix-Workstation_Connections) but it looks like my setup should work just fine. What am I doing wrong? I remember being able to access other VM’s server between 2 regular VirtualBox Debian VM’s without configuring anything.

user@debian:~$ curl 10.152.152.12:8000
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
...
</body>
</html>

user@debian:~$ curl 10.152.152.50:8000
curl: (7) Failed to connect to 10.152.152.50 port 8000 after 0 ms: Couldn't connect to server

PS C:\Users\user> curl 10.152.152.12:8000
curl : Unable to connect to the remote server
At line:1 char:1
+ curl 10.152.152.12:8000
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

PS C:\Users\user> curl 10.152.152.50:8000


StatusCode        : 200
StatusDescription : OK
Content           : <!DOCTYPE HTML>
                    <html lang="en">
                    <head>
                    <meta charset="utf-8">
                    <title>Directory listing for /</title>
                    </head>
                    <body>
                    <h1>Directory listing for /</h1>
                    <hr>
                    <ul>
                    <li><a href=".venv/">.venv/</a></li>
                    <li...
RawContent        : HTTP/1.0 200 OK
                    Content-Length: 756
                    Content-Type: text/html; charset=utf-8
                    Date: Mon, 23 Oct 2023 19:25:33 GMT
                    Server: SimpleHTTP/0.6 Python/3.12.0

                    <!DOCTYPE HTML>
                    <html lang="en">
                    <head>
                    <meta...
Forms             : {}
...

[workstation user ~]% curl.anondist-orig 10.152.152.12:8000           
curl: (28) Failed to connect to 10.152.152.12 port 8000 after 131126 ms: Couldn't connect to server
zsh: exit 28    curl.anondist-orig 10.152.152.12:8000

[workstation user ~]% curl.anondist-orig 10.152.152.50:8000
curl: (28) Failed to connect to 10.152.152.50 port 8000 after 129361 ms: Couldn't connect to server
zsh: exit 28    curl.anondist-orig 10.152.152.50:8000

extraextra · October 24, 2023, 12:49am

Need to open port in workstation firewall.

apsynote · October 24, 2023, 8:46am

Thank you for your suggestion! However, if the Whonix-Workstation firewall was the problem then there would be no issues in connecting between the 2 Whonix-Custom-Workstation VMs and based on the docs the firewall has to be only reconfigured if the Whonix-Workstation VM acts as a server which it does not in my setup.

I just created another setup with 2 regular VirtualBox Ubuntu and Windows VMs connected through an internal network with a DHCP server attached and they seem to be able to talk between each-other just fine without me having to do anything on both guests. Could it be that the problem lies in Whonix-Gateway VM?

Patrick · October 24, 2023, 9:50am

This looks like Windows. Windows firewall blocking stuff?

Probably easier to use Debian first as operating system in a custom operating system for testing purposes as it does not come with a firewall by default at time of writing.

Following this theory, you can shut it down then it shouldn’t be able to interfere but I don’t see how it could interfere.

Host virtualizer settings could make a difference.

You could use a normal Whonix-Workstation VM A) and another Whonix-Workstation VM B). Then re-install Debian (for simplicity, not Windows) (since it does not come with a firewall by default which complicates things) in these VMs. And check if that works.

Or you could look in how far the VM settings are different. Documented just now:
Dev/VirtualBox - Kicksecure chapter Compare VM Settings in Kicksecure wiki

apsynote · November 2, 2023, 11:42am

I’ve set up another Debian Whonix Custom Workstation VM and they could make successful requests to each other, while the Windows or the default Whonix Workstation VMs couldn’t connect to either Debian server. Thank you for your suggestions! I’ll look into their firewall settings.

apsynote · November 2, 2023, 11:56am

Gee… It was an active VPN connection the whole time (at least for Windows). Turning VPN off made the Windows VM successfully make requests and serve requests on the internal network as well. Still didn’t fix the default Whonix Workstation VM not being able to make requests to either machine, though the docs specify that no changes have to be made to Whonix Workstation if it acts as a client.

Patrick · November 2, 2023, 6:02pm

related wiki page:

Added hint for that in the wiki just now.

For debugging, try:

Disable Whonix-Workstation Firewall Until Reboot

Or:

Permanently Disable Whonix-Workstation Firewall