Do Multiple-Whonix-Gateways Require Different Whonix-External Virtual NIC's?

anon-ee · June 2, 2024, 4:38am

When setting up Multiple-Whonix-Gateways following the whonix docs (KVM) it recommends only changing the internal network to route packets from Workstation to the correct Gateway. Is there no problems with having two Gateways using the same NAT Virtual adapter to send traffic?

It might be something else but when I run more than one Gateway at the same time one seems to block the other’s traffic.

Any advice on how to test if this is happening would be appreciated.

HulaHoop · June 28, 2024, 8:31am

I assume you paired each workstation with its own gateway in a ratio of 1:1. The external network lacks dhcp so the multiple gateways use the same hardcoded IP which causes the conflict you’re seeing. You must create a separate external network too for this to be resolved.

Patrick · June 29, 2024, 11:06am

This means documentation is currently incomplete?

HulaHoop · July 2, 2024, 7:02am

Indeed, added now

JasonPo · May 24, 2025, 6:04pm

so I can’t configure another Whonix-External virtual NIC because it asks for IP but it is already used in first External NIC(10.0.2.2).

Do you have a solution?

hoek · June 27, 2025, 3:34pm

Here are the steps that are missing on Wiki for multiple Gateways:

Clone Whonix-Gateway virtual machine in virt-manager. For the purposes of this guide, call it Whonix-Gateway2

Then export current Whonix networks:

sudo virsh net-dumpxml Whonix-Internal > Whonix-Internal2.xml
sudo virsh net-dumpxml Whonix-External > Whonix-External2.xml

Edit both files, starting from Whonix-Internal2.xml

<network>
  <name>Whonix-Internal2</name>
  <bridge name='virbr4' stp='on' delay='0'/>
  <dns enable='no'/>
</network>

then Whonix-External2.xml

<network>
  <name>Whonix-External2</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr3' stp='on' delay='0'/>
  <dns enable='no'/>
  <ip address='10.0.3.2' netmask='255.255.255.0'>
  </ip>
</network>

In the external one, I also changed the IP address to avoid a collision with the network configured in the original Whonix-External.

Import both networks:

virsh -c qemu:///system net-define Whonix-Internal2.xml
virsh -c qemu:///system net-autostart Whonix-Internal2
virsh -c qemu:///system net-start Whonix-Internal2
virsh -c qemu:///system net-define Whonix-External2.xml
virsh -c qemu:///system net-autostart Whonix-External2
virsh -c qemu:///system net-start Whonix-External2

In the cloned Whonix-Gateway2 machine, change the network card settings from Whonix-Internal to Whonix-Internal2 and from Whonix-External to Whonix-External2.

Now, you need to change the network settings inside the Whonix-Gateway2 machine. You can modify the 30_non-qubes-whonix file, but to avoid interfering with the official Whonix files, which may be overwritten during updates, you can create a new 50_custom-whonix file. This will partially overwrite the 30_non-qubes-whonix file.

Boot the Whonix-Gatewa2 machine and create a new file.

nano /etc/network/interfaces.d/50_custom-whonix

put inside

# Custom Whonix Gateway overrides (loaded after 30_non-qubes-whonix)
auto eth0
iface eth0 inet static
	pre-up ip addr flush dev eth0
    address 10.0.3.15
    netmask 255.255.255.0
    gateway 10.0.3.2

Restart network interface (or whole machine):

sudo ifdown eth0 && sudo ifup eth0

Everything should be working now. To test this, run the updates on Whonix-Gateway2 using the command upgrade-nonroot.

Now on your other machines you can choose Whonix-Internal2 network and it will use Whonix-Gateway2 as gateway

I also described it in my last blog article. There are some other cool things related to my Whonix configuration on KVM there, too. (Whonix for KVM)

Patrick · June 28, 2025, 10:02am

Possible to edit the wiki and add any missing steps?

hoek · June 29, 2025, 10:38am

Oh, it has been added cool, thank you, I am glad I could help

Patrick · June 29, 2025, 2:47pm

No edit was made since my last post in this forum thread.

nurmagoz · July 8, 2025, 4:09pm

Worked but you forgot major step, which is changing Whonix-Gateway2 interfaces to use Internal2/External2

sudo virsh edit Whonix-Gateway2

Then search for <interface type='network'>

There are 2 of them, beneath each one has

<source network='Whonix-External'..

and

<source network='Whonix-Internal'..

add 2 to them to match the early created sources.

Then it should work.

Thanks for that, will update the wiki accordingly.

hoek · July 8, 2025, 5:22pm

thanks, I wrote
“In the cloned Whonix-Gateway2 machine, change the network card settings from Whonix-Internal to Whonix-Internal2 and from Whonix-External to Whonix-External2 .”

I did it in GUI and just mentioned it, but yeah it is worth to show the commands and how to change it in CLI.

Patrick · July 12, 2025, 6:14am

How to use Multiple Whonix-Gateway for KVM has been updated by @nurmagoz.

Please review if this looks good now.