Exploring Inter-VM Networking Methods

FYI:

I just posted the following topic to the Dev/Qubes wiki page:

Inter-VM Networking:

Current Qubes + Whonix implementation has both the Whonix-Gateway and Whonix-Workstation connected to the same backend FirewallVM and iptables forwarding is manually established between the Whonix IP addresses. This current method is really just an efficient hack for our initial Qubes + Whonix implementation. The native/proper way to network VMs in Qubes is via chaining their networking “backend” together, which is part of Xen networking structure. This is how other VMs in Qubes are networked, including TorVM. According to Qubes devs, these Xen backends provide simple point-to-point networking between VMs. So this would be advantageous for further isolation of inter-VM Whonix traffic, since, currently, all inter-VM traffic is routed through the internet-facing FirewallVM, which can also be shared by other VMs. This current implementation with a shared FirewallVM could be somewhat of a security concern for inter-VM traffic, and a reason to move to native/proper isolated point-to-point “backend” networking. Also, in the future, it is desirable to leverage full ProxyVM/ServiceVM networking between Whonix-Gateway and Whonix-Workstation, as the TorVM does. ProxyVM utilizes Xen “backend” networking but automates it with transparent Qubes GUI networking, making use of dynamically created virtual networking interfaces. Whonix may need to add onto or adjust its internal networking setup to be compatible with such native Qubes networking.
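Added example, not from this thread or from the Qubes/Whonix projects: the wiki text above notes that the Whonix inter-VM path today relies on manually established iptables forwarding inside a FirewallVM that other VMs may share. A quick way to check that this forwarding is pinned to the Gateway/Workstation pair is to audit the FORWARD chain as printed by `iptables -S FORWARD`. The addresses, vif names and sample rule lines below are constructed for illustration.

```python
import re

# Constructed sample of `sudo iptables -S FORWARD` output from a FirewallVM
# (hypothetical addresses and vif names, not taken from the thread).
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -s 10.137.3.12/32 -d 10.137.3.21/32 -i vif3.0 -o vif4.0 -j ACCEPT
-A FORWARD -s 10.137.3.21/32 -d 10.137.3.12/32 -i vif4.0 -o vif3.0 -j ACCEPT
-A FORWARD -s 10.137.3.21/32 -j ACCEPT
"""

GATEWAY_IP = "10.137.3.12"      # hypothetical Whonix-Gateway address
WORKSTATION_IP = "10.137.3.21"  # hypothetical Whonix-Workstation address

# A FORWARD rule line: everything between "-A FORWARD" and the final "-j TARGET".
RULE_RE = re.compile(r"^-A FORWARD(?P<body>.*?) -j (?P<target>\S+)$")
ADDR_RE = re.compile(r"(-s|-d)\s+(\S+)")


def audit_forward(rules_text, gw, ws):
    """Return (policy, findings).

    A finding is an ACCEPT rule whose source/destination pair is anything other
    than gateway->workstation or workstation->gateway (including rules that
    leave one side unspecified), plus a note if the chain policy is not DROP.
    Only -s/-d matches are inspected; this is a simplified audit, not a parser
    for the full iptables rule grammar.
    """
    allowed = {(gw, ws), (ws, gw)}
    policy = None
    findings = []
    for line in rules_text.splitlines():
        if line.startswith("-P FORWARD"):
            policy = line.split()[-1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        src = dst = None
        for flag, addr in ADDR_RE.findall(m.group("body")):
            addr = addr.split("/")[0]  # drop the /32 prefix length
            if flag == "-s":
                src = addr
            else:
                dst = addr
        if (src, dst) not in allowed:
            findings.append(line)
    if policy != "DROP":
        findings.append(f"policy is {policy}, expected DROP")
    return policy, findings
```

Run it against real output with `audit_forward(open("forward.txt").read(), GATEWAY_IP, WORKSTATION_IP)` after saving the chain listing; in the constructed sample the third ACCEPT rule is reported because it lets the workstation address reach any destination through the shared FirewallVM.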

Discussions related to this topic:

When I build the Whonix appvm template as indicated in [url=https://www.whonix.org/forum/index.php/topic,537.0.html]Whonix Forum[/url] and then create a ProxyVM from that template, does it not create all the required hooks into the XEN backend? I am assuming it does, since when I select the ‘whonix-proxy’ as the netvm of choice in another appvm, the ‘whonix-proxy’ does automatically create the vifx.0 interfaces within ‘whonix-proxy’.

Just looking for confirmation, since I am in the process of configuring the ‘whonix-proxy’ to work within this network structure (no eth1).

[quote=“nrgaway, post:2, topic:511”]When I build the Whonix appvm template as indicated in [url=https://www.whonix.org/forum/index.php/topic,537.0.html]Whonix Forum[/url] and then create a ProxyVM from that template, does it not create all the required hooks into the XEN backend? I am assuming it does, since when I select the ‘whonix-proxy’ as the netvm of choice in another appvm, the ‘whonix-proxy’ does automatically create the vifx.0 interfaces within ‘whonix-proxy’.

Just looking for confirmation, since I am in the process of configuring the ‘whonix-proxy’ to work within this network structure (no eth1).[/quote]

Good question… I’m not sure about that.

You mentioned building a custom Debian Wheezy Template for Qubes to use for the ProxyVM.

My comparable experiences so far are with the official Qubes Debian Jessie Community Template, which currently does not have ProxyVM support built into it.

Although, Qubes developers have mentioned to me that it would be “easy” to add that to their Debian Jessie template.

Reference discussion: https://groups.google.com/d/topic/qubes-devel/fuB64BGq1so

So based on the fact that their Debian Jessie template doesn’t seem to automatically work as a ProxyVM, it might not automatically do what is needed in your custom Debian Wheezy Template without you developing that.

However, the Qubes devs are helpful on the mailing lists and could probably point out exactly what you would need with this, if it doesn’t automatically work.

If I run into problems with the whonix-proxy, I will look into it further.

For the present I will assume it’s supported, since when an appvm is instructed to use the ‘whonix-proxy’ as its netvm, the appvm does receive a proper IP address and the ‘whonix-proxy’ does automatically add the interface for the appvm.

Guess I should check the ‘whonix-proxy’ logs to see if it’s receiving traffic from the appvm.

[quote=“nrgaway, post:4, topic:511”]If I run into problems with the whonix-proxy, I will look into it further.

For the present I will assume it’s supported, since when an appvm is instructed to use the ‘whonix-proxy’ as its netvm, the appvm does receive a proper IP address and the ‘whonix-proxy’ does automatically add the interface for the appvm.

Guess I should check the ‘whonix-proxy’ logs to see if it’s receiving traffic from the appvm.[/quote]

Yeah, since it automatically adds the corresponding vif interface in the ProxyVM, then maybe it already is completely working. Hopefully the traffic is flowing. Looking forward to hearing more of your exciting progress. Will be jumping in for some testing soon.

More recent thread on this topic:

https://forums.whonix.org/t/multiple-whonix-workstations-that-can-communicate-with-each-other