Guide: Easy Fix for Whonix Firewall Kill Switch

Hi devs, you’re all doing an incredible job and I’ve donated twice already. Thank you! :upside_down_face: (I’m alex_tanner but forgot my pw)

There has been a lot of debate about a fail-closed mechanism or a kill switch for VPN users on Whonix (cutting off all traffic to Tor if the VPN drops).

This recommended script VPN-Firewall by adrelanos on Github is fine, but there is a much quicker, safer and more efficient way to achieve this.

This guide is for VPNs that are set up on the host.
Literally all you have to do is modify your Whonix-External.xml to reflect the following:

<network>
  <name>Whonix-External</name>
  <forward dev='tun0' mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
  </ip>
</network>

This is the key component, specifically telling libvirt to use tun0 for NAT.
<forward dev='tun0' mode='nat'/>

Libvirt will automatically create these iptables rules when the Whonix-External network is started, only allowing established forwarded traffic between the Whonix Gateway and the tun0 interface.
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr1 -o tun0 -j ACCEPT

That’s it.

If your VPN connection drops, all Whonix connectivity will die instantly, because tun0 is the only target for NAT.

Thus, incoming traffic can’t get through, because the ESTABLISHED connection rule points to the internal IP of your tun0 interface (which is not assigned if the VPN drops), and outgoing doesn’t work either for the same reason.

Hope this helps. :grinning:

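As an added example (not from the original post, and not Whonix or libvirt code): a small Python audit that parses a libvirt network definition like the one above together with an `iptables -S FORWARD` dump, and reports every ACCEPT rule that forwards guest traffic from the bridge out of anything other than the interface named in `forward dev=`. It carries two constructed cases, the pinned `dev='tun0'` definition from the post and the same network with `dev` omitted, plus simplified rule dumps in the spirit of what libvirt installs for each; the exact rules on a real host may differ, so run it against your own `iptables -S FORWARD` output.

```python
"""Audit a libvirt NAT network and its FORWARD rules for the fail-closed
property described in the post: traffic from the guest bridge may only be
forwarded out through the VPN tunnel interface named in <forward dev=...>.

Added example, not part of the original post or of Whonix/libvirt.
All XML and rule dumps below are constructed for illustration.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed: the network definition from the post, NAT pinned to tun0.
FAIL_CLOSED_XML = """<network>
  <name>Whonix-External</name>
  <forward dev='tun0' mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='10.0.2.2' netmask='255.255.255.0'>
  </ip>
</network>"""

# Constructed: same network without dev=, so NAT is not tied to the tunnel
# and guest traffic is forwarded out of whatever interface the route picks.
LEAKY_XML = FAIL_CLOSED_XML.replace("<forward dev='tun0' mode='nat'/>",
                                    "<forward mode='nat'/>")

# Constructed, simplified `iptables -S FORWARD` dumps for the two cases.
FAIL_CLOSED_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr1 -o tun0 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
"""

LEAKY_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
"""


def parse_network(xml_text):
    """Return (bridge name, forward mode, forward dev) from a libvirt <network>."""
    root = ET.fromstring(xml_text)
    bridge = root.find("bridge").get("name")
    fwd = root.find("forward")
    mode = fwd.get("mode") if fwd is not None else None
    dev = fwd.get("dev") if fwd is not None else None
    return bridge, mode, dev


def parse_rules(dump):
    """Reduce each `-A FORWARD ...` line to the in/out interface and target."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue  # skip the policy line and anything that is not a rule
        rule = {"in": None, "out": None, "target": None}
        i = 0
        while i < len(toks):
            if toks[i] in ("-i", "-o", "-j"):
                key = {"-i": "in", "-o": "out", "-j": "target"}[toks[i]]
                rule[key] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def audit(xml_text, rule_dump):
    """Return a list of findings; an empty list means guest traffic can only
    leave via the tunnel interface, i.e. the network fails closed."""
    findings = []
    bridge, mode, dev = parse_network(xml_text)
    if mode != "nat":
        findings.append(f"forward mode is {mode!r}, expected 'nat'")
    if not dev:
        findings.append("forward element has no dev=, NAT is not pinned to the VPN tunnel")
    for r in parse_rules(rule_dump):
        if r["target"] != "ACCEPT" or r["in"] != bridge:
            continue  # only ACCEPT rules for traffic entering from the guest bridge matter
        if r["out"] == bridge:
            continue  # guest-to-guest on the same bridge is not an uplink
        if dev is None or r["out"] != dev:
            where = r["out"] or "any interface"
            findings.append(f"ACCEPT from {bridge} to {where} bypasses {dev or 'the tunnel'}")
    return findings


if __name__ == "__main__":
    for label, xml_text, rules in (("pinned to tun0", FAIL_CLOSED_XML, FAIL_CLOSED_RULES),
                                   ("dev omitted", LEAKY_XML, LEAKY_RULES)):
        result = audit(xml_text, rules)
        print(f"{label}: {'fail-closed' if not result else 'LEAK'}")
        for f in result:
            print("  -", f)
```

On a real host, replace the constructed dumps with the output of `iptables -S FORWARD` (or `iptables-save` filtered to the FORWARD chain) and the XML with `virsh net-dumpxml Whonix-External`; any finding means there is an ACCEPT path for guest traffic that does not depend on the tunnel interface existing.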

Thank you!

VPN-Firewall covers all host VPN traffic. However, for users who wish to only ensure that traffic originating from Whonix-Gateway goes through a VPN inclusive of a fail-closed mechanism but excluding host traffic from the VPN this seems like a very interesting solution.

I didn’t look into it because I am not maintaining Whonix KVM.

Thanks @alexa_tanner for your guide.

@Patrick I would like to document this. I think it belongs on the VPN page: Whonix → VPN → Tor?

Connecting to a VPN before Tor yes