hilink 3g modem problem

Hello! I can’t connect my 3G modem to whonix-gateway. This modem appears as an Ethernet card and does not require installing any software in other distributions.
whonix-gateway situation in pictures:

I need help.

Good day,

You shouldn’t connect a modem of any kind to your Gateway, as it uses your host’s connection. Simply install the modem on your host OS and it should work with Whonix.

Have a nice day,

Ego

1 Like

I shouldn’t connect a modem of any kind to my host OS :) Because of security reasons. I can install the modem only on a guest machine.

Fair enough. But now things get complicated.

Options:

  1. Complicated and risky: For the same reasons you don’t want to add the modem to the host, you shouldn’t add it to the gateway. Also requires writing iptables rules yourself and perhaps changing scripts to match up network interfaces.

  2. Complicated and safer: Create a third guest VM to interface with your modem. You need to write iptables rules to forward traffic and perhaps add routes.

  3. Use QubesOS which is designed to host network devices in Guest VMs. Some learning curve is involved (and hardware requirements are greater) but at least your use case is Supported. And no need to learn iptables.

1 Like

I don’t know why I can’t add the modem to the gateway.
Where are the risks?

Good day,

Because it goes fundamentally against the design of Whonix and thus the outcome is unknown. Furthermore, due to the nature of virtualization, it’ll always “go” through your host OS, even if you set it up on a guest.

Have a nice day,

Ego

I don’t install the drivers for the modem on the host OS. Only the driver for the VirtualBox device. What passes through the host?
3 virtual machines will complicate the configuration and use a lot of resources. The more complex the configuration, the greater the probability of error.

Good day,

Since you connect the modem to hardware running on the host (i.e. your USB-Port) it must pass through it first.

Thus, there is no advantage in separately emulating your connection. If you want it to be separate from the rest of your system, your only real option, as @entr0py said, would be Qubes.

Have a nice day,

Ego

2 Likes

@wertusew The issue here is that you have not sufficiently described your threat model (and we have not asked). The result is that we are answering all kinds of questions that you may or may not be interested in.

  • Against an attack to the hypervisor, it won’t matter where you put the network device. Once the hypervisor (i.e. host) is compromised, it’s game over. (Mitigating solution: physical isolation)

  • (As @Ego said,) against a DMA attack, it also won’t matter where you put the modem. You will be vulnerable unless you use an OS (like Qubes) that enforces IOMMU isolation (given compatible hardware). (Mitigating solution: Qubes)

  • Against “traditional” arbitrary code execution exploits limited to the local OS / VM, it won’t matter whether you put the device in the host or whonix-gateway. A compromise of either will be fatal to your anonymity. (Mitigating solution: use a separate VM for the network device)

  • If you use your Host OS for personal, non-anonymous activity (not recommended), and you are worried about leakage through your anonymous network device, then it would make sense to put the device in a VM and not in your Host. (Mitigating solution: (best) use a dedicated host for Whonix; (better) use VM for network device)

Correct.

It is also true that re-wiring Whonix-Gateway is non-trivial and may be error-prone as well. Whonix-Gateway is hard-coded to use eth0, eth1. It is not designed to be a portable, plug-and-play OS. Additionally, Whonix-Gateway holds “the keys to the kingdom”. If it’s compromised, it’s game-over.

So your best non-technical solution is to buy another machine for non-anonymous use and plug the modem into the anonymous host of your anonymous machine.

Given reasons above, Qubes is your best bet for ease-of-use and security.

2 Likes

OK, but I need to connect my 3G modem to whonix-gateway.
How can I do it?

Technically this is not a telecom support forum? :)

We just documented it as an option for knowledgeable users. I don’t think any of us have a similar setup to help out.