How to connect from a guest (Whonix Gateway) to a proxy client running on a host.

kelman · January 31, 2020, 9:36am

How to connect from a guest (Whonix Gateway) to a proxy client running on a host. The proxy listens for 127.0.0.1:1080 on the host.
I am trying to connect through a gateway to
12.0.2.2:1080 (using the Anon connection wizard socks5) - this IP address is assigned the default gateway (0.0.0.0) on the host.

This is unsuccessful.
Need port forwarding?
Need your help.

Patrick · January 31, 2020, 10:34am

This is probably possible but undocumented.

The following documentation might introduce the proper terminology, connection schemes, to avoid talking past reach other and might fully discourage from whatever you’re trying anyhow.

Since it says.

These configurations are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix ™ users, using Tor in isolation – without a VPN or proxy – is the correct choice.

Probably not. For explanation on port forwarding:

This might be solvable as per Self Support First Policy for Whonix by researching how to make any server running on the host available to VirtualBox VMs. I recommend to exercise this first with a Debian VM before trying this with Whonix-Gateway. Please post an update here if you figure it out. Might be interesting in future for others too.

kelman · January 31, 2020, 8:10pm

My problem is resolved.

History of the decision.
My host is fedora 31, firewalld is enabled by default.
I turned off the firewall and the connection through the proxy worked, but not as it should. For unknown reasons, only obfs4 traffic worked through my proxy, and when I disconnected the connection through the proxy, Tor did not want to connect either through obfs4 or through a simple watchdog node - some kind of error. But now I know in which direction, it seems to me, I should go - since the problem is in the firewall. I turned on the firewall again and after searching on Google I found an article on the official Libvirt website which says that when installing KVM/libvirt it creates its own zone called libvirt. My solution was to add advanced firewall rules.

Here are my steps:

Setting the proxy for listening - 10.0.2.2:1080

10.0.2.2 - ip of the Whonix Gateway virtual interface.
1080 - is the port that the proxy listens on.

Add advanced firewall rules. Allow the connection from the specified ip and port.

firewall-cmd --permanent --zone = libvirt --add-rich-rule = ‘rule family = “ipv4” source address = “10.0.2.15” port protocol = “tcp” port = “1080” accept’

10.0.2.15 - ip of the Whonix Gateway virtual machine
1080 - the port specified for listening in the proxy client.

Connected using the anon connection wizard to my socks5 client through the ip gateway and port -

10.0.2.2:1080

That is actually all. Now everything works.

jeffshead · October 29, 2023, 12:59pm

I want to do the same thing. Connect to a proxy first, then connect to Tor.

On the host, connect to an external proxy. Then the Whonix Gateway VM connects to the external proxy via the local port on the host before using Tor. This can be done by using the Anon Connection Wizard on the Whonix Gateway VM. So does this and adding this firewall rule jeopardize Whonix security in any way?

Patrick · October 30, 2023, 12:21pm

Patrick · October 30, 2023, 12:25pm

The short answer is “no”.

The long answer would not be useful. “Any extra code through which data flows is additional attack surface. But that’s a very general thing and unavoidable. If you must use that, then you don’t have a choice. So not really worth mentioning.” Hence not useful to get into details.