How to direct external gateway traffic to different network interface?

kaktus · July 26, 2019, 12:45am

Hi,

I am trying to make Whonix Gateway use a USB network adapter as an external network, instead of standard eth0 created by VirtualBox.

I have enabled USB controller for the gateway VM and connected the device, so a new network interface appeared in the gateway VM: “usb0”. Now I need to configure gateway to use this interface as an external network, instead of “eth0”. How do I do that?

I tried editing /etc/whonix_firewall.d/50_used.conf (almost a blind guess) – did not work.

Any help is much appreciated, thank you.

Algernon · July 27, 2019, 8:39am

Did you change anything else? Like removing the original network interface (eth0)?
How does /etc/whonix_firewall.d/50_user.conf look like?
Output of ifconfig?
Make sure you have only two interfaces i.e. the USB ethernet adapter and the interface for the internal network. Remove the original external interface from Virtualbox.
Then check the interface names in Whonix. If the adapter still comes up as usb0 then eth1 is now probably eth0 (not sure about that) and networking won’t work. If editing the config file does not work then you can try to rename the interfaces as per https://superuser.com/questions/914646/renaming-network-interface-with-systemd
i.e.
create a file like /etc/systemd/network/80-eth0.link :

[Match]
MACAddress=mac-address-of-usb
[Link]
Name=eth0

and /etc/systemd/network/81-eth1.link :

[Match]
MACAddress=mac-address-eth1
[Link]
Name=eth1

run: update-initramfs -uk all
reboot.

If it still does not work you can try it with udev rules as shown in the link.

Patrick · July 27, 2019, 9:46am

grep Whonix source code for eth0

https://www.whonix.org/wiki/Dev/git#grep_Whonix_source_code

kaktus · July 28, 2019, 12:42am

Thank you for the reply.

When I removed external network interface from the VM, the former ‘eth1’ became ‘eth0’, and the system complained that ‘eth1’ is down.

Editing config files would probably work, the problem is: I do not know which files to edit. I suppose this must be something in TOR configuration, and it must be an easy change. Renaming network interfaces looks like an overkill.

The “50_used.conf” file was initially empty. It is just an override for system firewall config. I added: EXT_IF="usb0" Did not help. I think it is just not the right place to change…

When the original 2 network interfaces are on + I connect the usb one, then ls /sys/class/net shows me: eth0 eth1 lo usb0, but ifconfig does not show the usb interface at all. Maybe this is a clue?..

kaktus · July 28, 2019, 1:06am

I searched the soure code at GitHub for “eth0”. The only seemingly relevant result is in ’ help-steps/grml-debootstrap’:

allow-hotplug eth0
iface eth0 inet dhcp

Searching to live gateway system I found similar lines in /etc/network/interfaces.d/30_non-qubes-whonix
This looks like network bootstrap configuration. I am going to try fiddling with it…

kaktus · July 28, 2019, 1:24am

Ok, I have edited /etc/network/interfaces.d/30_non-qubes-whonix

Commented the following lines:

auto eth0
iface eth0 inet static
*... and all the static config here*

Added following:

allow-hotplug usb0
iface usb0 inet dhcp

Rebooted.

Now I can see my usb0 interface in ifconfig output – one step closer to the win.
But now the system complains that eth0 is down and does not connect to TOR.
There must be something more to change…

Algernon · July 28, 2019, 10:37am

usb0 now gets an IP I guess?
You still need to change at least the user firewall config file. Or if this does not help maybe the config file directly (i.e. 30_whonix_gateway_default.conf), but try /etc/whonix_firewall.d/50_user.conf first.
Then restart the firewall: sudo whonix_firewall
Check the firewall rules with: sudo iptables -vnL
If it loaded succesfully it should show lots of entries.
There might be other files which require a change, however, I can’t (and you probably neither) grep through the whole source code currently because git cloning fails with:
fatal: No url found for submodule path ‘packages/hardened_malloc’ in .gitmodules
@Patrick
You can try to clone each submodule or wait for a fix or use the github search function at https://github.com/Whonix (needs an account at github to see results in the source code)

Patrick · July 28, 2019, 4:37pm

Algernon via Whonix Forum:

fatal: No url found for submodule path ‘packages/hardened_malloc’ in .gitmodules
@Patrick
You can try to clone each submodule or wait for a fix or use the github search function at https://github.com/Whonix (needs an account at github to see results in the source code)

Works for me. Tested just now.

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix

Otherwise please open a separate thread.

Patrick · July 28, 2019, 4:39pm

kaktus via Whonix Forum:

But now the system complains that eth0 is down and does not connect to TOR.

That is whonixcheck. To be found in the source code when grepping for
etih0. A test which hardcodes eth0. Not great, but also not a blocker to
achieve what you want since you could either change this in the script
or disable the test or even just ignore it. The error message from that
test result even comes with instructions how to disable that test.

kaktus · July 31, 2019, 9:57am

I have edited /usr/lib/whonixcheck/check_network_interfaces.bsh, commenting out the lines that check explicitly for eth0 carrier.

Now whonixcheck at the gateway works and even reports that I am connected to TOR! Yay! And I can see the network activity goes through USB. Now my setup seems to work.

Thank you very much for help!