How to redirect traffic from the gateway to another virtual machine KVM.

How to redirect traffic from the whonix (virbr1) gateway to another KVM virtual machine (virbr3), so that the external network connection does not come from the host? I want to separate openvpn + stunnel from the host and the gateway by running them in another virtual machine.

Default:
workstation > gateway > host system > internet

I need so:
workstation > gateway > virtual machine(OpenVpn+stunnel) > host system > internet

Not really supported. You can try creating a second “internal” network and connect GW egress to it and hope your stunnel/openvpn VM is configured to correctly redirect the traffic, but it seems pointless to me when GW supports running OpenVPN at the moment. This may change when we move to nftables.

The problem is that on the host, I quietly start my openvpn + stunnel configuration, but it doesn’t work out inside the whonix gateway, for various reasons. To begin with, WIKI with the RISEVPN example is only confusing.

Where am I mistaken?
Following the instructions - my actions are as follows:

  1. sudoedit /etc/whonix_firewall.d/50_user.conf
    add: VPN_FIREWALL=1

  2. reload firewall

  3. sudoedit /etc/sudoers.d/tunnel_unpriv
    tunnel ALL=(ALL) NOPASSWD: /bin/ip
    tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
    Defaults:tunnel !requiretty

  4. Next, I copy my certificates using scp:
    scp -P 12222 user@server:"/tmp/{openvpn-client*,ca.crt,ta.key}" /etc/openvpn/client/

    scp -P 12222 user@server:"/tmp/{eakj-*,stunnel-server.crt}" /etc/stunnel/
    (had to install openssh-client)

I then write the stunnel and openvpn configs. They look like this:

  1. /etc/stunnel/stunnel.conf
    [openvpn]
    client = yes
    accept = 127.0.0.1:1194
    connect = ipserver:443
    verifyPeer = yes
    CAfile = /etc/stunnel/stunnel-server.crt
    cert = /etc/stunnel/eakj-desktop.crt
    key = /etc/stunnel/eakj-desktop.key

systemctl start stunnel4
systemctl status stunnel4 - very good
systemctl enable stunnel4
  2. /etc/openvpn/client/openvpn-client.conf
    client
    dev tun0
    proto tcp
    remote 127.0.0.1 1194
    resolv-retry infinite
    nobind
    user tunnel
    iproute /usr/bin/ip_unpriv
    persist-key
    persist-tun

    ca ca.crt
    cert openvpn-client.crt
    key openvpn-client.key
    tls-auth ta.key 1

    remote-cert-tls server
    cipher AES-256-GCM
    verb 3


    sudo chown -R tunnel:tunnel /etc/openvpn
    sudo chown -R tunnel:tunnel /var/run/openvpn
    sudo cp /lib/systemd/system/openvpn-client@.service /lib/systemd/system/openvpn-client@openvpn.service

systemctl start openvpn-client@openvpn-client
systemctl status openvpn-client@openvpn-client

Everything starts, but there is no connection via VPN; Tor is off. Should the tun0 interface come up? ifconfig shows nothing about it.
Perhaps this is the problem?
Loaded: loaded (/lib/systemd/system/openvpn-client@.service; disabled - off?

Thanks in advance.
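An added pre-flight check, written for this thread and not part of the post or of Whonix, that parses the two configs above and flags the inconsistencies a reviewer would look for in an OpenVPN-over-stunnel chain: TCP transport, the OpenVPN remote matching stunnel's accept address, peer verification, the unprivileged user plus iproute helper, and whether the systemd instance that was started is the one the copied unit file covers. The sample configs and unit names are constructed from the post.

```python
import shlex
# Constructed sample input (not live files): the configs and unit names from the post above.
STUNNEL_CONF = """[openvpn]
client = yes
accept = 127.0.0.1:1194
verifyPeer = yes
CAfile = /etc/stunnel/stunnel-server.crt
"""
OPENVPN_CONF = """client
proto tcp
remote 127.0.0.1 1194
user tunnel
iproute /usr/bin/ip_unpriv
"""
def parse_stunnel(text):
    """Parse stunnel's INI-style config into {section: {key: value}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return sections
def parse_openvpn(text):
    """Parse an OpenVPN config into {directive: [args]} (first occurrence wins)."""
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line.split("#", 1)[0])
        if parts:
            opts.setdefault(parts[0], parts[1:])
    return opts
def check_chain(stunnel_text, openvpn_text, copied_unit, started_unit):
    """Return a list of findings; an empty list means the chain is consistent."""
    st = parse_stunnel(stunnel_text).get("openvpn", {})
    ov = parse_openvpn(openvpn_text)
    # openvpn-client@<instance> reads /etc/openvpn/client/<instance>.conf; a copied
    # unit file only takes effect if that same <instance> is the one started.
    copied = copied_unit.split("@", 1)[1].removesuffix(".service")
    started = started_unit.split("@", 1)[1]
    checks = [
        (st.get("client") == "yes", "stunnel: 'client = yes' missing, section would act as a server"),
        (st.get("verifyPeer") == "yes" and "CAfile" in st, "stunnel: server cert not verified (verifyPeer/CAfile)"),
        (ov.get("proto") == ["tcp"], "openvpn: stunnel carries TCP only, 'proto tcp' is required"),
        (":".join(ov.get("remote", [])[:2]) == st.get("accept"), "openvpn: 'remote' must equal stunnel's 'accept'"),
        (ov.get("user") == ["tunnel"] and "iproute" in ov, "openvpn: needs 'user tunnel' plus an 'iproute' helper"),
        (copied == started, f"systemd: unit file copied for instance '{copied}' but '{started}' was started"),
    ]
    return [msg for ok, msg in checks if not ok]
```

With the names from the post, the only finding is the systemd one: the copied `openvpn-client@openvpn.service` is never used because `openvpn-client@openvpn-client` was started, which is why status shows the bare template.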

On the host I used this OpenVPN config, and it works great:

client
dev tun
proto tcp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun

ca ca.crt
cert openvpn-client.crt
key openvpn-client.key
tls-auth ta.key 1

remote-cert-tls server
cipher AES-256-GCM
verb 3

Of course. How else can apps use the vpn interface?

Should be enabled I think.

My advice is to test if normal programs on the system use the VPN before attempting to tunnel Tor thru it. Makes it easier to figure out what’s wrong.

No. This is a template. To be copied. Not to be enabled.

Follow carefully.

See also:

Troubleshooting

and

How to Submit a Support Request