Whonix Wiki Download Docs News Support Tips Issues Contribute DONATE

I modified the Whonix-External.xml - Is this OK?


This is the default Whonix-External.xml

  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='' netmask=''/>

Would this be an acceptable modification to ensure all traffic passes through tun0 and won’t leak if it the VPN disconnects?

  <forward dev='tun0' mode='nat'>
    <interface dev='tun0'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='' netmask=''>

Interesting use case! Try simulating this situation by terminating the VPN connection randomly and see if the GW can still communicate with the outside world. If you want to avoid leaving network fingerprints while testing then try running a VPN server listening on the localhost and assign it tun0 instead. Wireshark may be of use.

I’ve been wondering the exact same thing and figured it out.

Adding the following to the Whonix-External.xml is all you need to achieve fail-closed.

  <forward dev='tun0' mode='nat'>

Once you start the Exernal Network, libvirt automatically generates iptable rules to facilitate traffic between virbr1 (Whonix-External) and the interface tun0.

Among other rules, these are added to the FORWARD chain to set up connectivity between WS, GW and tun0.

Incoming (only for established):
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -s -i virbr1 -o tun0 -j ACCEPT is the IP range of the Internal Network adapter virbr2, that is used by the WS. It is automatically assigned by libvirt because the IP of virbr1 that is linked to it is

Finally, you change your default FOWARD policy to drop.

/sbin/iptables -P FORWARD DROP

That’s it.

If your VPN cuts out or openvpn exits, virbr1 won’t have any matching rules to send or receive packets through any other interface and the FOWARD default drop policy will take effect.

1 Like