Installer failed. (Old title:Rewriting the whonix gateway installer script)

As said. If I use iwconfig to connect it looks connected but doesn’t change anything.

PS: Another thing: I can ping from the gateway to the workstation but not from the workstation to the gateway.

Little update. It’s still not working but it now connects wlan at boot without errors. Restarting the network works too without errors. This helped:

sudo ip addr flush dev eth0
sudo ip addr flush dev wlan0

strace iptables-save showed that there was still eth0 & eth1 instead of wlan0 & eth0. Looks like it did not use /etc/whonix_firewall.d/50_user.conf, so I just changed the variables in the main script.

ip route

default via 10.0.0.2 dev wlan0 onlink
10.0.2.0/24 dev wlan0 proto kernel scope link src 10.0.2.15
10.136.0.0/15 dev wlan0 proto kernel scope link src 10.136.24.226
10.152.128.0/18 dev eth0 proto kernel scope link src 10.152.152.10
169.254.0.0/16 dev wlan0 scope link metric 1000

Using ping -c4 -I wlan0 ipInTheWild is not permitted.

And pinging the gateway from the workstation is still not working.

Why can't I Ping the Whonix-Gateway?
Frequently Asked Questions - Whonix FAQ

Ok. Didn’t know that.

There were some more steps to do…

  1. the onion-grater config uses eth1 -> needed to change it
  2. onion-grater service wasn’t running
  3. tor at all wasn’t running -> executed whonixsetup… :smiley:

The whonixsetup couldn’t establish a tor circuit. “No route to host”

I’ll post some more detailed output tomorrow.

Hi. Here is some more output. Maybe someone can verify that at least the firewall is set up correctly.

eth0 is the interface that connects to the workstation. wlan0 is the interface that connects to the internet.

Within the onion-grater config file I changed eth1 to eth0.

ifconfig shows that the interfaces are configured the way they should. At boot or network service restart wlan0 connects automatically to the right essid etc.

ip route

default via 10.0.2.2 dev wlan0 onlink 
10.0.2.0/24 dev wlan0 proto kernel scope link src 10.0.2.15 
10.136.0.0/15 dev wlan0 proto kernel scope link src 10.136.24.226 
10.152.128.0/18 dev eth0 proto kernel scope link src 10.152.152.10 linkdown 
169.254.0.0/16 dev wlan0 scope link metric 1000 

iptables --list-rules

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9051 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9124 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9104 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9111 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9117 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9107 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9105 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9101 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9122 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9121 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9120 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9112 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9118 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9108 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9150 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9115 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9116 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9119 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9109 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9114 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9125 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 9152:9189 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 192.168.1.0-192.168.1.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.0.2.2-10.0.2.24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 117 -j ACCEPT
-A OUTPUT -m owner --uid-owner 118 -j ACCEPT
-A OUTPUT -m owner --uid-owner 123 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited

netstat -tulpan

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:9123          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9187      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9155      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9123      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9124          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9188      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9156      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9124      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9125          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9189      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9157      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9125      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9158      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 0.0.0.0:3142            0.0.0.0:*               LISTEN      1107/apt-cacher-ng  
tcp        0      0 10.152.152.10:9159      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9160      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9161      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9162      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9163      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9100          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9164      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9100      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9101          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9165      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9101      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9102          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9166      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9102      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9103          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9167      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9103      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9040      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9104          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9168      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9104      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9041          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9105          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9169      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9105      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9106          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9170      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9106      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9107          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9171      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9107      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9108          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9172      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9108      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9109          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9173      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9109      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9110          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9174      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9110      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9111          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9175      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9111      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9112          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9176      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9112      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9113          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9177      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9113      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9114          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9178      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9114      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9050      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9115          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9179      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9115      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9051      0.0.0.0:*               LISTEN      18389/python3       
tcp        0      0 127.0.0.1:9116          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9180      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9116      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9117          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9181      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9117      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9150          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9118          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9182      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9150      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9118      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9119          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9183      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9119      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9120          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9184      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9152      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9120      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9121          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9185      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9153      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9121      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 127.0.0.1:9122          0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9186      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9154      0.0.0.0:*               LISTEN      18477/tor           
tcp        0      0 10.152.152.10:9122      0.0.0.0:*               LISTEN      18477/tor           
tcp6       0      0 :::3142                 :::*                    LISTEN      1107/apt-cacher-ng  
udp        0      0 127.0.0.1:5400          0.0.0.0:*                           18477/tor           
udp        0      0 0.0.0.0:48886           0.0.0.0:*                           556/avahi-daemon: r 
udp        0      0 0.0.0.0:68              0.0.0.0:*                           9699/dhclient       
udp        0      0 10.152.152.10:5300      0.0.0.0:*                           18477/tor           
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           556/avahi-daemon: r 
udp6       0      0 :::55755                :::*                                556/avahi-daemon: r 
udp6       0      0 :::5353                 :::*                                556/avahi-daemon: r 

whonixcheck ( no route error repeats )

INFO: Starting whonixcheck...
[INFO] [whonixcheck] Tor Connection Result:
- Connecting for 0 seconds. | 5 % done. 
- Tor Circuit: not established.
- Tor reports: WARN BOOTSTRAP PROGRESS=5 TAG=conn_dir SUMMARY="Connecting to directory server" WARNING="No route to host" REASON=NOROUTE COUNT=3 RECOMMENDATION=warn HOSTID="1F6ABD086F40B890A33C93CC4606EE68B31C9556" HOSTADDR="199.184.246.250:443"
- Timesync status: not done.
- sdwdate reports: Prerequisite check not done yet. More more information, see: sdwdate-gui -> right click -> Open sdwdate's log
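The post above asks whether the firewall is at least set up correctly, and an earlier post found (via strace) that the generated rules still referred to eth1 rather than the interfaces actually present. The checker below is an added example, not code from the Whonix project or from the poster: it parses `iptables -S` / `iptables --list-rules` output and reports anything that contradicts the gateway model shown in the listing (DROP policies on all three chains, nothing accepted in FORWARD, INPUT accepts only on lo or the internal interface, OUTPUT accepts only for loopback, established flows, local destination ranges or a specific uid such as Tor's), and flags rules that name an interface the box does not have. The interface names (eth0 internal, wlan0 external) follow the thread; SAMPLE_RULES is a constructed excerpt in the same format as the posted listing, with one deliberate eth1 leftover.

```python
"""Invariant checks for a Whonix-Gateway style iptables ruleset (added example)."""
import shlex

# Constructed sample in `iptables -S` format; an excerpt, not the thread's full listing.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9051 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 117 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
"""


def parse_rules(text):
    """Return (policies, rules): chain -> policy target, plus one dict per -A rule."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        if tok[0] != "-A":
            continue  # -N chain definitions etc. carry no matching logic
        rule = {"chain": tok[1], "target": None, "in_if": None, "out_if": None, "tokens": tok}
        for i, t in enumerate(tok[:-1]):
            if t == "-j":
                rule["target"] = tok[i + 1]
            elif t == "-i":
                rule["in_if"] = tok[i + 1]
            elif t == "-o":
                rule["out_if"] = tok[i + 1]
        rules.append(rule)
    return policies, rules


def _is_established(tokens):
    # Covers both `-m state --state ESTABLISHED` and `-m conntrack --ctstate ESTABLISHED,RELATED`.
    return any("ESTABLISHED" in t for t in tokens)


def check_gateway_ruleset(text, internal_if, external_if, existing_ifs):
    """Return a list of findings (strings); an empty list means every check passed."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for r in rules:
        text_rule = " ".join(r["tokens"])
        # A rule bound to a non-existent interface never matches: the eth1 leftover case.
        unknown = {r["in_if"], r["out_if"]} - {None} - set(existing_ifs)
        if unknown:
            findings.append(f"rule references unknown interface {sorted(unknown)}: {text_rule}")
            continue
        if r["target"] != "ACCEPT":
            continue
        if r["chain"] == "FORWARD":
            findings.append(f"FORWARD accepts traffic (gateway must not route): {text_rule}")
        elif r["chain"] == "INPUT":
            if r["in_if"] == external_if:
                findings.append(f"service reachable from the external interface: {text_rule}")
            elif r["in_if"] not in ("lo", internal_if) and not _is_established(r["tokens"]):
                findings.append(f"INPUT accept not bound to {internal_if} or lo: {text_rule}")
        elif r["chain"] == "OUTPUT":
            restricted = (r["out_if"] == "lo" or _is_established(r["tokens"])
                          or any(t in ("--uid-owner", "--dst-range", "-d") for t in r["tokens"]))
            if not restricted:
                findings.append(f"OUTPUT accept is unrestricted (clearnet leak): {text_rule}")
    return findings


if __name__ == "__main__":
    # Interface names as in the thread: eth0 towards the workstation, wlan0 towards the internet.
    for f in check_gateway_ruleset(SAMPLE_RULES, "eth0", "wlan0", {"lo", "eth0", "wlan0"}):
        print("FINDING:", f)
```

On a real gateway feed it `iptables -S` output and the interface names from `ip -o link`; the eth1 finding in the sample is exactly what the strace observation in the thread would have produced.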

Update:

To get a tor connection I had to delete the default route and add a new default route. To get the route, I simply connected the work machine to the wireless network and entered:

ip route

This showed the route that works. Don’t know if this is a security risk.

To change the default route on the gateway:

ip route del default
ip route add default via xx.xxx.xxx.xxx dev wlan0 proto dhcp metric 600

After changing it whonixcheck said that the tor connection is ok. apt-get update worked on the gateway. But the iptables are pretty strict.

A connection from the workstation through the gateway was not possible. It looks like the firewall only allows connections to some ports, so I tried using the whonixworkstation within vbox with NAT as network adapter. Didn’t work.
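The "No route to host" reported by whonixcheck and the default-route fix in the post above are connected: the earlier `ip route` output had `default via 10.0.0.2 dev wlan0 onlink`, and 10.0.0.2 lies in none of the prefixes directly connected on wlan0. The `onlink` flag tells the kernel to treat the gateway as directly reachable anyway; when ARP for it then fails, sends come back with exactly that error. The script below is an added example, not from the thread or the Whonix project: it parses `ip route` output in the format shown above and classifies each default route as reachable (gateway inside a connected prefix on the same device), linkdown (inside a connected prefix whose device is down), onlink-only (outside every connected prefix but forced by `onlink`) or unreachable. SAMPLE_ROUTES is a constructed table modelled on the thread's output.

```python
"""Classify whether a default route's gateway is actually reachable (added example)."""
import ipaddress

# Constructed sample in `ip route` format, modelled on the table posted in the thread.
SAMPLE_ROUTES = """\
default via 10.0.0.2 dev wlan0 onlink
10.0.2.0/24 dev wlan0 proto kernel scope link src 10.0.2.15
10.136.0.0/15 dev wlan0 proto kernel scope link src 10.136.24.226
10.152.128.0/18 dev eth0 proto kernel scope link src 10.152.152.10 linkdown
169.254.0.0/16 dev wlan0 scope link metric 1000
"""

KEYED = {"via", "dev", "proto", "scope", "src", "metric", "table"}  # keyword followed by a value
FLAGS = {"onlink", "linkdown"}                                       # bare keywords


def parse_ip_route(text):
    """Parse `ip route` output into one dict per line, keyed by the route keywords."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        entry = {"dst": tok[0]}
        i = 1
        while i < len(tok):
            if tok[i] in KEYED and i + 1 < len(tok):
                entry[tok[i]] = tok[i + 1]
                i += 2
            else:
                if tok[i] in FLAGS:
                    entry[tok[i]] = True
                i += 1
        routes.append(entry)
    return routes


def assess_default_routes(text):
    """Return one dict per default route: gateway, device, matching connected prefix, status."""
    routes = parse_ip_route(text)
    # Directly connected prefixes: a destination with a mask and no next hop.
    connected = [r for r in routes if r["dst"] != "default" and "via" not in r and "/" in r["dst"]]
    results = []
    for r in routes:
        if r["dst"] != "default":
            continue
        gw = ipaddress.ip_address(r["via"])
        dev = r.get("dev")
        prefix = None
        for c in connected:
            if c.get("dev") == dev and gw in ipaddress.ip_network(c["dst"], strict=False):
                prefix = c
                break
        if prefix is None:
            # Without a covering prefix the kernel only accepts the route because of `onlink`.
            status = "onlink-only" if r.get("onlink") else "unreachable"
        elif prefix.get("linkdown"):
            status = "linkdown"
        else:
            status = "reachable"
        results.append({"gateway": str(gw), "dev": dev,
                        "prefix": prefix["dst"] if prefix else None, "status": status})
    return results


if __name__ == "__main__":
    for res in assess_default_routes(SAMPLE_ROUTES):
        print(f"default via {res['gateway']} dev {res['dev']}: {res['status']} (prefix {res['prefix']})")
```

Run it against `ip route` on the gateway before and after replacing the default route; a status other than `reachable` explains the Tor bootstrap warning without guessing at gateway addresses.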

Update:

According to the Whonix docs, the network configuration within the vbox work machine needs some changes.

## Whonix-Workstation
## /etc/network/interfaces in a VM
## when using Physical Isolation.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

## end of /etc/network/interfaces

Everything is working. :smiley: Big thanks to Patrick who does a really good job with developing whonix.