KVM | isolated net


Hi again.

Host KVM hypervisor.

virsh domiflist Whonix-Gateway
vnet0 default
vnet1 isolnet
virsh domiflist Whonix-Workstation
vnet2 isolnet 

If, on the HOST:
iptables -t nat -A PREROUTING ! -i lo -p tcp -j REDIRECT --to-port 1023
then no packets are sent from vnet2 to vnet1 (eth0 -- eth1) | tcpdump -i virbr1 (no tcp packets)
Why is the network stack on the host not isolated from the guest in this
so-called isolated network? How to solve this problem… In VBox
everything works without problems.


Whonix KVM uses a “very private” isolated network that cannot communicate with the host. Note that the internal network is called “Whonix”, not isolnet.


A valid network definition can contain no IPv4 or IPv6 addresses. Such a definition can be used for a “very private” or “very isolated” network since it will not be possible to communicate with the virtualization host via this network. However, this virtual network interface can be used for communication between virtual guest systems. This works for IPv4 and (since 1.0.1) IPv6. However, the new ipv6='yes' must be added for guest-to-guest IPv6 communication.
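The kind of definition the quoted passage describes, as an added example (not the Whonix project's own network file; the network name and bridge name are assumptions):

```xml
<!-- Added example, not Whonix's shipped definition: an isolated libvirt
     network with no addresses. Name and bridge name are assumptions. -->
<network ipv6='yes'>
  <name>isolnet</name>
  <!-- No <ip> element: the host gets no address on the bridge, so it
       cannot talk to guests on this network.
       No <forward> element: nothing is routed or NATed out of it.
       Guests attached to this bridge can still reach each other. -->
  <bridge name='virbr1' stp='on' delay='0'/>
  <!-- ipv6='yes' on <network> is required for guest-to-guest IPv6 on an
       address-less network (libvirt 1.0.1 or later); drop it if only
       IPv4 between guests is wanted. -->
</network>
```

Load it with virsh net-define followed by virsh net-start, then confirm with virsh net-dumpxml that no ip or forward element was added.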


Thanks for the reply!
Yes, I created the isolnet network from the XML file (downloaded from Whonix).
ifconfig virbr1
virbr1 Link encap:Ethernet HWaddr
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
virbr1: no IP address / no default gateway
But as you can see, the isolation of the network stack is not working. What can be the reason?


I could be missing something but I don’t see what the problem is.

The way libvirt networking works is it creates different network types using the host’s iptables/ebtables. What you are seeing is an isolated virtual bridge that only connects VMs assigned to it together.


The problem is that I need to send traffic from the host and Whonix-Gateway into the proxy.
The network just doesn’t work. Whonix-Workstation doesn’t send packets (HTTP) to Whonix-Gateway.


Do you want an open port in Whonix-Gateway that you can reach from the host?


No. 1. I need all TCP traffic (host and W-G) routed over ssh (redsocks). I managed to do that.
2. If
iptables -t nat -A PREROUTING ! -i lo -p tcp -j REDIRECT --to-port 1023
tcpdump -i virbr1 (no tcp packets)
virbr1 – routed traffic on port 1023 / Workstation has no internet =) no packets sent vnet2 – vnet1
VBox works fine

WG - Workstation (no connection)


Torification of host traffic using Non-Qubes-Whonix is unsupported.

We have something related that may help to develop this.

For Whonix VirtualBox we have instructions on how to ssh into Whonix-Workstation from the host through Whonix-Gateway, i.e. host -> Whonix-Gateway -> Whonix-Workstation.


I don’t think we have this documented for Whonix KVM.

As per the Free Support Principle, I suggest creating a non-Whonix, plain Debian KVM VM first. Then figure out how to connect from the host to a port inside that Debian VM. Then have a second plain Debian (non-Whonix) VM connected through an isolated network (similar to the Whonix configuration) to the first Debian VM. Once all of that has been figured out, you may be able to add Whonix into the mix. Adding Whonix into the mix from the start would make all of this a lot more difficult, since you would have multiple sources of issues (not just figuring out how to do this in the first place, but also how to do this while Whonix stream isolation and the Whonix firewall are getting in the way).


The problem is not the implementation of Whonix. The problem is: why is
the network stack between the host and the guest not isolated? Traffic
between the VMs (WG-WK) does not have to go through the host’s IP stack.