KVM Whonix bypasses host VPN

The original wording of my question was too vague and complicated, so here is my issue:

Whonix in KVM bypasses “leak-proof” VPN that is configured with OpenVPN and firewalled to only allow interface tun0. I see nothing in the docs to address this.

Has anyone else had this issue?

Steps to reproduce:

  1. ping a webserver from host (success)
  2. Start Whonix (whonixcheck passes)
  3. Disable VPN on host
  4. ping a webserver from host (fails due to firewall)
  5. Run whonixcheck on gateway (still passes)

From my understanding, this means:

  1. KVM ignores the VPN, because the gateway is using the network “external”
  2. KVM Whonix can not be routed through a VPN on the host using normal configurations

Or am I misunderstanding completely?

What is your firewall config? This can be gotten with iptables-save if using iptables.

You may be allowing traffic out from the libvirt or kvm group.


To control kvm guest traffic from host firewall,you should add rules that block traffic between virbrN and eth0 on the top of the forward chain in iptables like

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all – eth0 virbr1 anywhere anywhere
2 0 0 DROP all – virbr1 eth0 anywhere anywhere

This is not whonix specific but all other oses as well in kvm guest.
because rule that let all packet through virbN exist in the FORWARD chain.
Usually vpn kill switch affects OUTPUT chain only,so packets through FORWARD chain are ignored.