The original wording of my question was too vague and complicated, so here is my issue:
Whonix in KVM bypasses “leak-proof” VPN that is configured with OpenVPN and firewalled to only allow interface tun0. I see nothing in the docs to address this.
Has anyone else had this issue?
Steps to reproduce:
ping a webserver from host (success)
Start Whonix (whonixcheck passes)
Disable VPN on host
ping a webserver from host (fails due to firewall)
To control KVM guest traffic from the host firewall, you should add rules that block traffic between virbrN and eth0 at the top of the FORWARD chain in iptables, like:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in      out     source    destination
1        0     0 DROP    all  --  eth0    virbr1  anywhere  anywhere
2        0     0 DROP    all  --  virbr1  eth0    anywhere  anywhere
.
.
.
This is not Whonix-specific; it applies to any other OS running as a KVM guest as well, because a rule that lets all packets through virbrN exists in the FORWARD chain.
Usually a VPN kill switch affects the OUTPUT chain only, so packets going through the FORWARD chain are ignored.
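The two rules from the answer above, as an added example that is not part of the original answer or of any Whonix/libvirt tooling. It prints the iptables commands that put the DROP rules at the top of FORWARD, and it includes an audit function that reads "iptables -S FORWARD" output and reports whether guest-to-uplink traffic is dropped before anything could accept it. Interface names are assumptions (eth0 = physical uplink, virbr1 = the libvirt bridge the guest sits on); the sample chain contents are constructed to resemble libvirt's defaults, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Assumptions: eth0 is the physical uplink, virbr1 the libvirt bridge.
set -e

UPLINK="${UPLINK:-eth0}"
BRIDGE="${BRIDGE:-virbr1}"

# Print the commands that place both DROP rules at the top of FORWARD.
# "-I FORWARD 1" inserts at position 1, ahead of the ACCEPT rules libvirt
# adds for virbrN; "-A" (append) would land behind them and never match.
forward_killswitch_cmds() {
    printf 'iptables -I FORWARD 1 -i %s -o %s -j DROP\n' "$UPLINK" "$BRIDGE"
    printf 'iptables -I FORWARD 1 -i %s -o %s -j DROP\n' "$BRIDGE" "$UPLINK"
}

# Audit: read "iptables -S FORWARD" on stdin, find the first rule that can
# match bridge->uplink traffic, print "blocked" or "leaks", return 0 / 1.
# A rule with no -i or -o matches every interface, so an empty value is a
# wildcard. Other matches (-s, -m conntrack) and jumps to user chains are
# ignored, which errs on the side of reporting a leak.
forward_leak_check() {
    awk -v br="$BRIDGE" -v up="$UPLINK" '
        /^-P FORWARD / { policy = $3 }
        /^-A FORWARD / {
            inif = ""; outif = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") inif = $(i + 1)
                else if ($i == "-o") outif = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if ((inif == "" || inif == br) && (outif == "" || outif == up)) {
                verdict = (target == "DROP" || target == "REJECT") ? "blocked" : "leaks"
                exit
            }
        }
        END {
            if (verdict == "")
                verdict = (policy == "DROP") ? "blocked" : "leaks"
            print verdict
            exit (verdict == "blocked" ? 0 : 1)
        }'
}

# Constructed sample: a FORWARD chain as libvirt sets it up for a NATed
# bridge. The "-i virbr1 -j ACCEPT" rule has no -o, so it lets guest
# traffic out over eth0 even when the OUTPUT-chain kill switch is active.
libvirt_default_forward() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -d 192.168.100.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Constructed sample: the same chain after forward_killswitch_cmds ran.
hardened_forward() {
    printf '%s\n' "-A FORWARD -i $BRIDGE -o $UPLINK -j DROP" \
                  "-A FORWARD -i $UPLINK -o $BRIDGE -j DROP"
    libvirt_default_forward
}

# Usage on a real host (requires root):
#   forward_killswitch_cmds | sh
#   iptables -S FORWARD | forward_leak_check
```

Re-check after the VPN client, libvirt or a reboot rewrites the chain: libvirt reinserts its own rules when a network is started, so the DROPs must be applied after that (for example from a libvirt network hook) rather than once at boot.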