[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Muliple Whonix VM's (clones) in KVM?

From that document, for the step described:
"On the host. Clone a clean Whonix-Workstation. This will assign a new MAC address to the newly created Whonix-Workstation. "

Is this as simple as for example, within Virt-manager using the menu option “Clone VM” to make a copy of the main Whonix Workstation? There is no need to do anything else manually like copy the QCOW2 image with some special esoteric terminal command that does something mystical?

Ah okay I see, thanks… so there is in fact a little bit of “command line crap” involved in copying a VM effectively. I was hoping it was as simple as one-click and done, but at least it’s not much more elaborate a procedure.

I have been trying to get this working, and have run into a few issues which I hope can be clarified. Firstly in the section linked above, it initially desacribes the new network confgiration as:

Whonix-11

But then later states

Note that virbr0 is assigned to the default network (NAT NIC), and virbr1 to the Whonix internal network (Whonix NIC), therefore, the network name was changed to [b]Whonix2[/b] and the bridge name to virbr2.

In the first example, the network name is “Whonix-11” but in the next statement it is refered to as “Whonix2”. I assume this is just a typographic inconssitency, and that the same network name should be used uniformly? Namely, “Whonix2” in the case of the example above?

I followeds all the steps, cloned the Workstation, exported the network settings and created a new network interface “Whonix2” set to autostart, all with no issues. In the Workstation clone I set the NIC to use Whonix2 rather than default previous “Whonix” but have no network connectivity from this clone with Gateway is running.

Question: Is this setp described above assuming the existence of a second/cloned Gateway as well, whose internal NIC is set to Whonix2 in order to connect this Workstation clone? If so, is there any way to just have both Workstations use the same Gateway instead? Can a second internal-facing NIC simply be added to the one Gateway, so that it can connect the Workstation clone as well as the original Workstation, all at once?

I had found this thread: https://www.whonix.org/forum/index.php?topic=688.0

But it seems to be geared toward Qubes rather than KVM as a virtualizer. Can this be done in KVM as well, or is it necessary to clone Gateway?

Also, is there any additional step needed to assign different IP address to the cloned Gateway or Workstation? Or is just specifying the newly created interface “Whonix2” in both sufficient to accomplish this?

Thanks…

EDIT: Seems the instructions I was using, do in fact assume cloned Gateway as well as cloned Workstation:

1. Create clones of the Gateway and Workstation VMs rolled back to clean snapshots:

I missed that originally, and only cloned Workstation. Still same question remains, can I just add a second internal-facing NIC to the same one Gateway, so that it can link both Workstations? Currently under Virtual Machine Manager, Gateway still only shows two total NICs, one external facing (default NAT) and the one internal facing “Whonix”. There is no NIC for “Whonix2” available in that Gateway, even though it has been created through Virsh. Or to clarify, there IS an entry selectable for “Whonix2” for the internal-facing NIC, but it can only be set to one or the other. There is no “third” NIC that can use Whonix2, while the original one still stays using “Whonix”. Can I add this third NIC set to use Whonix2?

EDIT 2: I have created a second NIC in Gateway using Virtual Machine Manager, and assigned it to use “Whonix2” instead of “Whonix”. Inside Workstation Clone I have edited /etc/network/interfaces to increment the IP address last octet by one (from 11 to 12) and restarted everything. However, in the Clone Whonixcheck still reports “Unable to reach Tor’s controlport” even though I have done all those things.

What extra step am I still missing?

What do you mean second NIC? When you cloned the original gateway both of its NICs were cloned with it. All you need to do is to point the internal NIC to of the cloned gateway to the Whonix2 Internal network. You have to change the cloned workstation’s NIC too. You don’t have to change the NIC IP addresses at all. Revert to a clean snapshot without these changes.

I never cloned the Gateway, only the Workstation. I am trying to run two different Workstations with only one Gateway, used commonly by both Workstations, simultaneously. How do I accomplish this?

That’s a standard setup already documented somewhere else on the Whonix wiki. You won’t need to create a second internal network. The KVM documentation is only concerned with running workstations completely isolated from one another with different gateways.

I believe the standard setup documentation you mention is here: https://www.whonix.org/wiki/Multiple_Whonix-Workstations#How_to_use_more_than_one_Whonix-Workstation_-_EASY

That is also where it describes changing the IP address of the second Workstation (not the NIC) which I referenced having done above. The confusing part is that near step two of those instructions, it mentions:

"KVM: Creating Multiple Internal Networks "

And that links to the paragraph:

Open Whonix's network XML file and change the name attribute to something different than the internal network you are currently running, for example 'Whonix2' 'Whonix3' and so on. The default name used is 'Whonix'.

…Which apparently pertains more to this independent side-by-side multi-gateway-multi-workstation type of configuration than the “standard” one.

So I think there is a bit of confusing overlap between the instructions for two different kinds of setup. As I now understand it, the only thing necessary for multiple Workstations is to clone the WS, and then change its internal IP address to be different from the original, while still using the same internal network as the first. It is only when using second Gateway as well, that a second internal network is also needed. Correct?

Yes

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]