Multiple physical machines.

I am wondering if this kind of topology is possible. A virtual LAN across multiple physical machines? If not, what would be best practice to link them? All these WS instances need to be able to connect to each other. Only 1 needs to expose a service via the gateway. Maybe openvpn can do it. I wish virtualbox could. I think vmware can surely do it but I want to use open-source.

Non-Qubes-Whonix?

VMs can communicate with each other. Just open the port, usually in workstation firewall settings.

This very chapter from this page should work: Opening Ports in Whonix

(Actually it would be better if they couldn’t by default - that works better for everyone not having this specialized use case.)


Qubes / Qubes-Whonix also possible. “google”:

qubes inter-VM networking


See also:

For Openvpn, you could have something like a server set to push a certain common subnet to x number of clients. Each virtual client would have only an internal adapter. Name the internal network whatever you want and make sure all clients and the server use the same one. Each client has a corresponding ovpn client config file. All the clients would be assigned different tun0 interface addresses that the virtual server would administer (you can even make the virtual tun0’s for the clients persistent if you want.) Set your openvpn server to accept a max number of virtual clients that you decide on. The virtual server would have one config file that serves all its clients. Set up a proper PKI with easy rsa or openssl or whatever to have the best security (as opposed to static key encryption).
The openvpn server will have two interfaces: an internal one on the vpn subnet, and an external that is NAT’d to the host machine. Virtualbox can easily accommodate such a setup. Assign all interfaces manually and forget about dhcp. You can even decide if you want the virtual clients to be able to “see” each other. The clients would all then use the server as both their default gateways and their vpn connection and would not be able to reach the internet at all without being connected actively to the openvpn server. Set some iptables rules on all machines, and you will have what you are looking for. All traffic from all clients will pass through the openvpn server and exit through the host (because of how nat works).

Or maybe just open a port on the host and use vbox nat to route through to physical lan
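As an added illustration of the OpenVPN layout described in the post above (this is example configuration, not from the original posts or from the Whonix project): a server config for the VM whose internal adapter sits on the VirtualBox internal network, one matching client config, and the forwarding rules the server needs. The addresses 192.168.56.1 and 10.8.0.0/24, the adapter name eth0, the internal-network name and all certificate file names are assumptions.

```conf
# --- server.conf (OpenVPN server VM; internal adapter on intnet "wsnet") ---
# Assumed: internal adapter is 192.168.56.1, NAT'd adapter is eth0.
local 192.168.56.1              # bind ONLY to the internal network, never the NAT side
port 1194
proto udp
dev tun0
topology subnet
server 10.8.0.0 255.255.255.0   # common subnet pushed to every client
ifconfig-pool-persist ipp.txt   # keeps each client's tun address stable across restarts
client-config-dir ccd           # optional: per-client fixed addresses via ifconfig-push
client-to-client                # delete this line if the workstations must NOT see each other
max-clients 5                   # cap on the number of workstation VMs the server admits
push "redirect-gateway def1"    # clients use the server as default gateway
# PKI generated with easy-rsa (no static key); tls-crypt drops unauthenticated packets early
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
remote-cert-tls client          # only accept certs issued for the client role
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3

# --- client.ovpn (one per workstation VM; the VM has only an internal adapter) ---
client
dev tun
proto udp
remote 192.168.56.1 1194        # the server's internal-network address
nobind
remote-cert-tls server          # refuse a peer that does not present a server cert
ca ca.crt
cert ws1.crt                    # one key pair per workstation, never shared
key ws1.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3

# --- forwarding on the server (run as root; default-deny, tun0 -> eth0 only) ---
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -P FORWARD DROP
#   iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
#   iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

With `local` bound to the internal adapter and FORWARD defaulting to DROP, a workstation that is not connected to the VPN has no route out at all, which is the behaviour the post describes.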

Non-anonymous when reachable over clearnet.

Connecting host to workstation directly seems like a way to break isolation / add clearnet leaks. Mentioned in the wiki.

Whonix-Workstation Security - Whonix

Be very careful with opening ports; as @Patrick said, you will compromise your anonymity. Whonix is designed as it is shipped to be a secure closed system. In other words, the host cannot directly communicate with either the Gateway or Workstation and only serves to NAT packets to the internet. If you open ports and now have a conduit where the host can communicate directly with either virtual machine, security suffers.