Thank you so much for this! I’ve written up the solution as a 3-step process at firewall - How to configure Whonix Gateway for communication between two local Workstations in Qubes? - Tor Stack Exchange.
@xloem Thanks for the writeup! I had no idea how to do that. Might help with my problem.
entr0py, what’s this other problem you speak of?
@xloem Thanks for your interest. Problem is a very low priority pet project: Physical Isolation is back! Qubes-Whonix style - #2 by entr0py. I haven’t begun investigating yet. A good start would be learning how physical switches preserve source IPs without masquerading an intermediary IP. Don’t know enough about networking in general - perhaps it’s done with ARP tables? The trivial, messy solution would be to assign a separate proxyVM to each WS.
In the past, I’ve used a configuration that is relevant to your original question and also affected by my issue:
```
        Whonix-GW
           ^^
           ||
           ||
       LAN proxyVM
        ^^   ^
        ||   +-----+--------+---------+
        ||   |     |        |         |
       WS-A  WS-B  WS-C     WS-D
```

Here, `A` has internet access via Whonix-GW and also LAN access. `B,C,D` are restricted to LAN-only. Luckily, I only had one client connect to Whonix-GW. [Disclaimer: `B,C,D` should not be considered non-networked or air-gapped because leaks can happen through a compromised proxyVM or by exploiting `WS-A` via the LAN to leak through the proxyVM.]
I think that’s called Network Address Translation? The Linux kernel can do it. ARP tables are for mapping MAC addresses to and from IP addresses.
An important question here is whether Whonix-GW separates streams based on virtual interface or based on IP address. If it’s the former, you’ll need separate internal netvms for each client.
The qrexec solution could be briefly messy if these are different physical boxes. You’d need to invent your own channel to send the process streams over.
Talked to Marek at 33c3. In Qubes-Whonix (as opposed to Non-Qubes-Whonix), using direct IP it is impossible to have inter-VM communication without enabling IP forwarding. However, enabling IP forwarding is strongly discouraged. Therefore use the qrexec based solution.
Ok, this `qrexec` method is great, but how can I use it for something other than `ssh`? `ssh` seems lucky to have a ProxyCommand option, but most situations are not so lucky.

For instance say `bitcoind` is listening on `127.0.0.1:8332` in a dedicated workstation. How can I have `curl` from another workstation use this `qrexec` method? The only thing I could come up with so far is using this `qrexec` + `ssh` method from and then setting up an `ssh` listener in `/rw/config/rc.local`. However this seems hacky.
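An added example of the kind of "own channel" entr0py and Patrick refer to above, not code from this thread or from the Whonix project: a Qubes RPC service in the bitcoind workstation wraps the loopback port with `socat`, and a `socat` listener in the client workstation hands every accepted connection to `qrexec-client-vm`, whose stdin/stdout carry the bytes, so `curl http://127.0.0.1:8332` in the client VM reaches bitcoind without any IP forwarding. The VM names `ws-client` and `ws-bitcoind`, the service name `my.bitcoind`, the 4.0-style policy path under `/etc/qubes-rpc/policy/` (newer releases use `/etc/qubes/policy.d/`), and `socat` being installed in both templates are assumptions.

```shell
#!/bin/sh
# Added example: forward 127.0.0.1:8332 in ws-client to bitcoind's
# 127.0.0.1:8332 in ws-bitcoind over qrexec, with no IP forwarding.
# VM names and the service name "my.bitcoind" are constructed for this example.
set -eu

SERVICE=my.bitcoind     # qrexec service name (assumption)
SERVER_VM=ws-bitcoind   # VM where bitcoind listens (assumption)
CLIENT_VM=ws-client     # VM that runs curl (assumption)
PORT=8332

# Contents of /etc/qubes-rpc/$SERVICE in the server VM (or its template):
# each qrexec call becomes exactly one TCP connection to the local RPC port.
service_script() {
    printf '#!/bin/sh\nexec socat STDIO TCP:127.0.0.1:%s\n' "$1"
}

# Policy line for dom0 (/etc/qubes-rpc/policy/$SERVICE, Qubes 4.0 syntax):
# only the named client VM may call this service on the named server VM.
policy_line() {
    printf '%s %s allow\n' "$1" "$2"
}

# Command to run in the client VM: listen on loopback only and hand each
# accepted connection to qrexec-client-vm (fork = one qrexec call per client).
client_forwarder_cmd() {
    printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork EXEC:"qrexec-client-vm %s %s"\n' \
        "$1" "$2" "$3"
}

# Usage: ./qrexec-tcp.sh install-server | install-policy | run-client
case "${1:-}" in
    install-server)   # run in the template or VM that provides the service
        service_script "$PORT" | sudo tee "/etc/qubes-rpc/$SERVICE" >/dev/null
        sudo chmod 755 "/etc/qubes-rpc/$SERVICE" ;;
    install-policy)   # run in dom0
        policy_line "$CLIENT_VM" "$SERVER_VM" | sudo tee "/etc/qubes-rpc/policy/$SERVICE" >/dev/null ;;
    run-client)       # run in the client VM, then: curl http://127.0.0.1:8332/
        eval "$(client_forwarder_cmd "$PORT" "$SERVER_VM" "$SERVICE")" ;;
    *) ;;             # no action given: only define the functions above
esac
```

The listener binds to `127.0.0.1` in the client VM, so nothing outside that VM can reach the forwarder, and the policy names one caller and one target rather than `$anyvm`, so a third VM asking for `my.bitcoind` is refused by dom0. bitcoind's own RPC authentication still applies end to end, because the qrexec channel only carries bytes.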
Qubes specific question. Should be asked at Qubes support as per:
https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not
Kicksecure Forums Usage Instructions, Best Practices and FAQ
Well, whonix-gw TemplateVM is the default TemplateVM for sys-whonix which is a TemplateBased ProxyVM.
I did not use whonix-ws TemplateVM as ProxyVM. whonixcheck might complain but you could ignore that. Feel free to experiment with it.
We have that documented.
Connecting to Tor before a VPN
Dangerous? → Combining Tunnels with Tor applies.
Qubes specific. → https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not