I need a service running in whonix-ws to connect to another local VM that is using sys-firewall as NetVM
There are networking instructions in the docs when both qubes use the same NetVM, but with whonix that is not the case
whonix-ws uses > sys-whonix, which in turn uses > sys-firewall,
so we have double forwarding here.
I'm an iptables noob; how do I do it?
A. Not easy: Redirecting…
```
sys-net ---- sys-firewall ------ not-whonix
                  |                  |  QubesRPC
               anon-sys ---------- anon-whonix
```
B. Not easy & more dangerous: have both anon-whonix & not-whonix VM connect to an intermediate proxyVM and use routing / iptables rules to selectively send traffic to destinations
```
sys-net ---- sys-firewall -----|       |----- not-whonix
                  |            |       |
                  |            |       |
               anon-sys -------|       |----- anon-whonix
```
You might get more help from the qubes-users mailing list. Tip: generalize the question: “How to set up networking between 2 VMs using Qubes RPC?”
Prior discussion: Allow Networking between Qubes and Whonix Workstation
Better than any answer I could have come up with.
Actually they have instructions at Firewall | Qubes OS to make two qubes talk to each other, which is rather straightforward, but that is if they use the same net VM.
In my case the second qube uses whonix-sys, which in turn uses the net VM (firewall VM).
Correct. I updated my previous post with diagrams. You can use the Qubes instructions to implement Option B but that is not recommended since the possibility of user error or damage from compromise (edit: on second thought, maybe similar damage) is so high.
Option A requires learning about Qubes’ internals.
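As an added example (not code from this thread, from the Qubes firewall docs verbatim, or from the Whonix project), the script below wraps the two-rule recipe the Qubes documentation gives for the same-NetVM case referred to above: one FORWARD rule in the shared NetVM and one INPUT rule in the destination qube. Option B reduces to that case once both qubes sit behind the same intermediate ProxyVM, which is why the Qubes instructions apply to it. The addresses 10.137.0.10 and 10.137.0.11 are constructed for the example (look up real ones with `qvm-ls --fields NAME,IP` in dom0); the 10.137.x.x range check assumes Qubes' default qube-network addressing, and the script only prints the commands so you can review them before running each in the right qube.

```shell
#!/bin/sh
# Added example: generate the iptables rules that let qube A reach qube B
# when both are attached to the same NetVM (sys-firewall or a ProxyVM).
# Assumption: the default Qubes 10.137.0.0/16 qube address range, and the
# iptables-based firewall of releases that still ship it (Qubes 4.2 moved
# to nftables, where the chain names differ).

# Accept only dotted-quad addresses inside 10.137.0.0/16.
valid_qubes_ip() {
    printf '%s\n' "$1" \
        | grep -Eq '^10\.137\.[0-9]{1,3}\.[0-9]{1,3}$'
}

# Rule for the shared NetVM: forward A -> B. Inserting at position 2
# keeps it behind the chain's first (conntrack) rule, as the docs do.
netvm_rule() {
    printf 'iptables -I FORWARD 2 -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Rule inside destination qube B: its INPUT policy drops by default,
# so explicitly accept traffic from A.
target_rule() {
    printf 'iptables -I INPUT -s %s -j ACCEPT\n' "$1"
}

# Validate both addresses, then print where each rule has to be run.
link_rules() {
    src="$1"; dst="$2"
    valid_qubes_ip "$src" && valid_qubes_ip "$dst" \
        || { echo "address outside 10.137.0.0/16: $src / $dst" >&2; return 1; }
    [ "$src" != "$dst" ] \
        || { echo "source and destination must differ" >&2; return 1; }
    echo "# run in the shared NetVM:"
    netvm_rule "$src" "$dst"
    echo "# run in the destination qube:"
    target_rule "$src"
}

# Usage: sh qubes-link.sh <ip of qube A> <ip of qube B>
# Constructed sample: sh qubes-link.sh 10.137.0.10 10.137.0.11
if [ $# -eq 2 ]; then
    link_rules "$1" "$2"
fi
```

Rules added by hand this way vanish when the qube restarts; the Qubes docs keep them persistent by putting the NetVM rule in `/rw/config/qubes-firewall-user-script` and the destination qube's rule in `/rw/config/rc.local`. Note that the forwarding rule is one-directional by design: only A may initiate connections to B, and B's replies are covered by conntrack.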
It does indeed look like more trouble than it’s worth.
My alternative approach is to switch the pure Debian qube to use “sys-whonix” instead of “sys-net”.
Do you see a security issue with that?