Networking whonix-WS to normal qube

I need a service running in whonix-ws to connect to another local VM that is using sys-firewall as NetVM

There are networking instructions in the docs when both qubes use the same NetVM, but with whonix that is not the case
whonix-ws uses sys-whonix, which in turn uses sys-firewall

so we have double forwarding here

I'm an iptables noob, how do I do it?

A. Not easy: Redirecting…

  sys-net ---- sys-firewall ------ not-whonix
                  |                    ^
                  |                    | QubesRPC
                  |                    v
               anon-sys ---------- anon-whonix

B. Not easy & more dangerous: have both anon-whonix & not-whonix VM connect to an intermediate proxyVM and use routing / iptables rules to selectively send traffic to destinations

   sys-net ---- sys-firewall -----|      |----- not-whonix
                    |             |      |
                    |             routerVM
                    |             |      |
                anon-sys  --------|      |----- anon-whonix

You might get more help from qubes-users mailing list. Tip: Generalize the question: “How to set up networking between 2 VMs using Qubes RPC?”

Prior discussion: Allow Networking between Qubes and Whonix Workstation


Better than any answer I could have come up with. :slight_smile:

Actually they have instructions at Firewall | Qubes OS to make two qubes talk to each other, which is rather straightforward, but that is if they use the same net VM.

In my case the second qube uses sys-whonix, which in turn uses the net VM (firewall VM)

Correct. I updated my previous post with diagrams. You can use the Qubes instructions to implement Option B but that is not recommended since the possibility of user error or damage from compromise (edit: on second thought, maybe similar damage) is so high.

Option A requires learning about Qubes’ internals.
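As an added illustration of what Option B's "routing / iptables rules" would look like (not from the thread or the Qubes docs verbatim): the two allow rules needed once routerVM is the NetVM of both qubes, narrowed to a single source, destination and service port so the hole in the firewall is as small as possible. It assumes Qubes 4.1-style iptables chains (4.2 uses nft instead) and placeholder IPs; read the real ones with `ip a` inside each qube.

```shell
#!/bin/sh
# Added example for Option B. Assumptions: Qubes 4.1-style iptables chains,
# placeholder addresses (10.137.0.10 = anon-whonix, 10.137.0.11 = not-whonix)
# and placeholder service port 8080. The rules are printed, not applied.
set -eu

is_ipv4() {
  # Accept only a full dotted quad so a typo cannot widen the rule
  # (e.g. "-s 10.137" would match far more than one qube).
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Rule for routerVM (the shared NetVM): forward only src -> dst on the
# service port. Position 2 keeps it below the existing ESTABLISHED,RELATED
# accept rule, so reply packets need no second rule.
router_rule() {
  is_ipv4 "$1" && is_ipv4 "$2" || return 1
  printf 'iptables -I FORWARD 2 -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
    "$1" "$2" "$3"
}

# Rule for the destination qube (not-whonix): its INPUT chain drops
# unsolicited traffic by default, so accept only this peer on this port.
dest_rule() {
  is_ipv4 "$1" || return 1
  printf 'iptables -I INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$1" "$2"
}

main() {
  src=10.137.0.10   # placeholder: anon-whonix
  dst=10.137.0.11   # placeholder: not-whonix
  port=8080         # placeholder: the service's TCP port
  echo "# run as root in routerVM:"
  router_rule "$src" "$dst" "$port"
  echo "# run as root in not-whonix:"
  dest_rule "$src" "$port"
}

main "$@"
```

Rules added this way do not survive a qube restart; to persist them they belong in /rw/config/qubes-firewall-user-script (in routerVM) and /rw/config/rc.local (in not-whonix).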

Thank you!
It does indeed look like more trouble than it’s worth.

My alternative approach is to switch the pure debian qube to use “sys-whonix” instead of “sys-net”

Do you see a security issue with that?

Not necessarily, but

Using a default workstation is easier and provides more Security out of the box! It is your responsibility to get the same security features for a Whonix-Custom-Workstation,