One Gateway/Multiple Workstations on separate isolated Inets

It's an option that might be useful to people who want strong isolation in a multi-ws environment by assigning each to its own internal isolated network while using the same single gateway vm because of RAM constraints.

Test result: all vms except the original (eth1 vm) don’t get internet access.

Questions:

  • Is this even something worth supporting at all? It's much easier to just tell people to run a gateway for each extra ws they want to isolate.

  • How difficult is it to do this so that all firewall rules for eth1 are auto-duplicated for any n number of internal network interfaces that the gateway auto-detects has been added to it - while maintaining complete separation between workstations on different internal networks?

Related, not-perfect step-through documentation:

Is this even something worth supporting at all?
Define worth. Providing better instructions that help a few advanced users? Always has value to me. Patches certainly welcome.

I’d like to make Multiple Whonix-Workstation easier in a sane way. Maybe some kind of auto configuration. Or wizard. Eventually using (alternative to) dhcp + whonixadvsetup to not use it - needs a lot of work - low priority compared to stuff in my mind. Until I get to even think that through more and discuss it, could be a long time. And at that point it might not matter anymore. [Either because virtualizers support this use case better such as Qubes or because Qubes hosts are more widespread by then and Qubes magically isolates them better anyhow.] In the meantime, help welcome (really difficult).

It's much easier to just tell people to run a gateway for each extra ws they want to isolate.
But then you're back to the RAM issue.

Perhaps that’s “medium difficulty”.

Easiest for multiple Whonix-Workstations:

How difficult is it to do this so that all firewall rules for eth1 are auto-duplicated for any n number of internal network interfaces that the gateway auto-detects has been added to it - while maintaining complete separation between workstations on different internal networks?
Define difficult. Oh no. :) Perhaps not. :) Let's perhaps use this reference for comparison? https://www.whonix.org/wiki/FAQ#How_difficult_is_it_to_develop_Whonix.3F

From a quick approximation, it’ll probably take several hours assuming the devil is not in the details, which I find more likely here.
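One way to approach the rule-duplication question quoted above, as an added example that is not code from Whonix or from anyone in this thread: a small POSIX shell generator that emits the same rule template for every internal interface and explicitly drops traffic between any two of them. The eth* detection heuristic, the rule template and the port numbers (Tor TransPort 9040, DNSPort 5300) are assumptions, not taken from the Whonix firewall script.

```shell
#!/bin/sh
# Added illustration, not Whonix code: mirror one per-interface rule template
# onto every internal interface and pin down isolation between them.
# Ports are assumed Tor defaults (TransPort 9040, DNSPort 5300).
# Output is a list of iptables commands as text; review before running.

TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5300}"

# Internal interfaces = every ethN other than the external one (assumption:
# each extra isolated network is attached to the gateway as one more ethN).
detect_int_ifs() {
  ext="$1"
  for d in /sys/class/net/eth*; do
    [ -e "$d" ] || continue
    i="${d##*/}"
    [ "$i" = "$ext" ] || printf '%s\n' "$i"
  done
}

# The template that today exists only for eth1, parameterised on the
# interface: workstation TCP goes to TransPort, DNS to DNSPort, nothing else in.
per_if_rules() {
  i="$1"
  echo "iptables -t nat -A PREROUTING -i $i -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
  echo "iptables -t nat -A PREROUTING -i $i -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
  echo "iptables -A INPUT -i $i -p udp --dport $DNS_PORT -j ACCEPT"
  echo "iptables -A INPUT -i $i -p tcp --dport $TRANS_PORT -j ACCEPT"
}

# gen_rules IF... : the same rules for each internal interface, a FORWARD
# policy of DROP, and an explicit drop for every internal-to-internal pair so
# a workstation can never reach another one through the gateway even if some
# later rule accidentally opens FORWARD. The explicit drops also give per-pair
# packet counters (iptables -L FORWARD -v) for spotting cross-talk attempts.
gen_rules() {
  echo "iptables -P FORWARD DROP"
  for i in "$@"; do
    per_if_rules "$i"
  done
  for i in "$@"; do
    for j in "$@"; do
      [ "$i" = "$j" ] || echo "iptables -A FORWARD -i $i -o $j -j DROP"
    done
  done
}

# Typical use on the gateway (external interface eth0): print, then inspect.
# gen_rules $(detect_int_ifs eth0)
```

The generated commands are meant to be read before they are applied; the script deliberately prints rather than executes them.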

Automating this is not my goal, I was really trying to find out if it's possible without major firewall rule changes or similar big changes. Although if you wanted to automate it one day it is much safer to avoid dhcp (or server based solutions) running on the gw. dhcp uses shell environment variables by design and so was affected by shellshock.

I didn’t know you had it documented, I gave it a try but it doesn’t work: Multiple Whonix-Workstation ™

It works. Using it every day.

I see. Could be something different how KVM handles networking. One more thing I noticed was gw reports Whonix2 as “not connected” rather than un-managed like the other 2 interfaces already there. Does this give any sign of what’s wrong?

I think we should make a separate topic for that.

Looks like the KVM thread now is this one: