Physical Isolation is back! Qubes-Whonix style

      |                                           |            
WAN --|-- NetVM-Ext --- Whonix-GW --- NetVM-Int --|-- ClientBox
      |                                           |            

Really excited to see this work. Very preliminary tests so far. Will do a full writeup in time.

For now, the broad steps:

  1. Get 2nd network adapter working in Qubes
  2. No changes to Whonix-GW are necessary.
  3. NetVM-Int: setup static network, forward DNS to GW, add appropriate FORWARD rule
  4. ClientBox: depends

Test #1: ClientBox = plain Debian on bare-metal

  • setup static network, DNS
  • working!

Test #2: ClientBox = Whonix-WS in VirtualBox on Debian host

  • follow steps from Test #1
  • set Whonix-WS to NAT (! please don’t do this unless you know what you are doing !)
  • set eth0 to DHCP
  • set DNS to NetVM-Int IP
  • working! (stream isolation too. SocksPorts are working)

Test #3: ClientBox = Whonix-WS in QubesOS

  • given #2 is working, not expecting many issues here
  • will pause here; need to complete other Whonix tasks; and would be nice to have some new hardware too :slight_smile:


! Warning !: Only use ONE client per NetVM-Int. IsolateClientAddr has no effect because of MASQUERADE IPs. Whonix-GW sees all traffic as coming from NetVM-Int, and can’t see multiple clients.

Multiple Whonix workstations that can communicate with each other.