Prevent clearnet leaks on custom workstation

I am using multiple workstation VMs with different Linux OSs. Is there a way, from the workstation side, to make sure there will be no clearnet or VM1-VM2 leaks in case the gateway has been compromised or misconfigured? If the traffic is not going through the Tor network => drop the connection. Is whonix-firewall on the workstation doing that?

Whonix-Gateway forces all traffic through the Tor network or blocks it. Whonix-Workstation does not. Whonix-Workstation does not block clearnet leaks if Whonix-Gateway is compromised or misconfigured. It's important that you don't change any settings in Whonix-Gateway unless you know what you are doing.

Keep in mind if Whonix-Gateway is compromised the Whonix security model is broken.

If this is a concern, you could further compartmentalize by using Multiple Whonix-Gateways.

Whonix is divided into two VMs: Whonix-Workstation for work activities and Whonix-Gateway to enforce all Internet traffic routing via the Tor network. [3] This security by isolation configuration averts many threats posed by malware, misbehaving applications, and user error.

Yes, compromised GW = game over. See also (if this is a realistic targeted threat, how boned you are)


I understand that, but I am curious if an extra layer of foolproof protection can be added to the custom workstation, since I cannot install whonix-check and whonix-firewall on it.

No such thing as foolproof protection. If you are using a Debian/Linux Workstation most (all?) of the Security/hardening can be applied. You would have to do a little research. The Free Support Principle applies.

