[RESOLVED] Workstation -> Workstation communication


I have the following setup:

  • Whonix Gateway (
  • Whonix Workstation 1 listening to a port in the local network (
  • Whonix Workstation 2 (

They all run in the same internal network. Whonix Workstation 2 needs to access a service on port X at

I have opened an external port on Whonix Workstation 1 and confirmed that the rule was added to iptables. However, the service seems inaccessible from Whonix Workstation 2.

I have confirmed that Whonix Workstation 2 is actually in the same network as Whonix Workstation 1.

I think this is due to the fact that workstation outbound communication is limited to gateway by default. I have seen the wiki page about opening internal ports but there’s a big warning saying unsupported.

How do I fix this in a good manner? I’d rather not bypass the Whonix firewall but I am not sure if there’s another option if opening internal ports is unsupported.

Thank you in advance.

Internal port? Warning? Would really help to declare where you’ve read that.

For ws to ws communications you’ll need open internal ports. You’ll need to open a ws port.

Here’s how:

Also stream isolation might get into the way depending on which application is used.


In short: in case of curl, wget don’t use





I can’t post links yet but

In the link you posted, the Open an Outgoing Port it says:

“This is Unsupported Always follow Firewall Refactoring steps before and after making configuration changes to check if the firewall rules actually changed.”

Kicksecure ™ Forums Usage Instructions, Best Practices and FAQ chapter Posting Links for New Users in Kicksecure wiki


Appreciate your help. It looks like internal open ports are being used in that one loop only to reject traffic going to localhost?

One thing I found interesting is if TUNNEL_FIREWALL_ENABLE is set to True, then there is TUNNEL_FIREWALL_ALLOW_LOCAL_NET option which looks like it would allow local connections.

I only need a single port open, not access the whole local network.

Documentation seems wrong.

INTERNAL_OPEN_PORTS doesn’t seem relevant.

You will only need EXTERNAL_OPEN_PORTS in workstation firewall settings.

1 Like

I have EXTERNAL_OPEN_PORTS set in Workstation 1 which provides the service. However, Workstation 2 can only see open ports of the Gateway.

Surely I do not need to set EXTERNAL_OPEN_PORTS in Workstation 2 too if it’s only for incoming connections?

The issue has been resolved.

Setting EXTERNAL_OPEN_PORTS in Workstation 1 that provides the service was enough. No configuration was needed on Workstation 2.

The issue was that the service that I had set to start when Workstation 1 starts cannot bind on port X when it’s starting for some reason. It binds just fine if I manually start the service a while after startup.

Documented just now:

Could you check please if it is complete?

Any documentation improvements required?

1 Like

Awesome. In my case no further configuration was reguired regarding to stream isolation but may be an issue for others, indeed.

I might add a note regarding the fact that the workstations need to be in the same internal network and the implications that come with that. As well as the fact that both Workstations need their own IP that is set up in the network settings of the Workstations.

A link here might suffice:

I have a small question regarding the security of this setup. I understand that a Workstation in the same internal network could act as the gateway or another Workstation which may pose some risk. I thought that the risk of running the server as well as client in the same Workstation would be a bigger risk. Considering the fact that the client handles sensitive information which, even if the server was compromised, should not be at risk even if they are in the same internal network.

1 Like

Done. Added.

1 Like

I have the same problem but between 2 Whonix-Custom-Workstation VMs. The Whonix-Workstation firewall then is not an issue. You can find more info in my last post (Connections between two different Whonix-Workstations).