Route all traffic from Whonix Gateway through another host on my LAN?

Hi,

I’ve got both Whonix hosts set up on my host Windows workstation (would use a dedicated machine if I could afford it) and I’ve also got a secondary router on my LAN which has a “more anonymous” way to access the Internet than my private ISP connection. I would like all traffic from Whonix Gateway to be routed through that router, rather than through my residential ISP connection.

This is how the relevant parts of my L3 topology look today:

[pre]
(6.6.6.1) Internet
    |
(6.6.6.10) Residential gateway (NAT) (10.100.10.1/24)
    |
    |-- (10.100.10.10/24) Windows workstation (10.0.2.2) - (10.0.2.15/24) Whonix Gateway (10.152.152.10/18) - (10.152.152.11/18) Whonix Workstation
    |
    |-- (10.100.10.100/24) Secondary router, NAT inside on 10.100.10.100, NAT outside on a public IP (5.5.5.10/x) - (5.5.5.1) Internet
[/pre]

I’ve got the secondary router able to route traffic to and from the Internet, back to my internal network. So if I ping a public address from my Windows workstation it will pass through my RGW to the internet and then back again. If I set its default gateway to 10.100.10.100, it will work just fine too, but the traffic will pass through my secondary router and never touch my RGW.

So I want the Whonix Gateway to use 10.100.10.100 as its default gateway, instead of 10.100.10.1 which the Windows workstation uses. Since the Windows workstation (which I host Whonix on) uses NAT to translate the Whonix traffic to the LAN, I can’t just change the default gateway on the Whonix gateway. I suppose I could use a VirtualBox bridge instead of a NAT interface, but what security implications would that have? Also, I could probably set up source routing on the Windows workstation, but I doubt that’s possible. How would you solve this? The best solution would be adding another box with two network interfaces which hosts Whonix gateway, with one interface in my LAN and its default gateway out its public-facing interface, but that’s not possible until I can buy another box in the future.

Also, what would I have to do on the Whonix Gateway iptables to get this to work? I would be grateful for any help!

I ended up solving this by using a bridged interface on my Whonix Gateway VM instead of a NAT interface, and changing the default route of the Gateway to my secondary router. Except for isolating the gateway traffic behind my host (and making the gateway see my entire LAN) I don’t think it’s enough of a security risk this far. Really, it puts my VM in the same position as it would be if I were running the Gateway on its own physical host.