Not sure if this is a Qubes issue, a Whonix issue, or an issue with my networking ignorance…
Setup is Whonix 12 on Qubes as follows:
Whonix-Gateway1 (10.137.1.A)
is netVM for
Whonix-Workstation1 (10.137.2.P)
Whonix-Gateway2 (10.137.1.B)
is netVM for
Whonix-Workstation2 (10.137.3.Q)
Both Gateways have VPN_FIREWALL enabled.
LOCAL_NETs are 127.0.0.0/24 and 10.137.2.0/24 (or 10.137.3.0/24 respectively).
TB running on WS2 with default proxy settings (127.0.0.1:9050) works as expected.
Same TB (on WS2) connected to GW1 (10.137.2.1:9050) also works! This was surprising to me. Is this the intended design?
- GW1 and GW2 are on the same subnet (10.137.1.x), so they should be visible to each other, except for this: "any VM-to-VM traffic, among the VMs connected to the same Net/Proxy VM is blocked by default." (from http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html)
- WS2 is not communicating directly with GW1, because if GW2 has VPN disabled or Tor stopped, then TB does not connect. Not sure why VPN or Tor would need to be online for GW2 to send traffic to GW1? All very confusing…
- This is not TB-specific. Also tested with a random app on WS2 routing over proxychains to GW1.
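A way to pin down where the "10.137.2.1:9050" connection from WS2 actually terminates is to open a bare SOCKS5 handshake to each endpoint yourself while watching the gateways. The script below is an added illustration, not code from the post, Whonix or Qubes: it is a minimal SOCKS5 CONNECT client (no authentication, domain-name address type, as Tor's SocksPort accepts) with the message builder and reply parser kept as plain functions. The proxy addresses, the target host (check.torproject.org:80) and the 30-second timeout are assumptions you should adapt.

```python
"""Minimal SOCKS5 probe: which Tor instance answers at a given SOCKS endpoint?

Added example, not from the forum post. Assumes the SocksPort speaks plain
SOCKS5 without authentication and that the (assumed) target host exists.
"""
import socket
import struct
import sys

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    # VER, NMETHODS, METHODS: offer only "no authentication required".
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host, port):
    # VER, CMD=CONNECT, RSV, ATYP=domain, name length, name, port (network order).
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return head + name + struct.pack("!H", port)


def parse_method_select(data):
    # Server picks one of the offered methods; anything but NO_AUTH is a refusal.
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method-selection reply: %r" % (data,))
    if data[1] != NO_AUTH:
        raise ValueError("proxy refused no-auth (method 0x%02x)" % data[1])
    return True


def parse_connect_reply(data):
    """Return (reply_code, bound_address, bound_port) from a SOCKS5 reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep, addr, port


def probe(proxy_host, proxy_port, target_host="check.torproject.org",
          target_port=80, timeout=30):
    """Run a SOCKS5 CONNECT through proxy_host:proxy_port; return the reply code."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        parse_method_select(s.recv(2))
        s.sendall(build_connect(target_host, target_port))
        # Longest possible reply: 4 header bytes + 1 + 255 name bytes + 2 port bytes.
        rep, _addr, _port = parse_connect_reply(s.recv(262))
        return rep


if __name__ == "__main__":
    # Usage (assumed addresses): python3 socksprobe.py 127.0.0.1 9050
    #                            python3 socksprobe.py 10.137.2.1 9050
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9050
    code = probe(host, port)
    print("%s:%d -> %s" % (host, port, REPLY_TEXT.get(code, "unknown 0x%02x" % code)))
```

Run it from WS2 once against 127.0.0.1:9050 and once against 10.137.2.1:9050, and at the same time watch `sudo ss -tn 'sport = :9050'` on both gateways: the gateway that shows the new TCP session with WS2's address as the peer is the one whose Tor actually served the handshake. If it is GW2 rather than GW1, compare the packet counters of `sudo iptables -t nat -L PREROUTING -v -n` on GW2 before and after the probe; an iptables REDIRECT target rewrites the destination to the primary address of the interface the packet arrived on, so a matching rule there would explain both why the "GW1" address works and why it stops working as soon as GW2's Tor (or VPN) is down.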