SSH to physically isolated Gateway

Please consider the following setup:

  • Whonix Gateway on bare metal (physically isolated)
  • Debian host + Virtualbox + Workstation VM
  • Gateway + Workstation host LAN cable-connected

Do you see any security implications in connecting via SSH to the Gateway from either the Workstation host or the Workstation VM to manage it? How does SSH-connecting from Workstation host VS Workstation VM compare here from a security perspective? I guess it would be clever :wink: to limit the SSH server to LAN.

Any thoughts on this? Looking forward to run the Gateway headless, most likely with WOL + GNU Screen.


SSH from Workstation VM to Gateway is least secure. Workstation shouldn’t have any control over the Gateway.

SSH from Workstation Host to Gateway is not as insecure as above. Still discouraged to weaken the isolation.

Most secure option is to connect to the Gateway using a non-Whonix computer or using the Gateway itself. Perhaps using a KVM switch.