Hey, I try to tunnel Whonix Gateway through ubuntu vm (vmware/virtualbox) with openvpn connection. So far i set the openvpn adapter 1 to NAT and adapter 2 to a specific internal network same which whonix gateway is connected to (adapter 1).
What changes I have to take now to get the connection to work like in case of whonix gateway - whonix workstation, what changes you took there on the gateway?
Would be great if there’s anyone with advise.
edit: I’ve already tried out Pfsense but didnt worked for me - vpn provider related problem
For stuff related to VPN / Tunneling, do you know Whonix's VPN documentation (https://www.whonix.org/wiki/Features#VPN_.2F_Tunnel_support) already?
Yes, I’d like to (user → VPN → Tor), but instead of run the openvpn client on host or Whonix-Gateway, I was thinking about a extra VM as a Gateway for Whonix-Gateway, so I would be able to chain multiple VPN or could implement a second layer on Tor (user->Tor->VPN) with more security e.g against rootkits and stuff on my Whonix-Workstation.
I need to know now how it is possible to establish a internal network between two VM like you did with Wonix-Gateway and the Workstation, e.g what changes I have to take on my VPN-Gateway and the Whonix-Gateway to tunnel the Whonix traffic through the VPN-Gateway?
Hope you can help and thanks for the answer
So you want to have something like a VPN-Gateway (or same with different term: Whonix-VPN-Gateway).
Good question. Unfortunately, also a big question. It’s like asking “how to make a Tor-only Gateway” or “how to make Whonix”.
Yes, I'd like to (user -> VPN -> Tor), but instead of run the openvpn client on host or Whonix-Gateway, I was thinking about a extra VM as a Gateway for Whonix-Gateway, so I would be able to chain multiple VPN or could implement a second layer on Tor (user->Tor->VPN) with more security e.g against rootkits and stuff on my Whonix-Workstation.
It wouldn' t help against rootkits, at least I am not seeing how at the moment. Nevertheless having pluggable gateways that one can stack in arbitrary orders would be interesting. See also:
https://www.whonix.org/wiki/Advanced_Security_Guide#Chaining_Anonymizing_Gateways
Maybe help / could be to be off the track:
I need to know now how it is possible to establish a internal network between two VM like you did with Wonix-Gateway and the Workstation
My advice for this approach:
1) first, learn how to do without involving Whonix
2) after you figured out, combine this with Whonix
Don't try to start involving Whonix, then it's getting too complex.
Virtual Machines support connections between internal networks. Documentation about virtualizers explains how to set this up. For /etc/network/interfaces examples, have a look at eth1 on Whonix-Gateway as well as Whonix-Workstation eth0. Then you should be able to ping each other. Next step would be make the supposed VPN-Gateway forward traffic for clients. Start with clearnet traffic. If that works, configure the VPN-Gateway to route all traffic through a VPN and use something like VPN-Firewall (GitHub - adrelanos/vpn-firewall: Leak Protection (Fail Safe Mechanism) for (Open)VPN).
Maybe asking on wilderssecurity forum would maybe make mirimir answer and help getting a pfSense based VPN-Gateway up and running in conjunction with Whonix. I’ll also ask mirimir to have a look at this thread.
Although it’s certainly possible to setup Linux VMs as VPN gateways, I recommend using pfSense router/firewall VMs. They’re smaller, and secure setup is much easier. Please see Advanced Privacy and Anonymity Using VMs, VPN’s, Tor – Part 6 for detailed instructions.
Thank you guys, didn’t know that there are already such great tutorials for this.
I’ve tried to setup pfSense Vm once but didn’t worked for me - provider related problem I think, going through your tutorial now mirmir and hope that I’m able to get it to work this time.
Like Patrick said "Chaining Anonymizing Gateways - Experts only! " I’m glad that you guys can help me out and provide great Tutorials for this because I’m not a expert and to be confronted with all that unfiltered stuff gives me headaches.
It wouldn' t help against rootkits, at least I am not seeing how at the moment. Nevertheless having pluggable gateways that one can stack in arbitrary orders would be interesting. See also:
hm, I have little knowledge about that stuff but my idea was that the separation would prevent the vpn from getting circumvented like with tor and Whonix - on the Workstation of course?! I feel it gets embarrassing now for me xD
My advice for this approach:
1) first, learn how to do without involving Whonix
2) after you figured out, combine this with Whonix
Don't try to start involving Whonix, then it's getting too complex.