Use NAT Network instead of NAT + Internal network

From what I gather, default behavior is to have gateway with NAT adapter and Internal network adapter, workstation with just internal network adapter. We now have a fairly new feature in VB called NAT Network. This makes using 2 ifaces on the gateway redundant. In the meantime, how can I successfully set it up this way for myself? I have both VMs set to NAT Network but now workstation can’t connect out.

Maybe if I just mirror the previous IP addresses. Will try again.

Hello, welcome to Whonix forums and thank you for your question!

For reference:

I don’t see the point for that. Two network interfaces is a feature. Not a bug. No clearnet leak bugs reported ever at this time.

As a general guide on how to make the case, see also:

For learning / experimenting OK but needless to say that in a production setup this could be a good way to introduce clearnet leaks.

I doubt there can be an easy answer in 15 minutes as this would require extensive Whonix firewall changes.

See also:

What I’m wanting to do is administer multiple workstations from the host via SSH. The documentation suggests that to do this, I should hop from the gateway to the workstations. This seems bad to me because you’re opening ports on the one VM that actually is connected to the outside Internet (Though admittedly through Tor but still).

Maximum protection should be on the gateway. I see why it could be bad to use NAT Network on the workstation though.

  • Whonix-Gateway can connect to that open port.
  • Host cannot connect to that open port.
  • Open internet cannot connect to that open port.
  • When using multiple workstations behind the same Whonix-Gateway this is an
    issue too.

I came up with workarounds to accomplish it. Basically, port forwarding/hopping through the vbox NAT, to the gate, to each WS, opening local host ports.

For instance, if I map the gateway port 22 to vbox NAT port 2222 then I can:

ssh -L 2121:workstation1:21 user@ -p 2222

where workstation1 is the hostname (Specified in /etc/hosts on gateway) on the virtual network of the machine I want to be able to connect to on port 21 via local port 2121.
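
The forwarding described in the post above, written as a host-side `~/.ssh/config` entry and extended to a second workstation; this is an added example, not part of the original post or of the Whonix documentation. It assumes the VirtualBox NAT rule exposes the gateway's port 22 on the host at 127.0.0.1:2222 (the thread does not give the address), and `workstation2`, the `whonix-gw` alias and local port 2122 are hypothetical names.

```sshconfig
# Added example (constructed): ~/.ssh/config on the host.
# Assumption: VirtualBox NAT forwards host 127.0.0.1:2222 -> gateway port 22.
# Assumption: the gateway resolves workstation1/workstation2 via its /etc/hosts.

Host whonix-gw
    HostName 127.0.0.1
    Port 2222
    User user

    # Store the host key under its own name; 127.0.0.1:2222 is a shared,
    # reusable address and should not vouch for any other forwarded VM.
    HostKeyAlias whonix-gw
    StrictHostKeyChecking yes

    # One local port per workstation. The explicit 127.0.0.1 bind keeps the
    # forwarded ports reachable from the host only, not from the host's LAN.
    LocalForward 127.0.0.1:2121 workstation1:21
    LocalForward 127.0.0.1:2122 workstation2:21

    # Abort instead of silently continuing if a local port is already taken.
    ExitOnForwardFailure yes
```

With `StrictHostKeyChecking yes`, the gateway's host key must already be recorded in `known_hosts` under the alias before the first connection succeeds.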

SSH into Whonix-Workstation is documented here: