Using Whonix gateway to route a LAN connection not through TOR

trigo_once · September 8, 2022, 8:32pm

Hey,

I set up a Whonix gateway VM, which I want to use to let other VMs (non-Whonix) to communicate over TOR through it. In addition to that, I need my other VMs to be able to access 2 IPs on my LAN not through TOR. I wanted to do that through the Whonix Gateway also. I added the two IPs in 50_user.conf under whonix_firewall.d into the variable NON_TOR_GATEWAY. I additionally added them in the iptables both in OUT and FORWARD:

sudo iptables -I OUTPUT 1 -d <MY_IP> -j ACCPET sudo iptables -I FORWARD 1 -d <MY_IP> -j ACCPET
Still, I was not able to contact those IPs, neither from the gateway itself nor from the other VMs going through the gateway.

Is there another setting that needs to be changed?

Thanks in advance

Patrick · September 8, 2022, 10:45pm

Whonix-Workstation to local LAN?

No. There’s no easy bypass. Why? See:

https://www.whonix.org/wiki/Dev/Technical_Introduction#multiple_security_layers

Won’t work. That’s for connections from Whonix-Gateway. Not for connections from Whonix-Workstation.

trigo_once · September 9, 2022, 12:07pm

Can theoretically enabling IPv4 forwarding solve that?

Patrick · September 9, 2022, 12:23pm

A safer idea in my next forum post (not this one).

Probably. It would be insecure. Much higher risk of IP leaks. IP forwarding is what Whonix avoided. And you’d probably still need to hack Whonix firewall.

Patrick · September 9, 2022, 12:26pm

How this could be implemented in the safest way:

Add an additional internal-only network interface to Whonix-Workstation
Connect it to a separate VM which will act as a firewall.
That VM could have IP forwarding and firewall enabled that only permits connections to a few limited IP addresses.

Unsupported.

trigo_once · September 9, 2022, 2:58pm

OK, Thank you very much.