I want know best way to completely isolate a whonix workstation vm from all network connection. My reason is to download a file that may be malicious. I want download file then I want completely block that workstation VM from any access to gateway or access to host or access to anything else. Then when workstation VM is isolated I want to open the file and feel that it cannot escape the VM or do any telemetry. What best way to do this? I use Whonix KVM. thank you
Go into the VM settings and delete/disable all network adapters for the workstation.
can delete/disable be done in file /etc/network/interfaces.d/30_non-qubes-whonix
No, it’s in the VM settings on the host.
I use KVM with qemu. So I need to alter settings in Whonix_external_network-18.104.22.168.9.xml and Whonix_internal_network-22.214.171.124.9.xml files?
No. If you’re using virt-manager, just press the “i” button, click on the network adapter then click “Remove”.
Thank you for help. I think I get it working. I using virsh not virt-manager. I run this command
$ sudo virsh net-list --all
This shows me names of all networks. For example my special use Workstation VM can have a name like Isolate-Internal.
This separate internal network created when I update the default
Whonix_internal_network-126.96.36.199.9.xml and increment the bridge name from
<bridge name='virb2' to
<bridge name='virb3' and can also change
<name>Isolate-Internal</name>. Then run commands of
$ sudo virsh -c qemu:///system net-define Isolate-Internal.xml and
$ sudo virsh -c qemu:///system net-autostart Isolate-Internal and
$ sudo net-start Isolate-Internal. So in this I am doing multiple workstation.
To isolate this VM I use virsh command
$ sudo virsh net-destroy Isolate-Internal and command
$ sudo virsh net-undefine Isolate-Internal this commands make
virb3-nic disappear when I check on my host.
Then I run command
$ sudo virsh domiflist Isolate. This tell my interface, type, source, model, and MAC of interface connected to my Isolate VM. So I run
sudo virsh detach-interface --domain Isolate --type network --mac MACADDRESS --config
Then I reboot VM and when I run
$ whonixcheck it say:
[ERROR] [whonixcheck] check network interfaces Result: network interface eth0 not up!
So I am thinking that my VM is now isolated but is there way to test this besides run whonixcheck?
Or is this correct for safe VM to open potential malicious file and not have file escape?
Moved this thread to KVM forums just now.
You really know how to use the most complicated way to accomplish the easiest things. To remove the NIC without the GUI you’d have edited the settings ad deleted the network hardware.