Hi
Lately I was unable to set up Whonix-External as a network interface for a VM machine in QEMU/KVM; I was unable to sort out the VM machine connection using it. This is not the first time I do it, so I am not sure what I do wrong or different than in the past here, or whether something changed in Whonix itself.
My steps (also always done in the past): I set up the Guest VM network as: Virtual network ‘Whonix-External‘ : NAT in the KVM NIC tab, then after booting the VM I manually set up its network as: IP: 10.152.152.19, Mask: 255.255.192.0, Gateway: 10.152.152.10, DNS: 10.152.152.10, and it does not work anymore; I have no DNS resolver to navigate the internet.
Whonix Workstation has no problems, it works as expected.
What I also noticed is that the Gateway’s clock is 1 hour earlier than the actual time. I never paid too much attention to this in the past as it always worked, so I checked whatever I could to sort this out, like installing a different VM machine and reinstalling Whonix on KVM - no luck.
Please let me know if there are any changes I do not know about or give me any clue what this could be.
Thanks, but that page leads to the whole Whonix documentation. I created that file following the touch command from that page; that did not change anything. For update: after reinstalling Whonix on KVM - I used Gateway GUI as is (in the past I was giving less memory like 512M to Gateway to use it CLI only) and the clock shows the correct time, but running the date command still shows 1 hour earlier.
I still have the same problem on VM machines, so if there is a particular clue you could give - do so, I will not go to read whole Whonix documentation as I do not use it professionally, just amateur.
I see, following it I got a bit confused, I am not an expert, but what I understood is that changing the timezone breaks anonymity - I get it, even though I’ve changed it into the correct one in Whonix Gateway (via GUI clock settings) - it did not solve the other VM machine connection problem anyway.
I did not quite understand the creation of that file /etc/noutc point, and if I need to create it or not and if on Gateway or on Workstation or on both for my case.
My problem might not be in the time zones at all - this what I needed to know if it is or not, if using Whonix Gateway network still can be the option for other VMs as a gateway to internet or NOT anymore, so for me to move on.
I apologize if I did not understand it well, so if I messed up just ignore me.
In Whonix terminology, we call the kind of setup you’re making a Whonix-Custom-Workstation. Some documentation on these can be found at:
What you’re doing sounds quite similar to what the documentation describes, but you might want to double-check it to ensure your configuration is correct.
It would be useful to know if all networking is broken, or just DNS. From the custom workstation VM, are you able to ping any IP addresses (i.e. ping 1.1.1.1 or ping 8.8.8.8)? If yes, then the network is technically working and DNS is broken. If not, the network itself is most likely broken.
Right, sorry I didn’t mention about what was broken, it’s not (just) DNS, I can’t ping to IPs like 1.1.1.1 or 9.9.9.9
Thanks for the manual page, I had a look at it and edited /etc/sysctl.conf as the page says adding net.ipv4.conf.*.arp_ignore=1 at the end and rebooted. (page says sudoedit /etc/sysctl.d/99_user.conf, but that file is a link pointing to the file I mentioned above).
VM I am trying to use Gateway via Whonix is Debian based distro, these are the files content of that VM related to network config:
“/etc/resolv.conf”:
```
# Generated by NetworkManager
nameserver 10.152.152.10
```
“/etc/network/interfaces.d”:
```
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
```
The folder this last file is pointing /etc/network/interfaces.d/ is empty.
I compared this to Whonix Workstation as this one has connection w/o problems and there is one file present in Whonix Workstation: /etc/network/interfaces.d/30 non-qubes-whonix.
I created that file in my VM in case with network important line ignoring commented blocks:
I unintentionally gave you incorrect info, ping is actually intentionally disabled in Whonix-Gateway according to:
Sorry about that. A better test would be to curl 1.1.1.1 > testfile and see if it outputs some HTML into testfile. (1.1.1.1 is Cloudflare’s DNS IP, but also has a web server running on it.)
You cannot use NetworkManager and ifupdown at the same time very easily and I don’t think removing manual configuration in NetworkManager is enough (you’d probably need to make the interface an “unmanaged” interface to make that work). What I’d try is configure your static IP address, netmask, gateway, and DNS using NetworkManager itself. Set the IPv4 configuration to Manual, set the address as 10.152.152.19/18, set the gateway to 10.152.152.10, and add a single DNS server of 10.152.152.10. You probably want to set IPv6 to Disabled for good measure, since Whonix 17 doesn’t support IPv6.
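The NetworkManager-only configuration suggested in the reply above, as an added example that is not part of the original posts: it checks that the gateway is on-link for the chosen address, lists any leftover ifupdown stanzas, and prints the matching nmcli command. The interface name `enp1s0` and the connection name `whonix-static` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are the ones quoted in the posts;
# the interface name (enp1s0) and connection name (whonix-static) are assumptions.
ADDR=10.152.152.19 PREFIX=18 GATEWAY=10.152.152.10 DNS=10.152.152.10

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 and gateway $2 fall in the same /$3 network.
same_network() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Names of non-loopback interfaces that ifupdown is configured to handle in the
# given files; mixing those with NetworkManager on one NIC is what the reply warns about.
ifupdown_ifaces() {
    awk '$1 == "iface" && $2 != "lo" { print $2 }' "$@" 2>/dev/null | sort -u
}

# Print (do not run) the nmcli command that applies the static profile.
nm_command() {
    printf 'nmcli connection add type ethernet ifname %s con-name whonix-static' "$1"
    printf ' ipv4.method manual ipv4.addresses %s/%s' "$ADDR" "$PREFIX"
    printf ' ipv4.gateway %s ipv4.dns %s ipv6.method disabled\n' "$GATEWAY" "$DNS"
}

# Report for this VM: subnet sanity, leftover ifupdown stanzas, then the command.
report() {
    same_network "$ADDR" "$GATEWAY" "$PREFIX" ||
        echo "WARNING: $GATEWAY is not on-link for $ADDR/$PREFIX"
    stale=$(ifupdown_ifaces /etc/network/interfaces /etc/network/interfaces.d/*)
    [ -z "$stale" ] || echo "WARNING: ifupdown also configures: $stale"
    nm_command "${1:-enp1s0}"
}

report "$@"
```

Run it inside the custom workstation VM with the real interface name as the first argument; it only prints the command so it can be reviewed before being applied.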
ping 10.152.152.10 doesn’t work, ping is disabled, host and dig also do not give any results, even curl 10.152.152.10 > file has no output in the file. How else do I check if the gateway IP 10.152.152.10 is reachable if ping is not working? I need to start troubleshooting local connections before getting to the internet, right?
Also I created `unnamed` Ethernet interface w/ configs above, removed the default one to clear it up - the same problem.
I installed nping, ran the command nping 9.9.9.9 on Whonix-Gateway terminal, result:
```
Starting Nping 0.7.93 ( Nping — Network packet generation tool & ping utility ) at 2025-10-20 xx:xx UTC
SENT (0.0015s) Starting TCP Handshake > 9.9.9.9:80
RCVD (0.0016s) Possible TCP RST received from 9.9.9.9:80 → Connection refused
SENT (1.0030s) Starting TCP Handshake > 9.9.9.9:80
RCVD (1.0032s) Possible TCP RST received from 9.9.9.9:80 → Connection refused
SENT (2.0058s) Starting TCP Handshake > 9.9.9.9:80
RCVD (2.0058s) Possible TCP RST received from 9.9.9.9:80 → Connection refused
SENT (3.0083s) Starting TCP Handshake > 9.9.9.9:80
RCVD (3.0083s) Possible TCP RST received from 9.9.9.9:80 → Connection refused
SENT (4.0109s) Starting TCP Handshake > 9.9.9.9:80
RCVD (4.0109s) Possible TCP RST received from 9.9.9.9:80 → Connection refused
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
TCP connection attempts: 5 | Successful connections: 0 | Failed: 5 (100.00%)
Nping done: 1 IP address pinged in 4.01 seconds
```
It fails.
I followed the Troubleshooting page you sent me, but did not get any changes.
I followed the RELATED state fix (regarding iptables) to set GATEWAY_ALLOW_INCOMING_RELATED_STATE=1 in /etc/whonix_firewall.d/50_user.conf (the page indicates this file’s location at `/usr/local/etc/whonix_firewall.d/50_user.conf`, but it’s not there under Whonix-Gateway GUI on KVM).
I created new VM Debian 13, installed it and did the same as on other VMs to test - no difference, the same connection problems.
I tried to nping to Debian VM from Gateway - the same failure
As I mentioned I already reinstalled Whonix on KVM already. I have no idea what to do more, I guess I need to reinstall whole QEMU/KVM but I doubt it will change things.
I cleared out /etc/whonix_firewall.d/50_user.conf file as was, created /usr/local/etc/whonix_firewall.d/50_user.conf file w/ GATEWAY_ALLOW_INCOMING_RELATED_STATE=1 (I had to create the folder whonix_firewall.d first as it was not present in /usr/local/etc/), reloaded firewall and even rebooted the Gateway - no results.
It works perfectly no issues, by the way I adored the idea creating `sysmaint` and live, disposable sessions for Workstation, like I have QubesOS abilities to create live, temporary session. Like this split, it can prevent more of users making mistakes to upgrade the system in the right way and use the persistent session safety.
I decided to create the same setup on the other PC to replicate and test:
Installed Debian 13 Gnome on that machine
Installed QEMU/KVM on that machine (GUI - Virtual Machine Manager v5.0.0) - following Debian manual and after this page: Whonix for KVM to followup
Imported Whonix-Gateway(Workstation)-Xfce-17.4.4.6.Intel_AMD64.qcow2 following this page: Whonix for KVM - copy/pasting those commands finishing with: safe-rm Whonix* and safe-rm -r WHONIX*
Done all configuration as I usually do before start using Whonix system: launch Gateway, setup user as user, define password, disable autologin, update/upgrade and reboot, test system with whonixcheck
Do the same on Workstation, set passwords on both sysmaint and user, disable autologin, update/upgrade system, reboot and test.
Created new VM and installed Debian 13 Gnome from net installer (I know it’s bad practice to make VM hit clear net before use on Whonix, but this is test only setup.).
The problem persists, I do not have connection on that Debian 13 VM.
Note: Difference between this machine and LMDE 6 where I started having problems is in Virtual Machine Manager version as on LMDE 6 the version is 4.1.0 and on this machine (Debian 13) is 5.0.0
Note: I did not mention that I use network wide VPN (Wireguard on router), can this be the issue?, if not - Someone needs to test this setup to find out if this is Whonix problem or not, I am wondering that no one posted about this, it can be my local problem, not sure…
All of these distros are Debian based and they use `NetworkManager` (as far as I know). More to the point, I used these setups in the past w/o any problems, and not just on KVM but on VirtualBox too.
I do not want to test it on VBox, as I moved to KVM quite a while now and do not want to go back.
I tried to use ifdown, I followed AI advice explaining that I want to use it instead of NetworkManager, I set all up, even disabled NetworkManager and set all config in /etc/network/interfaces with address, mask, DNS, nameservers - no luck. I even compared Whonix-Workstation network settings files, it handles it a bit differently, but this must not be the issue.
I think an easier way to solve this will be if you could set this up at your place and test it, see what you have. If NetworkManager is untested and undocumented - it will be good to mention it, for example on the download page or some visible place for users to know w/ what to deal. As I said I never had problems in the past w/ this, with NetworkManager or whatever it was, I never needed to do anything, only set all in GUI network settings and done. I used several versions of Whonix on VMs.
Please consider testing this and document (or comment at least) for users to know how to set this environment. Thanks
I Installed VirtualBox (v7.2.4) on LMDE 6, installed/imported Whonix system and tested 2 distros on Whonix network: Debian 13 & Kali - all works well on VirtualBox.
The problem is on QEMU/KVM, tested on two versions, 4.1.0 & 5.0.0, of Virtual Machine Manager - GUI.
Please advise or let me know if this is a general problem, which was not tested and/or documented or there is local problem only on my side.