Whonix Gateway Networking - How does it work?

I would like to better understand how the Whonix Gateway manages the networking. I could not find answers in the Wiki documentation or elsewhere.

So far, this is my understanding of the Gateway’s network organisation (please correct me if I am wrong):

The Gateway has two virtual network interfaces: eth0 and eth1.

  • eth0 “gets” the internet from the host machine via the default virtualbox virtual NAT adapter, therefore sudo ifconfig returns 10.0.2.15 as its IP address (default VirtualBox NAT settings)

  • eth1 is another virtualized interface running on the Gateway whose traffic is completely torified and to which the Workstation (or any other VM) connects, hence the Workstation doesn’t “know” the clearnet address of the Gateway. This network is known as an Internal Network named “Whonix” in the VirtualBox network settings.

What I don’t understand is how exactly this is configured in the Gateway. The /etc/network/interfaces.d/30_non-qubes-whonix file contains a fairly simple configuration, with eth0 being inet dhcp (default VirtualBox setting), and eth1 showing only

iface eth1 inet static
       address 10.152.152.10
       netmask 255.255.192.0

How does the Gateway act as a router? Does it run a dhcp server? How is the internal network configured?

I am asking to have a deeper understanding of how Whonix works and also to be able to reproduce a similar setting, as I like the idea of having a virtualized router for other VMs, even for clearnet activities.


There is no IP forwarding.

https://github.com/Whonix/ipv4-forward-disable

Tor is running on the gateway. It opens ports. The workstation can talk to these directly. (socksified)

System default traffic from the workstation (non-socksified), called transparent proxying, is redirected by whonix-gw-firewall to Tor’s DnsPort and Tor’s TransPort.

Whonix (previously called TorBOX) was based on TransparentProxy · Wiki · Legacy / Trac · GitLab. That’s how it all started.

No, static networking.

Before you can understand how Whonix networking works, you need to have a basic understanding of Linux networking in general. Your first step should be to find a few basic tutorials on iptables and routes.

Your goal is to understand the output (on Whonix-Gateway) of:

sudo route -n
sudo iptables -nvL -t nat
sudo iptables -nvL

Then you’ll see that Whonix uses iptables redirection and not forwarding.

Qubes OS is a great sandbox for testing virtual routers. You can also look at specialized distributions: List of router and firewall distributions - Wikipedia

Thanks for your answers, really appreciated. You’re right I need to learn more about Linux networking and iptables, but I’d also like to understand how on the software side the two VMs connect to each other, where are the configuration files they look at to establish the connection on the Whonix internal network? How the Gateway and the Workstation “know” that eth1/eth0 correspond to the Whonix internal network?

EDIT: I think I have figured it out. When creating an internal network, VMs automatically see it as a second eth network (enp0s8 in Debian 9). I am now looking for information on Whonix iptables rulesets, but so far without much success…

EDIT2: after a few hours of (very interesting) reading, I could not find a satisfying answer to my question: how do I reliably reproduce the WG/WW networking system and, more generally speaking, how do I reliably forward traffic from one VM to another VM using iptables…


onion_knight:

Thanks for your answers, really appreciated. You’re right I need to learn more about Linux networking and iptables, but I’d also like to understand how on the software side the two VMs connect to each other, where are the configuration files they look at to establish the connection on the Whonix internal network?

Settings files: VirtualBox settings files.

These are auto generated from command line during Whonix build:

https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm

Thanks for the link, now I know how to link VMs through internal network and ping/ssh each other, but I still can’t figure out how to use iptables to forward the traffic from VM-Workstation (with only internal network attached) to VM-Gateway (with NAT and internal network attached). I guess it is more a general question about VMs and iptables forwarding, but I don’t see how exactly it is achieved in Whonix either.

onion_knight:

Thanks for the link, now I know how to link VMs through internal network and ping/ssh each other, but I still can’t figure out how to use iptables to forward the traffic from VM-Workstation (with only internal network attached) to VM-Gateway (with NAT and internal network attached). I guess it is more a general question about VMs and iptables forwarding, but I don’t see how exactly it is achieved in Whonix either.

It’s all here.

TransparentProxy · Wiki · Legacy / Trac · GitLab

https://github.com/Whonix/whonix-gw-firewall/blob/master/usr/bin/whonix_firewall

Merry Christmas!

I know that this is a bit off-topic, but I think that it can be of interest for Whonix users. Feel free to close the topic if you think otherwise.

So I have been playing around with iptables and VM networking and I was able to forward traffic from a proxy/gateway VM to another VM with this kind of rules:

sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT

For VPN configuration, I just replace “enp0s3” by “tun0”:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s8 -o tun0 -j ACCEPT

However, this setting requires IP forwarding in order to work:

echo 1 > /proc/sys/net/ipv4/ip_forward

How does the Whonix Gateway achieve this without IP forwarding? Is it Tor related? Or is there something else that I am missing?


For socksified connections, you don’t need iptables rules at all.

Tor related. Fortunately Tor can be configured to open a DnsPort and a TransPort listening port. Then you can use iptables to redirect traffic to these ports.

See this very short chapter, Anonymizing Middlebox:
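The redirection approach described in this reply and in the earlier remark that Whonix uses iptables redirection rather than forwarding, as an added shell illustration. This is not Whonix’s own whonix_firewall script; the interface name, gateway address and Tor port numbers are assumed values.

```shell
#!/bin/sh
# Added illustration (not Whonix's whonix_firewall): traffic arriving on the
# internal interface is REDIRECTed to Tor's TransPort/DnsPort on the gateway
# itself, so no FORWARD rule and no ip_forward=1 are needed.
# Assumed values: internal interface eth1, gateway address 10.152.152.10,
# and a torrc containing
#   TransPort 10.152.152.10:9040
#   DnsPort   10.152.152.10:5300
# DRY_RUN=1 prints the rules instead of applying them (no root needed).
set -eu

INT_IF="${INT_IF:-eth1}"
GW_IP="${GW_IP:-10.152.152.10}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5300}"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_redirect_rules() {
    # Routed traffic is refused outright; nothing is ever forwarded.
    ipt -P FORWARD DROP
    # From eth1 only the Tor ports (plus established replies) are reachable;
    # add further ACCEPTs here for Tor SocksPorts if socksified clients exist.
    ipt -A INPUT -i "$INT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -j DROP
    # DNS from the workstation -> Tor DnsPort.
    ipt -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 \
        -j REDIRECT --to-ports "$DNS_PORT"
    # Connections addressed to the gateway itself (e.g. socksified clients
    # talking to Tor's SocksPort) are left alone, not transparently proxied.
    ipt -t nat -A PREROUTING -i "$INT_IF" -p tcp -d "$GW_IP" -j RETURN
    # Every other TCP connection -> Tor TransPort.
    ipt -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn \
        -j REDIRECT --to-ports "$TRANS_PORT"
}

# Sanity check: kernel forwarding must stay off (path overridable for tests).
forwarding_disabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "0" ]
}

if [ "${1:-}" = "show" ]; then
    DRY_RUN=1 apply_redirect_rules
fi
```

Run with `show` to print the rule set, or as root without arguments to apply it; non-TCP traffic other than DNS is dropped because Tor cannot carry it.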

Thanks for your answer. It makes more sense now.