The diff between Debian buster and Whonix related to changes to network configuration.
Whonix Networking Implementation - Developer Documentation was just now updated.
On that page you can find all changes that Whonix applies related to networking:
- Location of the file on the disk in installed Whonix.
- Location of the file in the Whonix source code on the disk.
- A link to the web version of the file on github.
- A comment if
  - not installed by default
  - gateway or workstation only
  - Non-Qubes-Whonix or Qubes-Whonix only
- And most importantly, a summary of what that file is supposed to do.
That might give you a pretty good overview how Whonix implements its networking. By following the links to the actual files and reviewing them, you might gather enough information so you could create your own Whonix manually. That may not be necessary but it can never hurt to have more people who understand Whonix well since through this review process, issues might be revealed and fixed.
Feedback Wanted!
Does this wiki page make it easier to understand how networking is implemented in Whonix?
Anything about the formatting that could be improved? Such as should each file get its own chapter or is that too much?
If the first category, networking, which got documented here is helpful, other categories can be documented as well. And of course, it would also be trivial to have an “all-in-one” wiki page which documents all changes by Whonix to Debian.
Qubes-Whonix (package qubes-whonix) is not yet fully documented on that wiki page, but there are extensive comments in the source code.
This time this will be easier to maintain and keep updated.
There were previous attempts to document how Whonix is implemented. But since source code changes over time (packages are reorganized, source files move around), it was too much effort to keep the design documentation in sync, so that didn’t happen. Also it was too much. Whonix does not only reconfigure the network but also enhances other parts such as security and usability. These pages were too long and therefore not convenient enough. Therefore not too many people were reading it.
The way this works is a simple markup embedded as comments in each file.
For example /etc/network/interfaces.d/30_non-qubes-whonix contains:
#### meta start
#### project Whonix
#### category networking
#### non_qubes_whonix_only yes
#### gateway_only yes
#### description
## network interfaces configuration eth0 (external network interface) and eth1 (internal network interface)
##
## static network configuration
##
## eth0
#address 10.0.2.15
#netmask 255.255.255.0
#gateway 10.0.2.2
##
## eth1
#address 10.152.152.10
#netmask 255.255.192.0
#### meta end
These comments are then processed by the packaging-helper-script functions pkg_descr_creator and pkg_descr_merger, which autogenerate wiki source code that can simply be copied/pasted to the wiki.
The field #### category allows reusing the same documentation for different categories. For example, is /etc/sysctl.d/tcp_hardening.conf network configuration or security configuration? It’s both. Therefore it can be mentioned on a wiki page which documents the Whonix networking implementation as well as on another wiki page which documents any security related changes by Whonix.
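To make the markup concrete, here is an added example (my own illustration, not the packaging-helper-script’s pkg_descr_creator or pkg_descr_merger) that parses the “#### meta start … #### meta end” block shown above out of a file, filters by the category field, and renders a wiki fragment. The sample input is the header quoted above embedded inline as a string; the wiki output layout, the idea that a category field may list several space-separated categories, and the flag names qubes_whonix_only, workstation_only and not_installed_by_default are assumptions of this example, not something the page states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the 30_non-qubes-whonix header quoted above, followed by
# two made-up non-comment lines to show that parsing stops at "#### meta end".
SAMPLE_INTERFACES = """\
#### meta start
#### project Whonix
#### category networking
#### non_qubes_whonix_only yes
#### gateway_only yes
#### description
## network interfaces configuration eth0 (external network interface) and eth1 (internal network interface)
##
## static network configuration
##
## eth0
#address 10.0.2.15
#netmask 255.255.255.0
#gateway 10.0.2.2
##
## eth1
#address 10.152.152.10
#netmask 255.255.192.0
#### meta end
auto eth0
iface eth0 inet static
"""

# A meta line is "#### key" or "#### key value"; anything else inside the
# description section is a description line whose leading "#" markers we strip.
META_LINE = re.compile(r"^#### (\S+)(?: (.*))?$")


def parse_meta(text: str) -> Optional[Dict[str, object]]:
    """Extract the meta block. Returns a dict of fields plus a 'description'
    list of lines, or None when the file carries no meta block at all.
    A block that is opened but never closed is a documentation bug, so it raises."""
    fields: Dict[str, object] = {}
    description: List[str] = []
    in_block = in_description = False
    for line in text.splitlines():
        m = META_LINE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "meta" and value == "start":
                in_block = True
                continue
            if key == "meta" and value == "end":
                if not in_block:
                    raise ValueError("'#### meta end' without '#### meta start'")
                fields["description"] = description
                return fields
            if in_block:
                if key == "description":
                    in_description = True      # everything until "meta end" is prose
                else:
                    in_description = False
                    fields[key] = value if value is not None else ""
            continue
        if in_block and in_description:
            # "## text" -> "text", "#address 10.0.2.15" -> "address 10.0.2.15"
            description.append(re.sub(r"^#+ ?", "", line))
    if in_block:
        raise ValueError("'#### meta start' without '#### meta end'")
    return None


def has_category(meta: Dict[str, object], category: str) -> bool:
    """True if the file belongs to the given category. Assumption: a category
    field may hold several space-separated names (e.g. 'networking security')."""
    return category in str(meta.get("category", "")).split()


# Flag field -> label. Only the first and third appear in the sample above; the
# others are assumed names for the remaining cases the page lists.
FLAG_LABELS = [
    ("non_qubes_whonix_only", "Non-Qubes-Whonix only"),
    ("qubes_whonix_only", "Qubes-Whonix only"),
    ("gateway_only", "Gateway only"),
    ("workstation_only", "Workstation only"),
    ("not_installed_by_default", "Not installed by default"),
]


def render_wiki(meta: Dict[str, object], installed_path: str,
                source_path: str, github_url: str) -> str:
    """Render one file's entry as MediaWiki-style markup (layout is an assumption)."""
    lines = [
        f"=== {installed_path} ===",
        f"* Installed location: <code>{installed_path}</code>",
        f"* Source location: <code>{source_path}</code>",
        f"* [{github_url} View on GitHub]",
    ]
    lines += [f"* {label}" for key, label in FLAG_LABELS if meta.get(key) == "yes"]
    lines += ["* Description:", "<pre>", *meta["description"], "</pre>"]
    return "\n".join(lines)


if __name__ == "__main__":
    meta = parse_meta(SAMPLE_INTERFACES)
    if meta and has_category(meta, "networking"):
        print(render_wiki(meta, "/etc/network/interfaces.d/30_non-qubes-whonix",
                          "<source path placeholder>", "<github url placeholder>"))
```

Because the same file is parsed once and rendered per category, a file tagged with more than one category (the tcp_hardening.conf case) lands on every matching page without duplicating its description in the source tree.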