Workstation-Firewall setup

Hi,
I tested the Whonix Workstation firewall but I found nothing has changed.
I wrote this in /etc/whonix_firewall.d/50_user:
VPN_FIREWALL=1
VPN_SERVERS=""

The notation is from memory, but I copied the configuration from the website and from the file /etc/whonix_firewall.d/30_default.
Then I reloaded the firewall (sudo whonix_firewall reload), but the fail-closed mechanism doesn't run.
I launched the VPN with OpenVPN; the VPN runs correctly but the fail-closed mechanism does not, and the browser was configured as the documentation says.
In the documentation I didn't find a clear explanation; I think it's incomplete, at least for a noob like me :smiley:.

How to add the VPN in Whonix-Gateway

Explains it all. Change the settings. Reload Whonix firewall. Setup OpenVPN. Make sure Tor is enabled. Done.

fail closed mechanism doesn't run
That's not a very good problem description. See my signature. Actual Result Expected Result ...

Sorry, you are confusing it with Whonix-Gateway.
The chain device -> VPN -> Tor is perfect with Whonix, also for the fail-closed mechanism.
I meant the chain Tor -> VPN.
You wrote this:
One of the benefits of Whonix is that when a VPN connection breaks down, you still have the protections provided by Tor. In such an event where the VPN connection breaks down, Whonix-Workstation will seamlessly continue to make “direct” connections through Tor. If you are using the VPN only to circumvent the censorship of Tor, you may not care so much. On the other hand, if you believe a VPN improves your security, you should make sure that when the VPN connection breaks down, all connections with the outside world and your computer cease.

If you want to enforce that the VPN always gets used:

Whonix-Gateway: Already includes a fail closed (firewall settings VPN_FIREWALL setting) mechanism.
Other operating systems: see: https://github.com/adrelanos/VPN-Firewall

So, I saw that in Whonix-Workstation there is already a VPN fail-closed mechanism, or at least part of one; I didn't check it.
I enabled it but it doesn't run; I did what I wrote in the first message.

Sorry.
Whonix-Workstation’s Firewall does not yet have a VPN-Firewall feature. Ticket:
https://phabricator.whonix.org/T142

Whonix-Workstation /etc/whonix_firewall.d/30_default (https://github.com/Whonix/whonix-ws-firewall/blob/master/etc/whonix_firewall.d/30_default) has no such setting.

You can try GitHub - adrelanos/vpn-firewall: Leak Protection (Fail Safe Mechanism) for (Open)VPN.

I tried to use the Workstation firewall and it runs very well.
I did this:

  1. Stop networking with: sudo service networking stop
  2. sudo whonix_firewall reload
  3. sudo service networking start
  4. sudo openvpn --config (first edit the file with the correct interface)

Of course, before that I did this:

  1. Go to /usr/bin/whonix_firewall and modify it at this point like below:

## Not in use/defined yet.
## INT_IF could be the internal network.
## EXT_IF could be an additional virtual network adapter,
## such as OnionCat or OpenVPN.

## External interface
[ -n "$EXT_IF" ] || EXT_IF="eth0" # (here I wrote tun1)

## Internal interface
[ -n "$INT_IF" ] || INT_IF="eth1" # (here I wrote eth0)
[ -n "$GATEWAY_IP" ] || GATEWAY_IP="10.152.152.10"

tun1 is the interface of my VPN, so the external interface.
eth0 is the fundamental interface, so the internal interface.

Is it correct?
Of course, as you said, the fail-closed mechanism doesn't run, but it doesn't matter because I have a good VPN and of course it's an additional layer of security, not fundamental in most cases.

I have another question: if I use VPN-Firewall on the host and I need to surf the clear net without Tor, how can I do it? The normal browser (Iceweasel) doesn't connect; only VirtualBox can.
I don't know iptables very well, so I can't modify your configuration without risking damage; what can I do? Maybe I can test.
In conclusion, to update my host I always need to launch the VPN and Tor on the host, so the Tor connection will pass through the VPN. But sometimes I need to surf without Tor on the host...
How can I do that?

Don’t edit /usr/bin/whonix_firewall directly as changes are lost on
upgrades. For the variables you changed, there is no need to edit the
file directly. Edit the configuration instead. Folder is
/etc/whonix_firewall.d. See also:

I don’t know where you got /usr/bin/whonix_firewall editing directly
from. Just stick to the documentation.

The new link by the way is this one:

the fail-closed mechanism doesn't run, but it doesn't matter because
I have a good VPN

That doesn’t follow. Fault of the VPN going down and continuing to
connect in the clear is not only up to the VPN. Also the internet
connection could go down due to natural causes. In another category of
attacks would be to intentionally disrupt the VPN connection as part of
an active ISP level attack.

and of course it's an additional layer of security, not fundamental in
most cases

If you don’t do it right, then there is no reason to bother at all.

I have another question: if I use VPN-Firewall on the host and I need
to surf the clear net without Tor, how can I do it? The normal browser
(Iceweasel) doesn't connect; only VirtualBox can.

When VPN-Firewall and the VPN is running, all host traffic should go
user → VPN → destination.

I don't know iptables very well, so I can't modify your configuration
without risking damage; what can I do? Maybe I can test.

Using VPN-Firewall and going user → VPN → destination and then at the
same time making exceptions for user → destination is certainly
possible if you know iptables, but unsupported. (Frequently Asked
Questions - Whonix FAQ)

In conclusion, to update my host I always need to launch the VPN and
Tor on the host, so the Tor connection will pass through the VPN. But
sometimes I need to surf without Tor on the host...
How can I do that?

You don’t need to start Whonix / Tor for user → VPN → destination.

(Technical analogy: From VPN-Firewall / VPN perspective, “they don’t
‘know’ anything about Whonix”.)
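The fail-closed behaviour discussed above (all host traffic goes user → VPN → destination, and must not fall back to the clear when the tunnel drops, whether through an ordinary outage or deliberate disruption) as a minimal OUTPUT-chain ruleset. This is an added example, not the VPN-Firewall project's own script: the variable names EXT_IF, VPN_INTERFACE and VPN_SERVERS follow the thread's configuration names, the server addresses are constructed from the RFC 5737 documentation range, and by default it only prints the iptables commands so it can be read and checked before anything is applied.

```shell
#!/bin/sh
# Added example (not VPN-Firewall's own code): fail-closed VPN leak
# protection for a host. With APPLY=0 the iptables commands are printed
# instead of executed, so the ruleset can be reviewed first.

EXT_IF="${EXT_IF:-eth0}"                    # physical uplink (assumed name)
VPN_INTERFACE="${VPN_INTERFACE:-tun0}"      # tunnel device OpenVPN creates (assumed)
# No colon: an explicitly empty VPN_SERVERS stays empty and is rejected below.
VPN_SERVERS="${VPN_SERVERS-203.0.113.10 203.0.113.11}"  # constructed sample IPs
VPN_PORT="${VPN_PORT:-1194}"                # assumed OpenVPN port
VPN_PROTO="${VPN_PROTO:-udp}"
APPLY="${APPLY:-0}"                         # 0 = dry run, 1 = execute as root

# Wrapper: print or execute one iptables command depending on APPLY.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

vpn_firewall_rules() {
    # An empty server list (as in the thread's VPN_SERVERS="") would build
    # a ruleset that can never reach the VPN, so refuse rather than lock
    # the host out silently. Servers must be IP addresses: DNS is not
    # reachable on the uplink once these rules are in place.
    if [ -z "$VPN_SERVERS" ]; then
        echo "VPN_SERVERS is empty; refusing to build ruleset" >&2
        return 1
    fi
    # Default policy DROP is set first so that the brief window while the
    # rules are being installed fails closed, not open.
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything may leave through the tunnel.
    ipt -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
    # On the uplink only the VPN channel to the listed servers is allowed;
    # this is what lets OpenVPN connect and reconnect.
    for server in $VPN_SERVERS; do
        ipt -A OUTPUT -o "$EXT_IF" -d "$server" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    done
    # Explicit final DROP on the uplink: when the tunnel disappears,
    # applications do not silently continue in the clear.
    ipt -A OUTPUT -o "$EXT_IF" -j DROP
}

# Number of per-server uplink ACCEPT rules in the generated ruleset.
count_uplink_accepts() {
    vpn_firewall_rules | grep -c -- "-o $EXT_IF -d .* -j ACCEPT"
}

vpn_firewall_rules
```

Run it as-is to see the commands; `APPLY=1` with root applies them. The INPUT chain is left alone here, and anything else that must reach the uplink directly (for example the DHCP client) would need its own explicit ACCEPT before the final DROP, which is exactly the kind of exception the thread notes is possible but unsupported.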

Maybe I didn't explain very well.
For updates on the host I have this configuration: VPN-Firewall + a VPN account, of course.
The problem is that I can only do upgrades if I run Tor on the host, or maybe another proxy system; other connections don't run when I use your VPN-Firewall.
If I try to connect to the net with this method (user -> VPN -> destination), the connection doesn't run.
I tried updating with apt-get, updating with Synaptic, surfing with Iceweasel etc., all of this with your VPN-Firewall, and all of these failed; this is the problem.
Maybe without your firewall the connection will run, but I need to use your VPN-Firewall and I think I can't try now...

The second problem is this: I know the .d directory but I don't know how to write my configuration, namely:
[ -n "$EXT_IF" ] || EXT_IF="eth0" # (here I wrote tun1)
## Internal interface
[ -n "$INT_IF" ] || INT_IF="eth1" # (here I wrote eth0)

So, I understood I should write this configuration in /etc/whonix_firewall.d/50_user but I don't know the correct nomenclature; maybe it is like this:
EXT_IF="tun1"
INT_IF="eth0"
VPN_FIREWALL=1 (I took this setting from VPN-Firewall on the gateway and it's the same as VPN-Firewall on the host)
VPN_SERVERS="" (the same as above)
VPN_INTERFACE=tun1

VPN-Firewall (for hosts) has no configuration folder yet. There you
really need to edit the script itself.

EXT_IF="eth0" most likely. Setting it to tun1 seems totally wrong.

###########################
## VARIABLES
###########################

## Not in use/defined yet.
## INT_IF could be the internal network.
## EXT_IF could be an additional virtual network adapter,
## such as OnionCat or OpenVPN.

## External interface
[ -n "$EXT_IF" ] || EXT_IF="eth0"
## Internal interface
[ -n "$INT_IF" ] || INT_IF="eth1"

if [ -d "/usr/lib/qubes" ]; then
   ## Would fail if netvm is set to 'none'.
   [ -n "$GATEWAY_IP" ] || GATEWAY_IP="$(qubesdb-read /qubes-gateway)"
else
   [ -n "$GATEWAY_IP" ] || GATEWAY_IP="10.152.152.10"
fi
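The drop-in mechanism Patrick points to (edit files under /etc/whonix_firewall.d/ instead of /usr/bin/whonix_firewall, whose `[ -n "$VAR" ] || VAR=default` lines only fill in variables that are still empty) as an added example, not Whonix's own script. It writes two constructed drop-in files into a temporary directory and reports which value ends up in effect; the variable names are the ones used in this thread, and, as noted above, whether a given variable such as VPN_FIREWALL is actually honoured depends on the script that reads it (the Workstation firewall has no such setting).

```shell
#!/bin/sh
# Added example (not whonix_firewall itself): how a .d configuration
# folder combines with the script's own defaults. Files are sourced in
# lexical order, so 50_user is read after 30_default and wins for any
# variable both define; the defaults apply only to what is still unset.

load_firewall_config() {
    conf_dir="$1"
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        . "$f"
    done
    # Same idiom as the script: assign only if nothing set the variable.
    [ -n "$EXT_IF" ] || EXT_IF="eth0"
    [ -n "$INT_IF" ] || INT_IF="eth1"
    [ -n "$GATEWAY_IP" ] || GATEWAY_IP="10.152.152.10"
    [ -n "$VPN_FIREWALL" ] || VPN_FIREWALL=0
}

# Build a constructed config folder in a temp dir and print its path.
make_sample_config() {
    dir="$(mktemp -d)"
    cat > "$dir/30_default" <<'EOF'
## constructed stand-in for the packaged defaults file
VPN_FIREWALL=0
INT_IF=eth1
EOF
    cat > "$dir/50_user" <<'EOF'
## constructed stand-in for the user's drop-in
VPN_FIREWALL=1
VPN_SERVERS="203.0.113.10"
INT_IF=eth0
EOF
    printf '%s\n' "$dir"
}

# Usage: effective_setting <conf_dir> <VAR>; prints the value in effect.
# Runs in a subshell with the variables cleared so each call is independent.
effective_setting() {
    (
        unset EXT_IF INT_IF GATEWAY_IP VPN_FIREWALL VPN_SERVERS VPN_INTERFACE
        load_firewall_config "$1"
        eval "printf '%s\n' \"\${$2}\""
    )
}

dir="$(make_sample_config)"
for v in EXT_IF INT_IF GATEWAY_IP VPN_FIREWALL VPN_SERVERS; do
    printf '%s=%s\n' "$v" "$(effective_setting "$dir" "$v")"
done
rm -rf "$dir"
```

Note that INT_IF comes out as eth0 (from 50_user) although 30_default set eth1, while EXT_IF falls through to the script default because neither file mentions it; this is why a setting in 50_user survives a package upgrade and a hand edit of the script does not.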

I read this and I supposed it was correct; even if I don't have the VPN on EXT_IF I can insert eth0, because it will be the only interface communicating with external resources. This is my understanding from what I read and what I thought.

I did it as I wrote above and it runs correctly; the problem is that you advised me to write the changes in the dedicated file 50_user, of course, but I don't know the correct code to write for all my requests.

The host problem I can't resolve; I tried everything but I didn't understand why VirtualBox can communicate with the VPN and other software cannot, all software apart from VirtualBox.

Can anyone help me?