Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Authenticated / Encrypted Connections between Whonix-Gateway and Whonix-Workstation, ARP spoofing defense, SSH, OpenVPN, Using additional (isolated) network interfaces. Remote Whonix-Gateway.

Introduction[edit]

• This chapter does not apply to Qubes-Whonix^™. ^[1]
• This chapter applies to Non-Qubes-Whonix using Multiple Whonix-Workstation.
• This chapter applies to Physical Isolation (using Multiple Whonix-Workstation).
• Remote Whonix-Gateway: If you want to connect to a Whonix-Gateway over insecure, untrusted, or unknown foreign networks (internet).
• You should read it if using any custom, non-stock, configurations.

Related: Opening ports in Whonix

Essentials[edit]

By default, Whonix assumes that Whonix-Gateway and Whonix-Workstation are connected by (virtual) LAN cable. Wireless technologies are not recommended as a malware compromised Whonix-Workstation could access (other) wireless access points and subsequently connect without Tor or find user's location based on WiFi SSIDs. Using a (virtual) cable enforces that Whonix-Workstation can only connect through Whonix-Gateway. For the same reason, connections to Whonix-Gateway over the internet are also not recommended.

By default, connections between Whonix-Workstation and Whonix-Gateway are neither authenticated nor encrypted. The above (virtual) LAN connection between Whonix-Workstation and Whonix-Gateway is assumed to be secure. ^[2] Adding authentication and/or encryption by default would further increase the complexity of Whonix, which is to be avoided as explained in earlier chapters.

If you want to run Multiple Whonix-Workstation at the same time inside the same (virtual) isolated LAN, authentication should be added:

• Inside virtual LANs:
  • Authentication is enough.
  • Encryption is not required. (When machines cannot be impersonated, MITM attacks are not possible from within the virtual LAN.)
• Inside physical LANs:
  • If your threat model includes the possibility of a MITM attack, encryption is needed .

If you want to connect to a Whonix-Gateway over insecure, untrusted, or unknown foreign networks (internet):

• Both authentication and encryption should be added.
  • Encryption is required to deny MITM eavesdropping.
  • Authentication validates the identity of the connecting machine.
    • Encryption solutions such as OpenVPN and ssh also provide authentication.

Motivation for secure Whonix-Gateway / Whonix-Workstation connections[edit]

Only applies to non-stock configurations: If you run Multiple Whonix-Workstation simultaneously or want to connect to Whonix-Gateway over insecure or untrusted networks (internet):

A compromised Whonix-Workstation can impersonate the Whonix-Gateway, or any other Whonix-Workstation, within the same (virtual) LAN, perform active MITM attacks, or passively eavesdrop.

OpenVPN vs SSH[edit]

Encryption can be added using OpenVPN or SSH. SSH, but not OpenVPN, has the advantage of being able to still easily tunnel a VPN through Tor, later. If you don't plan to do so, OpenVPN is probably easier. SSH has the disadvantage of increased setup complexity in this use case - you are probably better off using OpenVPN.

Authenticated connections between Whonix-Gateway and Whonix-Workstation[edit]

ARP spoofing defense[edit]

This has only been quickly researched: From the Wikipedia article about ARP spoofing, it appears that Static ARP entries could be used to authenticate connections between Whonix-Gateway and Whonix-Workstation.

Using additional (isolated) network interfaces[edit]

Theoretical[edit]

(This chapter is actually not authentication, but solves the threat nonetheless.)

A workaround, when running all vm's on the same VirtualBox host:

• One can enable additional Virtual Network Adapters with uniquely named internal virtual networks, inherently isolating up to 7 Whonix-Workstation per Whonix-Gateway, ^[3]

A workaround, for Whonix with Physical Isolation, where all possible connecting machines are trusted:

• Whonix-Gateway inherently requires two network interfaces - external and internal. Additional physical and/or virtual LAN interfaces could be added. (Ensure no bridging takes place.)

Instructions[edit]

DRAFT! UNFINISHED!

If you would like to see the unfinished documentation, please press on expand on the right.

These instructions explain how to do it using VirtualBox.

For basic setup, see this forum thread:
https://forums.whonix.org/t/running-2-isolated-workstations-on-a-single-gateway/835

The original poster is on a good track already. Some more changes required.

On Whonix-Workstation in an additional isolated network.

Modify the Whonix Network Configuration.

If you are using Qubes-Whonix^™, complete the following steps.

Undocumented

If you are using a graphical Whonix-Gateway^™, complete the following steps.

lxsudo kate /etc/network/interfaces.d/30_non-qubes-whonix

If you are using a terminal-only Whonix-Gateway, complete the following steps. sudo nano /etc/network/interfaces.d/30_non-qubes-whonix

Use these settings.

address 10.152.152.17 netmask 255.255.192.0 gateway 10.152.152.13

On Whonix-Gateway.

Modify the Whonix Network Configuration.

If you are using Qubes-Whonix^™, complete the following steps.

Undocumented

If you are using a graphical Whonix-Gateway^™, complete the following steps.

lxsudo kate /etc/network/interfaces.d/30_non-qubes-whonix

If you are using a terminal-only Whonix-Gateway, complete the following steps. sudo nano /etc/network/interfaces.d/30_non-qubes-whonix

Add this.

auto eth2 iface eth2 inet static address 10.152.152.13 netmask 255.255.192.0

Modify Whonix-Gateway^™ User Firewall Settings.

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix^™, complete these steps.
In Whonix-Gateway App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Gateway, complete these steps.

Start Menu → Applications → Settings → User Firewall Settings

If using a terminal-only Whonix-Gateway, complete these steps.

In Whonix-Gateway, open the whonix_firewall configuration file in an editor.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.

Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-gateway-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Gateway, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Gateway, complete these steps.

In Whonix-Gateway, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf

And add additional interfaces to the firewall config.

INT_IF="\ eth1 eth2" INT_TIF="$INT_IF"

Reload Whonix firewall (or reboot).

sudo whonix_firewall

Restart networking.

sudo service networking restart

Perhaps NetworkManager is interfering and must be disabled.

Also the file /usr/share/tor/tor-service-defaults-torrc needs some changes. Tor needs to listen on the additional interfaces.

Open file /usr/share/tor/tor-service-defaults-torrc in an editor with root rights.

Non-Qubes-Whonix^™

This box uses sudoedit for better security.

sudoedit /usr/share/tor/tor-service-defaults-torrc

Qubes-Whonix^™

NOTES:

• When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /usr/share/tor/tor-service-defaults-torrc

• After applying this change, shutdown the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and unspecific to Qubes-Whonix^™.

Others and Alternatives

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /usr/share/tor/tor-service-defaults-torrc

Use this file:
https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist

^[4]

Restart Tor.

sudo service tor@default restart

It will now loudly complain, that Tor is listening on all IPs that may not be what you want. You can ignore this, because the external network interface is firewalled.

TODO: Explain what happens during upgrades.

Whonix-Workstation whonixcheck / timesync / Tor Browser won't work. (Would need updated IP of the other gateway internal interface.) TODO: Expand.

Whonix-Workstation TransPort access should be functional though. I.e. nslookup check.torproject.org and/or Firefox should work.

Whonix-Custom-Workstation^™ should work.

Libvirt Isolated Ports[edit]

Isolated ports are a Libvirt feature supported since 6.1.0. ^[5]

The port element property isolated, when set to yes (default setting is no) is used to isolate this interface's network traffic from that of other guest interfaces connected to the same network that also have <port isolated='yes'/>. This setting is only supported for emulated interface devices that use a standard tap device to connect to the network via a Linux host bridge. This property can be inherited from a libvirt network, so if all guests that will be connected to the network should be isolated, it is better to put the setting in the network configuration. (NB: this only prevents guests that have isolated='yes' from communicating with each other; if there is a guest on the same bridge that doesn't have isolated='yes', even the isolated guests will be able to communicate with it.)

<devices>
  <interface type='network'>
    <source network='default'/>
    <port isolated='yes'/>
  </interface>
</devices>

Encrypted and authenticated connections between Whonix-Gateway and Whonix-Workstation[edit]

Using SSH (not tested/recommended)[edit]

Each Gateway and Workstation should have its own SSH account and certificate distributed to each machine to which it will connect. ^[6] Each Gateway and Workstations will need ssh installed and the service started. Workstations need to be configured to automatically reconnect - in case Whonix-Workstation starts before the Gateway, or restarts. ^[7] Workstations need to use the tunnel IP to connect to the Gateway. The Whonix-Gateway should only accept certificate authentication, and only forward or answer to Tor over the SSH tunnel. All Workstations must use the established SSH tunnel to the Gateway, redirect such network access to socks via tranSOCKS_ev or similar. The Whonix-Gateway firewall may need corresponding changes. Not impossible to use SSH for this - but intricate.

Do not allow SSH logins! ^[8]

You may be better off using OpenVPN. However - OpenVPN is a full machine to machine connection, while ssh is easily port restricted.

Using OpenVPN[edit]

Remote Whonix-Gateway[edit]

At the time of writing, the Whonix project is primarily designed for the Whonix-Workstation and Whonix-Gateway to be connected over a trusted network using virtual, isolated network cards.

Setting up a Remote Whonix-Gateway, where the Whonix-Gateway is accessed remotely from a different location, is currently not well-documented or and unsupported supported by the Whonix project.

While there are some pointers and references available on on this wiki page, they are insufficient to fully guide users in setting up a remote configuration.

Development considerations.

Setting up a remote Whonix-Gateway would involve the following considerations:

• 1) Authenticated and encrypted connections between Whonix-Gateway and Whonix-Workstation would be necessary. This can be achieved using tools like OpenSSH or WireGuard.
• 2) An open port on the host operating system would need to be forwarded to Whonix-Gateway to make it accessible from the internet. Prior knowledge about ports is required. See Ports.

However, it's important to note that a remote setup would not utilize the (virtual) isolated network that Whonix typically employs when used locally. Therefore this would be less secure.

To address this, it may be more suitable to implement this functionality at the virtualizer level rather than modifying the Whonix VMs extensively. If Whonix is running within a virtualizer that can securely connect two VMs with authentication and encryption, there would be no need for complex modifications to the Whonix configuration.

As of the author's current knowledge:

• VirtualBox does not have a built-in feature that enables encrypted connections between VMs.
• KVM does not have such a feature.
• Xen does not have such a feature.
• Qubes (based on Xen) does not have such a feature.

Other virtualizers might have this feature but Whonix is unavailable for these platforms at the time of writing.

Readers are encouraged to consider submitting a generic feature request to any of these virtualizers. The request should focus on the generic need for encrypted connections between VMs and does not necessarily have to mention Whonix explicitly.

Realistically, it's important to acknowledge that a feature request may not lead to immediate implementation. The realization of such a feature might only get implemented if someone pays for it.

forum discussion: Remote Whonix-Gateway - Access to Whonix-Gateway from an external Computer

See Also[edit]

• Whonix-Workstation Firewall

Footnotes / References[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!