Actions

Access Gateway Port From Host

From Whonix


Access Whonix-Gateway ™ Port From Host[edit]

This is very esoteric and you probably don't need it! Advanced users only!

Not tested since Whonix ™ 0.5.6. May or may not work. Might need changes for later versions.

Example: Make port 9050 accessible from the host.[edit]

Host Setup[edit]

On the host.

In the Whonix-Gateway ™ VM network settings. → Set up Port Forwarding: → within the Adapter 1 tab click Advanced → then Port Forwarding → Insert a new rule as follows.

Name: 9050
Protocol: TCP
Host IP: 127.0.0.1
Host Port: 9050
Guest IP: leave blank
Guest Port: 9050

Or the same as command line. You might have to adjust the name of your Whonix-Gateway.

XFCE:

VBoxManage modifyvm "Whonix-Gateway-XFCE" --natpf1 "9050",tcp,127.0.0.1,9050,,9050

CLI:

VBoxManage modifyvm "Whonix-Gateway-CLI" --natpf1 "9050",tcp,127.0.0.1,9050,,9050

Whonix-Gateway ™ Setup[edit]

Inside Whonix-Gateway ™...

IP 10.0.2.15 is usually obtained from VirtualBox's DHCP server. Hope this always works, otherwise you have to adjust the IP or edit the network config. And use a static virtual LAN IP. (Template:Network_Config)

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettings/usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add. (The second line is not strictly required, useful for debugging.)

SocksPort 10.0.2.15:9050
SocksPort 127.0.0.1:9050

Save.

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named 'sys-whonix')Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSettingsReload Tor

If you are using a terminal-only Whonix-Gateway ™, press on Expand on the right.

Complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

[1]

Modify Whonix-Gateway ™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps.
In Whonix-Gateway ™ AppVM. Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ AppVM (commonly called sys-whonix)Whonix User Firewall Settings

If using a graphical Whonix-Gateway ™, complete these steps.

Start MenuApplicationsSettingsUser Firewall Settings

If using a terminal-only Whonix-Gateway ™, complete these steps.

In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.

sudoedit /etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.

Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q")Template: whonix-gw-15Whonix Global Firewall Settings

If using a graphical Whonix-Gateway ™, complete these steps.

Start MenuApplicationsSettingsGlobal Firewall Settings

If using a terminal-only Whonix-Gateway ™, complete these steps.

In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf

Add.

EXTERNAL_OPEN_PORTS+=" 9050 "
EXTERNAL_UDP_OPEN_PORTS+=" 9050 "

Save.

Reload Whonix-Gateway ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Reload Whonix Firewall

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start MenuApplicationsSystemReload Whonix Firewall

If you are using a terminal-only Whonix-Gateway ™, run.

sudo whonix_firewall

Debugging[edit]

Inside Whonix-Gateway ™...

Switch to clearnet user.

sudo -u clearnet bash

cd ~

Test if the port you want to make available on the host is available from inside Whonix-Workstation ™. (If that's not the case, something is fundamentally wrong and you need to fix this first.)

Circumventing uwt curl wrapper.

UWT_DEV_PASSTHROUGH=1 curl --output - 127.0.0.1:9050

It should answer This is a SOCKs proxy, not an HTTP proxy..

Testing[edit]

On the host...

curl 127.0.0.1:9050

It should answer This is a SOCKs proxy, not an HTTP proxy..

If you see that, that indicates that Tor is, which runs inside Whonix-Gateway ™ is accessible on the host as well.

Forwarding that port to LAN[edit]

On the host...

This is untested, but should work.

You can use something like socat or systemd-socket-proxyd to redirect that port 127.0.0.1:9050 to a different network interface. Otherwise you could experiment with the Whonix-Gateway ™ VM network settings.

See Also[edit]



Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

We are looking for video makers to help create demonstration, promotional and conceptual videos or tutorials.

https [archive] | (forcing) onion [archive]

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.


  1. Open /etc/whonix_firewall.d/30_whonix_gateway_default.conf in an editor as a regular, non-root user.

    If you are using a graphical environment, run.

    mousepad /etc/whonix_firewall.d/30_whonix_gateway_default.conf

    If you are using a terminal, run.

    nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf

    Read information about the following configuration options.

    EXTERNAL_OPEN_PORTS+=" 9050 "
    EXTERNAL_UDP_OPEN_PORTS+=" 9050 "