Access Whonix-Gateway™ Ports from the Host
Donate
Access Whonix-Gateway Port From Host (Esoteric Documentation)
This is very esoteric and you probably do not need it! Advanced users only!
Access Whonix-Gateway Port From Host[edit]
Not tested since Whonix™ 0.5.6. May or may not work. Might need changes for later versions.
Example: Make port 9050 accessible from the host.[edit]
Host Setup[edit]
On the host.
In the Whonix-Gateway VM network settings. → Set up Port Forwarding: → within the Adapter 1 tab click Advanced → then Port Forwarding → Insert a new rule as follows.
Name: 9050 Protocol: TCP Host IP: 127.0.0.1 Host Port: 9050 Guest IP: leave blank Guest Port: 9050
Or the same as command line. You might have to adjust the name of your Whonix-Gateway.
Xfce:
VBoxManage modifyvm "Whonix-Gateway-Xfce" --natpf1 "9050",tcp,127.0.0.1,9050,,9050
CLI:
VBoxManage modifyvm "Whonix-Gateway-CLI" --natpf1 "9050",tcp,127.0.0.1,9050,,9050
Whonix-Gateway Setup[edit]
Inside Whonix-Gateway...
IP 10.0.2.15 is usually obtained from VirtualBox's DHCP server. Hope this always works, otherwise you have to adjust the IP or edit the network config. And use a static virtual LAN IP. (Template:Network_Config)
Open file /usr/local/etc/torrc.d/50_user.conf in a text editor
of your choice with sudoedit.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf
If you are using a terminal-only Whonix-Gateway, complete the following steps. sudoedit /usr/local/etc/torrc.d/50_user.conf
Add. (The second line is not strictly required, useful for debugging.)
+SocksPort 10.0.2.15:9050 +SocksPort 127.0.0.1:9050
Save.
Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named 'sys-whonix') → Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → Reload Tor
If you are using a terminal-only Whonix-Gateway, click
HERE for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
Modify Whonix-Gateway™ User Firewall Settings.
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix™, complete these steps.
In Whonix-Gateway App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → User Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.
Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-gateway-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
Add.
EXTERNAL_OPEN_PORTS+=" 9050 " EXTERNAL_UDP_OPEN_PORTS+=" 9050 "
Save.
Reload Whonix-Gateway™ Firewall.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ProxyVM (commonly named sys-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Gateway, run. sudo whonix_firewall
Debugging[edit]
Inside Whonix-Gateway...
Switch to clearnet user.
sudo -u clearnet bash
cd ~
Test if the port you want to make available on the host is available from inside Whonix-Workstation™. (If that's not the case, something is fundamentally wrong and you need to fix this first.)
Circumventing uwt curl wrapper.
UWT_DEV_PASSTHROUGH=1 curl --output - 127.0.0.1:9050
It should answer This is a SOCKs proxy, not an HTTP proxy..
Testing[edit]
On the host...
curl 127.0.0.1:9050
It should answer This is a SOCKs proxy, not an HTTP proxy..
If you see that, that indicates that Tor is, which runs inside Whonix-Gateway is accessible on the host as well.
Forwarding that port to LAN[edit]
On the host...
This is untested, but should work.
You can use something like socat, systemd-socket-proxyd or SSH port forwarding to redirect that port 127.0.0.1:9050 to a different network interface. Otherwise you could experiment with the Whonix-Gateway VM network settings.
See Also[edit]
- Hosting a (private) (obfuscated) bridge or (exit) relay
- Ports
- Access Whonix-Workstation Ports from the Host
The most watertight privacy operating system in the world.
At Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-2023 ENCRYPTED SUPPORT LP
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!
- ↑
- https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_gateway_default.conf
- https://forums.whonix.org/t/redirect-host-traffic-to-whonix-gateway-allow-multiple-incoming-flashproxy-ports/7448
- Look at
/etc/whonix_firewall.d/30_whonix_gateway_default.conf.
/etc/whonix_firewall.d/30_whonix_gateway_default.confin a text editor of your choice as a regular, non-root user.If you are using a graphical environment, run. mousepad /etc/whonix_firewall.d/30_whonix_gateway_default.conf
If you are using a terminal, run. nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
Read information about the following configuration options.
EXTERNAL_OPEN_PORTS+=" 9050 " EXTERNAL_UDP_OPEN_PORTS+=" 9050 "
- https://github.com/Whonix/whonix-firewall/blob/master/etc/whonix_firewall.d/30_whonix_gateway_default.conf