Access Local Network, Host or Clearnet Internet from VM

Connections from inside a VM to a service running on the host, inside the local area network (LAN) or clearnet internet. (Esoteric Documentation)
Introduction[edit]
File Transfer might be a far simpler alternative.
Prerequisite Knowledge[edit]
Instructions[edit]
The following example uses ssh
, but it could be replaced with something else.
If ssh
is utilized, its setup on the host (such as public key setup) and related issues are out of scope for this documentation and are considered prerequisite knowledge. This wiki chapter is focused on connectivity and not server configuration details.
- Whonix-Gateway: These instructions only apply to Whonix-Gateway.
- Whonix-Workstation: This is currently undocumented. It would likely require a complex setup and pose a high risk of clearnet leaks; see footnote. [1] Instead of using these instructions it is recommended to consider SSH / SSHFS (ssh file system) into Whonix-Gateway, SSH / SSHFS into Whonix-Workstation, and SSHFS into Whonix-Workstation.
On the Host[edit]
Install the server software. Note: ssh
is used as an example but can be replaced with alternatives.
Install package(s) ssh
.
A. Update the package lists and upgrade the system.
sudo apt update && sudo apt full-upgrade
B. Install the ssh
package(s).
Using apt
command line parameter --no-install-recommends
is in most cases optional.
sudo apt install --no-install-recommends ssh
C. Done.
The procedure of installing package(s) ssh
is complete.
Inside the VM[edit]
Install the client software. Note: openssh-client
is used as an example but can be replaced with alternatives.
1. Install openssh-client
.
Install package(s) openssh-client
.
A. Update the package lists and upgrade the system.
sudo apt update && sudo apt full-upgrade
B. Install the openssh-client
package(s).
Using apt
command line parameter --no-install-recommends
is in most cases optional.
sudo apt install --no-install-recommends openssh-client
C. Done.
The procedure of installing package(s) openssh-client
is complete.
2. Optional: Create a persistent home folder for user clearnet
.
sudo usermod -d /home/clearnet clearnet
sudo mkhomedir_helper clearnet
3. Open a shell under user clearnet
.
sudo -u clearnet bash
4. Permanently disable stream isolation or temporarily circumvent stream isolation.
Syntax:
client-software ip-address
In the following example, note:
- Replace
ssh
with the desired client software. - Replace the IP
192.168.1.0
with the actual local LAN IP of the host. - Drop
.anondist-orig
if the command is not uwt-wrapped by default.
ssh.anondist-orig 192.168.1.0
Troubleshooting[edit]
- A configured host firewall might block connections to the service.
See Also[edit]
Footnotes[edit]
- ↑
It would probably require:
- Less safe: enabling IP forwarding inside Whonix-Gateway; or
- Safer: Opening an Incoming Port on Whonix-Gateway Firewall and running some kind of proxy software in Whonix-Gateway with user
clearnet
that permits forwarding to host, local area network or clearnet Internet.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!