Yes, same.
They are on a custom netvm that goes as described above:
tor [sys-whonix] → vpn → net-firewall
I know that if I switch to only net-firewall it will work, but I want to make this work with this config.
Is there a way?
I have no idea what you are trying to do.
Before you said:
sys-firewal → vpn → tor
And now you say:
tor [sys-whonix] → vpn → net-firewall
You were asked which netvm the qubes were attached to, and you didn't
answer that question. Answer that question.
I don't recommend changing firewall rules at random, as you seem to have
done. Revert the changes that you have made.
Identify the qube that both qubes are using as their netvm. That is
where you will need to make changes. Nowhere else.
qube a → sys-whonix → sys-vpn → sys-firewall → sys-net
qube b ----^
Right? In which case I think sys-whonix might be blocking your attempts. An easy way to check is to clone sys-firewall into sys-tor-firewall and set its netvm to sys-whonix and connect your qubes a & b to sys-tor-firewall.
That should work then, but you lose the stream isolation of whonix/tor because both qubes' traffic will go through sys-tor-firewall, which is the only qube whonix will see.
If you do want stream isolation and the connection between the qubes is a specific port only, you could try and use the qubes.ConnectTCP method:
I created a sys-vpnie-tor qube based on whonix-gw-15 template with NetVM sys-vpn-ie
sys-vpn-ie is a vpn qube - based on fedora template with NetVM based on sys-firewall
Qube A and B are based [both] on sys-vpnie-tor
Now, using that connection that you said is not so helpful because:
Qube A is Kali
Qube B is a lab machine with lots of ports opened for learning [metasploitable right now, as I’m a noob on Kali and PenTesting]
and that will mean first adding lots of ports there and second changing them when I go to another lab
Undo all firewall changes you previously made in various qubes as @unman recommended
Create a proxy qube based on Fedora and set its netvm to sys-vpnie-tor
Connect Qube A and Qube B to the new proxy qube
Configure Qube B to accept connections on all ports from Qube A as described in the documentation
Configure the new proxy qube to allow all connections from Qube A to Qube B
Depending on your use case also:
Configure Qube A to accept connections on all ports from Qube B as described in the documentation
Configure the new proxy qube to allow all connections from Qube B to Qube A
If you don’t mind me asking: since this is “just” a lab, why do you bother to connect them to the internet at all? You can set the new proxy qube's netvm to ‘’ and your lab will still work. It’ll effectively be an internal network without connection to the Internet. What do you hope to achieve by connecting it to TOR?
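
The proxy-qube steps listed above, sketched as an added example that is not part of any post in this thread: a script that prints, per qube, the commands those steps amount to, without running them. It assumes iptables-based qubes (the whonix-gw-15 era of this thread); the names `sys-lab-proxy`, `qube-a`, `qube-b` and the sample IP addresses are hypothetical.

```shell
#!/bin/sh
# Added example: prints the commands for the proxy-qube layout, it does not run them.
# Assumed: iptables-based qubes; qube names and sample IPs below are hypothetical.
PROXY=sys-lab-proxy
QUBE_A=qube-a
QUBE_B=qube-b

valid_ip() {               # accept only dotted-quad IPv4, each octet 0-255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

forward_rule() {           # proxy qube (as root): let $1 reach $2 on all ports
    printf 'iptables -I FORWARD 2 -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

input_rule() {             # destination qube (as root): accept all ports from $1
    printf 'iptables -I INPUT -s %s -j ACCEPT\n' "$1"
}

# $1 = Qube A IP, $2 = Qube B IP, $3 = "both" to add the optional B -> A direction,
# $4 = upstream netvm of the proxy (empty string = internal lab without Internet)
lab_rules() {
    valid_ip "$1" && valid_ip "$2" || { echo "invalid IPv4 address" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "qubes need distinct IPs" >&2; return 1; }
    echo "# dom0"
    printf 'qvm-prefs %s provides_network True\n' "$PROXY"
    printf "qvm-prefs %s netvm '%s'\n" "$PROXY" "$4"
    printf 'qvm-prefs %s netvm %s\n' "$QUBE_A" "$PROXY"
    printf 'qvm-prefs %s netvm %s\n' "$QUBE_B" "$PROXY"
    echo "# $PROXY (persist in /rw/config/qubes-firewall-user-script)"
    forward_rule "$1" "$2"
    if [ "$3" = both ]; then forward_rule "$2" "$1"; fi
    echo "# $QUBE_B (persist in /rw/config/rc.local)"
    input_rule "$1"
    if [ "$3" = both ]; then
        echo "# $QUBE_A (persist in /rw/config/rc.local)"
        input_rule "$2"
    fi
    return 0
}

# Constructed sample addresses; read the real ones with `qvm-prefs <qube> ip` in dom0.
lab_rules 10.137.0.10 10.137.0.11 both sys-vpnie-tor
```

Because the rules match on source and destination IP rather than on ports, moving to a different lab machine only means re-running it with the new qube's address.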