How to use whonix under proxy vm?

hello everyone,i’m having trouble configuring the proxy for my vm.
i want to use whonix,but i’m under network censorship and i have to use bridges and proxy.
i created a new vm, installed the proxy software in it, and opened the port.then use the whonix gateway to try to connect to the http proxy,such as,but the connection failed. i tried to create other vm and configure the proxy in firefox,but it still failed. i executed the ping command and the output was no route to host. i made sure i enabled the provides network for the proxy software’s vm.
i hope it can be done: whonix workstation → whonix gateway → proxy vm → sys-firewall → sys-net
how do i configure this?
i don’t want to configure fedora because i don’t know how to use it.
this is my first time using qubes os and i’m to trying to get familiar with it.

Try to setup your proxy to work in this setup first:
test vm → proxy vm → sys-firewall → sys-net
What Qubes OS version do you have?
What template do you use for proxy vm and test vm?

You can refer to this part in the documentation: Firewall | Qubes OS

Let’s say, your anti-censorship software runs at in “sys-proxy” qube, and you want tor in sys-whonix to go through that proxy. You can add qubes.ConnectTCP * sys-whonix sys-proxy allow to /etc/qubes/policy.d/30-user-networking.policy in dom0. Then you can run qvm-connect-tcp ::4444 in sys-whonix, and set tor to connect through localhost:4444 in sys-whonix.

i can’t find file"30-user-networking.policy" in dom0’s file system.
and i don’t know how to edit, i can’t find text editor in dom0.
my sys-firewall is disposable vm,how can i retain the modifications after reboot?

That’s unrelated. The port is bridged by qrexec.

sudo nano /etc/qubes/policy.d/30-user-networking.policy. If you can’t find it, then create it.

hello,thanks for replay:)
i’m sorry my English is not very well:(
i try to do this in docs: “Enabling networking between two qubes”
now,it’s work
but when i reboot sys-firewall vm or reboot my qubes os , i need input "sudo iptables…"again in sys-firewall vm. how to set it up permanently?

Unfortunately you chose a different way from what I have posted.

With disposable sys-firewall things get complicated. You’ll need to create an app qube sys-firewall-dvm and make it a template for disposables. Then do what the doc suggests you to do in sys-firewall-dvm, and change your disposable sys-firewall’s template to newly created sys-firewall-dvm.

sorry , i can’t understand what is “-dvm”
but i think, making sys-firewall vm disposable can keep security.i think it’s little more troublesome,but safety is more important.
thanks for you help:)

this is my first day using this was a bit difficult to get used to, but i believe this is a very safe system

It’s the name of that qube, just for reminding you of its disposable template nature. I suggest creating a new app qube, and fiddling around in its settings, then you’ll have a better idea what I’m talking about.

i try to use whonix,but it doesn’t work. when i use debian, it work.
i use obfs4 bridge and socks5 proxy.
Oct 24 13:33… [notice] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
Oct 24 13:33… [notice] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
when i disable bridge , only use socks5 proxy ,it doesn’t work
i’m guessing it’s whonix gateway’s firewall that’s causing it ,but i don’t know how to disable it completely.

I don’t know either, and an educated guess is that disabling whonix’s firewall isn’t a good idea. So the best I can suggest is to try out the way that I proposed, which I’m actively using and serves me well.

hello,i try this but it not work.
i add qubes.ConnectTCP * sys-whonix sys-proxy allow to /etc/qubes/policy.d/30-user-networking.policy in dom0.
then i run qvm-connect-tcp ::xxxx in sys-whonix
then,i use ping in sys-whonix
it said : icmp_seq=2 Packet filtered ping: sendmsg: Operation not permitted

Can tor connect through that port ( not through 10.137.X.X:4444, but rather localhost:4444 )? Maybe an reboot of related qubes can help?

As far as I know, ping cannot be used to check if the port is reachable; telnet should be used instead. And sys-firewall still filters the packages between qubes: only data sent through the specific port are transferred by qrexec ( circumventing the firewall ), so you’ll still not be able to ping sys-proxy from sys-whonix.

I tried other methods and it works.thank you.

1 Like