Template:Configure Gateway arp ignore one
Introduction
Whonix-Gateway uses the sysctl parameter net.ipv4.conf.*.arp_ignore=2 to prevent network information leaks, such as VPN IP address leaks on the local network.[1] This is known to interfere with advanced configurations, such as routing a VPN through Whonix-Gateway or using a Whonix-Custom-Workstation. It might also cause issues in other, yet unknown, cases. Therefore, the configuration must be made more lenient for these use cases.
Changing arp_ignore=2 to arp_ignore=1 will resolve these issues. Doing so may allow some additional data about Whonix-Gateway's network configuration to be leaked to other machines on the local network (or to other VMs on the same Qubes OS machine), but it should not allow leakage of information such as VPN IP addresses to other machines.
Downgrade arp_ignore
To change arp_ignore=2 in Whonix-Gateway to arp_ignore=1: [2]
1. Platform specific notice:
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: Inside Whonix-Gateway Template (commonly whonix-gateway-18).
2. Launch a terminal in Whonix-Gateway.
3. Open file /etc/sysctl.d/99_user.conf in an editor with administrative ("root") rights.
Notes:
- Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
- Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
- Template requirement: When using Qubes-Whonix, this must be done inside the Template.
- Example only: This is just an example. Other tools could achieve the same goal.
- Troubleshooting and alternatives: If this example does not work for you, or if you are not using Whonix, please refer to Open File with Root Rights.
Open the file with root rights:
sudoedit /etc/sysctl.d/99_user.conf
Notes for Qubes:
- Shut down Template: After applying this change, shut down the Template.
- Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
- Qubes persistence: See also Qubes Persistence.
- General procedure: This is a general procedure required for Qubes and is unspecific to Qubes-Whonix.
4. Paste.
net.ipv4.conf.*.arp_ignore=1
5. Save and exit.
6. Reboot.
- Non-Qubes-Whonix: No special notice. Simply reboot Whonix-Gateway.
- Qubes-Whonix: Shut down Whonix-Gateway Template (commonly whonix-gateway-18) and reboot all Qubes based on that Template.
7. Done.
The process of changing arp_ignore=2 to arp_ignore=1 in Whonix-Gateway is complete.
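To confirm after the reboot that the new value is in effect, the following check (an added example, not part of the original Whonix page) reports the effective arp_ignore for each interface. The kernel uses the higher of conf/all and conf/<interface>, so a leftover arp_ignore=2 on "all" would still apply; the function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the effective arp_ignore value per interface.
# For an ARP request received on <iface>, the kernel applies
# max(conf/all/arp_ignore, conf/<iface>/arp_ignore).
# The optional directory argument exists only so the check can be run
# against a test tree (an assumption of this example).

arp_ignore_effective() {
    # $1 = interface name, $2 = conf dir (default: live /proc tree)
    dir=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$dir/all/arp_ignore") || return 2
    own=$(cat "$dir/$1/arp_ignore") || return 2
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

check_arp_ignore() {
    # $1 = expected value, $2 = conf dir
    # Returns 0 only if every real interface has the expected effective value.
    want=$1
    dir=${2:-/proc/sys/net/ipv4/conf}
    rc=0
    for path in "$dir"/*/; do
        iface=$(basename "$path")
        # "all" and "default" are pseudo-entries, not interfaces.
        case $iface in all|default) continue ;; esac
        got=$(arp_ignore_effective "$iface" "$dir") || {
            echo "$iface: unreadable"; rc=1; continue
        }
        if [ "$got" = "$want" ]; then
            echo "$iface: ok (effective arp_ignore=$got)"
        else
            echo "$iface: MISMATCH (effective arp_ignore=$got, expected $want)"
            rc=1
        fi
    done
    return $rc
}
```

Source the file in a Whonix-Gateway terminal and run `check_arp_ignore 1`; a MISMATCH line means the downgrade did not take effect for that interface.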