Template:Configure Gateway arp ignore one

From Whonix

Introduction

Whonix-Gateway uses the sysctl parameter net.ipv4.conf.*.arp_ignore=2 to prevent network information leaks, such as VPN IP address leaks on the local network.[1] This is known to interfere with advanced configurations, such as routing a VPN through Whonix-Gateway or using a Whonix-Custom-Workstation. It might also cause issues in other, yet unknown, cases. Therefore, the configuration must be made more lenient for these use cases.

Changing arp_ignore=2 to arp_ignore=1 will resolve these issues. Doing so may allow some additional data about Whonix-Gateway's network configuration to be leaked to other machines on the local network (or to other VMs on the same Qubes OS machine), but it should not allow leakage of information such as VPN IP addresses to other machines.

Downgrade arp_ignore

To change arp_ignore=2 in Whonix-Gateway to arp_ignore=1: [2]

1. Platform-specific notice:

  • Non-Qubes-Whonix: No special notice.
  • Qubes-Whonix: Inside Whonix-Gateway Template (commonly whonix-gateway-18).

2. Launch a terminal in Whonix-Gateway.

3. Open file /etc/sysctl.d/99_user.conf in an editor with administrative ("root") rights.

1 Select your platform.

Non-Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

3 Open the file with root rights.

sudoedit /etc/sysctl.d/99_user.conf

Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
  • Template requirement: When using Qubes-Whonix, this must be done inside the Template.

3 Open the file with root rights.

sudoedit /etc/sysctl.d/99_user.conf

4 Notes.

  • Shut down Template: After applying this change, shut down the Template.
  • Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
  • Qubes persistence: See also Qubes Persistence.
  • General procedure: This is a general procedure required for Qubes and is unspecific to Qubes-Whonix.

Others and Alternatives

2 Notes.

  • Example only: This is just an example. Other tools could achieve the same goal.
  • Troubleshooting and alternatives: If this example does not work for you, or if you are not using Whonix, please refer to Open File with Root Rights.

3 Open the file with root rights.

sudoedit /etc/sysctl.d/99_user.conf

4. Paste.

net.ipv4.conf.*.arp_ignore=1

5. Save and exit.

6. Reboot.

  • Non-Qubes-Whonix: No special notice. Simply reboot Whonix-Gateway.
  • Qubes-Whonix: Shut down Whonix-Gateway Template (commonly whonix-gateway-18) and reboot all Qubes based on that Template.

7. Done.

The process of changing arp_ignore=2 to arp_ignore=1 in Whonix-Gateway is complete.
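
To confirm after the reboot that the new value is actually in force, the following added example (not part of the original Whonix page) reads the live values from /proc/sys/net/ipv4/conf. The function names are hypothetical; the check relies on the kernel's documented behaviour of applying the maximum of conf/all and conf/<interface> for arp_ignore, so a leftover value of 2 in conf/all still wins over a per-interface 1.

```shell
#!/bin/sh
# Added example: verify the effective arp_ignore value on every interface.
# Function names are hypothetical. CONF_DIR is overridable so the logic can
# be exercised against a constructed directory instead of the live /proc.
# Usage after reboot, in a Whonix-Gateway terminal:  arp_ignore_check 1

# arp_ignore_effective CONF_DIR IFACE
# Prints the value the kernel uses for IFACE: max(conf/all, conf/IFACE).
arp_ignore_effective() {
    conf_dir=$1
    iface=$2
    all=$(cat "$conf_dir/all/arp_ignore")
    own=$(cat "$conf_dir/$iface/arp_ignore")
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# arp_ignore_check EXPECTED [CONF_DIR]
# Prints one line per interface and returns 1 if any interface's effective
# value differs from EXPECTED (1 after following the steps above).
arp_ignore_check() {
    expected=$1
    conf_dir=${2:-/proc/sys/net/ipv4/conf}
    status=0
    for path in "$conf_dir"/*/arp_ignore; do
        [ -r "$path" ] || continue
        iface=$(basename "$(dirname "$path")")
        # "all" and "default" are pseudo-entries, not real interfaces.
        case $iface in
            all|default) continue ;;
        esac
        eff=$(arp_ignore_effective "$conf_dir" "$iface")
        if [ "$eff" = "$expected" ]; then
            echo "OK       $iface effective=$eff"
        else
            echo "MISMATCH $iface effective=$eff expected=$expected"
            status=1
        fi
    done
    return $status
}
```

A MISMATCH line showing effective=2 means the setting in /etc/sysctl.d/99_user.conf was not applied to that interface or to conf/all.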