> Qubes currently does not support such a configuration. You can try to do it
> directly using the xl command (Xen toolstack). The command would be something
> like:
> xl network-attach VMNAME script=/etc/xen/scripts/vif-route-qubes ip=IP backend=BACKEND_VMNAME
>
> BACKEND_VMNAME is normally "firewallvm"

You rock, Marek! The xl commands seem to be what I need.

Follow-up questions...

For the following "Qubes + Whonix" network architecture:
Qubes netvm -> Qubes firewallvm -> whonix-gateway (HVM) ->
whonix-workstation (HVM)

The "Whonix-Gateway" HVM would have the following network connections, to
basically mimic a ProxyVM in an HVM:
whonix-gateway:
- eth0: standard Qubes NIC -> connecting to Qubes FirewallVM
- eth1: added via Xen xl -> connecting to Whonix-Workstation HVM

The "Whonix-Workstation" HVM would have the following network connection:
whonix-workstation:
- eth0: standard Qubes NIC -> connecting to Whonix-Gateway HVM

To achieve this network architecture with HVMs, I assume that this would
be done with the "backend" option of the Xen "xl" "network-attach"
command, instead of the "NetVM" setting inside the Qubes VM Manager?

Like this...
whonix-gateway:
- eth0 backend = firewallvm
- eth1 backend = whonix-workstation
whonix-workstation:
- eth0 backend = whonix-gateway

firewallvm <--> whonix-gateway (eth0) <--> whonix-gateway (eth1) <-->
whonix-workstation (eth0)

I'm not sure how the NetVM/backends work exactly yet. Maybe they isolate
the network traffic between specified VMs, similar to the concept of
"internal networks" in VirtualBox?

P.S. FYI: There is a currently active project going on in the Whonix
development forums to port Whonix to Qubes. We seem to be getting close to
succeeding.

Thank you for your help!