Network Manager[edit]

This page is out of date.

At time of writing, Qubes(-Whonix ™) does not use ifupdown, but Qubes custom implementation.

It would be desirable to have a graphical network manager installed in Whonix-Workstation ™. There are a few main use cases. Changing Whonix-Workstation ™ internal IP address for Multiple Whonix-Workstation ™, setting up a post-Tor-VPN using a graphical user interface and other kinds of advanced network configurations over Tor which are simpler to set up using a grapical user interface.

At the moment networking still managed by the ordinary ifupdown way. (Template:Network_Config)

If you want to install the KDE Network Manager.

sudo apt install network-manager-kde

Then it can be started from the Start Menu.

Start menu → System Settings → Network Settings

You won't see Whonix ™ internal network interface right away. You could make it visible in Network Manger, by editing /etc/NetworkManager/NetworkManager.conf and setting managed to true.

[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=true

That would be quite useful, if changing settings where possible. However, the NetworkManager.conf man page says, write support for ifupdown managed devices is not planned.

The Fedora wiki has a nice page about Network Manager ^[archive] which is useful for a distro packager perspective.

Quote: "NM is slowly changing from a desktop network connection configurator to a universal network configuration software that could be used as a part of the base system."

Once NM can do everything ifupdown can do (i.e. suitable for all tasks also from command line), ifupdown in Whonix ™ could get completely replaced with NM.

Since IPv6 support in NM is said to be not in a production state yet, I am hesitate to switch to NM. Tor recently added support for IPv6 bridges and full IPv6 support could come in future. If Tor fixes IPv6 support first, there would eventually still (again) need for ifupdown. Therefore I think at the moment it is best to let NM mature.

For running NM on Whonix-Gateway ™ it would be required to check if the pre-up hook to start the firewall works flawless. Having a pre-up hook which fails closed like ifupdown currently provides is desirable, because when there is a tiny syntax error in the firewall, the network won't come up and nothing leaks. Alternatively, an init.d script could be developed, it would have to be researched, if it can provide the same fail closed protections.

Since many people are interested in post-Tor-VPNs (user → Tor → VPN), it is open for debate if network-manager-kde should be pre-installed on Whonix-Workstation ™. Would the user be confused because it won't show the (virtual) wired internal network interface? Would it be less/more confusing if the (virtual) wired internal network interface where shown but impossible to edit? Shouldn't it be pre-installed for these confusion reasons and recommended to be installed manually for users interested in post-Tor-VPNs?

As a footnote, it is also possible to use Gnome applications in Whonix ™ (KDE based), such as Gnome Network Manager chapter on TestVPN page.

Quote ^[archive]:

"Please also understand that currently networkmanager is not a security tool at all. VPN plugins are regarded as connectivity plugins, not security plugins."

Missing auto-reconnect feature: https://bugzilla.gnome.org/show_bug.cgi?id=349151 ^[archive]

So perhaps using NM to set up VPNs for security is not a good idea.

Doesn't look like NM has a fail closed mechanism: VPN-Firewall

Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.