Essential Whonix Functionality Tests
Help to test Whonix. Whonix-Gateway, Whonix-Workstation, browser and application tests.
Introduction
Whonix requires a critical mass of users to properly test planned updates by enabling the stable-proposed-updates or testers repository. [1] Otherwise, bugs might go undiscovered and be inadvertently introduced into the stable repository.
To ensure a stable Whonix system is available at all times, willing testers should:
- Create new Whonix-Workstation™ and Whonix-Gateway™ Templates solely for testing.
- Enable the stable-proposed-updates or testers repository via the Derivative Repository Tool.
- Platform-specific advice:
  - Non-Qubes-Whonix: Create a clean snapshot or use Multiple Whonix-Workstation / Multiple Whonix-Gateway.
  - Qubes-Whonix™: Use Multiple Templates and separate sys-whonix-test and anon-whonix-test TemplateBasedVMs.
Then perform normal user activities.
Please only report bugs after first searching relevant Whonix forums and developer portals for the problem. (Please use Search Engines and see Documentation First)
Whonix-Gateway™ Tests
- After logging in, the Whonix Setup Wizard / Anon Connection Wizard should appear.
- Check the Tor version.
  anon-info
- Check Tor config.
  anon-verify
- Check Tor warnings. Some messages can be safely ignored.
  grep -i warn /var/run/tor/log
- Check Tor errors.
  grep -i error /var/run/tor/log
- Check for clock skew.
  grep -i clock /var/run/tor/log
- Test if arm is fully functional.
  arm
- Test obfsproxy bridge connectivity is functional.
Whonix-Workstation Tests
Basic Tests
- Power off Whonix-Gateway. Try to ping outside or to use the browser in Whonix-Workstation. Obviously this should not work.
- Power on Whonix-Gateway again. Visit https://check.torproject.org/ with Tor Browser. You should see a “Congratulations”.
- Ping the Whonix-Gateway; this will not work. [2]
  ping 10.152.152.10
- Note: Ping commands should NOT work for external addresses from your Whonix-Workstation; ICMP traffic [3] is not proxied and is filtered by Whonix Firewall (/usr/bin/whonix_firewall) because Tor does not support UDP. For more information on ping inside Whonix-Workstation, see Whonix-Workstation Firewall, ping.
- Use Tor Browser to visit an onion address - try the torproject.org onion service.
- Test Tor Button's New Identity Feature.
- dig google.com must only return a single IP; compare that with the output on Whonix-Gateway or Host.
  dig google.com
- See if systemcheck gets autostarted.
- Setup an Onion Service.
- Test the onion service by connecting to its address with Tor Browser.
- Run systemcheck leak tests.
  systemcheck --leak-tests
- After downloading the key, the user should verify its authenticity:
  gpg --keyid-format long --import --import-options show-only --with-fingerprint {{{source_filename}}}
- Before importing the key:
  gpg --import {{{source_filename}}}
- Test curl uwt wrapper.
  curl 2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion
- Install lighttpd.
  sudo apt install lighttpd
- Restart lighttpd.
  sudo service lighttpd restart
- Try to download the local index.html.
  curl 127.0.0.1
- Check.
  cat index.html
- Install git.
  sudo apt install git
- Check if regular git servers are reachable.
  git clone https://github.com/Whonix/derivative-maker
- Check if Tor Project git onion service is online.
- If yes, try to clone its onion Tor git repository.
  git clone http://xtlfhaspqtkeeqxk6umggfbr3gyfznvf4jhrge2fujz53433i2fcs3id.onion/tor.git
DNS Test
Inside Whonix-Workstation.
Run.
nslookup check.torproject.org
Expected output:
116.202.120.181
TCP Test
Inside Whonix-Workstation.
Run.
UWT_DEV_PASSTHROUGH=1 scurl --resolve check.torproject.org:443:116.202.120.181 https://check.torproject.org/api/ip
Expected output:
{"IsTor":true,"IP":"xxx.xxx.xxx.xxx"}
TCP and DNS Test
Inside Whonix-Workstation.
Run.
UWT_DEV_PASSTHROUGH=1 scurl https://check.torproject.org/api/ip
Expected output:
{"IsTor":true,"IP":"xxx.xxx.xxx.xxx"}
Port Tests
SocksPort
Inside Whonix-Workstation.
Run.
UWT_DEV_PASSTHROUGH=1 curl --head 10.152.152.10:9050
Expected output:
HTTP/1.0 501 Tor is not an HTTP Proxy
Content-Type: text/html; charset=iso-8859-1
ControlPort
Inside Whonix-Workstation.
Run. [4]
UWT_DEV_PASSTHROUGH=1 curl --max-time 2 10.152.152.10:9051
Expected output:
510 Command filtered
510 Command filtered
510 Command filtered
510 Command filtered
curl: (28) Operation timed out after 2001 milliseconds with 88 bytes received
Closed Port
Inside Whonix-Workstation.
Run. [5]
UWT_DEV_PASSTHROUGH=1 curl --head 10.152.152.10:80
Expected output:
curl: (7) Failed to connect to 10.152.152.10 port 80: Connection refused
TransPort
Inside Whonix-Workstation.
TransPort reachability test. Run.
UWT_DEV_PASSTHROUGH=1 curl --head 10.152.152.10:9040
Expected output:
curl: (56) Recv failure: Connection reset by peer
Or.
curl: (52) Empty reply from server
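The four port tests above can be graded automatically. The following is an added example, not part of the Whonix documentation or project code: a POSIX shell function that compares curl's exit status and output with the expected results listed above. The names verdict and run_port_tests and the --live switch are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Whonix project code): grade the port tests on this page.
# verdict PORT CURL_EXIT OUTPUT returns 0 when the result matches the page's
# expected output for that port, and 1 otherwise.
GATEWAY=10.152.152.10   # Whonix-Gateway address used by the page's commands

verdict() {
    v_port=$1; v_rc=$2; v_out=$3
    case "$v_port" in
    9050)   # SocksPort: Tor refuses HTTP with a 501 response
        case "$v_out" in *"501 Tor is not an HTTP Proxy"*) return 0 ;; esac ;;
    9051)   # ControlPort: the filter proxy must answer "510 Command filtered"
        case "$v_out" in *"510 Command filtered"*) return 0 ;; esac ;;
    80)     # Closed port: an active refusal, not merely an unreachable host
        [ "$v_rc" -eq 7 ] || return 1
        case "$v_out" in *"Connection refused"*) return 0 ;; esac ;;
    9040)   # TransPort: reset by peer (56) or empty reply (52)
        case "$v_rc" in 56|52) return 0 ;; esac ;;
    esac
    return 1
}

run_port_tests() {
    r_fail=0
    for r_port in 9050 9051 80 9040; do
        # Same flags as the page's commands; -sS only hides the progress meter.
        case "$r_port" in
        9051) r_flags="--max-time 2" ;;
        *)    r_flags="--head" ;;
        esac
        # $r_flags is left unquoted on purpose so it splits into two words.
        r_out=$(UWT_DEV_PASSTHROUGH=1 curl -sS $r_flags "$GATEWAY:$r_port" 2>&1)
        r_rc=$?
        if verdict "$r_port" "$r_rc" "$r_out"; then
            echo "PASS $r_port"
        else
            echo "FAIL $r_port (curl exit $r_rc)"
            r_fail=1
        fi
    done
    return "$r_fail"
}

# Contact the gateway only when asked, e.g.: sh porttests.sh --live
if [ "${1:-}" = "--live" ]; then run_port_tests; fi
```

For port 80 the function checks the message as well as the exit status, because curl also exits with 7 when the gateway cannot be reached at all.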
Default Browser
Quick Launcher
Check if the Tor Browser quick launcher (fav icon) next to the start menu button is visible and startable.
Text Links
1. Open a terminal.
2. Run the following command.
echo http://127.0.0.1
3. Right-click on the echoed http://127.0.0.1 and choose open link.
4. Check it is fully functional.
It should open and ask for confirmation to open that file in Tor Browser. Check that nothing happens when pressing No (which should be the default!) and conversely a new Tor Browser window is opened when pressing Yes.
File Links
1. Create a file ~/test.html with the following content.
test
2. Open Thunar (default file manager) and double-click on that file.
3. Check if it opens and asks for confirmation to open that file in Tor Browser.
Terminal Tests
1. Open a terminal.
2. Run the following command.
x-www-browser http://127.0.0.1
3. Check if it asks for confirmation to open that file in Tor Browser.
4. Check the same for.
gnome-www-browser http://127.0.0.1
5. Check the same for.
xdg-open http://127.0.0.1
6. Check the same for.
gnome-open http://127.0.0.1
7. Next, remove open-link-confirmation.
sudo apt purge open-link-confirmation
And repeat the tests above.
Applications
Test that all the following applications are fully functional:
- Metadata
- Tor Browser
- Manually Downloading Tor Browser
- Check if Tor Browser runs in Whonix out of the box -- without use of the torbrowser script -- by running /home/user/.tb/tor-browser/start-tor-browser.
Leak Tests
See Dev/Leak Tests.
Whonix-Workstation and Whonix-Gateway
Miscellaneous
1. Check locale.
locale
2. Check apt config and see if periodic updates are disabled.
apt-config dump
3. Install a new kernel for testing purposes. [6]
apt-cache search linux-image
sudo apt install linux-image-flavour
4. Check the content of /etc/network/interfaces
cat /etc/network/interfaces
5. Check the content of /etc/resolv.conf
cat /etc/resolv.conf
6. Check /etc/apt/sources.list
cat /etc/apt/sources.list
7. Check iptables.
sudo iptables-save-deterministic
8. Reboot from terminal while X is running.
Switch to terminal.
Reboot.
sudo reboot
No errors such as "failed to kill service" should appear.
Extra Tests
1. Check if aptitude is functional.
sudo aptitude update
See the footnotes if additional manual tests are preferred. [7] [8]
2. Test the re-installation of x11-common.
sudo apt install --reinstall x11-common
Display Manager
Non-Qubes-Whonix only.
Check lightdm stops and restarts correctly.
sudo service lightdm stop
sudo service lightdm start
Footnotes
- ↑ The developers repository is only recommended for experts or those in touch with Whonix developers.
- ↑ You will not be able to ping the Whonix-Gateway because ICMP is blocked by the firewall. If you want to test it, you have to adjust the firewall or deactivate it while testing on both Whonix-Gateway and Whonix-Workstation.
- ↑ https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
- ↑ onion-grater, a Tor Control Port Filter Proxy, design documentation
- ↑ There is nothing running on Whonix-Gateway on port 80.
- ↑ The latest Debian kernel versions can be found here.
- ↑ These checks are not as important because relevant messages would probably be shown during sudo systemctl list-units --failed.
  Check if /var/run/bootclockrandomization/success exists.
  ls -la /var/run/bootclockrandomization/success
  Check the boot clock randomization log.
  cat /var/log/bootclockrandomization.log
  sudo service bootclockrandomization status
  echo $?
  Check if /var/run/timesanitycheck/success exists.
  ls -la /var/run/timesanitycheck/success
  Inspect the time sanity check log.
  cat /var/log/timesanitycheck.log
  Confirm the time sanity check status.
  sudo service timesanitycheck status
  echo $?
- ↑ These checks are not as important because sdwdate-gui would likely identify any issues beforehand.
  Check if /var/run/sdwdate/success exists.
  ls -la /var/run/sdwdate/success
  Check the sdwdate log.
  cat /var/log/sdwdate.log
  Check the sdwdate status.
  sudo service sdwdate status
  echo $?