Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Using a Tor Controller with Whonix. Onion Circuits. Nyx. View or change your Tor circuits. Monitor Tor and inspect logs.

Introduction[edit]

Nyx is the primary Tor Controller option that comes pre-installed in Whonix.

Note: Vidalia has been deprecated and is no longer packaged in Debian.

Nyx[edit]

Nyx Usage[edit]

Nyx is recommended and comes pre-installed in Whonix-Gateway^™. ^[1]

To receive a new circuit, press:

n

To exit Nyx, press:

q
q

Nyx FAQ[edit]

Message / Question	Response
arm vs nyx?	The software was previously called arm, but the new name is nyx. [2]
Should any of the following nyx messages concern me?	No; see below for reasons why. See also: Indicators of Compromise and Support Request Policy (rationale).
Am I compromised? Does nyx report leaks?	Nyx is not designed to detect serious issues such as possible compromises or leaks. [3] Nyx is listed on the leak tests wiki page in chapter Unsuitable Tests.
Nyx sometimes shows my public IP address and other times the internal 10.0.2.15 and 127.0.0.1 IPs. Is it normal or dangerous? [4]	This is a normal Nyx feature. Whonix utilizes a Tor control port filter proxy (onion-grater) that prevents abuse of the ControlPort, including blocking dangerous commands like GETINFO address. When the real IP address appears, it is only visible locally and cannot be seen by others.
Tor is preventing system utilities like netstat and lsof from working. This means that nyx can't provide you with connection information. You can change this by adding 'DisableDebuggerAttachment 0' to your torrc and restarting tor. For more information see... https://gitlab.torproject.org/legacy/trac/-/issues/3313	If you want to learn about the technical details, read https://gitlab.torproject.org/legacy/trac/-/issues/3313.
DisableDebuggerAttachment even when running as root.	This bug in Nyx has been resolved.
man page (GENERAL OPTIONS and COMMAND-LINE OPTIONS)	This bug in Nyx has been resolved.
[WARN] Socks version 71 not recognized. (Tor is not an http proxy.)	This is caused by the Template:Kicksecurewiki function check_tor_socks_port_reachability, which verifies if a Tor SocksPort is accessible by testing it using curl. [5] If successful, it does not return a response, but it will issue a warning if it fails.
[WARN] Socks version 71 not recognized. (This port is not an HTTP proxy; did you want to use HTTPTunnelPort?)	This occurs for similar reasons to the entry above.
[WARN] Rejecting request for anonymous connection to private address [scrubbed] on a TransPort or NATDPort. Possible loop in your NAT rules?	This happens, for example, if you run curl 192.168.0.15. By default, when using curl in Whonix, it is not executed directly but rather via a uwt-wrapped (stream-isolated) version of curl. This means it does not attempt a direct connection to 192.168.0.15 but instead tries to connect through Tor, resulting in this Tor message. It indicates that the attempted operation is not feasible. To resolve this, either deactivate the curl stream isolation wrapper or use the non-wrapped version, see Stream Isolation.
[NOTICE] You configured a non-loopback address '10.152.152.10:9179' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted. [1 duplicate hidden] (Or another port number or DnsPort or TransPort.)	Tor is genuinely listening on that IP/port. It belongs to the Whonix-Gateway network interface and is only accessible from Whonix-Workstation™. This restriction is enforced by an internal network between Whonix-Workstation™(s), and Whonix-Gateway is also protected by a firewall. See /usr/bin/whonix_firewall or the Whonix source code for further details.
[NOTICE] New control connection opened. [2 duplicates hidden] (Or more duplicates.)	This is caused by Template:Kicksecurewiki's Tor Bootstrap Status Test, which utilizes Tor's ControlPort or onion-grater.
[NOTICE][NYX_WARN] The torrc differs from what Tor is using. You can issue a sighup to reload the torrc values by pressing x. Configuration value is missing from the torrc: RunAsDaemon	This is a Nyx usability bug. [6] [7]
"192.168.0.1 UNKNOWN 1 / Guard" in circuit information	This indicates that you are connecting to the Tor network using a Tor Bridge. If you are connecting directly to the public Tor network without a Tor Bridge, the real IP and Nickname of the Guard should be visible instead. [8]

Nyx Autostart[edit]

Optional.

1. Platform specific notice:

• Non-Qubes-Whonix: No special notice.
• Qubes-Whonix: Inside Template.

2. Symlink start menu entry to autostart.

sudo ln -s /usr/share/applications/gateway-nyx.desktop /etc/xdg/autostart/gateway-nyx.desktop

3. Done.

Nyx should now autostart after the next reboot.

Onion Circuits[edit]

Onion Circuits is a GTK+ application to display Tor circuits and streams. It allows the user to inspect the circuits the locally running Tor daemon has built, along with some metadata for each node.

^[9]

Onion Circuits is installed by default but is not a full Tor controller; it only displays Tor circuits. It can be launched from the start menu.

New Identity and Tor Circuits[edit]

The behavior of "New Identity" in the context of Tor Browser and nyx is often misunderstood. First, there are various ways to issue a "New Identity" (this list is not exhaustive):

• Tor Browser New Identity Function
• nyx
• tor-ctrl
• netcat

In all cases, the "New Identity" function sends the protocol command SIGNAL newnym to Tor's ControlPort.

Tor Browser's new identity function additionally clears the browser state, closes tabs, and obtains a fresh Tor circuit for future requests. ^[10]

Other Tor controllers, such as nyx, run only SIGNAL newnym.

The impact of "signal newnym" on Tor circuit lifetimes is often misunderstood. "signal newnym" ensures a fresh circuit for new connections. However, sometimes Tor only replaces the middle relay while keeping the same Tor exit relay. This behavior is by design and follows the Tor default settings. Additionally, "signal newnym" does not interfere with long-lived connections such as file downloads, website downloads, SSH, or IRC connections.

Interested readers can verify the effect of "signal newnym" as follows:

1. Open https://check.torproject.org in Tor Browser.
2. Issue "signal newnym" using nyx.
3. Reload https://check.torproject.org.
4. In some cases, it will still show the same IP address, probably because the browser did not close the connection to https://check.torproject.org in the first place.

Now, repeat this experiment with a small modification, which should result in a new Tor exit IP address:

1. Open https://check.torproject.org in Tor Browser.
2. Issue "signal newnym" using nyx.
3. Close Tor Browser, then restart it.
4. Open https://check.torproject.org again. A new Tor exit relay IP address is (likely) visible.

New identity is not an IP selection or cycling feature; it is a circuit changer, not an IP changer. Tor replaces your real external IP address with a Tor IP, but it does not easily let users pick any specific IP. Tor determines the exit IP, and Whonix does not influence this. This is unspecific to Whonix.

Forcing an IP change might be possible, but this is discouraged as per Tor Routing Algorithm. Changing the Tor configuration to select specific IPs might be possible, but this is unsupported. Users attempting this must edit the Tor configuration themselves. The exact settings required would need to be researched by the user as per the Self Support First Policy, rather than asking in Whonix forums.

tor-ctrl[edit]

tor-ctrl is installed by default.

For example, to get a new circuit, run:

tor-ctrl signal NEWNYM

The output should show:

250 OK

Repeat this command each time a new circuit is desired.

See also:

man tor-ctrl

Alternatives[edit]

Talking to the Real Tor Controller[edit]

To communicate directly with the Tor Controller, run the commands on Whonix-Gateway. If executed on Whonix-Workstation, the connection passes through the onion-grater controller proxy, which may filter some commands.

On Whonix-Gateway, test is the example password. Use a different, stronger password if desired.

tor --hash-password test

This will return an output similar to:

16:1CEAF6E6A08E0CF460AFD71772461C5F56BD9738FA8824B882FCA4A785

Open file /usr/local/etc/torrc.d/50_user.conf in a text editor of your choice, with administrative rights. Select your platform.

Add the following:

HashedControlPassword 16:1CEAF6E6A08E0CF460AFD71772461C5F56BD9738FA8824B882FCA4A785

Reload Tor.

Active: active (running) since ...

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

sudo service tor reload

To connect to Tor's Controller:

sudo -n -u debian-tor socat - UNIX-CONNECT:/var/run/tor/control

Authenticate:

authenticate "test"

A successful authentication returns:

250 OK

Test commands, such as starting logging stream events:

setevents stream

Initially, this does nothing. However, when Tor is used (e.g., running Tor Browser, APT, etc.), stream events similar to the following appear:

650 STREAM 211 NEW 0 pop.riseup.net:995 SOURCE_ADDR=10.152.152.11:47036 PURPOSE=USER
...

Whonix includes tor-ctrl, a wrapper for direct communication with Tor's controller. This simplifies authentication, socket connection, and cookie conversion to base32. While this section explains direct communication without external programs, users can accomplish the same task with:

tor-ctrl -w setevents stream

netcat[edit]

netcat is no longer required. tor-ctrl is recommended instead.

netcat provides an easy way to send Tor protocol commands to Tor's ControlPort from within Whonix-Workstation. However, for security reasons, commands are processed through onion-grater (Tor Control Protocol Filter Proxy).

250 OK

tor-prompt[edit]

On Whonix-Gateway, run:

Example of tor-prompt in non-interactive mode:

tor-prompt --no-color --run "getinfo consensus/valid-until"

Example of tor-prompt in interactive mode:

tor-prompt

This will display an introduction similar to:

Welcome to Stem's interpreter prompt. This provides you with direct access to
Tor's control interface.

This acts like a standard python interpreter with a Tor connection available
via your 'controller' variable...

  >>> controller.get_info('version')
  '0.2.5.1-alpha-dev (git-245ecfff36c0cecc)'

You can also issue requests directly to Tor...

  >>> GETINFO version
  250-version=0.2.5.1-alpha-dev (git-245ecfff36c0cecc)
  250 OK

For more information run '/help'.

>>>

To run a Tor control protocol command, such as GETINFO version, enter:

Note: Replace GETINFO version with the actual command intended to run.

GETINFO version

Expected output:

250-version=0.2.5.1-alpha-dev (git-245ecfff36c0cecc)
250 OK

Deprecated[edit]

Vidalia[edit]

Vidalia is no longer recommended because development has ceased. As a result, it has been removed from all Debian variants (stretch, sid, etc.) and was also dropped from Tor Browser Bundle v3.5 by The Tor Project. ^{[12] [13]}

Vidalia had several limitations, such as the inability to fully control Tor. For example:

• It could not stop Tor when installed via the Debian package, as Tor runs under the user "debian-tor."
• It was unable to edit /usr/local/etc/torrc.d/50_user.conf. ^[14]
• It did not support obfuscated bridges.

Since Vidalia has been deprecated and provides a poor and confusing user experience, it is best to use nyx instead. ^[15]

See Also[edit]

• tor-ctrl-observer - Tor Connection Destination Viewer

Footnotes[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!