Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Troubleshooting Installation and Network Issues with Whonix.

Introduction[edit]

• On this page you will find help for various troubleshooting topics, including general troubleshooting, connectivity troubleshooting
• You will also learn about virtual machine bug analysis, system logs and other related topics
• Please be aware that some very specific, individual problems can take a long time to research and solve. Don't expect a "magic solution" for most of these issues
• We will help you with a lot of common problems here, but also be sure to check out our Documentation and related pages.

Connectivity Troubleshooting[edit]

This chapter covers connectivity issues that you may encounter.

Introduction[edit]

• There is no general network problem analysis tool. While there are many tools and commands available for specific aspects of network diagnostics, there isn't a single built-in command for any operating system that performs a fully comprehensive, automated network analysis with one execution.
• Shortcut? There is no shortcut: Network diagnostics require a systematic approach, where each potential issue must be carefully examined and ruled out one by one. Unlike other processes that may offer quick fixes or automated solutions, network troubleshooting involves methodically testing different aspects of the network to identify the root cause of a problem. This process is inherently time-consuming. Attempting to rush through diagnostics or skipping steps can lead to incomplete or inaccurate conclusions, making the resolution process even longer. Therefore, persistence and attention to detail are essential when working through network issues, as there is no single tool or command that can automatically solve all potential problems.
  • Is there really no shortcut? There is not. While a theoretical "shortcut" might exist, it would be economically infeasible. See the footnote for details. ^[1]
• How to proceed: Please run the following checklist in the next chapter. Please ensure that you have completed all steps in this checklist. The results of each step should be included in your support request. Omitting these steps, failing to provide this information result will most likely result in unresolved connectivity issues.

```wiki

Essential Connectivity Troubleshooting Steps[edit]

In case of connectivity issues, please complete the following checklist:

Information pertaining to these points should be included in any support request or bug report. ```

RELATED state fix (regarding iptables)[edit]

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

related:

• https://forums.whonix.org/t/have-firewall-accept-icmp-fragmentation-needed/10233
• https://forums.whonix.org/t/tor-is-not-yet-fully-bootstrapped-30-done/8792/6

ICMP Fix[edit]

Using a dial-up connection? Or is Tor bootstrapping stuck at 45%?

ICMP is disabled in Whonix by default for security reasons because only a minority of users require it.

Try allowing incoming ICMP on Whonix-Gateway.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

There might be a more restricted ICMP permission but it is not implemented. Contributions welcome!

Also see this related forum discussion.

Advanced Connectivity Troubleshooting Steps[edit]

Clock Fix[edit]

Broken internet connectivity is to be expected if the clock is incorrect. At all times it is recommended to have a host clock with accuracy of up to ± 30 minutes.

Quote Whonix Post Install Advice:

To protect against time zone leaks, the system clock inside Whonix is set to UTC. This means it may be a few hours before or ahead of your host system clock. Do not change this setting!

See Manually Set Clock Time and Date.

Clearnet Connectivity Test[edit]

It is possible to check if a non-torified, non-anonyomus, direct connection to check.torproject.org is functional. <sup>[6]</sup>

On Whonix-Gateway<sup>™</sup>, run.

sudo -u clearnet UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 -H 'Host: check.torproject.org' -k https://116.202.120.181

General Virtualizer Connectivity Test[edit]

If networking is unavailable inside Whonix, start by testing the virtualizer host software as if you've never encountered Whonix. This will give you a baseline. This can be done by trying the following steps:

1 Install a Standard Virtual Machine: Install a non-Whonix operating system. This means to install an operating system in a virtual machine that does not run Whonix. A good candidate would be Debian bookworm.

2 Test Network Functionality: Test the network functionality in this freshly downloaded or created standard virtual machine.

3 DONE.

If Networking is Non-Functional:

If networking is still not functional in these standard virtual machines, then Whonix will not work either. It indicates that the problem isn't caused by to Whonix. Such issues that are unspecific to Whonix should be tackled according to these guidelines:

• In case of VirtualBox: VirtualBox Generic Bug Reproduction
• Self Support First Policy
• Generic Bug Reproduction

The user must first resolve this issue, which might require:

• Re-installation of the virtualizer.
• Rebooting the system.
• Conducting further connectivity tests.

If Networking is Functional:

If networking is functional in the standard virtual machines, then users should:

• Note that networking is working in non-Whonix VMs.
• Include this information as part of the support request or bug report for Whonix.

These steps will help ensure that the underlying network infrastructure is working correctly before troubleshooting Whonix specific issues.

Unsuitable Connectivity Troubleshooting Tools[edit]

The following tools have limited usefulness when attempting to fix connectivity issues.

• Tor Control Panel
• Anon Connection Wizard
• Others listed further below.

These tools can offer assistance for Tor configuration, either by simply enabling access to the public Tor network or by configuring Tor to use Bridges. If an internet service provider (ISP) prevents access to the public Tor network, then using these tools to configure bridges might help. If the ISP prevents access to one type of bridges or specific (such as built-in) bridges, then choosing another type and/or different bridge might help.

However, these are simple utilities that create a Tor configuration file, restart Tor, and report what the Tor software is saying about the Tor bootstrap (connection) status. These tools do not have sophisticated features to debug complex connectivity issues; they are designed to:

1. Ask for user input.
2. Create Tor configuration file.
3. Restart Tor.
4. Show Tor bootstrap status.

Constant monitoring of network issues is not implemented. For example, after the initial setup is done -- such as using Tor Control Panel for Anon Connection Wizard -- these tools do not keep supervising Tor or other parts of the system. Therefore, the Tor Control Panel message stating "Connected to the Tor network" could be stale. That was true when the tool was started, but it is not constantly monitored.

From the perspective of the Tor software, these are high-level level programming language tools developed by a third party. <sup>[7]</sup> These tools have a limited "understanding" of Tor's internals, let alone other aspects of the system configuration that might be broken. <sup>[8]</sup> When attempting to debug connectivity issues, the "lower" level must be inspected which is closer to the system, virtualizer and Tor.

sdwdate, sdwdate logs and sdwdate-gui have limited usefulness for connectivity troubleshooting. These tools might point out issues with the system time but other than that sdwdate requires an already functional Tor to be able to fetch the time from onions.

Other unsuitable connectivity troubleshooting tools include:

• Mostly: Using ping inside Whonix-Workstation<sup>™</sup>.

Other recommended steps mentioned on this page are far more promising.

Why can't I Ping the Whonix-Gateway?[edit]

The Whonix-Gateway does not respond to ping or similar commands because it is firewalled for security reasons; see /usr/bin/whonix_firewall or refer to the Whonix source code. In most cases it is unnecessary to ping the Whonix-Gateway anyhow.

If you insist on pinging the Whonix-Gateway or have a unique setup that requires it, then this can be tested by clearing all firewall rules with the dev_clearnet script. Alternatively, a script can be run to try and unload / remove every iptables rule, or the Whonix firewall can be hacked to not load at all. The latter method is only for experts and it is necessary to comment out exit 0 at the beginning.

General Troubleshooting[edit]

This chapter covers general issues that you may encounter and solution approaches.

Introduction[edit]

Troubleshooting issues can be time intensive and success cannot be guaranteed. Some users expect Whonix to provide an easy experience similar to a Windows machine. While the Whonix developers make every effort to meet user expectations, limited funding and human resources makes meeting these expectations impossible.

Even though problems emerge when using Whonix, the cause is most often unrelated to Whonix code. For example, users often report the same Whonix release worked on different hardware and/or with a different host operating system. Most software such as the host operating system or the virtualizer is developed by independent entities; this is the norm in Linux distributions. See Linux User Experience versus Commercial Operating Systems to learn more about these relationships, as well as organizational and funding issues in the Open Source ecosystem.

Essential General Troubleshooting Steps[edit]

Low RAM Issues[edit]

If insufficient RAM is available for Whonix VMs they might become unusable. Low RAM issues in Whonix are commonly caused by:

• Unnecessary processes running and/or multi-tasking on the host OS.
• Multiple, open browser tabs.
• Unnecessary processes running in the Whonix VM(s).
• Allocating more RAM to the Whonix VM than is available; this prevents the VM from booting.
• Insufficient RAM allocated to the Whonix VM(s).
• Other non-Whonix VMs running in parallel.

Insufficient RAM can cause multiple issues, but the most common effects include:

• Slow or unresponsive applications.
• The VM, mouse and/or keyboard freeze.
• Scrolling causes window staggers or jumps.
• Issues become worse when additional browser tabs or processes are spawned.
• Overall performance is poor.

To add additional RAM to the Whonix VM(s), follow the platform-specific advice below.

See also: Advice for Systems with Low RAM.

Free up Additional Memory Resources[edit]

If a VM needs additional memory, then free up resources and/or add more RAM to the VM:

• Terminate any non-essential processes on the host.
• Shut down any non-essential VMs.
• Shut down and/or close non-essential processes and browser tabs in Whonix VMs.
• Non-Qubes-Whonix only: If low memory issues emerge in Whonix-Workstation, additional resources can be freed by reducing RAM in Whonix-Gateway with rads.

Virtualizer Generic Bug Reproduction[edit]

This chapter teaches you how check virtual machines for generic bugs that have nothing to do with Whonix.

Check if other VMs are functional, such as newly created ones or those from a different vendor. If an issue is happen inside Whonix, start by testing the virtualizer host software as if you've never encountered Whonix. "Forget" about Whonix for a moment and imagine you had never heard of the platform. This will give you a baseline. This can be done by trying the following steps:

1. Install a Standard Virtual Machine: Install a non-Whonix operating system. This means to install an operating system in a virtual machine that does not run Whonix. A good candidate would be Debian bookworm.
2. Test the Feature: Test the functionality in this freshly downloaded or created standard virtual machine.

If the Feature is Non-Functional:

If the feature is still not functional in these standard virtual machines, then Whonix will not work either. It indicates that the problem isn't caused by to Whonix. Such issues that are unspecific to Whonix should be tackled according to these guidelines:

• In case of VirtualBox: VirtualBox Generic Bug Reproduction
• Self Support First Policy
• Generic Bug Reproduction

The user must first resolve this issue, which might require:

• Re-installation of the virtualizer.
• Rebooting the system.
• Conducting further tests.
• Reading upstream documentation.
• Contacting upstream support.

If the Feature is Functional:

If feature is functional in the standard virtual machines, then users should:

• Note that the feature is working in non-Whonix VMs.
• Include this information as part of the support request or bug report for Whonix.

These steps will help ensure that the underlying feature is working correctly before troubleshooting Whonix specific issues.

System Logs[edit]

Use the system logs to your advantage.

<sup>[10]</sup>

Check Systemd Journal Log of Current Boot[edit]

To inspect the systemd journal log of the current boot, run.

sudo journalctl -b

This command requires pressing arrow keys like ↑, ↓, ←, →, as well as PgUp and PgDn for scrolling.

For convenient reading of the log (until the command is issued), the log can be dumped to file. For example, the following command would write the log to file ~/systemd-log.

sudo journalctl -b > ~/systemd-log

Use any available editor to read the log file, such as mousepad.

mousepad ~/systemd-log

Watch Systemd Journal Log of Current Boot[edit]

It is possible to to watch the systemd journal log as it is written.

sudo journalctl -b -f

Check Systemd Journal Log of Previous Boot[edit]

sudo journalctl -b -1

This command requires pressing arrow keys like ↑, ↓, ←, →, as well as PgUp and PgDn for scrolling.

For convenient reading of the log (until the command is issued), the log can be dumped to file. For example, the following command would write the log to file ~/systemd-log-previous.

sudo journalctl -b -1 > ~/systemd-log-previous

Use any available editor to read the log file, such as mousepad.

mousepad ~/systemd-log-previous

View List of Systemd Journal Logs[edit]

sudo journalctl --list-boots

Daemon Log View[edit]

To view the log of a specific systemd unit. Syntax:

(Replace unit-name with the actual name of the systemd unit.)

sudo journalctl -b --no-pager -u unit-name

Example:

sudo journalctl -b --no-pager -u sdwdate

Daemon Log Follow[edit]

To follow the log of a specific systemd unit. Syntax:

(Replace unit-name with the actual name of the systemd unit.)

sudo journalctl -f -b --no-pager -u unit-name

Example:

sudo journalctl -f -b --no-pager -u sdwdate

Daemon Status[edit]

To view the status of a specific systemd unit. Syntax:

(Replace unit-name with the actual name of the systemd unit.)

sudo systemctl status --no-pager unit-name

Example:

sudo systemctl status --no-pager sdwdate

Check Systemd Journal Log of Failed Boot[edit]

An alternative to recovery mode might be virtual consoles, since they are an easier and more lightweight solution. A virtual console login might still be possible when the graphical user interface no longer starts.

Prerequisite knowledge: Virtual Consoles. Try to log in to a virtual console in a functional VM as an exercise. If that works, try a virtual console login in the broken VM.

If a virtual console is unavailable:

1. Boot into Recovery Mode.
2. Reboot into normal mode so a log for the failed boot will be written (if not previously enabled).
3. Boot into recovery mode again.
4. Check Systemd Journal Log of Previous Boot.

Permission Fix[edit]

Fix permissions that might not be set correctly.

Open a terminal.

sudo chown --recursive user:user /home/user

Hardware Issues[edit]

These are hardware issue that you may encouter.

General Recommendations[edit]

Rhetorical questions:

• When was the last time a qualified person disassembled your computer/notebook and removed dust from the fan and checked the cooling system of the CPU?
• How often should maintenance be performed?
• What is your CPU temperature under heavy system load?
• What is the room temperature where the computer is operating?
• What is your hard drive's health status?

Recommendations:

• Ensure your computer or notebook has regular, proper maintenance.
• Monitor CPU temperature by utilizing relevant host operating system tools.
• Consider cooling the room where computers/notebooks operate.
• Better placement (more air space) around computers or notebooks can help.
• Consider a passive or active (notebook) cooling pad. <sup>[11]</sup>
• Run memtest86+ to rule out RAM problems.
• Run gsmartcontrol to rule out hard drive defects.

None of these issues are related to Whonix. Therefore, please do not ask these questions in Whonix support channels (until there is a Whonix-Host operating system) as per Self Support First Policy.

memtest86+[edit]

gsmartcontrol[edit]

See Also[edit]

• Advice for Systems with Low RAM
• VirtualBox Troubleshooting
• KVM Troubleshooting
• Qubes-Whonix<sup>™</sup> Troubleshooting
• Recovery Mode
• System Recovery using SysRq Key
• Core Dumps

Footnotes[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!