Last update: March 17, 2019. This website uses cookies. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. More information


Controlling and Monitoring Tor

(Redirected from Arm)


Tor Controller[edit]

Arm Tor Controller

Users have two options: Arm or tor-ctrl. Both programs come pre-installed in Whonix, but Arm is recommended.

Note: Vidalia has been deprecated and is no longer packaged in Debian.


Arm Usage[edit]

Arm is recommended. It is already pre-installed on Whonix-Gateway. [1]

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Arm

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> System -> Arm

If you are using a terminal Whonix-Gateway, type.


To receive a new circuit, press:


To exit arm, press:


Arm FAQ[edit]

Message / Question Response
arm vs nyx? Previously called arm. New name will be nyx. [2]
Should any of the following Arm messages concern me? No, and below is explained why not. See also FAQ entry, Should I be concerned about... ?.
Am I compromised? Does Arm report leaks? Arm is conceptually not a tool to find out about serious issues such as compromise or leaks. [3]
Tor is preventing system utilities like netstat and lsof from working. This means that arm can't provide you with connection information. You can change this by adding 'DisableDebuggerAttachment 0' to your torrc and restarting tor. For more information see... If you want to learn about the technical details, read
DisableDebuggerAttachment even when running as root. This is a bug in arm.
man page (GENERAL OPTIONS and COMMAND-LINE OPTIONS) This is a bug in arm.
[WARN] Socks version 71 not recognized. (Tor is not an http proxy.)

This is caused by whonixcheck (by function check_tor_socks_port_reachability). It checks if a Tor SocksPort is reachable by trying to fetch it using curl. [4] It will not report anything if it worked, but would complain if it failed.

[WARN] Socks version 71 not recognized. (This port is not an HTTP proxy; did you want to use HTTPTunnelPort?) Similar to above.
[WARN] Rejecting request for anonymous connection to private address [scrubbed] on a TransPort or NATDPort. Possible loop in your NAT rules? This happens for example if you run "curl", because when you type "curl", by default in Whonix, you are not directly using curl, but a uwt wrapped (stream isolated) Stream Isolation curl. It would not try to directly connect to, but to connect to through Tor and this is what Tor is mentioning. It only means, that you attempted something, that will not work that way. Deactivate the curl stream isolation wrapper or use the non-wrapped version (see Stream Isolation).
[NOTICE] You configured a non-loopback address '' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted. [1 duplicate hidden] (Or other port number or DnsPort or TransPort.) Tor really listens on that IP/port. It is Whonix-Gateway's network interface, that is only available to Whonix-Workstations, because it is an internal network with Whonix-Workstation and because Whonix-Gateway is firewalled (see /usr/bin/whonix_firewall or in Whonix source code).
[NOTICE] New control connection opened. [2 duplicates hidden] (Or more duplicates.) This is caused by whonixcheck's Tor Bootstrap Status Test, which uses Tor's ControlPort or CPFP.
[NOTICE][ARM_WARN] The torrc differ from what tor's using. You can issue a sighup to reload the torrc values by pressing x. Configuration value is missing from the torrc: RunAsDaemon Arm usability bug. [5]
" UNKNOWN 1 / Guard" in circuit information This indicates that you are connecting to the Tor network with a Tor Bridge.

If you are directly connecting to the public Tor network (without using a Tor Bridge), you should see the real IP and Nickname of the Guard instead. [6]

Arm Footnotes[edit]

  1. Since #Vidalia is recommended against.
  3. Arm works on a different level. It is a Tor Controller. It talks to Tor using Tor's ControlPort. It is an interface to show what Tor thinks. Neither Tor nor Arm implement anything such as virus detection, compromise detection, leak detection etc. Messages by Arm are interesting and useful but usually no reason for grave concern. For leak testing, see leak tests.



On Whonix-Gateway[edit]

tor-ctrl [1] comes with Whonix by default.

Example usage to get a new circuit, on Whonix-Gateway:

tor-ctrl -a /var/run/tor/control.authcookie -c "signal newnym"

tor-ctrl -v -a /var/run/tor/control.authcookie -c "signal newnym"

See also:

man tor-ctrl

On Whonix-Workstation[edit]

Example: Get a New Identity using Whonix-Workstation Terminal[edit]

Do this every time you want a new circuit. Run tor-ctrl (installed by default) with signal newnym.

bash -x tor-ctrl -p notrequired -c "signal newnym"

If you see at the bottom of the output.

+ sendcmd signal newnym
+ echo signal newnym
+ sleep 1
+ sendcmd QUIT
+ echo QUIT
+ sleep 1
+ STR='Trying
Connected to
Escape character is '\''^]'\''.
250 OK
250 OK'
+ vecho 'Trying
Connected to
Escape character is '\''^]'\''.
250 OK
250 OK'
+ '[' 0 -ge 1 ']'
+ echo 'Trying
Connected to
Escape character is '\''^]'\''.
250 OK
250 OK'
++ grep -c '^250 '
+ '[' 2 = 3 ']'
+ exit 1

Then it succeeded. (exit 1 is a bug in tor-ctrl, because it doesn't understand the double 250 OK.)


On Whonix-Gateway.

For advanced users.

Welcome to Stem's interpreter prompt. This provides you with direct access to
Tor's control interface.

This acts like a standard python interpreter with a Tor connection available
via your 'controller' variable...

  >>> controller.get_info('version')
  ' (git-245ecfff36c0cecc)'

You can also issue requests directly to Tor...
  >>> GETINFO version                                                                                                                                                               
  250-version= (git-245ecfff36c0cecc)                                                                                                                              
  250 OK                                                                                                                                                                            
For more information run '/help'.                                                                                                                                                   


For advanced users.

A handy way to send Tor ControlPort protocol commands to Tor's ControlPort. [2]

Do once. Install netcat.

sudo apt-get install netcat-openbsd

On Whonix-Gateway or Whonix-Workstation. Connect to Tor's ControlPort. [3]

nc 9051

Example command to change your Tor circuit.

signal newnym

Should reply.

250 OK


Recommended against. Vidalia is recommended against because:

  • Vidalia is unmaintained (no one is working on it anymore).
    • Vidalia was removed from Tor Browser Bundle 3.5 by The Tor Project. [4] [5]
    • Vidalia was removed from all Debian variants (stretch, sid etc.) by Debian developers.
    • Therefore this project has ceased.
  • Vidalia has issues with controlling Tor, i.e. Vidalia can't stop the Tor which comes from the Debian package, which is started as user "debian-tor". It also can not edit /usr/local/etc/torrc.d/50_user.conf. Not sure if control commands such as New Identity are correctly processed (easy to find out).
  • Vidalia does not understand obfuscated bridges.
  • Which overall makes a pretty bad and confusing user experience. Therefore recommended against.
  • However, if it is Vidalia's nice network map you're after, that will work.

Better use #Arm.

(If you want to use Vidalia anyhow, see Vidalia.)


  2. Or depending on if you are doing this from Whonix-Workstation only to Control Port Filter Proxy.
  3. This works also on Whonix-Workstation, because the anon-ws-disable-stacked-tor package has set up rinetd listening for connections on localhost and forwarding them Tor Whonix-Gateway's, where Control Port Filter Proxy is listening.
  5. As noted by Tor developer Roger Dingledine:

    Cammy is right -- we've removed the bridge/relay/exit bundles from the download page too, since Vidalia has been unmaintained for years and pointing people to unmaintained software is dangerous. I'd love to have enough developers to do everything at once, but we don't.

This was the alternative version of this page. For the recommend version, see recommended.


Thanks to for the arm screenshot, which is under Creative Commons Attribution 3.0 United States License.; Other screenshots of Arm; Arm project page

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.

Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.

Random News:

Please help in testing new features and bug fixes in Whonix.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.