Leak Tests



In the past, Whonix ™ documentation stated "in your own interest you should do the leak tests". That was from a time when Whonix ™ was only useful for very advanced end users, because only textual instructions existed; there were no scripts, no source code, and the Whonix ™ concept was brand new. It is unrealistic to expect that all users who download Whonix ™ perform and understand the leak tests. That's why it was removed from the Readme.

You are still invited and encouraged to do the leak tests; in fact, at the moment there are probably not many people auditing Whonix ™ security.

Unfortunately, leak testing is as complicated as programming. You cannot learn it overnight, and you won't find someone online willing to teach you for free. That's really something you have to do on your own. We continue to list and document all leak tests we are aware of, but we cannot educate everyone in the depths of networking.

Knowledge assumed

Leak Testing Websites

Read first! → Browser Tests

There are too many websites for leak testing. (Some are offline.)

None of the leak testing websites running inside Whonix-Workstation ™ is able to find out the real external clearnet IP address, no matter whether plugins, Flash and/or Java are activated.

DNS Leak Tests

Deactivate host DNS

Deactivating the DNS on your host should result in nslookup no longer working on the host, while nslookup in Whonix-Workstation ™ should still be functional.

Theoretical background: Whonix-Workstation ™ requests should always be resolved by Whonix-Gateway ™. In the case of a DNS leak, the host operating system is resolving DNS queries for the Whonix-Workstation ™. Deactivating the host's DNS would then make Whonix-Workstation ™ DNS queries non-functional, and that breakage confirms a DNS leak.

Deactivate Whonix-Gateway ™ DNS

On the Whonix-Gateway ™.

Open file /etc/resolv.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

Comment out everything (put a # before every line so that everything is ignored).

As a result of this test, DNS requests in the Whonix-Workstation ™ should still work while DNS requests in the Whonix-Gateway ™ no longer work.

Using dig

Another very poor man's leak test: because Tor's DNS resolver does not handle AAAA records, this will not return any google hostnames if run on Whonix-Workstation ™ and DNS requests aren't leaking. Run:

dig AAAA

Should reply.

; <<>> DiG 9.8.1-P1 <<>> AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 42383
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;          IN      AAAA

;; Query time: 0 msec
;; WHEN: [date]
;; MSG SIZE  rcvd: 38
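
The expected reply above can be checked mechanically. This is an added example, not part of the original Whonix documentation: it parses dig's header lines and applies the page's expectation for the AAAA query (status NOTIMP with zero answers is expected, any AAAA answer suggests another resolver replied). The sample outputs, example.org, 2001:db8::1 and the function names are constructed for illustration.

```python
import re

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
COUNTS_RE = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+)")

# Constructed dig outputs; example.org and 2001:db8::1 are placeholders.
SAMPLE_TOR = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 42383
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_OTHER_RESOLVER = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1177
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.org.    300    IN    AAAA    2001:db8::1
"""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"


def parse_dig(output):
    """Extract the response status and answer count from dig's default output."""
    header = HEADER_RE.search(output)
    counts = COUNTS_RE.search(output)
    if not header or not counts:
        raise ValueError("no response header in dig output")
    return {"status": header.group(2), "answers": int(counts.group(2))}


def aaaa_verdict(output):
    """Classify an AAAA query run inside Whonix-Workstation per the page's expectation."""
    try:
        reply = parse_dig(output)
    except ValueError:
        return "inconclusive"  # no reply at all proves nothing either way
    if reply["status"] == "NOTIMP" and reply["answers"] == 0:
        return "expected"  # matches the reply the page shows for Tor's resolver
    if reply["answers"] > 0:
        return "possible leak"  # some resolver returned AAAA records
    return "inconclusive"


if __name__ == "__main__":
    for sample in (SAMPLE_TOR, SAMPLE_OTHER_RESOLVER, SAMPLE_TIMEOUT):
        print(aaaa_verdict(sample))
```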

Tor also does not support DNSSEC yet. Run:

dig +multiline . DNSKEY

It should now show DNS cryptographic keys. See example output from here.

Using nslookup


nslookup -type=mx

Should reply.


** server can't find NOTIMP


nslookup -type=AAAA

Should reply.


** server can't find NOTIMP

Leaks through the host or VM

Shut down the Whonix-Gateway ™ and start the Whonix-Workstation ™. The Whonix-Workstation ™ shouldn't be able to exchange data with any outside target.

Ping Test

First, make sure both VMs are online. Since ICMP is not supported by Tor and filtered by Whonix ™ firewall, you should not be able to ping any servers.

FIN ACK / RST ACK - Leak Test

Credit for the FIN ACK / RST ACK leak test (name coined by Whonix ™): it was originally written by Mike Perry on the tor-talk mailing list, where he found a transparent proxy leak, without reference to Whonix ™ (source). The test has been adapted for Whonix ™.

Note, the following IP points to and should be seen as an example.

On the host.

Close your browser and cease all other non-Whonix ™ online activity to avoid contaminating the following test.

Install tcpdump.

sudo apt-get update
sudo apt-get install tcpdump

Run tcpdump. Replace -i wlan0 with your network interface. If you use -i any, you will also see transproxied packets (which are not normally leaked).

sudo tcpdump -n -i wlan0 host and tcp port 80

For testing/learning, connect to (ping, open in a browser, use curl, scurl or similar) and see what it looks like when a connection to that IP is being made.

Close the connection. Stop tcpdump. Start tcpdump again.

In Whonix-Workstation ™.

Create a socket connection.


import socket

s = socket.create_connection(("", 80))

On Whonix-Gateway ™.

Stop Tor.

sudo service tor@default stop

In Whonix-Workstation ™.

Close the socket connection.


On the host.

Check that you cannot see any connections to in tcpdump.
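
The final check on the host can be done with a small parser instead of by eye. This is an added example, not part of the original Whonix documentation: it reads the text output of tcpdump -n and lists every packet exchanged with the test IP, marking FIN ACK / RST ACK teardown packets. The address 192.0.2.10, the capture lines and the name find_leaks are constructed placeholders.

```python
import re

# One-line TCP/IPv4 format printed by "tcpdump -n".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "ACK"}

# Constructed sample captures (192.0.2.10 is a placeholder test address).
SAMPLE_CLEAN = (
    "listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes\n"
)
SAMPLE_LEAK = SAMPLE_CLEAN + (
    "12:00:07.101010 IP 192.168.1.23.40112 > 192.0.2.10.80: Flags [F.], seq 1, ack 1, win 229, length 0\n"
    "12:00:07.140210 IP 192.0.2.10.80 > 192.168.1.23.40112: Flags [R.], seq 1, ack 2, win 0, length 0\n"
    "12:00:08.000000 IP 192.168.1.23.51000 > 198.51.100.7.443: Flags [S], seq 9, win 64240, length 0\n"
)


def find_leaks(capture_text, target_ip, port=80):
    """Return one dict per captured packet exchanged with target_ip:port.

    An empty list is the expected result on the host; any entry means
    packets of the test connection left the host outside Tor.
    """
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines and anything that is not TCP over IPv4
        to_target = m["dst"] == target_ip and int(m["dport"]) == port
        from_target = m["src"] == target_ip and int(m["sport"]) == port
        if not (to_target or from_target):
            continue
        leaks.append({
            "time": m["ts"],
            "direction": "out" if to_target else "in",
            "flags": " ".join(FLAG_NAMES.get(c, c) for c in m["flags"]),
            # FIN ACK and RST ACK are the teardown packets this test looks for
            "teardown": "F" in m["flags"] or "R" in m["flags"],
        })
    return leaks


if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("leak", SAMPLE_LEAK)):
        found = find_leaks(text, "192.0.2.10")
        print(name, "->", "no leak seen" if not found else found)
```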

Variations of this test:

Forum discussion:

Integrated tshark leaktest

On Whonix-Gateway ™ start looking for leaks.

You need to install the anon-gw-leaktest package.

## Login as user, open a shell as user or su user.
## /usr/bin/leaktest
sudo leaktest

On Whonix-Workstation ™ try to produce a leak.

You need to install the anon-ws-leaktest package.

## Login as user, open a shell as user or su user.
## /usr/bin/leaktest
sudo leaktest

If you are wondering how this works and what it does, the old article, Dev/Leak Tests Old, is still being kept.

  • Original article.
  • As copy and paste tutorial.
  • For better understanding with more comments.
  • Perhaps useful for similar projects.
  • Optional additional tests.

Integrated whonixcheck leaktest

Please also run whonixcheck on Whonix-Gateway ™ and Whonix-Workstation ™. whonixcheck's Tor SocksPort and Tor TransPort tests (the latter only on Whonix-Workstation ™ [1]) also perform leak testing. whonixcheck would report a big warning if it couldn't detect Tor.

whonixcheck --leak-tests

Torrent Leak Tests

UDP Leak Tests

  • Same as above.
  • Please add more to the list if you know other tests.

Other Leak Tests

Qubes specific

TemplateVM Update Proxy Leak Test

Start your Whonix-Gateway ™ TemplateVM (commonly called whonix-gw-15). [2]

In your TemplateVM.

Start downloading some big[3] package. [4] Example.

apt-get download firefox-esr

Now switch to your Whonix-Gateway ™ ProxyVM (commonly called sys-whonix) and stop Tor. [5]

sudo service tor@default stop

The expected result in the TemplateVM is a functional download that stops as soon as Tor is stopped.

Get:1 jessie/updates/main firefox-esr amd64 52.5.2esr-1~deb8u1 [44.7 MB]
Err jessie/updates/main firefox-esr amd64 52.5.2esr-1~deb8u1
  500  Unable to connect
E: Failed to fetch amd64 52.5.2esr-1~deb8u1_amd64.deb  500  Unable to connect

You can now start Tor in your Whonix-Gateway ™ ProxyVM again.

sudo service tor@default start

Repeat this test with your Whonix-Workstation ™ TemplateVM (commonly called whonix-ws-15).

See Also


  1. Because Whonix-Gateway ™ does not have a TransPort by default.
  2. Those are assumed to be torified, i.e. having their NetVM set to sys-whonix.
  3. With a small package you would not have a chance to easily and quickly disable Tor while it is downloading.
  4. Alternatively, you could also run sudo apt-get update instead of downloading a big package and interrupt that. However, it would be less conclusive, because then apt-get updating may only break due to broken DNS. A long running transfer that no longer depends on functional DNS resolution would be far easier to spot. (If the download was non-torified, it should not matter if we stop Tor during the transfer.)
  5. Alternatively, although less conclusive, instead of stopping Tor, you could also stop qubes-updates-proxy during the transfer.
    sudo service qubes-updates-proxy stop

    This should lead to the same expected result.


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
