
Dev/Leak Tests



In the past, the Whonix documentation stated "in your own interest you should do the leak tests". That dates from a time when Whonix was only useful for very advanced end users, because only textual instructions existed; there were no scripts, no source code, and the Whonix concept was brand new. It is unrealistic to expect that everyone who downloads Whonix will do and understand the leak tests. That is why the sentence was removed from the Readme.

You are still invited and encouraged to do the leak tests; in fact, at the moment there are probably not many people auditing Whonix security.

Unfortunately, leak testing is as complicated as programming. You cannot learn it overnight, and you will not find someone online willing to teach you for free. It is really something you have to work through on your own. We continue to list and document all leak tests we are aware of, but we cannot educate everyone in the depths of networking.

Knowledge assumed

Leak Testing Websites

There are too many websites for leak testing. (Some are offline.)

None of the leak testing websites was able to find out the IP of Whonix-Workstation, no matter whether plugins, Flash and/or Java were activated.

DNS Leak Tests


Defunct host DNS

Rendering the DNS on your host defunct should result in nslookup no longer working on the host, while Whonix-Workstation's DNS should still be functional.

Defunct /etc/resolv.conf

On the Whonix-Gateway execute 'sudo nano /etc/resolv.conf' and comment out everything (put a # in front of every line so that all of it is ignored).


As a result, DNS requests in the Whonix-Workstation should still work, while DNS requests on the Whonix-Gateway no longer work.

Using dig

Another very poor man's leak test: because Tor's DNS resolver does not handle AAAA records, this query will not return any AAAA records if it is run on Whonix-Workstation and DNS requests are not leaking. Running:

dig AAAA check.torproject.org

Should reply with:

; <<>> DiG 9.8.1-P1 <<>> AAAA check.torproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 42383
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;check.torproject.org.          IN      AAAA

;; Query time: 0 msec
;; WHEN: [date]
;; MSG SIZE  rcvd: 38

Tor also does not support DNSSEC yet. Running:

dig +dnssec check.torproject.org @localhost

Should reply with:

; <<>> DiG 9.8.1-P1 <<>> +dnssec check.torproject.org @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

Using nslookup


nslookup -type=mx check.torproject.org

Should reply with:


** server can't find check.torproject.org: NOTIMP


nslookup -type=AAAA check.torproject.org

Should reply with:


** server can't find check.torproject.org: NOTIMP
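The dig and nslookup checks above all rely on reading the resolver's reply by eye. The following POSIX sh helper, an added example that is not part of the Whonix wiki or the Whonix project's own scripts, classifies such output so the three queries can be run and judged in one go; the sample outputs in the test are constructed from the replies shown above plus one constructed "answer came back" case.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki). Tor's resolver answers AAAA,
# MX and DNSSEC queries with NOTIMP and zero answers, or nothing answers
# at all. Real answer records coming back mean the query did not go
# through Tor's DNS, which is what a DNS leak looks like here.

# classify_dns_output: reads dig or nslookup output on stdin and prints
# exactly one token:
#   ok-notimp      status NOTIMP / "server can't find ...: NOTIMP"
#   ok-unreachable "connection timed out; no servers could be reached"
#   leak-suspect   ANSWER count greater than zero (inspect the records)
#   unknown        anything else (inspect manually)
# Always exits 0 so it can be used inside $(...) under set -e.
classify_dns_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo ok-unreachable; return 0
    fi
    if printf '%s\n' "$out" | grep -q "server can't find .*: NOTIMP"; then
        echo ok-notimp; return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ "${answers:-0}" -gt 0 ]; then
        echo leak-suspect; return 0
    fi
    if [ "$status" = NOTIMP ]; then
        echo ok-notimp; return 0
    fi
    echo unknown
}

# run_dns_leak_checks: live run of the three queries from this page
# (needs dig and nslookup installed in Whonix-Workstation).
run_dns_leak_checks() {
    printf 'dig AAAA:      %s\n' "$(dig AAAA check.torproject.org 2>&1 | classify_dns_output)"
    printf 'dig +dnssec:   %s\n' "$(dig +dnssec check.torproject.org @localhost 2>&1 | classify_dns_output)"
    printf 'nslookup MX:   %s\n' "$(nslookup -type=mx check.torproject.org 2>&1 | classify_dns_output)"
}

# Only touch the network when explicitly asked: RUN_LIVE=1 sh leakcheck.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_dns_leak_checks
fi
```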

Leaks through the host or VM

Shut down the Whonix-Gateway and start the Whonix-Workstation. The Whonix-Workstation shouldn't be able to exchange data with any outside target.

Ping Test

First, make sure both VMs are online. Since ICMP is not supported by Tor and is filtered by the Whonix firewall, you should not be able to ping any servers.

FIN ACK / RST ACK - Leak Test

Credit for the FIN ACK / RST ACK leak test (the name was coined by Whonix): it was originally written by Mike Perry on the tor-talk mailing list, where he described a transparent proxy leak without any reference to Whonix. (source) The test has been adapted for Whonix.

Note: the following IP points to www.google.com and should be seen only as an example.

On the host.

Close your browser and cease all other non-Whonix online activity to avoid contaminating the following test.

Install tcpdump.

sudo apt-get update
sudo apt-get install tcpdump

Run tcpdump. Replace -i wlan0 with your network interface. If you use -i any, you will also see transproxied packets (which are not normally leaked).

sudo tcpdump -n -i wlan0 host and tcp port 80

For testing/learning, connect to the IP (ping it, open it in a browser, use wget or similar) and see what it looks like in tcpdump when a connection to that IP is being made.

Close the connection. Stop tcpdump. Start tcpdump again.

In Whonix-Workstation.

Create a socket connection.


import socket

# Replace the empty string with the example IP mentioned above.
s = socket.create_connection(("", 80))

On Whonix-Gateway.

Stop Tor.

sudo service tor stop

In Whonix-Workstation.

Close the socket connection.


On the host.

Check that you cannot see any connections to the IP in tcpdump.
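Instead of scanning the tcpdump output by eye, the host-side check can be piped through a small filter. The POSIX sh/awk function below is an added example, not part of the Whonix wiki or of Whonix; the target IP 198.51.100.10 and the capture lines in the test are constructed placeholders standing in for the example IP above.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki). Reads `tcpdump -n` text on
# stdin and reports every TCP segment to or from TARGET_IP together with
# its flags. After Tor is stopped on Whonix-Gateway and the workstation
# socket is closed, a FIN/ACK or RST/ACK to the real destination showing
# up here on the host would be the leak this test is looking for.
#
# Live use on the host (root needed; -l makes tcpdump line-buffered):
#   sudo tcpdump -n -l -i wlan0 host 198.51.100.10 | scan_tcpdump_for_leaks 198.51.100.10
#
# scan_tcpdump_for_leaks TARGET_IP
#   prints one "LEAK src -> dst flags=..." line per matching packet and
#   a final "leaked_packets=N" summary line (N is 0 when nothing leaked).
scan_tcpdump_for_leaks() {
    awk -v target="$1" '
        # tcpdump -n lines look like:
        # 12:00:00.000001 IP 192.0.2.5.40000 > 198.51.100.10.80: Flags [F.], ...
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            shost = src; dhost = dst
            # drop the trailing .PORT to compare plain IPv4 addresses
            sub(/\.[0-9]+$/, "", shost); sub(/\.[0-9]+$/, "", dhost)
            if (shost == target || dhost == target) {
                flags = "?"
                if (match($0, /Flags \[[A-Za-z.]*\]/))
                    flags = substr($0, RSTART + 7, RLENGTH - 8)
                printf "LEAK %s -> %s flags=%s\n", src, dst, flags
                n++
            }
        }
        END { printf "leaked_packets=%d\n", n + 0 }'
}
```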

Variations of this test:

Forum discussion:

Integrated tshark leaktest

The necessary scripts for leak testing are now integrated into the Whonix machines.

On Whonix-Gateway start looking for leaks.

## Log in as user, open a shell as user or su user.
## /usr/bin/leaktest
sudo leaktest

On Whonix-Workstation try to produce a leak.

## Log in as user, open a shell as user or su user.
## /usr/bin/leaktest
sudo leaktest

If you are wondering how this works and what it does, the old article, Dev/Leak Tests Old, is still kept:

  • Original article.
  • As copy and paste tutorial.
  • For better understanding with more comments.
  • Perhaps useful for similar projects.
  • Optional additional tests.

Integrated whonixcheck leaktest

Please also run whonixcheck on Whonix-Gateway and Whonix-Workstation. Its Tor SocksPort and Tor TransPort tests (the latter only on Whonix-Workstation [1]) also do leak testing. whonixcheck reports a big warning if check.torproject.org cannot detect Tor.

Other Leak Tests

A similar project published another leak test. Read How can I test if there is a leak in the setup respectively all traffic goes through Tor?. It has not been tested with Whonix yet. If you do it, please share your results.

Qubes specific

TemplateVM Update Proxy Leak Test

Start your Whonix-Gateway TemplateVM (commonly called whonix-gw). [2]

In your TemplateVM.

Start downloading some big[3] package. [4] Example:

apt-get download iceweasel

Now switch to your Whonix-Gateway ProxyVM (commonly called sys-whonix) and stop Tor. [5]

sudo service tor stop

The expected result in the TemplateVM is a functional download that stops as soon as Tor is stopped:

Get:1 http://security.debian.org/ jessie/updates/main iceweasel amd64 38.4.0esr-1~deb8u1 [39.3 MB]
Err http://security.debian.org/ jessie/updates/main iceweasel amd64 38.4.0esr-1~deb8u1
  500  Unable to connect
E: Failed to fetch http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_38.4.0esr-1~deb8u1_amd64.deb  500  Unable to connect

You can now start Tor in your Whonix-Gateway ProxyVM again.

sudo service tor start

Repeat this test with your Whonix-Workstation TemplateVM (commonly called whonix-ws).

See Also


  1. Because Whonix-Gateway does not have a TransPort by default.
  2. Those are assumed to be torified, i.e. having their NetVM set to sys-whonix.
  3. With a small package you would not have a chance to easily and quickly disable Tor while it's downloading.
  4. Alternatively, you could also run sudo apt-get update instead of downloading a big package, and interrupt that. However, it would be less conclusive, because then apt-get update may break only due to broken DNS. A long-running transfer that no longer depends on functional DNS resolution is far easier to judge. (If the download were non-torified, stopping Tor during the transfer would make no difference.)
  5. Alternatively, although less conclusive, instead of stopping Tor you could also stop qubes-updates-proxy during the transfer.
    sudo service qubes-updates-proxy stop
    This should lead to the same expected result.


Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.