I think I might have found a leak or something strange.

From Whonix
Jump to navigation Jump to search

This is unlikely. Here is why.

Why this is unlikely?[edit]

  • Summary: When a link to this wiki page is posted by an administrator or moderators in the Whonix forums, then there is likely no evidence your IP was leaked from inside Whonix-Workstation.
  • Fact: 12 provides reliable IP hiding. In over 12 years of history, no leaks have been reported in Whonix.
  • Invalid compromise indicator: See also Kicksecure logo Valid Compromise Indicators versus Invalid Compromise Indicators The Web Archive Onion Version .
  • Lack of required skills: Non-technical users lack the capability to find IP leaks. It requires knowledge of using packet analyzers and understanding their output or using some tool (such as a browser, command line downloader) running inside Whonix-Workstation and showing the user’s real external IP address. This requires being a sysadmin or similar. That’s just the way it is. A non-doctor lacks the capability to perform heart surgery. There is no shame in that.
  • Invalid test results: There are many Unsuitable Tests.
  • Support Request Policy:

    Whonix developers will normally only respond if they are convinced an actual technical, privacy or security-related problem has been identified. Many issues are unfortunately Out of Scope Issues.

  • Policy Rationale: Limited developer time.
  • Purpose of this wiki page: Having a wiki page that allows to quickly reply to a similar support request.
  • Lack of other reports: If this were an issue, technical users performing Leak Tests (or Security Reviews and Feedback) would have reported this already. Multiple users, among years long users, would report the same issue.
  • Research community: It seems rational to assume that there is an active research community. See anonbibarchive.org for a collection about research papers about Tor and other anonymity networks. The Full Disclosure Mailing Listarchive.org is highly active. Presumably, security researchers would be happy to collect a proverbial trophy by finding a leak in Whonix. Nowadays, security researchers like to create websites for security issues with nice descriptions and cute logos. Examples include Milk Sadarchive.org, Meltdown and Spectrearchive.org, and many others.
  • Trust based:

Realistically, users can only Trust that software works as described and intended, develop skills to undertake audits and/or pay someone to perform that task.

How to prove that there is a leak?[edit]

  • A) Use one of the available leak tests
  • B) Create your own test.

1. Find out your own external IP address.

2. Host your own leak testing server.

3. Connect to your leak testing server over clearnet (or a VM that does not use Tor).

4. Confirm from the server logs the time and IP address when you connected to your own server.

5. Run an application inside Whonix-Workstation that connects to your own server.

6.. Check if you can find a new log entry with the time and your own external IP address.

Proper Report[edit]

Unless someone can demonstrate to run a command inside Whonix-Workstation that results in showing the user’s real external IP address, there is no anonymity / routing related bug. [1]

User Alternatives[edit]

If the user believes there is an IP leak bug in Whonix, there is not much the user can do:

  • A) Become a sysadmin: Learn Linux networking.
  • B) Paid investigation: Pay a third party to investigate this issue.
  • C) Paid full security audit: Pay a third party to perform a full security audit of Whonix.
  • D) Paid conceptual review: Pay a third party to review and explain the technical design summary to the user.
  • E) Stop: Stop using Whonix.

Example Forum Threads[edit]


  1. Excluding security bugs such as a hypothetical vulnerability that breaks the virtualizer, the kernel.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!