Last update: March 17, 2019.




Whonix requires a critical mass of users to properly test planned updates by enabling the stable-proposed-updates or testers repository. [1] Otherwise, bugs might go undiscovered and be inadvertently introduced into the stable repository.

To ensure a stable Whonix system is available at all times, willing testers should:

Please only report bugs after first searching relevant Whonix forums and developer portals for the problem.

Whonix-Gateway and Whonix-Workstation


Check for systemd ordering cycles. There should be none.

sudo journalctl | cat | grep -i "ordering cycle"

Check locale.


Check if there are any DENIED messages from AppArmor inside /var/log/syslog

sudo cat /var/log/audit/audit.log | grep DENIED

Install dpkg-dev, which is required for dpkg-vendor.

sudo apt-get install --no-install-recommends dpkg-dev

Run dpkg-vendor --query vendor.

dpkg-vendor --query vendor

The output must be "Whonix".

Check apt config and see if periodic updates are disabled.

apt-config dump
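
The ordering-cycle, AppArmor and apt-config checks above produce raw output that still has to be read by eye. The following added example (not part of the Whonix wiki or of Whonix itself) wraps them in pass/fail helpers; the function names are hypothetical, the sample lines are constructed, and it assumes that an APT::Periodic value of "0" means the periodic job is disabled.

```shell
#!/bin/sh
# Helpers read the relevant command output on stdin, for example:
#   sudo journalctl | ordering_cycles
#   sudo cat /var/log/audit/audit.log | apparmor_denied_by_profile
#   apt-config dump | apt_periodic_enabled

# Number of systemd ordering-cycle messages (expected: 0).
ordering_cycles() {
    grep -ci 'ordering cycle' || true
}

# "<count> <profile>" per AppArmor profile with DENIED events (expected: none).
apparmor_denied_by_profile() {
    grep -F 'apparmor="DENIED"' |
        sed -n 's/.* profile="\([^"]*\)".*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# APT::Periodic keys whose value is not "0" (assumption: "0" means disabled).
apt_periodic_enabled() {
    awk -F'"' '/^APT::Periodic::/ && $2 != "0" && $2 != "" {
        sub(/ +$/, "", $1); print $1 "=" $2 }'
}

# Constructed sample inputs (not real output from a Whonix system).
sample_journal() {
    cat <<'EOF'
Mar 17 12:00:00 host systemd[1]: Found ordering cycle on basic.target/start
Mar 17 12:00:01 host systemd[1]: Started Example Service.
EOF
}
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1552824000.100:10): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=100 comm="example"
type=AVC msg=audit(1552824001.100:11): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/other.conf" pid=100 comm="example"
type=AVC msg=audit(1552824002.100:12): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=101 comm="other"
EOF
}
sample_apt() {
    cat <<'EOF'
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
}

echo "ordering cycles: $(sample_journal | ordering_cycles)"
sample_audit | apparmor_denied_by_profile
sample_apt | apt_periodic_enabled
```

Any non-zero cycle count, any listed profile, or any listed APT::Periodic key is a finding worth reporting.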

Install a new kernel for testing purposes.


Check the content of /etc/network/interfaces

cat /etc/network/interfaces

Check the content of /etc/resolv.conf

cat /etc/resolv.conf

Check /etc/apt/sources.list

cat /etc/apt/sources.list

Check iptables.

sudo iptables --list


sudo iptables-save-deterministic

Reboot from terminal while X is running.

Switch to terminal.


sudo reboot

No errors such as "failed to kill service" should appear.

Extra Tests

Check if aptitude is functional.

sudo aptitude update

See the footnotes if additional manual tests are preferred. [2] [3]

Test the re-installation of x11-common.

sudo apt-get install --reinstall x11-common


Non-Qubes-Whonix only:

Check kdm stops and restarts correctly.

sudo service kdm stop

sudo service kdm start

Whonix-Gateway Tests

Tor Tests

Check the Tor version.


Check the obfsproxy version; it must include obfs4. [4]

obfsproxy -h

Check Tor logs.

less /var/log/tor/log

Check Tor warnings.

grep warn /var/log/tor/log

The message [warn] Socks version 71 not recognized. (Tor is not an http proxy.) can be safely ignored.

Clock Skew

Check for clock skew.

grep clock /var/log/tor/log
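
The two grep checks above can be combined into a single triage pass that drops the ignorable Socks warning and collapses repeated messages. This is an added example, not code from the Whonix project; the function names are hypothetical and the sample log lines are constructed (192.0.2.1 is a documentation address).

```shell
#!/bin/sh
# Triage a Tor log file, e.g.: tor_log_verdict /var/log/tor/log

IGNORABLE='Socks version 71 not recognized'   # listed above as safe to ignore

# Unique [warn] messages with counts; timestamps stripped, ignorable one dropped.
tor_actionable_warnings() {
    grep -F '[warn]' "$1" | grep -vF "$IGNORABLE" |
        sed 's/^.*\[warn] //' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Lines that mention the clock (the "grep clock" check, case-insensitive).
tor_clock_lines() {
    grep -i 'clock' "$1" || true
}

# One-line verdict: warns=<unique warnings> clock=<lines> result=<clean|review>
tor_log_verdict() {
    w=$(tor_actionable_warnings "$1" | wc -l | tr -d ' ')
    c=$(tor_clock_lines "$1" | wc -l | tr -d ' ')
    if [ "$w" -eq 0 ] && [ "$c" -eq 0 ]; then r=clean; else r=review; fi
    echo "warns=$w clock=$c result=$r"
}

# Constructed sample log (not real output from a Whonix-Gateway).
write_sample_tor_log() {
    cat > "$1" <<'EOF'
Mar 17 12:00:01.000 [notice] Bootstrapped 100%: Done
Mar 17 12:00:05.000 [warn] Socks version 71 not recognized. (Tor is not an http proxy.)
Mar 17 12:01:00.000 [warn] Received NETINFO cell with skewed time (OR:192.0.2.1:9001): It seems that our clock is behind by 2 hours, 3 minutes, or that theirs is ahead.
Mar 17 12:02:00.000 [warn] Received NETINFO cell with skewed time (OR:192.0.2.1:9001): It seems that our clock is behind by 2 hours, 3 minutes, or that theirs is ahead.
EOF
}

sample=$(mktemp)
write_sample_tor_log "$sample"
tor_log_verdict "$sample"
tor_actionable_warnings "$sample"
rm -f "$sample"
```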


Test if arm is fully functional.


Test if arm's New Identity function is working.



After logging in, the Whonix help/welcome/disclaimer message should appear.


Test obfsproxy bridge connectivity is functional.


Check /var/log/syslog for AppArmor error messages.

grep DENIED /var/log/syslog

Whonix-Workstation Tests

Basic Tests

Ping the Whonix-Gateway; this will not work.

# You will not be able to ping the Whonix-Gateway,
# because ICMP is blocked by the firewall.
# If you want to test it, you have to adjust the firewall,
# or to deactivate the firewall while testing.


Power off Whonix-Gateway. Try to ping outside or to use the browser in Whonix-Workstation. Obviously, this should NOT work.


Power on Whonix-Gateway again. Visit with Tor Browser. You should see a “Congratulations”.


Use a Tor Browser to visit a .onion address (Try the onion service)


Test Tor Button's New Identity Feature.


Note: Ping commands should NOT work for external addresses from your Whonix-Workstation. ICMP traffic [5] is not proxied and is filtered by Whonix's firewall (/usr/bin/whonix_firewall), because Tor does not support UDP.


dig must return only a single IP; compare with the output on Whonix-Gateway or the host.


Test gpg. Example.

gpg --keyserver --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

Test curl uwt wrapper.

curl http://idnxcnkne4qt76tg.onion

whonixcheck --leak-tests


Set up an onion service on Whonix-Gateway and test if it works. You can access your own test onion service using Tor Browser.


See if whonixcheck gets autostarted.


Test HexChat: connect to an SSL-protected IRC server.


Test HexChat: connect to a hidden IRC server.


Install lighttpd.

sudo apt-get install lighttpd

Restart lighttpd.

sudo service lighttpd restart

Try to download the local index.html.



cat index.html

Let's check if git is working. A good testing target would be a hidden git server. Therefore, check if Gittor is online by visiting its list of public Gittor repositories. Test it.

git clone http://wzrtr6gpencksu3d.onion/gitlab/w00t/pgp-auth.git

Check if regular git servers are reachable as well.

git clone

Default Browser

Quick Launcher

Check if the Tor Browser quick launcher (fav icon) next to the start menu button is visible and startable.

Text Links

1. Open Konsole.

2. Run the following command.


3. Right click on the echoed link and choose open link.

4. Check if it asks for confirmation to open that file in Tor Browser. Check that nothing happens when pressing No (which should be the default!) and that a new Tor Browser window opens when pressing Yes.

File Links

1. Create a file ~/test.html with the following content.


2. Open Dolphin (default file manager) and double click on that file.

3. Check if it asks for confirmation to open that file in Tor Browser.

Terminal Tests

1. Open Konsole.

2. Run the following command.


3. Check if it asks for confirmation to open that file in Tor Browser.

4. Check the same for.


5. Check the same for.


6. Check the same for.


7. Next, remove open-link-confirmation.

sudo apt-get remove open-link-confirmation

And repeat the tests above.


Leak Tests

See Dev/Leak Tests.


  1. The developers repository is only recommended for experts or those in touch with Whonix developers.
  2. These checks are not as important because relevant messages would probably be shown during sudo systemctl list-units --failed. Check if /var/run/bootclockrandomization/success exists.
    ls -la /var/run/bootclockrandomization/success
    Check the boot clock randomization log.
    cat /var/log/bootclockrandomization.log
    sudo service bootclockrandomization status
    echo $?
    Check if /var/run/timesanitycheck/success exists.
    ls -la /var/run/timesanitycheck/success
    Inspect the time sanity check log.
    cat /var/log/timesanitycheck.log
    Confirm the time sanity check status.
    sudo service timesanitycheck status
    echo $?
  3. These checks are not as important because sdwdate-gui would likely identify any issues beforehand. Check if /var/run/sdwdate/success exists.
    ls -la /var/run/sdwdate/success
    Check the sdwdate log.
    cat /var/log/sdwdate.log
    Check the sdwdate status.
    sudo service sdwdate status
    echo $?
  6. Obsolete because of whonixcheck --leak-tests. Test curl through TransPort.
    UWT_DEV_PASSTHROUGH=1 curl http://idnxcnkne4qt76tg.onion

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself.