Jump to: navigation, search

Tor Controller

Controlling and Monitoring Tor


Tor Controller[edit]

arm, Tor Controller

There are three options: #Arm, #tor-ctrl or #Vidalia. #Arm and #tor-ctrl are already pre-installed on Whonix.

#Arm is recommended.


Arm Usage[edit]

Arm is recommended. It's already pre-installed on Whonix-Gateway. [1]

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Arm

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Arm

If you are using a terminal Whonix-Gateway, type:


To get a new circuit, press:


To exit arm, press:


Arm FAQ[edit]

message / question answer
arm vs nyx? Previously called arm. New name will be nyx. [2]
Should any of the following Arm messages concern me? No, and below is explained why not. See also FAQ entry, Should I be concerned about... ?.
Am I compromised? Does Arm report leaks? Arm is conceptually not a tool to find out about serious issues such as compromise or leaks. [3]
Tor is preventing system utilities like netstat and lsof from working. This means that arm can't provide you with connection information. You can change this by adding 'DisableDebuggerAttachment 0' to your torrc and restarting tor. For more information see... https://trac.torproject.org/3313 If you want to learn about the technical details, read https://trac.torproject.org/3313.
DisableDebuggerAttachment even when running as root. This is a bug in arm.
man page (GENERAL OPTIONS and COMMAND-LINE OPTIONS) This is a bug in arm.
[WARN] Socks version 71 not recognized. (Tor is not an http proxy.)

This is caused by whonixcheck (by function check_tor_socks_port_reachability). It checks if a Tor SocksPort is reachable by trying to fetch it using curl. [4] It will not report anything if it worked, but would complain if it failed.

[WARN] Rejecting request for anonymous connection to private address [scrubbed] on a TransPort or NATDPort. Possible loop in your NAT rules? This happens for example if you run "curl", because when you type "curl", by default in Whonix, you are not directly using curl, but a uwt wrapped (stream isolated) Stream Isolation curl. It would not try to directly connect to, but to connect to through Tor and this is what Tor is mentioning. It only means, that you attempted something, that will not work that way. Deactivate the curl stream isolation wrapper or use the non-wrapped version (see Stream Isolation).
[NOTICE] You configured a non-loopback address '' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted. [1 duplicate hidden] (Or other port number or DnsPort or TransPort.) Tor really listens on that IP/port. It is Whonix-Gateway's network interface, that is only available to Whonix-Workstations, because it is an internal network with Whonix-Workstation and because Whonix-Gateway is firewalled (see /usr/bin/whonix_firewall or in Whonix source code).
[NOTICE] New control connection opened. [2 duplicates hidden] (Or more duplicates.) This is caused by whonixcheck's Tor Bootstrap Status Test, which uses Tor's ControlPort or CPFP.
[NOTICE][ARM_WARN] The torrc differ from what tor's using. You can issue a sighup to reload the torrc values by pressing x. Configuration value is missing from the torrc: RunAsDaemon Arm usability bug. [5]

This was the recommended version of this page. For more, see alternatives.



On Whonix-Gateway[edit]

tor-ctrl [6] comes with Whonix by default.

Example usage to get a new circuit, on Whonix-Gateway:

tor-ctrl -a /var/run/tor/control.authcookie -c "signal newnym"

tor-ctrl -v -a /var/run/tor/control.authcookie -c "signal newnym"

See also:

man tor-ctrl

On Whonix-Workstation[edit]

Example: Get a New Identity using Whonix-Workstation Terminal[edit]

Do this every time you want a new circuit. Run tor-ctrl (installed by default) with signal newnym.

bash -x tor-ctrl -p notrequired -c "signal newnym"

If you see at the bottom of the output.

+ sendcmd signal newnym
+ echo signal newnym
+ sleep 1
+ sendcmd QUIT
+ echo QUIT
+ sleep 1
+ STR='Trying
Connected to
Escape character is '\''^]'\''.
250 OK
250 OK'
+ vecho 'Trying
Connected to
Escape character is '\''^]'\''.
250 OK
250 OK'
+ '[' 0 -ge 1 ']'
+ echo 'Trying
Connected to
Escape character is '\''^]'\''.
250 OK
250 OK'
++ grep -c '^250 '
+ '[' 2 = 3 ']'
+ exit 1

Then it succeeded. (exit 1 is a bug in tor-ctrl, because it doesn't understand the double 250 OK.)


On Whonix-Gateway.

For advanced users.

Welcome to Stem's interpreter prompt. This provides you with direct access to
Tor's control interface.

This acts like a standard python interpreter with a Tor connection available
via your 'controller' variable...

  >>> controller.get_info('version')
  ' (git-245ecfff36c0cecc)'

You can also issue requests directly to Tor...
  >>> GETINFO version                                                                                                                                                               
  250-version= (git-245ecfff36c0cecc)                                                                                                                              
  250 OK                                                                                                                                                                            
For more information run '/help'.                                                                                                                                                   


For advanced users.

A handy way to send Tor ControlPort protocol commands to Tor's ControlPort. [7]

Do once. Install netcat.

sudo apt-get install netcat-openbsd

On Whonix-Gateway or Whonix-Workstation. Connect to Tor's ControlPort. [8]

nc 9051

Example command to change your Tor circuit.

signal newnym

Should reply.

250 OK


Recommended against.[9] Better use #Arm.

(If you want to use Vidalia anyhow, see Vidalia.)


  1. Since #Vidalia is recommended against.
  2. http://tor.stackexchange.com/tags/nyx/info
  3. Arm works on a different level. It's a Tor Controller. It talks to Tor using Tor's ControlPort. It's an interface to show what Tor thinks. Neither Tor nor Arm implement anything such as virus detection, compromise detection, leak detection etc. Messages by Arm are interesting and useful but usually no reason for grave concern. For leak testing, see leak tests.
  5. https://trac.torproject.org/projects/tor/ticket/16459
  6. https://github.com/Whonix/tor-ctrl
  7. Or depending on if you are doing this from Whonix-Workstation only to Control Port Filter Proxy.
  8. This works also on Whonix-Workstation, because the anon-ws-disable-stacked-tor package has set up rinetd listening for connections on localhost and forwarding them Tor Whonix-Gateway's, where Control Port Filter Proxy is listening.
  9. Vidalia is recommended against, because:
    • Vidalia is unmaintained (no one is working on it anymore).
      • Vidalia has been removed from Tor Browser Bundle 3.x by The Tor Project.
      • Vidalia has been removed from Debian jessie by the Debian developers.
      • So this project is dead.
    • Vidalia has issues with controlling Tor, i.e. Vidalia can't stop the Tor which comes from the Debian package, which is started as user "debian-tor". It also can not edit /etc/tor/torrc. Not sure if control commands such as New Identity are correctly processed (easy to find out).
    • Vidalia does not understand obfuscated bridges.
    • Which overall makes a pretty bad and confusing user experience. Therefore recommended against.
    • However, if it's Vidalia's nice network map you're after, that will work.

This was the alternative version of this page. For the recommend version, see recommended.


Thanks to torproject.org for the arm screenshot, which is under Creative Commons Attribution 3.0 United States License.; Other screenshots of Arm; Arm project page

Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, the content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.