
Can't connect Gateway to tor.

I’m trying to connect Gateway (Qemu/KVM) from Russia. I am using the same bridges that I use for the tor browser on the host machine, other VMs work perfectly fine. I haven’t changed the timezone, it’s set to UTC.
Here’s the output of systemcheck:

[INFO] [systemcheck] Tor Connection Result:

  • Connecting for 70 seconds. | 30 % done.
  • Tor Circuit: not established.
  • Tor reports: WARN BOOTSTRAP PROGRESS=30 TAG=loading_status SUMMARY=“Loading networkstatus consensus” WARNING=“Connection timed out” REASON=TIMEOUT COUNT=148 RECOMMENDATION=warn
  • Timesync status: not done.
  • sdwdate reports: Preparation not done yet.

Sdwdate log:
/usr/bin/whonix-gateway-firewall - OK: Loading Whonix firewall…
/usr/bin/whonix-gateway-firewall - OK: Skipping firewall mode detection since already set to ‘full’.
audit: type=1400 audit(1667227101.376:4): apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/sdwdate" pid=253 comm=“apparmor_parser”
audit: type=1400 audit(1667227101.536:6): apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“bootclockrandomization” pid=255 comm=“apparmor_parser”
audit: type=1400 audit(1667227101.928:11): apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/whonix_firewall" pid=262 comm=“apparmor_parser”
AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/sdwdate" pid=253 comm=“apparmor_parser”
AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“bootclockrandomization” pid=255 comm=“apparmor_parser”
AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/whonix_firewall" pid=262 comm=“apparmor_parser”
AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/libexec/whonix-firewall/**" pid=262 comm=“apparmor_parser”
/usr/bin/whonix-gateway-firewall - OK: (Full torified network access allowed.)
Finished Notify sdwdate-gui on gateway about shutdown…

  • addgroup sdwdate systemd-journal
    The user sdwdate' is already a member of systemd-journal’.
  • gcc /usr/libexec/sdwdate/sclockadj.c -o /usr/libexec/sdwdate/sclockadj -ldl -D_GNU_SOURCE -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -Wl,-z,now
    /usr/bin/whonix-gateway-firewall - OK: Whonix firewall loaded.
    Finished Whonix firewall loader.
    Started Whonix firewall watcher.
    sdwdate - INFO - sdwdate started. PID: 775
    sdwdate - INFO - Tor socks host: [127.0.0.1] Tor socks port: 9108
    sdwdate - INFO - Running sdwdate main loop. iteration: 1 / 10000
    sdwdate - INFO - PREPARATION:
    sdwdate - INFO -
    __ Status: First run after boot. (Creating file ‘/run/sdwdate/onion-time-script-after-boot’.)
    __ anondate_use: Running ‘anondate-set’ (by creating file ‘/run/sdwdate/request_anondate-set’)…
    sdwdate - INFO - PREPARATION RESULT: WAIT.
    sdwdate - INFO -
    ____ ### START: ### /usr/sbin/anondate-set
    ____ INFO: Status file ‘/run/sdwdate/tor_certificate_lifetime_set’ does not yet exist.
    ____ INFO: Running anondate-get…
    ______ ### START: ### /usr/sbin/anondate-get
    ____ INFO: anondate-get returned Tor consensus middle range time or minimum time.
    ____ INFO: The ‘anondate-get’ time_result is earlier than the current system time, ok. Not setting clock backwards.
    ____ ### END: ### Exiting with exit_code ‘3’ indicating ‘Setting time using anondate either not possible or not required.’.
    (the 4 lines above repeat infinitely)

See:

Unsuitable Connectivity Troubleshooting Tools


I read those already and took the recommended steps. Now I ran anon-verify and noticed that there’s an error in the output:
ERROR: invalid file: ‘/etc/torrc.d/*.conf’
Used Tor Configuration Files
2 files are used as Tor configuration files:
/usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc
I didn’t edit anything, I can’t understand why these three files:
/usr/local/etc/torrc.d/40_tor_control_panel.conf; /usr/local/etc/torrc.d/50_user.conf; /etc/torrc.d/95_whonix.conf
aren’t used as configs

Could you please share contents of /etc/tor/torrc? Please redact bridge IPs, ports, fingerprints.

Which Whonix version? Could you please provide steps on how to reproduce this issue using a new Whonix?

/etc/tor/torrc doesn’t have any bridges in it:

## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf
 
%include /etc/torrc.d/*.conf

Here’s the contents of /usr/local/etc/torrc.d/40_tor_control_panel.conf:

# This file is generated by and should ONLY be used by anon-connection-wizard.
# User configuration should go to /usr/local/etc/torrc.d/50_user.conf, not here. Because:
#    1. This file can be easily overwritten by anon-connection-wizard.
#    2. Even a single character change in this file may cause error.
# However, deleting this file will be fine since a new plain file will be generated the next time you run anon-connection-wizard.
UseBridges 1
# Custom Bridge is used:
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 x.x.xxx.xxx:xxxx xxxxxxxxxxxx cert=xxxxxx
Bridge obfs4 x.x.xxx.xxx:xxxx xxxxxxxxxxxx cert=xxxxxx
DisableNetwork 0

and /usr/local/etc/torrc.d/50_user.conf only has comments.

(also, I tried using other relays that work on the host machine, they don’t work here either)

I just uninstalled the VM, downloaded and installed it again, following the official KVM guide on whonix org, launched the anon connection wizard, copy-pasted the bridges, didn’t touch a single file, and still can’t connect. Maybe I’m making some mistake when setting up the VM?

Kicksecure ™ Forums Usage Instructions, Best Practices and FAQ chapter Code Tags in Kicksecure wiki

Which files are in /etc/torrc.d?

ls -la /etc/torrc.d

Please post here and please regard above link.

Did you delete any files in /etc/torrc.d?

Please run:

md5sum /etc/torrc.d/*

Expected output at time of writing (this will likely change in the future, i.e. in a few weeks):

b4b0065341d85d5ac5d0a018bf116299 /etc/torrc.d/60_network.conf
b4e43e40ba3654b147629ecfd6359117 /etc/torrc.d/65_gateway.conf
4931bba29b1fd92de02576e5e0d38488 /etc/torrc.d/65_leak_tests.conf
41994734767226c5f51cdd974377778d /etc/torrc.d/70_workstation.conf
fe8fbc3d3b7c8d7415853249b74ea3e7 /etc/torrc.d/95_whonix.conf

If any checksum is different or any file missing, please report that here.

(Is md5sum insecure here? No. It’s used as a simple integrity check to easily, quickly compare the file on my local Whonix-Gateway versus user local files. It’s not used as part of a signature.)

For how the files should look, refer to:
anon-gw-anonymizer-config/etc/torrc.d at master · Whonix/anon-gw-anonymizer-config · GitHub
But that should not require any manual user action. That should be the default. If something is different, please report.
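
The comparison requested in the post above, as an added example that is not part of the original thread or of Whonix's tooling. The names `check_manifest` and `THREAD_MANIFEST` are hypothetical; the hashes are the ones quoted above. It goes one step further than the post by also reporting files that are present but not listed (EXTRA), since every `*.conf` in an included directory is read by Tor.

```shell
# Added example: compare a config directory against a checksum manifest.
# Manifest lines use md5sum's own format: "<hash>  <path>".

# Hashes quoted in this thread (expected to change with later releases).
THREAD_MANIFEST='b4b0065341d85d5ac5d0a018bf116299  /etc/torrc.d/60_network.conf
b4e43e40ba3654b147629ecfd6359117  /etc/torrc.d/65_gateway.conf
4931bba29b1fd92de02576e5e0d38488  /etc/torrc.d/65_leak_tests.conf
41994734767226c5f51cdd974377778d  /etc/torrc.d/70_workstation.conf
fe8fbc3d3b7c8d7415853249b74ea3e7  /etc/torrc.d/95_whonix.conf'

# check_manifest DIR [MANIFEST_TEXT]
# Prints "OK|CHANGED|MISSING|EXTRA <path>" per finding.
# Exit status 0 only if every listed file matches and nothing unlisted exists.
# The body is a subshell, so its variables do not leak into the caller.
check_manifest() (
    dir=$1
    manifest=${2:-$THREAD_MANIFEST}
    rc=0
    listed=
    while read -r want path; do
        [ -n "$path" ] || continue
        listed="$listed$path
"
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(md5sum "$path" | cut -d' ' -f1)" = "$want" ]; then
            echo "OK $path"
        else
            echo "CHANGED $path"; rc=1
        fi
    done <<EOF
$manifest
EOF
    # Anything in DIR that the manifest does not name is reported as EXTRA.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        printf '%s' "$listed" | grep -qxF -- "$f" || { echo "EXTRA $f"; rc=1; }
    done
    exit "$rc"
)

# Usage on the gateway: check_manifest /etc/torrc.d
```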

$ ls -la /etc/torrc.d
total 32
drwxr-xr-x   2 root root 4096 Jun 21 12:14 .
drwxr-xr-x 106 root root 4096 Nov  3 13:36 ..
-rw-r--r--   1 root root 1102 Oct 21  2015 60_network.conf
-rw-r--r--   1 root root 5694 Oct 21  2015 65_gateway.conf
-rw-r--r--   1 root root 1058 Oct 21  2015 65_leak_tests.conf
-rw-r--r--   1 root root 1927 Oct 21  2015 70_workstation.conf
-rw-r--r--   1 root root  615 Oct 21  2015 95_whonix.conf

I didn’t delete any files, this is a fresh install of the VM.

$ md5sum /etc/torrc.d/*
b4b0065341d85d5ac5d0a018bf116299  /etc/torrc.d/60_network.conf
b4e43e40ba3654b147629ecfd6359117  /etc/torrc.d/65_gateway.conf
4931bba29b1fd92de02576e5e0d38488  /etc/torrc.d/65_leak_tests.conf
41994734767226c5f51cdd974377778d  /etc/torrc.d/70_workstation.conf
fe8fbc3d3b7c8d7415853249b74ea3e7  /etc/torrc.d/95_whonix.conf

Same checksums so all files there seem OK.

I don’t know why this is happening.

Steps to reproduce this issue are required. As per:

Whonix version - 16
Host OS - Linux Mint 21
QEMU emulator version 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.5)
Steps to reproduce: 1) Set up the VM; 2) launch the VM.
All files in the machine’s folder:

hulahoop.asc
WHONIX_BINARY_LICENSE_AGREEMENT
WHONIX_BINARY_LICENSE_AGREEMENT_accepted
WHONIX_DISCLAIMER
Whonix_external_network-16.0.5.3.xml
Whonix-Gateway-XFCE-16.0.5.3.Intel_AMD64.qcow2
Whonix-Gateway-XFCE-16.0.5.3.xml
Whonix_internal_network-16.0.5.3.xml
Whonix-Workstation-XFCE-16.0.5.3.Intel_AMD64.qcow2
Whonix-Workstation-XFCE-16.0.5.3.xml
Whonix-XFCE-16.0.5.3.Intel_AMD64.qcow2.libvirt.xz
Whonix-XFCE-16.0.5.3.Intel_AMD64.qcow2.libvirt.xz.asc

Files in /etc/libvirt/qemu:

networks  Whonix-Gateway.xml  Whonix-Workstation.xml

Files in /etc/libvirt/qemu/networks:

autostart  default.xml  Whonix-External.xml  Whonix-Internal.xml

The machine is given 2 CPUs and 1000 MiB of memory.

So far so good, but what happens after starting Whonix?

This means there was previously no issue starting Tor. Connection didn’t succeed but that’s a very different error from Tor not starting.

This is a very different error. No other users are reporting it. Hence I am asking. Still having that? If so, instructions how to reproduce how you ended up with that issue are required to be able to help further.

It gives me the terms of service, I accept them, the anon connection wizard opens, I choose “configure”, paste the bridges, don’t use proxy, and the connection starts and gets stuck at 20-45%.

Yes, still invalid file error

Also, anon-log returns this error:

NOTICE: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...

output for anon-info:

INFO: /etc/apt/sources.list.d/torproject.list does not exist.
INFO: version of the 'tor' package: 0.4.7.8-1~d11.bullseye+1

Don’t know if this is useful, but here’s the output for systemctl status tor@default

● tor@default.service - Anonymizing overlay network for TCP
     Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; vendor preset: enabled)
    Drop-In: /lib/systemd/system/tor@default.service.d
             └─40_obfs4proxy-workaround.conf, 50_controlsocket-workaround.conf
     Active: active (running) since Fri 2022-11-04 15:52:45 UTC; 19min ago
    Process: 2660 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS)
    Process: 2661 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemo>
    Process: 2669 ExecStartPost=/bin/kill -HUP ${MAINPID} (code=exited, status=0/SUCCESS)
    Process: 2672 ExecReload=/bin/kill -HUP ${MAINPID} (code=exited, status=0/SUCCESS)
   Main PID: 2662 (tor)
      Tasks: 10 (limit: 1099)
     Memory: 33.6M
        CPU: 40.283s
     CGroup: /system.slice/system-tor.slice/tor@default.service
             ├─2662 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
             └─2663 /usr/bin/obfs4proxy

Nov 04 15:52:44 host tor[2662]: Nov 04 15:52:44.562 [notice] Opened HTTP tunnel listener connection (ready) on 10.152.152.10:9227
Nov 04 15:52:44 host tor[2662]: Nov 04 15:52:44.562 [notice] Opening HTTP tunnel listener on 10.152.152.10:9228
Nov 04 15:52:44 host tor[2662]: Nov 04 15:52:44.562 [notice] Opened HTTP tunnel listener connection (ready) on 10.152.152.10:9228
Nov 04 15:52:44 host tor[2662]: Nov 04 15:52:44.562 [notice] Opening HTTP tunnel listener on 10.152.152.10:9229
Nov 04 15:52:44 host tor[2662]: Nov 04 15:52:44.562 [notice] Opened HTTP tunnel listener connection (ready) on 10.152.152.10:9229
Nov 04 15:52:44 host tor[2662]: Nov 04 15:52:44.562 [notice] Opening Control listener on 127.0.0.1:9052
Nov 04 15:52:44 host tor[2662]: Nov 04 15:52:44.562 [notice] Opened Control listener connection (ready) on 127.0.0.1:9052
Nov 04 15:52:45 host systemd[1]: Started Anonymizing overlay network for TCP.
Nov 04 15:52:45 host systemd[1]: Reloading Anonymizing overlay network for TCP.
Nov 04 15:52:45 host systemd[1]: Reloaded Anonymizing overlay network for TCP.

Ok, so this is progress.

“ERROR: invalid file: ‘/etc/torrc.d/*.conf’” is a much different and more fundamental error.

Also good.

Still got “ERROR: invalid file: ‘/etc/torrc.d/*.conf’” in “sudo anon-log”?

anon-verify results in:

/===================================================================\
|                      Report Summary                               |
\===================================================================/
No error detected in your Tor configuration.
Tor verify exit code: 0
/===================================================================\
|                      Tor Full Report                              |
\===================================================================/
Nov 04 16:38:33.724 [notice] Tor 0.4.7.8 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1n, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.31 as libc.
Nov 04 16:38:33.724 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Nov 04 16:38:33.724 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Nov 04 16:38:33.724 [notice] Read configuration file "/etc/tor/torrc".
Nov 04 16:38:33.727 [notice] Processing configuration path "/etc/torrc.d/*.conf" at recursion level 1.
Nov 04 16:38:33.727 [notice] Including configuration file "/etc/torrc.d/60_network.conf".
Nov 04 16:38:33.727 [notice] Including configuration file "/etc/torrc.d/65_gateway.conf".
Nov 04 16:38:33.727 [notice] Including configuration file "/etc/torrc.d/65_leak_tests.conf".
Nov 04 16:38:33.727 [notice] Including configuration file "/etc/torrc.d/70_workstation.conf".
Nov 04 16:38:33.727 [notice] Processing configuration path "/usr/share/tor/tor-service-defaults-torrc.anondist" at recursion level 2.
Nov 04 16:38:33.727 [notice] Including configuration file "/usr/share/tor/tor-service-defaults-torrc.anondist".
Nov 04 16:38:33.727 [notice] Including configuration file "/etc/torrc.d/95_whonix.conf".
Nov 04 16:38:33.727 [notice] Processing configuration path "/usr/local/etc/torrc.d/*.conf" at recursion level 2.
Nov 04 16:38:33.727 [notice] Including configuration file "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Nov 04 16:38:33.728 [notice] Including configuration file "/usr/local/etc/torrc.d/50_user.conf".
Nov 04 16:38:33.731 [warn] Option 'DisableNetwork' used more than once; all but the last value will be ignored.
Nov 04 16:38:33.731 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Nov 04 16:38:33.731 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Configuration was valid
ERROR: invalid file: '/etc/torrc.d/*.conf'
/===================================================================\
|                 Used Tor Configuration Files                      |
\===================================================================/
2 files are used as Tor configuration files: 
/usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc
=====================================================================

anon-log results in:
NOTICE[Fri Nov 04 15:55:02 2022]: Tor needs descriptors: Cannot read /var/lib/tor/cached-microdesc-consensus: [Errno 2] No such file or directory: '/var/lib/tor/cached-microdesc-consensus'. Trying again...
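
The report above lists more files in Tor's own notices than in its "Used Tor Configuration Files" summary. As an added example (not part of the original thread or of anon-verify), the functions below read a saved report and extract what Tor itself logged as loaded, plus the option it warned about. The function names and `SAMPLE_REPORT` are hypothetical, and `last_setting` assumes the order of lines in the report is the order in which Tor applied the files.

```shell
# Added example: read a saved anon-verify / Tor verify report on stdin.

# Constructed sample, abbreviated from the report posted in this thread.
SAMPLE_REPORT=$(cat <<'EOF'
Nov 04 16:38:33.724 [notice] Read configuration file "/etc/tor/torrc".
Nov 04 16:38:33.727 [notice] Processing configuration path "/etc/torrc.d/*.conf" at recursion level 1.
Nov 04 16:38:33.727 [notice] Including configuration file "/etc/torrc.d/95_whonix.conf".
Nov 04 16:38:33.727 [notice] Including configuration file "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Nov 04 16:38:33.731 [warn] Option 'DisableNetwork' used more than once; all but the last value will be ignored.
ERROR: invalid file: '/etc/torrc.d/*.conf'
EOF
)

# Paths from "Read"/"Including configuration file" notices, in report order.
tor_loaded_files() {
    sed -n \
        -e 's/.*\[notice\] Read configuration file "\(.*\)"\.$/\1/p' \
        -e 's/.*\[notice\] Including configuration file "\(.*\)"\.$/\1/p'
}

# Option names Tor warned about as "used more than once".
tor_duplicate_options() {
    sed -n "s/.*\[warn\] Option '\([A-Za-z0-9_]*\)' used more than once.*/\1/p"
}

# last_setting OPTION: read file paths on stdin and print "<file>: <line>"
# for the last place OPTION is set, i.e. the value the warning says is kept.
last_setting() {
    opt=$1
    last=
    while read -r f; do
        [ -r "$f" ] || continue
        # Tor option names are case-insensitive, hence -i.
        hit=$(grep -iE "^[[:space:]]*$opt[[:space:]]" "$f" | tail -n 1)
        if [ -n "$hit" ]; then last="$f: $hit"; fi
    done
    printf '%s\n' "$last"
}

# Usage: tor_loaded_files < report.txt | last_setting DisableNetwork
```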

Short, important part:
Never mind this error.

Technical details:
Now it occurred to me that this might be happening in an old version of Whonix. (16.0.5.3)
This is likely fixed in Whonix 16.0.8.2 and above. But that Whonix build version isn’t available for Whonix KVM yet. I don’t have any ETA (estimated time of arrival) either because I am not a maintainer of Whonix KVM. But that’s just an output/textual issue of anon-info which cannot break connectivity. So this can be safely ignored. There’s no need to wait for Whonix 16.0.8.2. The textual/output issues might be fixed but the connectivity issue would likely still be the same.

In summary, the Tor daemon is running fine.

This is the main issue. A “simple” connectivity issue. Not an issue with the Tor daemon not properly starting.

In that case, not much help can be provided. Why? See:

The only option is to troubleshoot this according to the network troubleshooting instructions here:

Specifically, you could try following the steps under Troubleshooting - Whonix chapter Essential Connectivity Troubleshooting Steps in Whonix wiki.