How did my IP leak?

I’m using VPN on host, then I run whonix and (at the moment) use ssh to connect to my server. Some time ago I connected to VPN and then fired up my whonix gateway, and after 10 seconds or so my workstation, as I normally do.

At that time VPN connection dropped saying my credentials are not valid and to enter them again. Not wanting my ISP to see I’m using TOR I quickly canceled whonixcheck and timesync that were going on in both VM’s at that moment. Took some fiddling (turning on and off etc) with VPN to get it working, it reset to default settings but was on. I then proceeded to run whonixcheck and timesync manually on both gateway and workstation, and after successfully done, connected to my server over ssh. Everything seemed as usual.

Upon logging back to same server today, it showed my last login was from my VPN’s server and not a TOR node (as it normally is).

Never connected to it from anything other than workstation so VPN ip should have never been seen by server. Needless to say it freaked me out. What could be possible reason for this? Had I not used VPN I’m guessing it would have shown my ISP’s IP and thats a no-no as we all know.

Any ideas? Thanks in advance!

The host VPN is irrelevant. Whether active or not, Whonix only generates Tor traffic.


  • user mistake, you used ssh from the host
  • you (also) connected to the VPN from within the workstation?
  • the VPN is hosted on a shared server / shared IP which does not only host a VPN service, but also a Tor service. You can use ExoneraTor to find that out.
  • a Whonix bug, which I find very, very unlikely

Btw Whonix documentation recommends to use a fail closed mechanism so there will be no more traffic once the VPN breaks down. ( Connecting to a VPN before Tor )

Doesn’t help because Tor by The Tor Project defaults is generating Tor traffic independently from whether you are using it or not once Tor is started and setting DisableNetwork 1 is not in effect.

Btw the following documentation also applies to your use case.


First of all, thank You for taking time to reply.

To address your points;

I never use ssh from the host, but still I checked just in case, it’s not in bash history etc.

It’s not on workstation, although I used different VPN provider on workstation for a while, but use ssh to vps only, in last few months.

This is a somewhat known VPN provider and they (as far as I know) don’t run TOR services.

There is no record on ExoneraTor of this specific IP being tor node around the time my issue occurred but it was seen in January and I think October of last year. Their other servers in different countries are seen too. I imagine it’s the VPN users running tor nodes.

So it is possible but it would have been quite a coincidence.

VPN comes with a software that stops connection when it drops, dns protection etc. I was lazy to set it up myself and it seems to work ok. I also set it up to use only tcp. When it failed strange thing was that it kept saying it’s missing my account details (login name etc) but they were there, I even retyped them few times. It also reset to defaults (udp on port 1300 and no connection/dns leak protection).

Doing last -a on vps shows all tor node logins except the instance from OP. It’s a strange situation for sure. I haven’t changed anything on Gateway and on Workstation I installed a few programs, like proxifier, gnumeric… so nothing major.
I don’t touch the host except to update it every month or so. Only thing it has installed is VPN software.

I’m not an expert but I’ll keep digging. Quite paranoid after this though.

Btw. VPN is Mullvad, for what it’s worth.


This is a somewhat known VPN provider and they (as far as I know) don’t run TOR services.

Does the VPN provider support remote port forwarding? With remote port
forwarding any of their clients can host a Tor exit on their IP.

Mullvad does support remote port forwarding. Source:

FAQ - Help | Mullvad VPN

This is worrying.

Leaks are unlikely.

  • even without firewall rules on the gateway at all, since ip forwarding is disabled, and since the workstation can only connect through the gateway, it does not suddenly start to connect in the clear
  • same if the gateway is off
  • no leaks demonstrated in Whonix ever since it exists (year 2012) (when it still was called TorBOX)

With ssh, leaks are even less likely. When you run ssh, you don’t really run plain ssh. It’s uwt wrapper runs it through torsocks.

export UWT_VERBOSE=1

What really happens is.

exec torsocks /usr/bin/ssh.anondist-orig

Even if the gateway was capable to forward clearnet traffic, that would not work. When there is no open SocksPort, torsocks just fails. There is no way it suddenly connects in the clear.

research / document impact for tunnel users if Tor [exit] relays hosted at the same tunnel provider:

Part of the idea behind Whonix is that it doesn’t leak. I tried to “break” it (reasonably) last 2 days and like you said Patrick, it either routes everything through TOR or doesn’t work. One thing I did notice is that even thought bootstrap fails on gateway(whonix check just stops and gives up after 120 sec), workstation still appears to work fine. Usually when whonix check is run second time everything is ok.

This makes sense and is something that could have happened, but chance of this “reverse lottery” seems very low.

One thing to I’d like to point out is VPN default country is A, I never connect to it but use country B. When it failed and reset to A, the login on VPS showed IP from their country A data server. So it’s even more unlikely that it fails and resets + at the same time that specific server (lets call it server 15) in that country is used as a TOR node.

Hmmm re-reading that last sentence, it’s a bit confusing, hope you get what I meant.

One thing I pondered was that someone had physical access to my computer, but it’s encrypted plus I’m not any kind of high value target, just a regular privacy enthusiast. I’m leaning to believe it was either user error on my side or what you mentioned in the part of your post I quoted. If what happened was a Whonix problem it would have been reported/experienced by other people at some point.

Anyway, I think my course of action, to calm my paranoia, is to just redo the whole setup with fresh software/passwords/vpn/vps/whonix images. Would love to give Qubes a try but I think my PC lacks memory for it.

Thanks again for help, and also thank you for creating and maintaining this project, it’s a selfless public service that must take countless hours! I donated in the past and will make sure I do in the future when I can.

By the time the result window is shown the results can already be outdated. There is no live updating of states in the whonixcheck results window.

But then how do you calculate the probabilities… There are not that many Tor exit relays. And protecting your IP while hosting a Tor relay is not unreasonable.

Many exit relays are hosted on cloud servers like EC2 & Azure (40 of each last I checked). showed 5 Tor relays being proxied through Mullvad. Coincidences by definition do happen :slightly_smiling:

IIUC the IP did not appear on Exonerator? I don’t know if any situations exist where exit IPs might not be logged.

To implement the scenario in the OP, host would have to be compromised. Attacker would have to change Workstation VM network settings to use NAT instead of Internal Network ‘Whonix’ and then from within Workstation, attacker would need to call ssh using /usr/bin/ssh.anondist-orig. For what purpose? To reveal your VPN ip?

I think the only definitive lesson (so-far) to be learned here is this:

IIRC the client software is not open-source so hard to figure out what’s going on there. (maybe missing write privileges?) Best option is to use Mullvad’s .conf files with openvpn. Patrick’s fail-closed vpn-firewall is easy to setup in a linux host. (Also, as you probably know, UDP is fine for tunneling Tor through vpn; tunneling vpn through tor requires TCP).

Good day,

All these tools are based on this list: Lists like these are only periodically updated which may lead to some exit nodes, which only existed briefly not beeing logged. And this has happend times before.

Have a nice day,


Recently noticed that my ip address is in a huge ip lists that you can get on websites. Could it be because recently I started to use a new proxy provider to work?

Good day,

Since this question has nothing to do with Whonix, we are unable to provide an answer to your question. Also, I’m not sure how using a Proxy-Provider could correlate to “leaking” your IP when “normal” usage without a proxy would do the same thing. Also, may I recommend using VPNs? The standards upon which proxies were build are ancient and have many security issues.

Have a nice day,


1 Like

Some possibilities. Speculation.

  • False positive.
  • Scam database. Adding arbitrary IPs there to scare users into whatsoever.
  • Windows user? -> Likely compromised. -> Likely being infected by
    malware that makes your computer an open proxy.

Thank you for the answer!)

1 Like