Leak? Strange ICMP packets while Tor bootstraping

When I press on Restart Tor button in tor-control-panel on a Gateway and then open Wireshark to inspect the traffic, I see strange ICMP packets to IP addresses which are not associated with Tor while bootstraping with info “Destination unreachable (Host unreachable)”! Then, I see many TCP packets to all of obsf4 bridges I listed in Tor Config (I think that’s ok). Then, after bootstrap has done and I visit sites through Whonix-Workstation, I see only two IP address of obfs4 bridges in Wireshark so it seems like Tor has chosen two best bridges to connect to as entry nodes.

I use Tor with obfs4 bridges and I didn’t do any modifications to Whonix-Gateway, only custom line of bridges were used.

IP leak?

Well, I completely turned off Whonix-Workstation, left only Gateway turned on and pressed Restart Tor button in tor control panel. Then opened Wireshark and still saw these strange ICMP packets while bootstrap go on. So it seems like it is not Workstation leak, it is about Tor bootstraping itself. Can you confirm that?

What traffic obfs4 generates is most likely unspecific to Whonix.


Do you really think so? Have you ever used obfs4 bridges with Whonix-Gateway? Can you reproduce this scenario and inspect the traffic on your machine? ICMP packets confirmed or not?

Report it to Tor Project, Has nothing to do with whonix.

@anonymousman Have you tried looking up these icmp destination IPs? What are they associated with?