monero in Whonix with torsocks for better stream isolation

I use

DNS_PUBLIC=tcp TORSOCKS_ALLOW_INBOUND=1 torsocks ./monero-wallet-cli --daemon-host [onionurl:port] --restore-height -1

like the above and get a similar error:

libunbound[6560:0] error: outgoing tcp: connect: Connection refused for

shown repeatedly when trying to transfer.

Is it anything to do with whonix firewall and ports blocking? can’t make any transactions, and it takes forever even to receive the errors.

Anyone successfuly using monero-wallet-cli on Whonix 14?

the monero program is (and always been) terrible at handling connection issues. Not only it takes ages (minutes and more) to get an error, it doesn’t respond to CTRL-C as well. One has to close the terminal window to kill the program, then worry about process possibly still running in memory.

Update: I now tried

./monero-wallet-cli --daemon-host [onionurl:port] --restore-height -1

meaning not using torsocks, no stream isolation, and everything works well!

Still something to look into!

I don’t have any problem running monero-cli against a remote node (as suggested in the wiki). However, my connection to remote nodes keep dropping. I sometimes have to refresh several times before the remote node responds. Has anyone experienced this?

I got monerod working like this: DNS_PUBLIC=tcp:// TORSOCKS_ALLOW_INBOUND=1 torsocks ./monerod --p2p-bind-ip --no-igd --hide-my-port --data-dir /mnt/blockchain/monero/. I admit that I don’t understand some of these options. I got it from a tutorial on running monero behind tosocks.

Btw this will be the default in Whonix 15 (perhaps even already is in Whonix 14).


./monerod -h
./monero-cli -h

Monero v0.17.3.0 added a --proxy flag, e.g. monerod --proxy I haven’t audited for proxy leaks, but it does work fine in a Whonix VM that has transproxying disabled. Maybe consider updating the wiki instructions to use this flag instead of torsocks. I would recommend using a SOCKS port that isolates by both destination IP and destination port, to minimize the risk of eclipse attacks (Bitcoin Core does approximately this by default).


As @JeremyRand points out monerod now has the --proxy flag.

I’ve read through the pull request a few times now and my conclusion is that for Whonix users the optimal monerod command is:

monerod --proxy --p2p-bind-ip --no-igd --hide-my-port --tx-proxy tor,,10

The reason for the tx-proxy argument is that, according to the information in the pull request discussion, monerod will use it to establish hidden service connections to broadcast txs. Unless one is transacting frequently this will typically mean each transaction gets its own circuit, as opposed to relying on just the proxy setting which would result in multiple transactions sharing the same circuit.

I could have something wrong, but this is my best understanding of the available information. How can I go about getting this put into the Whonix Monero documentation because the current torsocks commands are dated and barely usable?

At this complexity, perhaps best to create a config file


and then start monerod with



This config could even be added to GitHub - Whonix/anon-apps-config.

The confusing thing would be that monerod by default does not use any config file unless using --config-file. Not sure that’s worth an upstream feature request.

I am also wondering how Whonix once that config file exists could add --config-file=/etc/monerod.conf to monerod and/or monero-wallet-cli / monero-wallet-gui by default.


The daemon by default on Whonix checks /home/user/.bitmonero/bitmonero.conf: monero/command_line_args.h at c5d10a4ac43941fe7f234d487f6dd54996a9aa33 · monero-project/monero · GitHub

Transforming the tutorials (http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Monero_Wallet_Isolation) command line parameters into a config file:




and adding @moneroconfig’s proxy settings:


--pidfile=/home/user/.bitmonero/ and --non-interactive would still be required to be passed as command line parameters in the tutorial systemd setup.

Some questions regarding all of this:

  • port 9180 is a with IsolateDestAddr / with IsolateDestPort port: this creates a circuit per peer for communication right? That seems like a lot - so wouldn’t a without IsolateDestAddr / without IsolateDestPort port in that case be better?

  • port 9152 is a without IsolateDestAddr / without IsolateDestPort port: wouldn’t here then a with IsolateDestAddr / with IsolateDestPort port be better to create a new circuit for every local transaction?

  • in Qubes OS: should/could I use instead of sys-whonix’s IP (

  • hide-my-port: if I understand this parameter this disables “self-propagation” → my nodes’ peers don’t announce my node to their peers - does that create a “Do Not Track” situation (as it is not a default parameter) and increases a fingerprinting possibility?

  • should I consider the parameters
    pad-transactions=1 (protocol: option to pad transaction relay to the next kB by moneromooo-monero · Pull Request #4787 · monero-project/monero · GitHub)



    Disable ZMQ RPC server. You should use this option to limit attack surface and number of unnecessarily open ports (the ZMQ server is unfinished thing and you are unlikely to ever use it).

    for my node?

Sorry for the missing hyperlinks, apparently cannot use them yet.

You can post links now.
(Kicksecure ™ Forums Usage Instructions, Best Practices and FAQ chapter Posting Links for New Users in Kicksecure wiki)
(Whonix is based on Kicksecure.)

1 Like

Thank you, populated my post with the missing hyperlinks.