No Internet Connection inside Whonix-Workstation KVM with NordVPN with Kill-Switch on Host


after successfully using Whonix on my M1 Mac via UTM without a VPN on my Host, I tried connecting my host to a VPN (I’m using NordVPN over OpenVPN), which is causing some unexpected problems:

  • With a VPN on my host, the Whonix Gateway’s internet seems to work without any issues (I did curl requests from the console and they all worked)
  • Even though the Gateway’s connection works, the Whonix Workstation cannot establish any internet connection while using a VPN on the host, even after several restarts of both the Gateway & Workstation and the Host

Running systemcheck on my Workstation shows

Tor Connection Result:
Tor’s Control Port could not be reached. Attempt 1 of 5. Could be temporary due to a Tor restart. Trying again…
(tor_circuit_established_check_exit_code: 255)
(tor_bootstrap_timeout_type: )
(tor_bootstrap_status: )
(check_socks_port_open_test: 56)

Any displayed troubleshooting steps do not help, as systemcheck runs without any issues on my Gateway.

Tor works fine via VPN on my host and I didn’t change any networking settings in UTM, just built Whonix for Silicon Macs as described in the docs and imported the output to UTM directly.

I would appreciate any troubleshooting ideas as I have no idea where the issue could originate from.

Looks weird, Because the WS taking the connection from GW, If GW working then WS will work as well. (i hope you are not trying to route the WS directly to the VPN, Because WS meant to connect only to GW).

Yeah I know, very weird. The VPN is running on my host and all curl requests I tested inside the GW worked.

But if I run a VPN on the host, I assume Whonix doesn’t even “know” about the VPN. That makes me think it has to be an issue on the host, but it’s weird that it works on the GW which on the other hand makes me think it’s something with Whonix.

I unfortunately have no idea how to troubleshoot this at all.

Update: The issue was related to NordVPN’s advanced Kill-Switch, which according to their Desktop app “might interfere with other network applications on your machine”. The same goes for ProtonVPN and many other VPN clients.

For now, I just deactivated the advanced Kill-Switch on the NordVPN client and everything works fine with a basic Kill-Switch still in place.


Thanks for the report! Moved to KVM forums.
Yeah, it makes sense. Since KVM network interfaces are visible on the host operating system, firewalls such as presumably what the NordVPN kill switch is doing can disrupt Whonix KVM.

I doubt this is fixable? @HulaHoop

@maxeth: You’d have to use a VPN kill switch (also called fail-closed mechanism) that is compatible with Whonix KVM. There is vpn-firewall but untested with Whonix KVM, I think. Also as per Avoid Non-Freedom Software I suggest to avoid the presumably non-freedom software NordVPN client and use a Freedom Software VPN client such as OpenVPN.

1 Like

There’s no legitimate excuse by any company to ever claim that it that it can’t support libre clients like OpenVPN.

I think that we support VPN → Tor on the GW to hide it from ISP (though this feature could be dropped in the future if it already isn’t deprecated).

Main issue being, a useful host firewall (without intention / can be Freedom Software) such as:

can break Whonix KVM.



NordVPN seems to support OpenVPN too.
OpenVPN configuration files | NordVPN

In some countries Tor and the TorProject website are blocked by the government, as well as commercial VPN services, and bridges like obfs4/SnowFlake may be very unreliable and slow. In such cases self-hosted VPNs are highly needed to have an ability to use Tor. For example, after installing Whonix-Gateway I have to start OpenVPN client on the host to connect the Gateway to Tor, install Shadowsocks client on it(it is much faster than VPN) and then use it as a proxy in torrc. Yeah, a self-hosted VPS as a Tor bridge might be not a very good solution for privacy, but it might be the only way to normally use Tor for some users. Please, do not drop support for VPN → Tor on the GW.

Sounds dangerous to me. When the kill switch kills the connection, then adversaries can correlate the connection drop from your Mac to VPN with the connection that exits the VPN and is going to TOR entry and TOR exits, so you are de-anonymized every time your VPN connection drops without being a result of lost internet connection.

Without a VPN, that correlation can only be done if your internet connection drops.

Not that simple and the false positive rates would be so high as to render this type of traffic analysis useless.

KVM potential solution: Using hubport to avoid KVM network interfaces being visible on the host operating system