problem with the tunnel ssh in whonix gateway connection refused


i installed recently the open ssh server and client

sudo apt-get install openssh-server openssh-client

but it shows me connection refused

root@host:/home/user# ssh -D 1080
ssh: connect to host port 22: Connection refused

i tried to put this in iptables

sudo iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

but the result doesn’t change…

in sudo iptables -L -n it shows

ACCEPT tcp – tcp dpt:22

systemctl status sshd is running ( active)

i changed the port to 2222

root@host:/home/user# sudo nano /etc/ssh/sshd_config
root@host:/home/user# sudo service ssh force-reload
root@host:/home/user# ssh user@ -p 2222
ssh: connect to host port 2222: Connection refused

i put the ip and the port in the section of port forwanding in the router

and i changed this sudo nano /etc/tor/torrc i put Socks5Proxy ( is it correct?)

i don’t know what i am missing …

Can you copy/paste your ssh_config and sshd_config files? Both should be edited to reflect the port you’re choosing to use, and if you’re trying to log in as root then your configurations have to be such that that is allowed.

Hi @y010

Could be a uwt issue. This thread may be helpful:


thanks for your reply

here we go

This is the ssh client system-wide configuration file. See

ssh_config(5) for more information. This file provides defaults for

users, and the values can be changed in per-user configuration files

or on the command line.

Configuration data is parsed as follows:

1. command line options

2. user-specific file

3. system-wide file

Any configuration value is only changed the first time it is set.

Thus, host-specific definitions should be at the beginning of the

configuration file, and defaults at the end.

Site-wide defaults for some commonly used options. For a comprehensive

list of available options, their meanings and defaults, please see the

ssh_config(5) man page.

Host *

ForwardAgent no

ForwardX11 no

ForwardX11Trusted yes

RhostsRSAAuthentication no

RSAAuthentication yes

PasswordAuthentication yes

HostbasedAuthentication no

GSSAPIAuthentication no

GSSAPIDelegateCredentials no

GSSAPIKeyExchange no


BatchMode no

CheckHostIP yes

AddressFamily any

ConnectTimeout 0

StrictHostKeyChecking ask

IdentityFile ~/.ssh/identity

IdentityFile ~/.ssh/id_rsa

IdentityFile ~/.ssh/id_dsa

Port 22

Protocol 2,1

Cipher 3des

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

MACs hmac-md5,hmac-sha1,,hmac-ripemd160

EscapeChar ~

Tunnel no

TunnelDevice any:any

PermitLocalCommand no

VisualHostKey no

ProxyCommand ssh -q -W %h:%p

RekeyLimit 1G 1h

SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no

and this is the sshd_config file

Package generated configuration file

See the sshd_config(5) manpage for details

What ports, IPs and protocols we listen for

Port 2222

Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::
Protocol 2

HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600
ServerKeyBits 1024


SyslogFacility AUTH
LogLevel INFO


LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

Don’t read the user’s ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

similar for protocol version 2

HostbasedAuthentication no

Uncomment if you don’t trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes

To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no

Change to yes to enable challenge-response passwords (beware issues with

some PAM modules and threads)

ChallengeResponseAuthentication no

Change to no to disable tunnelled clear text passwords

#PasswordAuthentication yes

Kerberos options

#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

GSSAPI options

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

do you see anything wrong?


PS: i’m sorry about this , i can’t change the letter size

hi thanks for your reply

i was searching info and i found this too

On the Stream Isolation page, there is a list of applications that are pre-configured to use uwt wrappers. Follow the instructions below in order to disable this.

The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt wrapped applications system-wide. Consequently, all uwt wrapped applications revert to the default system networking configuration.

If you want more granular control of uwt wrapper deactivation, see Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper.

Open /etc/uwt.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run.
[select code]
kdesudo kwrite /etc/uwt.d/50_user.conf

If you are using a terminal-only Whonix, run.
[select code]
sudo nano /etc/uwt.d/50_user.conf


[select code]

Save and exit.

in my case i want to create a connection between gateway and workstation vm ( in the gateway i want to create the tunnel ssh)


Something just occurred to me - are you attempting to access Whonix from another VM or from your host machine? Because if you want to SSH to a guest from its host, you’ll have to configure your network a little differently. Someone with more intimate understanding of Whonix will have to chime in and address the potential security concerns of doing this, assuming there are any - I just don’t know enough to say.


Thanks for reply C:

I am trying to connect the gateway and the Workstation with the purpose to redirect the traffic (tunnel ssh+tor )

Both are vm

Well, don’t worry you’re helping me a lot =)

If someone wants to Join the conversation

He/she is welcome

Hi @y010

Unfortunately I can’t offer you much help with this as I do not use SSH with Whonix.

The best advice I can give you would be to remove the Whonix specific part of your question as per .

If you are able to to that you can focus on just getting SSH to connect. You may be able to find more people to help you with that on Unix and Linux Stack Exchange or other Help forums. ; )