"Trouble connecting to Tor" and "Disabling Whonix/Tor for Qube:personal"

Hi,

I am using Qubes-R4.1.2-x86_64. I am very new to this OS so please bear with me.
In the Installer I chose to install debian-11 and whonix, I did not install fedora.
I just freshly installed today.

  1. My first problem is that Tor will not connect.
    It hangs forever at 5% “Bootstrap phase: Connecting to a relay”.

If I open a shell in the sys-net VM then I can ping the public IP 8.8.8.8 so my internet should be fine.

I shouldn’t need any bridges, because other computers on the same network don’t need bridges to connect to TOR.

Checking the log I get TOR REASON=TIMEOUT and Consensus time sanity check failed even though the system time seems to be set correctly.

How can I debug why TOR in QubesOS is not connecting?

  2. Can I tell QubesOS that certain Qubes such as personal should not use Whonix or Tor, but make direct non-anonymous connections to the internet?

How do I configure/disable this? Thanks in advance!

@kwinz On any new qube that you create you can choose “sys-firewall” for non TOR connections. Go to the Qube Manager, select a qube, click on settings and change the “Net qube” dropdown selection to “sys-firewall”

For TOR connection change it to “sys-whonix”

I think it’s better to use the anon-whonix qube with sys-whonix and leave the other qubes on the default “sys-firewall”.

Hope this helps…

Appreciate the reply! That’s what’s confusing to me: Qube:personal already has NetVM: sys-firewall configured. See screenshot in the second post in this thread.
The only Qubes that have sys-whonix as NetVMs are anon-whonix and whonix-ws-16-dvm.
Despite this I still get the Anon Connection Wizard popup that prompts me to start TOR from sys-whonix as soon as I start Qube:personal. What could be the problem here?

PS: In regards to the other problem TOR not connecting, being stuck at 5%: I have tested pinging a public IP from other Qubes and they don’t work. sys-net can resolve DNS addresses and ping. But sys-firewall and all others AFAIK can’t.
sys-net runs in pv virt mode, while the other Qubes run in pvh.
I don’t remember changing anything else after the default install. What could be causing this behaviour?

Ok, so I dug a little further:

Remember this is mostly a fresh install and doesn’t have any firewall rules set. To reduce complexity further I set sys-net directly as NetVM for the Qube:personal, skipping sys-firewall, and rebooted. Still not working!

Next I am trying to understand how the IP shown next to the Qube in the Qubes Manager and as visible_ip in qvm-prefs <VMNAME> --get is set in the VM.

The personal VM is supposed to have 10.137.0.7 as IP according to qvm-prefs and Qubes Manager. And if I open a shell into the vm, and check with ip address I can see that in fact there is an eth0 interface with that IP. However the subnetmask is /32 and with ip route I can see a default via 10.137.0.7 dev eth0 onlink. sysctl -a | grep ".forwarding" shows that forwarding/routing is disabled on this VM.

The sys-net VM is supposed to have 10.137.0.5 as IP according to qvm-prefs and Qubes Manager. In a shell into the VM with ip address I see that there are 4 links besides the loopback: enp0s0, vif2.0, vif3.0 and vif4.0.

Only the enp0s0 has a single IPv4 address, which is the IP address assigned by my main network’s DHCP server. I cannot see 10.137.0.5 anywhere! sysctl -a | grep ".forwarding" shows that forwarding/routing is enabled on this VM.

I found a two year old issue of somebody else that claims that he/she didn’t have internet access on a fresh install on github: SOLVED: No internet outside sys-net · Issue #6442 · QubesOS/qubes-issues · GitHub
There the problem fixed itself after moving to a different location/router and the cause of the problem was never found apparently.

How is the 10.137.0.5 address supposed to be set on the sys-net VM? Is anything I figured out there out of the ordinary?

@kwinz Are you on a wireless network? What I did to make the other non-Tor (personal, work) qubes work on my end is that on the sys-net qube “Services” tab, I added network manager and connected to my access point.

After that I checked qubes personal, sys-firewall and sys-net; on my end it’s working perfectly. I can ping from the personal qube.

personal qube > routes to sys-firewall > routes to sys-net and I have a connection.
Hope this helps…

@zerologs I have pretty much a basic install and I tried the same personal qube > routes to sys-firewall > routes to sys-net as you and also bypassing sys-firewall and it doesn’t work.

Should I be seeing vm-net’s IP address as shown in the Qubes Manager if I open a shell to that VM and run ip address? Because I don’t! How does that work usually? I didn’t really find a lot of documentation about that (how the IPs are set on the individual VMs and how the plumbing works that glues the VM’s networks interfaces together), any hints are appreciated!

No, I am not using WiFi. I am using Qubes OS in a VMware VM (with this fix) which emulates a wired Intel 82545EM and NATs that to my main network.

I know that this works in principle because, as I already wrote, I can ping public IPs and resolve DNS from within Qubes OS from within the sys-net VM’s shell. I can also run updates in dom0 just fine.
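
The "Net qube" setting discussed in this thread can also be checked from a dom0 terminal. The following is an added example, not part of any post above: it follows the `netvm` property upward from a qube to show which qubes its traffic passes through, and whether sys-whonix is among them. The function names and the `QVM_PREFS` override variable are assumptions of this sketch, and it assumes `qvm-prefs <qube> netvm` prints the net qube's name (nothing, or `None`, when there is none).

```sh
# Added example (not from the thread). Source this in a dom0 shell, then run e.g.:
#   netvm_chain personal
#   routes_through personal sys-whonix && echo "personal goes through Tor"
# QVM_PREFS is a hypothetical override so the lookup command can be swapped out.
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# Print the chain of net qubes, e.g. "personal > sys-firewall > sys-net".
# The ( ) body runs in a subshell, so variables stay local and exit acts as return.
netvm_chain() (
    vm="$1"; chain="$1"; hops=0
    while [ "$hops" -lt 8 ]; do                       # guard against a netvm loop
        next="$("$QVM_PREFS" "$vm" netvm)" || exit 2  # unknown qube or tool error
        # Empty output (or the literal "None") means no net qube: end of chain.
        case "$next" in
            ""|None) echo "$chain"; exit 0 ;;
        esac
        chain="$chain > $next"; vm="$next"; hops=$((hops + 1))
    done
    echo "$chain > ... (stopped after 8 hops)" >&2
    exit 3
)

# Succeed (status 0) if GATEWAY appears upstream of QUBE, fail (status 1) if not.
routes_through() (
    chain="$(netvm_chain "$1")" || exit 2
    upstream="${chain#"$1"}"                          # drop the qube itself
    case " $upstream " in
        *" $2 "*) exit 0 ;;
        *)        exit 1 ;;
    esac
)
```

A qube whose chain does not include sys-whonix sends its traffic through sys-firewall and sys-net without Tor, which is the setup described in the replies above.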