Tor

Tor is an onion routing internet anonymity system.

Emerge
Install :

Configuration
Tor ships with a minimal configuration in so that it works out of the box:

OpenRC
To start immediately:

To start the tor service on system boot, add it to the default runlevel:

Systemd
To start immediately:

To start the tor service on system boot:

Emerge messages
* Messages for package net-misc/tor-0.2.3.25:

* We created a configuration file for tor, /etc/tor/torrc, but you can * change it according to your needs. Use the torrc.sample that is in * that directory as a guide. Also, to have privoxy work with tor * just add the following line * * forward-socks4a / localhost:9050. * * to /etc/privoxy/config. Notice the. at the end!

Any browser via PAC file
You can use a pac file to delegate browser requests to different proxies. Here connections to localhost are handled directly (no proxy). Eepsites are handled by i2p proxy on port 4444. Other traffic goes via Tor SOCKS proxy on running on port 9050.

Save this file as, and point your browser to it. Most browsers accept Proxy configuration URL, where you can specify.

Firefox
Edit > Preferences

Advanced > Network > Settings manual proxy configuration: http proxy          port: 0 ssl proxy           port: 0 ftp proxy           port: 0 socks host 127.0.0.1 port: 9050 check SOCKS v4 No Proxy for: localhost, 127.0.0.1

'SOCKS v4' is actually SOCKS 4a internally. SOCKS v5 needs more configuration for safe DNS, explained here.

Type into the URL textbox and set the following:

network.proxy.socks_remote_dns   true network.dns.disablePrefetch      true network.dns.disableIPv6          true

This way Firefox will resolve host names via tor, which prevents DNS leaks.

media.peerconnection.enabled   false

This prevents leaking the system ip address through WebRTC requests.

SSH
openssh doesn't have any native support for SOCKS5, so you will need to install openbsd-netcat. You'll need to modify your SSH config too. It is possible with ''netcat' also but the configuration below uses flags specific to the OpenBSD variant.

For all hosts:

You may prefer to do this for a specific host:

You could instead want to only enable the proxy for .onion addresses:

DNS
Some applications may leak DNS requests. The easiest way to check if this really happens is to look at system logs.

If an application is configured correctly, nothing shows in the logs. Below is an example of a message for a misconfigured application (or for a webpage that stores links in form of IP addresses):

Oct 14 14:44:44 localhost Tor[666]: Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.

In order to check how this works, one needs to give an application an IP address instead of a domain name, retrieved by running the tor-resolve command for example.

DNS Resolver
Tor can work like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records. MX and NS queries are never answered.

To enable the built-in DNS resolver, add the following lines to the /etc/tor/torrc file and restart the daemon:

Then to prevent leak DNS requests make Tor the ONLY default DNS resolver of you system in /etc/resolv.conf:

If you use dhcpd, you will need to change its settings in /etc/dhcpcd.conf so that it does not alter the resolv.conf configuration file:

If you use pppoe, you will need to change its settings in /etc/ppp/pppoe.conf so that it does not alter the resolv.conf configuration file:

Finally, redirect ALL DNS requests on your system from port 53 to 127.0.0.1:9053 where the Tor DNS listens for requests. Redirect any DNS to the the local (torified) nameserver:

If you also use IPv6, the same has to be done for ip6tables. When done using Tor, to disable the aforementioned rules use:

Notice: this will also disable any other existing NAT rules.

Disabling non-tor traffic
The following iptables rules will prevent non-Tor traffic leaving the host and disable all new connections from outside in case if the host must be configured as a Tor client:

And to flush these and any other existing rules:

Firewall
If you want allow Tor use only special addresses you can specify it. For example our firewall allow outgoing connection only through https (443) port, so add to /etc/tor/torrc:

torsocks
For applications which do not support the use of proxies or Tor, you can use the "torsocks" command to force their traffic through the Tor network. (e.g. - or ).

Transparent Tor Proxy
Tor can work like a transparent proxy.

To enable built-in transparent proxy add the following lines to the /etc/tor/torrc file and restart the daemon:

Finally, redirect ALL non-tor outgoing trafic to a Tor transparent proxy:

Stream isolation
You might not want to mix GPG traffic with the traffic of a web browser or to mix irssi circuits with the circuits of a bitcoin wallet. In all cases an exit node can make correlation between separate activities. Stream isolation provides an easy way to separate different Tor circuits and make different applications use isolated streams.

By default, multiple *Port lines (SocksPort, DNSPort, TransPort) will never share circuits. If you want to do stream isolation on a single *Port option, you can add one or more of the following isolation flags to *Port options: IsolateClientAddr, IsolateSOCKSAuth, IsolateClientProtocol, IsolateDestPort, IsolateDestAddr.

Note that some are enabled by default already and that more isolation flags does not necessarily mean more security/anonymity/privacy. To see the most up-to-date list of stream isolation flags, see `man tor`.

So if you want to be sure your GPG client and your instant messenger don't put streams on the same circuit, the easiest thing to do is add the following to your torrc and point them at different SocksPorts.

Rules for Tor circuits
man tor gives us a good explanation of various useful options. If you want to get away from ECHELON, you may consider adding the following to /etc/tor/torrc:

StrictNodes =1 together with ExcludeNodes {au}, {ca}, {gb}, {nz}, {us} will completely exclude Tor nodes from that country, but we also disallow connection to Tor hidden services located there. So it is better to comment ExcludeNodes or set StrictNodes 0. Also we mark NodeFamily {au}, {ca}, {gb}, {nz}, {us} all that nodes as "single administration" by Five Eyes. Directive NodeFamily can be used multiple times.

EntryNodes and ExitNodes can be used to select spacial nodes for entering end exit from Tor network respectively.

Instead of country codes you can use IPv4, IPv6 addresses and subnets.

Sandbox
Tor has own sandbox features. It may give more protection of your system if Tor is compromised. To turn it on add to /etc/tor/torrc:

Setting up a hidden service
Setting up a tor hidden service is easy.

All you need to do is add 2 lines to the configuration file, and make sure your permissions are correct for the data directory.

The first line tells Tor to insert the public and private keys into the directory specified.

The next line tells Tor to direct traffic on hidden service port 80 to the IP and port specified.

Simple command-line file downloading
The popular wget utility cannot talk to socks proxy. However, you can use the tor network to download any resource located at a given URL and save it in a FILE using :

The --socks5-hostname means that hostnames are resolved via tor instead of your system's DNS resolution, thus preventing DNS leaks.

If you don't have curl on your system, you can just emerge net-misc/curl.

Portage
You can configure Portage to sync its tree and fetch packages via tor. Add the following to :

All the extra quoting is necessary. Have a look at "man curl" for more customization options.

Curl doesn't follow 302 redirect by default (cf. ). Pass -L to enable that behaviour.

cannot be used to update the Portage tree via tor, because rsync cannot use socks proxy. In order to sync the Portage tree via tor, use the command:

This fetches the portage tree snapshot over http. The added advantage is that you can configure emerge-webrsync to additionally verify the cryptographic signature of the portage tree, which cannot be achieved when using. Such verification is explained in the Gentoo Handbook.

Installing or updating is done as usual, e.g.:

app-crypt/gnupg
Users who use cryptografic Portage tree verification can refresh Gentoo keys over Tor. Add 'use-tor' to your dirmngr.conf: echo use-tor >> /var/lib/gentoo/gkeys/keyrings/gentoo/release/dirmngr.conf killall dirmngr Then you can refresh expired Gentoo keys over Tor: gpg -v --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys Unfortunately currently (app-crypt/gnupg-2.2.10) there is no option for specifying Tor port, so you need the standard SOCKSPort 9050 in your /etc/tor/torrc.

Check if using Tor
Visit: https://check.torproject.org/

There is a lots of site in Internet for testing your anonymity. One of the best is whoer.net. Another nice one: ipleak.net. To hide more information, you can try disable: Javascript, Flash, Java, ActiveX, WebRTC. For hide HTML headers use Random Agent Spoofer and/or net-proxy/privoxy. Some mozila addons also may keep you privacy Request Policy, Privacy Badger and others...

For web browsing, you should just get Tor Browser from https://torproject.org. Change the security slider if you want, but you should not start adding "privacy" addons. The more you change in your browser, the more you'll stand out from the crowd.

Checking for network leaks
Tor is a great tool for enhancing your privacy in many situations. Unfortunately, it is a common misconception that it makes you always 100% anonymous. Unfortunately it's not so. Let's have a brief look at how our privacy has changed now that we have tor up and running.

Local network admin or ISP
These people can no longer easily see which other hosts you contact.

However, this only works for programs which were configured to use tor and do not leak DNS requests. So remember that you might have some non-tor traffic due to other browsers, email, IRC, instant messenger, video conferencing, games, bittorrent, bitcoin, remote desktop, other machines NATing through your box, and all other network software.

Even though your ISP cannot see exactly what you do while using tor, they can still see that you USE tor, and WHEN and HOW MUCH you download and upload via tor. Let's say there is a website under an adversary's observation. The adversary can see that someone accessed it via tor to download 2670kB at 9:22AM, upload 340kB at 9:27AM and download 9885kB at 9:31AM. If it was you, your ISP can see that at these precise times your tor activity was almost the same size. Then if the adversary observing the website can also get your traffic summary from your ISP, it will be obvious for them that it was you accessing the website. Just a few timestamps like this can identify you as the user beyond any doubt. A solution is to have lots of tor traffic entering and leaving your system at all times. Therefore it is highly advisable to configure tor to also act as a relay.

Machine admin
If some other people have administrative privileges on your machine, or gain your or root's privileges through an attack, they can easily monitor all you do, type, and browse, as you do it, or later by inspecting your history, and it doesn't help at all that you use tor. Therefore, make sure to administer your system yourself and treat security as an important constituent of remaining anonymous.

Attackers with physical access
It's as easy to install e.g. a small hardware keylogger as it was before using tor, so no privacy gains here.

The websites/services you connect to
Perhaps surprisingly, you didn't gain almost any extra privacy by using tor. Let us consider the websites you browse. From their point of view the only thing that has changed about you is your IP address. However, the IP address has never been used as a very useful tool to track and spy on users. This is because the vast majority of Internet users either have a dynamic IP address or share one with a large number of other users. Therefore the parties interested in tracking and spying on you have developed amazingly advanced techniques to knowing who you are and what you do online without knowing your IP address. Some of the most obvious tracking techniques are:
 * Cookies, supercookies, DOM/HTML5 storage. If you enable them, you can be very easily tracked. Solution: never ever enable cookies while using tor.
 * Browser fingerprinting. Your browser is sending huge amount of information about your system to any website you visit, making you uniquely identifiable. For an illustration, visit panopticlick.eff.org. As a note, this is true not only for browsers, but for other protocol clients as well. Solution: you may try some privacy plugins for your browser, or a special privacy-oriented browser.
 * JavaScript or other browser-native scripting. Scripts running in the browser can gather enormous amount of information about your system, making you uniquely identifiable. For an example, open your browser's JS developer tools (F12 in Firefox) and have a look at the 'navigator' built-in variable. Also whenever you type, websites can monitor the precise timing of your keystrokes to create your typing fingerprint. Such a fingerprint is very unique and if compared with your known typing fingerprint, it can identify you as the user. The same goes for mouse movements over the browser window as you browse. Solution: disable JavaScript in your browser.
 * Java. Many orders of magnitude worse than JavaScript. A signed Java applet has access to your filesystem, and can read and write files without asking for permission. It can also figure out your real IP (that's what we tried to hide with tor), create sockets, or send your files to some server without your knowledge. Solution: under no circumstance install Java for your browser.
 * Flash. Similar to Java, but in practice it's a bigger threat simply because so many websites require Flash, which forces many users to install it. It's just as large privacy threat as Java. Solution: under no circumstance install Flash. Beware, some browsers could come with Flash preinstalled, avoid those.
 * Geolocation. Websites can ask the browser to provide your geographic location. Solution: disable geolocation in your browser.
 * HTTP headers. Some headers like Referer or ETag are used to track you as you browse between various websites. Solution: Referer header can be disabled in Firefox in about:config, by setting network.http.sendRefererHeader to 0. FIXME: Any ETag solutions?
 * Login. As soon as you log in to any service, your whole anonymity is gone and your tor connection becomes identified as yours. Solution: Never ever log in to web mail, social network, or any other website while using tor. It might be a better idea to run another browser not via tor for the websites where you need to log in. Never use the same browser for both tor and non-tor traffic.
 * Browsers' bugs. Browsers have a lot of bugs that reduce or eliminate your privacy, and people who track and spy on you use them. Examples include a search giant using cookie preferences bug to set cookies even though disabled, or recent Chrome's bug that allows a website to access your microphone and monitor what you say: https://tech.slashdot.org/story/14/01/22/2156235/chrome-bugs-lets-sites-listen-to-your-private-conversations

This list is by no means exhaustive.

As you can see, just these most obvious techniques allow a website to easily identify you, no matter what your IP address appears to be.

Tips
Here are some tips to remain anonymous while using tor:


 * Advertisers and social media. This is by far the most widespread privacy threat faced on the web, simply because of the coverage. Almost all popular websites display ads from some giant ad provider. Similarly most websites include small pieces of code from many social networks, e.g. to display the "like" buttons, microblogging links, "login with FooBar" authentication dialogs, etc. This means that these few Internet giants have their code injected into almost any website people visit. This way they can easily track and spy on anyone visiting almost any website. Some other institutions are known to tap into this tracking/spying datastream. It's relatively difficult to eliminate this threat. Most of the ads can be blocked by an ad blocking browser plugin. Similarly, plugins may exist for your browser, which eliminate social network components, external authentication, and other third-party content.
 * Browsers' extensions. Some of the extensions that can be installed in browsers can in fact track you. E.g. social network integration plugins, extensions that observe your browsing, etc.
 * Browsers' usage statistics. Some browsers gather info about your browsing habits and send them to the developers. In Firefox this can be disabled in Preferences > Advanced > Data Choices.
 * Custom links. Let's say a friend uses a website to invite you to do something. Then the website sends you an email with a link like this: website.domain/enGm7IKS. By opening the link, your tor connection has been identified to be yours, because the enGm7IKS part is unique for your email address.
 * Tor attacks. There are a number of known attacks that can detorify you. E.g. if the adversary controls both your entry and exit node for tor network, they could after some time correlate your common activities and figure out who you are.
 * Sometimes just the fact that you use tor makes you quite special: https://yro.slashdot.org/story/13/12/18/047246/harvard-bomb-hoax-perpetrator-caught-despite-tor-use

Remember, some institutions having smart people and billions of dollars at their disposal are in the business of tracking and spying on you. This includes oppressive regimes, advertising giants, social networks, etc. The revelations coming from whistle-blowers have shown us the extent of some of the current surveillance. If you want to protect your privacy and remain anonymous, you have still a lot to do. Remain extra-paranoid. Above all please educate yourself about how the tor network works, what are the common problems, and what could be done to prevent it. Also, read about some recent government attacks on the tor network. In some countries most tor nodes might be run by an adversary. Also, read about browser fingerprinting and what could be done to prevent it. Find out about other non-tor-related privacy attacks. The privacy war will be a life-long one against giant opponents, and you are never done. Welcome aboard and good luck.