Tor
Tor is an onion routing Internet anonymity system.
Installation
USE flags
USE flags for net-vpn/tor (Anonymizing overlay network for TCP)
+man          | Build and install man pages
+server       | Enable tor's relay module so it can operate as a relay/bridge/authority
caps          | Use Linux capabilities library to control privilege
doc           | Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
lzma          | Support for LZMA compression algorithm
scrypt        | Use app-crypt/libscrypt for the scrypt algorithm
seccomp       | Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs
selinux       | !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
systemd       | Enable use of systemd-specific libraries and features like socket activation or session tracking
test          | Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
tor-hardening | Compile tor with hardening on vanilla compilers/linkers
verify-sig    | Verify upstream signatures on distfiles
zstd          | Enable support for ZSTD compression
Emerge
For Web browsing via Tor, an easy alternative is the official portable Tor Browser. Even if also using Tor for other purposes, when web browsing over Tor always use Tor Browser.
root # emerge --ask net-vpn/tor
Tor Browser requires Wayland to avoid Firefox Bug 1746715, which prevents Tor Browser from running.
Configuration
net-vpn/tor ships with a minimal configuration at /etc/tor/torrc, which works out of the box:
User tor
PIDFile /run/tor/tor.pid
Log notice syslog
DataDirectory /var/lib/tor/data
This configuration runs a SOCKS5 proxy listening on 127.0.0.1:9050 (the default SocksPort).
Configuration option descriptions are available in the manual pages, and can be read with: man tor.
Sandbox
Tor has its own sandbox feature (built on seccomp). It can limit the damage to the system if the Tor process itself is compromised.
When enabled, the following options cannot be changed once tor is running:
- Address
- ConnLimit
- CookieAuthFile
- DirPortFrontPage
- ExtORPortCookieAuthFile
- Logs
- ServerDNSResolvConfFile
- ClientOnionAuthDir
Additionally, usage of the "GETINFO address" command through the ControlPort is disabled.
If using %include directives in the tor configuration, configuration reloading is disallowed if new configuration files or directories have been added while Sandbox mode is enabled.
To use the Sandbox, Tor must be built with the seccomp USE flag:
# Build Tor with libseccomp for sandbox
net-vpn/tor seccomp
If this USE flag was not already enabled, net-vpn/tor can be rebuilt with:
root # emerge --ask tor
Finally, Sandbox 1 can be added to /etc/tor/torrc:
Sandbox 1
Disabling non-Tor traffic
The following iptables rules prevent non-Tor traffic from leaving the host and drop all new inbound connections, for the case where the host is used purely as a Tor client:
root # iptables -F
root # iptables -P OUTPUT DROP
root # iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
root # iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
root # iptables -P INPUT DROP
root # iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
root # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
And to flush these and any other existing rules:
root # iptables -F
root # iptables -X
Rules for Tor circuits
These options may significantly reduce the total number of usable relays. Modifying the default parameters is unwise. Using an exit node in a country with a prominent intelligence agency should pose very little extra risk -- the same risks exist with any exit node. Any exit node can capture sensitive information transmitted in plaintext.
GeoIP is inherently unreliable, see DeTor.
In the following examples, connections to ECHELON and Five Eyes will be restricted to varying degrees.
Australia (au), Canada (ca), Great Britain (gb), New Zealand (nz), and the United States (us) make up the Five Eyes.
Restrict exit nodes
To restrict exit traffic from using nodes from these countries:
ExcludeExitNodes {au}, {ca}, {gb}, {nz}, {us}
Node fingerprints or IPv4 and IPv6 addresses/networks can be used instead of country codes.
Restrict node count
To treat nodes from these countries as if they are a single organization:
NodeFamily {au}, {ca}, {gb}, {nz}, {us}
Restrict traffic entirely
To entirely disallow traffic through or to nodes from these countries:
StrictNodes 1 # Force ExcludeNodes to all circuits, even if it breaks functionality
ExcludeNodes {au}, {ca}, {gb}, {nz}, {us}
StrictNodes only applies to ExcludeNodes, not ExcludeExitNodes, ExitNodes, MiddleNodes, or MapAddress.
Outbound Node Firewall
Only do this if absolutely necessary, as it will greatly decrease the number of connectable nodes.
If the network where Tor is being used is restricted, such that traffic is only allowed to certain IPs or ports, ReachableAddresses can be configured so Tor only attempts outbound connections matching the defined criteria:
# A comma-separated list of IP addresses and ports that your firewall allows you to connect to.
ReachableAddresses *:443, *:80
ReachableAddresses can be configured using the same format as ExitPolicy.
ReachableAddresses reject *:* is implied as a final rule when accepted ranges are defined.
Stream isolation
The user might not want to mix GPG traffic with web browser traffic or to mix irssi circuits with bitcoin wallet circuits. In all cases an exit node can make correlation between separate activities. Stream isolation provides an easy way to separate different Tor circuits and make different applications use isolated streams.
By default, multiple *Port lines (SocksPort, DNSPort, TransPort) will never share circuits. To do stream isolation on a single *Port option, one might add one or more of the following isolation flags to *Port options: IsolateClientAddr, IsolateSOCKSAuth, IsolateClientProtocol, IsolateDestPort, IsolateDestAddr.
Some are enabled by default already, and more isolation flags do not necessarily mean more security/anonymity/privacy. To see the most up-to-date list of stream isolation flags, see `man tor`.
So, to ensure that the GPG client and the instant messenger do not put streams on the same circuit, the easiest procedure is to add the following to torrc and point each application at its own SocksPort.
# gpg client
SocksPort 127.0.0.1:9100
# instant messenger
SocksPort 127.0.0.1:9150
# More isolation:
SOCKSPort 9200 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
# etc...
Running a relay
As of Tor 0.4.6.1-alpha, non-authoritative relays will not publish their DirPort, but it can still be used to serve a configured DirPortFrontPage.
To configure tor to run as a relay, define ORPort:
ORPort 9001
Running an Exit
Please read tips for running an exit node before even considering running an exit!!
Relays can be configured to forward exit traffic by setting ExitRelay 1 or by configuring an exit policy:
ORPort 9001
ReducedExitPolicy 1
By default, the relay will not act as an exit unless ExitPolicy, ReducedExitPolicy, or IPv6Exit is set.
Running a Hidden service
Running a Tor hidden service is easy, simply configure the following:
- HiddenServiceDir - Path to the directory used to store hidden service keys.
- HiddenServicePort - The first argument is the virtual port exposed on the Tor network; the second is the local target (address:port) that traffic is forwarded to.
HiddenServiceDir /var/lib/tor/data/hiddenservice
HiddenServicePort 80 127.0.0.1:80
Multiple HiddenServicePorts can be defined per HiddenServiceDir; HiddenServicePorts apply to the last defined HiddenServiceDir.
The onion hostname will be generated at /var/lib/tor/data/hiddenservice/hostname once the service is running.
Service
OpenRC
To start immediately:
root # rc-service tor start
To start the Tor service on system boot, add it to the default runlevel:
root # rc-update add tor default
systemd
To start immediately:
root # systemctl start tor.service
To start the Tor service on system boot:
root # systemctl enable tor.service
Application Proxy Configuration
Browsers
Any browser via PAC file
A PAC file can delegate browser requests to different proxies. Here, connections to localhost are handled directly (no proxy), eepsites (.i2p hosts) are handled by the I2P proxy on port 4444, and all other traffic goes via the Tor SOCKS proxy on port 9050.
function FindProxyForURL(url, host)
{
    // Local hosts: connect directly, never through a proxy.
    if (host.match(/^(localhost|127[.]0[.]0[.]1|192[.]168[.]1[.]1)$/))
        return 'DIRECT';
    // Eepsites: hand over to the I2P proxy.
    if (host.match(/[.]i2p$/))
        return 'PROXY 127.0.0.1:4444';
    // Everything else: Tor SOCKS proxy.
    return 'SOCKS 127.0.0.1:9050';
}
Save this file as /usr/local/proxy.pac, and point the browser to it. Most browsers accept a proxy configuration URL, where one can specify file:///usr/local/proxy.pac.
Firefox
Hamburger menu > Settings > General > Network Settings
Select manual proxy configuration and set:
- HTTP proxy: (empty), port: 0
- SSL proxy: (empty), port: 0
- FTP proxy: (empty), port: 0
- SOCKS host: 127.0.0.1, port: 9050
- check SOCKS v4
- No Proxy for: localhost, 127.0.0.1
'SOCKS v4' is actually SOCKS 4a internally. SOCKS v5 needs more configuration for safe DNS handling.
Type about:config into the URL bar and set the following:
network.proxy.socks_remote_dns true
network.dns.disablePrefetch true
network.dns.disableIPv6 true
This way Firefox will resolve host names via Tor, preventing DNS leaks.
media.peerconnection.enabled false
This prevents leaking the system IP address through WebRTC requests.
SSH
net-misc/openssh doesn't have any native support for SOCKS5, so install net-analyzer/openbsd-netcat and modify the SSH config. It is possible with net-analyzer/netcat also but the configuration below uses flags specific to the OpenBSD variant.
root # emerge --ask net-analyzer/openbsd-netcat
For all hosts:
Host *
    # Tell SSH to pass its connections through netcat, using a SOCKS5 proxy at 127.0.0.1:9050 (Tor default).
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    # Privacy protections
    # Prevent SSH from offering every public key it knows to the remote server, which could reveal your identity
    ForwardAgent no
    IdentitiesOnly yes
    # Reuse one connection per server to avoid expensive reconnections
    # To bypass this for one session, invoke ssh as: ssh -o 'ControlMaster no' ...
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%n:%p
    # Compression for low bandwidth links (like Tor)
    Compression yes
For a specific host:
Host yourserver.com
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
For .onion addresses only:
Host *.onion
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
git
Since git can use either SSH or HTTP(S) to fetch data, the proxy setup is dependent on the URL.
For SSH fetching, e.g. git@foo.example:vcs.git, follow the SSH example above for this server.
For HTTP fetching, set the configuration[1]:
user $ git config --global http.proxy socks5://127.0.0.1:9050
DNS
Some applications may leak DNS requests. The easiest way to check if this really happens is to look at system logs.
user $ sudo tail -f /var/log/messages
If an application is configured correctly, nothing shows in the logs. Below is an example of the message logged for a misconfigured application, or for a web page that stores links in the form of IP addresses:
Oct 14 14:44:44 localhost Tor[666]: Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.
To see this warning being triggered, give an application an IP address instead of a domain name, for example one obtained by running the tor-resolve command.
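Watching the log by hand does not scale, so here is an added example (not from the wiki page) that scans syslog text for the warning quoted above, extracts the SOCKS variant and destination port from each hit, and counts them per (variant, port) so the offending application can be identified by the service it talks to. The log lines are constructed for the example.

```python
"""Detect Tor's 'giving Tor only an IP address' warnings in syslog output."""
import re
from collections import Counter

# Matches the warning text as quoted on the page; Tor[<pid>] is the syslog tag.
LEAK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ Tor\[\d+\]: "
    r"Your application \(using (?P<socks>socks\w+) to port (?P<port>\d+)\) "
    r"is giving Tor only an IP address"
)

# Constructed sample: two warnings around an unrelated bootstrap message.
SAMPLE_LOG = """\
Oct 14 14:44:44 localhost Tor[666]: Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.
Oct 14 14:45:01 localhost Tor[666]: Bootstrapped 100% (done): Done
Oct 14 14:46:10 localhost Tor[666]: Your application (using socks4 to port 443) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.
"""


def find_ip_only_requests(log_text: str) -> list:
    """Return one dict per warning: timestamp, SOCKS variant, destination port."""
    hits = []
    for line in log_text.splitlines():
        m = LEAK_RE.match(line)
        if m:
            hits.append({"ts": m["ts"], "socks": m["socks"], "port": int(m["port"])})
    return hits


def summarize(hits: list) -> Counter:
    """Count warnings per (SOCKS variant, destination port). A burst on one
    port usually points at one misconfigured client; a single hit may just
    be a page that links to a raw IP address."""
    return Counter((h["socks"], h["port"]) for h in hits)


if __name__ == "__main__":
    found = find_ip_only_requests(SAMPLE_LOG)
    for key, n in summarize(found).items():
        print(f"{key[0]} -> port {key[1]}: {n} warning(s)")
```

In practice feed it the output of tail -f /var/log/messages (or journalctl -u tor) instead of SAMPLE_LOG.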
DNS Resolver
Tor can work like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records. MX and NS queries are never answered.
To enable the built-in DNS resolver, add the following lines to the /etc/tor/torrc file and restart the daemon:
...
## Torified DNS
DNSPort 127.0.0.1:9053
AutomapHostsOnResolve 1
Then, to prevent DNS leaks, make Tor the ONLY system default DNS resolver in /etc/resolv.conf:
nameserver 127.0.0.1
If using dhcpcd, then change its settings in /etc/dhcpcd.conf so it does not alter the resolv.conf configuration file:
nohook resolv.conf
If using pppoe, then change its settings in /etc/ppp/pppoe.conf so it does not alter the resolv.conf configuration file:
DNSTYPE=NOCHANGE
Finally, redirect ALL DNS requests on the system from port 53 to 127.0.0.1:9053, where the Tor DNS resolver listens. Redirect any DNS to the local (torified) nameserver:
root # iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
root # iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
If also using IPv6, do the same for ip6tables. When done using Tor, to disable the aforementioned rules use:
root # iptables -t nat -F
root # iptables -t nat -X
This also disables any other existing NAT rules.
torsocks
root # emerge --ask net-proxy/torsocks
For applications lacking support for proxies or Tor, the torsocks command can force their traffic through the Tor network, as in torsocks irssi -c irc.afraidirc.net or torify irssi -c mqctemuqfc3tp5ji.onion.
Transparent Tor Proxy
Tor can work like a transparent proxy.
To enable built-in transparent proxy add the following lines to the /etc/tor/torrc file and restart the daemon:
...
## Transparent proxy
TransPort 127.0.0.1:9040
Finally, redirect ALL non-Tor outgoing traffic to a Tor transparent proxy:
root # iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040
Simple command-line file downloading
The popular wget utility cannot talk to a SOCKS proxy. However, net-misc/curl can download any resource located at a given URL over Tor and save it to FILE using:
user $ curl --socks5-hostname 127.0.0.1:9050 -o FILE URL
The --socks5-hostname option means that hostnames are resolved via Tor instead of the system's DNS resolver, thus preventing DNS leaks.
Portage
Portage can be configured to sync its tree and fetch packages via Tor. Add the following to /etc/portage/make.conf:
FETCHCOMMAND="curl --socks5-hostname 127.0.0.1:9050 --retry 3 --connect-timeout 60 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
RESUMECOMMAND="curl -C - --socks5-hostname 127.0.0.1:9050 --retry 3 --connect-timeout 60 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
All the extra quoting is necessary. Have a look at man curl for more customization options.
Curl doesn't follow 302 redirect by default (cf. bug #543268). Pass -L to enable that behaviour.
emerge --sync cannot be used to update the Portage tree via Tor, because rsync cannot use a SOCKS proxy. In order to sync the Portage tree via Tor, use the command:
root # emerge-webrsync
This fetches the portage tree snapshot over HTTP. Additionally, emerge-webrsync can be configured to verify the cryptographic signature of the gentoo repository. Such verification is explained in the Gentoo Handbook. One negative effect is that only daily repository snapshots are retrieved. Issues that are fixed in the interim will not be available until the following daily snapshot.
Installing or updating is done as usual, e.g.:
root # emerge --ask some-package
Troubleshooting
Check if using Tor
Visit: https://check.torproject.org/
For web browsing, just get Tor Browser from https://torproject.org. Change the security slider if desired, but do not add "privacy" add-ons. The more the browser is changed, the more it stands out from the crowd.
Many websites can test anonymity. One of the best is whoer.net. Another nice one: ipleak.net.
To hide more information with a generic web browser, one can try disabling JavaScript and WebRTC. To hide HTTP headers, use Random Agent Spoofer (https://prism-break.org/en/projects/random-agent-spoofer/) and/or net-proxy/privoxy. Some useful Mozilla add-ons include Request Policy, Privacy Badger and others.
Checking for network leaks
Tor is a great tool for enhancing privacy in many situations, but, contrary to common belief, it does not guarantee 100% anonymity. Let's have a brief look at how privacy changes with Tor up and running.
Local network admin or ISP
These people can no longer easily see which other hosts the user contacts.
However, this only works for programs which were configured to use Tor and do not leak DNS requests. There might be some non-Tor traffic due to other browsers, email, IRC, instant messenger, video conferencing, games, BitTorrent, bitcoin, remote desktop, other machines NATing through the user's box, and all other network software.
Even though the ISP cannot see exactly what is done through Tor, they can still detect Tor USAGE, and WHEN and HOW MUCH data is downloaded and uploaded via Tor. Let's say an adversary is observing a website. They can see that user X accessed it via Tor to download 2670kB at 9:22AM, upload 340kB at 9:27AM and download 9885kB at 9:31AM. The ISP can see that at these precise times user Y's Tor activity was almost the same size. Then if the adversary observing the website can also get that ISP traffic summary, they can determine X and Y are the same. Just a few timestamps like this can connect the identities beyond doubt. A solution is to have lots of Tor traffic entering and leaving the user's system at all times.
Machine admin
If some other people have administrative privileges on the user's machine, or gain her user or root's privileges through an attack, they can easily monitor all she does, type, and browse, in real time, or later by inspecting history, and then Tor doesn't help. Therefore, make sure to administer the system yourself and treat security as an important constituent of anonymity.
Attackers with physical access
It's as easy to install e.g. a small hardware key logger as it was before using Tor, so no privacy gains here.
The websites/services to which the user connects
From the websites browsed by the user, Tor only hides the IP address. However, the IP address has never been a very useful tool for tracking and spying on users: the vast majority of Internet users have a dynamic IP address or share one with a large number of other users. Therefore the parties interested in tracking and spying have developed amazingly advanced fingerprinting and tracking techniques that do not need the IP address. Some of the most obvious tracking techniques are:
- Cookies, supercookies, DOM/HTML5 storage easily track users. Solution: never enable cookies while using Tor.
- Browser fingerprinting. Your browser sends a huge amount of system information to any visited website, thus identifying the user. For an illustration, visit panopticlick.eff.org. The same applies to other protocol clients. Solution: use a special privacy-oriented browser (Tor Browser) or try some privacy plugins for your generic browser.
- JavaScript or other browser-native scripting. Scripts running in the browser can gather an enormous amount of system information, thus identifying the user. For an example, open the browser's JS developer tools (F12 in Firefox) and look at the 'navigator' built-in variable. Websites can also monitor the precise timing of keystrokes to create a typing fingerprint. The same goes for mouse movements over the browser window while browsing. Solution: disable JavaScript in your browser.
- Geolocation. Websites can ask the browser for geographic location. Solution: disable geolocation in your browser.
- HTTP headers. Some headers like Referer or ETag track the user as she browses between various websites. Solution: Referer header can be disabled in Firefox in about:config, by setting network.http.sendRefererHeader to 0. FIXME: Any ETag solutions?
- Login. Logging in to any service connects that account with the Tor connection. Solution: Never ever log in to web mail, social network, or any other website while using Tor. It might be better to run another browser not via Tor for the websites where log in is needed. Never use the same browser for both Tor and non-Tor traffic.
- Browsers' bugs. Browsers have a lot of bugs that trackers and spies use to weaken or bypass privacy protections. Examples include a search giant using a cookie-preferences bug to set cookies even though they were disabled, or a Chrome bug that allowed a website to access the microphone and monitor speech: https://tech.slashdot.org/story/14/01/22/2156235/chrome-bugs-lets-sites-listen-to-your-private-conversations
- Java. Far worse than JavaScript. A signed Java applet has access to the filesystem, and can read and write files without asking for permission. It can also figure out the IP address which Tor tries to hide, create sockets, or send files to some server without the user's knowledge. Solution: never install Java for the browser. FIXME: major web browsers have long ago discontinued Java plugin support as of July 2024?
- Flash. Just as large privacy threat as Java. Solution: Never install Flash. Avoid any browser with it preinstalled. Note that Flash Player was officially discontinued on 31 December 2020, and its download page was removed two days later. Since 12 January 2021, Flash Player (original global variants) versions newer than 32.0.0.371, released in May 2020, refuse to play Flash content and instead display a static warning message. The software remained supported in mainland China and in some enterprise variants until 2022.
This list is not exhaustive.
Tips
Here are some tips to remain anonymous while using Tor:
- Advertisers and social media. This is by far the most widespread privacy threat faced on the web, simply because of its coverage. Almost all popular websites display ads from some giant ad provider. Similarly, most websites include small pieces of code from many social networks, e.g. to display "like" buttons, microblogging links, "login with FooBar" authentication dialogs, etc. These few Internet giants have their code injected into almost any website people visit. This way they can easily track and spy on anyone visiting almost any website. Some other institutions are known to tap into this tracking/spying datastream. It is relatively difficult to eliminate this threat. Most ads can be blocked by ad-blocking browser add-ons. Similarly, browser add-ons may eliminate social network components, external authentication, and other third-party content.
- Browsers' extensions. Some of the extensions that can be installed in browsers can in fact track the user. E.g. social network integration plugins, extensions that observe your browsing, etc.
- Browsers' usage statistics. Some browsers gather info about the user's browsing habits and send them to the developers. In Firefox this can be disabled in Settings > Privacy and Security > Firefox Data Collection and Use.
- Custom links. Let's say a friend uses a website to invite the user to do something. Then the website sends her an email with a link like website.domain/enGm7IKS. By opening the link, her Tor connection has been identified to be hers, because the enGm7IKS part is unique for her email address.
- Tor attacks. There are known attacks that can detorify the user. E.g. if the adversary controls both her entry and exit nodes for Tor network, they could after some time correlate her common activities and figure out who she is.
- Sometimes just using Tor makes the user quite special: https://yro.slashdot.org/story/13/12/18/047246/harvard-bomb-hoax-perpetrator-caught-despite-tor-use
Some institutions with smart people and billions of dollars at their disposal are in the business of tracking and spying on users. This includes advertising giants, social networks and states. The revelations coming from whistle-blowers have shown us the extent of some of the current surveillance. To protect privacy and anonymity, a lot more is necessary. Remain paranoid. Above all, please educate yourself about how the Tor network works, what the common problems are, and what can be done to prevent them. Also, read about some recent state attacks on the Tor network. In some countries most Tor nodes might be run by an adversary. Also, read about browser fingerprinting and how it can be prevented. Find out about other non-Tor-related privacy attacks. The privacy war will be a life-long one against giant opponents. Welcome aboard and good luck.
See also
- I2P — an anonymous network, similar to Tor.
- Usenet — a federated and decentralized worldwide Internet forum and the world's oldest digital social network