From Gentoo Wiki
Jump to: navigation, search

Tor is an onion routing internet anonymity system.


USE flags

USE flags for net-vpn/tor Anonymizing overlay network for TCP

libressl Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag global
lzma Support for LZMA (de)compression algorithm global
scrypt Use app-crypt/libscrypt for the scrypt algorithm local
seccomp Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs global
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur global
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking global
test Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore global
tor-hardening Compile tor with hardening on vanilla compilers/linkers local
web Build a tor2web service instead of a tor client local
zstd Use app-arch/zstd for compression local

Do not enable "web" unless you know what tor2web mode is and you really want it.


Install net-vpn/tor:

root #emerge --ask net-vpn/tor
If you only need to browse the Web via Tor, an easy alternative is to use the official portable Tor Browser. Even if you want to use Tor for other purposes, when you want to browse the web over Tor, you should always use Tor Browser.


Tor ships with a minimal configuration in /etc/tor/torrc so that it works out of the box:

FILE /etc/tor/torrc
User tor
PIDFile /var/run/tor/
Log notice syslog
DataDirectory /var/lib/tor/data



To start immediately:

root #rc-service tor start

To start the tor service on system boot, add it to the default runlevel:

root #rc-update add tor default


To start immediately:

root #systemctl start tor.service

To start the tor service on system boot:

root #systemctl enable tor.service

Emerge messages

* Messages for package net-misc/tor-
* We created a configuration file for tor, /etc/tor/torrc, but you can
* change it according to your needs.  Use the torrc.sample that is in
* that directory as a guide.  Also, to have privoxy work with tor
* just add the following line
* forward-socks4a / localhost:9050 .
* to /etc/privoxy/config.  Notice the . at the end!



You should be using Tor Browser from instead.

Edit > Preferences

Advanced > Network > Settings

manual proxy configuration:
http proxy           port: 0
ssl proxy            port: 0
ftp proxy            port: 0
socks host port: 9050
check SOCKS v4
No Proxy for: localhost,

'SOCKS v4' is actually SOCKS 4a internally. SOCKS v5 needs more configuration for safe DNS, explained here.

Type about:config into the URL textbox and set the following:

network.proxy.socks_remote_dns    true
network.dns.disablePrefetch       true
network.dns.disableIPv6           true

This way Firefox will resolve host names via tor, which prevents DNS leaks.

media.peerconnection.enabled    false

This prevents leaking the system ip address through WebRTC requests.


Use libsoup 2.42.2 or newer and xombrero 1.6.0 or newer in order to use a socks proxy directly.

Edit .xombrero.conf by adding the following lines:

FILE .xombrero.conf
# Browser mode, MUST be the first entry in this file
browser_mode			=	whitelist
# Proxy settings
http_proxy			=	socks5://
http_proxy_starts_enabled	=	1
# Homepage
home				=
# Disable F2 so as not to toggle proxy settings by accident
keybinding			=	tabnew,F2
# Work directory (mount /tmp as tmpfs)
work_dir			=	/tmp/.xombrero
# Download directory
download_dir			=	/tmp/downloads
Disable the geoloc and jit USE flags in webkit-gtk, which xombrero depends on. The geoloc USE flag enables geolocation support through the app-misc/geoclue package. The jit USE flag prevents use of some PaX memory protection features in Gentoo Hardened. It is also possible to compile webkit-gtk with all USE flags disabled.

Optionally, it is possible to set different string values to the user_agent and http_accept variables. There are two files with user_agent string and http_accept headers in xombrero source code folder: user-agent-headers and http-accept-headers. These strings can be easily selected and added to the {Path|.xombrero.conf}} file with the following commands:

user $cat user-agent-headers | grep Linux | shuf -n 1 >> .xombrero.conf
user $cat http-accept-headers | shuf -n 1 >> .xombrero.conf
Your browser fingerprint may be unique! Choose a more common user_agent/http_accept combination if this is a problem for you.


openssh doesn't have any native support for SOCKS5, so you will need to install openbsd-netcat. You'll need to modify your SSH config too. It is possible with netcat' also but the configuration below uses flags specific to the OpenBSD variant.

root #emerge --ask net-analyzer/openbsd-netcat

For all hosts:

FILE ~/.ssh/config
Host *
	# Tell SSH to pass its connections through netcat, using a SOCKS5 proxy at (tor default).
	ProxyCommand nc -X 5 -x %h %p

	# Privacy protections
	# Prevents SSH from telling the remote server about all of your public keys, potentially revealing your ID
	ForwardAgent no
	IdentitiesOnly yes

        # Merges connections to a server to prevent expensive reconnections
        # To avoid this, invoke ssh as: ssh -o 'ControlMaster no' ...
	ControlMaster auto
	ControlPath ~/.ssh/master-%r@%n:%p

        # Compression for low bandwidth lines (like Tor)
	Compression yes

You may prefer to do this for a specific host:

FILE ~/.ssh/config
        ProxyCommand nc -X 5 -x %h %p

You could instead want to only enable the proxy for .onion addresses:

FILE ~/.ssh/config
Host *.onion
        ProxyCommand nc -X 5 -x %h %p


Some applications may leak DNS requests. The easiest way to check if this really happens is to look at system logs.

user $sudo tail -f /var/log/messages

If an application is configured correctly, nothing shows in the logs. Below is an example of a message for a misconfigured application (or for a webpage that stores links in form of IP addresses):

Oct 14 14:44:44 localhost Tor[666]: Your application (using socks5 to port 80) is giving Tor only an IP address. 
Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. 
For more information, please see

In order to check how this works, one needs to give an application an IP address instead of a domain name, retrieved by running the tor-resolve command for example.

DNS Resolver

Tor can work like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records. MX and NS queries are never answered.

To enable the built-in DNS resolver, add the following lines to the /etc/tor/torrc file and restart the daemon:

FILE /etc/tor/torrcTor DNS Resolver
## Torified DNS
AutomapHostsOnResolve 1

Then to prevent leak DNS requests make Tor the ONLY default DNS resolver of you system in /etc/resolv.conf:

FILE /etc/resolv.confLocal Tor DNS Resolver

If you use dhcpd, you will need to change its settings in /etc/dhcpcd.conf so that it does not alter the resolv.conf configuration file:

FILE /etc/dhcpcd.confLocal Tor DNS Resolver
nohook resolv.conf

If you use pppoe, you will need to change its settings in /etc/ppp/pppoe.conf so that it does not alter the resolv.conf configuration file:

FILE /etc/ppp/pppoe.confLocal Tor DNS Resolver

Finally, redirect ALL DNS requests on your system from port 53 to where the Tor DNS listens for requests. Redirect any DNS to the the local (torified) nameserver:

root #iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination
root #iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination

If you also use IPv6, the same has to be done for ip6tables. When done using Tor, to disable the aforementioned rules use:

root #iptables -t nat -F
root #iptables -t nat -X

Notice: this will also disable any other existing NAT rules.

Disabling non-tor traffic

The following iptables rules will prevent non-Tor traffic leaving the host and disable all new connections from outside in case if the host must be configured as a Tor client:

root #iptables -F
root #iptables -P OUTPUT DROP
root #iptables -A OUTPUT -s -d -j ACCEPT
root #iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
root #iptables -P INPUT DROP
root #iptables -A INPUT -s -d -j ACCEPT
root #iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

And to flush these and any other existing rules:

root #iptables -F
root #iptables -X


Only do this if you need to do so

If you want allow Tor use only special addresses you can specify it. For example our firewall allow outgoing connection only through https (443) port, so add to /etc/tor/torrc:

FILE /etc/tor/torrctorrc configuration
# If 1, Tor will only create outgoing connections to ORs running on ports that your firewall allows
FascistFirewall 1
# A comma-separated list of IP addresses and ports that your firewall allows you to connect to.
ReachableAddresses accept *:443, reject *:*
ReachableORAddresses *:443


root #emerge --ask net-proxy/torsocks

For applications which do not support the use of proxies or Tor, you can use the "torsocks" command to force their traffic through the Tor network. (e.g. - torsocks irssi -c or torify irssi -c mqctemuqfc3tp5ji.onion).

Transparent Tor Proxy

Tor can work like a transparent proxy.

To enable built-in transparent proxy add the following lines to the /etc/tor/torrc file and restart the daemon:

FILE /etc/tor/torrcTor Transparent Proxy
## Transparent proxy

Finally, redirect ALL non-tor outgoing trafic to a Tor transparent proxy:

root #iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination

Stream isolation

You might not want to mix GPG traffic with the traffic of a web browser or to mix irssi circuits with the circuits of a bitcoin wallet. In all cases an exit node can make correlation between separate activities. Stream isolation provides an easy way to separate different Tor circuits and make different applications use isolated streams.

By default, multiple *Port lines (SocksPort, DNSPort, TransPort) will never share circuits. If you want to do stream isolation on a single *Port option, you can add one or more of the following isolation flags to *Port options: IsolateClientAddr, IsolateSOCKSAuth, IsolateClientProtocol, IsolateDestPort, IsolateDestAddr.

Note that some are enabled by default already and that more isolation flags does not necessarily mean more security/anonymity/privacy. To see the most up-to-date list of stream isolation flags, see `man tor`.

So if you want to be sure your GPG client and your instant messenger don't put streams on the same circuit, the easiest thing to do is add the following to your torrc and point them at different SocksPorts.

FILE /etc/tor/torrctorrc configuration
# gpg client
# instant messenger
# etc...

Rules for Tor circuits

You may be reducing the total number of relays you can use by a significant amount by using these options. Modifying the parameters set by the Tor developers is not wise; for example, using an exit node in a country with a prominent intelligence agency should pose very little risk - the same risks exist with any exit node. It is instead sensible to avoid sending passwords over HTTP or other unencrypted protocols.
It is likely that you will not actually accomplish what you want when you use these Exclude options. See "DeTor: Provably Avoiding Geographic Regions in Tor" presented at USENIX 2017. Also note that GeoIP isn't necessarily very reliable to begin with.

man tor gives us a good explanation of various useful options. If you want to get away from ECHELON, you may consider adding the following to /etc/tor/torrc:

FILE /etc/tor/torrctorrc configuration
StrictNodes 1
GeoIPExcludeUnknown 1
#ExcludeSingleHopRelays 1
#ExcludeNodes {au}, {ca}, {gb}, {nz}, {us}
ExcludeExitNodes {au}, {ca}, {gb}, {nz}, {us}
NodeFamily {au}, {ca}, {gb}, {nz}, {us}
#UseEntryGuardsAsDirGuards 1
#FastFirstHopPK 0
#AllowSingleHopCircuits 0
#UseNTorHandshake 1
PathsNeededToBuildCircuits 0.95

StrictNodes =1 together with ExcludeNodes {au}, {ca}, {gb}, {nz}, {us} will completely exclude Tor nodes from that country, but we also disallow connection to Tor hidden services located there. So it is better to comment ExcludeNodes or set StrictNodes 0. Also we mark NodeFamily {au}, {ca}, {gb}, {nz}, {us} all that nodes as "single administration" by Five Eyes. Directive NodeFamily can be used multiple times.

EntryNodes and ExitNodes can be used to select spacial nodes for entering end exit from Tor network respectively.

Instead of country codes you can use IPv4, IPv6 addresses and subnets.


Tor has own sandbox features. It may give more protection of your system if Tor is compromised. To turn it on add to /etc/tor/torrc:

FILE /etc/tor/torrctorrc configuration
Sandbox 1

Setting up a hidden service

Setting up a tor hidden service is easy.

All you need to do is add 2 lines to the /etc/tor/torrc configuration file, and make sure your permissions are correct for the data directory.

FILE /etc/tor/torrc
HiddenServiceDir /var/lib/tor/data/hiddenservice
HiddenServicePort 80

The first line tells Tor to insert the public and private keys into the directory specified.

The next line tells Tor to direct traffic on hidden service port 80 to the IP and port specified.

Simple command-line file downloading

The popular wget utility cannot talk to socks proxy. However, you can use the tor network to download any resource located at a given URL and save it in a FILE using curl:

user $curl --socks5-hostname -o FILE URL

The --socks5-hostname means that hostnames are resolved via tor instead of your system's DNS resolution, thus preventing DNS leaks.

If you don't have curl on your system, you can just emerge net-misc/curl.


You can configure Portage to sync its tree and fetch packages via tor. Add the following to /etc/portage/make.conf:

FILE /etc/portage/make.conf
FETCHCOMMAND="curl --socks5-hostname --retry 3 --connect-timeout 60 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
RESUMECOMMAND="curl -C - --socks5-hostname --retry 3 --connect-timeout 60 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""

All the extra quoting is necessary. Have a look at "man curl" for more customization options.

Curl doesn't follow 302 redirect by default (cf. bug #543268). Pass -L to enable that behaviour.

emerge --sync cannot be used to update the Portage tree via tor, because rsync cannot use socks proxy. In order to sync the Portage tree via tor, use the command:

root #emerge-webrsync

This fetches the portage tree snapshot over http. The added advantage is that you can configure emerge-webrsync to additionally verify the cryptographic signature of the portage tree, which cannot be achieved when using emerge --sync. Such verification is explained in the Gentoo Handbook.

Installing or updating is done as usual, e.g.:

root #emerge --ask some-package


Check if using Tor


There is a lots of site in Internet for testing your anonymity. One of the best is Another nice one: To hide more information, you can try disable: Javascript, Flash, Java, ActiveX, WebRTC. For hide HTML headers use Random Agent Spoofer and/or net-proxy/privoxy. Some mozila addons also may keep you privacy Request Policy, Privacy Badger and others...

For web browsing, you should just get Tor Browser from Change the security slider if you want, but you should not start adding "privacy" addons. The more you change in your browser, the more you'll stand out from the crowd.

Checking for network leaks

Tor is a great tool for enhancing your privacy in many situations. Unfortunately, it is a common misconception that it makes you always 100% anonymous. Unfortunately it's not so. Let's have a brief look at how our privacy has changed now that we have tor up and running.

Local network admin or ISP

These people can no longer easily see which other hosts you contact.

However, this only works for programs which were configured to use tor and do not leak DNS requests. So remember that you might have some non-tor traffic due to other browsers, email, IRC, instant messenger, video conferencing, games, bittorrent, bitcoin, remote desktop, other machines NATing through your box, and all other network software.

Even though your ISP cannot see exactly what you do while using tor, they can still see that you USE tor, and WHEN and HOW MUCH you download and upload via tor. Let's say there is a website under an adversary's observation. The adversary can see that someone accessed it via tor to download 2670kB at 9:22AM, upload 340kB at 9:27AM and download 9885kB at 9:31AM. If it was you, your ISP can see that at these precise times your tor activity was almost the same size. Then if the adversary observing the website can also get your traffic summary from your ISP, it will be obvious for them that it was you accessing the website. Just a few timestamps like this can identify you as the user beyond any doubt. A solution is to have lots of tor traffic entering and leaving your system at all times. Therefore it is highly advisable to configure tor to also act as a relay.

Machine admin

If some other people have administrative privileges on your machine, or gain your or root's privileges through an attack, they can easily monitor all you do, type, and browse, as you do it, or later by inspecting your history, and it doesn't help at all that you use tor. Therefore, make sure to administer your system yourself and treat security as an important constituent of remaining anonymous.

Attackers with physical access

It's as easy to install e.g. a small hardware keylogger as it was before using tor, so no privacy gains here.

The websites/services you connect to

Perhaps surprisingly, you didn't gain almost any extra privacy by using tor. Let us consider the websites you browse. From their point of view the only thing that has changed about you is your IP address. However, the IP address has never been used as a very useful tool to track and spy on users. This is because the vast majority of Internet users either have a dynamic IP address or share one with a large number of other users. Therefore the parties interested in tracking and spying on you have developed amazingly advanced techniques to knowing who you are and what you do online without knowing your IP address. Some of the most obvious tracking techniques are:

  • Cookies, supercookies, DOM/HTML5 storage. If you enable them, you can be very easily tracked. Solution: never ever enable cookies while using tor.
  • Browser fingerprinting. Your browser is sending huge amount of information about your system to any website you visit, making you uniquely identifiable. For an illustration, visit As a note, this is true not only for browsers, but for other protocol clients as well. Solution: you may try some privacy plugins for your browser, or a special privacy-oriented browser.
  • JavaScript or other browser-native scripting. Scripts running in the browser can gather enormous amount of information about your system, making you uniquely identifiable. For an example, open your browser's JS developer tools (F12 in Firefox) and have a look at the 'navigator' built-in variable. Also whenever you type, websites can monitor the precise timing of your keystrokes to create your typing fingerprint. Such a fingerprint is very unique and if compared with your known typing fingerprint, it can identify you as the user. The same goes for mouse movements over the browser window as you browse. Solution: disable JavaScript in your browser.
  • Java. Many orders of magnitude worse than JavaScript. A signed Java applet has access to your filesystem, and can read and write files without asking for permission. It can also figure out your real IP (that's what we tried to hide with tor), create sockets, or send your files to some server without your knowledge. Solution: under no circumstance install Java for your browser.
  • Flash. Similar to Java, but in practice it's a bigger threat simply because so many websites require Flash, which forces many users to install it. It's just as large privacy threat as Java. Solution: under no circumstance install Flash. Beware, some browsers could come with Flash preinstalled, avoid those.
  • Geolocation. Websites can ask the browser to provide your geographic location. Solution: disable geolocation in your browser.
  • HTTP headers. Some headers like Referer or ETag are used to track you as you browse between various websites. Solution: Referer header can be disabled in Firefox in about:config, by setting network.http.sendRefererHeader to 0. FIXME: Any ETag solutions?
  • Login. As soon as you log in to any service, your whole anonymity is gone and your tor connection becomes identified as yours. Solution: Never ever log in to web mail, social network, or any other website while using tor. It might be a better idea to run another browser not via tor for the websites where you need to log in. Never use the same browser for both tor and non-tor traffic.
  • Browsers' bugs. Browsers have a lot of bugs that reduce or eliminate your privacy, and people who track and spy on you use them. Examples include a search giant using cookie preferences bug to set cookies even though disabled, or recent Chrome's bug that allows a website to access your microphone and monitor what you say:

This list is by no means exhaustive.

As you can see, just these most obvious techniques allow a website to easily identify you, no matter what your IP address appears to be.


Here are some tips to remain anonymous while using tor:

  • Advertisers and social media. This is by far the most widespread privacy threat faced on the web, simply because of the coverage. Almost all popular websites display ads from some giant ad provider. Similarly most websites include small pieces of code from many social networks, e.g. to display the "like" buttons, microblogging links, "login with FooBar" authentication dialogs, etc. This means that these few Internet giants have their code injected into almost any website people visit. This way they can easily track and spy on anyone visiting almost any website. Some other institutions are known to tap into this tracking/spying datastream. It's relatively difficult to eliminate this threat. Most of the ads can be blocked by an ad blocking browser plugin. Similarly, plugins may exist for your browser, which eliminate social network components, external authentication, and other third-party content.
  • Browsers' extensions. Some of the extensions that can be installed in browsers can in fact track you. E.g. social network integration plugins, extensions that observe your browsing, etc.
  • Browsers' usage statistics. Some browsers gather info about your browsing habits and send them to the developers. In Firefox this can be disabled in Preferences > Advanced > Data Choices.
  • Custom links. Let's say a friend uses a website to invite you to do something. Then the website sends you an email with a link like this: website.domain/enGm7IKS. By opening the link, your tor connection has been identified to be yours, because the enGm7IKS part is unique for your email address.
  • Tor attacks. There are a number of known attacks that can detorify you. E.g. if the adversary controls both your entry and exit node for tor network, they could after some time correlate your common activities and figure out who you are.
  • Sometimes just the fact that you use tor makes you quite special:

Remember, some institutions having smart people and billions of dollars at their disposal are in the business of tracking and spying on you. This includes oppressive regimes, advertising giants, social networks, etc. The revelations coming from whistle-blowers have shown us the extent of some of the current surveillance. If you want to protect your privacy and remain anonymous, you have still a lot to do. Remain extra-paranoid. Above all please educate yourself about how the tor network works, what are the common problems, and what could be done to prevent it. Also, read about some recent government attacks on the tor network. In some countries most tor nodes might be run by an adversary. Also, read about browser fingerprinting and what could be done to prevent it. Find out about other non-tor-related privacy attacks. The privacy war will be a life-long one against giant opponents, and you are never done. Welcome aboard and good luck.

See also

  • I2P - The Invisible Internet Project.