https://wiki.archlinux.org/api.php?action=feedcontributions&user=Usprey&feedformat=atomArchWiki - User contributions [en]2024-03-28T15:22:25ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=User_talk:Usprey&diff=782734User talk:Usprey2023-07-07T16:27:27Z<p>Usprey: /* Template delete */</p>
<hr />
<div>== Template delete ==<br />
<br />
I don't know why you keep deleting [[Template:Style]] I've added. Templates are there to point out flaws in articles so they can be improved upon. If you do not wish this, you are free to place content in your user page, but articles in the main space must comply with [[Help:Style]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:08, 5 December 2014 (UTC)<br />
<br />
: Sorry, fixed. --[[User:Usprey|Usprey]] ([[User talk:Usprey|talk]]) 20:06, 5 December 2014 (UTC)<br />
<br />
::Thank you for your contributions. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 21:38, 5 December 2014 (UTC)</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Wpa_supplicant&diff=441259Wpa supplicant2016-07-13T23:04:45Z<p>Usprey: /* Connecting with wpa_cli */ Added p2p_disabled to basic conf</p>
<hr />
<div>[[Category:Wireless networking]]<br />
[[Category:Network configuration]]<br />
[[es:WPA supplicant]]<br />
[[it:WPA supplicant]]<br />
[[ja:WPA supplicant]]<br />
[[ru:WPA supplicant]]<br />
[[zh-cn:WPA supplicant]]<br />
{{Related articles start}}<br />
{{Related|Network configuration}}<br />
{{Related|Wireless network configuration}}<br />
{{Related articles end}}<br />
<br />
[http://hostap.epitest.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform [[Wikipedia:Supplicant (computer)|supplicant]] with support for WEP, WPA and WPA2 ([[wikipedia:IEEE_802.11i|IEEE 802.11i]] / RSN (Robust Security Network)). It is suitable for desktops, laptops and embedded systems.<br />
<br />
''wpa_supplicant'' is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wireless driver.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|wpa_supplicant}} package.<br />
<br />
Optionally also install {{Pkg|wpa_supplicant_gui}}, which provides ''wpa_gui'', a graphical front-end for ''wpa_supplicant''.<br />
<br />
== Overview ==<br />
<br />
The first step to connect to an encrypted wireless network is having ''wpa_supplicant'' obtain authentication from a WPA authenticator. In order to do this, ''wpa_supplicant'' must be configured so that it will be able to submit the correct credentials to the authenticator.<br />
<br />
Once authentication succeeds, the remaining step is to obtain an IP address for the ''interface'': either set it statically with the [[Core utilities#ip|iproute2]] suite, or let a networking program such as [[systemd-networkd]] or [[dhcpcd]] request one via DHCP. See also the [[Wireless_network_configuration#Systemd_with_wpa_supplicant_and_static_IP|wireless]] and [[Network configuration#Configure the IP address|wired]] network configuration articles for methods and examples.<br />
<br />
== Connecting with wpa_cli ==<br />
<br />
This connection method allows scanning for the available networks, making use of ''wpa_cli'', a command line tool which can be used to interactively configure ''wpa_supplicant'' at runtime. See [http://linux.die.net/man/8/wpa_cli wpa_cli(8)] for details.<br />
<br />
In order to use ''wpa_cli'', ''wpa_supplicant'' must be given a control interface (a Unix socket created under the directory named by {{ic|ctrl_interface}}) and permission to update its configuration file. Wi-Fi Direct (P2P) is disabled as well: it is enabled by default in builds with P2P support and is not needed to connect as a station. Do this by creating a minimal configuration file:<br />
<br />
{{hc|/etc/wpa_supplicant/example.conf|2=<br />
ctrl_interface=/run/wpa_supplicant<br />
update_config=1<br />
p2p_disabled=1<br />
}}<br />
<br />
Now start ''wpa_supplicant'' with:<br />
<br />
# wpa_supplicant -B -i ''interface'' -c /etc/wpa_supplicant/example.conf<br />
<br />
{{Tip|To discover your wireless network interface name, issue the {{ic|ip link}} command.}}<br />
<br />
At this point run:<br />
<br />
# wpa_cli<br />
<br />
This will present an interactive prompt ({{ic|>}}), which has tab completion and descriptions of completed commands.<br />
<br />
{{Tip|The default location of the control socket directory is {{ic|/var/run/wpa_supplicant/}} (a symlink to {{ic|/run/wpa_supplicant/}} on Arch); a custom path can be set with the {{ic|-p}} option to match the ''wpa_supplicant'' configuration. It is also possible to specify the interface to be configured with the {{ic|-i}} option; otherwise the first wireless interface managed by ''wpa_supplicant'' is used. Whoever can write to that socket controls the supplicant, which is why access is limited to root or to the {{ic|ctrl_interface_group}} described in [[#Configuration]].}}<br />
<br />
Use the {{ic|scan}} and {{ic|scan_results}} commands to see the available networks:<br />
<br />
> scan<br />
OK<br />
<3>CTRL-EVENT-SCAN-RESULTS<br />
> scan_results<br />
bssid / frequency / signal level / flags / ssid<br />
00:00:00:00:00:00 2462 -49 [WPA2-PSK-CCMP][ESS] MYSSID<br />
11:11:11:11:11:11 2437 -64 [WPA2-PSK-CCMP][ESS] ANOTHERSSID<br />
<br />
To associate with {{ic|MYSSID}}, add the network, set the credentials and enable it:<br />
<br />
> add_network<br />
0<br />
> set_network 0 ssid "MYSSID"<br />
> set_network 0 psk "passphrase"<br />
> enable_network 0<br />
<2>CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed (reauth) [id=0 id_str=]<br />
<br />
If the SSID does not have password authentication, you must explicitly configure the network as keyless by replacing the command {{ic|set_network 0 psk "passphrase"}} with {{ic|set_network 0 key_mgmt NONE}}.<br />
<br />
{{Note|<br />
* Each network is indexed numerically, so the first network will have index 0.<br />
* The [[wikipedia:Pre-shared_key|PSK]] is computed from the ''quoted'' "passphrase" string, as also shown by the [[#Connecting with wpa_passphrase|wpa_passphrase]] command. Nonetheless, you can enter the PSK directly by passing it to {{ic|psk}} ''without'' quotes.}}<br />
<br />
Finally save this network in the configuration file:<br />
<br />
> save_config<br />
OK<br />
<br />
Once association is complete, all that is left to do is obtain an IP address as indicated in the [[#Overview]], for example:<br />
<br />
# dhcpcd ''interface''<br />
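The same add/set/enable/save sequence, driven over the control socket without the interactive prompt. This is an added example written for this page, not code from the ''wpa_supplicant'' project: it speaks the Unix-datagram request/reply protocol that ''wpa_cli'' uses on {{ic|/run/wpa_supplicant/''interface''}}, so it needs the same access (root, or membership in {{ic|ctrl_interface_group}}). The client-side socket path under the temporary directory and the {{ic|connect()}} helper are this example's own choices. {{ic|network_commands()}} encodes the quoting rule from the note above: a 64-hex-digit value is sent unquoted as the raw PSK, anything else is sent quoted as a passphrase, and values containing a double quote are refused because the quote would end the argument early and let the remainder be parsed as part of the command.<br />
<br />
```python
"""Drive wpa_supplicant's control interface without the interactive wpa_cli prompt.

Added example, not code from the wpa_supplicant project or the wiki page.
It uses the same Unix-datagram protocol wpa_cli speaks on the per-interface
socket that ctrl_interface=/run/wpa_supplicant creates, so it needs the same
access: root, or membership in ctrl_interface_group.  The client-side socket
path under the temporary directory is an assumption of this example.
"""
import os
import re
import socket
import tempfile
from typing import List, Optional

EVENT_RE = re.compile(r"^<\d>")                # unsolicited events: "<3>CTRL-EVENT-..."
HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")  # a raw 256-bit PSK as wpa_passphrase prints it


def quote(value: str) -> str:
    """Quote a string argument for SET_NETWORK.

    A quote or newline inside the value would terminate the argument early and
    let the rest be parsed as part of the command, so such values are refused.
    """
    if '"' in value or "\n" in value:
        raise ValueError("value may not contain a double quote or newline")
    return f'"{value}"'


def network_commands(net_id: int, ssid: str, secret: Optional[str]) -> List[str]:
    """Build the SET_NETWORK/ENABLE_NETWORK sequence for one network.

    secret=None configures an open network (key_mgmt NONE).  A 64-hex-digit
    secret is sent unquoted and used as the PSK directly; anything else is sent
    quoted and the supplicant derives the PSK from it (PBKDF2 over the SSID).
    """
    cmds = [f"SET_NETWORK {net_id} ssid {quote(ssid)}"]
    if secret is None:
        cmds.append(f"SET_NETWORK {net_id} key_mgmt NONE")
    elif HEX_PSK_RE.match(secret):
        cmds.append(f"SET_NETWORK {net_id} psk {secret}")
    else:
        if not 8 <= len(secret) <= 63:
            raise ValueError("WPA passphrase must be 8..63 characters")
        cmds.append(f"SET_NETWORK {net_id} psk {quote(secret)}")
    cmds.append(f"ENABLE_NETWORK {net_id}")
    return cmds


class WpaCtrl:
    """Minimal request/reply client for /run/wpa_supplicant/<interface>."""

    def __init__(self, interface: str, ctrl_dir: str = "/run/wpa_supplicant", timeout: float = 5.0):
        # The supplicant answers to the sender's address, so a datagram client
        # must bind a path of its own before sending anything.
        self.local = os.path.join(tempfile.gettempdir(), f"wpa_ctrl_{os.getpid()}_{id(self)}")
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(self.local)
        self.sock.settimeout(timeout)
        self.sock.connect(os.path.join(ctrl_dir, interface))

    def request(self, cmd: str) -> str:
        """Send one command and return its reply ("OK", "FAIL", a network id, ...)."""
        self.sock.send(cmd.encode())
        while True:
            reply = self.sock.recv(4096).decode(errors="replace")
            if not EVENT_RE.match(reply):      # skip interleaved event lines
                return reply.strip()

    def close(self) -> None:
        self.sock.close()
        try:
            os.unlink(self.local)
        except FileNotFoundError:
            pass


def connect(interface: str, ssid: str, secret: Optional[str], save: bool = True) -> int:
    """Add, configure and enable a network; return its id.  Needs the running daemon."""
    ctrl = WpaCtrl(interface)
    try:
        net_id = int(ctrl.request("ADD_NETWORK"))
        for cmd in network_commands(net_id, ssid, secret):
            if ctrl.request(cmd) != "OK":
                ctrl.request(f"REMOVE_NETWORK {net_id}")   # do not leave a half-configured network behind
                # report the command without its psk argument so the secret is not logged
                raise RuntimeError(f"supplicant rejected: {cmd.split(' psk ')[0]}")
        if save and ctrl.request("SAVE_CONFIG") != "OK":
            raise RuntimeError("SAVE_CONFIG failed: is update_config=1 set?")
        return net_id
    finally:
        ctrl.close()
```
<br />
Call {{ic|connect("wlan0", "MYSSID", "passphrase")}} from a root shell or as a member of the control-interface group, then obtain an address with ''dhcpcd'' as shown above. Note that the passphrase still crosses the socket in the clear and, with {{ic|1=update_config=1}}, is written back to the configuration file by {{ic|SAVE_CONFIG}}.<br />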
<br />
== Connecting with wpa_passphrase ==<br />
<br />
This connection method allows quickly connecting to a network whose SSID is already known, making use of ''wpa_passphrase'', a command line tool which generates the minimal configuration needed by ''wpa_supplicant''. For example:<br />
<br />
{{hc|$ wpa_passphrase MYSSID passphrase|2=<br />
network={<br />
ssid="MYSSID"<br />
#psk="passphrase"<br />
psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d<br />
}<br />
}}<br />
<br />
This means that ''wpa_supplicant'' can be associated with ''wpa_passphrase'' and simply started with:<br />
<br />
# wpa_supplicant -B -i ''interface'' -c <(wpa_passphrase MYSSID passphrase)<br />
<br />
{{Note|Because of the process substitution, you '''cannot''' run this command with [[sudo]] - ''sudo'' closes the inherited file descriptor, so the child cannot open {{ic|/dev/fd/63}}; you will need a root shell. Just pre-pending ''sudo'' will lead to the following error: <br />
Successfully initialized wpa_supplicant<br />
Failed to open config file '/dev/fd/63', error: No such file or directory<br />
Failed to read or parse configuration '/dev/fd/63'<br />
See also [[Help:Reading#Regular user or root]].}}<br />
<br />
{{Tip|<br />
* Use quotes, if the input contains spaces. For example: {{ic|"secret passphrase"}} <br />
* To discover your wireless network interface name, issue the {{ic|ip link}} command. <br />
* Some unusually complex passphrases may require input from a file, e.g. {{ic|wpa_passphrase MYSSID < passphrase.txt}}, or here strings, e.g. {{ic|wpa_passphrase MYSSID <<< "passphrase"}}.<br />
}}<br />
<br />
Finally, you should obtain an IP address as indicated in the [[#Overview]], for example:<br />
<br />
# dhcpcd ''interface''<br />
<br />
== Advanced usage ==<br />
<br />
For networks of varying complexity, possibly employing extensive use of [[wikipedia:Extensible_Authentication_Protocol|EAP]], it will be useful to maintain a customised configuration file. For an overview of the configuration with examples, refer to [http://linux.die.net/man/5/wpa_supplicant.conf wpa_supplicant.conf(5)]; for details on all the supported configuration parameters, refer to the example file {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}}. <br />
<br />
=== Configuration ===<br />
<br />
As is clear after reading [[#Connecting with wpa_passphrase]], a basic configuration file can be generated with:<br />
<br />
# wpa_passphrase MYSSID passphrase > /etc/wpa_supplicant/example.conf<br />
<br />
This will only create a {{ic|network}} section. Note that ''wpa_passphrase'' also leaves the plaintext passphrase in a {{ic|#psk}} comment, and the invocation itself is recorded in the shell history; remove the comment line if the passphrase should not stay on disk, and keep the file readable by root only ({{ic|chmod 600}}). A configuration file with some more common options may look like:<br />
<br />
{{hc|/etc/wpa_supplicant/example.conf|2=<nowiki><br />
ctrl_interface=/var/run/wpa_supplicant<br />
ctrl_interface_group=wheel<br />
update_config=1<br />
fast_reauth=1<br />
ap_scan=1<br />
<br />
network={<br />
ssid="MYSSID"<br />
psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d<br />
}</nowiki><br />
}}<br />
<br />
The passphrase can alternatively be stored in clear text by enclosing it in quotes. Be aware that the hex form is only marginally better: it is the key actually used in the 4-way handshake, so anyone who can read the file can join the network either way; the plaintext form additionally exposes the passphrase itself, which is often reused elsewhere. Restrict the file's permissions whichever form is used:<br />
<br />
{{bc|1=<br />
network={<br />
ssid="MYSSID"<br />
psk="passphrase"<br />
}<br />
}}<br />
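What the hex {{ic|psk}} actually is, as an added example that is not taken from the page or from the ''wpa_supplicant'' project: the PSK is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as salt, 4096 iterations, 32 bytes, which is exactly the value ''wpa_passphrase'' prints. The block derives it, renders a {{ic|network}} block without the {{ic|#psk}} comment, and creates the file with mode 600 from the start rather than fixing permissions afterwards. The function names and the file-writing helper are this example's own.<br />
<br />
```python
"""Derive the WPA-Personal PSK from a passphrase, as wpa_passphrase does.

Added example, not code from the wpa_supplicant project or the wiki page.
The PSK is PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
Whoever can read the resulting hex string can join the network just as well as
with the passphrase, so the file holding it must not be readable by other
users in either form; the plaintext form additionally leaks the passphrase,
which people tend to reuse.
"""
import hashlib
import os
import stat


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit PSK as lowercase hex, the form wpa_passphrase prints."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def ssid_field(ssid: str) -> str:
    """Render the ssid= value.

    Plain printable names are quoted; anything containing a quote, a backslash
    or non-ASCII bytes is emitted in the unquoted hex form the config format
    also accepts, so an odd SSID cannot break out of the quoted string.
    """
    if ssid.isascii() and ssid.isprintable() and '"' not in ssid and "\\" not in ssid:
        return f'"{ssid}"'
    return ssid.encode().hex()


def network_block(ssid: str, passphrase: str, keep_plaintext: bool = False) -> str:
    """Render a network block holding the derived PSK.

    keep_plaintext=True reproduces the commented #psk="..." line that
    wpa_passphrase emits; the default drops it so the file records only the key.
    """
    lines = ["network={", f"\tssid={ssid_field(ssid)}"]
    if keep_plaintext:
        lines.append(f'\t#psk="{passphrase}"')
    lines.append(f"\tpsk={wpa_psk(ssid, passphrase)}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def write_private(path: str, content: str) -> int:
    """Write the file so it is never readable by others; return its mode bits.

    Creating it with mode 0600 avoids the window a later chmod would leave open;
    the explicit chmod covers a pre-existing file with looser permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Same inputs as the wpa_passphrase example above; prints the block only.
    print(network_block("MYSSID", "passphrase"), end="")
```
<br />
The derivation is deterministic per SSID, which is also why the same passphrase yields a different {{ic|psk}} line for every network and why a dictionary attack on a captured handshake has to be run per SSID.<br />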
<br />
If the network does not have a passphrase, e.g. a public Wi-Fi:<br />
<br />
{{bc|1=<br />
network={<br />
ssid="MYSSID"<br />
key_mgmt=NONE<br />
}<br />
}}<br />
<br />
Further {{ic|network}} blocks may be added manually, or using ''wpa_cli'' as illustrated in [[#Connecting with wpa_cli]]. In order to use ''wpa_cli'', a control interface must be set with the {{ic|ctrl_interface}} option. Setting {{ic|1=ctrl_interface_group=wheel}} allows members of that group to run ''wpa_cli'', so that users without root access (or an equivalent via sudo) can connect to wireless networks. Also add {{ic|1=update_config=1}} so that changes made with ''wpa_cli'' can be saved back to {{ic|example.conf}}. Be aware that anyone who can reach the control socket has full control over the supplicant (adding networks, changing credentials, forcing reconnects), and with {{ic|1=update_config=1}} any member of the {{ic|ctrl_interface_group}} group can also have the root-owned configuration file rewritten; choose the group accordingly.<br />
<br />
{{ic|<nowiki>fast_reauth=1</nowiki>}} and {{ic|<nowiki>ap_scan=1</nowiki>}} are the global options used in the example; both are also the built-in defaults ({{ic|fast_reauth}} permits EAP fast re-authentication, {{ic|1=ap_scan=1}} lets ''wpa_supplicant'' perform scanning and AP selection itself). Whether you need them, or other global options, depends on the type of network to connect to. If you need other global options, simply copy them over to the file from {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}}. <br />
<br />
Alternatively, {{ic|wpa_cli set}} can be used to see options' status or set new ones. Multiple network blocks may be appended to this configuration: the supplicant will handle association to and roaming between all of them. By default the defined network with the strongest signal is chosen; define {{ic|priority<nowiki>=</nowiki>}} in a block to influence this behaviour. <br />
<br />
An advantage to be mentioned in using a customized configuration file at {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}} is that it is used by default by [[dhcpcd]]. If you do so, you might want to make a backup of the original and delete the extensive network block examples in it. Otherwise, do not be surprised if your device suddenly connects to networks defined in them. In any case, changes to new versions of the configuration file should of course be [[Pacnew and Pacsave files|merged]].<br />
<br />
{{Tip|To configure a network block for a hidden wireless ''SSID'', which by definition will not turn up in a regular scan, the option {{ic|scan_ssid<nowiki>=</nowiki>1}} has to be defined in the network block. Note that the client then actively probes for that name wherever it is, so the "hidden" SSID is broadcast by your device instead of by the access point.}}<br />
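A small audit of a configuration file for the points made in this section, added here as an example (not part of the page or of ''wpa_supplicant''): it parses the global options and the {{ic|network}} blocks and reports plaintext passphrases (a quoted {{ic|psk}} or a leftover {{ic|#psk}} comment), open networks, {{ic|1=scan_ssid=1}}, a control-interface group combined with {{ic|1=update_config=1}}, and a file mode that lets other users read the keys. The sample configuration at the end is constructed for the example and reuses the SSID and key shown above.<br />
<br />
```python
"""Audit a wpa_supplicant.conf for the settings discussed in this section.

Added example, not code from the wpa_supplicant project or the wiki page.
It parses the global options and the network={ ... } blocks and reports what
a reviewer would look for; the SAMPLE_CONF at the bottom is constructed.
"""
import re
import stat
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(#?)\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (global options, network blocks).

    Comments are dropped, except a #psk="..." line inside a block, which is the
    trace wpa_passphrase leaves behind; it is kept under the key "#psk".
    """
    globals_: Dict[str, str] = {}
    networks: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif (m := LINE_RE.match(line)):
            commented, key, value = m.groups()
            target = globals_ if current is None else current
            if not commented:
                target[key] = value
            elif key == "psk" and value.startswith('"') and current is not None:
                target["#psk"] = value
    return globals_, networks


def ctrl_group(globals_: Dict[str, str]) -> Optional[str]:
    """The group may be set separately or as GROUP= inside the ctrl_interface value."""
    if "ctrl_interface_group" in globals_:
        return globals_["ctrl_interface_group"]
    m = re.search(r"\bGROUP=(\S+)", globals_.get("ctrl_interface", ""))
    return m.group(1) if m else None


def audit(text: str, file_mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    g, nets = parse_conf(text)
    if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file is readable by group/others (mode {file_mode:04o}); PSKs are join credentials")
    grp = ctrl_group(g)
    if grp and g.get("update_config") == "1":
        findings.append(f"members of group '{grp}' can reconfigure the supplicant and have it rewrite this file")
    for i, n in enumerate(nets):
        name = n.get("ssid", "?").strip('"')
        psk = n.get("psk", "")
        if "#psk" in n:
            findings.append(f"network {i} ({name}): plaintext passphrase left in a #psk comment")
        if psk.startswith('"'):
            findings.append(f"network {i} ({name}): psk is a plaintext passphrase")
        elif psk and not HEX_PSK_RE.match(psk):
            findings.append(f"network {i} ({name}): psk is neither quoted nor a 64-hex-digit key")
        if n.get("key_mgmt") == "NONE":
            findings.append(f"network {i} ({name}): open network, traffic is unencrypted")
        if n.get("scan_ssid") == "1":
            findings.append(f"network {i} ({name}): scan_ssid=1, the client probes for this SSID wherever it is")
    return findings


# Constructed sample: the MYSSID block from above plus an open and a hidden network.
SAMPLE_CONF = """\
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1

network={
\tssid="MYSSID"
\t#psk="passphrase"
\tpsk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d
}

network={
\tssid="Cafe"
\tkey_mgmt=NONE
}

network={
\tssid="Hidden"
\tscan_ssid=1
\tpsk="hunter22"
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, file_mode=0o644):
        print("-", finding)
```
<br />
To check a real file, pass {{ic|open(path).read()}} and {{ic|stat.S_IMODE(os.stat(path).st_mode)}}; the parser deliberately ignores options it does not know about, so EAP blocks pass through untouched.<br />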
<br />
=== Connection ===<br />
<br />
==== Manual ====<br />
<br />
First start ''wpa_supplicant'' command, whose most commonly used arguments are:<br />
<br />
* {{ic|-B}} - Fork into background.<br />
* {{ic|-c ''filename''}} - Path to configuration file.<br />
* {{ic|-i ''interface''}} - Interface to listen on.<br />
* {{ic|-D ''driver''}} - Optionally specify the driver to be used. For a list of supported drivers see the output of {{ic|wpa_supplicant -h}}.<br />
** {{ic|nl80211}} is the current standard, but not all wireless drivers support it.<br />
** {{ic|wext}} is currently deprecated, but still widely supported.<br />
<br />
See [http://linux.die.net/man/8/wpa_supplicant wpa_supplicant(8)] for the full argument list. For example:<br />
<br />
# wpa_supplicant -B -i ''interface'' -c /etc/wpa_supplicant/example.conf<br />
<br />
followed by a method to obtain an ip address manually as indicated in the [[#Overview]], for example:<br />
<br />
# dhcpcd ''interface''<br />
<br />
{{Tip|''dhcpcd'' has a hook that can launch ''wpa_supplicant'' implicitly, see [[dhcpcd#10-wpa_supplicant]].}}<br />
<br />
==== At boot (systemd) ====<br />
<br />
The ''wpa_supplicant'' package provides multiple [[systemd]] service files:<br />
<br />
* {{ic|wpa_supplicant.service}} - uses [[D-Bus]], recommended for [[NetworkManager]] users.<br />
* {{ic|wpa_supplicant@.service}} - accepts the interface name as an argument and starts the ''wpa_supplicant'' daemon for this interface. It reads the configuration file in {{ic|/etc/wpa_supplicant/wpa_supplicant-''interface''.conf}}.<br />
* {{ic|wpa_supplicant-nl80211@.service}} - also interface specific, but explicitly forces the {{ic|nl80211}} driver (see below). The configuration file path is {{ic|/etc/wpa_supplicant/wpa_supplicant-nl80211-''interface''.conf}}.<br />
* {{ic|wpa_supplicant-wired@.service}} - also interface specific, uses the {{ic|wired}} driver. The configuration file path is {{ic|/etc/wpa_supplicant/wpa_supplicant-wired-''interface''.conf}}.<br />
<br />
To enable wireless at boot, enable an instance of one of the above services on a particular wireless interface. For example, [[enable]] the {{ic|wpa_supplicant@''interface''}} systemd unit.<br />
<br />
Now choose and [[enable]] an instance of a service to obtain an ip address for the particular ''interface'' as indicated in the [[#Overview]]. For example, [[enable]] the {{ic|dhcpcd@''interface''}} systemd unit.<br />
<br />
{{Tip|''dhcpcd'' has a hook that can launch ''wpa_supplicant'' implicitly, see [[dhcpcd#10-wpa_supplicant]].}}<br />
<br />
=== wpa_cli action script ===<br />
<br />
''wpa_cli'' can run in daemon mode and execute a specified script based on events from ''wpa_supplicant''. Two events are supported: {{ic|CONNECTED}} and {{ic|DISCONNECTED}}. Some [[environment variables]] are available to the script, see [http://linux.die.net/man/8/wpa_cli wpa_cli(8)] for details.<br />
<br />
The following example will use [[desktop notifications]] to notify the user about the events:<br />
<br />
{{bc|1=<br />
#!/bin/bash<br />
# Invoked by "wpa_cli -a" with two arguments: $1 = interface name, $2 = event name.<br />
# The script runs with the privileges of the user who started wpa_cli.<br />
case "$2" in<br />
    CONNECTED)<br />
        notify-send "WPA supplicant: connection established";<br />
        ;;<br />
    DISCONNECTED)<br />
        notify-send "WPA supplicant: connection lost";<br />
        ;;<br />
esac<br />
}}<br />
<br />
Remember to make the script executable, then use the {{ic|-a}} flag to pass the script path to ''wpa_cli'':<br />
<br />
$ wpa_cli -a ''/path/to/script''<br />
<br />
== Troubleshooting ==<br />
<br />
{{Warning|Make sure that you are '''not''' using the default configuration file at {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}}, which is filled with uncommented examples that will lead to lots of random errors in practice. This is a known packaging bug of the {{Pkg|wpa_supplicant}} package: {{Bug|40661}}.}}<br />
<br />
=== nl80211 driver not supported on some hardware ===<br />
<br />
On some (especially old) hardware, ''wpa_supplicant'' may fail with the following error:<br />
<br />
Successfully initialized wpa_supplicant<br />
nl80211: Driver does not support authentication/association or connect commands<br />
wlan0: Failed to initialize driver interface<br />
<br />
This indicates that the standard {{ic|nl80211}} driver does not support the given hardware. The deprecated {{ic|wext}} driver might still support the device:<br />
<br />
# wpa_supplicant -B -i wlan0 '''-D wext''' -c /etc/wpa_supplicant/example.conf<br />
<br />
If the command works to connect, and the user wishes to use [[systemd]] to manage the wireless connection, it is necessary to [[systemd#Editing provided units|edit]] the {{ic|wpa_supplicant@.service}} unit provided by the package and modify the {{ic|ExecStart}} line accordingly:<br />
<br />
{{hc|/etc/systemd/system/wpa_supplicant@.service.d/wext.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I '''-Dwext'''<br />
}}<br />
<br />
=== Problem with mounted network shares (cifs) and shutdown (Date: 1st Oct. 2015) ===<br />
When you use [[WPA supplicant]] (wlan) to connect to your network, shutdown may take a very long time because systemd waits for a 3-minute timeout. The reason is that ''wpa_supplicant'' is stopped too early, so the network is already down when systemd tries to unmount the share(s). As a workaround, add the following settings to the {{ic|wpa_supplicant.service}} unit using a [[Systemd#Drop-in snippets|drop-in snippet]]. The result looks like this:<br />
<br />
{{hc|/etc/systemd/system/wpa_supplicant.service.d/override.conf|<nowiki><br />
[Unit]<br />
After=dbus.service<br />
Before=network.target<br />
Wants=network.target<br />
</nowiki>}}<br />
<br />
See more about this bug here: https://github.com/systemd/systemd/issues/1435<br />
<br />
This bug is not fixed in version 2.3 of {{Pkg|wpa_supplicant}}. Version 2.5 added {{ic|<nowiki>Before=network.target</nowiki>}} and {{ic|<nowiki>Wants=network.target</nowiki>}} but still lacks {{ic|<nowiki>After=dbus.service</nowiki>}}, so after an update to 2.5 you can remove {{ic|<nowiki>Before=network.target</nowiki>}} and {{ic|<nowiki>Wants=network.target</nowiki>}} from your {{ic|/etc/systemd/system/wpa_supplicant.service.d/override.conf}}. Once the bug has been fixed upstream, {{ic|/etc/systemd/system/wpa_supplicant.service.d/override.conf}} can be removed entirely.<br />
<br />
=== Password-related problems ===<br />
<br />
{{Pkg|wpa_supplicant}} may not work properly when particularly long or complex passphrases containing special characters are passed directly on the command line or via stdin. This may lead to errors such as {{ic|failed 4-way WPA handshake, PSK may be wrong}} when launching ''wpa_supplicant''.<br />
<br />
To solve this, try using a here string, {{ic|wpa_passphrase <MYSSID> <<< "<passphrase>"}}, or pass a configuration file with the {{ic|-c}} flag instead:<br />
<br />
# wpa_supplicant -i <interface> -c /etc/wpa_supplicant/wpa_supplicant.conf<br />
<br />
In some instances, storing the passphrase in clear text in the {{ic|psk}} key of the {{ic|wpa_supplicant.conf}} {{ic|network}} block gave positive results (see [http://www.linuxquestions.org/questions/linux-wireless-networking-41/wpa-4-way-handshake-failed-843394/]). However, this leaves the passphrase readable to anyone with access to the file. Using ''wpa_cli'' to create the network block instead of writing it by hand usually gives the best results and is therefore the recommended way to proceed.<br />
<br />
== See also ==<br />
<br />
* [http://hostap.epitest.fi/wpa_supplicant/ WPA Supplicant home]<br />
* [https://gist.github.com/buhman/7162560 wpa_cli usage examples]<br />
* [http://linux.die.net/man/8/wpa_supplicant wpa_supplicant(8)]<br />
* [http://linux.die.net/man/5/wpa_supplicant.conf wpa_supplicant.conf(5)]<br />
* [http://linux.die.net/man/8/wpa_cli wpa_cli(8)]<br />
* [http://wireless.kernel.org/en/users/Documentation/wpa_supplicant Kernel.org wpa_supplicant documentation]</div>Uspreyhttps://wiki.archlinux.org/index.php?title=I3&diff=441258I32016-07-13T22:58:09Z<p>Usprey: /* Screensaver and power management */ Added service file example that works, the referenced example is simpel, not forking</p>
<hr />
<div>{{DISPLAYTITLE:i3}}<br />
[[Category:Tiling WMs]]<br />
[[Category:Dynamic WMs]]<br />
[[ja:i3]]<br />
[[ko:I3]]<br />
[[ru:I3]]<br />
[[zh-CN:I3]]<br />
{{Related articles start}}<br />
{{Related|Desktop environment}}<br />
{{Related|Display manager}}<br />
{{Related|File manager functionality}}<br />
{{Related|Window manager}}<br />
{{Related|Comparison of tiling window managers}}<br />
{{Related|Clipboard}}<br />
{{Related|Autostarting#Graphical}}<br />
{{Related articles end}}<br />
[http://i3wm.org/ i3] is a dynamic [[Wikipedia:Tiling window manager|tiling window manager]] inspired by [[wmii]] that is primarily targeted at developers and advanced users.<br />
<br />
The stated goals for i3 include clear documentation, proper multi-monitor support, a tree structure for windows, and different modes like in [[vim]].<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Grp|i3}} [[Pacman#Installing package groups|package group]]. It includes the window manager {{Pkg|i3-wm}}, {{Pkg|i3status}} which writes a status line to i3bar through [[Wikipedia:Standard streams#Standard output (stdout)|stdout]], and {{Pkg|i3lock}}, a screen locker.<br />
<br />
Additional packages are available in the [[Arch User Repository]]. See the section [[#Patches]] for examples.<br />
<br />
=== Display manager ===<br />
<br />
{{Pkg|i3-wm}} includes {{ic|i3.desktop}} as [[Xsession]] which starts the window manager. {{ic|i3-with-shmlog.desktop}} enables logs (useful for debugging). {{AUR|i3-gnome}} integrates {{ic|i3}} into [[GNOME]].<br />
<br />
=== xinitrc ===<br />
<br />
Edit [[Xinitrc]], and add:<br />
<br />
exec i3<br />
<br />
To log the output from i3, add this line instead:<br />
<br />
exec i3 -V >> ~/i3log-$(date +'%F-%k-%M-%S') 2>&1<br />
<br />
If you have trouble mapping keys (e.g. {{ic|;}} as semicolon), use {{Pkg|xorg-xev}} or see [[Extra keyboard keys]].<br />
<br />
$ xev | grep -A2 --line-buffered '^KeyRelease' | sed -n '/keycode /s/^.*keycode \([0-9]*\).* (.*, \(.*\)).*$/\1 \2/p'<br />
<br />
== Usage ==<br />
<br />
See the [http://i3wm.org/docs official documentation] for more information, namely the [http://i3wm.org/docs/userguide.html i3 User’s Guide].<br />
<br />
=== Keybindings ===<br />
<br />
In i3, commands are invoked with a modifier key, referred to as {{ic|$mod}}. This is {{ic|Alt}} (Mod1) by default, with {{ic|Super}} (Mod4) being a popular alternative. Super is the key usually represented on a keyboard as a Windows icon, or on an Apple keyboard as a Command key.<br />
<br />
See the [http://i3wm.org/docs/refcard.html i3 reference card] and [http://i3wm.org/docs/userguide.html#_using_i3 Using i3] for the defaults. See [http://i3wm.org/docs/userguide.html#keybindings Keyboard bindings] to add new shortcuts.<br />
<br />
Users of non-Qwerty keyboard layouts may wish to circumvent the "configuration wizard" as [[#Configuration wizard and alternative keyboard layouts|described below]].<br />
<br />
=== Containers ===<br />
<br />
{{Expansion|The User's guide explains basic use of containers, yet is not sufficiently clear to allow more advanced use cases. It also does not mention ''focus child'' as it does ''focus parent''. See also: [https://faq.i3wm.org/question/222/how-to-get-rid-of-another-container/], [https://github.com/i3/i3/issues/1326]}}<br />
<br />
i3 manages windows in a tree structure, with containers as building blocks. This structure branches with horizontal or vertical splits. Containers are tiled by default, but can be set to tabbed or stacked layouts, as well as made floating (such as for dialog windows). Floating windows are always on top.<br />
<br />
See [http://i3wm.org/docs/userguide.html#_tree i3 Tree] and [http://www.youtube.com/watch?v=AWA8Pl57UBY Containers and the tree data structure] for details.<br />
<br />
=== Application launcher ===<br />
<br />
i3 uses [[dmenu]] as an application launcher, which is bound by default to {{ic|$mod+d}}. As an alternative, one can use {{AUR|dmenu2}} from the AUR which has many more features including transparency and support for xft fonts.<br />
<br />
{{Pkg|i3-wm}} contains ''i3-dmenu-desktop'', a [[Wikipedia:Perl|Perl]] wrapper for ''dmenu'' which uses [[desktop entries]] to create a list of all installed applications. Alternatively, the package {{AUR|j4-dmenu-desktop-git}} can be used; it is a near-drop-in replacement for ''i3-dmenu-desktop'', but much faster [https://github.com/enkore/j4-dmenu-desktop/blob/master/README.md].<br />
<br />
== Configuration ==<br />
<br />
See [http://i3wm.org/docs/userguide.html#configuring Configuring i3] for details. The rest of this article assumes the ''i3'' configuration file to be in the folder {{ic|~/.config}} (contrary to ''i3-config-wizard'', which creates {{ic|~/.i3/config}}).<br />
<br />
=== Configuration wizard and alternative keyboard layouts ===<br />
<br />
When ''i3'' is first started, it offers to run the configuration wizard ''i3-config-wizard''. This tool creates {{ic|~/.i3/config}} by rewriting a template configuration file in {{ic|/etc/i3/config.keycodes}}. It makes two modifications to the default template: <br />
<br />
# It asks the user to choose a default modifier key, which it adds to the template as a single line, like {{ic|set $mod Mod1}}; and <br />
# it replaces all ''bindcode'' lines with ''bindsym'' lines corresponding to the user's current keyboard layout.<br />
<br />
Step 2 is designed to ensure that the four navigation shortcuts, {{ic|j}}, {{ic|k}}, {{ic|l}} and "semicolon" on a Qwerty keyboard, will be mapped to keysyms which have the same location, e.g. {{ic|h}}, {{ic|t}}, {{ic|n}}, {{ic|s}} on a [[Dvorak]] keyboard. The side-effect of this magic is that up to fifteen other keysyms may be remapped in ways which break the mnemonics - so that, for a Dvorak user, "restart" is bound to {{ic|$mod+p}} instead of {{ic|$mod+r}}, "split horizontally" is bound to {{ic|$mod+d}} instead of {{ic|$mod+h}}, and so on.<br />
<br />
Therefore, users of alternate keyboard layouts who want straightforward key bindings, which match the bindings given in tutorials, may prefer to circumvent the "config wizard". This can be done by just copying {{ic|/etc/i3/config}} into {{ic|~/.config/i3/config}} (or {{ic|~/.i3/config}}), and editing that file.<br />
<br />
Note that a keycode-based configuration is also possible, e.g. for users who often switch between keyboard layouts, but want the i3 bindings to stay the same.<br />
<br />
=== Colorschemes ===<br />
<br />
The configuration file allows for customization of window decoration colors, but the syntax makes it impractical to create or share themes. There are several projects which make this easier and include a variety of user-contributed themes.<br />
<br />
* {{App|i3-style|Modifies your config in place from a theme stored in a JSON object, designed for frequently tweaking or changing a colorscheme|https://github.com/acrisci/i3-style|{{Aur|nodejs-i3-style}}{{Broken package link|{{aur-mirror|nodejs-i3-style}}}}}}<br />
* {{App|j4-make-config|Merge your config with a collection of themes or personal config parts, for example host-specific configuration, allowing quick changing of the theme and flexible, dynamic customization of the configuration|https://github.com/okraits/j4-make-config|{{Aur|j4-make-config-git}}}}<br />
<br />
=== i3bar ===<br />
<br />
In addition to showing workspace information, i3bar can act as an input for i3status or an alternative, such as those mentioned in the next section. For example:<br />
<br />
{{hc|~/.config/i3/config|2=<br />
bar {<br />
output LVDS1<br />
status_command i3status<br />
position top<br />
mode hide<br />
workspace_buttons yes<br />
tray_output none<br />
<br />
font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1<br />
<br />
colors {<br />
background #000000<br />
statusline #ffffff<br />
<br />
focused_workspace #ffffff #285577<br />
active_workspace #ffffff #333333<br />
inactive_workspace #888888 #222222<br />
urgent_workspace #ffffff #900000<br />
}<br />
}<br />
}}<br />
<br />
See the [http://i3wm.org/docs/userguide.html#_configuring_i3bar Configuring i3bar] for details.<br />
<br />
==== i3bar alternatives ====<br />
<br />
{{Accuracy|i3 is [[Wikipedia:Extended_Window_Manager_Hints|NETWM]] compliant, so workspace management from external panels should usually work. See also [http://i3wm.org/docs/wsbar.html]}}<br />
<br />
Some users may prefer panels such as those provided by conventional [[Desktop environment|Desktop Environments]]. This can be achieved within i3 by launching the panel application of choice during startup.<br />
<br />
For the [[Xfce#Panel|XFCE panel]], add the following line anywhere in {{ic|~/.config/i3/config}}:<br />
<br />
exec --no-startup-id xfce4-panel --disable-wm-check<br />
<br />
{{Note|Panel features that are specific to the [[Desktop environment]] (e.g., widgets for managing workspaces/sessions) will most likely not work, though i3's functionality should remain unaffected.}}<br />
<br />
i3bar can be disabled by commenting out the {{ic|<nowiki>bar{ }</nowiki>}} section of {{ic|~/.config/i3/config}} or using: <br />
<br />
{{hc|~/.config/i3/config|<br />
# bar toggle, hide or show <br />
bindsym $mod+m bar mode toggle<br />
}}<br />
<br />
This way you can show or hide bar as you want.<br />
<br />
=== i3status ===<br />
<br />
Copy over the default configuration files to the home directory:<br />
<br />
$ cp /etc/i3status.conf ~/.config/i3status/config<br />
<br />
Not all plugins are defined in the default configuration, and some configuration values may be invalid for your system, so they need to be updated accordingly. See {{ic|man i3status}} for details.<br />
<br />
==== i3status replacements ====<br />
<br />
* {{App|[[conky]]| Highly extensible system monitor. For usage with i3bar see [http://i3wm.org/docs/user-contributed/conky-i3bar.html this tutorial] |https://github.com/brndnmtthws/conky|{{Pkg|conky}}}}<br />
* {{App|[[i3blocks]]|Extensible via shell scripts. It can handle click events, interrupts, and defining of refresh intervals on a per-block basis.|https://github.com/vivien/i3blocks|{{AUR|i3blocks}}}}<br />
* {{App|i3phtatus|An easily extensible i3status replacement meant for i3bar, written in PHP.|https://github.com/mwgg/i3phtatus}}<br />
* {{App|i3-phpbar|Same replacement for i3bar, written in PHP.|https://github.com/johnynsk/i3-phpbar}}<br />
* {{App|goi3bar|Concurrent, extensible i3status replacement written in Go. Components can update at individual rates. |https://github.com/denbeigh2000/goi3bar}}<br />
* {{App|i3pystatus|Extensible Python 3 status bar with many plugins and configuration options by default.|https://github.com/enkore/i3pystatus i3pystatus|{{AUR|i3pystatus-git}}}}<br />
* {{App|i3situation|Another Python 3 status bar generator.|https://github.com/HarveyHunt/i3situation|{{Aur|i3situation-git}}}}<br />
* {{App|j4status|Provides a statusline, configurable via plugins, and written in C. Extra plugins are provided by {{Aur|j4status-plugins-git}}.|http://j4status.j4tools.org/|{{Aur|j4status-git}}}}<br />
<br />
==== i3status wrappers ====<br />
<br />
* {{App|[[h2status]]|Bash wrapper for i3status that allows custom json entries as input, and can handle click events as well as asynchronous updates of the status bar.|[[H2status]]|{{Aur|h2status}}{{Broken package link|{{aur-mirror|h2status}}}}}}<br />
* {{App|i3cat|A [[go]] based wrapper which can concatenate inputs from multiple external sources. It can handle click events and forwarding user specified signals to its subprocesses.|http://vincent-petithory.github.io/i3cat/|{{AUR|i3cat-git}}}}<br />
* {{App|py3status|An extensible i3status wrapper written in Python.|https://github.com/ultrabug/py3status|{{Aur|py3status}}}}<br />
<br />
==== Iconic fonts in the status bar ====<br />
<br />
''i3bar'' can be [[#Patches|patched]] for XBM icon support, but you can use iconic font sets instead.<br />
<br />
* {{App|ttf-font-awesome|Scalable vector icons that can be customized with CSS. A [http://fortawesome.github.io/Font-Awesome/cheatsheet/ cheatsheet] shows the Unicode point for each glyph.|http://fortawesome.github.io/Font-Awesome/|{{AUR|ttf-font-awesome}}}}<br />
* {{App|ttf-font-icons|Non-overlapping and consistently sized mix of Awesome and Ionicons. This also avoids minor overlapping between DejaVu Sans and Awesome.|http://kageurufu.net/icons.pdf|{{AUR|ttf-font-icons}}}}<br />
<br />
To combine fonts, define a font fallback sequence in your configuration file, separating fonts with {{ic|,}} like so:<br />
{{hc|~/.config/i3/config|2=<br />
bar {<br />
...<br />
font pango:DejaVu Sans Mono, Icons 8<br />
...<br />
}<br />
}}<br />
<br />
In accordance with [https://developer.gnome.org/pango/stable/pango-Fonts.html#pango-font-description-from-string pango syntax], font size is specified only once, at the end of the comma-separated list of font families. Setting a size for each font would cause all but the last font to be ignored.<br />
<br />
Add icons to the format strings in {{ic|~/.config/i3status/config}} using the unicode numbers given in the cheatsheets linked above. The input method will vary between text editors. For instance, to insert the "heart" icon (unicode number f004):<br />
<br />
{{Merge|Internationalization|Should be described in one place; see also [[ArchWiki:Requests#Input methods]].}}<br />
<br />
* in various gui text editors (e.g. [[gedit]], Leafpad) and terminals (e.g. GNOME Terminal, xfce4-terminal): {{ic|ctrl+shift+u}}, {{ic|f004}}, {{ic|Enter}}<br />
* in [[Emacs]]: {{ic|ctrl+x}}, {{ic|8}}, {{ic|Enter}}, {{ic|f004}}, {{ic|Enter}}<br />
* in [[Vim]] (while in insert mode): {{ic|Ctrl+v}}, {{ic|uf004}}<br />
* in [[urxvt]]: while holding {{ic|Ctrl+Shift}}, type {{ic|f004}}<br />
<br />
=== Terminal emulator ===<br />
<br />
By default, pressing {{ic|$mod+Return}} launches {{ic|i3-sensible-terminal}}, a script that invokes a terminal. See {{ic|man i3-sensible-terminal}} for the order in which terminals are tried.<br />
<br />
To instead launch a terminal of choice, modify this line in {{ic|~/.config/i3/config}}:<br />
<br />
bindsym $mod+Return exec i3-sensible-terminal<br />
<br />
Alternatively, [[Environment_variable#Per_user|locally define]] the {{ic|$TERMINAL}} variable:<br />
<br />
$ export TERMINAL=''yourterminal''<br />
<br />
== Tips and tricks ==<br />
<br />
=== Advanced window navigation ===<br />
<br />
See [http://www.slackword.net/?p=657 i3 window Navigation Tips].<br />
<br />
=== Jump to open window ===<br />
<br />
*{{App|quickswitch-i3|Python utility to quickly change to and locate windows in i3|https://github.com/proxypoke/quickswitch-for-i3|{{Aur|quickswitch-i3}}}}<br />
*{{App|i3-wm-scripts|search for and jump to windows with particular names matching regexp|https://github.com/yiuin/i3-wm-scripts||}}<br />
*{{App|winmenupy|Launches dmenu with a list of clients, sorted after workspaces. Selecting a client jumps to that window.|https://github.com/ziberna/i3-py/blob/master/examples/winmenu.py||}}<br />
*{{App|[[rofi]]|Search and jump to open and scratchpad window|https://davedavenport.github.io/rofi/|{{Pkg|rofi}}}}<br />
<br />
=== Jump to urgent window ===<br />
<br />
Add to {{ic|.i3/config}}: [https://faq.i3wm.org/question/853/how-to-jump-to-urgent-workspace/]<br />
<br />
bindsym $mod+x [urgent=latest] focus<br />
<br />
=== Save and restore the window layout ===<br />
<br />
From version 4.8 onward, ''i3'' can save and restore workspace layouts. To do this, the following packages are needed: {{Pkg|perl-anyevent-i3}} and {{Pkg|perl-json-xs}} from the [[official repositories]].<br />
<br />
{{note|This section only provides a quick tutorial on how to save the current window layout of a single workspace and how to restore it for later use. Refer to the [http://i3wm.org/docs/layout-saving.html official documentation] for more details.}}<br />
<br />
==== Save the current window layout of a single workspace ====<br />
<br />
To save the current window layout, follow these steps:<br />
<br />
# First, execute various commands to open windows in a preferred workspace and resize them if needed. Make sure to write down each executed command for each window.<br />
# Now, in a new workspace, open a terminal and run the following: {{bc|i3-save-tree --workspace N > ~/.i3/workspace_N.json}} where N is the number of the preferred workspace. This will save the current layout of workspace N to the file {{ic|~/.i3/workspace_N.json}}.<br />
# The newly created file needs to be edited before it can be loaded. This may be done with the following commands; the result is written to a temporary file first, because redirecting straight back into {{ic|~/.i3/workspace_N.json}} would truncate it before {{ic|tail}} reads it: {{bc|<nowiki>tail -n +2 ~/.i3/workspace_N.json | fgrep -v '// splitv' | sed 's|//||g' > ~/.i3/workspace_N.json.tmp && mv ~/.i3/workspace_N.json.tmp ~/.i3/workspace_N.json</nowiki>}}<br />
<br />
==== Restore the window layout of the workspace ====<br />
<br />
There are two ways to restore the layout of the workspace: by writing a script, or by editing {{ic|~/.i3/config}} to automatically load the layout. In this section only the first case will be considered, refer to the [http://i3wm.org/docs/layout-saving.html#_restoring_the_layout official documentation] for the second case.<br />
<br />
To restore the saved layout in the previous section, write a file named {{ic|load_layout.sh}} with the following contents:<br />
<br />
* The starting lines:<br />
<br />
{{hc|head=~/load_layout.sh|output=<br />
#!/bin/bash<br />
i3-msg "workspace M; append_layout ~/.i3/workspace_N.json"<br />
}}<br />
<br />
where M is the number of the workspace in which you would like to load the previously saved layout and N is the number of workspace saved in the previous section.<br />
* And the commands used in the previous section to get the preferred windows, but enclosed in parentheses and with an ampersand appended before the last parentheses.<br />
<br />
For example, if the saved layout contained three {{ic|uxterm}} windows:<br />
<br />
{{hc|head=~/load_layout.sh|output=<br />
#!/bin/bash<br />
<br />
# First we append the saved layout of workspace N to workspace M<br />
i3-msg "workspace M; append_layout ~/.i3/workspace_N.json"<br />
<br />
# And finally we fill the containers with the programs they had<br />
(uxterm &)<br />
(uxterm &)<br />
(uxterm &)<br />
}}<br />
<br />
Then set the file as executable:<br />
<br />
chmod u+x ~/load_layout.sh<br />
<br />
And finally, the layout of workspace N can be loaded onto workspace M by running:<br />
<br />
~/load_layout.sh<br />
<br />
{{tip|Adding {{ic|bindsym $mod+g exec ~/load_layout.sh}} to {{ic|~/.i3/config}} and restarting i3 will bind Mod+g to run the above script.}}<br />
<br />
{{note|If the above script does not work properly, refer to the [http://i3wm.org/docs/layout-saving.html#_editing_layout_files official documentation]. The ''swallows'' sections of {{ic|~/.i3/workspace_N.json}} need to be manually edited.}}<br />
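As an added example (not part of this article or of i3 itself), the following Python script performs the clean-up from step 3 more robustly than the {{ic|tail}}/{{ic|fgrep}}/{{ic|sed}} pipeline: it drops every comment line regardless of split direction, uncomments only the {{ic|class}} criterion in each ''swallows'' block, and counts how many windows the restore script has to start. The sample dump is constructed.<br />
<br />
```python
import json
import re
from typing import Dict, List

# Constructed, abridged i3-save-tree output for two terminals side by side;
# it is not a real dump, but follows the format the steps above describe.
SAMPLE_DUMP = """\
// vim:ts=4:sw=4:et
{
    // splith split container with 2 children
    "border": "normal",
    "layout": "splith",
    "type": "con",
    "nodes": [
        {
            "border": "normal",
            "name": "~",
            "swallows": [
                {
                // "class": "^URxvt$",
                // "instance": "^urxvt$",
                // "title": "^~$"
                }
            ],
            "type": "con"
        },
        {
            "border": "normal",
            "name": "~",
            "swallows": [
                {
                // "class": "^URxvt$",
                // "instance": "^urxvt$"
                }
            ],
            "type": "con"
        }
    ]
}
"""

# a commented-out JSON member such as:   // "class": "^URxvt$",
COMMENTED_MEMBER = re.compile(r'^(\s*)//\s*"(\w+)"\s*:\s*(.*?),?\s*$')
COMMENT_LINE = re.compile(r'^\s*//')


def sanitize_layout(dump: str, keep=("class",)) -> str:
    """Turn i3-save-tree output into JSON that append_layout accepts.

    Drops the vim modeline and the '// splitv/splith split container' notes,
    uncomments only the swallow criteria named in `keep` (matching on the
    window class alone is usually enough) and keeps the commas between the
    remaining members valid.
    """
    out: List[str] = []
    pending: List[tuple] = []  # consecutive commented criteria of one swallow block

    def flush() -> None:
        kept = [(ind, key, val) for ind, key, val in pending if key in keep]
        for i, (ind, key, val) in enumerate(kept):
            comma = "," if i < len(kept) - 1 else ""
            out.append(f'{ind}"{key}": {val}{comma}')
        pending.clear()

    for line in dump.splitlines():
        m = COMMENTED_MEMBER.match(line)
        if m:
            pending.append(m.groups())
            continue
        flush()
        if COMMENT_LINE.match(line):
            continue  # modeline or 'split container with N children' note
        out.append(line)
    flush()
    return "\n".join(out) + "\n"


def load_layout(dump: str, keep=("class",)) -> List[dict]:
    """Sanitize and parse a dump; i3-save-tree may emit several top-level objects."""
    text = sanitize_layout(dump, keep)
    decoder = json.JSONDecoder()
    objects, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return objects
        obj, pos = decoder.raw_decode(text, pos)
        objects.append(obj)


def swallow_slots(node: dict) -> List[Dict[str, str]]:
    """Flatten all swallow criteria: one entry per window load_layout.sh must start."""
    slots = list(node.get("swallows", []))
    for child in node.get("nodes", []) + node.get("floating_nodes", []):
        slots.extend(swallow_slots(child))
    return slots


if __name__ == "__main__":
    layouts = load_layout(SAMPLE_DUMP)
    print(sanitize_layout(SAMPLE_DUMP))
    print(f"launch {len(swallow_slots(layouts[0]))} window(s) after append_layout")
```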
<br />
=== Scratchpad containers ===<br />
<br />
By default, [http://i3wm.org/docs/userguide.html#_scratchpad scratchpads] only contain a single window. However, containers can also be made a scratchpad.<br />
<br />
Create a new container (for example, {{ic|Mod+Enter}}), split it ({{ic|Mod+v}}) and create another container. Focus the parent ({{ic|Mod+a}}), split in the opposite direction ({{ic|Mod+h}}), and create again. <br />
<br />
Focus the first container (with focus parent as needed), make the window floating ({{ic|Mod+Shift+Space}}), and move it to the scratchpad ({{ic|Mod+Shift+-}}). You can now split containers to preference.<br />
<br />
{{Note|Containers cannot be resized individually in floating windows. Resize the containers before making windows floating.}}<br />
{{Tip|When only using terminal applications, consider a multiplexer such as [[tmux]] instead.}}<br />
<br />
See also [https://faq.i3wm.org/question/138/multiple-scratchpad/i3] for multiple scratchpads.<br />
<br />
=== Screensaver and power management ===<br />
<br />
With [[Power management#xss-lock]] you can register a screen locker for your i3 session.<br />
Alternatively, ''xautolock'' locks the screen after the idle period given with its {{ic|-time}} option:<br />
<br />
 xautolock -time 10 -locker "i3lock -i 'background_image.png'" &<br />
<br />
A [[systemd]] service file can be used to lock the screen before the system is sent to sleep or hibernation.<br />
An example {{ic|suspend@.service}} file can be found here: [[Power_management#Suspend.2Fresume_service_files]].<br />
The following line invokes the {{ic|i3lock}} program:<br />
<br />
 ExecStart=/usr/bin/i3lock -i 'background_image.png'<br />
<br />
An example i3lock service file:<br />
{{hc|/etc/systemd/system/i3lock@.service|2=<nowiki><br />
[Unit]<br />
Description=i3lock<br />
Before=sleep.target<br />
<br />
[Service]<br />
User=%I<br />
Type=forking<br />
Environment=DISPLAY=:0<br />
ExecStart=/usr/bin/i3lock -c 000000<br />
<br />
[Install]<br />
WantedBy=sleep.target</nowiki>}}<br />
The service fails if {{ic|Type<nowiki>=</nowiki>forking}} is not set.<br />
Source: [https://bbs.archlinux.org/viewtopic.php?pid=1170536#p1170536]<br />
<br />
See also [[DPMS]].<br />
<br />
=== Shutdown, reboot, lock screen ===<br />
<br />
Key combinations for shutdown, reboot and screenlock can be added to {{ic|~/.config/i3/config}}. The below example assumes you have {{Pkg|polkit}} installed to allow unprivileged users to run [[systemd#Power_management|power management]] commands.<br />
<br />
{{bc|<br />
set $Locker i3lock && sleep 1<br />
<br />
set $mode_system System (l) lock, (e) logout, (s) suspend, (h) hibernate, (r) reboot, (Shift+s) shutdown<br />
mode "$mode_system" {<br />
bindsym l exec --no-startup-id $Locker, mode "default"<br />
bindsym e exec --no-startup-id i3-msg exit, mode "default"<br />
bindsym s exec --no-startup-id $Locker && systemctl suspend, mode "default"<br />
bindsym h exec --no-startup-id $Locker && systemctl hibernate, mode "default"<br />
bindsym r exec --no-startup-id systemctl reboot, mode "default"<br />
bindsym Shift+s exec --no-startup-id systemctl poweroff -i, mode "default" <br />
<br />
# back to normal: Enter or Escape<br />
bindsym Return mode "default"<br />
bindsym Escape mode "default"<br />
}<br />
<br />
bindsym $mod+Pause mode "$mode_system"<br />
}}<br />
<br />
Once completed, you will be presented with a prompt whenever you press {{ic|$mod+Pause}}. For more complex behaviour, use a separate script and refer to it in the mode. [https://gist.github.com/anonymous/c8cd0a59bf4acb273068]<br />
<br />
{{Note|1=<br><br />
* {{ic|sleep 1}} adds a small delay to prevent possible race conditions with suspend [https://bugs.launchpad.net/ubuntu/+source/unity-2d/+bug/830348]<br />
* The {{ic|-i}} argument for {{ic|systemctl poweroff}} causes a shutdown even if other users are logged in (this requires {{Pkg|polkit}}), or when ''logind'' (wrongly) assumes so. [https://bugs.freedesktop.org/show_bug.cgi?id=62676]<br />
}}<br />
<br />
For a list of alternative screen lockers, see [[List of applications/Security#Screen lockers]].<br />
<br />
=== External displays manual management ===<br />
<br />
Thanks to [[xrandr]] there are many ways to manage the system's displays. The example below integrates it into the i3 config file and behaves like the power management section above.<br />
<br />
Here, a laptop with both VGA and HDMI outputs uses a menu selection to switch them on or off:<br />
<br />
## Manual management of external displays<br />
# Set the shortcuts and what they do<br />
set $mode_display Ext Screen (v) VGA ON, (h) HDMI ON, (x) VGA OFF, (y) HDMI OFF<br />
mode "$mode_display" {<br />
bindsym v exec --no-startup-id xrandr --output VGA1 --auto --right-of LVDS1, mode "default"<br />
bindsym h exec --no-startup-id xrandr --output HDMI1 --auto --right-of LVDS1, mode "default"<br />
bindsym x exec --no-startup-id xrandr --output VGA1 --auto --off, mode "default"<br />
bindsym y exec --no-startup-id xrandr --output HDMI1 --auto --off, mode "default"<br />
<br />
# back to normal: Enter or Escape<br />
bindsym Return mode "default"<br />
bindsym Escape mode "default"<br />
}<br />
# Declare here the shortcut to bring the display selection menu<br />
bindsym $mod+x mode "$mode_display"<br />
<br />
Any window still open on a display that has been switched off will automatically move to the remaining active display.<br />
<br />
The simplest way to determine the names of your devices is to plug in the device you wish to use and run:<br />
<br />
$ xrandr --query<br />
<br />
which will output the available, recognized devices and their in-system names to set your config file appropriately. <br />
<br />
Refer to the [[xrandr]] page or man page for the complete list of available options, the [http://i3wm.org/docs/userguide.html i3 userguide] and/or the [https://www.reddit.com/r/i3wm i3 FAQ on reddit] for more info.<br />
<br />
=== Tabbed or stacked web-browsing ===<br />
<br />
Some web-browsers intentionally do not implement tabs, since managing tabs is considered to be the task of the window manager, not the task of the browser.<br />
<br />
To let i3 manage your tab-less web-browser, in this example for [[uzbl]], add the following line to your {{ic|~/.config/i3/config}}<br />
<br />
for_window [class="Uzbl-core"] focus child, layout stacking, focus<br />
<br />
This is for stacked web browsing, meaning that the windows will be shown vertically. The advantage over tabbed browsing is that the window-titles are fully visible, even if a lot of browser windows are open.<br />
<br />
If you prefer tabbed browsing, with windows in horizontal direction ('tabs'), use<br />
<br />
for_window [class="Uzbl-core"] focus child, layout tabbed, focus<br />
<br />
=== Workspace variables ===<br />
<br />
As workspaces are defined multiple times in i3, assigning workspace variables can be helpful. For example [https://github.com/dkeg/bloat2.0/blob/master/i3config#L55]:<br />
<br />
set $WS1 term<br />
set $WS2 web<br />
set $WS3 misc<br />
set $WS4 media<br />
set $WS5 code<br />
<br />
Then replace workspace names with their matching variables:<br />
<br />
bindsym $mod+1 workspace $WS1<br />
...<br />
bindsym $mod+Shift+1 move container to workspace $WS1<br />
<br />
See [http://i3wm.org/docs/userguide.html#_changing_named_workspaces_moving_to_workspaces Changing named workspaces] for more information.<br />
<br />
=== Correct handling of floating dialogs ===<br />
<br />
While dialogs should open in floating mode by default [http://i3wm.org/docs/userguide.html#_floating], many still open in tiling mode. To change this behaviour, check the dialog's {{ic|WM_WINDOW_ROLE}} with {{pkg|xorg-xprop}} and add the correct rules to {{ic|~/.i3/config}} (using [http://www.pcre.org/ pcre] syntax):<br />
<br />
for_window [window_role="pop-up"] floating enable<br />
for_window [window_role="task_dialog"] floating enable<br />
<br />
You can also use title rules and regular expressions:<br />
<br />
for_window [title="Preferences$"] floating enable<br />
<br />
or {{ic|WM_CLASS}}:<br />
<br />
for_window [class="(?i)mplayer"] floating enable<br />
<br />
=== Network Download/Upload speed on statusbar ===<br />
<br />
You might adapt this upstream [http://code.stapelberg.de/git/i3status/tree/contrib/measure-net-speed.bash script]. For that,<br />
<br />
* rename both network cards according to your system (use {{ic|ip addr}})<br />
* find them on {{ic|/sys/devices}} then replace them appropriately:<br />
$ find /sys/devices -name ''network_interface''<br />
<br />
{{Tip|Use {{ic|/sys/class/net/''interface''/statistics/}} to not depend on PCI location.}}<br />
<br />
Now, just save the script in a suitable place (for example {{ic|~/.config/i3}}) and point your status program to it.<br />
<br />
== Patches ==<br />
<br />
Packages with patches not merged upstream are available in the [[AUR]]:<br />
<br />
* {{App|i3bar-icons-git|Display XBM icons in i3bar|https://github.com/ashinkarov/i3-extras|{{AUR|i3bar-icons-git}}{{Broken package link|{{aur-mirror|i3bar-icons-git}}}}}}<br />
* {{App|i3-smart-border|Smart borders|https://github.com/ashinkarov/i3-extras|{{AUR|i3-smart-border}}{{Broken package link|{{aur-mirror|i3-smart-border}}}}}}<br />
* {{App|i3-wm-iconpatch|Titlebar icon support|https://github.com/ashinkarov/i3-extras|{{AUR|i3-wm-iconpatch}}}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== General ===<br />
<br />
In many cases, bugs are fixed in the development versions {{AUR|i3-git}} and {{AUR|i3status-git}}, and upstream will ask to reproduce any errors with this version. [http://i3wm.org/docs/debugging.html] See also [[Debug - Getting Traces#General]].<br />
<br />
=== Buttons in the i3 message bar do not work ===<br />
<br />
Buttons such as "Edit config" in {{ic|i3-nagbar}} call {{ic|i3-sensible-terminal}}, so make sure your [[#Terminal_emulator|Terminal emulator]] is recognized by i3.<br />
<br />
=== Faulty line wraps in tiled terminals ===<br />
<br />
i3 v4.3 and higher ignore size increment hints for tiled windows [https://www.mail-archive.com/i3-discuss@i3.zekjur.net/msg00709.html]. This may cause terminals to wrap lines prematurely, amongst other issues. As a workaround, make the offending window floating, before tiling it again.<br />
<br />
=== Mouse cursor remains in waiting mode ===<br />
<br />
When starting a script or application which does not support startup notifications, the mouse cursor will remain in busy/watch/clock mode for 60 seconds.<br />
<br />
To solve this for a particular application, use the {{ic|--no-startup-id}} parameter, for example:<br />
<br />
 exec --no-startup-id ~/script<br />
 bindsym $mod+d exec --no-startup-id dmenu_run<br />
<br />
To disable this animation globally, see [[Cursor themes#Create links to missing cursors]].<br />
<br />
=== Unresponsive key bindings ===<br />
<br />
Some tools such as [[Taking_a_screenshot#scrot|scrot]] may not work when used with a regular key binding (executed after key press). In those cases, execute commands after key release with the {{ic|--release}} argument [http://i3wm.org/docs/userguide.html#keybindings]:<br />
<br />
bindsym --release Print exec --no-startup-id scrot<br />
bindsym --release Shift+Print exec --no-startup-id scrot -s<br />
<br />
=== Tearing ===<br />
<br />
i3 does [https://github.com/i3/i3/issues/661 not properly implement double buffering] hence tearing or flickering may occur. To prevent this, install and configure [[compton]]. [https://faq.i3wm.org/question/3279/do-i-need-a-composite-manager-compton.1#post-id-3282]<br />
<br />
=== Tray icons not visible ===<br />
<br />
The default {{ic|tray_output primary}} directive may require setting a primary output with ''xrandr'', specifying the output explicitly or simply removing this directive. [https://github.com/i3/i3/issues/1144] See [[Xrandr]] for details. The default configuration created by i3-config-wizard will no longer add this directive to the configuration with i3 4.12.<br />
<br />
== See also ==<br />
<br />
* [http://i3wm.org Official website]<br />
* [http://www.funtoo.org/I3_Tiling_Window_Manager funtoo Wiki]<br />
* [http://code.stapelberg.de/git/i3 i3 Source code]<br />
* [https://github.com/ashinkarov/i3-extras i3-extras] - Collection of scripts and patches<br />
* [https://github.com/acrisci/i3ipc-glib i3ipc-glib] - A library for i3 extensions<br />
* [https://github.com/veelenga/i3ipc-ruby i3ipc-ruby] - An improved library for i3 extensions in Ruby<br />
* [http://www.j4tools.org/ j4tools] - non-official tools designed to work with i3<br />
<br />
'''Arch Linux Forums'''<br />
* [https://bbs.archlinux.org/viewtopic.php?id=99064 The i3 thread] - A general discussion about i3<br />
* [https://bbs.archlinux.org/viewtopic.php?id=103369 i3 desktop screenshots and config sharing]<br />
<br />
'''Screencasts'''<br />
* [http://www.youtube.com/watch?v=Wx0eNaGzAZU i3 window manager v4.1 screencast]<br />
* [https://www.youtube.com/watch?v=j1I63wGcvU4&index=1&list=PL5ze0DjYv5DbCv9vNEzFmP6sU7ZmkGzcf i3 window manager v4.1X screencasts]</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Resilio_Sync&diff=379803Resilio Sync2015-06-23T02:05:06Z<p>Usprey: /* Usage */ Added note about loginctl enable-lingering on headless servers</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[ja:BitTorrent Sync]]<br />
[http://labs.bittorrent.com/experiments/sync.html BitTorrent Sync] (BTSync) is a file sharing system that relies on the [http://en.wikipedia.org/wiki/Bittorrent BitTorrent] protocol. Instead of having a central server which archives every file, this syncing method uses peer-to-peer connections between the devices themselves, so there is no limit on data storage and/or transfer speed. The user's data is stored exclusively on the devices the user chose to keep in sync, hence at least two user devices, or "nodes", must be online. If many devices are connected simultaneously, files are shared between them in a mesh networking topology.<br />
<br />
== Security ==<br />
<br />
All traffic between devices is encrypted with AES-128 in counter mode, using a unique session key. This key is derived from a 'secret', which itself is a random 21-byte key, Base32-encoded. By handing over the 'secret', files and folders can be shared with other users.<br />
<br />
== Synchronization ==<br />
<br />
When a device adds a folder for synchronization, a secret is generated. From now on, every device that wants to synchronize that folder must know the secret key.<br />
<br />
The synchronization has no speed or size limits, as long as both devices have enough disk space.<br />
<br />
== Installation ==<br />
<br />
{{AUR|btsync}} can be installed from the [[AUR]]. The package includes [[systemd]] service definitions for managing the btsync daemon. This package creates a default {{ic|/etc/btsync.conf}} for system/root operation. Make the desired changes (e.g. login id and password) to that file prior to enabling the service file with systemctl.<br />
<br />
Alternatively, the bare 'tar.gz' packaged executable can be downloaded from the [http://www.bittorrent.com/sync/download/ official website]. The rest of this guide assumes that you are using the btsync AUR package.<br />
<br />
== Usage ==<br />
<br />
The Linux client of BTSync does not use a typical GUI; instead it sets up a WebUI server accessible at {{ic|localhost:8888}}. Shared folders can also be configured statically in a configuration file, but doing so disables the WebGUI.<br />
<br />
Once installed, you'll first need to create a configuration file at {{ic|~/.config/btsync/btsync.conf}}, see [[#Configuration]]. You will also need to create the {{ic|storage_path}} directory. When that is done, start and (if you want it to start on boot) enable the service:<br />
$ systemctl --user start btsync<br />
$ systemctl --user enable btsync<br />
The service will run as the user invoking the command. Note that the above command is ''not'' run as root: doing so may lead to a cryptic error stating that D-Bus has refused the connection.<br />
<br />
{{note|If running {{ic|btsync}} on a headless server, enable lingering to start {{ic|btsync}} and keep it running outside user sessions: [[Systemd/User#Automatic_start-up_of_systemd_user_instances]].}}<br />
<br />
You can also run it as the {{ic|btsync}} system user, just leave the {{ic|--user}} part out:<br />
# systemctl enable btsync<br />
# systemctl start btsync<br />
Configuration for this user is located at {{ic|/etc/btsync.conf}}, and metadata is saved in {{ic|/var/lib/btsync/}} by default. You should review the configuration settings, especially the user and password; see below.<br />
<br />
== Configuration ==<br />
A sample configuration file can be created using {{ic|btsync --dump-sample-config}}. You'll probably want to change some of the settings, including:<br />
<br />
* device_name<br />
* storage_path<br />
* webui/login<br />
* webui/password<br />
<br />
{{note|The {{ic|btsync}} executable does not create the {{ic|storage_path}} directory if it doesn't exist, you will have to do this manually or use [[#Automatic config file creation]].}}<br />
{{note|The storage_path setting defines where metadata will be saved, '''not''' the synced files themselves. Where synced files are saved is configured on a per-folder basis in the WebGUI.}}<br />
<br />
===Automatic config file creation===<br />
<br />
The {{AUR|btsync-autoconfig}} package provides a systemd user service ({{ic|btsync-autoconfig.service}}) which, if enabled, triggers when a user's {{ic|btsync.service}} starts and creates a config file with default values if it does not already exist.<br />
<br />
{{note| If the config file was generated by {{AUR|btsync-autoconfig}} it will be configured with a different port. Rather than 8888, the port for the user's instance of {{ic|btsync}} will be {{ic|7889 + $UID}}. If your {{ic|$UID}} is "1000", the port will be 8889.}}<br />
<br />
The install script enables the service for all users by default. Although disabling it defeats most of its purpose, it can be disabled using<br />
<br />
# systemctl --global disable btsync-autoconfig.service<br />
<br />
Individual users can then enable it if they like:<br />
<br />
$ systemctl --user enable btsync-autoconfig.service<br />
<br />
{{ic|btsync-autoconfig.service}} creates {{ic|~/.config/btsync/btsync.conf}} if it does not exist, and guesses some default values of the settings:<br />
<br />
* device_name: {{ic|$USER@$HOSTNAME}}<br />
* storage_path: {{ic|~/.btsync}}<br />
* webui/login: {{ic|$USER/password}}<br />
<br />
The script also creates the {{ic|storage_path}} directory set in the config file if it does not exist. This is done independently from the creation of the config file.<br />
<br />
== Unofficial GUI ==<br />
The {{AUR|btsync-gui}} package provides an unofficial clone of the GUI interface for BTSync available for Windows. By default it disables the WebGUI interface for security reasons. If you want to migrate your existing BTSync setup, move the contents of your current storage folder (probably {{ic|~/.config/btsync}}) to {{ic|~/.btsync}} and disable the {{ic|btsync@user}} systemd service that you are currently using.<br />
<br />
==Troubleshooting==<br />
<br />
===Missing storage path===<br />
<br />
If you start the service but cannot reach the WebUI, check the status of btsync by entering {{ic|systemctl --user status btsync}} (or {{ic|systemctl status btsync}} for the system-wide instance).<br />
<br />
A common error is {{ic|Storage path specified in config file does not exist.}}. This is easily fixed by {{ic|mkdir ~/.btsync}}, or whatever your {{ic|storage_path}} is set to.<br />
<br />
===Ignore some files/folders synchronization===<br />
<br />
If you do not want BitTorrent Sync to track some files in your sync folder, use <code>IgnoreList</code>. <code>IgnoreList</code> is located in the hidden <code>.sync</code> folder.<br />
<br />
<code>IgnoreList</code> is a UTF-8 encoded .txt file that allows you to specify single files, paths or rules for ignoring during the synchronization job. Each line of the <code>IgnoreList</code> file represents a separate rule. All the files that fall under the ignore filter are not indexed and not counted in the "Size" column in Sync main view.<br />
<br />
It supports '?' and '*' wildcard symbols.<br />
<br />
Note that <code>IgnoreList</code> is applied only to the folder where it is contained and will not work with the files that have already been synced. If you add indexed files to <code>IgnoreList</code>, they will be deleted on other syncing devices. In order to avoid this:<br />
<br />
* Remove the folder from sync on all the devices.<br />
* Modify <code>IgnoreList</code> file on all of them so that it contains same info.<br />
* Re-add the modified folders.<br />
<br />
For further details, please refer to [http://help.getsync.com/customer/portal/articles/1673122-ignoring-files-in-sync-ignorelist-?b_id=3895 Ignoring files in Sync (IgnoreList)]<br />
<br />
===ARM alignment error===<br />
<br />
Add the line {{ic|w /proc/cpu/alignment - - - - 2}} to {{ic|/etc/tmpfiles.d/btsync.conf}}. (You need to create the file).<br><br />
Note that this may lead to performance degradation.<br />
<br />
== See also ==<br />
<br />
*[http://help.getsync.com/ Official BitTorrent Sync Help]<br />
*[http://www.bittorrent.com/help/faq/sync Official BitTorrent Sync FAQ]{{Dead link|2015|01|27}}</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=354835Tor2015-01-01T16:13:19Z<p>Usprey: /* Tor configuration */ formatting</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root: set {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}, so that Tor drops back to the {{ic|tor}} user once the ports are bound.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot. Run as root.<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"<br />
mkdir -p "$TORCHROOT/etc/tor"<br />
mkdir -p "$TORCHROOT/dev"<br />
mkdir -p "$TORCHROOT/usr/bin"<br />
mkdir -p "$TORCHROOT/usr/lib"<br />
mkdir -p "$TORCHROOT/usr/share/tor"<br />
mkdir -p "$TORCHROOT/var/lib"<br />
<br />
# Relative link, so /lib resolves to /usr/lib inside the chroot just as on the host.<br />
ln -s usr/lib "$TORCHROOT/lib"<br />
cp /etc/hosts "$TORCHROOT/etc/"<br />
cp /etc/host.conf "$TORCHROOT/etc/"<br />
cp /etc/localtime "$TORCHROOT/etc/"<br />
cp /etc/nsswitch.conf "$TORCHROOT/etc/"<br />
cp /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# Libraries glibc loads at run time (NSS, resolver, libgcc_s) and the dynamic loader are not all listed by ldd.<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
# Everything tor links against directly.<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor user and group need to exist inside the chroot.<br />
grep --color=never "^tor:" /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep --color=never "^tor:" /etc/group > "$TORCHROOT/etc/group"<br />
<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    # Relative links: the ELF interpreter path /lib64/ld-linux-x86-64.so.2 must still resolve once / is the chroot.<br />
    ln -s usr/lib64 "$TORCHROOT/lib64"<br />
    ln -s lib "$TORCHROOT/usr/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd-nspawn container with a virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
=== Host installation and configuration ===<br />
<br />
In this example the container will reside in {{ic|/srv/container}}:<br />
# mkdir /srv/container/tor-exit<br />
<br />
Install the {{Pkg|arch-install-scripts}}:<br />
# pacman -S arch-install-scripts<br />
<br />
Install {{Grp|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation_with_pacstrap]]:<br />
# pacstrap -i -c -d /srv/container/tor-exit base tor arm<br />
<br />
Create directory if it does not exist:<br />
# mkdir /var/lib/container<br />
<br />
Symlink to register the container on the host, as per [[Systemd-nspawn#Boot_your_container_at_your_machine_startup]]:<br />
# ln -s /srv/container/tor-exit /var/lib/container/tor-exit<br />
<br />
==== Virtual network interface ====<br />
<br />
Create a drop-in directory for the container service:<br />
# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}} automatically creates a macvlan interface named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}.<br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Setup [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network}}.<br />
<br />
==== Start and enable systemd-nspawn ====<br />
<br />
[[Start]] and enable {{ic|systemd-nspawn@tor-exit.service}}.<br />
<br />
=== Container configuration ===<br />
{{ic|# machinectl login tor-exit}} logs in to the container, see [[Systemd-nspawn#machinectl_command]].<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}} if you get the error described in [[Systemd-nspawn#Troubleshooting]].<br />
<br />
==== Start and enable systemd-networkd ====<br />
<br />
[[Start]] and enable {{ic|systemd-networkd.service}}. {{ic|networkctl}} shows whether {{ic|systemd-networkd}} is correctly configured.<br />
<br />
=== Configure Tor ===<br />
See [[Tor#Running_a_Tor_server]].<br />
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check whether Tor is functioning properly, visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and accept the ''void your warranty'' prompt. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy instead of your local resolver.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to switch between normal browsing and the Tor network just by left-clicking the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set it to use port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] listens. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check whether Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, which hands the hostname to the proxy for resolution.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, no HTTP proxy like [[polipo]]/[[privoxy]] is needed. The client talks to Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should share at least 20 KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (relay only, no exit):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
{{Note|See [[Tor#Running_Tor_in_a_systemd-nspawn_container_with_a_virtual_network_interface]] for instructions to install Tor in a {{ic|systemd-nspawn}} container. [[Haveged]] should be installed on the container host.}}<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check whether the {{ic|nofile}} (file descriptor) limit has been raised successfully with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} (ulimit is a shell builtin, so it needs a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor's privileges afterwards.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
SocksPort 0 ## Pure relay configuration without local socks proxy<br />
<br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
Tor opens a socks proxy on port 9050 by default -- even if you don't configure one. Set {{ic|SocksPort 0}} if you plan to run Tor only as a relay, and not make any local application connections yourself.<br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} serves the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent the firewall.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep aes /proc/cpuinfo</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Instead of a [[Simple_stateful_firewall]], where connection tracking would have to track thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allows already established incoming TCP connections (per the rules below) and TCP connections initiated by the exit node itself: without connection tracking, any TCP packet that is not a SYN is treated as belonging to an existing connection.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP because we do not use connection tracking.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle many OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Configure Tor to listen for DNS requests on port 9053 again (i.e. {{ic|DNSPort 9053}}) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolver configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated by a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
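Added example (not code from this wiki, tor-resolve or the Tor project) showing at the byte level what separates the approaches above: a SOCKS5 CONNECT that hands the hostname to Tor (what {{ic|network.proxy.socks_remote_dns}}, curl's {{ic|--socks5-hostname}} and SOCKS4a achieve), a CONNECT carrying an IP that was resolved locally (the DNS leak), and the RESOLVE command tor-resolve uses. Only {{ic|tor_resolve()}} needs a running Tor on 127.0.0.1:9050; the reply bytes shown are constructed.<br />

```python
"""SOCKS5 messages to Tor's SocksPort: hostname CONNECT, IP CONNECT, RESOLVE.

Added example, not code from the Arch Wiki, tor-resolve or the Tor project.
Layout follows RFC 1928 plus Tor's SOCKS extension (command 0xF0 = RESOLVE,
which tor-resolve uses).  Only tor_resolve() needs a running Tor; everything
else works on bytes and can be tried offline with a constructed reply.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0  # Tor-specific: the answer carries the resolved IP in BND.ADDR
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def build_request(command, host, port):
    """Encode a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    A literal IP is sent as ATYP 0x01/0x04.  Anything else is sent as the
    hostname itself (ATYP 0x03), so Tor resolves it inside the circuit; this
    is what socks5h, curl --socks5-hostname, SOCKS4a and Firefox's
    network.proxy.socks_remote_dns achieve.
    """
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            dst = bytes([atyp]) + socket.inet_pton(family, host)
            break
        except OSError:
            continue
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, command, 0x00]) + dst + struct.pack("!H", port)


def leaks_dns(request):
    """True if a CONNECT carries an IP: the client resolved the name itself,
    so the lookup already went to the local resolver outside Tor."""
    return request[1] == CMD_CONNECT and request[3] in (ATYP_IPV4, ATYP_IPV6)


def parse_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT into (status, address, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    text = REPLY_TEXT.get(status, "unknown status %d" % status)
    return text, addr, struct.unpack("!H", rest[:2])[0]


def tor_resolve(hostname, proxy=("127.0.0.1", 9050), timeout=60):
    """Resolve a name through the Tor network, like `tor-resolve hostname`."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))  # offer one method: no auth
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError("Tor did not accept the no-auth method")
        s.sendall(build_request(CMD_RESOLVE, hostname, 0))
        status, addr, _ = parse_reply(s.recv(512))
        if status != "succeeded":
            raise RuntimeError("RESOLVE failed: " + status)
        return addr


if __name__ == "__main__":
    good = build_request(CMD_CONNECT, "check.torproject.org", 443)
    bad = build_request(CMD_CONNECT, "208.78.69.70", 80)
    print("hostname CONNECT leaks DNS:", leaks_dns(good))  # False
    print("IP CONNECT leaks DNS:", leaks_dns(bad))         # True
    # Constructed reply: success, BND.ADDR 66.211.214.131 (IPv4), port 0.
    print(parse_reply(b"\x05\x00\x00\x01\x42\xd3\xd6\x83\x00\x00"))
```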
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not to mention that it prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv4}} and {{ic|--ipv6}} are used for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its own protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}, so the IPv6 rules use a plain {{ic|REJECT}}.<br />
<br />
The rules assume the ports below; make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
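To see how these rules fail closed, the following Python script (an added example, not part of this page) walks a locally generated IPv4 packet through the nat and filter OUTPUT chains of the ruleset above: TCP and DNS are redirected to Tor's ''TransPort'' and ''DNSPort'', traffic from the {{ic|tor}} user and the LAN passes untouched, and any other UDP is rejected. The packet values (uid {{ic|alice}}, destination 203.0.113.10) are constructed.<br />

```python
"""Trace a locally generated IPv4 packet through the transparent torification ruleset
(nat OUTPUT, then filter OUTPUT). Added example, not the page's code; it supports only
the matches that ruleset uses on its OUTPUT chains."""
import ipaddress
import shlex

# Constructed input: the OUTPUT chains of the page's iptables.rules (IPv4 view).
RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""
# option -> (packet field, converter) for the single-argument matches used above
MATCHES = {"-p": ("proto", str), "--dport": ("dport", int), "--uid-owner": ("uid", str),
           "-d": ("dst", ipaddress.ip_network),
           "--ctstate": ("ctstate", lambda v: set(v.split(",")))}

def parse_rule(tokens):
    """'-A CHAIN ...' tokens -> rule dict, or None for an ip6tables-only line."""
    if tokens[0] == "--ipv6":
        return None
    tokens = tokens[1:] if tokens[0] == "--ipv4" else tokens
    rule, i = {"match": {}, "arg": None}, 0
    while i < len(tokens):
        tok, val = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = val
        elif tok == "-j":
            rule["target"] = val
        elif tok in ("--to-ports", "--reject-with"):
            rule["arg"] = val
        elif tok in MATCHES:
            field, conv = MATCHES[tok]
            rule["match"][field] = conv(val)
        elif tok == "--tcp-flags":    # "<mask> <set>": nat only sees NEW packets, i.e. SYNs
            i += 1
        i += 2                        # "-m <module>" and the rest consume one argument
    return rule

def parse_rules(text):
    """iptables-restore text -> {table: {chain: {"policy": ..., "rules": [...]}}}."""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):    # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            table[chain] = {"policy": policy, "rules": []}
        elif line and line != "COMMIT":
            rule = parse_rule(shlex.split(line))
            if rule:
                table[rule["chain"]]["rules"].append(rule)
    return tables

def matches(rule, pkt):
    for field, want in rule["match"].items():    # every match must agree
        got = ipaddress.ip_address(pkt["dst"]) if field == "dst" else pkt[field]
        if not (got in want if field in ("dst", "ctstate") else got == want):
            return False
    return True

def run_chain(table, chain, pkt):
    """First matching rule decides; RETURN or no match falls back to the chain policy."""
    for rule in table[chain]["rules"]:
        if matches(rule, pkt):
            if rule["target"] == "RETURN":
                break
            return rule["target"], rule["arg"]
    return table[chain]["policy"], None

def trace_output(tables, pkt):
    """("torified", port) | ("allowed", None) | ("blocked", reason) for one packet."""
    pkt, port = dict(pkt), None
    if pkt["ctstate"] == "NEW":              # only a flow's first packet traverses nat
        target, arg = run_chain(tables["nat"], "OUTPUT", pkt)
        if target == "REDIRECT":             # REDIRECT rewrites dst to the local Tor port
            port, pkt["dst"], pkt["dport"] = int(arg), "127.0.0.1", int(arg)
    verdict, reason = run_chain(tables["filter"], "OUTPUT", pkt)
    if verdict != "ACCEPT":
        return "blocked", reason or verdict
    return ("torified", port) if port else ("allowed", None)

def packet(proto, dport, dst="203.0.113.10", uid="alice", ctstate="NEW"):
    # constructed packet; 203.0.113.0/24 is the TEST-NET-3 documentation range
    return {"proto": proto, "dport": dport, "dst": dst, "uid": uid, "ctstate": ctstate}
```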
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the User value, which most likely means that one or more files or directories in {{ic|/var/lib/tor}} are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will still be run as the tor user; for this purpose, change the owner and group of the data directory to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=354834Tor2015-01-01T16:12:48Z<p>Usprey: /* Tor configuration */ added socksport explanation</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot; run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Symlink targets are resolved inside the chroot, so /usr/lib here means $TORCHROOT/usr/lib<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# The tor binary, its GeoIP data and every shared library it links against<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
# The dynamic loader is found via /lib64/ld-linux-x86-64.so.2, so /lib64 and /usr/lib64<br />
# must resolve to /usr/lib inside the chroot, not to a path on the host<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -s /usr/lib $TORCHROOT/lib64<br />
ln -s /usr/lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd-nspawn container with a virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
=== Host installation and configuration ===<br />
<br />
In this example the container will reside in {{ic|/srv/container}}:<br />
# mkdir /srv/container/tor-exit<br />
<br />
Install the {{Pkg|arch-install-scripts}}:<br />
# pacman -S arch-install-scripts<br />
<br />
Install {{Grp|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation_with_pacstrap]]:<br />
# pacstrap -i -c -d /srv/container/tor-exit base tor arm<br />
<br />
Create the directory if it does not exist:<br />
# mkdir /var/lib/container<br />
<br />
Symlink to register the container on the host, as per [[Systemd-nspawn#Boot_your_container_at_your_machine_startup]]:<br />
# ln -s /srv/container/tor-exit /var/lib/container/tor-exit<br />
<br />
==== Virtual network interface ====<br />
<br />
Create a drop-in directory for the container service:<br />
# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}} automagically creates a macvlan named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}. <br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} is set as per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Setup [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network}}.<br />
<br />
==== Start and enable systemd-nspawn ====<br />
<br />
[[Start]] and enable {{ic|systemd-nspawn@tor-exit.service}}.<br />
<br />
=== Container configuration ===<br />
Log in to the container with {{ic|# machinectl login tor-exit}}, see [[Systemd-nspawn#machinectl_command]].<br />
<br />
If you get the error described in [[Systemd-nspawn#Troubleshooting]], run {{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}}.<br />
<br />
==== Start and enable systemd-networkd ====<br />
<br />
[[Start]] and enable {{ic|systemd-networkd.service}}. {{ic|networkctl}} shows whether {{ic|systemd-networkd}} is correctly configured.<br />
<br />
=== Configure Tor ===<br />
See [[Tor#Running_a_Tor_server]].<br />
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to use port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method, though, is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a relay that allows no exit traffic):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
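To check what an exit policy actually permits before deploying it, the following Python script (an added example; neither this page's nor the Tor project's code) evaluates a torrc {{ic|ExitPolicy}} the way Tor does: your entries in order, first match wins, then Tor's default policy. The default list is assumed to be the classic one from the tor manual and should be checked against {{ic|man tor}} for your version; 203.0.113.0/24 is a placeholder subnet.<br />

```python
"""Evaluate a torrc ExitPolicy the way Tor does: entries are tried in order, the first
match wins, and Tor's default exit policy is appended after your own entries.
Added example, not from the page or the Tor project; addresses are '*' or IPv4 CIDR,
ports are '*', a single number or a lo-hi range."""
import ipaddress

# Assumption: the classic default exit policy from the tor manual; verify the list
# against `man tor` for the version you run, as it has changed over time.
DEFAULT_POLICY = ("reject *:25, reject *:119, reject *:135-139, reject *:445, "
                  "reject *:563, reject *:1214, reject *:4661-4666, "
                  "reject *:6346-6429, reject *:6699, reject *:6881-6999, accept *:*")

def parse_policy(text):
    """torrc-style text ('ExitPolicy a:b,c:d # comment' lines, any number of them)
    -> [(action, network or None for '*', port_lo, port_hi), ...] in order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop trailing comments
        if line.lower().startswith("exitpolicy"):
            line = line[len("exitpolicy"):]
        for item in filter(None, (part.strip() for part in line.split(","))):
            action, spec = item.split()
            addr, ports = spec.rsplit(":", 1)
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            elif "-" in ports:
                lo, hi = (int(p) for p in ports.split("-"))
            else:
                lo = hi = int(ports)
            entries.append((action.lower(), net, lo, hi))
    return entries

def exit_allowed(policy, dst_ip, dst_port):
    """True if a relay with this ExitPolicy would open a stream to dst_ip:dst_port."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, lo, hi in parse_policy(policy) + parse_policy(DEFAULT_POLICY):
        if (net is None or ip in net) and lo <= dst_port <= hi:
            return action == "accept"
    return False    # not reached: the default policy ends with "accept *:*"

# Constructed policies: the page's three examples plus a block on the relay's own subnet
# (203.0.113.0/24 is a documentation range standing in for XXX.XXX.XXX.XXX/XX).
ALLOW_ALL = "ExitPolicy accept *:*"
IRC_ONLY = "ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more"
NNTP_TOO = "ExitPolicy accept *:119 # Accept nntp as well as default exit policy"
OWN_NET = "ExitPolicy reject 203.0.113.0/24:*"
```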
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
{{Note|See [[Tor#Running_Tor_in_a_systemd-nspawn_container_with_a_virtual_network_interface]] for instructions to install Tor in a {{ic|systemd-nspawn}} container. [[Haveged]] should be installed on the container host.}}<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|ulimit -Hn}} in that shell.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor returns to the tor user after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
SocksPort 0 ## Pure relay configuration without local socks proxy<br />
<br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
Tor opens a socks proxy on port 9050 by default -- even if you don't configure one. Set {{ic|SocksPort 0}} if you plan to run Tor only as a relay, and not make any local application connections yourself.<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} serves the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the public IP of the host or of neighboring machines and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require privileges the {{ic|tor}} user does not have: binding ports below 1024 needs {{ic|CAP_NET_BIND_SERVICE}} and locking all memory needs {{ic|CAP_IPC_LOCK}}. The simplest way to get them is to start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]] and use the {{ic|User tor}} option so that Tor drops to the {{ic|tor}} user after it has bound its ports. A narrower alternative is to grant just those two capabilities with {{ic|1=AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_IPC_LOCK}} in a {{ic|tor.service}} drop-in; leave {{ic|User}} out of {{ic|torrc}} in that case, because switching user (setgroups) needs capabilities that are then not granted.<br />
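<br />
The {{ic|ExitPolicy reject}} line is the one setting above that is easy to get wrong by hand. The following script is an added example and not part of the original page: it derives the reject lines from the output of {{ic|ip -o -4 addr show scope global}} and masks each address down to its subnet, so the policy covers the relay's own address and its neighbours as the torrc comment asks. The function names and the two sample interface lines (RFC 5737 documentation addresses) are this example's own.<br />
<br />
```bash
#!/bin/sh
# Added example, not from the Arch wiki page: build the "ExitPolicy reject"
# lines for a relay from `ip -o -4 addr show scope global` output, masking each
# address down to its subnet so the policy covers the host and its neighbours.
# Live use on the relay:
#   ip -o -4 addr show scope global | sh exit-policy.sh --stdin >> /etc/tor/torrc

# Dotted quad -> 32-bit integer (POSIX shell arithmetic only).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "a.b.c.d/bits" -> "network/bits": clear the host bits so the reject line
# covers the whole neighbouring subnet and not just the relay's own address.
network_of() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    echo "$(int_to_ip $(( $(ip_to_int "$addr") & mask )))/$bits"
}

# Field 4 of every `ip -o -4 addr` line is "addr/prefix"; emit one reject each.
exit_policy_lines() {
    awk '$3 == "inet" { print $4 }' |
    while read -r cidr; do
        printf 'ExitPolicy reject %s:*\n' "$(network_of "$cidr")"
    done
}

# Constructed sample of `ip -o -4 addr show scope global` for a relay with two
# interfaces (RFC 5737 documentation addresses, not a real host).
sample_ip_addr() {
    cat <<'EOF'
2: eth0    inet 203.0.113.37/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.130/26 brd 198.51.100.191 scope global eth1\       valid_lft forever preferred_lft forever
EOF
}

exit_policy_demo() { sample_ip_addr | exit_policy_lines; }

case ${1:-} in
    --stdin) exit_policy_lines ;;      # real output from `ip` on stdin
    *)       exit_policy_demo ;;       # show the sample run
esac
```
<br />
Without arguments the script prints the two sample lines ({{ic|ExitPolicy reject 203.0.113.0/24:*}} and {{ic|ExitPolicy reject 198.51.100.128/26:*}}); with {{ic|--stdin}} it processes real {{ic|ip}} output. The explicit reject line is what adds the surrounding subnet: Tor's default {{ic|ExitPolicyRejectPrivate 1}} already refuses the private ranges and the relay's own public address.<br />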
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}} (it has to run as the {{ic|tor}} user to be able to read the authentication cookie).<br />
If you want to watch Tor's connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Unlike a [[Simple_stateful_firewall]], where connection tracking would have to follow thousands of concurrent connections on a busy exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts every TCP segment that is not a bare SYN. That is how this stateless rule set lets in the replies to connections the relay opened itself and the later segments of the inbound connections accepted by the rules below. The price is that non-SYN probes (ACK or FIN scans, spoofed segments) are not dropped either; the kernel answers them with a RST, which is acceptable for a public relay but is why this rule set should not be copied onto a host that needs a real stateful firewall.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP packets, because without connection tracking the DNS replies the exit needs cannot be told apart from anything else. It also exposes every UDP service on the host, so make sure none is listening on a public address.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allow [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allow incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allow incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a large number of OpenSSL connections; [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] provide documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay resolves names faster and does not forward every DNS query to an external recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## Cache size in KB: 102400 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## List of the real upstream resolvers; not /etc/resolv.conf, which will point at pdnsd itself<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is censored or otherwise interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This lets Tor accept DNS requests (listening on port 9053 in this example) like a regular DNS server and resolve the name through the Tor network, at the exit relay. A downside is that only A, AAAA and PTR queries are handled; MX, NS, TXT and other record types are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the {{ic|DNSPort}} line in {{ic|/etc/tor/torrc}} to read:<br />
<br />
DNSPort 53<br />
<br />
Port 53 is a privileged port, so this only works when Tor is started with the rights to bind it (see [[#Start tor.service as root to bind Tor to privileged ports]]). With the unprivileged default, the caching resolver described next is the way to go.<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep the Tor setting from above that listens for DNS requests on port 9053 ({{ic|DNSPort 9053}}) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
This configures dnsmasq to listen only for requests from the local computer and to use TorDNS as its sole upstream. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to stop it from overwriting the resolver configuration file on every lease. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
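<br />
Pulled together as one script, as an added example that is not part of the original page: this writes the three files above under a prefix directory, so the result can be inspected in a scratch directory before being run against {{ic|/}} as root, and it merges {{ic|resolv.conf}} into an existing {{ic|nohook}} line the way the paragraph above describes. The function names and the prefix argument are this example's own; the file contents are the page's.<br />
<br />
```bash
#!/bin/sh
# Added example, not from the Arch wiki page: write the dnsmasq, resolv.conf
# and dhcpcd parts of the "all DNS through TorDNS" setup under a prefix
# directory, so they can be reviewed in a scratch directory first
# (sh tordns-files.sh /tmp/scratch) and then applied for real
# (sh tordns-files.sh / as root). DNSPort 9053 is the value from the page.

# Keep dhcpcd from overwriting resolv.conf. If a nohook line already exists,
# append resolv.conf to it comma separated (once); otherwise add the line.
add_dhcpcd_nohook() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^nohook[[:space:]]' "$conf"; then
        awk '/^nohook[ \t]/ && $0 !~ /resolv\.conf/ {
                 sub(/[ \t]+$/, ""); $0 = $0 ",resolv.conf"
             }
             { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'nohook resolv.conf\n' >> "$conf"
    fi
}

install_tordns_files() {
    root=$1
    mkdir -p "$root/etc"

    # dnsmasq: answer only on loopback, ignore /etc/resolv.conf for upstreams
    # and forward everything to Tor's DNSPort ("#9053" is dnsmasq port syntax).
    cat > "$root/etc/dnsmasq.conf" <<'EOF'
no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1
EOF

    # The system resolver must point at dnsmasq and nothing else.
    printf 'nameserver 127.0.0.1\n' > "$root/etc/resolv.conf"

    add_dhcpcd_nohook "$root/etc/dhcpcd.conf"
}

if [ $# -eq 1 ]; then
    install_tordns_files "$1"
fi
```
<br />
Running it twice is safe: the {{ic|nohook}} merge only appends when {{ic|resolv.conf}} is not already on the line, and the other two files are rewritten with the same content.<br />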
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Whether hostname lookups go through Tor depends on the wrapper torify picks: current ''torsocks'' intercepts {{ic|getaddrinfo()}} and resolves names through Tor's SOCKS port, whereas the older ''tsocks'' wrapper let lookups escape to the system resolver. If in doubt, or for a program that resolves names in a way the wrapper cannot intercept, resolve the name first with {{ic|<nowiki>tor-resolve</nowiki>}} (described above) and pass the address. For the first of the above examples that looks like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not least because it prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' still works. This also covers DNS via Tor's ''DNSPort'', but realize that Tor only carries TCP: UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks.<br />
<br />
Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also does not protect against fingerprinting on its own, so use it together with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or use an amnesic solution like [http://tails.boum.org/ Tails] instead.<br />
<br />
Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (used internally by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Rules are marked with {{ic|--ipv4}} or {{ic|--ipv6}} where they are protocol specific, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can share the same file: each {{ic|ip*tables-restore}} ignores a rule marked for the other protocol.<br />
* {{ic|ip6tables}} uses different {{ic|--reject-with}} type names (e.g. {{ic|icmp6-port-unreachable}}), so the reject rules with explicit types are marked {{ic|--ipv4}} and IPv6 gets a plain {{ic|REJECT}}.<br />
* The {{ic|192.168.0.0/16}} rules let traffic to the local network bypass Tor; adjust or remove them to match your LAN.<br />
* The port numbers in the rules must match your torrc. Make sure it contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables. Use two separate commands; brace-expanding {{ic|enable}} and {{ic|start}} into a single {{ic|systemctl}} invocation produces one invalid argument list instead of two commands:<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
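<br />
A mismatch between the ports in torrc and the {{ic|--to-ports}} targets in the nat table is the usual way this setup breaks (the TorDNS section above uses 9053 for {{ic|DNSPort}}, this one 5353), and because the filter table blocks everything else, DNS simply stops working. The following checker is an added example and not part of the original page: it reads {{ic|TransPort}} and {{ic|DNSPort}} from torrc and reports every REDIRECT in the rules file whose port does not match. The function names, the sample torrc and the deliberately broken copy of the rules are this example's own; the good rules are the nat table from the file above.<br />
<br />
```bash
#!/bin/sh
# Added example, not from the Arch wiki page: check that every REDIRECT in the
# nat table of an iptables rules file points at a port Tor really listens on
# (TransPort for TCP, DNSPort for UDP), reading both values from torrc.
# Usage: sh check-torports.sh /etc/tor/torrc /etc/iptables/iptables.rules

# Port of a torrc *Port option. Tor accepts "[addr:]port [flags...]" and the
# last occurrence wins, so the address part is stripped and the last value kept.
torrc_port() {
    awk -v key="$2" '$1 == key { v = $2 }
        END { if (v != "") { sub(/^.*:/, "", v); print v } }' "$1"
}

check_redirects() {
    torrc=$1; rules=$2; status=0
    transport=$(torrc_port "$torrc" TransPort)
    dnsport=$(torrc_port "$torrc" DNSPort)
    [ -n "$transport" ] || { echo "torrc: TransPort is not set"; status=1; }
    [ -n "$dnsport" ] || { echo "torrc: DNSPort is not set"; status=1; }

    while read -r line; do
        case $line in *REDIRECT*) ;; *) continue ;; esac
        port=${line##*--to-ports }; port=${port%% *}
        case $line in
            *"-p udp"*) want=$dnsport; name=DNSPort ;;
            *"-p tcp"*) want=$transport; name=TransPort ;;
            *) echo "no protocol on REDIRECT rule: $line"; status=1; continue ;;
        esac
        if [ "$port" != "$want" ]; then
            echo "mismatch: rule redirects to $port but $name is ${want:-unset}: $line"
            status=1
        fi
    done < "$rules"
    return $status
}

# Constructed samples: the page's torrc values and nat rules, plus a copy with
# the common mistake of redirecting DNS to 9053 while torrc says 5353.
write_samples() {
    dir=$1
    printf 'SocksPort 9050\nDNSPort 5353\nTransPort 9040\n' > "$dir/torrc"
    cat > "$dir/good.rules" <<'EOF'
*nat
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF
    sed 's/--to-ports 5353/--to-ports 9053/' "$dir/good.rules" > "$dir/bad.rules"
}

if [ $# -eq 2 ]; then
    check_redirects "$1" "$2"
fi
```
<br />
The checker exits 0 when every REDIRECT matches and 1 with one line per offending rule otherwise, so it can run before {{ic|iptables-restore}} in a deployment script. Run it after every change to either file.<br />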
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
The first warning is the actual diagnosis: {{ic|User}} is set in {{ic|torrc}}, which makes Tor switch user and group at start-up, but the daemon was not started as root and therefore lacks the privilege to do so. Either remove the {{ic|User}} option when the service already runs as the {{ic|tor}} user, or start the service as root so Tor can drop privileges itself (see below). A separate cause of start-up failures is files or directories under {{ic|/var/lib/tor}} that are not owned by {{ic|tor}}, which the following find command lists:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the service still does not start, run it as root and let Tor itself switch back to the {{ic|tor}} user. Keep the user name in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
and override the service's user with a drop-in rather than editing {{ic|/usr/lib/systemd/system/tor.service}}, which pacman would overwrite on the next upgrade:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/root.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
</nowiki>}}<br />
<br />
The process will run as the {{ic|tor}} user after start-up. Make sure the data directory belongs to it and is private to it: Tor expects mode 700 and will warn and reset it if it is not, and the keys in it must never be readable by other users, so do not make it world-readable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=354832Tor2015-01-01T16:10:27Z<p>Usprey: /* Tor configuration */ added SocksPort 0 to torrc</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports (below 1024), Tor must either be started as root with {{ic|User<nowiki>=</nowiki>root}} in a {{ic|tor.service}} drop-in and {{ic|User tor}} in {{ic|torrc}}, so that Tor drops to the {{ic|tor}} user after binding, or be granted just {{ic|CAP_NET_BIND_SERVICE}} with {{ic|1=AmbientCapabilities=CAP_NET_BIND_SERVICE}} in the drop-in, in which case {{ic|User}} stays unset in {{ic|torrc}} and nothing runs as root.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"/{etc/tor,dev,usr/bin,usr/lib,usr/share/tor,var/lib}<br />
<br />
# Relative symlinks resolve both from the host and inside the chroot<br />
ln -sfn usr/lib "$TORCHROOT/lib"<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# NSS and resolver libraries are loaded at run time, so ldd does not list them<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep "^/") "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor account is needed inside the chroot<br />
grep "^tor:" /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep "^tor:" /etc/group > "$TORCHROOT/etc/group"<br />
<br />
# Recreate the device nodes so the script can be re-run after upgrades<br />
rm -f "$TORCHROOT"/dev/{random,urandom,null}<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    # /lib64/ld-linux-x86-64.so.2 is the interpreter path baked into the binaries,<br />
    # so it must resolve inside the chroot too<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    ln -sfn usr/lib "$TORCHROOT/lib64"<br />
    ln -sfn lib "$TORCHROOT/usr/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or if you use systemd overload the service:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
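<br />
Because the chroot holds copies, a pacman upgrade of {{Pkg|tor}} or of a library it links against leaves the chroot running the old, possibly vulnerable binaries until the setup script is re-run. The following checker is an added example and not part of the original page: it compares every regular file under the chroot's {{ic|usr/bin}} and {{ic|usr/lib}} with the host's copy and lists what differs or no longer exists on the host. The function names and the small constructed fixture are this example's own.<br />
<br />
```bash
#!/bin/sh
# Added example, not from the Arch wiki page. The chroot holds copies of tor
# and its libraries, so a pacman upgrade on the host leaves the chroot running
# the old binaries. This compares every regular file under the chroot's
# usr/bin and usr/lib with the host's copy and lists what differs.
# Usage: sh chroot-stale.sh /opt/torchroot   (exit status 0 when nothing is stale)

# $1 = host root ("/" in real use), $2 = chroot directory. Prints one
# "stale <path>" or "removed-on-host <path>" line per file; returns 1 if any.
stale_chroot_files() {
    host=$1; root=$2
    report=$( (cd "$root" && find usr/bin usr/lib -type f) | while read -r f; do
        if [ ! -e "$host/$f" ]; then
            echo "removed-on-host $f"
        elif ! cmp -s "$host/$f" "$root/$f"; then
            echo "stale $f"
        fi
    done )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed fixture: a fake host, a chroot populated from it, then one
# library "upgraded" on the host and another removed there.
make_fixture() {
    base=$1
    mkdir -p "$base/host/usr/bin" "$base/host/usr/lib"
    printf 'tor-1\n' > "$base/host/usr/bin/tor"
    printf 'libcrypto-1\n' > "$base/host/usr/lib/libcrypto.so.1"
    printf 'libz-1\n' > "$base/host/usr/lib/libz.so.1"
    mkdir -p "$base/chroot"
    cp -r "$base/host/." "$base/chroot/"
    printf 'libcrypto-2\n' > "$base/host/usr/lib/libcrypto.so.1"
    rm "$base/host/usr/lib/libz.so.1"
}

if [ $# -eq 1 ]; then
    stale_chroot_files / "$1"
fi
```
<br />
A non-zero exit means the setup script above should be re-run (and Tor restarted); running the checker from a pacman hook or a timer turns the silent staleness into a visible alert. It does not catch a library that a newer tor links against but the chroot lacks, which is why re-running the full setup script, with its {{ic|ldd}} step, remains the fix.<br />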
<br />
== Running Tor in a systemd-nspawn container with a virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
=== Host installation and configuration ===<br />
<br />
In this example the container will reside in {{ic|/srv/container}}:<br />
# mkdir /srv/container/tor-exit<br />
<br />
Install the {{Pkg|arch-install-scripts}}:<br />
# pacman -S arch-install-scripts<br />
<br />
Install {{Grp|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation_with_pacstrap]]:<br />
# pacstrap -i -c -d /srv/container/tor-exit base tor arm<br />
<br />
Create directory if it does not exist:<br />
# mkdir /var/lib/container<br />
<br />
Symlink to register the container on the host, as per [[Systemd-nspawn#Boot_your_container_at_your_machine_startup]]:<br />
# ln -s /srv/container/tor-exit /var/lib/container/tor-exit<br />
<br />
==== Virtual network interface ====<br />
<br />
Create a Dropin directory for the container service:<br />
# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}} automatically creates a macvlan interface named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}.<br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Setup [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network}}.<br />
<br />
==== Start and enable systemd-nspawn ====<br />
<br />
[[Start]] and enable {{ic|systemd-nspawn@tor-exit.service}}.<br />
<br />
=== Container configuration ===<br />
{{ic|# machinectl login tor-exit}} login to the container, see [[Systemd-nspawn#machinectl_command]].<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}} if you get the error described in [[Systemd-nspawn#Troubleshooting]].<br />
<br />
==== Start and enable systemd-networkd ====<br />
<br />
[[Start]] and enable {{ic|systemd-networkd.service}}. {{ic|networkctl}} displays if {{ic|systemd-networkd}} is correctly configured.<br />
<br />
=== Configure Tor ===<br />
See [[Tor#Running_a_Tor_server]].<br />
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy on port 9050 (standalone tor with default settings) or port 9150 (the tor bundled with the Tor Browser Bundle). Port 9051 is Tor's ''ControlPort'', not a SOCKS port, and applications must not be pointed at it.<br />
To check whether Tor is functioning properly, visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, the [https://www.torproject.org/docs/signing-keys.html.en signing key from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
Compare the full fingerprint of the received key with the one published on the signing-keys page before trusting it: a 32-bit key ID such as this one is short enough that anyone can generate a key with the same ID.<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and accept the "void your warranty" warning. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This sends all DNS requests through Tor's SOCKS proxy instead of the system resolver, which would otherwise leak every hostname you visit.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using SOCKS5 directly, since browsers support it natively and an extra proxy only adds another place for leaks.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check whether Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup for other applications such as instant messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution themselves leak the names they look up to the local resolver. Use SOCKS4a or SOCKS5 with remote hostname resolution (which Privoxy can do on the application's behalf) so that the hostname is sent to Tor and resolved at the exit instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay (one that carries no exit traffic), add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
{{Note|See [[Tor#Running_Tor_in_a_systemd-nspawn_container_with_a_virtual_network_interface]] for instructions to install Tor in a {{ic|systemd-nspawn}} container. [[Haveged]] should be installed on the container host.}}<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections, {{ic|LimitNOFILE}} can be raised to 32768 as per the [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
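<br />
The {{ic|sudo}} commands above report the limit of a fresh login session, which is governed by pam and {{ic|limits.conf}}; the limit that matters for {{ic|tor.service}} is the one the running Tor process actually has. The following Python script (an added example, not part of the wiki article) asks systemd for the unit's main PID and parses {{ic|/proc/<pid>/limits}} against the 32768 value from the drop-in above. The unit name {{ic|tor.service}} is taken from the text; the sample limits text is constructed for offline testing.<br />

```python
import re
import subprocess

REQUIRED_NOFILE = 32768  # the LimitNOFILE value from the drop-in above

# Constructed sample of /proc/<pid>/limits (header plus two of its rows), used
# only for offline testing of the parser.
SAMPLE_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units     \n"
    "Max cpu time              unlimited            unlimited            seconds   \n"
    "Max open files            32768                32768                files     \n"
)

# Row layout of /proc/<pid>/limits: name, soft limit, hard limit, unit.
_NOFILE_RE = re.compile(r"^Max open files\s+(\S+)\s+(\S+)\s+files", re.MULTILINE)


def _to_int(value):
    """'unlimited' becomes None, everything else an int."""
    return None if value == "unlimited" else int(value)


def parse_max_open_files(limits_text):
    """Return (soft, hard) from the text of /proc/<pid>/limits."""
    match = _NOFILE_RE.search(limits_text)
    if match is None:
        raise ValueError("no 'Max open files' row in limits text")
    return _to_int(match.group(1)), _to_int(match.group(2))


def nofile_ok(limits_text, required=REQUIRED_NOFILE):
    """True if both the soft and the hard limit are unlimited or at least `required`."""
    return all(v is None or v >= required for v in parse_max_open_files(limits_text))


def tor_main_pid(unit="tor.service"):
    """Main PID of the unit according to systemd; 0 if the unit is not running."""
    out = subprocess.run(
        ["systemctl", "show", "-p", "MainPID", "--value", unit],
        capture_output=True, text=True, check=True,
    ).stdout
    return int(out.strip() or 0)


def check_running_tor(unit="tor.service", required=REQUIRED_NOFILE):
    """Read the live limit of the Tor process and compare it with `required`.

    Returns (ok, human-readable detail). Works whether the service runs as
    root or as the tor user, since the rlimit survives Tor's own setuid.
    """
    pid = tor_main_pid(unit)
    if pid == 0:
        return False, "%s is not running" % unit
    with open("/proc/%d/limits" % pid) as limits:
        text = limits.read()
    soft, hard = parse_max_open_files(text)
    detail = "pid %d: soft=%s hard=%s (need %d)" % (pid, soft, hard, required)
    return nofile_ok(text, required), detail


if __name__ == "__main__":
    ok, detail = check_running_tor()
    print(("OK   " if ok else "LOW  ") + detail)
```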
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports, the service must be started as root. Also set the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops root privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
SocksPort 0 ## Pure relay configuration without local socks proxy<br />
<br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with {{ic|# ip addr}}, so that exit connections cannot reach the public IP of the host or of neighboring machines and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep aes /proc/cpuinfo</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available"; see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Unlike a [[Simple_stateful_firewall]], where connection tracking would have to track thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allows incoming TCP segments that are not connection attempts, i.e. traffic belonging to connections already accepted by the rules below or initiated by the exit node itself.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP traffic, because without connection tracking replies cannot be matched to outgoing datagrams.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a large number of OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Configure Tor to listen for DNS requests on port 9053 (as in the {{ic|DNSPort 9053}} example above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
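<br />
To reason about what the ruleset above does to a given connection before relying on it, the following Python model (an added example, not part of the wiki article or of Tor) walks the first packet of a locally generated IPv4 flow through the nat and filter {{ic|OUTPUT}} chains exactly in rule order and reports whether it reaches the TransPort, the DNSPort, leaves directly, or is rejected. It models only NEW flows (the nat table is consulted once per connection) and only the IPv4 rules; the tor uid of 43 and all sample addresses are constructed assumptions.<br />

```python
import ipaddress
from dataclasses import dataclass, replace

# Ports from the torrc lines in the note above (DNSPort 5353, TransPort 9040).
DNS_PORT, TRANS_PORT = 5353, 9040
TOR_UID = 43                     # assumption: numeric uid of the tor user on this host
LAN = ipaddress.ip_network("192.168.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """First packet of a locally generated IPv4 flow, as seen by the OUTPUT chains."""
    proto: str               # "tcp" or "udp"
    dst: str                 # destination address before any REDIRECT
    dport: int
    uid: int = 1000          # owner of the sending socket (-m owner --uid-owner)
    syn: bool = True         # TCP connection attempt (--tcp-flags FIN,SYN,RST,ACK SYN)
    out_iface: str = "eth0"  # outgoing interface (-o)


def nat_output(pkt):
    """Model of the *nat OUTPUT chain above for a NEW flow.

    Returns (packet after NAT, redirect port or None). REDIRECT on locally
    generated traffic rewrites the destination to 127.0.0.1 and the given port.
    """
    if pkt.out_iface == "lo":
        return pkt, None                                 # -o lo -j RETURN
    if ipaddress.ip_address(pkt.dst) in LAN:
        return pkt, None                                 # -d 192.168.0.0/16 -j RETURN
    if pkt.uid == TOR_UID:
        return pkt, None                                 # --uid-owner tor -j RETURN
    if pkt.proto == "udp" and pkt.dport == 53:
        return replace(pkt, dst="127.0.0.1", dport=DNS_PORT), DNS_PORT
    if pkt.proto == "tcp" and pkt.syn:
        return replace(pkt, dst="127.0.0.1", dport=TRANS_PORT), TRANS_PORT
    return pkt, None                                     # chain policy: ACCEPT


def filter_output(pkt):
    """Model of the IPv4 rules of the *filter OUTPUT chain above for a NEW flow.

    The RELATED,ESTABLISHED rule never matches a flow's first packet and is
    therefore not modelled.
    """
    dst = ipaddress.ip_address(pkt.dst)
    if dst in LOOPBACK or dst in LAN:
        return "ACCEPT"                                  # -d 127.0.0.0/8 and -d 192.168.0.0/16
    if pkt.uid == TOR_UID:
        return "ACCEPT"                                  # Tor's own connections to relays
    return "REJECT"                                      # -j REJECT --reject-with icmp-port-unreachable


def route(pkt):
    """Where the first packet of a flow ends up after nat OUTPUT and filter OUTPUT.

    'tor:trans' handed to Tor's TransPort; 'tor:dns' handed to Tor's DNSPort;
    'direct' leaves the host (or stays local) without passing through Tor;
    'rejected' blocked, nothing leaves the host.
    """
    natted, port = nat_output(pkt)
    if filter_output(natted) == "REJECT":
        return "rejected"
    if port == TRANS_PORT:
        return "tor:trans"
    if port == DNS_PORT:
        return "tor:dns"
    return "direct"


# Constructed sample flows: (description, packet, outcome the ruleset should give).
SAMPLE_FLOWS = [
    ("browser HTTPS connect", Packet("tcp", "93.184.216.34", 443), "tor:trans"),
    ("DNS to a public resolver", Packet("udp", "8.8.8.8", 53), "tor:dns"),
    ("NTP over UDP/123 (Tor cannot carry UDP)", Packet("udp", "129.6.15.28", 123), "rejected"),
    ("tor daemon reaching a relay", Packet("tcp", "198.51.100.7", 9001, uid=TOR_UID), "direct"),
    ("local client using the SocksPort", Packet("tcp", "127.0.0.1", 9050, out_iface="lo"), "direct"),
    ("ssh to a LAN host", Packet("tcp", "192.168.1.5", 22), "direct"),
    # The LAN exemption precedes the DNS REDIRECT, so a stub resolver pointed at
    # the router never reaches the DNSPort: keep /etc/resolv.conf at 127.0.0.1.
    ("DNS to the LAN router", Packet("udp", "192.168.1.1", 53), "direct"),
]


def audit(flows=SAMPLE_FLOWS):
    """Return (description, modelled outcome) for each flow that deviates from expectation."""
    return [(desc, route(pkt)) for desc, pkt, want in flows if route(pkt) != want]


if __name__ == "__main__":
    for desc, pkt, _ in SAMPLE_FLOWS:
        print("%-42s -> %s" % (desc, route(pkt)))
    print("unexpected outcomes:", audit())
```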
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will then switch to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user, so the data directory must be owned by tor and writable by it. Keep it inaccessible to other users, since it holds the relay's and hidden services' private keys:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R u+rwX,go-rwx /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Internet_sharing&diff=352624Internet sharing2014-12-25T00:46:31Z<p>Usprey: /* Enable NAT */ always conntrack first... =)</p>
<hr />
<div>[[Category:Networking]]<br />
[[cs:Internet Share]]<br />
[[fr:Partage de connexion]]<br />
[[it:Internet Share]]<br />
[[ru:Internet sharing]]<br />
{{Related articles start}}<br />
{{Related|Android tethering}}<br />
{{Related|Software access point}}<br />
{{Related|Bridge with netctl}}<br />
{{Related|Ad-hoc networking}}<br />
{{Related|Sharing PPP Connection}}<br />
{{Related|Simple stateful firewall}}<br />
{{Related|Router}}<br />
{{Related|USB 3G Modem}}<br />
{{Related articles end}}<br />
This article explains how to share the internet connection from one machine to other(s).<br />
<br />
== Requirements ==<br />
<br />
* The machine acting as server should have an additional network device.<br />
* That network device should be connected to the machines that are going to receive internet access. They can be one or more machines. To be able to share internet to several machines a [[Wikipedia:Network switch|switch]] is required. If you are sharing to only one machine, a [[Wikipedia:Ethernet crossover cable|crossover cable]] is sufficient.<br />
<br />
{{Note|If one of the two computers has a gigabit ethernet card, a crossover cable is not necessary and a regular ethernet cable should be enough.}}<br />
<br />
== Configuration ==<br />
<br />
This section assumes that the network device connected to the client computer(s) is named '''''net0''''' and the network device connected to the internet is named '''''internet0'''''.<br />
<br />
{{Tip|You can rename your devices to this scheme using [[Udev#Setting static device names]].}}<br />
<br />
=== Static IP address ===<br />
<br />
Assign a static IPv4 address to the interface connected to the other machines. The first three octets of this address (the /24 network part) must not be the same as those of another interface.<br />
# ip link set up dev net0<br />
# ip addr add 192.168.123.100/24 dev net0 # arbitrary address<br />
<br />
To have your static IP assigned at boot, you can use [[netctl]].<br />
<br />
=== Enable packet forwarding ===<br />
<br />
Check the current packet forwarding settings:<br />
# sysctl -a | grep forward<br />
<br />
Enter this command to temporarily enable packet forwarding:<br />
# sysctl net.ipv4.ip_forward=1<br />
<br />
Edit {{ic|/etc/sysctl.d/30-ipforward.conf}} to make the previous change persistent after a reboot.<br />
{{hc|/etc/sysctl.d/30-ipforward.conf|<nowiki><br />
net.ipv4.ip_forward=1<br />
net.ipv6.conf.default.forwarding=1<br />
net.ipv6.conf.all.forwarding=1<br />
</nowiki>}}<br />
<br />
=== Enable NAT ===<br />
<br />
[[pacman|Install]] the package {{Pkg|iptables}} from the [[official repositories]]. Use iptables to enable NAT:<br />
<br />
# iptables -t nat -A POSTROUTING -o internet0 -j MASQUERADE<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
# iptables -A FORWARD -i net0 -o internet0 -j ACCEPT<br />
<br />
{{Note|Of course, this also works with a mobile broadband connection (usually called ppp0 on routing PC).}}<br />
<br />
Read the [[iptables]] article for more information (especially on saving the rules and applying them automatically on boot). There is also an excellent iptables guide, [[Simple stateful firewall]].<br />
<br />
=== Assigning ip addresses to the client pc(s) ===<br />
<br />
If you are planning to regularly have several machines using the internet shared by this machine, then it is a good idea to install a [[Wikipedia:dhcp|dhcp server]].<br />
<br />
You can read the [[dhcpd]] wiki article, to add a dhcp server. Then, install the [[dhcpcd]] client on every client pc.<br />
<br />
If you are not planning to use this setup regularly, you can manually add an IP to each client instead.<br />
<br />
==== Manually adding an ip ====<br />
<br />
Instead of using dhcp, on each client PC add an IP address and the default route:<br />
# ip addr add 192.168.123.201/24 dev eth0 # arbitrary address, first three blocks must match the address from above<br />
# ip link set up dev eth0<br />
# ip route add default via 192.168.123.100 dev eth0 # same address as in the beginning<br />
<br />
Configure a DNS server for each client, see [[resolv.conf]] for details.<br />
<br />
That's it. The client PC should now have Internet.<br />
<br />
== Troubleshooting ==<br />
<br />
If you are able to connect the two PCs but cannot send data (for example, if the client PC makes a DHCP request to the server PC, the server PC receives the request and offers an IP to the client, but the client does not accept it, timing out instead), check that you don't have other [[Iptables]] rules [https://bbs.archlinux.org/viewtopic.php?pid=1093208 interfering].</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352623Tor2014-12-25T00:35:58Z<p>Usprey: /* Host installation and configuration */ removed -p and -v because they are irrelevant</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
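The two conflicts above can be checked mechanically. The following script is an added example, not part of this article or of the Tor package: it reads a torrc and a copy of the unit (for instance the output of {{ic|systemctl cat tor.service}}, drop-ins included) and reports a non-zero exit status when {{ic|RunAsDaemon}} clashes with {{ic|Type<nowiki>=</nowiki>simple}} or when {{ic|User}} is set in torrc while the service does not start as root.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the Arch wiki): lint a torrc against the [Service]
# section of tor.service (drop-ins included) for the two conflicts above.
# Usage: systemctl cat tor.service > /tmp/tor.unit
#        tor_conf_check /etc/tor/torrc /tmp/tor.unit

# Last value of a torrc option, comments stripped (later lines win, as in Tor).
torrc_get() {  # torrc_get FILE OPTION
    sed 's/#.*//' "$1" | awk -v o="$2" 'tolower($1)==tolower(o){v=$2} END{print v}'
}

# Last value of a KEY= line; an empty "KEY=" resets it, as it does for systemd.
unit_get() {  # unit_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

tor_conf_check() {  # tor_conf_check TORRC UNIT -> 0 if consistent, 1 if a conflict is found
    local torrc="$1" unit="$2" rc=0 daemon type user_torrc user_unit
    daemon=$(torrc_get "$torrc" RunAsDaemon)
    user_torrc=$(torrc_get "$torrc" User)
    type=$(unit_get "$unit" Type)
    user_unit=$(unit_get "$unit" User)
    # Type=simple expects the process to stay in the foreground;
    # RunAsDaemon 1 makes Tor fork away and systemd would consider it exited.
    if [ "${daemon:-0}" != 0 ] && [ "${type:-simple}" = simple ]; then
        echo "CONFLICT: torrc has 'RunAsDaemon $daemon' but the unit uses Type=simple"
        rc=1
    fi
    # 'User tor' in torrc only makes sense when the service starts as root
    # and Tor can drop to that user after binding its ports.
    if [ -n "$user_torrc" ] && [ "$user_unit" != root ]; then
        echo "CONFLICT: torrc has 'User $user_torrc' but the unit runs as User=${user_unit:-<unset>}, not root"
        rc=1
    fi
    return $rc
}

# Demonstration with constructed files that mirror the default Arch setup.
demo=$(mktemp -d)
printf 'RunAsDaemon 0\nSocksPort 9050\n' > "$demo/torrc"
printf '[Service]\nType=simple\nUser=tor\nExecStart=/usr/bin/tor -f /etc/tor/torrc\n' > "$demo/unit"
tor_conf_check "$demo/torrc" "$demo/unit" && echo "torrc and tor.service are consistent"
rm -rf "$demo"
```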
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}}, and told to drop to the {{ic|tor}} user once the ports are bound, by setting {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning|Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot.}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in {{ic|/opt/torchroot}}:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot.<br />
# Run once, as root, against an empty target directory.<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"/{etc/tor,dev,usr/bin,usr/lib,usr/share/tor,var/lib}<br />
<br />
# Inside the chroot /lib, /lib64 and /usr/lib64 must all resolve to /usr/lib,<br />
# so the link targets are paths that are valid *inside* the chroot.<br />
ln -s /usr/lib "$TORCHROOT/lib"<br />
ln -s /usr/lib "$TORCHROOT/lib64"<br />
ln -s /usr/lib "$TORCHROOT/usr/lib64"<br />
<br />
# Name resolution, time zone and the Tor configuration<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
# The Tor binary, its GeoIP databases and the libraries it needs at runtime;<br />
# the glibc NSS/resolver modules are loaded with dlopen, so ldd does not list them<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
# unquoted on purpose: one path per linked library<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT/usr/lib/"<br />
<br />
# Tor's state directory, owned by the tor user<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
grep --color=never '^tor:' /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep --color=never '^tor:' /etc/group > "$TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs: randomness sources and /dev/null<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd-nspawn container with a virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
=== Host installation and configuration ===<br />
{{ic|# mkdir /srv/container/tor-exit}}<br />
In this example the container will reside in {{ic|/srv/container}}.<br />
<br />
{{ic|# pacman -S arch-install-scripts}}<br />
Install {{Pkg|arch-install-scripts}}.<br />
<br />
{{ic|# pacstrap -i -c -d /srv/container/tor-exit base tor arm}}<br />
Install {{Grp|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation_with_pacstrap]].<br />
<br />
{{ic|# mkdir /var/lib/container}}<br />
Create directory if it does not exist.<br />
<br />
{{ic|# ln -s /srv/container/tor-exit /var/lib/container/tor-exit}}<br />
Symlink to register the container on the host, as per [[Systemd-nspawn#Boot_your_container_at_your_machine_startup]].<br />
<br />
==== Virtual network interface ====<br />
{{ic|# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d}}<br />
Create a drop-in directory for the container service.<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}} automatically creates a macvlan interface named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}.<br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Setup [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network}}.<br />
<br />
==== Start and enable systemd-nspawn ====<br />
{{ic|# systemctl enable systemd-nspawn@tor-exit.service}}<br />
<br />
{{ic|# systemctl start systemd-nspawn@tor-exit.service}}<br />
<br />
=== Container configuration ===<br />
{{ic|# machinectl login tor-exit}} logs in to the container, see [[Systemd-nspawn#machinectl_command]].<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}} if you get the error described in [[Systemd-nspawn#Troubleshooting]].<br />
<br />
==== Start and enable systemd-networkd ====<br />
{{ic|# systemctl enable systemd-networkd}}<br />
<br />
{{ic|# systemctl start systemd-networkd}}<br />
<br />
{{ic|# networkctl}} displays if {{ic|systemd-networkd}} is correctly configured.<br />
<br />
=== Configure Tor ===<br />
See [[Tor#Running_a_Tor_server]].<br />
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy instead of your local resolver, so hostnames are not leaked.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then enter ''localhost'' as SOCKS Host, ''9050'' in the respective port field and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal browsing and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to use port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use a SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, which hands the hostname to the proxy so that the application never resolves it locally.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. Tor's daemon, which listens on port 9050 by default, is used directly.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridge documentation], make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
{{Note|See [[Tor#Running_Tor_in_a_systemd-nspawn_container_with_a_virtual_network_interface]] for instructions to install Tor in a {{ic|systemd-nspawn}} container. [[Haveged]] should be installed on the container host.}}<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it needs a shell to run in), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports, the service must be started as root. Also specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges afterwards.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} sets logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} make Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} serves the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the public IP of the host or of neighboring machines and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep aes /proc/cpuinfo</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. This firewall configuration is stateless: a [[Simple_stateful_firewall]] would have to track thousands of connections on a Tor exit relay, so connection tracking is disabled instead.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disable connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} sets the default {{ic|INPUT}} policy and drops all input traffic that is not specifically {{ic|ACCEPT}}ed below.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} sets the default {{ic|FORWARD}} policy; it is only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} sets the default {{ic|OUTPUT}} policy and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts every incoming TCP packet that is not a connection request (SYN), i.e. packets belonging to connections already accepted by the rules below or initiated by the exit node itself; without connection tracking this is what lets replies to outgoing connections in.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} accepts all incoming UDP packets; without connection tracking there is no other way to let replies to the relay's own UDP traffic (such as DNS) back in.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} accepts [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} accepts incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} accepts incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} accepts all connections on the loopback interface.<br />
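Because the ruleset is stateless and lists the relay ports by hand, it silently stops admitting clients if {{ic|ORPort}} or {{ic|DirPort}} is later changed in torrc. The following script is an added example, not part of this article or of the iptables package: it reads the listening ports from a torrc and checks that a ruleset file like the one above has a matching {{ic|ACCEPT}} rule for each, that both {{ic|NOTRACK}} rules are present and that the {{ic|INPUT}} policy is {{ic|DROP}}.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the Arch wiki): verify that the stateless ruleset
# admits the ports Tor is configured to listen on.
# Usage: fw_check /etc/tor/torrc /etc/iptables/iptables.rules

# Last value of a torrc option, comments stripped (later lines win, as in Tor).
torrc_get() {  # torrc_get FILE OPTION
    sed 's/#.*//' "$1" | awk -v o="$2" 'tolower($1)==tolower(o){v=$2} END{print v}'
}

fw_check() {  # fw_check TORRC RULES -> 0 if consistent, 1 if something is missing
    local torrc="$1" rules="$2" rc=0 opt port chain
    for opt in ORPort DirPort; do
        port=$(torrc_get "$torrc" "$opt")
        port=${port##*:}                 # accept "addr:port" as well as "port"
        if [ -z "$port" ] || [ "$port" = 0 ]; then
            continue                     # option unset or listener disabled
        fi
        if ! grep -q "^-A INPUT -p tcp --dport $port -j ACCEPT" "$rules"; then
            echo "MISSING: no INPUT ACCEPT rule for $opt $port"
            rc=1
        fi
    done
    # Both raw-table rules are needed, otherwise conntrack is still in use.
    for chain in PREROUTING OUTPUT; do
        if ! grep -q "^-A $chain -j NOTRACK" "$rules"; then
            echo "MISSING: '-A $chain -j NOTRACK' in the raw table"
            rc=1
        fi
    done
    if ! grep -q '^:INPUT DROP' "$rules"; then
        echo "MISSING: INPUT policy is not DROP"
        rc=1
    fi
    return $rc
}

# Demonstration with constructed files mirroring the configuration on this page.
demo=$(mktemp -d)
printf 'ORPort 443 ## started as root\nDirPort 80\nUser tor\n' > "$demo/torrc"
printf '*raw\n-A PREROUTING -j NOTRACK\n-A OUTPUT -j NOTRACK\nCOMMIT\n*filter\n:INPUT DROP [0:0]\n-A INPUT -p tcp --dport 443 -j ACCEPT\n-A INPUT -p tcp --dport 80 -j ACCEPT\nCOMMIT\n' > "$demo/rules"
fw_check "$demo/torrc" "$demo/rules" && echo "firewall matches torrc"
rm -rf "$demo"
```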
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep Tor listening for DNS requests on port 9053 (the {{ic|DNSPort 9053}} setting from above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer, and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port; it also prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the traffic of Tor itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' still works. DNS is handled the same way via Tor's ''DNSPort''. Note that Tor only carries TCP, so UDP packets other than DNS cannot be sent through Tor and must be blocked entirely to prevent leaks.<br />
<br />
Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also does not protect against fingerprinting attacks on its own, so use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or use an amnesic solution like [http://tails.boum.org/ Tails] instead.<br />
<br />
Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv4}} and {{ic|--ipv6}} mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can load the same file; each ignores the rules marked for the other protocol.<br />
* The {{ic|--reject-with}} types used here are IPv4-only, so the IPv6 rules use a plain {{ic|REJECT}}.<br />
* The ports in the rules must match your {{ic|torrc}}. Make sure it contains the following lines:<br />
<br />
 SocksPort 9050<br />
 DNSPort 5353<br />
 TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start {{ic|iptables.service}} and {{ic|ip6tables.service}} (note that {{ic|systemctl {enable,start} ...}} does not work: brace expansion turns it into a single {{ic|systemctl enable}} call with {{ic|start}} as a unit name):<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} (together with matching {{ic|1=After=}} lines, since {{ic|Requires=}} alone does not order units) to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
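Before relying on a ruleset like this, trace a few representative packets through it. The following Python script is an added example, not code from this article or from the Tor project: it parses a constructed copy of the {{ic|nat}} and {{ic|filter}} {{ic|OUTPUT}} chains above (IPv4 view only; the PREROUTING and INPUT chains do not affect locally generated traffic and are left out) and reports, for the first packet of a new outbound flow, whether it is redirected to the ''TransPort'' or ''DNSPort'', allowed out directly, or rejected. Only the matchers this ruleset uses are implemented, and the test packets, addresses and the {{ic|tor}} UID name are made up for the demonstration.<br />
<br />
```python
"""Trace the first packet of a new outbound flow through the transparent-torification
ruleset and report whether it is torified, leaves directly, or is rejected.
Added example; not code from the Arch wiki page or the Tor project. RULES is a
constructed copy of the nat and filter OUTPUT chains (IPv4 view); only the matchers
that ruleset uses are implemented."""
import ipaddress
import shlex

RULES = """
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT"""

# Options whose single argument becomes a match (or the target), keyed by bare name.
ONE_ARG = ("-o", "-d", "-p", "--dport", "--uid-owner", "--ctstate", "-j", "--to-ports")


def parse(text, family="ipv4"):
    """Parse iptables-restore syntax into {table: {chain: {"policy": ..., "rules": [...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        toks = shlex.split(line)                 # also strips the quotes in --uid-owner "tor"
        if not toks or toks[0] == "COMMIT":
            continue
        if toks[0].startswith("*"):
            table = tables.setdefault(toks[0][1:], {})
        elif toks[0].startswith(":"):
            table[toks[0][1:]] = {"policy": toks[1], "rules": []}
        else:
            if toks[0] in ("--ipv4", "--ipv6"):  # rule meant for one address family only
                if toks[0][2:] != family:
                    continue
                toks = toks[1:]
            chain, rule = parse_rule(toks)
            table[chain]["rules"].append(rule)
    return tables


def parse_rule(toks):
    """'-A CHAIN <matches> -j TARGET' tokens -> (chain, {name: value, "negate": {names}})."""
    chain, rule, i = None, {"negate": set()}, 0
    while i < len(toks):
        neg = toks[i] == "!"
        i += neg                                 # step over '!' but remember it
        tok = toks[i]
        if tok == "-A":
            chain = toks[i + 1]
        elif tok in ONE_ARG:
            key = tok.lstrip("-")
            rule[key] = toks[i + 1]
            if neg:
                rule["negate"].add(key)
        elif tok == "--tcp-flags":               # <mask list> <flags that must be set>
            rule["tcp-flags"] = (set(toks[i + 1].split(",")), set(toks[i + 2].split(",")))
            i += 1
        i += 2                                   # -m, -i and --reject-with take one argument too
    return chain, rule


def matches(rule, pkt):
    """True if every match in the rule holds for the packet, honouring '!' negation."""
    dst = ipaddress.ip_address(pkt["dst"])
    tests = {
        "o": lambda v: pkt["oif"] == v,
        "d": lambda v: dst in ipaddress.ip_network(v),
        "p": lambda v: pkt["proto"] == v,
        "dport": lambda v: pkt["dport"] == int(v),
        "uid-owner": lambda v: pkt["uid"] == v,
        "ctstate": lambda v: pkt["state"] in v.split(","),
        "tcp-flags": lambda v: (pkt["flags"] & v[0]) == v[1],
    }
    for key, test in tests.items():   # a match fails if it hits while negated, or misses while not
        if key in rule and test(rule[key]) == (key in rule["negate"]):
            return False
    return True


def fate(tables, pkt):
    """'tor:<port>', 'direct' or 'rejected' for the first packet of a new outbound flow."""
    pkt, port = dict(pkt), None
    for rule in tables["nat"]["OUTPUT"]["rules"]:      # nat/OUTPUT sees locally generated NEW packets
        if matches(rule, pkt):
            if rule["j"] == "REDIRECT":                 # DNAT to the local Tor port
                port = int(rule["to-ports"])
                pkt["dst"], pkt["dport"] = "127.0.0.1", port
            break                                       # RETURN and REDIRECT both end the chain
    chain = tables["filter"]["OUTPUT"]                  # filter/OUTPUT then sees the rewritten packet
    verdict = next((r["j"] for r in chain["rules"] if matches(r, pkt)), chain["policy"])
    if verdict != "ACCEPT":
        return "rejected"
    return f"tor:{port}" if port else "direct"


def packet(dst, proto, dport, uid="1000", oif="eth0", flags=("SYN",), state="NEW"):
    """Constructed first packet of a new outbound flow; flags only matter for TCP."""
    return dict(dst=dst, proto=proto, dport=dport, uid=uid, oif=oif, flags=set(flags), state=state)
```
<br />
Tracing shows the intended split: a TCP SYN from an ordinary user lands on port 9040, UDP/53 on 5353, any other UDP (NTP, for instance) is rejected, the ''tor'' user's own connections leave directly, and anything destined for 192.168.0.0/16 bypasses Tor. That last path is by design, but note that the other private ranges (10.0.0.0/8, 172.16.0.0/12) are not exempted and are redirected to Tor like any other destination.<br />
<br />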
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by ''tor''. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If Tor still fails to start, run the service as root and let Tor drop privileges to the ''tor'' user itself. Set the user in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
Then override the unit with a drop-in rather than editing {{ic|/usr/lib/systemd/system/tor.service}} directly, which would be overwritten on the next package update:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
Tor then starts as root, binds its ports and switches to the ''tor'' user ({{ic|Type<nowiki>=</nowiki>simple}} is already set in the shipped unit). Make sure the data directory is owned by ''tor'' and is private (mode {{ic|700}}); Tor requires it not to be group- or world-accessible and warns about looser permissions, so do not open it up with {{ic|755}}:<br />
<br />
 # chown -R tor:tor /var/lib/tor<br />
 # chmod 700 /var/lib/tor<br />
<br />
Reload systemd and start the daemon:<br />
<br />
 # systemctl daemon-reload<br />
 # systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=User_talk:Usprey&diff=352293User talk:Usprey2014-12-24T10:30:07Z<p>Usprey: /* minor edits */ read indigo on minor edits</p>
<hr />
<div>== Template delete ==<br />
<br />
I don't know why you keep deleting [[Template:Style]] I've added. Templates are there to point out flaws in articles so they can improved upon. If you do not wish this, you are free to place content in your user page, but articles in the main space must comply with [[Help:Style]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:08, 5 December 2014 (UTC)<br />
<br />
:Sorry if I broke COC, was adding explanation and formatting which I thought would resolve the issue. Will read [[Help:Style]]. --[[User:Usprey|Usprey]] ([[User talk:Usprey|talk]]) 18:29, 5 December 2014 (UTC)<br />
<br />
:[[Tor#.2B100Mbps_Exit_Relay_configuration_example]] Finished, Better now? =) --[[User:Usprey|Usprey]] ([[User talk:Usprey|talk]]) 20:06, 5 December 2014 (UTC)<br />
<br />
::Thank you for your contributions. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 21:38, 5 December 2014 (UTC)<br />
<br />
You're welcome, Sir! Ty for the help! =) --[[User:Usprey|Usprey]] ([[User talk:Usprey|talk]]) 21:59, 5 December 2014 (UTC)<br />
<br />
== minor edits ==<br />
<br />
Hi, thank you again for [[Special:Contributions/Usprey|your contributions]] to ArchWiki. Please make sure to properly mark non-minor edits. I'd suggest you go to [[Special:Preferences#mw-prefsection-editing|Special:Preferences]] and uncheck ''"Mark all edits minor by default"'', which is a more sensible default. In another setting you can choose ''"Prompt me when entering a blank edit summary"'', which can be a helpful reminder as well. <br />
<br />
As a guidance on what is "minor": [[wikipedia:Help:Minor edit]]. It is a guideline for Wikipedia, but it is so generic that it could be easily applied on ArchWiki. <br />
Once you have read this, feel free to close/remove the talk item right away. Thanks. <br />
--[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 09:40, 24 December 2014 (UTC)<br />
:ty, done. --[[User:Usprey|Usprey]] ([[User talk:Usprey|talk]]) 10:30, 24 December 2014 (UTC)</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352248Tor2014-12-24T03:20:05Z<p>Usprey: /* +100Mbps Exit Relay configuration example */ systemd-nspawn note</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must either be started as root and drop privileges itself (set {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}), or be granted the {{ic|CAP_NET_BIND_SERVICE}} capability by systemd ({{ic|1=AmbientCapabilities=CAP_NET_BIND_SERVICE}} in the {{ic|[Service]}} section, available since systemd 229), which avoids running Tor as root at all.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot; run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# /lib -> /usr/lib as on the host; the link target is resolved inside the chroot<br />
ln -s /usr/lib $TORCHROOT/lib<br />
# Name resolution and time zone data Tor reads at runtime<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# The binary, its GeoIP databases, the NSS/resolver libraries glibc loads at runtime<br />
# (ldd does not list them) and every library ldd does report<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
# Existing state (identity keys, cached consensus) so the relay keeps its identity<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor account is visible inside the chroot; anchor on "tor:" so that<br />
# other accounts starting with "tor" are not copied as well<br />
sh -c "grep --color=never '^tor:' /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never '^tor:' /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes: the entropy sources must be readable by the tor user<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    # 64-bit dynamic loader and the lib64 paths the ELF interpreter expects;<br />
    # the links must be relative (or chroot-absolute) so they resolve inside the chroot<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/<br />
    ln -s usr/lib $TORCHROOT/lib64<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd-nspawn container with a virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
=== Host installation and configuration ===<br />
{{ic|# mkdir /srv/container/tor-exit}}<br />
In this example the container will reside in {{ic|/srv/container}}.<br />
<br />
{{ic|# pacman -S arch-install-scripts}}<br />
Install the {{Pkg|arch-install-scripts}}. <br />
<br />
{{ic|# pacstrap -i -c -d /srv/container/tor-exit base tor arm}}<br />
Install {{Pkg|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation_with_pacstrap]].<br />
<br />
{{ic|# mkdir -p -v /var/lib/container}}<br />
Create directory if it does not exist.<br />
<br />
{{ic|# ln -s /srv/container/tor-exit /var/lib/container/tor-exit}}<br />
Symlink to register the container on the host, as per [[Systemd-nspawn#Boot_your_container_at_your_machine_startup]].<br />
<br />
==== Virtual network interface ====<br />
{{ic|# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d}}<br />
Create a drop-in directory for the container service.<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE</nowiki>}} automatically creates a macvlan interface named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}, so passing it explicitly is redundant but harmless. <br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Setup [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network}}.<br />
<br />
==== Start and enable systemd-nspawn ====<br />
{{ic|# systemctl enable systemd-nspawn@tor-exit.service}}<br />
<br />
{{ic|# systemctl start systemd-nspawn@tor-exit.service}}<br />
<br />
=== Container configuration ===<br />
{{ic|# machinectl login tor-exit}} logs in to the container, see [[Systemd-nspawn#machinectl_command]].<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}} if you get the error described in [[Systemd-nspawn#Troubleshooting]].<br />
<br />
==== Start and enable systemd-networkd ====<br />
{{ic|# systemctl enable systemd-networkd}}<br />
<br />
{{ic|# systemctl start systemd-networkd}}<br />
<br />
{{ic|# networkctl}} displays if {{ic|systemd-networkd}} is correctly configured.<br />
<br />
=== Configure Tor ===<br />
See [[Tor#Running_a_Tor_server]].<br />
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and accept the ''void your warranty'' prompt. Set {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This makes Firefox hand hostnames to Tor's SOCKS proxy for resolution instead of resolving them locally; without it, the names of the sites you visit leak to your regular DNS resolver even though the connections themselves go through Tor.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 proxy directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. via Privoxy) or SOCKS5 with remote hostname resolution instead, so that the hostname is resolved by Tor rather than locally.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} address directly. Connecting this way also requires identifying to NickServ with SASL (the mechanism used by the charybdis and ircd-seven servers) during the connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Store your NickServ credentials, which are sent when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
The {{ic|--socks5-hostname}} form hands the mirror's hostname to Tor for resolution instead of resolving it locally, so the lookups do not leak through your regular DNS resolver; plain {{ic|--socks5}} would resolve the name on your machine first.<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, your torrc should contain just these four lines:<br />
<br />
 SocksPort 0<br />
 ORPort 443<br />
 BridgeRelay 1<br />
 ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay, refuse all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor rejects certain ports (its default exit policy). You can use the torrc to override this; your own entries are evaluated before the default ones.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
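The entries of an {{ic|ExitPolicy}} are evaluated in order and the first match decides, so a policy such as {{ic|reject *:*,accept *:6667}} never accepts anything. The following Python evaluator is an added example, not code from this article or from the Tor project; it reproduces that first-match rule for the address/port grammar used above ({{ic|*}} or {{ic|a.b.c.d/n}} for the address, {{ic|*}}, a single port or a range for the port) and strips a trailing torrc comment. It does not reproduce the entries Tor appends after yours: its default reject list and, with {{ic|ExitPolicyRejectPrivate}} (on by default), the private networks and the relay's own addresses. The test addresses are RFC 5737 documentation ranges.<br />
<br />
```python
"""Evaluate a Tor ExitPolicy the way the relay does: entries are tried in order
and the first match decides.

Added example; not code from the Arch wiki page or the Tor project. Only the
grammar used in the article is handled, and the entries Tor itself appends after
the operator's (default reject list, ExitPolicyRejectPrivate) are not reproduced.
"""
import ipaddress


def parse_exit_policy(policy):
    """'accept *:6660-6667,reject *:*' -> [(True, None, 6660, 6667), (False, None, 1, 65535)]."""
    entries = []
    for item in policy.split("#", 1)[0].split(","):   # drop a trailing torrc comment
        action, target = item.split()
        host, ports = target.rsplit(":", 1)
        net = None if host == "*" else ipaddress.ip_network(host, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        entries.append((action.lower() == "accept", net, lo, hi))
    return entries


def exit_allowed(policy, address, port):
    """True/False from the first matching entry; None when no entry matches and the
    decision falls through to the entries Tor appends on its own."""
    addr = ipaddress.ip_address(address)
    for accept, net, lo, hi in parse_exit_policy(policy):
        if (net is None or addr in net) and lo <= port <= hi:
            return accept
    return None
```
<br />
Run against the policies shown above, {{ic|accept *:6660-6667,reject *:*}} exits to port 6667 but not to 80, {{ic|reject 203.0.113.0/24:*,accept *:*}} refuses only the listed netblock, and a lone {{ic|accept *:119}} returns no decision for port 80, which is exactly the case where Tor's default policy takes over.<br />
<br />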
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to setup Tor alongside [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
{{Note|See [[Tor#Running_Tor_in_a_systemd-nspawn_container_with_a_virtual_network_interface]] for instructions to install Tor in a {{ic|systemd-nspawn}} container. [[Haveged]] should be installed on the container host.}}<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit of the running service was actually raised with {{ic|grep 'open files' /proc/$(pidof tor)/limits}}. Note that {{ic|sudo -u tor sh -c 'ulimit -Hn'}} only shows the limit that {{ic|/etc/security/limits.conf}} gives a shell started for ''tor'', not what systemd applied to {{ic|tor.service}} ({{ic|ulimit}} is a shell builtin, so it has to be run through {{ic|sh -c}}).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor's privileges afterwards.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot connect to the public IP of the host or of neighboring machines and circumvent their firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
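As an added example (not part of this page or of Tor itself), the following POSIX shell pre-flight check reads a {{ic|torrc}} and the {{ic|tor.service}} drop-in and reports the combinations the text above warns about: a privileged {{ic|ORPort}}/{{ic|DirPort}} or {{ic|DisableAllSwap 1}} without {{ic|1=User=root}} in the drop-in, a root start without {{ic|User tor}} in {{ic|torrc}}, and a missing {{ic|ExitPolicy reject}} line for the relay's own public IP. The function names, the constructed sample address 203.0.113.5 and the simple option parsing are assumptions of the example.<br />
<br />
```sh
#!/bin/sh
# Added example, not from the ArchWiki page or the Tor project: a torrc
# pre-flight check for the exit relay configuration described above.
# Usage: torrc_check TORRC DROPIN PUBLIC_IP
#   TORRC     e.g. /etc/tor/torrc
#   DROPIN    e.g. /etc/systemd/system/tor.service.d/start-as-root.conf
#   PUBLIC_IP the relay's public address (the page's XXX.XXX.XXX.XXX)

# Print the value of a torrc option (first match, "#" comments stripped,
# option name compared case-insensitively as Tor does).
torrc_get() {
    sed -e 's/#.*$//' "$1" | awk -v opt="$2" 'tolower($1) == tolower(opt) { print $2; exit }'
}

# True if the systemd drop-in starts the service as root.
dropin_runs_as_root() {
    [ -f "$1" ] && grep -q '^User=root$' "$1"
}

# Print one line per finding; the return status is the number of findings
# (0 means the conditions explained above all hold).
torrc_check() {
    torrc=$1; dropin=$2; pubip=$3
    findings=0
    orport=$(torrc_get "$torrc" ORPort)
    dirport=$(torrc_get "$torrc" DirPort)
    toruser=$(torrc_get "$torrc" User)
    noswap=$(torrc_get "$torrc" DisableAllSwap)

    # Privileged ports (< 1024) and DisableAllSwap both need a root start.
    needs_root=0
    for p in "$orport" "$dirport"; do
        case $p in
            ''|*[!0-9]*) ;;                        # unset or not a plain port number
            *) [ "$p" -lt 1024 ] && needs_root=1 ;;
        esac
    done
    [ "$noswap" = 1 ] && needs_root=1

    if [ "$needs_root" = 1 ]; then
        if ! dropin_runs_as_root "$dropin"; then
            echo "FINDING: privileged port or DisableAllSwap set, but $dropin does not set User=root"
            findings=$((findings + 1))
        fi
        if [ -z "$toruser" ]; then
            echo "FINDING: service starts as root, but torrc has no 'User tor' line to drop privileges"
            findings=$((findings + 1))
        fi
    fi

    # The exit policy must reject the relay's own public IP (optionally with a /mask).
    # Dots in the address are matched loosely, which is fine for a sanity check.
    if ! sed -e 's/#.*$//' "$torrc" |
         grep -Eiq "^[[:space:]]*ExitPolicy[[:space:]]+reject[[:space:]]+$pubip(/[0-9]+)?:"; then
        echo "FINDING: no ExitPolicy reject line covers the public IP $pubip"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use (constructed sample address):
#   torrc_check /etc/tor/torrc /etc/systemd/system/tor.service.d/start-as-root.conf 203.0.113.5
if [ "$#" -eq 3 ]; then
    torrc_check "$@"
fi
```
<br />
Run it after every edit of {{ic|torrc}}: a non-zero exit status means one of the three conditions is violated, and the printed findings say which one. The check deliberately ignores everything it does not understand, so a clean result confirms only the relationship between the root start, {{ic|User tor}} and the exit policy, not the rest of the file.<br />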
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Instead of a [[Simple_stateful_firewall]], where connection tracking would have to track thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disable connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allows every incoming TCP packet that is not a bare SYN, i.e. the already established connections permitted by the rules below and the connections the exit node itself initiated; without connection tracking, only new connections (SYN) are filtered by the port rules that follow.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP packets, because without connection tracking replies to the relay's own DNS queries cannot be told apart from unsolicited traffic.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
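The stateless chain above can be reasoned about by hand, but it is easy to misjudge what {{ic|! --syn}} lets through. The following POSIX shell evaluator is an added example (not code from this page or from the iptables project): it parses an {{ic|iptables-restore}} file for the subset of matches the ruleset uses ({{ic|-p}}, {{ic|! --syn}}, {{ic|--dport}}, {{ic|-i}}) and prints the verdict a described packet would get in the {{ic|INPUT}} chain, together with the number of the matching rule (0 for the chain policy). The embedded ruleset is a copy of the one above; the function name and the packet notation are assumptions of the example.<br />
<br />
```sh
#!/bin/sh
# Added example, not from the ArchWiki page: evaluate the stateless INPUT
# chain above for a described packet. Understood matches: -p, ! --syn,
# --syn, --dport, -i. Any other match is reported on stderr and makes
# that rule non-matching, so unsupported rules are never silently accepted.
#
# Usage: input_verdict PROTO DPORT SYN IFACE [RULES]
#   PROTO  tcp | udp | icmp
#   DPORT  destination port, or "-" when not applicable
#   SYN    "syn" for a bare SYN (a new TCP connection), "nosyn" otherwise
#   IFACE  input interface, e.g. eth0 or lo
#   RULES  iptables-restore text; defaults to the copy of the page's rules below

STATELESS_RULES='*raw
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Prints "VERDICT RULENUMBER", e.g. "ACCEPT 1" or "DROP 0" (0 = chain policy).
input_verdict() {
    printf '%s\n' "${5:-$STATELESS_RULES}" |
    awk -v proto="$1" -v dport="$2" -v syn="$3" -v iface="$4" '
        /^\*/             { table = substr($0, 2); next }   # *raw, *filter, ...
        table != "filter" { next }                          # INPUT lives in the filter table
        /^:INPUT /        { policy = $2; next }             # chain policy line
        $1 == "-A" && $2 == "INPUT" {
            n++; ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")           { if ($(i+1) != proto) ok = 0; i++ }
                else if ($i == "!" && $(i+1) == "--syn") {
                    if (proto != "tcp" || syn == "syn") ok = 0; i++
                }
                else if ($i == "--syn")   { if (proto != "tcp" || syn != "syn") ok = 0 }
                else if ($i == "--dport") { if ($(i+1) != dport) ok = 0; i++ }
                else if ($i == "-i")      { if ($(i+1) != iface) ok = 0; i++ }
                else if ($i == "-j")      { target = $(i+1); i++ }
                else { print "rule " n ": unsupported match " $i > "/dev/stderr"; ok = 0 }
            }
            if (ok) { print target, n; found = 1; exit }   # first terminating match wins
        }
        END { if (!found) print policy, 0 }'
}

# Stand-alone use: input_verdict tcp 22 nosyn eth0   (prints "ACCEPT 1")
if [ "$#" -ge 4 ]; then
    input_verdict "$@"
fi
```
<br />
Trying a few packets makes the trade-off of the stateless design visible: a new connection to port 22 from outside ({{ic|tcp 22 syn eth0}}) is dropped by the policy, but a stray ACK to the same port ({{ic|tcp 22 nosyn eth0}}) is accepted by rule 1 and answered by the kernel with a RST. That is the price of not tracking connections, and it is harmless only as long as nothing listens on ports other than the {{ic|ORPort}} and {{ic|DirPort}}.<br />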
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv6}} and {{ic|--ipv4}} mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines, since the rules below redirect to these ports:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl enable tor iptables ip6tables<br />
systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
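Because the whole point of this ruleset is leak prevention, it pays to re-check the properties that make it leak-resistant every time the file is edited. The following POSIX shell script is an added example (not from this page or from the Tor or iptables projects) that tests an {{ic|iptables-restore}} file for those properties: DROP policies on the filter {{ic|INPUT}} and {{ic|OUTPUT}} chains, the {{ic|--uid-owner tor}} exemption placed before the REDIRECT rules in the nat {{ic|OUTPUT}} chain, the UDP/53 and TCP SYN redirects to the DNSPort and TransPort named in the note above, and a final REJECT in the filter {{ic|OUTPUT}} chain. The embedded ruleset is a copy of the one above; the function names are assumptions of the example.<br />
<br />
```sh
#!/bin/sh
# Added example, not from the ArchWiki page: leak-guard check for the
# transparent torification ruleset above.
# Usage: torify_rules_check FILE [DNSPORT] [TRANSPORT]
# Ports default to the torrc values the note above requires (5353, 9040).
# Prints one "MISSING: ..." line per failed property; the return status is
# the number of failures (0 = all properties hold).

# Copy of the page's ruleset, used by the stand-alone run below.
TORIFY_RULES_SAMPLE='*nat
:PREROUTING ACCEPT [6:2126]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [17:6239]
:POSTROUTING ACCEPT [6:408]
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT'

# Print the policy and rule lines of one table (nat or filter) from FILE.
table_rules() {
    awk -v t="$2" '/^\*/ { cur = substr($0, 2); next }
                   cur == t && /^[-:]/ { print }' "$1"
}

# _expect DESCRIPTION RULES ERE: record a failure unless some line of RULES matches ERE.
_expect() {
    if ! printf '%s\n' "$2" | grep -Eq "$3"; then
        echo "MISSING: $1"
        missing=$((missing + 1))
    fi
}

torify_rules_check() {
    file=$1; dnsport=${2:-5353}; transport=${3:-9040}
    missing=0
    nat=$(table_rules "$file" nat)
    filter=$(table_rules "$file" filter)

    _expect "filter INPUT policy DROP" "$filter" '^:INPUT DROP '
    _expect "filter OUTPUT policy DROP (anything not torified is dropped)" "$filter" '^:OUTPUT DROP '
    _expect "nat OUTPUT RETURN for the tor user (Tor's own traffic must not be redirected)" \
            "$nat" '^-A OUTPUT .*--uid-owner "?tor"? -j RETURN'
    _expect "nat OUTPUT redirect of UDP/53 to DNSPort $dnsport" \
            "$nat" "^-A OUTPUT .*-p udp .*--dport 53 -j REDIRECT --to-ports $dnsport\$"
    _expect "nat OUTPUT redirect of new TCP (SYN) to TransPort $transport" \
            "$nat" "^-A OUTPUT .*--tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $transport\$"
    _expect "filter OUTPUT ACCEPT for the tor user" "$filter" '^-A OUTPUT .*--uid-owner "?tor"? -j ACCEPT'
    _expect "filter OUTPUT final REJECT" "$filter" '^(--ipv[46] )?-A OUTPUT -j REJECT'

    # Ordering matters in nat OUTPUT: the tor-user RETURN must come before the REDIRECTs.
    order=$(printf '%s\n' "$nat" | awk '
        /-A OUTPUT /                                          { n++ }
        /-A OUTPUT / && /--uid-owner "?tor"? -j RETURN/ && !r { r = n }
        /-A OUTPUT / && /-j REDIRECT/ && !d                   { d = n }
        END { v = (r && d && r < d) ? "ok" : "bad"; print v }')
    if [ "$order" != ok ]; then
        echo "MISSING: tor-user RETURN placed before the REDIRECT rules in nat OUTPUT"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Stand-alone use: torify_rules_check /etc/iptables/iptables.rules
if [ "$#" -ge 1 ]; then
    torify_rules_check "$@"
fi
```
<br />
Pass the {{ic|DNSPort}} and {{ic|TransPort}} values from your {{ic|torrc}} as the second and third argument when they differ from the note's defaults; a mismatch between the redirect targets and what Tor actually listens on is reported as a missing redirect, which is exactly the case where DNS or TCP traffic would be blackholed rather than torified.<br />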
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the {{ic|User}} value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the Tor service, run the service as root (it will switch back to the tor user). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will be run as tor user. For this purpose change user and group ID to tor and also make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Talk:Tor&diff=352247Talk:Tor2014-12-24T03:12:55Z<p>Usprey: Answered Alad</p>
<hr />
<div>== Merging with the ''Proxy routing with Tor and Privoxy'' article ==<br />
Agreed. The other one seems to be slightly better-written, and its title reflects the content better. --[[User:Veox|Veox]] 05:00, 11 May 2009 (EDT)<br />
: I am with Veox on this as well. --[[User:Japetto|Japetto]] 23:52, 8 January 2010 (EST)<br />
I disagree, as many are using Polipo instead of Privoxy, for a variety of reasons. One primary reason being that Polipo makes using Tor seem to be a faster experience. --[[User:handy|handy]] 17:09, 30 August 2010 (EST)<br />
:why don't we merge the "proxy routing with tor and privoxy" to here instead? we can have subsections for polipo and privoxy (or any other http proxy with socks support that people want to use) [[User:Thestinger|Thestinger]] 04:12, 30 August 2010 (EDT)<br />
::Since this discussion has clearly been abandoned and no change has been made in over two years, I'm going to follow through on [[User:Thestinger|Thestinger]]'s suggestion. ~ [[User:Filam|Filam]] 10:51, 2 July 2011 (EDT)<br />
:::I'm going to create separate Polipo and Privoxy articles. I had the idea previously, but wanted to take some time to look through and edit the Tor article first. In its current state the Tor article is way too long. I'll finish dividing the Polipo and Tor content in this article before creating a Polipo article which links to a HTTP Proxy section here. Then I'll move [[Proxy routing with Tor and Privoxy]] to [[Privoxy]] and link it to [[Tor]]. ~ [[User:Filam|Filam]] 11:49, 2 July 2011 (EDT)<br />
<br />
== File descriptor ulimit ==<br />
What is a [[Tor#Configuration|file descriptor ulimit]]? As far as I understand it, it is a file size limit on the files current open (i.e. in memory) as monitored by the Kernel. But the Tor configuration file states that it is a "custom ulimit for the maximum number of open files"? Is this a correct use of the term ''ulimit''? ~ [[User:Filam|Filam]] 09:30, 30 January 2012 (EST)<br />
:And more importantly, why would you want to set a limit on the maximum number of files open by Tor? Does Tor tend to open an unusually high number of files? ~ [[User:Filam|Filam]] 09:33, 30 January 2012 (EST)<br />
<br />
== Broken Link ==<br />
<br />
The polipo configuration file link is broken. Gitweb returns a 404 on the file. -yungtrizzle<br />
<br />
== Running a Tor server ==<br />
<br />
Considering the size of [[Tor#Running_a_Tor_server]], I would suggest moving it to a new page [[Tor/Running a Tor server]], or check for potential duplication. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 01:58, 24 December 2014 (UTC)<br />
:I can move [[Tor#.2B100Mbps_Exit_Relay_configuration_example]] to a separate page if you wish or we can do the cleanup. --[[User:Usprey|Usprey]] ([[User talk:Usprey|talk]]) 03:12, 24 December 2014 (UTC)</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352241Tor2014-12-24T01:59:11Z<p>Usprey: /* Running Tor in a systemd-nspawn container with a virtual network interface */ Final</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd-nspawn container with a virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
=== Host installation and configuration ===<br />
{{ic|# mkdir /srv/container/tor-exit}}<br />
In this example the container will reside in {{ic|/srv/container}}.<br />
<br />
{{ic|# pacman -S arch-install-scripts}}<br />
Install the {{Pkg|arch-install-scripts}}. <br />
<br />
{{ic|# pacstrap -i -c -d /srv/container/tor-exit base tor arm}}<br />
Install {{Pkg|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation_with_pacstrap]].<br />
<br />
{{ic|# mkdir -p -v /var/lib/container}}<br />
Create directory if it does not exist.<br />
<br />
{{ic|# ln -s /srv/container/tor-exit /var/lib/container/tor-exit}}<br />
Symlink to register the container on the host, as per [[Systemd-nspawn#Boot_your_container_at_your_machine_startup]].<br />
<br />
==== Virtual network interface ====<br />
{{ic|# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d}}<br />
Create a drop-in directory for the container service.<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}} automagically creates a macvlan named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}. <br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Set up [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network}}.<br />
<br />
==== Start and enable systemd-nspawn ====<br />
{{ic|# systemctl enable systemd-nspawn@tor-exit.service}}<br />
<br />
{{ic|# systemctl start systemd-nspawn@tor-exit.service}}<br />
<br />
=== Container configuration ===<br />
{{ic|# machinectl login tor-exit}} logs in to the container, see [[Systemd-nspawn#machinectl_command]].<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}} if you get the error described in [[Systemd-nspawn#Troubleshooting]].<br />
<br />
==== Start and enable systemd-networkd ====<br />
{{ic|# systemctl enable systemd-networkd}}<br />
<br />
{{ic|# systemctl start systemd-networkd}}<br />
<br />
{{ic|# networkctl}} displays if {{ic|systemd-networkd}} is correctly configured.<br />
<br />
=== Configure Tor ===<br />
See [[Tor#Running_a_Tor_server]].<br />
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use {{ic|127.0.0.1}} or {{ic|localhost}} as a SOCKS5 proxy on port {{ic|9050}} (stand-alone ''tor'' with default settings) or port {{ic|9150}} (the ''tor'' instance bundled with the Tor Browser Bundle, see [[#Pidgin]]). Port {{ic|9051}} is Tor's ''ControlPort'', not a SOCKS port; pointing an application at it will not work.<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with Tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built on a patched Firefox extended support release. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project, because a stock browser is both easy to fingerprint and prone to leaks.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and accept the ''void your warranty'' notice. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy; without it Firefox resolves every hostname with the system resolver and leaks the names of the sites you visit to your local network.<br />
<br />
=== Chromium ===<br />
<br />
Run Chromium with an explicit SOCKS5 proxy (use the {{ic|socks5://}} scheme: SOCKS5 carries the hostname to Tor, whereas SOCKS4 carries only an IP address that was resolved locally) and keep its DNS prefetcher from resolving names outside the proxy:<br />
<br />
 $ chromium --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"<br />
<br />
The {{ic|--host-resolver-rules}} flag is the one the Chromium SOCKS proxy documentation recommends for exactly this purpose.<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using Tor's SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] is running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like instant messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications which resolve DNS names themselves may leak information. Use SOCKS4a or SOCKS5 with remote hostname resolution (or Privoxy, which forwards the hostname) instead.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed: the client talks to Tor's SOCKS port directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} address directly. Doing so requires identifying to NickServ during connection with the SASL mechanism of charybdis/ircd-seven; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Store your NickServ credentials; irssi sends them when connecting. DH-BLOWFISH and PLAIN were the mechanisms offered when this was written; check which mechanisms the network currently supports.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository databases and packages) can be done over the Tor network. Though relatively extreme, this measure prevents an adversary (most likely on one's LAN or at the mirror) from learning a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered on the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f -o %o %u</nowiki><br />
...}}<br />
<br />
{{ic|--socks5-hostname}} makes curl hand the mirror's hostname to Tor instead of resolving it locally, and {{ic|-o %o}} (rather than a shell redirect) lets {{ic|-C -}} resume partial downloads. Note that {{ic|XferCommand}} only covers repository databases and packages; keys fetched by ''pacman-key'' are retrieved by ''gpg''/''dirmngr'' and have to be routed through Tor separately (for instance via dirmngr's {{ic|http-proxy}} option).<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
Following [https://www.torproject.org/docs/bridges the Tor Project's bridge instructions], reduce your torrc to these four lines:<br />
<br />
 SocksPort 0<br />
 ORPort 443<br />
 BridgeRelay 1<br />
 ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should share at least 20 KiB/s:<br />
<br />
 Nickname ''tornickname''<br />
 ORPort 9001<br />
 BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
 BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To make the relay a middleman (never an exit), add:<br />
<br />
 ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
In torrc you configure which destination ports your exit node will allow. Policy entries are evaluated in order and the first matching entry wins; Tor appends its default policy after your entries.<br />
Allow all traffic:<br />
<br />
 ExitPolicy accept *:*<br />
<br />
Allow only the IRC ports 6660-6667 to exit from the node:<br />
<br />
 ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor rejects certain ports (SMTP, NNTP, NetBIOS/SMB and common file-sharing ports). You can override this in torrc:<br />
<br />
 ExitPolicy accept *:119 # Accept nntp in addition to the default exit policy<br />
<br />
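The following Python script is an added example (not from the wiki page or the Tor project) that applies these rules the way Tor does: your {{ic|ExitPolicy}} lines in file order, then the built-in default policy, with {{ic|reject private:*}} in front because {{ic|ExitPolicyRejectPrivate}} defaults to 1. The torrc fragment and the 203.0.113.0/24 netblock in it are constructed for the demonstration; the script also shows why a reject for your own netblock has to come ''before'' any broad {{ic|accept}}. IPv4 only.<br />
<br />
```python
"""Evaluate a torrc ExitPolicy the way Tor does.

Added example, not from the Arch wiki or the Tor project.  Rules are
checked in order and the first match wins; Tor appends its built-in default
policy after your own lines and, with ExitPolicyRejectPrivate (default 1),
prepends 'reject private:*'.  IPv4 only.
"""
import ipaddress

# Tor's built-in default exit policy, as listed in the tor manual.
DEFAULT_EXIT_POLICY = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, "
    "reject *:563, reject *:1214, reject *:4661-4666, reject *:6346-6429, "
    "reject *:6699, reject *:6881-6999, accept *:*"
)

# Networks covered by the 'private' keyword (tor manual, ExitPolicy).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_policy(text):
    """Parse comma separated 'accept|reject ADDR[/MASK]:PORT[-PORT]' entries."""
    rules = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, pattern = entry.split(None, 1)
        addr, ports = pattern.rsplit(":", 1)
        if addr == "*":
            nets = [ipaddress.ip_network("0.0.0.0/0")]
        elif addr == "private":
            nets = PRIVATE_NETS
        else:
            nets = [ipaddress.ip_network(addr, strict=False)]
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action.lower(), nets, lo, hi))
    return rules


def load_torrc_policy(torrc_text, reject_private=True):
    """Collect the ExitPolicy lines of a torrc in file order (trailing
    '#' comments stripped) and append the default policy as Tor does."""
    own = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("exitpolicy "):
            own.append(line.split(None, 1)[1])
    text = ",".join(own + [DEFAULT_EXIT_POLICY])
    if reject_private:
        text = "reject private:*," + text
    return parse_policy(text)


def exit_allowed(rules, address, port):
    """First matching rule decides whether the exit may open address:port."""
    ip = ipaddress.ip_address(address)
    for action, nets, lo, hi in rules:
        if lo <= port <= hi and any(ip in net for net in nets):
            return action == "accept"
    return False   # not reached: the default policy ends with accept *:*


# Constructed torrc fragment: reject the relay's own (documentation) /24
# first, then widen the default policy to allow NNTP.
TORRC = """\
ExitPolicy reject 203.0.113.0/24:*   # own public netblock, as in the wiki example
ExitPolicy accept *:119              # accept nntp in addition to the default policy
"""

# The same two lines in the opposite order: accept *:119 now matches before
# the reject, so port 119 on the relay's own netblock becomes reachable.
TORRC_WRONG_ORDER = "\n".join(reversed(TORRC.strip().splitlines()))

if __name__ == "__main__":
    rules = load_torrc_policy(TORRC)
    for addr, port in (("198.51.100.7", 119), ("198.51.100.7", 25),
                       ("203.0.113.9", 119), ("10.0.0.5", 80)):
        print(addr, port, "accept" if exit_allowed(rules, addr, port) else "reject")
```
<br />
Running it prints the verdict for each constructed destination; with the two torrc lines swapped, {{ic|203.0.113.9:119}} flips from reject to accept, which is the mistake the ordering rule guards against.<br />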
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to setup Tor alongside [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|LimitNOFILE}} in the unit is what applies to ''tor.service'': system services never pass through ''pam_limits'', so {{ic|/etc/security/limits.conf}} does not affect them. The following entries are only needed for processes started in a PAM session as the tor user, such as {{ic|sudo -u tor arm}}:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check the limit of the running service by reading its process limits: {{ic|<nowiki># grep 'open files' /proc/$(pidof tor)/limits</nowiki>}}. For a PAM session as the tor user use {{ic|<nowiki># sudo -u tor sh -c 'ulimit -Hn'</nowiki>}} ({{ic|ulimit}} is a shell builtin, so it has to be run through a shell).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports (below 1024) the service must be started as root. Set the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops to the tor user after binding. An alternative that avoids root entirely is to grant only the port-binding capability to the service with {{ic|1=AmbientCapabilities=CAP_NET_BIND_SERVICE}} (systemd 229 or later); in that case leave {{ic|User}} out of torrc, and note that {{ic|DisableAllSwap 1}} additionally needs the ability to lock memory ({{ic|CAP_IPC_LOCK}}).<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on Port 80 and 443 the service need to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $FINGERPRINT1,$FINGERPRINT2 ## Fingerprints of all relays you operate, each prefixed with $<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} logs messages of severity notice and above to stdout, which is also the Tor default (systemd captures them in the journal).<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} serves [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and bypass firewalls that trust that address range. Tor already rejects your own public address and private networks by default ({{ic|ExitPolicyRejectPrivate 1}}); the explicit entry extends this to the rest of the netblock.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep -m1 -w -o aes /proc/cpuinfo</nowiki>}} prints {{ic|aes}}, the CPU supports AES-NI. OpenSSL uses these instructions from user space whether or not the kernel's {{ic|aesni_intel}} module ({{ic|<nowiki># lsmod | grep aes</nowiki>}}) is loaded; that module only serves in-kernel crypto. {{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}} (it must run as the tor user to read the authentication cookie in Tor's data directory).<br />
To watch Tor's connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Rather than a [[Simple_stateful_firewall]], where connection tracking would have to follow tens of thousands of flows on a busy exit relay, this firewall configuration is stateless. That has consequences: the {{ic|! --syn}} rule admits any non-SYN TCP segment to any port (closed ports answer with a reset) and every UDP datagram is accepted, so make sure nothing listens on UDP or on TCP ports you do not intend to expose (bind the DNS cache below to localhost). Validate the file before loading it with {{ic|# iptables-restore --test /etc/iptables/iptables.rules}}.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} sets the default policy of the {{ic|INPUT}} chain to drop input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} sets the default policy of the {{ic|FORWARD}} chain; it is only relevant if the host is an IP router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} sets the default policy of the {{ic|OUTPUT}} chain and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts every TCP segment that is not a connection request, which covers replies to connections the exit opened as well as the later segments of inbound connections accepted by the rules below. Being stateless, it cannot tell a genuine reply from an unsolicited non-SYN packet; such packets reach the kernel, which answers with a reset for closed ports.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} accepts all incoming UDP, because without connection tracking DNS replies to the relay's resolver cannot be matched to their queries. Any UDP service bound to a public address is therefore reachable.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allow [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allow incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allow incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle many TLS connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400; ## Cache size in KB: 100 MB (every option ends with a semicolon)<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This lets Tor accept DNS requests (listening on port 9053 in this example) like a regular DNS server and resolve the name through the Tor network, at the exit relay. A downside is that it only answers hostname-to-address (A/AAAA) and reverse (PTR) queries; MX, NS, TXT and other record types are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
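<br />
{{ic|tor-resolve}} uses Tor's SOCKS5 RESOLVE extension (command {{ic|0xF0}}, described in Tor's socks-extensions.txt) on the SocksPort rather than the DNSPort. The following Python module is an added example, not code from the wiki page or from ''tor-resolve'' itself; it builds the request, parses the reply, and includes a live resolver that talks to a running Tor on {{ic|127.0.0.1:9050}}. The sample reply bytes are constructed to carry the address shown above. Because the hostname travels inside the SOCKS message, the local resolver never sees it; the same principle is what makes {{ic|--socks5-hostname}} and {{ic|socks_remote_dns}} elsewhere on this page leak-free.<br />
<br />
```python
"""Tor's SOCKS5 RESOLVE extension, the request tor-resolve sends to the
SocksPort so that the exit relay, not the local resolver, looks up a name.

Added example, not code from the wiki page or from tor-resolve.  Message
layouts follow Tor's socks-extensions.txt; the sample reply is constructed.
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_RESOLVE = 0xF0            # Tor extension: forward lookup of a hostname
CMD_RESOLVE_PTR = 0xF1        # Tor extension: reverse lookup of an address
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def build_greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_resolve_request(hostname):
    """VER CMD RSV ATYP LEN NAME PORT; the port is meaningless for RESOLVE."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname does not fit a SOCKS5 domain address")
    header = struct.pack("!BBBBB", SOCKS_VERSION, CMD_RESOLVE, 0x00,
                         ATYP_DOMAIN, len(name))
    return header + name + b"\x00\x00"


def parse_resolve_reply(data):
    """VER REP RSV ATYP BND.ADDR BND.PORT.  REP 0x00 is success and BND.ADDR
    then carries the resolved address.  Returns (address, bytes consumed)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise OSError("Tor could not resolve the name, REP=0x%02x" % rep)
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:          # only seen in RESOLVE_PTR answers
        addr_len = 1 + data[4]
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    end = 4 + addr_len
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    raw = data[4:end]
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        addr = raw[1:].decode("ascii")
    return addr, end + 2


def _recv_exact(sock, n):
    """Read exactly n bytes or fail; SOCKS replies are length-prefixed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed by Tor")
        buf += chunk
    return buf


def tor_resolve(hostname, socks_host="127.0.0.1", socks_port=9050):
    """Live equivalent of 'tor-resolve hostname' against a running Tor."""
    with socket.create_connection((socks_host, socks_port)) as s:
        s.sendall(build_greeting())
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise OSError("Tor rejected the no-authentication method")
        s.sendall(build_resolve_request(hostname))
        head = _recv_exact(s, 4)
        if head[3] == ATYP_DOMAIN:
            rest = _recv_exact(s, 1)
            rest += _recv_exact(s, rest[0] + 2)
        else:
            rest = _recv_exact(s, (4 if head[3] == ATYP_IPV4 else 16) + 2)
        addr, _ = parse_resolve_reply(head + rest)
        return addr


# Constructed reply: REP 0, ATYP IPv4, the address shown in the wiki example.
SAMPLE_REPLY = b"\x05\x00\x00\x01" + bytes([66, 211, 214, 131]) + b"\x00\x00"

if __name__ == "__main__":
    print(build_resolve_request("archlinux.org").hex())
    print(parse_resolve_reply(SAMPLE_REPLY))
```
<br />
The first two bytes Tor sends back to the greeting are {{ic|05 00}} (version 5, no authentication); a {{ic|REP}} other than zero in the RESOLVE reply means the lookup failed at the exit, and the parser raises rather than returning a guess.<br />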
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to read:<br />
<br />
 DNSPort 53<br />
<br />
Port 53 is privileged, so this requires Tor to be started as root with {{ic|User tor}} set in torrc (see [[#Start tor.service as root to bind Tor to privileged ports]]). Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which keeps Tor on an unprivileged port and also compensates for TorDNS being slower than traditional DNS servers. The following instructions show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep Tor listening for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not overwrite the resolver configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Older versions of ''torsocks'' (and the ''tsocks'' it replaced) did ''not'' perform DNS lookups through the Tor network; ''torsocks'' 2.x does, using Tor's SOCKS RESOLVE extension. If your wrapper leaks lookups, a workaround is to resolve the name first with {{ic|<nowiki>tor-resolve</nowiki>}} (described above) and pass the address. For the first of the above examples the procedure would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not least because it prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort''. Be aware that Tor only carries TCP: UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks.<br />
<br />
Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* It uses {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can load the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its protocol.<br />
* {{ic|ip6tables}} does not accept the IPv4 {{ic|--reject-with}} names such as {{ic|icmp-port-unreachable}}, which is why the IPv6 rules use a plain {{ic|REJECT}}.<br />
* The {{ic|REDIRECT}} rules send IPv6 flows to {{ic|::1}}; unless Tor is also given a {{ic|TransPort}} and {{ic|DNSPort}} on {{ic|[::1]}}, those flows find nothing listening and fail closed rather than leaking.<br />
<br />
The port numbers must match the torrc, which has to contain the following lines:<br />
<br />
 SocksPort 9050<br />
 DNSPort 5353<br />
 TransPort 9040<br />
<br />
See {{ic|man iptables}} and {{ic|man iptables-extensions}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for {{ic|ip6tables-restore}}, so you may symlink it:<br />
<br />
 # ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables (as two commands; a brace expansion such as {{ic|systemctl {enable,start} ...}} would pass {{ic|start}} to {{ic|systemctl enable}} as a unit name):<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} (together with matching {{ic|1=After=}} lines, since {{ic|1=Requires=}} alone does not order units) to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
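To see what the ruleset above actually does to a given flow, the following Python script is an added example (not part of the wiki page) that hard-codes the logic of its nat and filter {{ic|OUTPUT}} chains for locally generated IPv4 packets and walks constructed packets through them. It models only the first packet of a flow, which is the one the nat table sees; the user names and addresses are constructed. It shows the three outcomes the section describes: TCP and DNS are redirected into Tor, Tor's own traffic and the 192.168.0.0/16 exception pass directly, and anything else (here an NTP datagram) is rejected rather than leaked.<br />
<br />
```python
"""Trace a locally generated IPv4 packet through the nat and filter OUTPUT
chains of the transparent-torification ruleset above.

Added example, not part of the wiki page.  It hard-codes that ruleset's
logic rather than parsing iptables syntax, and only models the first packet
of a new flow (the packet the nat table sees).  Names and addresses used in
the demonstration are constructed.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto dst dport uid out_iface syn")

TOR_UID = "tor"                         # -m owner --uid-owner "tor"
TRANS_PORT, DNS_PORT = 9040, 5353       # TransPort / DNSPort from torrc
LAN = ipaddress.ip_network("192.168.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCALHOST = ipaddress.ip_address("127.0.0.1")


def new_flow(proto, dst, dport, uid, out_iface="eth0"):
    """Constructed first packet of a flow: a TCP SYN or a UDP datagram."""
    return Packet(proto, ipaddress.ip_address(dst), dport, uid, out_iface,
                  proto == "tcp")


def nat_output(pkt):
    """nat OUTPUT chain, rules in file order.  REDIRECT rewrites the
    destination to 127.0.0.1:<port>; RETURN leaves the packet alone."""
    if pkt.out_iface == "lo":
        return pkt, "RETURN (loopback)"
    if pkt.dst in LAN:
        return pkt, "RETURN (192.168.0.0/16 bypass, not torified)"
    if pkt.uid == TOR_UID:
        return pkt, "RETURN (tor's own traffic)"
    if pkt.proto == "udp" and pkt.dport == 53:
        return pkt._replace(dst=LOCALHOST, dport=DNS_PORT), "REDIRECT to DNSPort"
    if pkt.proto == "tcp" and pkt.syn:
        return pkt._replace(dst=LOCALHOST, dport=TRANS_PORT), "REDIRECT to TransPort"
    return pkt, "no NAT rule matched (chain policy ACCEPT)"


def filter_output(pkt, established=False):
    """filter OUTPUT chain, seen after NAT, so a redirected flow now has a
    127.0.0.0/8 destination and is accepted by the first rule.  A new flow
    that was neither redirected nor exempted falls through to REJECT."""
    if pkt.dst in LOOPBACK:
        return "ACCEPT (127.0.0.0/8)"
    if pkt.dst in LAN:
        return "ACCEPT (192.168.0.0/16)"
    if established:
        return "ACCEPT (conntrack RELATED,ESTABLISHED)"
    if pkt.uid == TOR_UID:
        return "ACCEPT (uid tor)"
    return "REJECT icmp-port-unreachable"


def decide(pkt):
    """Verdict for a new flow: (nat action, filter verdict, final dport)."""
    rewritten, nat_note = nat_output(pkt)
    return nat_note, filter_output(rewritten), rewritten.dport


if __name__ == "__main__":
    for pkt in (new_flow("tcp", "198.51.100.7", 443, "alice"),   # browser -> TransPort
                new_flow("udp", "8.8.8.8", 53, "alice"),         # resolver -> DNSPort
                new_flow("udp", "198.51.100.7", 123, "alice"),   # NTP: cannot be torified
                new_flow("tcp", "198.51.100.7", 9001, "tor"),    # tor -> guard relay
                new_flow("tcp", "192.168.1.10", 22, "alice")):   # LAN: bypasses Tor
        print(pkt.proto, pkt.dst, pkt.dport, pkt.uid, "->", decide(pkt))
```
<br />
The point worth noticing in {{ic|filter_output}} is that a redirected packet arrives with destination {{ic|127.0.0.1}}, so it is the {{ic|127.0.0.0/8}} rule, not the owner rule, that lets torified traffic out; remove that rule and every redirected flow is rejected. The 192.168.0.0/16 exception is also plainly visible: traffic to the LAN never enters Tor, so drop that rule if your threat model includes the local network.<br />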
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still does not start, run it as root and let Tor drop to the tor user itself. Set the user name in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
Then override the service with a drop-in (do not edit {{ic|/usr/lib/systemd/system/tor.service}} directly, as package upgrades overwrite it):<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
</nowiki>}}<br />
<br />
The process will still run as the tor user once started. Make sure the data directory belongs to that user and, because it holds the relay's private keys, is not readable by anyone else (Tor expects mode {{ic|700}} on it):<br />
<br />
 # chown -R tor:tor /var/lib/tor/<br />
 # chmod 700 /var/lib/tor<br />
 # chmod -R go-rwx /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352239Tor2014-12-24T01:44:02Z<p>Usprey: /* Running Tor in a systemd container with virtual network interface */ Final draft</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}} so that Tor drops privileges after binding.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot. Must be run as root.<br />
if [[ $EUID -ne 0 ]]; then echo "run this script as root" >&2; exit 1; fi<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Relative symlink, so /lib resolves inside the chroot rather than to the host<br />
ln -s usr/lib $TORCHROOT/lib<br />
# Name resolution and time zone data that Tor reads at run time<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# Libraries loaded via NSS/dlopen at run time, which ldd does not list<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Every shared library tor is linked against<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
# Data directory (keys, state); it must stay owned by the tor user<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs: randomness sources and /dev/null<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    # Both links are relative so that /lib64/ld-linux-x86-64.so.2 resolves<br />
    # to the chroot's own /usr/lib, not to a path on the host<br />
    ln -s usr/lib64 $TORCHROOT/lib64<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd-nspawn container with a virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
=== Host installation and configuration ===<br />
{{ic|# mkdir /srv/container/tor-exit}}. In this example the container will reside in {{ic|/srv/container}}.<br />
<br />
{{ic|# pacman -S arch-install-scripts}}. Install the {{Pkg|arch-install-scripts}}. <br />
<br />
{{ic|# pacstrap -i -c -d /srv/container/tor-exit base tor arm}}. Install {{Pkg|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation_with_pacstrap]].<br />
<br />
{{ic|# mkdir -p -v /var/lib/container}} creates the directory if it does not exist.<br />
<br />
{{ic|# ln -s /srv/container/tor-exit /var/lib/container/tor-exit}} to register the container on the host, as per [[Systemd-nspawn#Boot_your_container_at_your_machine_startup]].<br />
<br />
==== Virtual network interface ====<br />
{{ic|# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d}} creates a drop-in directory for the container service.<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}} automagically creates a macvlan named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}. <br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Set up [[systemd-networkd]] according to your network in the container, under {{ic|/srv/container/tor-exit/etc/systemd/network}}.<br />
<br />
==== Start and enable systemd-nspawn ====<br />
{{ic|# systemctl enable systemd-nspawn@tor-exit.service}}<br />
{{ic|# systemctl start systemd-nspawn@tor-exit.service}}<br />
<br />
=== Container configuration ===<br />
{{ic|# machinectl login tor-exit}} logs in to the container, see [[Systemd-nspawn#machinectl_command]].<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}} if you get the error described in [[Systemd-nspawn#Troubleshooting]].<br />
<br />
==== Start and enable systemd-networkd ====<br />
{{ic|# systemctl enable systemd-networkd}}<br />
{{ic|# systemctl start systemd-networkd}}<br />
{{ic|# networkctl}} displays if {{ic|systemd-networkd}} is correctly configured.<br />
<br />
=== Configure Tor ===<br />
See [[Tor#Running_a_Tor_server]].<br />
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy, so that name lookups do not leak outside Tor.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to switch between normal browsing and the Tor network just by left-clicking the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, so that the host name is resolved by the proxy rather than locally.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. The client uses Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, your torrc should consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this; rules are matched in order, first match wins, and your rules are evaluated before the default policy.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
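<br />
To check how ExitPolicy lines like the ones above will actually be matched, the following Python evaluator (an added example for this page, not code from the Tor project) applies the rules first-match-wins and then Tor's default exit policy, which is reproduced from the tor manual as an assumption; the addresses 198.51.100.7 and 203.0.113.0/24 are constructed sample values.<br />

```python
"""Evaluate Tor ExitPolicy rules the way Tor matches them: first match wins,
and Tor's default exit policy is appended after the operator's own rules.

Added example for this page, not code from the Tor project. It handles the
IPv4 'ADDR[/MASK]:PORT|LO-HI|*' form used in the torrc lines on this page;
the 'private' keyword and IPv6 rules are not implemented.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default exit policy as documented for the ExitPolicy option in the tor
# manual; assumed here so the example runs offline.
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None means '*' (any address)
    lo: int
    hi: int
    text: str  # the rule as written, to report which rule decided

    def matches(self, addr: ipaddress.IPv4Address, port: int) -> bool:
        if self.network is not None and addr not in self.network:
            return False
        return self.lo <= port <= self.hi


def parse_policy(line: str) -> List[Rule]:
    """Parse one ExitPolicy line; keyword and trailing '#' comment are optional."""
    body = line.split("#", 1)[0].strip()
    if body.lower().startswith("exitpolicy"):
        body = body[len("exitpolicy"):]
    rules = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        action, _, target = item.partition(" ")
        if action.lower() not in ("accept", "reject"):
            raise ValueError(f"unknown action in rule {item!r}")
        host, sep, portspec = target.strip().rpartition(":")
        if not sep:
            raise ValueError(f"missing ':PORT' in rule {item!r}")
        network = None if host == "*" else ipaddress.ip_network(host, strict=False)
        if portspec == "*":
            lo, hi = 1, 65535
        elif "-" in portspec:
            lo, hi = (int(p) for p in portspec.split("-", 1))
        else:
            lo = hi = int(portspec)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in rule {item!r}")
        rules.append(Rule(action.lower() == "accept", network, lo, hi, item))
    return rules


def exit_decision(torrc_lines: List[str], dest: str, port: int) -> Tuple[str, str]:
    """Return ('accept' or 'reject', text of the deciding rule) for dest:port.

    Operator lines are evaluated in order, then the default policy, so the
    first matching rule decides; the default's final 'accept *:*' always matches.
    """
    addr = ipaddress.ip_address(dest)
    rules: List[Rule] = []
    for line in torrc_lines:
        rules.extend(parse_policy(line))
    rules.extend(parse_policy(DEFAULT_EXIT_POLICY))
    for rule in rules:
        if rule.matches(addr, port):
            return ("accept" if rule.accept else "reject", rule.text)
    raise AssertionError("default policy should always match")


if __name__ == "__main__":
    # Constructed sample policies built from the torrc lines on this page;
    # 198.51.100.7 and 203.0.113.0/24 are documentation addresses, not real hosts.
    irc_only = ["ExitPolicy accept *:6660-6667,reject *:*  # Allow irc ports but no more"]
    print(exit_decision(irc_only, "198.51.100.7", 6667))   # ('accept', 'accept *:6660-6667')
    print(exit_decision(irc_only, "198.51.100.7", 80))     # ('reject', 'reject *:*')
    # Reject the relay's own subnet in front of the default policy.
    own_subnet = ["ExitPolicy reject 203.0.113.0/24:*"]
    print(exit_decision(own_subnet, "203.0.113.5", 443))   # ('reject', 'reject 203.0.113.0/24:*')
    print(exit_decision(own_subnet, "198.51.100.7", 443))  # ('accept', 'accept *:*')
    print(exit_decision(own_subnet, "198.51.100.7", 25))   # ('reject', 'reject *:25')
```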
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (100 Mbps or more) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it has to be run through a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the public IP of the host or of neighboring machines and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available"; see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Unlike a [[Simple_stateful_firewall]], where connection tracking would have to keep state for thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disable connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allows any incoming TCP segment without the SYN flag set, i.e. traffic of connections that are already established, whether accepted by the rules below or initiated by the exit node itself. Without connection tracking this is what lets return traffic in, at the cost that non-SYN segments to any port are accepted.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP packets, because without connection tracking the firewall cannot tell replies to the relay's own UDP queries (e.g. DNS) apart from unsolicited packets.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
Read [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor to listen for DNS requests on port 9053 again (as in the first example) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
This configuration sets dnsmasq to listen only for requests from the local computer and to use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated by a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv4}} and {{ic|--ipv6}} are used for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for the matching protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
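Before loading these rules, it helps to trace what they do with a given outgoing packet. The following Python simulator is an added example (not from the page, and not a tool of iptables or Tor): it parses the OUTPUT chains above and reports whether the first packet of a flow is redirected to Tor's DNSPort or TransPort, leaves directly, or is rejected; the sample packets, addresses and the user name alice are constructed.<br />

```python
# Added example: simulate the OUTPUT path of the rule set above for the first
# packet of a flow (later packets follow the conntrack entry it created).
import ipaddress
import shlex
from collections import namedtuple

# OUTPUT-chain rules copied from the iptables.rules file shown on the page.
RULES_TEXT = """
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""

# A constructed outgoing packet: uid is the owning user ("tor" is special-cased),
# syn=True marks the SYN-only first packet of a TCP connection.
Packet = namedtuple("Packet", "dst proto dport uid syn established out_iface",
                    defaults=(0, "alice", True, False, "eth0"))

SINGLE = {"-A": "chain", "-j": "target", "-o": "out_iface", "-p": "proto",   # one-value options
          "--dport": "dport", "--uid-owner": "uid", "--to-ports": "to_port"}

def parse_rule(tokens):
    """One iptables-restore rule line -> dict of match criteria, chain and target."""
    rule = {"family": None, "chain": None, "target": None, "to_port": None}
    it = iter(tokens)
    for t in it:
        if t in ("--ipv4", "--ipv6"):
            rule["family"] = int(t[-1])
        elif t in SINGLE:
            val = next(it)
            rule[SINGLE[t]] = int(val) if SINGLE[t] in ("dport", "to_port") else val
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(next(it), strict=False)
        elif t in ("--tcp-flags", "--ctstate"):
            # "--tcp-flags FIN,SYN,RST,ACK SYN" means SYN-only; "--ctstate RELATED,ESTABLISHED"
            for _ in range(2 if t == "--tcp-flags" else 1):
                next(it)
            rule["syn_only" if t == "--tcp-flags" else "established"] = True
        elif t in ("-m", "--reject-with"):  # module names and reject types do not affect matching
            next(it)
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule

def load_rules(text):
    """iptables-restore text -> ({table: {chain: [rules]}}, {table: {chain: policy}})."""
    rules, policies, table = {}, {}, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("*"):
            table = line[1:]
            rules[table], policies[table] = {}, {}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line != "COMMIT":
            rule = parse_rule(shlex.split(line))
            rules[table].setdefault(rule["chain"], []).append(rule)
    return rules, policies

RULES, POLICIES = load_rules(RULES_TEXT)

def matches(rule, pkt):
    """True if every criterion in the rule applies to the packet."""
    dst = ipaddress.ip_address(pkt.dst)
    return (rule["family"] in (None, dst.version)
            and ("dst" not in rule or (rule["dst"].version == dst.version and dst in rule["dst"]))
            and (not rule.get("syn_only") or (pkt.proto == "tcp" and pkt.syn))
            and (not rule.get("established") or pkt.established)
            and all(rule[k] == getattr(pkt, k) for k in ("out_iface", "proto", "dport", "uid") if k in rule))

def verdict(pkt):
    """'REDIRECT:<port>' (handed to Tor), 'ACCEPT' (leaves directly) or 'REJECT'/'DROP'."""
    nat_hit = next((r for r in RULES["nat"]["OUTPUT"] if matches(r, pkt)), None)
    to_port = None
    if nat_hit is not None and nat_hit["target"] == "REDIRECT":
        # REDIRECT points the packet at the loopback address, so the filter
        # table then sees a packet to 127.0.0.1 or ::1 and accepts it.
        to_port = nat_hit["to_port"]
        loop = "127.0.0.1" if ipaddress.ip_address(pkt.dst).version == 4 else "::1"
        pkt = pkt._replace(dst=loop, dport=to_port, out_iface="lo")
    hit = next((r for r in RULES["filter"]["OUTPUT"] if matches(r, pkt)), None)
    decision = hit["target"] if hit is not None else POLICIES["filter"]["OUTPUT"]
    return decision if decision != "ACCEPT" else (f"REDIRECT:{to_port}" if to_port else "ACCEPT")
```

For instance {{ic|verdict(Packet("8.8.8.8", "udp", 123))}} returns {{ic|REJECT}}, showing that a non-DNS UDP packet (such as NTP) is blocked rather than leaked, while a TCP SYN from an ordinary user is reported as {{ic|REDIRECT:9040}}.<br />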
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the User value, which most likely means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by tor. They can be found with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still does not start, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user. For this purpose change the user and group ownership of {{ic|/var/lib/tor}} to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352235Tor2014-12-24T01:10:59Z<p>Usprey: /* Running Tor in a systemd container with virtual network interface */</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot in /opt/torchroot with only what the tor binary needs.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Name resolution, time zone and Tor configuration files<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# The tor binary, its GeoIP data, the NSS/resolver libraries and every library tor links against<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group are known inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs (randomness and /dev/null)<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
# The link target must be a path that is valid inside the chroot, not on the host<br />
ln -s /usr/lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd container with virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
In this example the container will reside in {{ic|/srv/container}}.<br />
{{ic|# mkdir /srv/container/tor-exit}}<br />
<br />
{{ic|# pacman -S arch-install-scripts}}<br />
<br />
{{ic|# pacstrap -i -c -d /srv/container/tor-exit base tor arm}}<br />
<br />
{{ic|# mkdir -p -v /var/lib/container}}<br />
<br />
{{ic|# ln -s /srv/container/tor-exit /var/lib/container/tor-exit}}<br />
<br />
{{ic|# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d}}<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}}<br />
<br />
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Setup [[systemd-networkd]] according to your network inside the container in {{ic|/srv/container/tor-exit/etc/systemd/network}}.<br />
<br />
{{ic|# systemctl enable systemd-nspawn@tor-exit.service}}<br />
{{ic|# systemctl start systemd-nspawn@tor-exit.service}}<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}}<br />
{{ic|# machinectl login tor-exit}}<br />
<br />
{{ic|# systemctl enable systemd-networkd}}<br />
{{ic|# systemctl start systemd-networkd}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use a SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL also does not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration for setting up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it must be run through a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|# ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor properly reduces its privileges after binding.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} sends log output to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} serves the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available"; see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
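The {{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} line above has to be derived from the relay's own address and netmask. The following is an added example (not from this wiki page) that builds it from {{ic|ip addr}} output; it also emits a {{ic|reject6}} line for global IPv6 addresses, which the page does not cover. {{ic|IP_ADDR_OUTPUT}} is a constructed sample using documentation addresses.<br />
<br />
```python
"""Generate the ExitPolicy reject line(s) for the relay's own network from
`ip addr` output, filling the XXX.XXX.XXX.XXX/XX placeholder in the torrc.
Added example, not from the ArchWiki page; IP_ADDR_OUTPUT is a constructed
sample using RFC 5737 / RFC 3849 documentation addresses."""
import ipaddress
import re

IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 203.0.113.37/27 brd 203.0.113.63 scope global eth0
    inet6 2001:db8:1:2::37/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""

# "inet[6] <addr>/<prefix> ... scope <scope> ..." lines, one per address
ADDR_RE = re.compile(r"^\s*inet6? (\S+)\s.*\bscope (\S+)", re.M)


def global_networks(ip_addr_output):
    """On-link networks of every globally scoped address. Loopback and
    link-local addresses carry scope host/link and are skipped."""
    return [
        ipaddress.ip_interface(cidr).network
        for cidr, scope in ADDR_RE.findall(ip_addr_output)
        if scope == "global"
    ]


def exit_policy_lines(ip_addr_output):
    """One `ExitPolicy reject` (IPv4) or `reject6` (IPv6) line per network.
    Tor appends its default exit policy after these, so the standard
    rejects still apply ("in addition to std. exit policy")."""
    lines = []
    for net in global_networks(ip_addr_output):
        if net.version == 4:
            lines.append(f"ExitPolicy reject {net.with_prefixlen}:*")
        else:
            # IPv6 addresses must be bracketed in Tor exit policies
            lines.append(f"ExitPolicy reject6 [{net.network_address}]/{net.prefixlen}:*")
    return lines


if __name__ == "__main__":
    # On a real relay: exit_policy_lines(subprocess.check_output(["ip", "addr"], text=True))
    print("\n".join(exit_policy_lines(IP_ADDR_OUTPUT)))
```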
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
To watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Instead of a [[Simple_stateful_firewall]], where connection tracking would have to track thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allows packets of already established incoming TCP connections (those accepted by the rules below) and of TCP connections initiated from the exit node; without connection tracking only the initial SYN packet can be filtered.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP because we do not use connection tracking, so replies to the relay's own UDP queries (such as DNS) cannot be matched as established.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port; it also prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, so UDP packets other than DNS cannot be sent through Tor and must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
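The note above says that {{ic|iptables-restore}} and {{ic|ip6tables-restore}} each ignore rules prefixed with the other family's {{ic|--ipv4}}/{{ic|--ipv6}} flag. The following added example (not ArchWiki code) parses the shared rules file the way each tool sees it and reports the leak properties the section describes: which traffic is redirected to the TransPort and DNSPort, what bypasses Tor, and whether everything else is rejected. {{ic|RULES}} is a constructed abridgement of the file above containing only the OUTPUT chains.<br />
<br />
```python
"""Split a shared iptables-restore file into what iptables-restore and
ip6tables-restore each actually load and summarise the torification rules.
Added example, not from the ArchWiki page; RULES is a constructed
abridgement (OUTPUT chains only) of the transparent torification file."""
import shlex

RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT

*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""


def load(text, family):
    """Parse iptables-restore syntax for one family ('ipv4' or 'ipv6').
    Returns {table: {"policy": {chain: policy}, "rules": [token lists]}};
    a rule prefixed --ipv4/--ipv6 is dropped when it is for the other family."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *nat
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        else:
            tokens = shlex.split(line)           # handles --uid-owner "tor"
            if tokens[0] in ("--ipv4", "--ipv6"):
                if tokens[0] != "--" + family:
                    continue                     # other family: ip*tables-restore ignores it
                tokens = tokens[1:]
            table["rules"].append(tokens)
    return tables


def opt(tokens, flag):
    """Value following `flag` in a rule, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def chain_rules(tables, table, chain):
    return [r for r in tables[table]["rules"] if opt(r, "-A") == chain]


def torification_report(text, family):
    """Summarise the OUTPUT path for one family: what nat redirects to Tor,
    what it lets bypass Tor (RETURN), what filter still accepts, and whether
    every remaining packet ends in REJECT on top of the DROP policy."""
    t = load(text, family)
    nat_out = chain_rules(t, "nat", "OUTPUT")
    flt_out = chain_rules(t, "filter", "OUTPUT")
    redirects = {opt(r, "-p"): opt(r, "--to-ports")
                 for r in nat_out if opt(r, "-j") == "REDIRECT"}
    last = flt_out[-1] if flt_out else []
    return {
        "trans_port": redirects.get("tcp"),      # new TCP connections -> TransPort
        "dns_port": redirects.get("udp"),        # UDP/53 -> DNSPort
        "nat_bypass": [" ".join(r[2:]) for r in nat_out if opt(r, "-j") == "RETURN"],
        "filter_accepts": [" ".join(r[2:]) for r in flt_out if opt(r, "-j") == "ACCEPT"],
        "default_reject": opt(last, "-j") == "REJECT"
                          and t["filter"]["policy"].get("OUTPUT") == "DROP",
    }


if __name__ == "__main__":
    for fam in ("ipv4", "ipv6"):
        print(fam, torification_report(RULES, fam))
```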
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or, to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still does not start, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then drop to the tor user. For this to work, make {{ic|/var/lib/tor}} owned by the tor user and group and writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352234Tor2014-12-24T01:10:19Z<p>Usprey: /* Running Tor in a systemd container */ preliminary</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}} so that it drops privileges after binding them.<br />
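The torrc/tor.service conflicts listed under Configuration and the privileged-port rule above can be checked mechanically. The following is an added example (not ArchWiki code) that parses a torrc and the effective {{ic|[Service]}} settings of {{ic|tor.service}} plus its drop-ins and reports every mismatch; {{ic|TORRC}}, {{ic|UNIT}} and the drop-in text are constructed samples.<br />
<br />
```python
"""Check a torrc against the effective [Service] settings of tor.service
(main unit plus drop-ins) for the conflicts the wiki describes:
RunAsDaemon vs Type=simple, 'User tor' vs User=root, and privileged
ORPort/DirPort or DisableAllSwap needing root. Added example, not from the
ArchWiki page; TORRC and UNIT are constructed samples."""
import configparser

TORRC = """\
# constructed sample: relay on privileged ports, dropping to the tor user
RunAsDaemon 0
ORPort 443 ## needs root to bind
DirPort 80
DisableAllSwap 1
User tor
"""

UNIT = """\
[Service]
Type=simple
User=tor
ExecStart=/usr/bin/tor -f /etc/tor/torrc
"""


def parse_torrc(text):
    """torrc is 'Key value' per line and '#' starts a comment. Keys may
    repeat (ORPort, ExitPolicy, ...), so every value is kept in a list."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts


def service_settings(*unit_texts):
    """Merge the [Service] sections of a unit and its drop-ins; for a
    single-valued key such as User= the last file wins, as in systemd."""
    merged = {}
    for text in unit_texts:
        cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                       interpolation=None)
        cp.optionxform = str                  # systemd keys are case-sensitive
        cp.read_string(text)
        if cp.has_section("Service"):
            merged.update(cp["Service"])
    return merged


def port_of(value):
    """ORPort/DirPort values look like '443', '0.0.0.0:443', '[::]:443'
    or '443 NoListen'; returns the port number or None (e.g. 'auto')."""
    parts = value.split()
    if not parts:
        return None
    port = parts[0].rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def conflicts(torrc, service):
    """Return the list of problems; an empty list means the files agree."""
    problems = []
    runs_as_root = service.get("User", "root") == "root"   # no User= means root
    if torrc.get("RunAsDaemon", ["0"])[-1] != "0" and service.get("Type", "simple") == "simple":
        problems.append("RunAsDaemon must be 0 when tor.service uses Type=simple")
    if "User" in torrc and not runs_as_root:
        problems.append("'User' is set in torrc but tor.service does not start Tor as root")
    needs_root = [k for k in ("ORPort", "DirPort")
                  for v in torrc.get(k, [])
                  if port_of(v) is not None and port_of(v) < 1024]
    if torrc.get("DisableAllSwap", ["0"])[-1] == "1":
        needs_root.append("DisableAllSwap")
    if needs_root and not runs_as_root:
        problems.append(f"{', '.join(needs_root)} require User=root in tor.service")
    if needs_root and runs_as_root and "User" not in torrc:
        problems.append("Tor starts as root but torrc has no 'User tor' to drop privileges")
    return problems


if __name__ == "__main__":
    for p in conflicts(parse_torrc(TORRC), service_settings(UNIT)):
        print("conflict:", p)
```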
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot; run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
# Directory skeleton<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Inside the chroot /lib resolves to $TORCHROOT/usr/lib, mirroring the host layout<br />
ln -s /usr/lib $TORCHROOT/lib<br />
# Name resolution, time zone and the Tor configuration<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# The tor binary, its GeoIP data, the NSS/resolver libraries and every library ldd reports<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
# Tor's data directory, owned by the tor user<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs: the entropy sources and /dev/null<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
# 64-bit hosts also need the dynamic loader and a lib64 path<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    ln -sr /usr/lib64 $TORCHROOT/lib64<br />
    ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Running Tor in a systemd container with virtual network interface ==<br />
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.<br />
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.<br />
<br />
In this example the container will reside in {{ic|/srv/container}}.<br />
{{ic|# mkdir /srv/container/tor-exit}}<br />
<br />
{{ic|# pacman -S arch-install-scripts}}<br />
<br />
{{ic|# pacstrap -i -c -d /srv/container/tor-exit base tor arm}}<br />
<br />
{{ic|# mkdir -p -v /var/lib/container}}<br />
<br />
{{ic|# ln -s /srv/container/tor-exit /var/lib/container/tor-exit}}<br />
<br />
{{ic|# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d}}<br />
<br />
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|--network-macvlan=$INTERFACE --private-network}}<br />
<br />
{{ic|LimitNOFILE=32768}} per [[Tor#Raise_maximum_number_of_open_file_descriptors]].<br />
<br />
Set up [[systemd-networkd]] according to your network inside the container in {{ic|/srv/container/tor-exit/etc/systemd/network}}.<br />
<br />
{{ic|# systemctl enable systemd-nspawn@tor-exit.service}}<br />
{{ic|# systemctl start systemd-nspawn@tor-exit.service}}<br />
<br />
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}}<br />
{{ic|# machinectl login tor-exit}}<br />
<br />
{{ic|# systemctl enable systemd-networkd}}<br />
{{ic|# systemctl start systemd-networkd}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method, though, is that applications doing DNS resolution by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed: Tor's daemon, which listens on port 9050 by default, can be used directly.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} address directly. Tor connections also require identifying to NickServ with SASL (the mechanism provided by charybdis and ircd-seven) during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done over the Tor network. Though relatively extreme, this measure prevents an adversary (most likely on your LAN or at the mirror) from learning a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered on the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , make your torrc just these four lines (binding port 443 requires starting the service as root; see the troubleshooting note below):<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman (non-exit) relay, reject all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor rejects certain ports (see the default exit policy in {{ic|man tor}}). You can override this in torrc by accepting them explicitly; your own lines are evaluated before the default policy:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
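The following Python script is an example added to this section, not code from the wiki or from the Tor project; it evaluates exit policies the way a relay does, so a policy can be checked before it is deployed. It handles the three lines above and any combination of them, as well as the {{ic|reject XXX.XXX.XXX.XXX/XX:*}} line used in the fast exit relay example below. Assumed, and not stated on this page: rules are evaluated first-match, {{ic|ExitPolicyRejectPrivate}} (on by default) prepends rejects for private networks and the relay's own public address, and Tor appends the default policy listed in the Tor manual after your own lines. IPv4 only.<br />

```python
"""Evaluate Tor ExitPolicy lines the way a relay does.

Example added to this article; it is not code from the wiki or from Tor.
Assumptions not stated on the page: first-match evaluation, the private
network rejects that ExitPolicyRejectPrivate (default on) prepends, and the
default policy from the Tor manual appended after the operator's lines.
IPv4 only.
"""
import ipaddress

# Default policy Tor appends after your own ExitPolicy lines (Tor manual, 0.2.x).
DEFAULT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)

# Networks rejected up front when ExitPolicyRejectPrivate is 1.
PRIVATE_NETS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.168.0.0/16"]


def parse_policy(text):
    """Parse 'accept *:80,reject 203.0.113.0/24:*' into (action, net, lo, hi, text)."""
    rules = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        action, target = item.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError("unknown action: " + action)
        addr, ports = target.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action, net, lo, hi, item))
    return rules


def build_policy(operator_lines, public_ip=None, reject_private=True):
    """Assemble the full policy: private rejects, the operator's lines, then the default."""
    rules = []
    if reject_private:
        for net in PRIVATE_NETS + ([public_ip] if public_ip else []):
            rules.append(("reject", ipaddress.ip_network(net), 1, 65535,
                          "reject %s:* (ExitPolicyRejectPrivate)" % net))
    for line in operator_lines:
        rules.extend(parse_policy(line))
    rules.extend(parse_policy(DEFAULT_POLICY))
    return rules


def decide(rules, dest_ip, dest_port):
    """Return (allowed, text of the first matching rule)."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi, text in rules:
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept", text
    return False, "no rule matched"   # unreachable: the default policy ends with accept *:*


def exit_allowed(rules, dest_ip, dest_port):
    return decide(rules, dest_ip, dest_port)[0]


if __name__ == "__main__":
    # Constructed destinations checked against the torrc lines shown above.
    for lines, ip, port in [
        (["accept *:6660-6667,reject *:*"], "198.51.100.7", 80),
        (["accept *:119"], "198.51.100.7", 119),
        (["accept *:*"], "198.51.100.7", 25),
        (["reject 203.0.113.0/24:*"], "203.0.113.55", 443),
    ]:
        allowed, why = decide(build_policy(lines, public_ip="203.0.113.10"), ip, port)
        print(lines, ip, port, "->", "accept" if allowed else "reject", "by", why)
```

Note that {{ic|accept *:*}} as the first line makes the default rejections unreachable, which is why the manual's "allow all" example really does allow SMTP and the BitTorrent ports.<br />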
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration for setting up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
The limits in {{ic|/etc/security/limits.conf}} are applied by pam_limits to PAM sessions (e.g. {{ic|sudo -u tor}}), not to {{ic|tor.service}}, which takes its limit from {{ic|LimitNOFILE}} above. If you also start Tor from such a session, append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit has actually been raised: for the running service with {{ic|# grep 'Max open files' /proc/$(pidof tor)/limits}}, and for a session as the tor user with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it has to be run inside a shell).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Set the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops to the unprivileged user once the ports are bound; without it the whole daemon keeps running as root.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges after binding.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} logs to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with {{ic|# ip addr}}, so exit connections cannot reach the host or its neighbours' public IPs and circumvent their firewalls. Tor already rejects private networks and the relay's own public address ({{ic|ExitPolicyRejectPrivate}} is on by default); the netmask extends this to the surrounding subnet.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep -m1 aes /proc/cpuinfo</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration]. Note that Tor already detects and uses AES-NI through OpenSSL's EVP interface without this option; {{ic|HardwareAccel 1}} additionally loads OpenSSL engines, which matters for accelerators only reachable that way.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} is specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Instead of a [[Simple_stateful_firewall]], where connection tracking would have to track thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts every TCP segment that is not a connection-opening SYN, i.e. packets of connections already accepted by the rules below and replies to connections the exit node opened itself. Without connection tracking this is the only way to let such packets back in.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} accepts all incoming UDP, because without connection tracking the replies to the relay's own DNS queries cannot be told apart from unsolicited datagrams.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allow [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allow incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allow incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the name via the Tor network. A downside is that it only answers address lookups (A records, plus PTR for reverse lookups); MX, NS and other record types are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
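As an added example (not code from the wiki, from Tor or from {{ic|tor-resolve}}), the following Python script builds a raw DNS query, sends it to the DNSPort and decodes the reply, which lets you see for yourself which record types Tor answers and with what response code. It assumes {{ic|DNSPort 9053}} on 127.0.0.1 as configured above. The {{ic|build_response}} helper only constructs replies for offline testing; the NOTIMP code it uses for the MX case is an assumption, since this page only says such queries are never answered.<br />

```python
"""Probe Tor's DNSPort with hand-built DNS queries.

Example added to this article; not code from the wiki or from Tor.
Assumes DNSPort 9053 on 127.0.0.1 as in the torrc above. build_response()
fabricates replies for offline tests only; real answers come from the DNSPort.
"""
import socket
import struct
import sys

QTYPE = {"A": 1, "NS": 2, "PTR": 12, "MX": 15, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype="A", txid=0x1234):
    """Standard query with recursion desired and a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Return (rcode name, list of IPv4 addresses from A records in the answer section)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODE.get(flags & 0x000F, str(flags & 0x000F))
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def build_response(query, addrs, rcode=0):
    """Constructed reply to `query` for offline testing (not what Tor sends)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + answers


def resolve_via_tor(name, qtype="A", server=("127.0.0.1", 9053), timeout=10.0):
    """Send one query to the DNSPort over UDP and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), server)
        data, _ = s.recvfrom(512)
    return parse_response(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "archlinux.org"
    for qtype in ("A", "MX"):           # A is answered; MX shows how Tor refuses
        print(qtype, resolve_via_tor(host, qtype))
```

Run it against a Tor with {{ic|DNSPort 9053}} to compare the A and MX replies; the script deliberately uses no resolver library, so nothing in it can fall back to the system resolver.<br />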
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
For this alternative, keep Tor listening for DNS requests on port 9053 (the {{ic|DNSPort 9053}} line above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer, and use TorDNS as its sole upstream. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to stop it from overwriting the resolver configuration. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Depending on the wrapper torify finds, DNS lookups may ''not'' go through the Tor network: the legacy tsocks fallback leaks them to the local resolver, while torsocks resolves hostnames through Tor's SOCKS port. If in doubt, resolve the name with {{ic|<nowiki>tor-resolve</nowiki>}} (described above) and pass the IP address instead. For the first of the above examples the procedure then looks like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Rules prefixed with {{ic|--ipv4}} or {{ic|--ipv6}} are protocol specific: {{ic|iptables-restore}} and {{ic|ip6tables-restore}} each skip the rules marked for the other protocol, so both can load the same file.<br />
* {{ic|ip6tables}} does not accept the IPv4 {{ic|--reject-with}} types used here (it has its own {{ic|icmp6-*}} types), so the IPv6 rules use a plain {{ic|REJECT}}.<br />
<br />
The ports in the rules must match your torrc, so make sure it contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start iptables and ip6tables:<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} (together with matching {{ic|1=After=}} lines, since {{ic|1=Requires=}} alone does not order the units) to whatever systemd unit logs your user in (most likely a [[display manager]]), so that no user process is started before the firewall is up. See [[systemd]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run it in the foreground as root (or with sudo), with the same torrc the service uses, to see the error:<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the service still fails to start, run it as root and let Tor drop to the tor user itself. Make sure {{ic|/etc/tor/torrc}} contains:<br />
<br />
User tor<br />
<br />
Then override the service user in a drop-in rather than editing {{ic|/usr/lib/systemd/system/tor.service}} (which pacman overwrites on upgrade):<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
Tor switches to the tor user after start-up, so its data directory must be owned by tor. Tor also resets its {{ic|DataDirectory}} to mode {{ic|700}} if it is more permissive, so set that directly:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod 700 /var/lib/tor<br />
<br />
Now reload systemd and start the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352231Tor2014-12-24T00:42:17Z<p>Usprey: added systemd container section</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot. Run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Symlink targets are paths as seen from inside the chroot (Arch layout: /lib -> usr/lib)<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver libraries are loaded at runtime and do not appear in ldd output<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Every shared library tor is linked against<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never '^tor:' /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never '^tor:' /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
# The ELF interpreter is looked up as /lib64/ld-linux-x86-64.so.2 inside the chroot,<br />
# so both lib64 paths must resolve to the chroot's /usr/lib, not to a host path<br />
ln -s /usr/lib $TORCHROOT/lib64<br />
ln -s /usr/lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in file:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
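A check worth running before launching Tor in the chroot: the script above copies whatever {{ic|ldd}} lists, but a library it missed only shows up later as a loader error. The following Python script is an added example, not part of this page or of Tor; it parses {{ic|ldd}} output (run on the host) and reports the libraries absent from the chroot, assuming the layout the script creates (libraries copied to {{ic|/usr/lib}} inside the chroot, with {{ic|/lib}} linked to it). The {{ic|ldd}} output embedded in it is a constructed sample, not a capture.<br />
<br />
```python
"""Report shared libraries that a binary needs but the chroot does not contain.

Added example for the torchroot script above; it is not part of the Arch wiki
page or of Tor.  It parses the output of ``ldd`` run on the host and checks
each library against the chroot, assuming the layout the script creates
(libraries copied to <chroot>/usr/lib, with <chroot>/lib linked to it).
"""
import os
import re
import subprocess

# "libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x...)" and the loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)".  vdso and "not found" lines carry no path.
_ARROW = re.compile(r"^\s*\S+\s+=>\s+(?P<path>/\S+)\s+\(0x[0-9a-f]+\)\s*$")
_BARE = re.compile(r"^\s*(?P<path>/\S+)\s+\(0x[0-9a-f]+\)\s*$")


def ldd_paths(ldd_output):
    """Return the absolute library paths named in ldd output, in order."""
    paths = []
    for line in ldd_output.splitlines():
        m = _ARROW.match(line) or _BARE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def missing_in_chroot(host_paths, chroot, present=None):
    """Return the host library paths with no counterpart inside *chroot*.

    A library counts as present if either its original path or
    /usr/lib/<basename> exists under the chroot.  *present* may be a set of
    chroot-relative paths standing in for the real filesystem (used to test
    this without building a chroot).
    """
    def exists(rel):
        if present is not None:
            return rel in present
        return os.path.exists(os.path.join(chroot, rel.lstrip("/")))

    return [p for p in host_paths
            if not exists(p) and not exists("/usr/lib/" + os.path.basename(p))]


def check_binary(binary="/usr/bin/tor", chroot="/opt/torchroot"):
    """Run ldd on the host copy of *binary* and list what *chroot* lacks."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    return missing_in_chroot(ldd_paths(out), chroot)


# Constructed sample of ldd output (not captured from a real system).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2f1fe000)
\tlibz.so.1 => /usr/lib/libz.so.1 (0x00007f3c1b2a0000)
\tlibssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f3c1b030000)
\tlibevent-2.0.so.5 => /usr/lib/libevent-2.0.so.5 (0x00007f3c1ade0000)
\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f3c1aa30000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3c1b4c0000)
"""

if __name__ == "__main__":
    for lib in check_binary():
        print("missing from chroot:", lib)
```
<br />
Run it as root after the setup script; an empty result means every library {{ic|ldd}} reports is reachable inside the chroot. A "not found" line in {{ic|ldd}} output is deliberately ignored, since that means the host itself lacks the library and copying cannot fix it.<br />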
<br />
== Running Tor in a systemd container ==<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy instead of resolving them locally.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend connecting to Tor's SOCKS5 port directly, since browsers support SOCKS5 natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] is running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications such as messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications which perform DNS resolution themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, so that the hostname is resolved by Tor.<br />
<br />
== Instant messaging ==<br />
<br />
An IM client does not need an HTTP proxy like [[polipo]]/[[privoxy]] to use Tor: it can talk to Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
As recommended at https://www.torproject.org/docs/bridges, reduce your torrc to just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay (no exit traffic), also add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
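Tor evaluates an ExitPolicy top to bottom: the first entry matching the destination address and port decides, and the default policy is appended after your own entries, which is why {{ic|accept *:119}} alone re-opens NNTP while leaving the other default rejects in place. The following Python script is an added example (not code from this page or from Tor) that reproduces that evaluation so a policy can be checked before the relay goes live. Its {{ic|DEFAULT_EXIT_POLICY}} string is copied from the tor manual and is assumed to match the installed version; compare it with {{ic|man torrc}}. Only IPv4 entries are handled.<br />
<br />
```python
"""Evaluate a Tor ExitPolicy the way Tor does: first matching entry wins.

Added example for the exit-node configuration above; not code from the Arch
wiki page or from Tor.  Entries have the form "accept|reject ADDR[/MASK]:PORT"
where ADDR may be "*" (IPv4 only here) and PORT is "*", one port or "LO-HI".
"""
import ipaddress

# Tor's default exit policy as listed in the tor manual; it is appended after
# the operator's own entries.  Assumed unchanged on the installed version
# (compare with `man torrc`); ExitPolicyRejectPrivate is not modelled.
DEFAULT_EXIT_POLICY = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
    "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
    "reject *:6881-6999, accept *:*"
)


def _parse_entry(entry):
    """'accept *:6660-6667' -> (True, None, 6660, 6667)."""
    action, pattern = entry.split(None, 1)
    if action not in ("accept", "reject"):
        raise ValueError(f"bad exit policy entry: {entry!r}")
    addr, _, port = pattern.rpartition(":") if ":" in pattern else (pattern, "", "*")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return action == "accept", net, lo, hi


def parse_policy(text):
    """Parse one or more torrc ExitPolicy lines (comments allowed) into rule tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop the trailing "# ..." comment
        if line.lower().startswith("exitpolicy"):
            line = line[len("exitpolicy"):]
        rules.extend(_parse_entry(e.strip()) for e in line.split(",") if e.strip())
    return rules


def exit_allowed(policy, dest_ip, port, append_default=True):
    """True if this relay would let a circuit exit to dest_ip:port."""
    rules = parse_policy(policy)
    if append_default:
        rules += parse_policy(DEFAULT_EXIT_POLICY)
    ip = ipaddress.ip_address(dest_ip)
    for accept, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return accept
    return False  # only reached when the default policy (ending in accept *:*) is left off


if __name__ == "__main__":
    policy = "ExitPolicy accept *:6660-6667,reject *:*  # Allow irc ports but no more"
    for port in (6667, 80):
        print(port, "allowed" if exit_allowed(policy, "203.0.113.5", port) else "rejected")
```
<br />
Feeding it the three policies above gives the behaviour the text describes: {{ic|accept *:*}} lets everything out including port 25, the IRC-only policy rejects port 80, and {{ic|accept *:119}} allows NNTP while port 25 is still rejected by the appended default.<br />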
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} (the builtin must be run inside a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|# ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops back to the unprivileged user afterwards.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges once the ports are bound.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the public IPs of the host or its neighbouring machines and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
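Working out the {{ic|ExitPolicy reject}} entry by hand from {{ic|ip addr}} is error-prone on a host with several addresses. The following Python script is an added example (not code from this page or from Tor) that parses the output of {{ic|ip -4 addr}}, assuming its usual {{ic|inet A.B.C.D/NN ... scope global}} line format, and prints one reject line per globally scoped subnet so the whole neighbourhood of the relay is covered. The {{ic|ip addr}} output embedded in it is a constructed sample.<br />
<br />
```python
"""Derive the "ExitPolicy reject <net>:*" lines for a relay's own networks.

Added example for the torrc explanation above; not code from the Arch wiki
page or from Tor.  It reads `ip -4 addr` output (assumed format:
"inet A.B.C.D/NN ... scope global ...") and turns every globally scoped
IPv4 address into a reject entry for its whole subnet, so exit traffic can
reach neither the host itself nor its neighbours.
"""
import ipaddress
import re
import subprocess

_INET = re.compile(r"^\s*inet\s+(\S+/\d+)\s.*\bscope\s+(\S+)")


def own_networks(ip_addr_output):
    """Return the IPv4 networks of all 'scope global' addresses, deduplicated, in order."""
    nets = []
    for line in ip_addr_output.splitlines():
        m = _INET.match(line)
        if m and m.group(2) == "global":
            net = ipaddress.ip_interface(m.group(1)).network  # host bits masked off
            if net not in nets:
                nets.append(net)
    return nets


def reject_lines(ip_addr_output):
    """Return the torrc lines to add, one per network."""
    return [f"ExitPolicy reject {net}:*" for net in own_networks(ip_addr_output)]


def reject_lines_from_system():
    """Same, but for the running host (requires iproute2's `ip`)."""
    out = subprocess.run(["ip", "-4", "addr"], capture_output=True, text=True, check=True).stdout
    return reject_lines(out)


# Constructed sample of `ip -4 addr` output (not captured from a real host).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 203.0.113.9/24 brd 203.0.113.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    print("\n".join(reject_lines_from_system()))
```
<br />
Loopback and other non-global addresses are skipped, and two addresses in the same subnet (as in the sample) produce a single line. Review the output before pasting it into {{ic|/etc/tor/torrc}}; on a host with private addresses, Tor's own {{ic|ExitPolicyRejectPrivate}} default already covers those ranges.<br />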
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Instead of a [[Simple_stateful_firewall]], where connection tracking would have to follow thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allows incoming TCP packets that are not connection requests, i.e. packets of connections already accepted by the rules below and of connections the exit node itself opened.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP packets, because without connection tracking replies cannot be told apart from unsolicited traffic.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not overwrite the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
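The effect of this rule set is easiest to see by tracing individual packets through it. The following Python script is an added example, not code from this page, from Tor or from iptables; it parses the two OUTPUT chains of the file above (IPv4 view, {{ic|--ipv6}} rules skipped) and reports, for a constructed packet, whether it is redirected to Tor's TransPort or DNSPort, sent directly (only loopback, the {{ic|192.168.0.0/16}} exception and the {{ic|tor}} user itself) or blocked, which is what happens to every other UDP packet. It understands only the matches that occur in this file.<br />
<br />
```python
"""Trace one locally generated packet through the transparent-torification rules.

Added example, not code from the Arch wiki page, Tor or iptables.  Parses an
iptables-restore file (IPv4 view: "--ipv6" rules are skipped), walks nat OUTPUT
and then filter OUTPUT the way the kernel does for a new packet from this host,
and reports "tor:<port>", "direct" or "blocked".  Only the matches used above
are understood.
"""
import ipaddress
import shlex


def _parse_rule(toks):
    """Turn the tokens of one "-A CHAIN ..." line into (chain, rule)."""
    rule, chain, i, negate = {"matches": [], "target": None, "to_port": None}, None, 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":  # "!" negates the option that follows it
            negate, i = True, i + 1
            continue
        if t == "-A":
            chain = toks[i + 1]
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t == "--to-ports":
            rule["to_port"] = int(toks[i + 1])
        elif t == "--tcp-flags":  # "FIN,SYN,RST,ACK SYN" selects a connection's first SYN
            rule["matches"].append(("syn", toks[i + 2] == "SYN", negate))
            i += 1
        elif t in ("-i", "-o", "-d", "-p", "--dport", "--uid-owner", "--ctstate"):
            rule["matches"].append((t, toks[i + 1], negate))
        elif t not in ("-m", "--reject-with"):  # module loads and reject type do not change the verdict
            raise ValueError(f"unsupported option {t!r}")
        negate, i = False, i + 2
    return chain, rule


def parse_rules(text):
    """Return ({(table, chain): [rule, ...]}, {(table, chain): policy})."""
    rules, policies, table = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        else:
            toks = shlex.split(line)  # also strips the quotes in --uid-owner "tor"
            if toks[0] != "--ipv6":
                chain, rule = _parse_rule(toks[1:] if toks[0] == "--ipv4" else toks)
                rules.setdefault((table, chain), []).append(rule)
    return rules, policies


def _matches(rule, pkt):
    ip = ipaddress.ip_address(pkt["dst"])
    tests = {"-i": lambda v: pkt["iface"] == v, "-o": lambda v: pkt["iface"] == v,
             "-d": lambda v: ip in ipaddress.ip_network(v, strict=False),
             "-p": lambda v: pkt["proto"] == v, "--dport": lambda v: pkt["dport"] == int(v),
             "--uid-owner": lambda v: pkt["user"] == v,
             "--ctstate": lambda v: pkt["established"] and "ESTABLISHED" in v.split(","),
             "syn": lambda v: pkt["proto"] == "tcp" and pkt["syn"] == v}
    return all(bool(tests[k](v)) != neg for k, v, neg in rule["matches"])


def _verdict(rules, policies, table, chain, pkt):
    hit = next((r for r in rules.get((table, chain), []) if _matches(r, pkt)), None)
    return hit or {"target": policies[(table, chain)], "to_port": None}  # chain policy applies


def classify(text, pkt):
    """Return 'tor:<port>', 'direct' or 'blocked' for a new, locally generated packet."""
    rules, policies = parse_rules(text)
    pkt = dict(pkt)
    hit = _verdict(rules, policies, "nat", "OUTPUT", pkt)
    to_port = hit["to_port"] if hit["target"] == "REDIRECT" else None
    if to_port:  # REDIRECT points locally generated traffic at the loopback address
        pkt["dst"], pkt["iface"] = "127.0.0.1", "lo"
    if _verdict(rules, policies, "filter", "OUTPUT", pkt)["target"] != "ACCEPT":
        return "blocked"
    return f"tor:{to_port}" if to_port else "direct"


def packet(user, proto, dst, dport, iface="eth0"):
    # Constructed description of the first packet of a new connection (not a capture).
    return {"user": user, "proto": proto, "dst": dst, "dport": dport,
            "iface": iface, "syn": proto == "tcp", "established": False}


# OUTPUT chains copied from the rule set above; INPUT and PREROUTING do not
# affect traffic the host itself originates, so they are omitted here.
RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""
```
<br />
With the constructed packets in the tests, a user's TCP connection to a public address becomes {{ic|tor:9040}}, a UDP DNS query becomes {{ic|tor:5353}}, a UDP packet to port 123 (NTP) is blocked, and only the {{ic|tor}} user, loopback and {{ic|192.168.0.0/16}} go out directly. The same functions can be pointed at the real {{ic|/etc/iptables/iptables.rules}} to confirm a local edit did not open a direct path.<br />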
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will then switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will still run as the tor user once Tor has dropped its privileges, so change the owner and group of its state directory to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352229Tor2014-12-24T00:39:43Z<p>Usprey: /* iptables */</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}, so that it drops privileges to the tor user once the ports are bound.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Builds a minimal chroot for Tor under /opt/torchroot; run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"<br />
mkdir -p "$TORCHROOT"/etc/tor<br />
mkdir -p "$TORCHROOT"/dev<br />
mkdir -p "$TORCHROOT"/usr/bin<br />
mkdir -p "$TORCHROOT"/usr/lib<br />
mkdir -p "$TORCHROOT"/usr/share/tor<br />
mkdir -p "$TORCHROOT"/var/lib<br />
<br />
# Relative link, so /lib resolves to the chroot's own /usr/lib both on the host and inside the chroot<br />
ln -sfn usr/lib "$TORCHROOT"/lib<br />
cp /etc/hosts "$TORCHROOT"/etc/<br />
cp /etc/host.conf "$TORCHROOT"/etc/<br />
cp /etc/localtime "$TORCHROOT"/etc/<br />
cp /etc/nsswitch.conf "$TORCHROOT"/etc/<br />
cp /etc/resolv.conf "$TORCHROOT"/etc/<br />
cp /etc/tor/torrc "$TORCHROOT"/etc/tor/<br />
<br />
cp /usr/bin/tor "$TORCHROOT"/usr/bin/<br />
cp /usr/share/tor/geoip* "$TORCHROOT"/usr/share/tor/<br />
# NSS, resolver and loader libraries that are loaded at runtime and so do not show up in ldd<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* "$TORCHROOT"/usr/lib/<br />
# Every shared library tor links against<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT"/usr/lib/<br />
cp -r /var/lib/tor "$TORCHROOT"/var/lib/<br />
chown -R tor:tor "$TORCHROOT"/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
grep --color=never ^tor /etc/passwd > "$TORCHROOT"/etc/passwd<br />
grep --color=never ^tor /etc/group > "$TORCHROOT"/etc/group<br />
<br />
mknod -m 644 "$TORCHROOT"/dev/random c 1 8<br />
mknod -m 644 "$TORCHROOT"/dev/urandom c 1 9<br />
mknod -m 666 "$TORCHROOT"/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT"/usr/lib/<br />
    # Both links must be relative: an absolute /opt/torchroot/... target does not exist inside the chroot,<br />
    # and the dynamic loader is looked up as /lib64/ld-linux-x86-64.so.2 from within it<br />
    ln -sfn usr/lib64 "$TORCHROOT"/lib64<br />
    ln -sfn lib "$TORCHROOT"/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in file:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then open {{ic|about:config}} in the address bar (accepting the ''void your warranty'' prompt), change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy, so name lookups do not leak outside Tor.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; untick the option ''Use the same proxy server for all protocols'' if it is ticked, then enter ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab, which lets you switch between normal browsing and the Tor network just by left-clicking Proxy SwitchySharp's icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, which passes the hostname to the proxy for resolution.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, no HTTP proxy like [[polipo]]/[[privoxy]] is needed. The client talks to Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay (never exiting to the internet), add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
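Exit policies are evaluated top to bottom, first match wins, and Tor appends its default policy after your own lines. The following Python is an added example (not from this article or the Tor project) that reproduces that evaluation for the torrc lines above, and also handles the CIDR-based reject used further down to keep exit traffic away from the relay's own public subnet; the default policy list is copied from the tor manual and is an assumption about the version you run.<br />

```python
import ipaddress

# Tor's default exit policy as given in the tor manual (assumption: matches the
# tor version in use; check `man tor` for the list your build applies).
DEFAULT_EXIT_POLICY = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
    "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
    "reject *:6881-6999, accept *:*"
)


def strip_torrc_line(line):
    """Remove a trailing '# comment' and an optional leading 'ExitPolicy' keyword."""
    line = line.split("#", 1)[0].strip()
    if line.lower().startswith("exitpolicy"):
        line = line[len("ExitPolicy"):].strip()
    return line


def parse_policy(text):
    """Parse comma-separated 'accept|reject ADDR[/MASK]:PORT[-PORT]' entries.

    Returns a list of (action, network_or_None, low_port, high_port); None stands
    for the '*' wildcard address. Only '*' and IPv4 address patterns are handled;
    Tor's bracketed IPv6 form is not parsed here.
    """
    rules = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, pattern = entry.split(None, 1)
        addr, port = pattern.rsplit(":", 1)
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            low, high = 1, 65535
        elif "-" in port:
            low, high = (int(p) for p in port.split("-", 1))
        else:
            low = high = int(port)
        rules.append((action.lower(), network, low, high))
    return rules


def exit_allowed(torrc_lines, dest_ip, dest_port):
    """True if a relay with these ExitPolicy lines would exit to dest_ip:dest_port.

    Rules are checked in torrc order and the first match decides; the default
    policy is appended, which is why 'accept *:119' alone re-enables NNTP while
    the other default rejects (25, 445, ...) stay in force.
    """
    rules = []
    for line in torrc_lines:
        rules.extend(parse_policy(strip_torrc_line(line)))
    rules.extend(parse_policy(DEFAULT_EXIT_POLICY))
    ip = ipaddress.ip_address(dest_ip)
    for action, network, low, high in rules:
        if network is not None and ip not in network:
            continue
        if low <= dest_port <= high:
            return action == "accept"
    return False  # not reached: the default policy ends with a catch-all


if __name__ == "__main__":
    # Policies taken from the article; the addresses are constructed
    # documentation-range values standing in for real destinations.
    irc_only = ["ExitPolicy accept *:6660-6667,reject *:*  # Allow irc ports but no more"]
    print(exit_allowed(irc_only, "203.0.113.10", 6667))  # True
    print(exit_allowed(irc_only, "203.0.113.10", 443))   # False
    own_subnet = ["ExitPolicy reject 198.51.100.0/24:*"]   # the relay's own public /24
    print(exit_allowed(own_subnet, "198.51.100.7", 443))  # False
    print(exit_allowed(own_subnet, "203.0.113.10", 443))  # True
```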
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}} (''ulimit'' is a shell builtin, so it has to run inside a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} sends logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep aes /proc/cpuinfo</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Unlike a [[Simple_stateful_firewall]], where connection tracking would have to follow thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disable connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allows the non-SYN packets of TCP connections that were already accepted by the rules below, as well as of connections the exit node itself established; without connection tracking this is how established traffic gets through.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP, because without connection tracking replies to our own queries (e.g. DNS) cannot be distinguished from unsolicited datagrams.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections; [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] provide further documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep the Tor setting that listens for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server:<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
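Once the four files are in place, it is worth checking that no other resolver path remains. The Python below is an added audit (not part of this article, nor of Tor or dnsmasq) that parses torrc, dnsmasq.conf, resolv.conf and dhcpcd.conf text and reports anything that would bypass TorDNS; the sample fragments are constructed from the snippets above, plus one deliberately leaky resolv.conf.<br />

```python
import ipaddress
import re


def _directives(text):
    """Yield (key, value) pairs from torrc/dnsmasq/resolv.conf/dhcpcd.conf text.

    A '#' starts a comment only at line start or after whitespace, so dnsmasq's
    'server=127.0.0.1#9053' (host#port) syntax survives intact.
    """
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition("=") if "=" in line else line.partition(" ")
        yield key.strip().lower(), value.strip()


def tor_dnsport(torrc):
    """Port of Tor's DNSPort; accepts both 'DNSPort 9053' and 'DNSPort 127.0.0.1:9053'."""
    for key, value in _directives(torrc):
        if key == "dnsport":
            return int(value.rsplit(":", 1)[-1])
    return None


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_tordns(torrc, dnsmasq_conf, resolv_conf, dhcpcd_conf):
    """Return a list of findings; an empty list means every resolver path ends at TorDNS."""
    findings = []
    port = tor_dnsport(torrc)
    if port is None:
        findings.append("torrc: DNSPort not set, Tor answers no DNS queries")

    dm = list(_directives(dnsmasq_conf))
    if not any(k == "no-resolv" for k, _ in dm):
        findings.append("dnsmasq: no-resolv missing, upstreams from /etc/resolv.conf would be used")
    servers = [v for k, v in dm if k == "server"]
    if not servers:
        findings.append("dnsmasq: no server= line, nothing is forwarded to TorDNS")
    for server in servers:
        host, _, sport = server.partition("#")
        if not _is_loopback(host) or (port is not None and sport != str(port)):
            findings.append(f"dnsmasq: upstream {server} is not TorDNS on 127.0.0.1#{port}")
    for value in (v for k, v in dm if k == "listen-address"):
        for addr in value.split(","):          # listen-address accepts a comma-separated list
            if not _is_loopback(addr.strip()):
                findings.append(f"dnsmasq: listen-address {addr.strip()} is reachable beyond localhost")

    for key, value in _directives(resolv_conf):
        if key == "nameserver" and not _is_loopback(value):
            findings.append(f"resolv.conf: nameserver {value} bypasses dnsmasq and TorDNS")

    # 'nohook' may list several hooks, e.g. 'nohook wpa_supplicant,resolv.conf'
    hooks = [h.strip() for k, v in _directives(dhcpcd_conf) if k == "nohook" for h in v.split(",")]
    if "resolv.conf" not in hooks:
        findings.append("dhcpcd.conf: resolv.conf hook active, DHCP will rewrite /etc/resolv.conf")
    return findings


# Constructed sample fragments, copied from the snippets above.
TORRC = "DNSPort 9053\nAutomapHostsOnResolve 1\nAutomapHostsSuffixes .exit,.onion\n"
DNSMASQ_CONF = "no-resolv\nserver=127.0.0.1#9053\nlisten-address=127.0.0.1\n"
RESOLV_CONF = "nameserver 127.0.0.1\n"
DHCPCD_CONF = "nohook wpa_supplicant,resolv.conf\n"
# Constructed failure case: a LAN resolver left behind in resolv.conf.
LEAKY_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 192.0.2.53  # constructed LAN resolver\n"

if __name__ == "__main__":
    print(audit_tordns(TORRC, DNSMASQ_CONF, RESOLV_CONF, DHCPCD_CONF))        # []
    print(audit_tordns(TORRC, DNSMASQ_CONF, LEAKY_RESOLV_CONF, DHCPCD_CONF))  # one finding
```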
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* It uses {{ic|--ipv4}} and {{ic|--ipv6}} to mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can load the same file.<br />
* Where {{ic|--ipv4}} or {{ic|--ipv6}} is given, {{ic|ip*tables-restore}} skips the rule if it is not for that protocol.<br />
* {{ic|ip6tables}} does not accept the IPv4 {{ic|--reject-with}} types used here, so the IPv6 rules use a plain {{ic|REJECT}} (an ICMPv6 port unreachable by default).<br />
<br />
The ports in the rules must match Tor's; make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service ip6tables.service}} and {{ic|1=After=iptables.service ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. {{ic|1=Requires=}} alone does not order the units; {{ic|1=After=}} is what makes the login wait for the firewall. See [[systemd]].<br />
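To see what this rule set actually does to a given packet, the following Python model, added here as an example and not part of the wiki page or of Tor, walks locally generated packets through the nat OUTPUT and filter OUTPUT chains above and reports whether each one lands on the TransPort, on the DNSPort, goes out untouched, or is rejected. It assumes the tor user has uid 43 (the Arch package's default; adjust {{ic|TOR_UID}} to match {{ic|id -u tor}}), that the IPv6 loopback rule matches {{ic|::1}} only, and that conntrack state is supplied as a flag rather than computed; the sample packets are constructed, not captured.<br />

```python
"""Trace locally generated packets through the nat and filter OUTPUT chains of
the transparent-torification rule set, to see what reaches TransPort/DNSPort,
what passes untouched and what is rejected.  Model only: no iptables involved."""
import ipaddress
from dataclasses import dataclass, replace

TOR_UID = 43                 # assumed: uid of the "tor" user (Arch's tor package)
TRANS_PORT, DNS_PORT = 9040, 5353
LAN = ipaddress.ip_network("192.168.0.0/16")       # the --ipv4 RETURN/ACCEPT exemption
LOOPBACK4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK6 = ipaddress.ip_network("::1/128")        # assumed: IPv6 loopback rule matches ::1 only


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str                   # destination address
    dport: int = 0
    uid: int = 1000            # uid owning the sending socket (-m owner)
    syn: bool = True           # tcp only: is this the connection-opening SYN?
    established: bool = False  # conntrack would mark it RELATED,ESTABLISHED
    oif: str = "eth0"          # outgoing interface


def nat_output(p: Packet):
    """*nat OUTPUT: returns (packet after any REDIRECT, rule that fired)."""
    addr = ipaddress.ip_address(p.dst)
    if p.oif == "lo":
        return p, "RETURN (loopback)"
    if addr.version == 4 and addr in LAN:
        return p, "RETURN (LAN)"
    if p.uid == TOR_UID:
        return p, "RETURN (tor uid)"
    lo = "127.0.0.1" if addr.version == 4 else "::1"   # REDIRECT re-targets to loopback
    if p.proto == "udp" and p.dport == 53:
        return replace(p, dst=lo, dport=DNS_PORT, oif="lo"), "REDIRECT DNSPort"
    if p.proto == "tcp" and p.syn:
        return replace(p, dst=lo, dport=TRANS_PORT, oif="lo"), "REDIRECT TransPort"
    return p, "no match"


def filter_output(p: Packet) -> str:
    """*filter OUTPUT: policy DROP plus the explicit REJECT at the end."""
    addr = ipaddress.ip_address(p.dst)
    if addr.version == 4 and (addr in LOOPBACK4 or addr in LAN):
        return "ACCEPT"
    if addr.version == 6 and addr in LOOPBACK6:
        return "ACCEPT"
    if p.established or p.uid == TOR_UID:
        return "ACCEPT"
    return "REJECT"


def trace(p: Packet) -> str:
    """Final fate of a packet: 'TransPort', 'DNSPort', 'direct' or 'REJECT'."""
    after, nat_rule = nat_output(p)
    if filter_output(after) != "ACCEPT":
        return "REJECT"
    if nat_rule == "REDIRECT TransPort":
        return "TransPort"
    if nat_rule == "REDIRECT DNSPort":
        return "DNSPort"
    return "direct"


# Constructed sample traffic (not captured data)
SAMPLES = {
    "browser TCP SYN to 93.184.216.34:80": Packet("tcp", "93.184.216.34", 80),
    "resolver UDP to 8.8.8.8:53": Packet("udp", "8.8.8.8", 53),
    "ntp client UDP to 8.8.8.8:123": Packet("udp", "8.8.8.8", 123),
    "ping to 8.8.8.8": Packet("icmp", "8.8.8.8"),
    "tor daemon TCP SYN to a relay": Packet("tcp", "198.51.100.7", 9001, uid=TOR_UID),
    "ssh to LAN host 192.168.1.1:22": Packet("tcp", "192.168.1.1", 22),
    "app using SocksPort on 127.0.0.1:9050": Packet("tcp", "127.0.0.1", 9050, oif="lo"),
    "crafted non-SYN TCP, no conntrack state": Packet("tcp", "93.184.216.34", 80, syn=False),
    "IPv6 TCP SYN to [2001:db8::1]:443": Packet("tcp", "2001:db8::1", 443),
    "IPv6 UDP DNS to 2001:4860:4860::8888": Packet("udp", "2001:4860:4860::8888", 53),
}


def audit() -> dict:
    """Fate of every sample packet, keyed by its description."""
    return {name: trace(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, fate in audit().items():
        print(f"{fate:10} {name}")
```

The run shows the properties the prose claims: TCP and DNS end up on Tor's ports, non-DNS UDP and ICMP are rejected rather than leaked, the tor user and the LAN exemption bypass the redirect, the SocksPort keeps working, and a TCP segment that is neither a SYN nor part of a tracked connection is rejected.<br />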
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run it by hand as root (or with sudo) to see the error:<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If Tor still does not start, run the service as root and let Tor drop privileges itself (it switches to the tor user after start-up). To do this, set the user name in {{ic|/etc/tor/torrc}}:<br />
<br />
User tor<br />
<br />
and start the service as root with a drop-in file, rather than editing the unit shipped in {{ic|/usr/lib/systemd/system/tor.service}} (which pacman overwrites on upgrade):<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<br />
[Service]<br />
User=root<br />
Group=root<br />
}}<br />
<br />
The process will still run as the tor user once started, so the data directory must be owned by tor and, since it holds Tor's keys, must not be readable by anyone else:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R u=rwX,go= /var/lib/tor<br />
<br />
Now reload systemd and start the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>
Usprey, https://wiki.archlinux.org/index.php?title=Tor&diff=352228, Tor, 2014-12-24T00:32:58Z<p>Usprey: /* Tor configuration */</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor in /opt/torchroot. Run as root.<br />
set -euo pipefail<br />
export TORCHROOT=/opt/torchroot<br />
<br />
for d in etc/tor dev usr/bin usr/lib usr/share/tor var/lib; do<br />
    mkdir -p "$TORCHROOT/$d"<br />
done<br />
<br />
# Link targets are paths as seen from inside the chroot, so /lib must point<br />
# at the chroot's own /usr/lib, not at the host's.<br />
ln -sfn /usr/lib "$TORCHROOT/lib"<br />
<br />
# Name resolution and timezone data Tor needs at run time<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
<br />
# NSS and resolver libraries are loaded with dlopen() and do not show up in ldd<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
# Everything tor links against directly<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never '^/') "$TORCHROOT/usr/lib/"<br />
<br />
# Tor's state directory (keys, cached consensus) must stay owned by tor<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor user and group exist inside the chroot ("^tor:" avoids matching other names starting with tor)<br />
grep --color=never '^tor:' /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep --color=never '^tor:' /etc/group > "$TORCHROOT/etc/group"<br />
<br />
# Device nodes: Tor needs entropy and a sink for discarded output<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    # Again: targets are chroot-internal paths, not host paths<br />
    ln -sfn /usr/lib "$TORCHROOT/lib64"<br />
    ln -sfn lib "$TORCHROOT/usr/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in file:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy on port 9050 (plain tor with standard settings). The Tor instance bundled with the Tor Browser listens on port 9150 instead; port 9051 is Tor's ''ControlPort'', not a SOCKS port. Wherever the application allows it, enable remote DNS resolution (SOCKS4a, or SOCKS5 with hostnames) so that name lookups also go through Tor.<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}} (SOCKS v5). Then type {{ic|about:config}} into the address bar, accept the warning (''void your warranty''), change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This sends all DNS requests through Tor's SOCKS proxy instead of the system resolver, which otherwise leaks every hostname you visit.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"<br />
<br />
Use the {{ic|socks5://}} scheme rather than {{ic|socks://}}: the latter selects SOCKS v4, for which Chromium resolves hostnames itself and thereby leaks DNS queries. {{ic|--host-resolver-rules}} additionally stops Chromium from doing its own DNS lookups (including prefetching) for anything other than localhost, so names are only ever resolved by Tor.<br />
<br />
Just as with Firefox, you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor Project recommends pointing applications directly at Tor's SOCKS5 port, which browsers support natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] is listening. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications such as messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use a SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with the direct method is that applications which resolve DNS themselves leak the names they look up to your local resolver. Prefer SOCKS4a, or SOCKS5 with hostnames (which is what Privoxy's forwarding uses), so that Tor performs the lookup.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as middleman ( a relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor appends its own default exit policy, which rejects certain ports (for example SMTP on 25). You can use the torrc to override this for a port, since your rules are evaluated before the defaults:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
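Because Tor evaluates ExitPolicy rules in order, prepends rejects for private networks (ExitPolicyRejectPrivate, on by default) and appends its own default policy, it is easy to write a policy that does not do what you expect. The following Python evaluator is an added example, not code from the wiki page or from Tor; it applies the same first-match rule to the policies shown above. The private-network list and the default policy are assumed to match Tor's built-in defaults of the time, and the model is IPv4 only.<br />

```python
"""Evaluate a Tor ExitPolicy the way Tor applies it: ExitPolicyRejectPrivate
rejects first, then the operator's rules in order, then Tor's default policy;
the first matching rule wins.  IPv4 model only."""
import ipaddress

# Assumed to match Tor's built-in defaults at the time of this page.
PRIVATE_NETS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.168.0.0/16"]
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)


def parse_policy(text: str) -> list:
    """Parse 'accept ADDR:PORTS,reject ADDR:PORTS,...' into (action, net, lo, hi, text)."""
    rules = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        action, _, target = item.partition(" ")
        action = action.lower()
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in {item!r}")
        addr, _, ports = target.strip().rpartition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(x) for x in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action, net, lo, hi, item))
    return rules


def effective_policy(configured: str, reject_private: bool = True) -> list:
    """The full ordered rule list Tor would evaluate for this torrc."""
    rules = []
    if reject_private:                          # ExitPolicyRejectPrivate 1 (the default)
        rules += parse_policy(",".join(f"reject {n}:*" for n in PRIVATE_NETS))
    rules += parse_policy(configured)           # operator's ExitPolicy lines, in order
    rules += parse_policy(DEFAULT_EXIT_POLICY)  # Tor appends its defaults last
    return rules


def exit_allowed(configured: str, ip: str, port: int, reject_private: bool = True):
    """Return (allowed, matching rule) for a connection to ip:port leaving this relay."""
    addr = ipaddress.ip_address(ip)
    for action, net, lo, hi, text in effective_policy(configured, reject_private):
        if (net is None or addr in net) and lo <= port <= hi:
            return action == "accept", text
    return False, "<no match>"   # not reachable: the default policy ends in accept *:*


if __name__ == "__main__":
    # Constructed cases using the policies from this section
    for policy, ip, port in [
        ("accept *:6660-6667,reject *:*", "198.51.100.1", 6667),
        ("accept *:6660-6667,reject *:*", "198.51.100.1", 80),
        ("accept *:119", "198.51.100.1", 119),
        ("accept *:119", "198.51.100.1", 25),
        ("reject 203.0.113.0/24:*", "203.0.113.7", 443),
        ("reject *:*,accept *:6667", "198.51.100.1", 6667),
    ]:
        ok, rule = exit_allowed(policy, ip, port)
        print(f"{policy:32} {ip}:{port:<5} -> {'accept' if ok else 'reject'} ({rule})")
```

Two things the output makes visible: {{ic|accept *:119}} alone re-enables NNTP but still inherits the default rejects for 25 and the others, and {{ic|reject *:*,accept *:6667}} never accepts anything because the first rule already matched.<br />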
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to setup Tor alongside [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}} ({{ic|ulimit}} is a shell builtin, so it cannot be run directly as a command).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on Port 80 and 443 the service need to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default Tor behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 500 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 1000 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enables {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep -m1 -o aes /proc/cpuinfo</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the module (e.g. {{ic|aesni_intel}}) is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} is specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Unlike the [[Simple stateful firewall]], where connection tracking would have to keep state for thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts every TCP segment that is not a bare SYN, which is how a stateless firewall approximates {{ic|ESTABLISHED}}: replies to connections the relay itself opened arrive as SYN/ACK or ACK, and only a new connection starts with a SYN, which the rules below must then explicitly allow. The price is that non-SYN probes (ACK or FIN scans) to any port are also accepted, which is tolerable on a host that runs nothing but Tor.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} accepts all incoming UDP, because without connection tracking there is no way to distinguish replies (such as DNS answers to the exit's own queries) from unsolicited datagrams.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allow [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allow incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allow incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set {{ic|DNSPort}} in {{ic|/etc/tor/torrc}} to {{ic|9053}} (as in the example above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream resolver. Now edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server:<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', configure it so that it does not overwrite {{ic|/etc/resolv.conf}}. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application itself. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it together with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). The first of the above examples then becomes:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and the filter table to block anything it cannot torify.<br />
<br />
* Rules that apply to only one address family are prefixed with {{ic|--ipv4}} or {{ic|--ipv6}}, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file; each ignores the rules marked for the other family. See {{ic|man iptables-restore}}.<br />
* {{ic|ip6tables}} does not accept the ICMPv4 {{ic|--reject-with}} types used below, so the IPv6 rules use a plain {{ic|REJECT}}.<br />
* The two {{ic|192.168.0.0/16}} rules let traffic to the local network bypass Tor; remove them if nothing on the LAN needs to be reachable.<br />
* The ports below must match your torrc, which needs to contain the following lines:<br />
<br />
 SocksPort 9050<br />
 DNSPort 5353<br />
 TransPort 9040<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for {{ic|ip6tables-restore}}, so you may symlink it:<br />
<br />
 # ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start {{ic|iptables.service}} and {{ic|ip6tables.service}}:<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
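<br />
The following shell functions are an added example, not part of this page or of the Tor project: they render the dual-stack rules file above for one address family, the way {{ic|iptables-restore}} and {{ic|ip6tables-restore}} each see it, and check the invariants the transparent torification relies on (the tor user's RETURN before the REDIRECTs, the DNS and TCP redirects, a DROP policy with an explicit final REJECT in the filter OUTPUT chain). Only the rule text is read, so this runs without root or netfilter; the function names and the checks are this example's own and complement, rather than replace, {{ic|iptables-restore --test}}.<br />
<br />
```shell
# Added example, not from the ArchWiki page or the Tor project: render the
# dual-stack iptables-restore file for one address family and check the
# invariants the transparent torification depends on. Only the rule text is
# read, so no root or netfilter is needed.

# rules_for_family FILE 4|6 -> rules that apply to that family, with the
# --ipv4 / --ipv6 prefixes stripped and the other family's rules dropped,
# which is what iptables-restore / ip6tables-restore do with such a file.
rules_for_family() {
    awk -v fam="$2" '
        /^--ipv4 / { if (fam == "4") { sub(/^--ipv4 /, ""); print }; next }
        /^--ipv6 / { if (fam == "6") { sub(/^--ipv6 /, ""); print }; next }
        /^[[:space:]]*$/ { next }
        { print }
    ' "$1"
}

# torify_rules_check FILE 4|6 -> one line per missing invariant; returns 0
# only if all hold. The invariants are this example's own, derived from the
# rule set on the page.
torify_rules_check() {
    local rules rc=0
    rules=$(rules_for_family "$1" "$2")
    has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }

    # nat OUTPUT: Tor's own packets must RETURN before any REDIRECT, or Tor's
    # connections to the network would be looped back into its TransPort.
    printf '%s\n' "$rules" | awk '
        /^-A OUTPUT -m owner --uid-owner "?tor"? -j RETURN/ && !r { r = NR }
        /^-A OUTPUT .* -j REDIRECT/ && !d { d = NR }
        END { exit !(r && d && r < d) }' \
        || { echo "nat OUTPUT: RETURN for uid tor must precede the REDIRECTs"; rc=1; }
    # nat OUTPUT: plain DNS goes to DNSPort, new TCP connections to TransPort.
    has '^-A OUTPUT -p udp .*--dport 53 -j REDIRECT' \
        || { echo "nat OUTPUT: missing DNS REDIRECT"; rc=1; }
    has '^-A OUTPUT -p tcp .*SYN -j REDIRECT' \
        || { echo "nat OUTPUT: missing TCP SYN REDIRECT"; rc=1; }
    # filter OUTPUT: default DROP, tor user allowed out, everything else
    # rejected explicitly so a misconfigured program fails fast instead of
    # leaking or hanging.
    has '^:OUTPUT DROP' \
        || { echo "filter OUTPUT: policy is not DROP"; rc=1; }
    has '^-A OUTPUT -m owner --uid-owner "?tor"? -j ACCEPT' \
        || { echo "filter OUTPUT: missing ACCEPT for uid tor"; rc=1; }
    has '^-A OUTPUT -j REJECT' \
        || { echo "filter OUTPUT: missing final REJECT"; rc=1; }
    return $rc
}
```
<br />
Run {{ic|torify_rules_check /etc/iptables/iptables.rules 4}} and {{ic|torify_rules_check /etc/iptables/iptables.rules 6}} after editing the file; {{ic|rules_for_family}} is also handy for diffing what each family actually loads.<br />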
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need their ownership changed. This can be done individually for each file:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
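<br />
As an added example (not from this page or the Tor project), the following shell functions bundle the ownership check above with a check of the directory mode, since Tor expects its {{ic|DataDirectory}} to be private to its user (mode 700) and warns about anything more permissive. The function names and output format are this example's own; {{ic|tor_datadir_fix}} prints the remediation and only runs it when told to.<br />
<br />
```shell
# Added example, not from the ArchWiki page or the Tor project: a preflight
# check for Tor's DataDirectory that combines the "find ! -user tor" check
# with a mode check (Tor wants the directory private to its user, mode 700).

# tor_datadir_check DIR USER -> prints one line per problem; returns 0 if
# clean, 1 if something needs fixing, 2 on usage errors. USER may be a user
# name or a numeric uid.
tor_datadir_check() {
    local dir="$1" user="$2" uid bad mode rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    case "$user" in
        *[!0-9]*) uid=$(id -u "$user") || return 2 ;;   # name -> numeric uid
        *) uid="$user" ;;
    esac
    # 1. ownership: every entry below DIR, DIR itself included, must belong
    #    to USER; this is the "Problem with User value" cause shown above.
    bad=$(find "$dir" -exec stat -c '%u %n' {} + | awk -v u="$uid" '$1 != u')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WRONG-OWNER uid=/'
        rc=1
    fi
    # 2. mode: no group or other permission bits on the directory itself.
    mode=$(stat -c '%a' "$dir")
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "TOO-PERMISSIVE $mode $dir"
        rc=1
    fi
    return $rc
}

# tor_datadir_fix DIR [apply] -> prints the remediation; runs it (as root)
# only when the second argument is "apply".
tor_datadir_fix() {
    local dir="$1"
    if [ "$2" = apply ]; then
        chown -R tor:tor "$dir"
        chmod 700 "$dir"
    else
        echo "chown -R tor:tor $dir"
        echo "chmod 700 $dir"
    fi
}
```
<br />
Usage: {{ic|tor_datadir_check /var/lib/tor tor}}, then {{ic|tor_datadir_fix /var/lib/tor apply}} as root if it reports anything.<br />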
<br />
If the service still fails to start, run it as root and let Tor itself drop privileges to the tor user. Keep the user name in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
Then override the service with a [[systemd#Editing provided units|drop-in]] instead of editing {{ic|/usr/lib/systemd/system/tor.service}}, which pacman overwrites on upgrade:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/user.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
Tor binds its ports as root and then switches to the tor user, so the data directory must be owned by tor and must stay private to that user; use mode 700 rather than a group- or world-readable mode, which Tor warns about:<br />
<br />
 # chown -R tor:tor /var/lib/tor<br />
 # chmod 700 /var/lib/tor<br />
<br />
Now reload the unit files and start the daemon:<br />
<br />
 # systemctl daemon-reload<br />
 # systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352227Tor2014-12-24T00:15:43Z<p>Usprey: /* iptables */</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages network traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node that receives your traffic before forwarding it to the server you specified. One trade-off for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor in /opt/torchroot. Run as root.<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"<br />
mkdir -p "$TORCHROOT/etc/tor"<br />
mkdir -p "$TORCHROOT/dev"<br />
mkdir -p "$TORCHROOT/usr/bin"<br />
mkdir -p "$TORCHROOT/usr/lib"<br />
mkdir -p "$TORCHROOT/usr/share/tor"<br />
mkdir -p "$TORCHROOT/var/lib"<br />
<br />
# Symlinks must resolve *inside* the chroot, so make them relative to it.<br />
ln -sfn usr/lib "$TORCHROOT/lib"<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# NSS, resolver and loader libraries are opened at runtime and do not show up in ldd.<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
# Everything tor links against directly.<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor user and group need to resolve inside the chroot.<br />
grep --color=never '^tor:' /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep --color=never '^tor:' /etc/group > "$TORCHROOT/etc/group"<br />
<br />
rm -f "$TORCHROOT/dev/random" "$TORCHROOT/dev/urandom" "$TORCHROOT/dev/null"<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    # The ELF interpreter is /lib64/ld-linux-x86-64.so.2; make /lib64 and /usr/lib64 resolve inside the chroot.<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    ln -sfn usr/lib "$TORCHROOT/lib64"<br />
    ln -sfn lib "$TORCHROOT/usr/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This sends all DNS requests through Tor's SOCKS proxy instead of resolving them locally, which would leak the names of the sites you visit.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal browsing and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], but the Tor developers recommend connecting to the SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] is running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications such as messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To make the relay a middle relay only (no exits), reject all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
Tor's default exit policy rejects certain ports (the list is in the {{ic|ExitPolicy}} description of {{ic|man tor}}). The entries in {{ic|torrc}} are evaluated first and the default policy is appended after them, so you can override it:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
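<br />
The following evaluator is an added example, not part of this page or of the Tor project: it shows how an {{ic|ExitPolicy}} is decided by the first matching entry and how the default policy is appended after your own entries, so that {{ic|accept *:119}} overrides the default {{ic|reject *:119}} while everything else keeps the default result. It handles the syntax used on this page ({{ic|*}} or an IPv4 address with optional prefix, and {{ic|*}}, one port or a range); {{ic|DEFAULT_POLICY}} is copied from the {{ic|ExitPolicy}} description in {{ic|man tor}} and should be verified against your version. Tor additionally rejects private networks and the relay's own address ({{ic|ExitPolicyRejectPrivate}}), which the example does not model; the function names are this example's own.<br />
<br />
```shell
# Added example, not from the ArchWiki page or the Tor project: a small
# evaluator for ExitPolicy entries showing first-match semantics and the
# appended default policy. DEFAULT_POLICY is taken from the ExitPolicy
# description in man tor; verify it against your version. Private networks
# and the relay's own address (ExitPolicyRejectPrivate) are not modelled.

DEFAULT_POLICY='reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*'

# ip2int a.b.c.d -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# addr_match ADDRSPEC IP -> true if IP falls inside "*" or a.b.c.d[/n]
addr_match() {
    local spec="$1" ip="$2" net prefix mask
    [ "$spec" = '*' ] && return 0
    net="${spec%%/*}"
    prefix="${spec#*/}"
    [ "$prefix" = "$spec" ] && prefix=32          # no /n given: single host
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# port_match PORTSPEC PORT -> true if PORT falls inside "*", N or LOW-HIGH
port_match() {
    local spec="$1" port="$2" lo hi
    [ "$spec" = '*' ] && return 0
    lo="${spec%%-*}"
    hi="${spec#*-}"
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# exit_policy_decide POLICY IP PORT -> prints "accept" or "reject".
# POLICY is the torrc value (a trailing # comment is stripped, as Tor does);
# the default policy is appended so a matching entry always exists, and the
# first match wins exactly as in Tor.
exit_policy_decide() {
    local policy="${1%%#*}" ip="$2" port="$3" action target addr ports
    printf '%s,%s\n' "$policy" "$DEFAULT_POLICY" | tr ',' '\n' |
    while read -r action target; do
        [ -n "$action" ] || continue           # skip empty entries
        addr="${target%:*}"
        ports="${target##*:}"
        if addr_match "$addr" "$ip" && port_match "$ports" "$port"; then
            printf '%s\n' "$action"
            break
        fi
    done
}
```
<br />
For instance, {{ic|exit_policy_decide 'accept *:119' 198.51.100.7 119}} prints {{ic|accept}}, while the same call with an empty policy prints {{ic|reject}} because only the default policy applies.<br />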
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|LimitNOFILE}} is what applies to {{ic|tor.service}}; {{ic|/etc/security/limits.conf}} only affects PAM sessions, so append the following if you also run Tor from an interactive shell as the tor user:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit of the running service is raised with {{ic|# grep 'open files' /proc/$(pidof tor)/limits}}. The PAM limit for an interactive shell can be checked with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Reject the relay's own public subnet in addition to the default exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} let {{Pkg|arm}} connect to Tor and display connections. Note that {{ic|DisableDebuggerAttachment 0}} allows any process running as the same user to attach with ptrace and read the daemon's memory, including its keys; leave it at the default of {{ic|1}} unless you need the connection listing.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should be your public network and prefix length, which can be obtained with {{ic|# ip addr}}, so that exit traffic cannot reach the relay itself or neighbouring machines on the same subnet and thereby bypass perimeter firewalls. {{ic|ExitPolicyRejectPrivate}} (on by default) already rejects private ranges and the relay's own public address, but not the rest of the subnet.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep -m1 -w aes /proc/cpuinfo</nowiki>}} shows that your CPU has the AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows the {{ic|aesni_intel}} module loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
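The shell functions below are an added example, not part of this wiki page or of Tor. They derive the {{ic|ExitPolicy reject}} line from the output of {{ic|ip -4 -o addr show}}, so the network address is computed from the interface's address and prefix length rather than typed by hand. The {{ic|ip}} output line in {{ic|SAMPLE_IP_LINE}} is constructed (documentation prefix 203.0.113.0/24); {{ic|exit_policy_for_iface}} assumes iproute2's one-line ({{ic|-o}}) output format.<br />
<br />
```sh
#!/bin/sh
# Added example: build "ExitPolicy reject <net>/<prefix>:*" for the relay's own
# public subnet from an `ip -4 -o addr show` line. Sample input is constructed.

# cidr_network ADDR/PREFIX -> NETWORK/PREFIX  (e.g. 203.0.113.77/24 -> 203.0.113.0/24)
# Masks octet by octet, so no 32-bit arithmetic is needed in the shell.
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    net=""
    i=0
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        bits=$((prefix - 8 * i))               # network bits falling into this octet
        if [ "$bits" -gt 8 ]; then bits=8; fi
        if [ "$bits" -lt 0 ]; then bits=0; fi
        mask=$(( (255 << (8 - bits)) & 255 ))
        net="$net${net:+.}$((octet & mask))"
        i=$((i + 1))
    done
    printf '%s/%s\n' "$net" "$prefix"
}

# exit_policy_from_ip_line LINE -> "ExitPolicy reject NET/PREFIX:*"
# LINE is one line of `ip -4 -o addr show` output; the CIDR follows the word "inet".
exit_policy_from_ip_line() {
    cidr=$(printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { print $(i + 1); exit } }')
    [ -n "$cidr" ] || return 1
    net=$(cidr_network "$cidr") || return 1
    printf 'ExitPolicy reject %s:*\n' "$net"
}

# exit_policy_for_iface IFACE -> the line for the interface's first global IPv4 address
exit_policy_for_iface() {
    exit_policy_from_ip_line "$(ip -4 -o addr show dev "$1" scope global | head -n 1)"
}

# Constructed sample line (documentation prefix, not a real relay).
SAMPLE_IP_LINE='2: enp3s0    inet 203.0.113.77/24 brd 203.0.113.255 scope global enp3s0\       valid_lft forever preferred_lft forever'

# Usage on a live system (review the output before appending it to /etc/tor/torrc):
#   exit_policy_for_iface enp3s0
```
<br />
Because the functions mask octet by octet, they also work for prefixes that do not fall on an octet boundary, such as a {{ic|/29}} or {{ic|/12}}, where hand-computing the network address is error-prone.<br />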
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}; it has to run as the {{ic|tor}} user to read the authentication cookie in Tor's data directory.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified, which also lets any process running as {{ic|tor}} attach a debugger to the daemon.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Unlike a [[Simple stateful firewall]], whose connection tracking would have to follow tens of thousands of flows on a busy exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts every TCP segment that is not a connection-opening SYN, which is the stateless approximation of "established": without connection tracking the kernel cannot tell a reply from an unsolicited non-SYN probe, so ACK or FIN scans reach the host and are answered with RST. Only SYNs are subject to the port rules below.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} accepts all incoming UDP: without connection tracking the replies to the relay's own DNS queries cannot be told apart from unsolicited datagrams. Nothing in this setup listens on UDP, so unsolicited datagrams are answered by the kernel with ICMP port unreachable.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allow [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allow incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allow incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy for a large number of TLS connections; [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] document the daemon.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## cache size in KiB: 102400 = 100 MiB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the {{ic|DNSPort}} line in {{ic|/etc/tor/torrc}} to show the following. Port 53 is privileged, so Tor must be able to bind it (see [[#Start tor.service as root to bind Tor to privileged ports]]); the caching-resolver variant further down avoids this.<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set {{ic|DNSPort}} back to 9053 in {{ic|/etc/tor/torrc}}, so Tor does not need a privileged port, and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local machine and use TorDNS as its sole upstream. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only dnsmasq.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', stop it from overwriting the resolver configuration by adding this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Whether ''torify'' also sends DNS lookups through Tor depends on the wrapper it finds: ''torsocks'' intercepts the libc resolver calls and resolves names through Tor's SOCKS port (and rejects non-TCP traffic), whereas the older ''tsocks'' did not, and a program that bypasses the libc resolver still leaks. A workaround is to resolve the name with {{ic|<nowiki>tor-resolve</nowiki>}} (described above) and hand the application the IP address. In this case, the procedure for the first of the above examples looks like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* The {{ic|--ipv4}} and {{ic|--ipv6}} prefixes mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can load the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is given, {{ic|ip*tables-restore}} ignores the rule if it is not for its protocol.<br />
* {{ic|ip6tables}} does not accept the IPv4 {{ic|--reject-with}} types used here (the ICMPv6 equivalents are named differently), which is why those reject rules are marked {{ic|--ipv4}} and IPv6 falls back to a plain {{ic|REJECT}}.<br />
* The {{ic|RETURN}} and {{ic|ACCEPT}} rules for {{ic|192.168.0.0/16}} deliberately let traffic to the local network bypass Tor; remove them if you do not want that.<br />
* Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
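Because the nat rules and the torrc each name the ports independently, a mismatch silently breaks the setup: a {{ic|DNSPort}} that differs from the {{ic|--to-ports}} target means every lookup is redirected to a closed port and rejected, and a mismatched {{ic|TransPort}} does the same for all TCP. The following check is an added example, not part of this wiki page or of Tor; it parses both files and compares them. The torrc and rules texts embedded below are constructed samples, and the second torrc is deliberately wrong.<br />
<br />
```sh
#!/bin/sh
# Added example: verify that the ports Tor listens on match the ports the nat
# REDIRECT rules send traffic to. The sample configs below are constructed.

# torrc_port TORRC_TEXT OPTION -> port number of OPTION (e.g. DNSPort), or nothing
# Accepts both "DNSPort 5353" and "DNSPort 127.0.0.1:5353"; skips comment lines.
torrc_port() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(opt) { sub(/^.*:/, "", $2); print $2; exit }'
}

# redirect_port RULES_TEXT PROTO -> --to-ports target of the nat OUTPUT REDIRECT for PROTO
redirect_port() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        $1 == "-A" && $2 == "OUTPUT" && /-j REDIRECT/ {
            for (i = 1; i < NF; i++) if ($i == "-p" && $(i + 1) == proto) {
                for (j = 1; j < NF; j++) if ($j == "--to-ports") { print $(j + 1); exit }
            }
        }'
}

# check_transparent TORRC_TEXT RULES_TEXT -> 0 if both redirects hit Tor's ports
check_transparent() {
    ok=0
    dns=$(torrc_port "$1" DNSPort);     dns_redir=$(redirect_port "$2" udp)
    trans=$(torrc_port "$1" TransPort); tcp_redir=$(redirect_port "$2" tcp)
    if [ -z "$dns" ] || [ "$dns" != "$dns_redir" ]; then
        echo "DNS: torrc DNSPort='${dns:-unset}' but udp/53 is redirected to '${dns_redir:-nothing}'" >&2
        ok=1
    fi
    if [ -z "$trans" ] || [ "$trans" != "$tcp_redir" ]; then
        echo "TCP: torrc TransPort='${trans:-unset}' but TCP SYNs are redirected to '${tcp_redir:-nothing}'" >&2
        ok=1
    fi
    return $ok
}

# Constructed samples
GOOD_TORRC='SocksPort 9050
DNSPort 5353
TransPort 9040'
BAD_TORRC='SocksPort 9050
# DNSPort left at the TorDNS example value: lookups go to a closed port
DNSPort 9053
TransPort 127.0.0.1:9040'
RULES='*nat
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# Usage on a live system:
#   check_transparent "$(cat /etc/tor/torrc)" "$(cat /etc/iptables/iptables.rules)"
```
<br />
Run the live usage line after every change to either file and before starting {{ic|iptables.service}}; it exits non-zero and names the mismatched side when the two configurations disagree.<br />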
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the service still does not start, run it as root and let Tor itself switch back to the {{ic|tor}} user. Set the user in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
Then override the unit with a drop-in instead of editing {{ic|/usr/lib/systemd/system/tor.service}}, which the next package upgrade would overwrite:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
The process then runs as {{ic|tor}} after start-up, so the data directory must belong to that user and, because it holds the relay's private keys, must not be readable by anyone else (do not use {{ic|chmod -R 755}} here):<br />
<br />
 # chown -R tor:tor /var/lib/tor/<br />
 # chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352226Tor2014-12-24T00:11:18Z<p>Usprey: /* iptables */ fixed link and syntax</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot; run as root.<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"/{etc/tor,dev,usr/bin,usr/lib,usr/share/tor,var/lib}<br />
<br />
# Arch ships /lib and /usr/lib64 as symlinks to /usr/lib; use relative targets<br />
# so they resolve inside the chroot as well as when inspected from the host<br />
ln -s usr/lib "$TORCHROOT/lib"<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# NSS and resolver libraries are loaded at run time and do not appear in ldd output<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
# everything tor is linked against directly<br />
cp $(ldd /usr/bin/tor | awk '$3 ~ /^\// {print $3}') "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# only the tor account needs to resolve inside the chroot<br />
grep '^tor:' /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep '^tor:' /etc/group > "$TORCHROOT/etc/group"<br />
<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    # the ELF interpreter of tor is /lib64/ld-linux-x86-64.so.2, so /lib64 must resolve<br />
    ln -s usr/lib "$TORCHROOT/lib64"<br />
    ln -s lib "$TORCHROOT/usr/lib64"<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in (the unit starts as root so that {{ic|chroot}} can switch to the {{ic|tor}} user):<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy on port 9050 (a plain Tor with default settings) or port 9150 (the Tor instance bundled with the Tor Browser Bundle). Port 9051 is the conventional {{ic|ControlPort}}, not a SOCKS port, and must not be handed to applications. Prefer a client mode that passes the hostname to the proxy (SOCKS4a, or SOCKS5 with remote DNS); otherwise the application resolves names outside Tor.<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar, accept the warning, set {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This sends all DNS requests through Tor's SOCKS proxy instead of the system resolver, which would otherwise leak every hostname you visit.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch beetween normal navigation and Tor network just by left-clicking on the Proxy SwitchySharp's icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend pointing browsers at the SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications which resolve DNS themselves may leak the hostnames they contact; consider using SOCKS4a, or SOCKS5 with remote hostname resolution (e.g. through Privoxy), instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely on one's LAN or at the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered on the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridge documentation], your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay (no exits), add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only IRC ports 6660-6667 to exit from the node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this; your own entries are evaluated before the default policy:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
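<br />
Tor evaluates an exit policy top-down, the first matching entry wins, and the default policy is appended after your own {{ic|ExitPolicy}} lines. The following Python script is an added example (not part of this wiki page or of Tor itself) that models that evaluation for IPv4 so you can check a policy before deploying it; it goes beyond the lines above by parsing arbitrary accept/reject entries with CIDR networks and port ranges. The network 203.0.113.0/24 stands in for the {{ic|XXX.XXX.XXX.XXX/XX}} placeholder and the test addresses are constructed.<br />
<br />
```python
"""Evaluate Tor ExitPolicy lines the way Tor does: first matching entry wins.

Added example (not from the wiki page or the Tor project).  IPv4 only; the
'private' keyword, ExitPolicyRejectPrivate and IPv6 forms are not modelled.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default exit policy as documented in the Tor manual; Tor appends it after the
# operator's own ExitPolicy lines, so a port rejected here can only be re-enabled
# by an earlier "accept" entry (e.g. "ExitPolicy accept *:119" for NNTP).
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)


@dataclass(frozen=True)
class PolicyEntry:
    action: str                               # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]  # None stands for "*" (any address)
    low: int                                  # first port of the range
    high: int                                 # last port of the range

    def matches(self, addr: ipaddress.IPv4Address, port: int) -> bool:
        if self.network is not None and addr not in self.network:
            return False
        return self.low <= port <= self.high


def parse_entry(text: str) -> PolicyEntry:
    """Parse one entry such as 'accept *:6660-6667' or 'reject 203.0.113.0/24:*'."""
    parts = text.split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("accept", "reject"):
        raise ValueError(f"malformed exit policy entry {text!r}")
    action, target = parts[0].lower(), parts[1].strip()
    host, sep, ports = target.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {text!r}")
    network = None if host == "*" else ipaddress.IPv4Network(host, strict=False)
    if ports == "*":
        low, high = 1, 65535
    elif "-" in ports:
        low, high = (int(p) for p in ports.split("-", 1))
    else:
        low = high = int(ports)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range in {text!r}")
    return PolicyEntry(action, network, low, high)


def build_policy(torrc_lines: List[str]) -> List[PolicyEntry]:
    """Collect the ExitPolicy lines of a torrc in order, then append Tor's default."""
    entries: List[PolicyEntry] = []
    for line in torrc_lines:
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "exitpolicy":
            continue                                  # not an ExitPolicy option
        entries.extend(parse_entry(e) for e in parts[1].split(",") if e.strip())
    entries.extend(parse_entry(e) for e in DEFAULT_EXIT_POLICY.split(","))
    return entries


def exit_allowed(policy: List[PolicyEntry], addr: str, port: int) -> bool:
    """Return True if the relay would allow an exit connection to addr:port."""
    ip = ipaddress.IPv4Address(addr)
    for entry in policy:
        if entry.matches(ip, port):
            return entry.action == "accept"
    return True  # unreachable: the appended default ends with "accept *:*"


if __name__ == "__main__":
    # Constructed torrc fragments built from the lines shown on this page.
    irc_only = build_policy(["ExitPolicy accept *:6660-6667,reject *:*  # IRC only"])
    with_nntp = build_policy(["ExitPolicy accept *:119  # NNTP plus default policy"])
    own_net = build_policy(["ExitPolicy reject 203.0.113.0/24:*  # never exit to own net"])
    checks = [("irc_only", irc_only, "198.51.100.7", 6667),
              ("irc_only", irc_only, "198.51.100.7", 80),
              ("with_nntp", with_nntp, "198.51.100.7", 119),
              ("with_nntp", with_nntp, "198.51.100.7", 25),
              ("own_net", own_net, "203.0.113.5", 80),
              ("own_net", own_net, "198.51.100.7", 80)]
    for name, pol, addr, port in checks:
        verdict = "accept" if exit_allowed(pol, addr, port) else "reject"
        print(f"{name:10s} {addr}:{port:<5d} -> {verdict}")
```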
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}} ({{ic|ulimit}} is a shell builtin, so it must run inside a shell started as the tor user).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges afterwards.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block the network of the public IP in addition to the standard exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} sends logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot connect to the public IP of the host or of neighboring machines and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Instead of a [[Simple stateful firewall]], where connection tracking would have to track thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts all non-SYN TCP packets, i.e. the packets of connections already established through the rules below (no connection tracking is used, so new connections are only admitted by the port rules).<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP, since without connection tracking replies to outgoing UDP (e.g. DNS) cannot be told apart from new traffic.<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor to listen for DNS requests on port 9053 again (as above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', you need to change its settings so that it does not alter the resolv configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a {{ic|nohook}} line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
# systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
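<br />
To check what these rules do to a given outgoing packet before relying on them, the following Python script, an added example that is not part of this wiki page, models the IPv4 path of the {{ic|nat}} and {{ic|filter}} {{ic|OUTPUT}} chains above for the first packet of a flow and reports whether it is redirected into Tor, allowed out directly, or rejected as a leak. The tor uid and the sample addresses are constructed; the IPv6 rules are not modelled.<br />
<br />
```python
"""Model what the transparent-torification rules do to locally generated IPv4 packets.

Added example (not from the wiki page): walks the *nat OUTPUT chain and then the
*filter OUTPUT chain for the first packet of a flow.  IPv4 rules only; the tor uid
is a constructed value (read the real one from /etc/passwd).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

TOR_UID = 43        # constructed uid for the "tor" user
TRANS_PORT = 9040   # TransPort from the torrc lines above
DNS_PORT = 5353     # DNSPort from the torrc lines above
LAN = ipaddress.IPv4Network("192.168.0.0/16")
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    dst: str          # destination IPv4 address
    dport: int        # destination port (0 for icmp)
    uid: int          # owner uid (-m owner --uid-owner)
    syn: bool = True  # TCP: True for a connection request (SYN only)


def nat_output(pkt: Packet) -> Packet:
    """*nat OUTPUT: return the packet after any REDIRECT (destination becomes 127.0.0.1)."""
    dst = ipaddress.IPv4Address(pkt.dst)
    if dst in LOOPBACK:        # -A OUTPUT -o lo -j RETURN (modelled by destination)
        return pkt
    if dst in LAN:             # --ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
        return pkt
    if pkt.uid == TOR_UID:     # -A OUTPUT -m owner --uid-owner "tor" -j RETURN
        return pkt
    if pkt.proto == "udp" and pkt.dport == 53:   # --dport 53 -j REDIRECT --to-ports 5353
        return replace(pkt, dst="127.0.0.1", dport=DNS_PORT)
    if pkt.proto == "tcp" and pkt.syn:           # --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT 9040
        return replace(pkt, dst="127.0.0.1", dport=TRANS_PORT)
    return pkt                 # anything else reaches the filter table unchanged


def filter_output(pkt: Packet) -> bool:
    """*filter OUTPUT for the first packet of a flow: True = ACCEPT, False = REJECT."""
    dst = ipaddress.IPv4Address(pkt.dst)
    if dst in LOOPBACK:        # --ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
        return True
    if dst in LAN:             # --ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
        return True
    # -m conntrack --ctstate RELATED,ESTABLISHED never matches a new flow's first packet
    if pkt.uid == TOR_UID:     # -A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
        return True
    return False               # --ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable


def outcome(pkt: Packet) -> str:
    """Summarise the fate of a packet: 'direct', 'rejected' or 'redirected to host:port'."""
    after = nat_output(pkt)
    if not filter_output(after):
        return "rejected"
    if after != pkt:
        return f"redirected to {after.dst}:{after.dport}"
    return "direct"


if __name__ == "__main__":
    # Constructed sample packets; 93.184.216.34 and 9.9.9.9 are just external addresses.
    samples = [
        ("user https to the internet", Packet("tcp", "93.184.216.34", 443, 1000)),
        ("user DNS lookup", Packet("udp", "9.9.9.9", 53, 1000)),
        ("user NTP (non-DNS UDP)", Packet("udp", "9.9.9.9", 123, 1000)),
        ("user ping", Packet("icmp", "9.9.9.9", 0, 1000)),
        ("user ssh to LAN", Packet("tcp", "192.168.1.10", 22, 1000)),
        ("tor daemon to a guard", Packet("tcp", "93.184.216.34", 9001, TOR_UID)),
    ]
    for label, pkt in samples:
        print(f"{label:28s} -> {outcome(pkt)}")
```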
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the Tor service, run the service as root; Tor will then switch back to the tor user itself. To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user. For this, change the owner and group of the data directory to tor and make it writable for that user:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352225Tor2014-12-24T00:06:27Z<p>Usprey: /* iptables */ example configuration with explanation of parameters.</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    ln -sr /usr/lib64 $TORCHROOT/lib64<br />
    ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS v5 proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar, accept the warning, change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. Without this setting Firefox resolves hostnames locally and leaks every site you visit to your normal DNS resolver; with it, hostnames are handed to Tor's SOCKS proxy and resolved inside the Tor network.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
 $ chromium --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"<br />
<br />
Naming the scheme {{ic|socks5://}} explicitly makes Chromium pass hostnames to Tor instead of resolving them locally. The {{ic|--host-resolver-rules}} switch, which Chromium documents for exactly this purpose, makes any remaining local lookup fail so that DNS cannot leak around the proxy.<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used behind an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using Tor's SOCKS5 port directly, since browsers support it natively and an extra proxy is just one more place where traffic can be misrouted.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}); Privoxy in turn needs a forwarding rule such as {{ic|forward-socks5t / 127.0.0.1:9050 .}} (or {{ic|forward-socks4a}} on older versions) in its configuration so that requests leave via Tor. To use the SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). The problem with the direct method is that applications which resolve DNS names themselves leak every name they look up to the local resolver. Prefer SOCKS4a or SOCKS5 with remote hostname resolution, or the Privoxy route (which resolves through Tor) for applications that cannot.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 since 2013] the tor shipped with the Tor Browser Bundle listens on port 9150 instead of 9050; a system {{ic|tor.service}} still uses 9050. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} service directly. Doing so requires identifying to nickserv with SASL during the connection (the charybdis/ircd-seven SASL mechanism); see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure prevents an adversary on your local network or at the mirror from learning a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered on the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
{{ic|--socks5-hostname}} (rather than {{ic|--socks5}}) hands the mirror's hostname to Tor for resolution. With plain {{ic|--socks5}}, curl would resolve the name locally and leak the mirror you use to your DNS resolver even though the download itself goes through Tor.<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, Tor is not allowed to bind a privileged port as the {{ic|tor}} user. Either pick an unprivileged ORPort (e.g. 8080) and, if you still want to be reachable on 443, [http://www.portforward.com/ forward external port 443 to it] on your router, or start the service as root and let Tor drop privileges with {{ic|User tor}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To make sure the relay never acts as an exit, add:<br />
<br />
 ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
Tor prepends your ''ExitPolicy'' lines to its default exit policy, which rejects a handful of ports (SMTP, NNTP and common file-sharing ports among them) and accepts the rest, and then finishes with an implicit {{ic|reject *:*}}. Entries are evaluated top to bottom and the first match wins, so to open a port the default policy blocks, accept it explicitly so your line is reached before the default reject:<br />
<br />
 ExitPolicy accept *:119 # Accept nntp in addition to the default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to setup Tor alongside [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To raise the {{ic|nofile}} limit for interactive sessions of the {{ic|tor}} user as well (for example when you start Tor by hand with {{ic|sudo -u tor}}), also append the following. Note that {{ic|/etc/security/limits.conf}} is applied by {{ic|pam_limits}} to login sessions only; the systemd service takes its limit from {{ic|LimitNOFILE}} above, not from this file.<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the limit of the running service was raised by inspecting its process: {{ic|# grep 'Max open files' /proc/$(pidof tor)/limits}}. For an interactive shell of the tor user use {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it has to run inside a shell).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root; specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops to the {{ic|tor}} user once the ports are bound. On systemd 229 or later, {{ic|1=AmbientCapabilities=CAP_NET_BIND_SERVICE}} in the drop-in lets Tor bind ports below 1024 without ever running as root, but {{ic|DisableAllSwap 1}} (which calls {{ic|mlockall}}) additionally needs {{ic|CAP_IPC_LOCK}}, so if you use both the root approach below is the simpler one.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on Port 80 and 443 the service need to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $FINGERPRINT1,$FINGERPRINT2 ## Fingerprints of all relays you operate, each prefixed with $<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections. Note that {{ic|DisableDebuggerAttachment 0}} also allows any process running as the tor user to ptrace Tor and read its keys from memory, so enable it only while you need connection details.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up and learn to use [[iptables]]. Instead of being [[Simple stateful firewall|stateful]], where connection tracking would have to follow thousands of connections on a Tor exit relay, this firewall configuration is stateless.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.<br />
<br />
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.<br />
<br />
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not when the host is an onion router.<br />
<br />
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.<br />
<br />
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} accepts every TCP segment that is not a pure SYN, i.e. packets belonging to connections already in progress. Because the {{ic|raw}} rules disabled connection tracking, this flag check stands in for the usual {{ic|ESTABLISHED}} state match; only new inbound connections (SYN) are subject to the port rules that follow.<br />
<br />
{{ic|-A INPUT -p udp -j ACCEPT}} allows all incoming UDP, because without connection tracking there is no way to tell the DNS replies the exit relay needs apart from anything else. This leaves every UDP service on the host reachable, so make sure none is listening on a public address (check with {{ic|# ss -ulnp}}).<br />
<br />
{{ic|-A INPUT -p icmp -j ACCEPT}} allows [https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
<br />
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allows incoming connections to the {{ic|ORPort}}.<br />
<br />
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allows incoming connections to the {{ic|DirPort}}.<br />
<br />
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS resolver. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 of 127.0.0.1 in this example) like a regular DNS server, and resolve the names via the Tor network. {{ic|AutomapHostsOnResolve}} makes Tor answer lookups for the {{ic|.onion}} and {{ic|.exit}} suffixes with a virtual address from an internal range, which it maps back to the real name when a connection to that address later arrives on its SOCKS or transparent port; programs that insist on resolving before connecting can thus still reach onion services. A downside is that it is only able to resolve address (A-record) queries; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
 DNSPort 53<br />
<br />
Port 53 is privileged, so this requires starting Tor as root with {{ic|User tor}} set (see [[#Start tor.service as root to bind Tor to privileged ports]]). Keep in mind that every name your system resolves, not only those of Tor destinations, now goes through Tor, and that only address lookups will be answered.<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set {{ic|DNSPort}} back to 9053 (as in the torrc above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
This configuration makes dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream server. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not overwrite the resolver configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
''torify'' itself does not resolve names; whether lookups go through Tor depends on the wrapper it finds. ''torsocks'' intercepts {{ic|gethostbyname}}/{{ic|getaddrinfo}} and resolves through Tor's SOCKS ''RESOLVE'' extension, whereas the older ''tsocks'' wrapper that ''torify'' may fall back to leaks lookups to the local resolver. If in doubt, watch for outgoing port-53 traffic (e.g. {{ic|# tcpdump -ni any port 53}}) while running a torified command, or resolve the name in advance with {{ic|<nowiki>tor-resolve</nowiki>}} (described above) and hand the application the address. In the latter case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, and it also prevents DNS leaks. Transparent torification is done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the traffic of the Tor process itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' still works. DNS is handled the same way via Tor's ''DNSPort''. Keep in mind that Tor only carries TCP: UDP packets other than DNS cannot be sent through Tor and must therefore be blocked entirely to prevent leaks.<br />
<br />
Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also does not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv6}} and {{ic|--ipv4}} mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can read the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its protocol.<br />
* The {{ic|--reject-with}} types used below are IPv4 ones, so the IPv6 rules use a plain {{ic|REJECT}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
 # ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
The two {{ic|192.168.0.0/16}} rules exempt your LAN from torification; adjust them to your actual local network, and remember that anything they match leaves the machine untouched by Tor. You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}}, together with matching {{ic|1=After=}} lines (''Requires'' alone does not order the units), to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
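Rule order in the nat table decides whether this works at all, and a reordered or hand-edited file fails silently. The following is an added example, not part of this page or of the iptables or Tor projects, that checks two invariants of a ruleset in {{ic|iptables-save}} format: the {{ic|--uid-owner tor -j RETURN}} exemption must come before any {{ic|REDIRECT}} in the nat OUTPUT chain (otherwise Tor's own connections are redirected back into its TransPort), and the filter OUTPUT policy must be {{ic|DROP}}. The rule file path is whatever you pass in; the check only reads the file and needs no privileges:<br />

```shell
#!/bin/sh
# Added example, not taken from the Arch wiki page or from Tor: a sanity check
# for a transparent-torification ruleset in iptables-save/iptables-restore
# format. Two ordering mistakes silently break the setup: if the REDIRECT
# rules come before the "--uid-owner tor -j RETURN" exemption, Tor's own
# outgoing connections are redirected back into its TransPort, and if the
# filter OUTPUT policy is not DROP, anything the nat table did not catch leaves
# the machine untouched.
#
# check_torify_rules FILE
#   Prints one line per problem found and returns 1 if there were any.
check_torify_rules() {
    rules_file=$1
    status=0

    # Line numbers of the tor-user exemption and of the first REDIRECT in the
    # nat OUTPUT chain (only rules between "*nat" and its COMMIT are considered).
    exempt_line=$(awk '/^\*nat/ {t=1} /^COMMIT/ {t=0}
                       t && /-A OUTPUT/ && /--uid-owner/ && /-j RETURN/ {print NR; exit}' "$rules_file")
    redirect_line=$(awk '/^\*nat/ {t=1} /^COMMIT/ {t=0}
                         t && /-A OUTPUT/ && /-j REDIRECT/ {print NR; exit}' "$rules_file")

    if [ -z "$exempt_line" ]; then
        echo "nat OUTPUT: no '--uid-owner tor -j RETURN' rule; Tor's own traffic would be redirected into its TransPort"
        status=1
    elif [ -n "$redirect_line" ] && [ "$redirect_line" -lt "$exempt_line" ]; then
        echo "nat OUTPUT: REDIRECT on line $redirect_line precedes the tor-user exemption on line $exempt_line"
        status=1
    fi

    # The filter table must drop by default so that non-torified traffic cannot leak.
    if ! awk '/^\*filter/ {t=1} /^COMMIT/ {t=0}
              t && /^:OUTPUT DROP/ {found=1} END {exit !found}' "$rules_file"; then
        echo "filter OUTPUT policy is not DROP; non-torified traffic can leave the host"
        status=1
    fi
    return $status
}

# Usage: check the ruleset this article installs before loading it
#   check_torify_rules /etc/iptables/iptables.rules && echo "ordering OK"
```

Run it against {{ic|/etc/iptables/iptables.rules}} before {{ic|iptables-restore}} loads it; a silent exit with status 0 means both invariants hold. It is deliberately a static check and says nothing about whether Tor's TransPort and DNSPort are actually listening on the ports the rules redirect to.<br />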
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
 # find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
 # chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
 # find /var/lib/tor/ ! -user tor -exec chown tor:tor {} +<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still cannot start, run it as root and let Tor switch to the tor user itself. To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
 User tor<br />
<br />
Then override the service with a drop-in rather than editing {{ic|/usr/lib/systemd/system/tor.service}} directly (a package update would overwrite that file):<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
</nowiki>}}<br />
<br />
The process is started as root and drops to the tor user after reading its configuration. Make sure the data directory belongs to that user and is private: Tor refuses to use a DataDirectory that is accessible by group or others, and the directory holds the client's or relay's long-term keys, so do '''not''' relax it to 755:<br />
<br />
 # chown -R tor:tor /var/lib/tor/<br />
 # chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
 # systemctl daemon-reload<br />
 # systemctl start tor.service<br />
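Both problems in this section, wrong ownership and a data directory that is not private, can be found with the same audit. The following is an added example, not part of this page or of Tor, that reports every entry under a DataDirectory not owned by the expected user and every entry with any group or other permission bit set. It assumes GNU {{ic|find}} (for the {{ic|-perm /077}} "any of these bits" form) and takes the directory and owner as arguments:<br />

```shell
#!/bin/sh
# Added example, not from the Arch wiki page or from Tor: audit a Tor
# DataDirectory for the two problems this section deals with. Entries not
# owned by the tor user produce the "Problem with User value" error, and
# entries readable by group or others make Tor refuse the directory and expose
# its keys (so never "chmod -R 755" it).
#
# audit_tor_datadir DIR OWNER
#   Prints one "wrong-owner PATH" or "too-permissive PATH" line per finding.
audit_tor_datadir() {
    dir=$1
    owner=$2
    # Anything not owned by the expected user (the cause of the error above).
    find "$dir" ! -user "$owner" -exec sh -c 'printf "wrong-owner %s\n" "$1"' _ {} \;
    # Anything with any group/other permission bit set (-perm /077 is GNU find
    # syntax: "any of these bits"). Tor wants the directory 0700 and keys 0600.
    find "$dir" -perm /077 -exec sh -c 'printf "too-permissive %s\n" "$1"' _ {} \;
}

# tor_datadir_is_clean DIR OWNER
#   Returns 0 when the audit finds nothing, 1 otherwise.
tor_datadir_is_clean() {
    [ -z "$(audit_tor_datadir "$1" "$2")" ]
}

# Usage on a real system (as root):
#   tor_datadir_is_clean /var/lib/tor tor || audit_tor_datadir /var/lib/tor tor
```

Run it as root so that {{ic|find}} can descend into the directory. An empty report means the ownership fix above is complete and nothing under {{ic|/var/lib/tor}} is readable by other users; {{ic|chmod -R go-rwx /var/lib/tor}} followed by the {{ic|chown}} from above clears both kinds of finding.<br />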
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352217Tor2014-12-23T23:41:06Z<p>Usprey: /* +100Mbps Exit Relay configuration example */</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should be left at its default of {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section of {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}, so that Tor drops to the tor user after binding them.<br />
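<br />
The two torrc/unit conflicts listed above, and the privileged-port case, can be checked mechanically. The following is an added example in Python, not code from the ArchWiki page or from the Tor project: it parses a torrc and the {{ic|[Service]}} section of a unit file and reports the combinations the text warns about. The torrc and unit text are constructed samples, and the check assumes a unit without {{ic|User<nowiki>=</nowiki>}} runs as root (the systemd default).<br />

```python
"""Flag the torrc / tor.service option conflicts described on the page:
RunAsDaemon must stay 0 with Type=simple, and a torrc User line (or a
privileged ORPort/DirPort) requires the unit to start Tor as root.
Added example; the torrc and unit text below are constructed samples."""

SAMPLE_TORRC = """\
# constructed torrc for a relay that binds privileged ports
RunAsDaemon 0
User tor
ORPort 443
DirPort 80
"""

SAMPLE_UNIT = """\
# constructed tor.service with the distribution default User=tor
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
User=tor
"""

# The same unit with the drop-in from the page applied (User=root).
SAMPLE_UNIT_ROOT = SAMPLE_UNIT.replace("User=tor", "User=root")


def parse_torrc(text):
    """Return {option: value}; Tor option names are case-insensitive, so
    keys are lower-cased.  A repeated option keeps its last value."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def parse_service_section(text):
    """Return the [Service] keys of a unit file as {Key: value}.  Later
    assignments override earlier ones, which is enough for User= and Type=."""
    section, service = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            service[key.strip()] = value.strip()
    return service


def listen_port(value):
    """Port of an ORPort/DirPort value such as '443', '0.0.0.0:443' or
    '443 IPv4Only'; None for 'auto' or '0' (option disabled)."""
    words = value.split()
    port = words[0].rsplit(":", 1)[-1] if words else ""
    return int(port) if port.isdigit() and int(port) > 0 else None


def find_conflicts(torrc_text, unit_text):
    """Apply the page's rules and return a list of findings (empty = clean)."""
    torrc = parse_torrc(torrc_text)
    service = parse_service_section(unit_text)
    runs_as_root = service.get("User", "root") == "root"  # no User= means root
    findings = []
    if service.get("Type", "simple") == "simple" and torrc.get("runasdaemon", "0") != "0":
        findings.append("RunAsDaemon must be 0 because tor.service uses Type=simple")
    if "user" in torrc and not runs_as_root:
        findings.append("torrc sets User but tor.service does not start Tor as root")
    for option in ("orport", "dirport"):
        port = listen_port(torrc.get(option, "0"))
        if port is not None and port < 1024 and not runs_as_root:
            findings.append(f"{option} {port} is privileged; set User=root in tor.service and User tor in torrc")
    if runs_as_root and "user" not in torrc:
        findings.append("tor.service starts Tor as root but torrc has no User line to drop privileges")
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_TORRC, SAMPLE_UNIT):
        print("conflict:", finding)
```

Running the sample pair reports three findings (the torrc {{ic|User}} line and both privileged ports); after the {{ic|User<nowiki>=</nowiki>root}} drop-in the same torrc is clean, and a root unit without a {{ic|User}} line in torrc is flagged because Tor would then keep root privileges.<br />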
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor in $TORCHROOT; run this script as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Symlink targets are resolved inside the chroot, so /lib -> /usr/lib ends up at $TORCHROOT/usr/lib<br />
ln -s /usr/lib $TORCHROOT/lib<br />
# Name resolution and time zone files Tor reads at runtime<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# The Tor binary, its GeoIP databases, the NSS/resolver libraries glibc loads at runtime<br />
# (which ldd does not list) and every shared library ldd does report<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group are visible inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs: the entropy sources and /dev/null<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
# On x86_64 the dynamic loader is looked up via /lib64, so that path must resolve inside the chroot too.<br />
# Link targets must be paths valid inside the chroot, not host paths below $TORCHROOT.<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -s /usr/lib $TORCHROOT/lib64<br />
ln -s /usr/lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy on port 9050 (plain Tor with default settings) or port 9051 (Vidalia with default settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy instead of the local resolver.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if it is ticked, untick the option ''Use the same proxy server for all protocols'', then enter ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally, enable the quick switch under the ''General'' tab to be able to switch between normal browsing and the Tor network just by left-clicking the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications, like messaging clients (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, which lets the proxy resolve hostnames.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed: the client is pointed at Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should share at least 20 KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
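<br />
ExitPolicy entries are matched in order, first match wins, and Tor appends its own default policy after the operator's entries, which is why {{ic|accept *:119}} on its own re-opens NNTP while everything else stays at the defaults. The following added example in Python (not code from the ArchWiki page or from the Tor project) implements that evaluation so a policy can be checked before it goes live. It models {{ic|*}}, an address or CIDR pattern, the {{ic|private}} keyword, and port patterns ({{ic|*}}, a port, a range); the default policy and the expansion of {{ic|private}} are taken from the tor manual, the {{ic|ExitPolicyRejectPrivate}} handling of the relay's own public IP is not modelled, and the addresses in the test are documentation ranges.<br />

```python
"""Evaluate Tor ExitPolicy lines the way Tor does: entries in order, first
match wins, operator entries before the built-in default policy.
Added example; not code from the page or from the Tor project."""
import ipaddress
import re

# Tor's default exit policy as listed in the tor manual (ExitPolicy).
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)

# What the 'private' keyword expands to, per the tor manual.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8", "192.168.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12",
    "::/8", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8")]

ENTRY_RE = re.compile(
    r"(accept6?|reject6?)\s+"
    r"(\*|private|\[[^\]]+\](?:/\d+)?|[0-9.]+(?:/\d+)?)"  # address pattern
    r"(?::(\*|\d+(?:-\d+)?))?",                          # optional port pattern
    re.IGNORECASE)


def parse_policy(text):
    """Parse comma-separated entries into (accept, network_or_None, lo, hi).
    network None means '*'; 'private' is expanded into one rule per network."""
    rules = []
    for entry in text.split(","):
        entry = entry.split("#", 1)[0].strip()
        if not entry:
            continue
        m = ENTRY_RE.fullmatch(entry)
        if not m:
            raise ValueError(f"bad ExitPolicy entry: {entry!r}")
        accept = m.group(1).lower().startswith("accept")
        addr, ports = m.group(2).lower(), m.group(3) or "*"
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = map(int, ports.split("-", 1))
        else:
            lo = hi = int(ports)
        if addr == "*":
            rules.append((accept, None, lo, hi))
        elif addr == "private":
            rules.extend((accept, net, lo, hi) for net in PRIVATE_NETWORKS)
        else:
            net = ipaddress.ip_network(addr.replace("[", "").replace("]", ""), strict=False)
            rules.append((accept, net, lo, hi))
    return rules


def exit_allowed(policy_lines, dest_ip, dest_port, reject_private=True):
    """True if a stream to dest_ip:dest_port may leave this exit.
    policy_lines are the operator's ExitPolicy values in torrc order;
    reject_private mirrors ExitPolicyRejectPrivate (default 1), which
    prepends 'reject private:*' (the relay's own public IP is not modelled)."""
    rules = parse_policy("reject private:*") if reject_private else []
    for line in policy_lines:
        rules += parse_policy(line)
    rules += parse_policy(DEFAULT_EXIT_POLICY)  # appended after operator entries
    ip = ipaddress.ip_address(dest_ip)
    for accept, net, lo, hi in rules:
        if net is not None and (ip.version != net.version or ip not in net):
            continue
        if lo <= dest_port <= hi:
            return accept
    return False  # not reached: the default policy ends in accept *:*


if __name__ == "__main__":
    # Constructed check: IRC-only exit, NNTP re-opened, own /24 blocked.
    for policy in (["accept *:6660-6667,reject *:*"], ["accept *:119"],
                   ["reject 203.0.113.0/24:*"]):
        print(policy, {p: exit_allowed(policy, "198.51.100.10", p) for p in (25, 80, 119, 6667)})
```

The run shows the three behaviours the text describes: an explicit trailing {{ic|reject *:*}} closes everything else, a bare {{ic|accept *:119}} overrides only the default NNTP rejection, and a {{ic|reject}} for the operator's own netblock is evaluated before the default policy while the private ranges are rejected even when the policy says {{ic|accept *:*}}.<br />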
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside an [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the public IP of the host or of neighboring machines and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Set up [[iptables]] according to the wiki.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle many OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not overwrite the resolv configuration file. Just add this line in the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
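<br />
What {{ic|tor-resolve}} does underneath, both in the TorDNS section and in the torify workaround above, is Tor's SOCKS5 RESOLVE extension: a normal SOCKS5 request with command {{ic|0xF0}} and a domain-name address, to which Tor replies with the resolved address in the BND.ADDR field. The following is an added example in Python, not code from the ArchWiki page or from the Tor project: it builds the greeting and RESOLVE request, parses the reply, and only contacts a SocksPort in the {{ic|resolve_via_tor}} helper. The reply bytes in the block are constructed, not captured; the default host and port assume a Tor SocksPort on 127.0.0.1:9050.<br />

```python
"""The SOCKS5 messages behind tor-resolve: Tor's RESOLVE extension
(command 0xF0, see Tor's socks-extensions.txt).  Added example; not code
from the page or from the Tor project.  Reply bytes are constructed."""
import socket
import struct
import sys

SOCKS_VERSION = 5
CMD_RESOLVE = 0xF0           # Tor extension: resolve a hostname through Tor
CMD_RESOLVE_PTR = 0xF1       # Tor extension: reverse lookup of an address
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_resolve_request(hostname):
    """RESOLVE request: VER CMD RSV ATYP LEN NAME PORT(=0).
    Sending the name, not a locally resolved address, is what keeps the
    lookup inside Tor instead of leaking it to the system resolver."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 domain encoding")
    header = struct.pack("!BBBBB", SOCKS_VERSION, CMD_RESOLVE, 0, ATYP_DOMAIN, len(name))
    return header + name + b"\x00\x00"


def parse_reply(data):
    """Parse a SOCKS5 reply; on success the resolved address is in BND.ADDR.
    Returns the address as text, raises on a SOCKS error or truncated data."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0:
        raise RuntimeError(f"RESOLVE failed: {REPLY_TEXT.get(rep, rep)}")
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:               # RESOLVE_PTR answers with a name
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) < end + 2:                 # BND.PORT must follow the address
        raise ValueError("truncated reply")
    return addr


def resolve_via_tor(hostname, host="127.0.0.1", port=9050, timeout=30):
    """Run the exchange against a live SocksPort (assumed 127.0.0.1:9050)."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError("Tor did not accept the no-auth method")
        s.sendall(build_resolve_request(hostname))
        return parse_reply(s.recv(512))    # replies are a few bytes; one read suffices


# Constructed reply: success, IPv4, 66.211.214.131 (the value the page shows
# for archlinux.org), BND.PORT 0.
SAMPLE_REPLY = bytes([5, 0, 0, ATYP_IPV4, 66, 211, 214, 131, 0, 0])

if __name__ == "__main__":
    print(resolve_via_tor(sys.argv[1] if len(sys.argv) > 1 else "archlinux.org"))
```

Running the module with a hostname prints what {{ic|tor-resolve}} would print; the offline part of the block shows that the request never carries an IP address, which is the whole point of resolving through Tor rather than through the local resolver.<br />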
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port; this also prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but note that Tor only supports TCP, so UDP packets other than DNS cannot be sent through Tor and must be blocked entirely to prevent leaks.<br />
<br />
Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification solutions such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
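<br />
To see why the rule set above blocks leaks rather than merely redirecting, the following added example (not part of this article) replays constructed packets through a small model of its nat and filter OUTPUT chains. The uid 43 for the tor user, the interface name eth0 and the destination addresses are constructed values.<br />
<br />
```python
"""Trace a locally generated packet through the transparent torification rules above.
Added example, not from the ArchWiki article; models only the matches that rule set uses."""
import ipaddress
import shlex

UIDS = {"tor": 43}   # constructed name->uid map; the real uid comes from /etc/passwd

# Constructed excerpt: the two OUTPUT chains of /etc/iptables/iptables.rules above.
RULES = """
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""

OPTS = {  # option: (rule key, converter, argument count)
    "-A": ("chain", str, 1), "-o": ("out_if", str, 1), "-p": ("proto", str, 1),
    "-d": ("dst", lambda a: ipaddress.ip_network(a, strict=False), 1),
    "--dport": ("dport", int, 1), "-j": ("target", str, 1), "--to-ports": ("to_ports", int, 1),
    "--ctstate": ("ctstate", lambda a: set(a.split(",")), 1),
    "--uid-owner": ("uid", lambda a: int(a) if a.isdigit() else UIDS[a], 1),
    "--tcp-flags": ("syn", None, 2), "--ipv4": ("family", None, 0), "--ipv6": ("family", None, 0),
    "-m": (None, None, 1), "--reject-with": (None, None, 1),   # add no match criteria
}

def parse_rule(toks):
    """Turn the tokens of one '-A CHAIN ...' line into a rule dict."""
    rule, i = {}, 0
    while i < len(toks):
        opt, (key, conv, n) = toks[i], OPTS[toks[i]]
        args, i = toks[i + 1:i + 1 + n], i + 1 + n
        if opt in ("--ipv4", "--ipv6"):
            rule["family"] = int(opt[-1])    # ip(6)tables-restore loads only its own family
        elif opt == "--tcp-flags":
            rule["syn"] = "SYN" in args[1].split(",")   # match connection-opening SYNs only
        elif key:
            rule[key] = conv(args[0])
    return rule

def parse_rules(text):
    """Parse iptables-restore text into {table: {"policy": {...}, "chains": {...}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] == "COMMIT":
            continue
        if toks[0].startswith("*"):
            table = tables.setdefault(toks[0][1:], {"policy": {}, "chains": {}})
        elif toks[0].startswith(":"):
            table["policy"][toks[0][1:]] = toks[1]
        else:
            rule = parse_rule(toks)
            table["chains"].setdefault(rule.pop("chain"), []).append(rule)
    return tables

def matches(rule, pkt):
    for key in ("family", "out_if", "proto", "dport", "uid"):
        if rule.get(key) not in (None, pkt[key]):
            return False
    return (("dst" not in rule or pkt["dst"] in rule["dst"])
            and (not rule.get("syn") or pkt["syn"])
            and ("ctstate" not in rule or pkt["ctstate"] in rule["ctstate"]))

def walk(tables, table, chain, pkt):
    """First matching terminating target, else the chain policy; RETURN ends the chain."""
    for rule in tables[table]["chains"].get(chain, []):
        if matches(rule, pkt):
            if rule["target"] == "RETURN":
                break
            return rule["target"], rule.get("to_ports")
    return tables[table]["policy"][chain], None

def packet(dst, dport, proto="tcp", uid=1000, ctstate="NEW"):
    addr = ipaddress.ip_address(dst)    # a NEW tcp packet is the connection-opening SYN
    return {"family": addr.version, "dst": addr, "dport": dport, "proto": proto, "uid": uid,
            "ctstate": ctstate, "syn": proto == "tcp" and ctstate == "NEW",
            "out_if": "lo" if addr.is_loopback else "eth0"}

def trace(tables, pkt):
    """(Tor port the packet was redirected to or None, final filter OUTPUT verdict)."""
    pkt, port = dict(pkt), None
    verdict, to_ports = walk(tables, "nat", "OUTPUT", pkt)
    if verdict == "REDIRECT":        # REDIRECT rewrites the destination to loopback
        port, loop = to_ports, "127.0.0.1" if pkt["family"] == 4 else "::1"
        pkt.update(dst=ipaddress.ip_address(loop), dport=port, out_if="lo")
    return port, walk(tables, "filter", "OUTPUT", pkt)[0]
```
<br />
A user's TCP SYN ends up on port 9040 and a DNS query on port 5353, while any other UDP packet from a user reaches the filter table unredirected and is rejected, which is the leak protection described above; traffic from the tor user itself passes untouched.<br />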
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the {{ic|User}} value, which most likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still fails to start, run the service as root; Tor will then drop privileges to the tor user itself. To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the {{ic|[Service]}} section of the systemd unit {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will still run as the tor user, so make sure the data directory is owned by the {{ic|tor}} user and group and writable by it:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=352213Tor2014-12-23T23:35:51Z<p>Usprey: /* +100Mbps Exit Relay configuration example */</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot (run as root)<br />
set -e   # abort on the first failed copy rather than leaving a half-built chroot<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"/{etc/tor,dev,usr/bin,usr/lib,usr/share/tor,var/lib}<br />
<br />
# Arch merges /lib into /usr/lib, so mirror that layout inside the chroot<br />
ln -s /usr/lib "$TORCHROOT"/lib<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT"/etc/<br />
cp /etc/tor/torrc "$TORCHROOT"/etc/tor/<br />
<br />
cp /usr/bin/tor "$TORCHROOT"/usr/bin/<br />
cp /usr/share/tor/geoip* "$TORCHROOT"/usr/share/tor/<br />
# NSS and resolver libraries are loaded at run time, so ldd does not list them<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* "$TORCHROOT"/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT"/usr/lib/<br />
cp -r /var/lib/tor "$TORCHROOT"/var/lib/<br />
chown -R tor:tor "$TORCHROOT"/var/lib/tor<br />
<br />
# Only the tor user and group need to resolve inside the chroot<br />
grep --color=never ^tor /etc/passwd > "$TORCHROOT"/etc/passwd<br />
grep --color=never ^tor /etc/group > "$TORCHROOT"/etc/group<br />
<br />
mknod -m 644 "$TORCHROOT"/dev/random c 1 8<br />
mknod -m 644 "$TORCHROOT"/dev/urandom c 1 9<br />
mknod -m 666 "$TORCHROOT"/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT"/usr/lib/<br />
    # The links must resolve from inside the chroot, so point them at paths<br />
    # that exist there rather than at $TORCHROOT on the host<br />
    ln -s /usr/lib64 "$TORCHROOT"/lib64<br />
    ln -s /usr/lib "$TORCHROOT"/usr/lib64<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to use port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] is running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use a SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. The client talks to Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman relay (no exit traffic):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
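<br />
How Tor applies these lines, as an added example that is not from this article or from Tor's source: entries are evaluated in order, the first match wins, and the default policy (assumed here from {{ic|man tor}}; verify it against your version) is consulted only after the operator's entries. The {{ic|203.0.113.0/24}} netblock is a constructed stand-in for a relay's own public range; only IPv4 addresses and {{ic|*}} are modelled.<br />
<br />
```python
"""Evaluate a torrc ExitPolicy the way Tor does: entries are checked in order, the
first match wins, and Tor's default policy is consulted after the operator's entries.
Added example, not from the ArchWiki article or the Tor code base; IPv4 and * only."""
import ipaddress
import re

# Tor's default exit policy as listed in man tor (assumed; verify against your version).
DEFAULT_POLICY = ("reject *:25, reject *:119, reject *:135-139, reject *:445, "
                  "reject *:563, reject *:1214, reject *:4661-4666, reject *:6346-6429, "
                  "reject *:6699, reject *:6881-6999, accept *:*")

ENTRY_RE = re.compile(r"^(accept|reject)\s+([^:\s]+):(\S+)$")


def parse_policy(text):
    """Turn 'accept *:6660-6667,reject *:* # comment' into a list of
    (action, network or None for '*', (low_port, high_port)) tuples."""
    entries = []
    for item in text.split("#", 1)[0].split(","):
        item = item.strip()
        if not item:
            continue
        m = ENTRY_RE.match(item)
        if not m:
            raise ValueError("malformed ExitPolicy entry: " + item)
        action, addr, port = m.groups()
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            low, high = 1, 65535
        else:
            low, _, high = port.partition("-")
            low, high = int(low), int(high or low)
        entries.append((action, net, (low, high)))
    return entries


def exit_allowed(policy, address, port, default=DEFAULT_POLICY):
    """Return (allowed, deciding entry) for a connection the relay is asked to open."""
    addr = ipaddress.ip_address(address)
    for action, net, (low, high) in parse_policy(policy) + parse_policy(default):
        if (net is None or addr in net) and low <= port <= high:
            return action == "accept", f"{action} {'*' if net is None else net}:{low}-{high}"
    return False, "no entry matched"      # unreachable while the default ends in accept *:*


# The ExitPolicy lines from the section above; 203.0.113.0/24 is a constructed
# stand-in for the relay's own public netblock (reject XXX.XXX.XXX.XXX/XX:*).
POLICIES = {
    "allow all": "accept *:*",
    "irc only": "accept *:6660-6667,reject *:* # Allow irc ports but no more",
    "nntp too": "accept *:119 # Accept nntp as well as default exit policy",
    "middleman": "reject *:*",
    "own netblock": "reject 203.0.113.0/24:*",
}


def summarize(policy, destinations):
    """Map 'address:port' to whether the policy lets an exit connection through."""
    return {f"{a}:{p}": exit_allowed(policy, a, p)[0] for a, p in destinations}
```
<br />
Note that {{ic|accept *:*}} placed before the default policy also re-opens ports such as 25 that the default rejects, whereas {{ic|accept *:119}} alone re-opens only NNTP and leaves the rest of the default policy in force.<br />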
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside [[iptables]], [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== iptables =====<br />
Setup [[iptables]] according to the wiki.<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
*raw<br />
-A PREROUTING -j NOTRACK<br />
-A OUTPUT -j NOTRACK<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
-A INPUT -p tcp ! --syn -j ACCEPT<br />
-A INPUT -p udp -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -p tcp --dport 443 -j ACCEPT<br />
-A INPUT -p tcp --dport 80 -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
COMMIT<br />
</nowiki>}}<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a large number of OpenSSL connections; [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] provide further documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
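As an added example (not part of the wiki page), the following Python snippet parses constructed copies of the two files above and reports any path by which a query could bypass TorDNS: a second nameserver left behind by dhcpcd in {{ic|/etc/resolv.conf}}, a missing {{ic|no-resolv}}, or a dnsmasq upstream that is not Tor's DNSPort. The port 9053 and the file contents come from this section; the function names and the "leaky" sample are assumptions made for the demonstration.<br />
<br />
```python
"""Check that a resolv.conf / dnsmasq.conf pair routes every DNS query
through TorDNS. Added example, not from the ArchWiki page; it parses
constructed copies of the two files instead of reading /etc."""
import ipaddress

TOR_DNS_PORT = 9053  # DNSPort used by the section above

# Constructed sample: the files exactly as the section produces them.
RESOLV_CONF_OK = "nameserver 127.0.0.1\n"
DNSMASQ_CONF_OK = "no-resolv\nserver=127.0.0.1#9053\nlisten-address=127.0.0.1\n"

# Constructed sample: dhcpcd rewrote resolv.conf and dnsmasq still falls
# back to the system resolvers (no-resolv missing) plus a public upstream.
RESOLV_CONF_LEAKY = (
    "# Generated by dhcpcd\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
)
DNSMASQ_CONF_LEAKY = (
    "server=127.0.0.1#9053\nserver=192.0.2.53\nlisten-address=127.0.0.1\n"
)


def resolv_nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment here
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dnsmasq_upstreams(text):
    """Return (no_resolv, [(addr, port), ...]) from a dnsmasq.conf body.
    In dnsmasq a line-leading '#' is a comment, but 'server=IP#PORT' uses
    '#' as the port separator, so only whole-line comments are skipped."""
    no_resolv = False
    upstreams = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "no-resolv":
            no_resolv = True
        elif line.startswith("server="):
            addr, _, port = line[len("server="):].partition("#")
            upstreams.append((addr, int(port) if port else 53))
    return no_resolv, upstreams


def dns_leak_findings(resolv_text, dnsmasq_text, tor_port=TOR_DNS_PORT):
    """Return human-readable findings; an empty list means every resolver
    path ends at TorDNS on the loopback interface."""
    findings = []
    for ns in resolv_nameservers(resolv_text):
        if not ipaddress.ip_address(ns).is_loopback:
            findings.append(f"resolv.conf: non-loopback nameserver {ns}")
    no_resolv, upstreams = dnsmasq_upstreams(dnsmasq_text)
    if not no_resolv:
        findings.append("dnsmasq: no-resolv missing, system resolvers would be used")
    if not upstreams:
        findings.append("dnsmasq: no server= upstream configured")
    for addr, port in upstreams:
        if not ipaddress.ip_address(addr).is_loopback or port != tor_port:
            findings.append(f"dnsmasq: upstream {addr}#{port} is not TorDNS")
    return findings


if __name__ == "__main__":
    print("ok:", dns_leak_findings(RESOLV_CONF_OK, DNSMASQ_CONF_OK))
    print("leaky:", dns_leak_findings(RESOLV_CONF_LEAKY, DNSMASQ_CONF_LEAKY))
```
<br />
To run it against a live system, pass the contents of the real files to {{ic|dns_leak_findings}}; the checks are deliberately strict, so a non-loopback nameserver is reported even when dnsmasq itself is correctly configured, because the system would still query it directly if dnsmasq were down.<br />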
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv6}} and {{ic|--ipv4}} are used for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for the matching protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
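The ruleset above has to keep a specific shape to prevent leaks: Tor's own connections must escape the nat chain before any REDIRECT (or they would loop back into the TransPort), local DNS and every new TCP connection must be redirected, and whatever remains (for example non-DNS UDP) must hit a DROP policy and a final REJECT. As an added example that is not part of the wiki page, this Python snippet parses the {{ic|iptables-restore}} format, honouring the {{ic|--ipv4}}/{{ic|--ipv6}} prefixes the way the note describes, and checks those properties against a constructed copy of the ruleset (INPUT rules trimmed). The function names and the "weakened" variants in the usage are assumptions made for the demonstration; the ports and user name are the section's own.<br />
<br />
```python
"""Parse an iptables-restore file and check the leak-protection properties
the transparent torification section relies on. Added example, not from the
page; RULES is a constructed copy of the ruleset above with INPUT trimmed."""
import shlex

RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""


def parse_restore(text, family="ipv4"):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, args)]}}
    for one address family; rules prefixed with the other family's flag are
    skipped, as ip*tables-restore does."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line == "COMMIT":
            table = None
        else:
            args = shlex.split(line)  # also strips the quotes around "tor"
            if args[0] in ("--ipv4", "--ipv6"):
                if args[0][2:] != family:
                    continue
                args = args[1:]
            if args[0] == "-A":
                table["rules"].append((args[1], args[2:]))
    return tables


def has(args, *needle):
    """True if the argument list contains the needle tokens consecutively."""
    n = len(needle)
    return any(tuple(args[i:i + n]) == needle for i in range(len(args) - n + 1))


def torification_findings(text, family="ipv4", tor_user="tor",
                          dns_port="5353", trans_port="9040"):
    """Return a list of findings; empty means the ruleset has the shape the
    section describes for that address family."""
    findings = []
    tables = parse_restore(text, family)
    nat_out = [a for c, a in tables.get("nat", {"rules": []})["rules"] if c == "OUTPUT"]
    filt = tables.get("filter", {"policy": {}, "rules": []})
    filt_out = [a for c, a in filt["rules"] if c == "OUTPUT"]

    # Tor's own packets must RETURN before any REDIRECT or they loop back in.
    ret = next((i for i, a in enumerate(nat_out)
                if has(a, "--uid-owner", tor_user) and has(a, "-j", "RETURN")), None)
    redir = next((i for i, a in enumerate(nat_out) if has(a, "-j", "REDIRECT")), None)
    if ret is None or (redir is not None and redir < ret):
        findings.append("nat OUTPUT: tor uid RETURN missing or after a REDIRECT")
    # Local DNS and every new TCP connection go to the DNSPort / TransPort.
    if not any(has(a, "--dport", "53") and has(a, "--to-ports", dns_port) for a in nat_out):
        findings.append("nat OUTPUT: UDP 53 is not redirected to the DNSPort")
    if not any(has(a, "-p", "tcp") and has(a, "--to-ports", trans_port) for a in nat_out):
        findings.append("nat OUTPUT: TCP SYN is not redirected to the TransPort")
    # Whatever was not redirected (e.g. non-DNS UDP) must be dropped.
    if filt["policy"].get("OUTPUT") != "DROP":
        findings.append("filter OUTPUT: policy is not DROP")
    if not filt_out or not has(filt_out[-1], "-j", "REJECT"):
        findings.append("filter OUTPUT: last rule is not a catch-all REJECT")
    # An ACCEPT with no destination/module/interface match bypasses Tor.
    for a in filt_out:
        if has(a, "-j", "ACCEPT") and not any(k in a for k in ("-d", "-m", "-o")):
            findings.append("filter OUTPUT: unconditional ACCEPT: " + " ".join(a))
    return findings


if __name__ == "__main__":
    for fam in ("ipv4", "ipv6"):
        print(fam, torification_findings(RULES, family=fam))
```
<br />
Running the checker on the ruleset as written returns no findings for either family; removing the {{ic|--uid-owner "tor" -j RETURN}} line from the nat chain, or changing the filter OUTPUT policy to ACCEPT, each produce exactly one finding. To audit a live machine, feed it the output of {{ic|iptables-save}}, which uses the same format.<br />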
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the Tor service, run the service as root (Tor itself will then switch back to the tor user). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then drop privileges and run as the tor user. For this purpose, change the owner and group of the data directory to tor and also make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Haveged&diff=349145Haveged2014-12-08T18:55:35Z<p>Usprey: Added "See Also" section with links to project and digitalocean</p>
<hr />
<div>[[Category:Security]]<br />
[[ja:haveged]]<br />
The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.[http://www.issihosts.com/haveged/]<br />
<br />
==List available entropy==<br />
If you are not sure whether you need haveged, run:<br />
# cat /proc/sys/kernel/random/entropy_avail<br />
This command shows how much entropy your server has collected.<br />
If it is rather low (<1000), you should probably install haveged. Otherwise cryptographic applications will block until enough entropy is available, which could, for example, result in slow WLAN speed if your server is a [[Software access point]].<br />
<br />
You should use this command again to verify how much haveged boosted your entropy pool after the installation.<br />
<br />
==Installation==<br />
<br />
Install the {{pkg|haveged}} package from the [[official repositories]].<br />
<br />
==Service==<br />
<br />
The package provides {{ic|haveged.service}}, see [[systemd]] for details.<br />
<br />
==Alternatives==<br />
<br />
{{pkg|rng-tools}} provides a similar service.<br />
<br />
== See also==<br />
*[http://www.issihosts.com/haveged http://www.issihosts.com/haveged]<br />
*[http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged]</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=349058Tor2014-12-08T11:00:14Z<p>Usprey: /* Haveged */ fixed link title</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot. Run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
# Directory skeleton<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Name resolution, time zone and Tor configuration files<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# Tor binary, GeoIP data and every shared library it links against<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
# Data directory (keys and state), owned by the unprivileged tor user<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group are known inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs for randomness and discarding output<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
# 64-bit systems: dynamic loader and lib64 compatibility links<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in file:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use a SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method, though, is that applications doing DNS resolution by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.<br />
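The DNS leak mentioned here, and the {{ic|network.proxy.socks_remote_dns}} setting in the Firefox section above, come down to which side of the SOCKS connection performs the name lookup. As an added example that is not part of the wiki page or of Tor, the Python snippet below builds the CONNECT request an application sends to the SOCKS port in both forms: SOCKS5 with an IP literal (the application already resolved the name through the system resolver) versus SOCKS5 with a hostname (ATYP 0x03, the form {{ic|--socks5-hostname}} and {{ic|socks_remote_dns}} select) and SOCKS4a (hostname appended after a 0.0.0.x placeholder address). Nothing is sent on the network; the function names are assumptions and the decoder only exists to show which party resolves the name.<br />
<br />
```python
"""Encode and decode SOCKS CONNECT requests to show who resolves the
destination name. Added example, not code from the wiki page or from Tor;
it only constructs request bytes and never opens a socket."""
import ipaddress
import struct


def socks5_connect_request(host, port):
    """SOCKS5 CONNECT (RFC 1928). A hostname is sent as ATYP 0x03 so the
    proxy (Tor) resolves it; an IP literal uses ATYP 0x01 (v4) or 0x04 (v6),
    which means the application already did a local DNS lookup."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = b"\x03" + bytes([len(name)]) + name
    elif ip.version == 4:
        dst = b"\x01" + ip.packed
    else:
        dst = b"\x04" + ip.packed
    return b"\x05\x01\x00" + dst + struct.pack("!H", port)


def socks4a_connect_request(host, port, userid=b""):
    """SOCKS4a CONNECT: a DSTIP of 0.0.0.x (x != 0) tells the proxy that the
    NUL-terminated hostname following the user id must be resolved by it."""
    return (b"\x04\x01" + struct.pack("!H", port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def parse_connect_request(req):
    """Decode either form; 'resolved_by' says which side does the DNS lookup."""
    if req[0] == 5:
        atyp = req[3]
        if atyp == 1:
            host, rest, who = str(ipaddress.IPv4Address(req[4:8])), req[8:], "client"
        elif atyp == 4:
            host, rest, who = str(ipaddress.IPv6Address(req[4:20])), req[20:], "client"
        elif atyp == 3:
            n = req[4]
            host, rest, who = req[5:5 + n].decode("idna"), req[5 + n:], "proxy"
        else:
            raise ValueError("unknown SOCKS5 address type")
        port = struct.unpack("!H", rest[:2])[0]
        return {"version": 5, "host": host, "port": port, "resolved_by": who}
    if req[0] == 4:
        port = struct.unpack("!H", req[2:4])[0]
        dstip = req[4:8]
        fields = req[8:].split(b"\x00")  # [userid, hostname (4a only), ...]
        if dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0:
            return {"version": 4, "host": fields[1].decode("idna"),
                    "port": port, "resolved_by": "proxy"}
        return {"version": 4, "host": str(ipaddress.IPv4Address(dstip)),
                "port": port, "resolved_by": "client"}
    raise ValueError("unknown SOCKS version")


if __name__ == "__main__":
    for req in (socks5_connect_request("check.torproject.org", 443),
                socks5_connect_request("127.0.0.1", 9050),
                socks4a_connect_request("archlinux.org", 80)):
        print(req.hex(), parse_connect_request(req))
```
<br />
Whenever {{ic|resolved_by}} comes out as {{ic|client}}, the application had to ask the system resolver first, which is exactly the lookup an observer on the local network sees; a proxy-resolved request carries the name to Tor and the exit relay performs the lookup instead.<br />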
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, we do not need an HTTP proxy like [[polipo]]/[[privoxy]]. We will be using Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the port changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridges documentation], your torrc should consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
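Tor evaluates an {{ic|ExitPolicy}} as an ordered list: the first rule whose address and port match decides, and anything that matches no rule falls through to Tor's built-in default policy, which is why {{ic|accept *:119}} alone re-enables NNTP while keeping the rest of the default. As an added example that is not Tor's code and not part of the wiki page, the Python snippet below implements that first-match evaluation for the three policies in this section and for the {{ic|reject XXX.XXX.XXX.XXX/XX:*}} form used in the exit relay example further down. {{ic|DEFAULT_TAIL}} is an abbreviated stand-in for the default policy (the real list in {{ic|man tor}} rejects more ports) and the function names are assumptions.<br />
<br />
```python
"""First-match evaluation of a torrc ExitPolicy. Added example, not Tor's
own code; DEFAULT_TAIL is an abbreviated stand-in for Tor's default policy."""
import ipaddress

# Assumption: shortened stand-in for the default policy Tor appends after
# the operator's rules. The real default rejects more ports (see man tor).
DEFAULT_TAIL = "reject *:25,reject *:119,accept *:*"


def parse_policy(text):
    """'accept *:6660-6667,reject 203.0.113.0/24:*' ->
    [(accept?, network or None for '*', low_port, high_port), ...]
    Addresses are IPv4 hosts or CIDR networks, as used in this section."""
    rules = []
    for item in text.split(","):
        action, _, target = item.strip().partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"bad action in {item!r}")
        addr, _, ports = target.rpartition(":")
        addr = addr.strip("[]")
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in {item!r}")
        rules.append((action == "accept", network, lo, hi))
    return rules


def exit_allowed(policy, dest_ip, dest_port, default_tail=DEFAULT_TAIL):
    """Return (allowed, rule_text) for the first rule matching the
    destination, consulting the operator's policy first and the default
    policy afterwards, as Tor does."""
    ip = ipaddress.ip_address(dest_ip)
    full = policy + "," + default_tail if policy.strip() else default_tail
    for (accept, network, lo, hi), text in zip(parse_policy(full), full.split(",")):
        # 'ip in network' is False for mismatched address families
        if (network is None or ip in network) and lo <= dest_port <= hi:
            return accept, text.strip()
    return False, "no rule matched"


if __name__ == "__main__":
    # Constructed destinations from documentation address ranges.
    for policy, port in (("accept *:*", 25),
                         ("accept *:6660-6667,reject *:*", 80),
                         ("accept *:119", 119),
                         ("reject 203.0.113.0/24:*", 443)):
        print(policy, "->", exit_allowed(policy, "203.0.113.10", port))
```
<br />
The last case shows the point of the {{ic|reject XXX.XXX.XXX.XXX/XX:*}} line in the exit relay example: a connection from a Tor client to the relay's own subnet is refused by the first rule before the default {{ic|accept *:*}} is ever reached.<br />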
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} or {{ic|# sudo -u tor bash}} and {{ic|# ulimit -Hn}} ({{ic|ulimit}} is a shell builtin, so it must be run inside a shell started as the tor user).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the public IP of the host or of neighboring machines and thereby circumvent firewalls.<br />
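As an added example (not part of the wiki page or of Tor's own tooling), the following POSIX shell functions derive that reject line from {{ic|ip -4 addr show}} output: the hypothetical helper {{ic|network_of}} masks an address/prefix to its network, and {{ic|exit_policy_lines}} emits one {{ic|ExitPolicy reject}} line per global address. The sample output embedded in the script is constructed from documentation address ranges.<br />

```sh
#!/bin/sh
# Added example (not from the Arch wiki or Tor): derive the "ExitPolicy reject" line
# for the relay's own network from `ip -4 addr show` output, so exit traffic can
# never be sent back at the host or its neighbours.

# Constructed sample of `ip -4 addr show` (documentation ranges, not real hosts)
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 203.0.113.45/22 brd 203.0.115.255 scope global eth0
       valid_lft forever preferred_lft forever'

# network_of ADDR/PREFIX -> prints NETWORK/PREFIX, e.g. 203.0.113.45/22 -> 203.0.112.0/22
# Returns 1 (and prints nothing) for a malformed address or a prefix outside 0-32.
network_of() {
    addr_part=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "network_of: bad prefix in '$1'" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "network_of: prefix > 32 in '$1'" >&2; return 1; }
    old_ifs=$IFS
    IFS=.
    set -- $addr_part
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "network_of: bad address '$addr_part'" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) echo "network_of: bad octet '$octet'" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "network_of: octet > 255 in '$addr_part'" >&2; return 1; }
    done
    # Pack the four octets into one 32-bit integer and apply the prefix mask
    packed=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( packed & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# exit_policy_lines < ip-addr-output -> one "ExitPolicy reject NET/PREFIX:*" per global address.
# Loopback and other non-global scopes are skipped. Tor's default ExitPolicyRejectPrivate
# already covers private ranges and the relay's own address; the line produced here extends
# the reject to the whole neighbouring subnet, which is the point of the wiki's XXX/XX entry.
exit_policy_lines() {
    while read -r keyword cidr rest; do
        [ "$keyword" = "inet" ] || continue
        case " $rest " in
            *" scope global "*) ;;
            *) continue ;;
        esac
        net=$(network_of "$cidr") || continue
        printf 'ExitPolicy reject %s:*\n' "$net"
    done
}

# Stand-alone demo on the constructed sample; on a relay, pipe `ip -4 addr show` in instead.
printf '%s\n' "$SAMPLE_IP_ADDR" | exit_policy_lines
```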
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle many OpenSSL connections; see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase the pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor to listen for DNS requests on port 9053 (i.e. {{ic|DNSPort 9053}}) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream resolver. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not overwrite the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port; it also prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but note that Tor only supports TCP: UDP packets other than DNS cannot be sent through Tor and must therefore be blocked entirely to prevent leaks.<br />
<br />
Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification solutions such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
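The pre-flight check below is an added example, not part of the wiki page or of Tor: it reads a torrc and an iptables-restore file and confirms that every {{ic|REDIRECT --to-ports}} target matches the {{ic|DNSPort}} and {{ic|TransPort}} Tor actually listens on, because a mismatch silently sends all redirected traffic to a closed port. The helper names ({{ic|torrc_port}}, {{ic|redirect_ports}}, {{ic|check_torification}}, {{ic|write_samples}}) are hypothetical, and the two sample files it writes are constructed from the lines above.<br />

```sh
#!/bin/sh
# Added example (not from the Arch wiki or Tor): check that iptables REDIRECT targets
# agree with the ports in torrc before loading the transparent-torification rules.

# torrc_port FILE OPTION -> print the port of the last uncommented OPTION line, or nothing.
# Handles the "DNSPort 127.0.0.1:5353" form by keeping only what follows the last colon.
torrc_port() {
    awk -v opt="$2" '
        $1 == opt { v = $2; sub(/.*:/, "", v) }
        END { if (v != "") print v }' "$1"
}

# redirect_ports FILE PROTO -> distinct --to-ports values of REDIRECT rules for PROTO (tcp|udp)
redirect_ports() {
    awk -v proto="$2" '
        /-j REDIRECT/ {
            p = ""; tp = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--to-ports") tp = $(i + 1)
            }
            if (p == proto && tp != "") seen[tp] = 1
        }
        END { for (t in seen) print t }' "$1"
}

# check_torification TORRC RULES -> 0 if consistent, 1 with one message per problem on stdout
check_torification() {
    torrc=$1
    rules=$2
    status=0
    dns=$(torrc_port "$torrc" DNSPort)
    trans=$(torrc_port "$torrc" TransPort)
    [ -n "$dns" ] || { echo "torrc: DNSPort is not set; DNS redirects would hit a closed port"; status=1; }
    [ -n "$trans" ] || { echo "torrc: TransPort is not set; TCP redirects would hit a closed port"; status=1; }
    for port in $(redirect_ports "$rules" udp); do
        [ "$port" = "$dns" ] || { echo "rules: UDP REDIRECT to $port, but torrc DNSPort is '${dns:-unset}'"; status=1; }
    done
    for port in $(redirect_ports "$rules" tcp); do
        [ "$port" = "$trans" ] || { echo "rules: TCP REDIRECT to $port, but torrc TransPort is '${trans:-unset}'"; status=1; }
    done
    return "$status"
}

# write_samples DIR -> writes constructed torrc and rules excerpts (mirroring the page) into DIR
write_samples() {
    printf '%s\n' '# constructed torrc excerpt' 'SocksPort 9050' 'DNSPort 5353' 'TransPort 9040' > "$1/torrc"
    printf '%s\n' '*nat' \
        '-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353' \
        '-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040' \
        '-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353' \
        '-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040' \
        'COMMIT' > "$1/iptables.rules"
}

# Stand-alone demo; on a real host run: check_torification /etc/tor/torrc /etc/iptables/iptables.rules
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if check_torification "$demo_dir/torrc" "$demo_dir/iptables.rules"; then
    echo "torrc and iptables.rules agree"
fi
rm -rf "$demo_dir"
```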
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or with sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which usually means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by tor. Find them with the following command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will still run as the tor user after start-up, so make the data directory owned by tor and writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=349056Tor2014-12-08T10:58:53Z<p>Usprey: /* Haveged */ added official link</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should be left at its default of {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}} so that it drops privileges after binding.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    # 64-bit binaries look up the loader as /lib64/ld-linux-x86-64.so.2, so both lib64<br />
    # paths must resolve, inside the chroot, to the chroot's own /usr/lib (a relative or<br />
    # host-absolute link to $TORCHROOT would point outside the chroot once inside it)<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    ln -s /usr/lib $TORCHROOT/lib64<br />
    ln -s /usr/lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using SOCKS5 directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method, though, is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4A (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, we do not need an HTTP proxy like [[polipo]]/[[privoxy]]. We will be using Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL also does not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridges documentation], your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor alongside [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
The systemd limit only applies to {{ic|tor.service}}. If you also start Tor outside of systemd (for example with {{ic|sudo -u tor tor}}), the {{ic|nofile}} limit comes from PAM instead, so raise it there as well:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised. {{ic|ulimit}} is a shell builtin, so run it inside a shell: {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}. This shows the limit PAM applies to the tor user; the limit the running service actually has comes from {{ic|LimitNOFILE}} and can be read from {{ic|/proc/''PID''/limits}} ("Max open files") of the tor process.<br />
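The following is an added example, not code from this wiki page or from the Tor project: a small shell helper that reads the "Max open files" line of {{ic|/proc/''PID''/limits}} (format as documented in proc(5)) and checks it against the value you configured, plus a wrapper that looks up the PID of a running tor.service with {{ic|systemctl show}}. The sample limits text embedded in it is constructed for the demonstration; the function and variable names are mine.<br />

```shell
#!/bin/sh
# Added example, not code from the Arch wiki or the Tor project: read the
# "Max open files" limit a process really runs with from /proc/PID/limits.
# `sudo -u tor sh -c 'ulimit -Hn'` only shows what PAM gives a login shell;
# tor.service gets its limit from LimitNOFILE=, and /proc/PID/limits of the
# live daemon is the ground truth.

# nofile_limits < LIMITS_FILE -> prints "SOFT HARD" for the Max open files line
nofile_limits() {
    awk '/^Max open files/ { print $4, $5 }'
}

# check_nofile WANT < LIMITS_FILE -> 0 if soft and hard limit are both >= WANT
check_nofile() {
    want=$1
    set -- $(nofile_limits)
    [ $# -eq 2 ] || return 1                      # line missing or malformed
    for lim in "$1" "$2"; do
        [ "$lim" = unlimited ] || [ "$lim" -ge "$want" ] || return 1
    done
}

# check_tor_nofile WANT -> checks the running tor.service (assumes systemd)
check_tor_nofile() {
    pid=$(systemctl show -p MainPID tor.service 2>/dev/null)
    pid=${pid#MainPID=}
    [ "${pid:-0}" -gt 0 ] || { echo "tor.service is not running" >&2; return 1; }
    check_nofile "$1" < "/proc/$pid/limits"
}

# Constructed /proc/PID/limits excerpt, as a service with LimitNOFILE=32768 shows it.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            32768                32768                files
Max locked memory         65536                65536                bytes'

# Usage: on a live relay run `check_tor_nofile 32768 && echo ok`.
printf '%s\n' "$SAMPLE_LIMITS" | nofile_limits                       # 32768 32768
printf '%s\n' "$SAMPLE_LIMITS" | check_nofile 32768 && echo "sample: nofile >= 32768"
```

On a relay, {{ic|check_tor_nofile 32768}} fails if the drop-in was not picked up (for example because {{ic|systemctl daemon-reload}} was not run), which the {{ic|sudo}} check above cannot detect.<br />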
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops to the unprivileged user once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $KEYID1,$KEYID2 ## Fingerprints of your other relays, each prefixed with a literal $<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so exit connections cannot reach the host or neighboring machines on the same public netblock and circumvent their firewalls. Tor's {{ic|ExitPolicyRejectPrivate}} option (on by default) already rejects private networks and the relay's own public address; this line extends that to the rest of your netblock.<br />
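Both the ExitPolicy examples under [[#Running a Tor exit node]] and the XXX.XXX.XXX.XXX/XX line here are easy to get wrong, because Tor evaluates rules in order, first match wins, and appends its default policy after yours. The following shell script is an added example, not code from this wiki page or from the Tor project: it implements that evaluation for the policy syntax used on this page (IPv4 only) and derives the reject line for your own netblock from {{ic|ip -o -4 addr show}} output. The default policy list is copied from the tor(1) manual and should be checked against the version you run; the sample {{ic|ip}} output uses TEST-NET addresses and is constructed; function names are mine.<br />

```shell
#!/bin/sh
# Added example, not code from the Arch wiki or the Tor project.
#  * exit_policy_decide evaluates a torrc ExitPolicy value the way Tor does:
#    rules in order, first match wins, Tor's default policy appended last.
#  * exit_policy_reject_own_netblock turns `ip -o -4 addr show` output into
#    the "ExitPolicy reject <network>/<prefix>:*" line used above.
# Handled syntax: accept|reject ADDR:PORTS with ADDR '*', an IPv4 address or
# IPv4/PREFIX, and PORTS '*', N or LOW-HIGH. IPv6 is not modelled.

set -f   # policy rules contain '*'; never let the shell glob-expand it

# Default exit policy as printed in the tor(1) manual (assumption: verify it
# against the manual of the Tor version you actually run).
TOR_DEFAULT_EXIT_POLICY='reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*'

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 INT -> A.B.C.D
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask N -> integer netmask of a /N prefix
prefix_to_mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# addr_matches SPEC ADDR -> 0 if SPEC ('*', literal or CIDR) covers ADDR
addr_matches() {
    case $1 in
        '*') return 0 ;;
        */*) mask=$(prefix_to_mask "${1#*/}")
             [ $(( $(ip4_to_int "${1%/*}") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# port_matches SPEC PORT -> 0 if SPEC ('*', N or LOW-HIGH) covers PORT
port_matches() {
    case $1 in
        '*') return 0 ;;
        *-*) [ "$2" -ge "${1%-*}" ] && [ "$2" -le "${1#*-}" ] ;;
        *)   [ "$2" -eq "$1" ] ;;
    esac
}

# exit_policy_decide "POLICY" ADDR PORT -> prints accept or reject
# POLICY is the value of the torrc ExitPolicy line ("" means default only).
exit_policy_decide() {
    policy=$1; addr=$2; port=$3
    [ -n "$policy" ] && policy="$policy,"
    oldifs=$IFS; IFS=,
    set -- $policy$TOR_DEFAULT_EXIT_POLICY
    IFS=$oldifs
    for rule in "$@"; do
        rule=${rule%%#*}                      # drop a trailing comment
        rule=${rule#"${rule%%[! ]*}"}         # trim leading blanks
        rule=${rule%"${rule##*[! ]}"}         # trim trailing blanks
        [ -n "$rule" ] || continue
        action=${rule%% *}; target=${rule##* }
        if addr_matches "${target%%:*}" "$addr" && port_matches "${target#*:}" "$port"; then
            echo "$action"; return 0
        fi
    done
    echo reject                               # not reached: default ends in accept *:*
}

# exit_policy_reject_own_netblock "IP_ADDR_OUTPUT" -> one reject line per
# global-scope address in `ip -o -4 addr show` output, covering its netblock.
exit_policy_reject_own_netblock() {
    printf '%s\n' "$1" | while read -r idx dev fam cidr rest; do
        [ "$fam" = inet ] || continue
        case " $rest " in *" scope global "*) ;; *) continue ;; esac
        prefix=${cidr#*/}
        net=$(( $(ip4_to_int "${cidr%/*}") & $(prefix_to_mask "$prefix") ))
        printf 'ExitPolicy reject %s/%s:*\n' "$(int_to_ip4 "$net")" "$prefix"
    done
}

# Constructed sample of `ip -o -4 addr show` (TEST-NET addresses, not real hosts).
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.45/24 brd 203.0.113.255 scope global eth0
3: eth1    inet 198.51.100.77/27 brd 198.51.100.95 scope global eth1'

# Usage: what this page's example policies do, and the reject line for this host.
exit_policy_decide 'accept *:6660-6667,reject *:*' 203.0.113.1 80    # reject
exit_policy_decide '' 203.0.113.1 119                                # reject (default policy)
exit_policy_decide 'accept *:119' 203.0.113.1 119                    # accept
exit_policy_decide 'reject 203.0.113.0/24:*' 203.0.113.9 443         # reject (own netblock)
exit_policy_reject_own_netblock "$SAMPLE_IP_ADDR"
```

Feed it a candidate ExitPolicy and the ports you care about before publishing a relay descriptor; the {{ic|reject *:*}} middleman policy, for instance, rejects everything regardless of what follows it, while a bare {{ic|accept *:119}} still leaves port 25 rejected by the default policy.<br />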
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki>$ grep -m1 aes /proc/cpuinfo</nowiki>}} shows that your CPU supports AES instructions and {{ic|<nowiki>$ lsmod | grep aes</nowiki>}} shows that the kernel module is loaded, you can specify {{ic|HardwareAccel 1}}, which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections; [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] provide documentation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## Cache size in KB; 102400 = 100MB, far above the default<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show the following. Note that port 53 is a privileged port, so Tor must then be started as root with {{ic|User tor}} set in torrc, as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep Tor listening for DNS requests on port 9053 ({{ic|DNSPort 9053}} as configured above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
This configuration sets dnsmasq to listen only for requests from the local computer, and to use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not overwrite the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
''torsocks'' intercepts the C library resolver calls and resolves hostnames through Tor, but it cannot intercept programs that bypass the C library (statically linked binaries, or programs that send their own UDP DNS packets). If you want to be certain, or want to hand the application an address only, resolve the name first with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* The file uses {{ic|--ipv4}} and {{ic|--ipv6}} markers for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can read the same file: each tool ignores the lines marked for the other protocol.<br />
* {{ic|ip6tables}} uses different {{ic|--reject-with}} names than {{ic|iptables}} (e.g. {{ic|icmp6-port-unreachable}} instead of {{ic|icmp-port-unreachable}}), which is why the REJECT rules are protocol-specific.<br />
<br />
The ports the rules redirect to must match your torrc, so make sure it contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}} and {{ic|man iptables-restore}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start iptables and ip6tables (as two separate commands; brace expansion of {{ic|enable,start}} would pass {{ic|start}} to systemctl as a unit name):<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
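As an added example (not code from this wiki page or from the Tor project), the following shell script checks that the {{ic|--to-ports}} targets of the REDIRECT rules above agree with the {{ic|TransPort}} and {{ic|DNSPort}} values in torrc. This matters because the [[#TorDNS]] section of this page uses {{ic|DNSPort 9053}} while the firewall expects 5353: if they disagree the rules still fire, nothing is listening on the redirected port, and every outbound connection fails. The sample torrc and rules files are constructed in a temporary directory; the function names are mine.<br />

```shell
#!/bin/sh
# Added example, not code from the Arch wiki or the Tor project: verify that
# the ports the nat table REDIRECTs traffic to are the ones torrc opens as
# TransPort (tcp) and DNSPort (udp). With a mismatch the rules still match
# but nothing listens, so every outbound connection fails silently.

# torrc_port TORRC OPTION -> port configured for OPTION, e.g. TransPort.
# Tor accepts "OPTION [address:]port [flags]"; only the port is returned.
torrc_port() {
    awk -v opt="$2" '$1 == opt { sub(/^.*:/, "", $2); print $2; exit }' "$1"
}

# redirect_ports RULES PROTO -> distinct --to-ports of REDIRECT rules for tcp|udp
redirect_ports() {
    awk -v proto="$2" '
        /-j REDIRECT/ && index($0, "-p " proto " ") {
            for (i = 1; i < NF; i++) if ($i == "--to-ports") seen[$(i + 1)] = 1
        }
        END { for (p in seen) print p }' "$1" | sort -nu | xargs
}

# check_tor_redirects TORRC RULES -> 0 if consistent, 1 with a report otherwise
check_tor_redirects() {
    status=0
    trans=$(torrc_port "$1" TransPort); tcp=$(redirect_ports "$2" tcp)
    dns=$(torrc_port "$1" DNSPort);     udp=$(redirect_ports "$2" udp)
    [ -n "$tcp" ] && [ "$tcp" = "$trans" ] || { echo "tcp REDIRECT -> '$tcp' but TransPort is '${trans:-unset}'"; status=1; }
    [ -n "$udp" ] && [ "$udp" = "$dns" ]   || { echo "udp REDIRECT -> '$udp' but DNSPort is '${dns:-unset}'"; status=1; }
    return $status
}

# Constructed sample files: the nat table from the rules above and two torrc variants.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/iptables.rules" <<'EOF'
*nat
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF
printf 'SocksPort 9050\nDNSPort 5353\nTransPort 9040\n' > "$SAMPLE_DIR/torrc.good"
printf 'SocksPort 9050\nDNSPort 9053\nTransPort 9040\n' > "$SAMPLE_DIR/torrc.bad"

# Usage on a live host: check_tor_redirects /etc/tor/torrc /etc/iptables/iptables.rules
check_tor_redirects "$SAMPLE_DIR/torrc.good" "$SAMPLE_DIR/iptables.rules" && echo "good torrc: consistent"
check_tor_redirects "$SAMPLE_DIR/torrc.bad" "$SAMPLE_DIR/iptables.rules" || echo "bad torrc: mismatch reported"
```

Run it against the real files before enabling {{ic|iptables.service}}; with the bad torrc it reports that the udp rules redirect to 5353 while DNSPort is 9053, which is exactly the state you end up in after following the TorDNS section and this one without reconciling the ports.<br />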
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the User value, which most likely means that one or more files or directories in {{ic|/var/lib/tor}} are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the service still does not start, run it as root and let Tor switch to the tor user itself. Keep the user name in {{ic|/etc/tor/torrc}}:<br />
<br />
User tor<br />
<br />
Then, instead of editing {{ic|/usr/lib/systemd/system/tor.service}} (which pacman overwrites on every upgrade), create a drop-in that starts the service as root:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
Tor drops to the tor user after start-up, so the data directory must be owned by tor. It must also stay private: Tor refuses to use a DataDirectory that is group- or world-accessible, so do not loosen it to 755:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=349051Tor2014-12-08T10:32:23Z<p>Usprey: /* +100Mbps Exit Relay configuration example */ mentioned haveged in intro</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should be left at its default of {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}} and systemd expects the process to stay in the foreground.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor in $TORCHROOT; run as root.<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"/{etc/tor,dev,usr/bin,usr/lib,usr/share/tor,var/lib}<br />
<br />
# Inside the chroot /lib must resolve to the copied libraries in /usr/lib,<br />
# so the link target is an absolute path as seen from within the chroot.<br />
ln -s /usr/lib "$TORCHROOT/lib"<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# NSS and resolver libraries are loaded at runtime and do not show up in ldd<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor account is needed inside the chroot<br />
grep --color=never '^tor:' /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep --color=never '^tor:' /etc/group > "$TORCHROOT/etc/group"<br />
<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    # The x86_64 loader is looked up as /lib64/ld-linux-x86-64.so.2, so /lib64<br />
    # and /usr/lib64 inside the chroot must also point at the copied libraries.<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    ln -s /usr/lib "$TORCHROOT/lib64"<br />
    ln -s /usr/lib "$TORCHROOT/usr/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings). Port 9051 is conventionally Tor's {{ic|ControlPort}}, not a SOCKS port; the Tor Browser Bundle's bundled Tor listens on 9150 instead (see [[#Pidgin]]).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy instead of resolving them locally, which would leak the sites you visit.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"<br />
<br />
Use the {{ic|socks5://}} scheme: with plain {{ic|socks://}} Chromium speaks SOCKS4 and resolves hostnames locally, which leaks DNS. The {{ic|--host-resolver-rules}} flag makes Chromium's own lookups (e.g. DNS prefetching) fail, so that only the proxy resolves names.<br />
<br />
Just as with Firefox, you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor developers recommend pointing browsers at the SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information; prefer SOCKS4a or SOCKS5 with remote hostname resolution (e.g. via Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
The {{ic|--socks5-hostname}} option makes ''curl'' hand the mirror's hostname to Tor for resolution instead of resolving it locally, so the name lookups do not bypass the Tor network.<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges Tor: Bridges], your torrc should consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay (not an exit), also add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
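The following Python script is an added example, not code from this page or from the Tor project. It evaluates an {{ic|ExitPolicy}} value the way Tor does: entries are comma-separated, the first matching entry wins, and Tor's built-in default policy is appended after your own entries, which is why {{ic|accept *:119}} above re-enables NNTP. It goes beyond the port-only examples above by also handling the address/netmask form used in the exit relay configuration further down ({{ic|reject XXX.XXX.XXX.XXX/XX:*}}). The default reject list is an assumption taken from the Tor manual at the time of writing and should be compared with {{ic|man tor}} for your version; Tor's automatic rejection of private address ranges ({{ic|ExitPolicyRejectPrivate}}) is not modelled, and the destination addresses used are constructed from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.<br />
<br />
```python
"""Evaluate a Tor ExitPolicy value the way Tor does: first match wins.

Added example, not code from the ArchWiki page or from the Tor project.
Syntax handled (IPv4 and '*' only, as in the examples on the page):
    accept|reject ADDRESS[/MASK]:PORT | PORT-PORT | *
"""
import ipaddress

# Tor's built-in default exit policy, which Tor appends after the operator's
# own entries. Assumption: taken from the Tor manual at the time of writing;
# check `man tor` for the version you run, as the list has changed over time.
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)


def parse_entry(entry):
    """Turn 'accept *:6660-6667' into (action, network-or-None, low, high)."""
    action, _, pattern = entry.strip().partition(" ")
    action = action.lower()
    if action not in ("accept", "reject"):
        raise ValueError("bad exit policy entry: %r" % entry)
    addr, sep, ports = pattern.strip().rpartition(":")
    if not sep:
        raise ValueError("missing ':PORT' in exit policy entry: %r" % entry)
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        low, high = 1, 65535
    elif "-" in ports:
        low, high = (int(p) for p in ports.split("-", 1))
    else:
        low = high = int(ports)
    return action, network, low, high


def parse_policy(policy):
    """Parse a full comma-separated ExitPolicy value (may be empty)."""
    return [parse_entry(e) for e in policy.split(",") if e.strip()]


def evaluate(policy, dest_ip, dest_port):
    """Return (allowed, deciding_entry) for a destination, Tor-style first match."""
    entries = parse_policy(policy) + parse_policy(DEFAULT_EXIT_POLICY)
    ip = ipaddress.ip_address(dest_ip)
    for action, network, low, high in entries:
        if network is not None and ip not in network:
            continue
        if not low <= dest_port <= high:
            continue
        where = "*" if network is None else str(network)
        return action == "accept", "%s %s:%d-%d" % (action, where, low, high)
    # Not reachable in practice: the default policy ends in 'accept *:*'.
    return False, "implicit reject"


def exit_allowed(policy, dest_ip, dest_port):
    """True if an exit relay with this ExitPolicy would connect to ip:port."""
    return evaluate(policy, dest_ip, dest_port)[0]


if __name__ == "__main__":
    # Destination 203.0.113.7 is a constructed documentation-range address.
    for policy in ("accept *:*",
                   "accept *:6660-6667,reject *:*",
                   "accept *:119",
                   "reject 203.0.113.0/24:*"):
        for port in (80, 119, 6667):
            allowed, entry = evaluate(policy, "203.0.113.7", port)
            print("%-32s port %5d -> %-6s (%s)" % (
                policy, port, "accept" if allowed else "reject", entry))
```
<br />
Running the script shows, for each policy from this section, which entry decides each destination port; an empty policy string shows what the default policy alone does.<br />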
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (100 Mbps or more) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor alongside [[Haveged]] to increase system entropy and [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check whether the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}} (or {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}). This reports the limit of the shell started by ''sudo'', which is governed by {{ic|/etc/security/limits.conf}} through PAM; the limit actually applied to the running service can be read from {{ic|/proc/''PID''/limits}} of the Tor process.<br />
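The following Python script is an added example, not code from this page or from the Tor project. It reads the {{ic|Max open files}} line of {{ic|/proc/''PID''/limits}}, which is the limit the running service actually has, and compares it with the {{ic|LimitNOFILE}} value configured above. It assumes that {{ic|pidof}} from ''procps-ng'' is available to find the Tor process; the embedded {{ic|SAMPLE_LIMITS}} text is a constructed excerpt in the format of that file, showing a service still at the default limits.<br />
<br />
```python
"""Verify the open-file limit actually applied to the running Tor service.

Added example, not code from the ArchWiki page or from the Tor project.
`ulimit -Hn` in a shell obtained with sudo shows that shell's limit (set by PAM
from limits.conf), not the limit systemd gave tor.service via LimitNOFILE=.
The value that matters is in /proc/<pid>/limits of the tor process.
"""
import re
import subprocess

WANTED_NOFILE = 32768  # the value set in increase-file-limits.conf above

# Constructed sample of /proc/<pid>/limits for a service still at default limits.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             7846                 7846                 processes
"""


def parse_open_files(limits_text):
    """Return (soft, hard) from the 'Max open files' line; 'unlimited' -> None."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            # Columns are separated by runs of two or more spaces.
            fields = re.split(r"\s{2,}", line.strip())
            soft, hard = fields[1], fields[2]
            return tuple(None if v == "unlimited" else int(v) for v in (soft, hard))
    raise ValueError("no 'Max open files' line found")


def nofile_is_raised(limits_text, wanted=WANTED_NOFILE):
    """True if both soft and hard limits are at least `wanted` (or unlimited)."""
    return all(v is None or v >= wanted for v in parse_open_files(limits_text))


def tor_limits_text():
    """Read /proc/<pid>/limits of the running tor daemon (Linux; needs suitable privileges)."""
    pid = subprocess.check_output(["pidof", "-s", "tor"], universal_newlines=True).strip()
    with open("/proc/%s/limits" % pid) as f:
        return f.read()


if __name__ == "__main__":
    print("sample soft/hard:", parse_open_files(SAMPLE_LIMITS),
          "raised:", nofile_is_raised(SAMPLE_LIMITS))
    try:
        live = tor_limits_text()
    except (OSError, subprocess.CalledProcessError) as err:
        print("could not read the running tor's limits:", err)
    else:
        print("tor soft/hard:", parse_open_files(live),
              "raised:", nofile_is_raised(live))
```
<br />
Run it as root (or as the ''tor'' user) on the relay after restarting {{ic|tor.service}}; if the live limits are still below 32768, the drop-in was not picked up (check {{ic|systemctl daemon-reload}}) or the service was started as a different user than expected.<br />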
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle many OpenSSL connections; see [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for an explanation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 (as in the example above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not overwrite the resolv configuration file, by adding this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv6}} and {{ic|--ipv4}} are used for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for the matching protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines, since the rules redirect to these ports:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl enable tor iptables ip6tables<br />
systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
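The following Python script is an added consistency check, not code from this page or from the Tor project. The rules above only torify traffic if the {{ic|--to-ports}} targets of the REDIRECT rules in the {{ic|nat}} table match {{ic|DNSPort}} and {{ic|TransPort}} in {{ic|/etc/tor/torrc}}, and only if Tor's own connections are exempted by the {{ic|--uid-owner "tor" -j RETURN}} rule ''before'' the REDIRECT rules in the OUTPUT chain (otherwise Tor's own connections to the network would be redirected back into Tor). The script parses both files as plain text; the embedded samples are constructed from the torrc lines and the nat table on this page, and the mismatch case reuses the {{ic|DNSPort 9053}} value from the [[#TorDNS]] section to show what a stale torrc looks like.<br />
<br />
```python
"""Check that torrc ports and the iptables REDIRECT targets agree.

Added example, not code from the ArchWiki page or from the Tor project.
Sample inputs are constructed from the torrc lines and nat table on the page.
"""
import re

# Constructed sample torrc: the lines the Note above requires.
SAMPLE_TORRC = """\
SocksPort 9050
DNSPort 5353   # UDP port 53 is redirected here
TransPort 9040 # new TCP connections are redirected here
"""

# Constructed sample: the *nat table from the rules file above, plus the
# start of the *filter table to show that only nat rules are inspected.
SAMPLE_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
COMMIT
"""


def torrc_ports(text):
    """Return {'socksport': N, 'dnsport': N, 'transport': N} from torrc text."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(SocksPort|DNSPort|TransPort)\s+(\d+)$", line, re.I)
        if m:
            ports[m.group(1).lower()] = int(m.group(2))
    return ports


def nat_rules(text):
    """Return the -A rule lines of the *nat table, --ipv4/--ipv6 prefixes removed."""
    rules, in_nat = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_nat = (line == "*nat")
        elif line == "COMMIT":
            in_nat = False
        elif in_nat and line.startswith(("-A", "--ipv4", "--ipv6")):
            rules.append(re.sub(r"^--ipv[46]\s+", "", line))
    return rules


def redirect_targets(text):
    """List (chain, protocol, to_port) for every REDIRECT rule in the nat table."""
    targets = []
    for rule in nat_rules(text):
        if "-j REDIRECT" not in rule:
            continue
        chain = re.search(r"-A (\S+)", rule).group(1)
        proto = re.search(r"-p (udp|tcp)", rule).group(1)
        port = int(re.search(r"--to-ports (\d+)", rule).group(1))
        targets.append((chain, proto, port))
    return targets


def tor_exempted(text):
    """True if nat OUTPUT returns for Tor's uid before any REDIRECT rule."""
    output = [r for r in nat_rules(text) if r.startswith("-A OUTPUT")]
    for i, rule in enumerate(output):
        if "--uid-owner" in rule and "-j RETURN" in rule:
            return not any("-j REDIRECT" in earlier for earlier in output[:i])
    return False


def check_transparent_proxy(torrc, rules):
    """Return a list of problems; an empty list means the two files agree."""
    ports = torrc_ports(torrc)
    problems = []
    for chain, proto, port in redirect_targets(rules):
        option = "dnsport" if proto == "udp" else "transport"
        if ports.get(option) != port:
            problems.append("%s %s REDIRECT to %d but torrc %s is %s"
                            % (chain, proto, port, option, ports.get(option)))
    if not tor_exempted(rules):
        problems.append("nat OUTPUT lacks '--uid-owner tor -j RETURN' before "
                        "the REDIRECT rules; Tor's own traffic would loop")
    return problems


if __name__ == "__main__":
    print("page config:", check_transparent_proxy(SAMPLE_TORRC, SAMPLE_RULES) or "OK")
    # A torrc left at the TorDNS section's port is the classic mismatch.
    stale = SAMPLE_TORRC.replace("DNSPort 5353", "DNSPort 9053")
    for problem in check_transparent_proxy(stale, SAMPLE_RULES):
        print("stale torrc:", problem)
```
<br />
To check a real system, read {{ic|/etc/tor/torrc}} and {{ic|/etc/iptables/iptables.rules}} and pass their contents to {{ic|check_transparent_proxy()}}; a mismatch means DNS or TCP traffic is being redirected to a port nothing listens on, which the filter table then rejects rather than leaks, but nothing will work until the ports agree.<br />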
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which likely means that one or more files or directories in {{ic|/var/lib/tor}} are not owned by ''tor''. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows (a drop-in under {{ic|/etc/systemd/system/tor.service.d/}}, as shown in [[#Start tor.service as root to bind Tor to privileged ports]], survives package upgrades, whereas edits to the file in {{ic|/usr/lib}} do not):<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then drop to the ''tor'' user. Make sure the data directory is owned by that user and accessible only to it, as Tor expects its DataDirectory to be private:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=349045Tor2014-12-08T10:14:09Z<p>Usprey: /* Haveged */ minor</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot; run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# /lib -> /usr/lib as on the host; inside the chroot this resolves to $TORCHROOT/usr/lib<br />
ln -s /usr/lib $TORCHROOT/lib<br />
# Name resolution, time zone and Tor configuration<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS/resolver libraries are loaded at run time and are not listed by ldd<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Every shared library tor links against<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor account is needed inside the chroot<br />
sh -c "grep --color=never '^tor:' /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never '^tor:' /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes for the random number generators and /dev/null<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    # The ELF interpreter is looked up as /lib64/ld-linux-x86-64.so.2, so<br />
    # /lib64 and /usr/lib64 must resolve to /usr/lib inside the chroot.<br />
    # Relative links work both on the host and inside the chroot (an absolute<br />
    # link to $TORCHROOT/usr/lib would dangle once chrooted).<br />
    ln -s usr/lib64 $TORCHROOT/lib64<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and accept the ''void your warranty'' warning. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
 $ chromium --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"<br />
<br />
The explicit {{ic|socks5://}} scheme makes Chromium send hostnames to the proxy, and {{ic|--host-resolver-rules}} makes every local lookup fail, which stops Chromium's DNS prefetching and fallback resolution from leaking the names of visited sites outside Tor.<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to switch between normal browsing and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], but the Tor developers recommend using the SOCKS5 port directly, since browsers support it natively and an extra HTTP proxy is one more component that can leak.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup for other applications such as instant messaging (e.g. Jabber) or IRC. Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves leak the names they look up. Prefer SOCKS4a or SOCKS5 with remote DNS (e.g. via Privoxy, which passes the hostname on to Tor) so that resolution happens inside the Tor network.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. The client talks to Tor's SOCKS port directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
 Proxy type SOCKS5<br />
 Host 127.0.0.1<br />
 Port 9050<br />
<br />
Port 9050 is the {{ic|SocksPort}} of the system {{ic|tor.service}}. If you use the tor bundled with the Tor Browser Bundle instead, use port 9150: [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the bundle's port changed from 9050 to 9150. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} address directly. Connecting from Tor also requires identifying to NickServ during connection via SASL (the charybdis/ircd-seven SASL mechanism); see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
 $ torsocks irssi<br />
<br />
Set your NickServ credentials, which are read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC replies and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely on one's LAN or at the mirror) from learning a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered on the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -L -C - -f -o %o %u</nowiki><br />
...}}<br />
<br />
{{ic|--socks5-hostname}} (rather than {{ic|--socks5}}) makes curl pass the mirror's hostname to Tor unresolved, so the lookup does not leak to the local resolver; {{ic|-L}} follows the redirects many mirrors use.<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines:<br />
<br />
 SocksPort 0<br />
 ORPort 443<br />
 BridgeRelay 1<br />
 ExitPolicy reject *:*<br />
<br />
{{ic|ORPort 443}} is below 1024, so the service must either be started as root with {{ic|User tor}} in torrc (see [[#Start tor.service as root to bind Tor to privileged ports]]) or use an unprivileged port, as in the next section.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
Current Tor versions refuse to run a relay whose {{ic|BandwidthRate}} is below 75 KBytes/s (50 KBytes/s for a bridge), so share at least that much:<br />
<br />
 Nickname ''tornickname''<br />
 ORPort 9001<br />
 BandwidthRate 75 KBytes # Throttle traffic to 75 KB/s<br />
 BandwidthBurst 100 KBytes # But allow bursts up to 100 KB/s<br />
<br />
To make the relay a middleman only, i.e. to refuse all exit traffic, add:<br />
<br />
 ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node. Rules are tried in order and the first match wins. Tor appends its default exit policy (which rejects a number of ports such as SMTP, NNTP, SMB and several file-sharing ranges, then accepts everything else) after your own rules, and {{ic|ExitPolicyRejectPrivate}}, on by default, prepends rejections for private address ranges and the relay's own addresses.<br />
Allow all traffic:<br />
<br />
 ExitPolicy accept *:*<br />
<br />
Allow only IRC ports 6660-6667 to exit from the node:<br />
<br />
 ExitPolicy accept *:6660-6667,reject *:* # Allow IRC ports but nothing else<br />
<br />
By default, Tor will block certain ports. Because your rules are evaluated before the default policy, an explicit accept overrides the default rejection:<br />
<br />
 ExitPolicy accept *:119 # Accept NNTP in addition to the default exit policy<br />
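As an added worked example (not code from this page or from Tor), the following Python evaluates a torrc {{ic|ExitPolicy}} the way Tor does: rules in order, first match wins, with the default policy from tor(1) appended after your own lines. It also understands the {{ic|*4}}/{{ic|*6}} family wildcards and bracketed IPv6 networks. It does not expand the {{ic|private}} keyword or model {{ic|ExitPolicyRejectPrivate}}, and the default policy constant is an assumption to be checked against your Tor version's manual page.<br />

```python
import ipaddress

# Default exit policy as listed in tor(1) at the time of writing (assumed; check
# it against your Tor version). Tor appends it after the ExitPolicy lines in torrc.
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)


def _parse_ports(spec):
    """'*' -> all ports, '80' -> (80, 80), '6660-6667' -> (6660, 6667)."""
    if spec == "*":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def _parse_addr(spec):
    """None = any address, 4/6 = any address of that family, else a network.
    The 'private' keyword Tor accepts is deliberately not expanded here."""
    if spec == "*":
        return None
    if spec in ("*4", "*6"):
        return int(spec[1])
    return ipaddress.ip_network(spec.replace("[", "").replace("]", ""), strict=False)


def parse_exit_policy(*lines, default=DEFAULT_EXIT_POLICY):
    """Turn the values of one or more 'ExitPolicy' lines into an ordered rule list
    of (action, address_spec, low_port, high_port), with the default policy last."""
    rules = []
    for line in (*lines, default):
        for item in line.split(","):
            item = item.strip()
            if not item:
                continue
            action, _, pattern = item.partition(" ")
            if action.lower() not in ("accept", "reject"):
                raise ValueError(f"unknown action in {item!r}")
            addr, sep, ports = pattern.strip().rpartition(":")
            if not sep:
                raise ValueError(f"expected ADDR:PORT in {item!r}")
            rules.append((action.lower(), _parse_addr(addr), *_parse_ports(ports)))
    return rules


def matching_rule(rules, dest_ip, dest_port):
    """Return the first rule matching dest_ip:dest_port (Tor's first-match semantics)."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in rules:
        _action, net, lo, hi = rule
        if isinstance(net, int) and net != dest.version:
            continue
        if isinstance(net, (ipaddress.IPv4Network, ipaddress.IPv6Network)) and (
            net.version != dest.version or dest not in net
        ):
            continue
        if lo <= dest_port <= hi:
            return rule
    return None


def exit_allows(rules, dest_ip, dest_port):
    """True if the relay would let a stream to dest_ip:dest_port exit."""
    rule = matching_rule(rules, dest_ip, dest_port)
    return rule is not None and rule[0] == "accept"


if __name__ == "__main__":
    # Constructed policies mirroring the three torrc examples above.
    for label, policy in (("irc only", "accept *:6660-6667,reject *:*"),
                          ("nntp too", "accept *:119"),
                          ("own range", "reject 203.0.113.0/24:*")):
        rules = parse_exit_policy(policy)
        for ip, port in (("198.51.100.5", 80), ("198.51.100.5", 119), ("203.0.113.7", 6667)):
            verdict = "accept" if exit_allows(rules, ip, port) else "reject"
            print(f"{label:10} {ip}:{port:<5} -> {verdict}")
```

Feed it the exact strings from your torrc before you publish: a policy such as {{ic|reject 203.0.113.0/24:*}} followed by the default rejects the whole /24 but still lets port 443 elsewhere out, while {{ic|accept *:119}} turns the default NNTP rejection into an accept without touching the other default rejects.<br />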
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
{{ic|LimitNOFILE}} in the drop-in is what the service gets, independently of PAM. The limits in {{ic|/etc/security/limits.conf}} apply only to PAM sessions such as a {{ic|sudo -u tor}} shell, so append the following only if you run Tor outside of systemd or want such a shell to report the same limit:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check the {{ic|nofile}} (file descriptor) limit of the running service rather than of an interactive shell, since only the former is governed by {{ic|LimitNOFILE}}: {{ic|# grep 'open files' /proc/$(pidof tor)/limits}}. To see what a PAM session for the tor user gets (governed by {{ic|limits.conf}}), run {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}; a bare {{ic|sudo -u tor 'ulimit -Hn'}} fails because {{ic|ulimit}} is a shell builtin, not a program.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops to the tor user right after binding its ports. On systemd 229 or later, a drop-in with {{ic|1=AmbientCapabilities=CAP_NET_BIND_SERVICE}} instead of {{ic|1=User=root}} is the less privileged alternative for binding ports below 1024 while running as tor throughout; it does not cover {{ic|DisableAllSwap 1}}, which according to the Tor manual still requires starting as root.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor's privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $FINGERPRINT1,$FINGERPRINT2 ## Identity fingerprints of every relay you run, each prefixed with $; set identically on all of them<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block your own public IP range in addition to the default exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enables {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># grep -m1 -w aes /proc/cpuinfo</nowiki>}} shows that your CPU supports the AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} shows that the {{ic|aesni_intel}} module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration]. Note that recent OpenSSL uses AES-NI automatically; {{ic|HardwareAccel 1}} only matters for crypto engines that need explicit loading.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} is specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections, and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for an explanation.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## Size in KiB, i.e. 100 MiB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
Tor provides a built-in DNS resolver ({{ic|DNSPort}}). To enable it, add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it only resolves A records (current versions also answer AAAA and PTR); MX, NS and other record types are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
 DNSPort 53<br />
<br />
Port 53 is a privileged port, so Tor can only bind it when the service is started as root (see [[#Start tor.service as root to bind Tor to privileged ports]]) or is granted {{ic|CAP_NET_BIND_SERVICE}}; the dnsmasq setup below avoids this by keeping Tor on port 9053.<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep Tor listening for DNS requests on port 9053 ({{ic|DNSPort 9053}}) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream server. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not overwrite the resolv configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
The old tsocks-based torify did ''not'' perform DNS lookups through the Tor network; the current {{Pkg|torsocks}} intercepts the resolver calls ({{ic|gethostbyname}}, {{ic|getaddrinfo}}) as well and answers them through Tor's SOCKS RESOLVE extension. It still cannot catch programs that bypass the C library (statically linked binaries, raw sockets, UDP), so for those, or when in doubt, resolve the name with {{ic|<nowiki>tor-resolve</nowiki>}} (described above) and pass the address instead. The procedure for the first of the above examples would then look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
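The SOCKS5 proxy setup described under [[#Usage]], the {{ic|socks_remote_dns}} point made for [[#Firefox]], and what {{ic|tor-resolve}} and torify do above all come down to one protocol detail: the hostname must travel to Tor inside the SOCKS request. The following Python is an added example (not code from this page or from the Tor project): a minimal SOCKS5 client that always sends RFC 1928 DOMAINNAME addresses and uses Tor's RESOLVE extension (command 0xF0, which is what tor-resolve speaks). It runs offline against a constructed stand-in for the SocksPort; the address it returns for archlinux.org is the one shown above and is constructed test data, and the banner is invented. Point {{ic|TOR_SOCKS}} at a real 127.0.0.1:9050 to use it for real.<br />

```python
import socket
import struct
import threading

SOCKS_VER = 0x05
CMD_CONNECT, CMD_RESOLVE = 0x01, 0xF0       # 0xF0 is Tor's RESOLVE extension, not RFC 1928
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
TOR_SOCKS = ("127.0.0.1", 9050)             # default SocksPort of the system tor.service
FAKE_ANSWER = "66.211.214.131"               # constructed: the address the page shows for archlinux.org
FAKE_BANNER = b"220 fake exit\r\n"           # constructed: what the "remote" host says after CONNECT


def recv_exact(sock, n):
    """recv() may return short reads; collect exactly n bytes or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS peer closed the connection")
        buf += chunk
    return buf


def socks5_request(sock, cmd, host, port):
    """Negotiate NO AUTH, then send cmd for host:port as a DOMAINNAME (ATYP 0x03).
    The name reaches Tor unresolved and is looked up at the exit. A client that
    called getaddrinfo() first and sent ATYP 0x01 would leak every name to the
    local resolver: the DNS leak that socks_remote_dns and torsocks prevent."""
    sock.sendall(bytes([SOCKS_VER, 0x01, 0x00]))             # one method offered: NO AUTH
    if recv_exact(sock, 2) != bytes([SOCKS_VER, 0x00]):
        raise ConnectionError("SOCKS5 method negotiation failed")
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    sock.sendall(bytes([SOCKS_VER, cmd, 0x00, ATYP_DOMAIN, len(name)])
                 + name + struct.pack("!H", port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VER or rep != 0x00:
        raise ConnectionError(f"SOCKS5 request failed, REP={rep:#04x}")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    else:
        raise ConnectionError(f"unexpected ATYP {atyp:#04x} in reply")
    return addr, struct.unpack("!H", recv_exact(sock, 2))[0]


def tor_resolve(host, sock=None):
    """Resolve host through Tor, as tor-resolve(1) does; returns the address."""
    if sock is None:
        sock = socket.create_connection(TOR_SOCKS)
    with sock:
        return socks5_request(sock, CMD_RESOLVE, host, 0)[0]


def tor_connect(host, port, sock=None):
    """Return a socket whose far end is host:port, reached through a Tor circuit."""
    if sock is None:
        sock = socket.create_connection(TOR_SOCKS)
    socks5_request(sock, CMD_CONNECT, host, port)
    return sock


def fake_socksport(sock, seen):
    """Constructed stand-in for the SocksPort so the example runs offline: records
    the request, refuses non-DOMAINNAME addresses (a leaking client) and answers
    both CONNECT and RESOLVE with FAKE_ANSWER."""
    with sock:
        _ver, nmethods = recv_exact(sock, 2)
        recv_exact(sock, nmethods)
        sock.sendall(bytes([SOCKS_VER, 0x00]))
        _ver, cmd, _rsv, atyp = recv_exact(sock, 4)
        if atyp != ATYP_DOMAIN:
            sock.sendall(bytes([SOCKS_VER, 0x08, 0x00, ATYP_IPV4]) + bytes(6))  # address type not supported
            return
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
        port = struct.unpack("!H", recv_exact(sock, 2))[0]
        seen.update(cmd=cmd, host=host, port=port)
        sock.sendall(bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4])
                     + socket.inet_aton(FAKE_ANSWER) + struct.pack("!H", port))
        if cmd == CMD_CONNECT:
            sock.sendall(FAKE_BANNER)


def demo_offline():
    """Run one RESOLVE and one CONNECT against the fake; return what each side saw."""
    result = {}
    for label, cmd in (("resolve", CMD_RESOLVE), ("connect", CMD_CONNECT)):
        client, server = socket.socketpair()
        seen = {}
        worker = threading.Thread(target=fake_socksport, args=(server, seen))
        worker.start()
        if cmd == CMD_RESOLVE:
            result["address"] = tor_resolve("archlinux.org", sock=client)
        else:
            with tor_connect("archlinux.org", 80, sock=client) as conn:
                result["banner"] = recv_exact(conn, len(FAKE_BANNER))
        worker.join()
        result[label] = seen
    return result


if __name__ == "__main__":
    print(demo_offline())
```

The fake server's rejection of ATYP 0x01 is the check to keep in mind when evaluating any application's "SOCKS support": if the proxy only ever sees IP addresses, the application resolved the name itself and the lookup went out in the clear.<br />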
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* It uses {{ic|--ipv6}} and {{ic|--ipv4}} for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not accept the IPv4 {{ic|--reject-with}} types used here (it has its own, e.g. {{ic|icmp6-port-unreachable}}), which is why those rules are marked {{ic|--ipv4}} and the IPv6 chains end in a plain {{ic|REJECT}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start iptables and ip6tables:<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
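As an added example, not part of the original page: a Python model of the nat OUTPUT and filter OUTPUT chains above, for checking what a new outbound flow from this host would get before the rules are loaded. The tor user's uid (43) is an assumption; read the real one with {{ic|id -u tor}}. Only new connections are modelled; conntrack's RELATED,ESTABLISHED rule and the PREROUTING rules for forwarded traffic are left out, and the sample flows are constructed.<br />

```python
import ipaddress

TRANS_PORT = 9040      # torrc: TransPort 9040
DNS_PORT = 5353        # torrc: DNSPort 5353
TOR_UID = 43           # assumed uid of the tor user; check with: id -u tor
LAN = ipaddress.ip_network("192.168.0.0/16")     # the LAN bypass in the ruleset
LOOPBACK4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK6 = ipaddress.ip_network("::1/128")


def nat_output(proto, dst, dport, uid, oif):
    """Mirror the nat OUTPUT chain; returns the (possibly rewritten) destination.
    REDIRECT on locally generated packets rewrites the destination to the
    loopback address of the packet's family and to the given port."""
    if oif == "lo":
        return dst, dport                            # -o lo -j RETURN
    if dst.version == 4 and dst in LAN:
        return dst, dport                            # --ipv4 -d 192.168.0.0/16 -j RETURN
    if uid == TOR_UID:
        return dst, dport                            # --uid-owner tor -j RETURN
    loop = ipaddress.ip_address("127.0.0.1" if dst.version == 4 else "::1")
    if proto == "udp" and dport == 53:
        return loop, DNS_PORT                        # REDIRECT --to-ports 5353
    if proto == "tcp":                               # a new connection is the SYN packet
        return loop, TRANS_PORT                      # REDIRECT --to-ports 9040
    return dst, dport                                # anything else is left untouched


def filter_output(dst, uid):
    """Mirror the filter OUTPUT chain for a NEW flow (policy DROP, explicit REJECT)."""
    if dst.version == 4 and (dst in LOOPBACK4 or dst in LAN):
        return "ACCEPT"
    if dst.version == 6 and dst in LOOPBACK6:
        return "ACCEPT"
    if uid == TOR_UID:
        return "ACCEPT"
    return "REJECT"


def classify(proto, dst, dport, uid=1000, oif="eth0"):
    """'TOR:9040' (torified), 'TOR:5353' (DNS via Tor), 'DIRECT' or 'REJECT'."""
    dst = ipaddress.ip_address(dst)
    new_dst, new_port = nat_output(proto, dst, dport, uid, oif)
    if filter_output(new_dst, uid) != "ACCEPT":
        return "REJECT"
    return f"TOR:{new_port}" if new_dst != dst else "DIRECT"


# Constructed sample flows. The NTP one is the kind of UDP traffic the ruleset
# must drop, since Tor carries only TCP (plus DNS through its DNSPort).
SAMPLE_FLOWS = [
    ("tcp", "93.184.216.34", 443, 1000, "eth0"),     # a browser, any user
    ("udp", "9.9.9.9", 53, 1000, "eth0"),            # a DNS lookup
    ("udp", "203.0.113.1", 123, 1000, "eth0"),       # NTP: cannot be torified
    ("icmp", "203.0.113.1", 0, 1000, "eth0"),        # ping: also blocked
    ("tcp", "203.0.113.1", 9001, TOR_UID, "eth0"),   # Tor's own OR connection
    ("tcp", "192.168.1.1", 22, 1000, "eth0"),        # the deliberate LAN hole
    ("tcp", "2001:db8::1", 443, 1000, "eth0"),       # IPv6 is torified too
]


def audit(flows=SAMPLE_FLOWS):
    """Classify every sample flow; keyed by (proto, dst, dport, uid)."""
    return {(p, d, port, uid): classify(p, d, port, uid, oif) for p, d, port, uid, oif in flows}


if __name__ == "__main__":
    for flow, verdict in audit().items():
        print(f"{verdict:9} {flow}")
```

Two results deserve attention: the {{ic|192.168.0.0/16}} flow is {{ic|DIRECT}}, which is the intended LAN bypass but also a path an application can use to reach anything on that network outside Tor, and the ICMP and non-DNS UDP flows are rejected outright, so programs that need them will fail rather than leak.<br />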
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the service still does not start, run it as root and let Tor drop privileges itself (it switches to the tor user after start-up). Set the user in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
Then override the service user with a drop-in file (see [[systemd]]) rather than editing {{ic|/usr/lib/systemd/system/tor.service}}, which pacman overwrites on upgrade:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
The process will run as the tor user after start-up, so the data directory must belong to it. Tor refuses a {{ic|DataDirectory}} that other users can read, so keep it at mode 700 rather than making it world-readable:<br />
<br />
 # chown -R tor:tor /var/lib/tor/<br />
 # chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div><br />
Tor, revision of 2014-12-08T10:12:51Z by Usprey (https://wiki.archlinux.org/index.php?title=Tor&diff=349044), edit summary: /* +100Mbps Exit Relay configuration example */ Added haveged section<br />
<hr /><br />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and accept the ''void your warranty'' prompt. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This sends all DNS requests through Tor's SOCKS proxy instead of resolving them locally.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then enter ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 interface directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak the names they look up. Consider using SOCKS4a (e.g. with Privoxy) instead, which hands the hostname to the proxy for resolution.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, no HTTP proxy like [[polipo]]/[[privoxy]] is needed. We will be using Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} address directly. It also requires the charybdis/ircd-seven SASL mechanism for identifying to NickServ during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your NickServ credentials, which will be sent when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay (no exit traffic), add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
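As an added example (not code from the wiki or from Tor), the following Python evaluator applies the first-match semantics of {{ic|ExitPolicy}} lines like the ones above, so an operator can check which destinations a policy really permits before deploying it. It models only the lines you write; Tor appends its own default policy after them, which the example does not reproduce, so the sample policies end with an explicit catch-all. The probe addresses are constructed documentation addresses.<br />

```python
"""Evaluate Tor ExitPolicy entries with first-match semantics.
Added example, not Tor's own code; it covers 'accept|reject ADDR[/MASK]:PORT[-PORT]'
with '*' wildcards and does not reproduce Tor's appended default policy."""
import ipaddress


def parse_exit_policy(line):
    """Parse one ExitPolicy value, e.g. 'accept *:6660-6667,reject *:*  # irc only',
    into a list of (allow, network_or_None, low_port, high_port) tuples."""
    rules = []
    for entry in line.split("#", 1)[0].split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, pattern = entry.split(None, 1)
        if action.lower() not in ("accept", "reject"):
            raise ValueError(f"unknown action {action!r}")
        addr, ports = pattern.rsplit(":", 1)
        addr = addr.replace("[", "").replace("]", "")   # IPv6 entries are written [addr]/mask
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range {ports!r}")
        rules.append((action.lower() == "accept", net, low, high))
    return rules


def exit_allowed(rules, dest_ip, dest_port):
    """Return True if the first matching rule accepts dest_ip:dest_port.
    The policy must end with a catch-all ('accept *:*' or 'reject *:*')."""
    ip = ipaddress.ip_address(dest_ip)
    for allow, net, low, high in rules:
        if net is not None and (ip.version != net.version or ip not in net):
            continue
        if low <= dest_port <= high:
            return allow
    raise ValueError("no rule matched; add a trailing 'accept *:*' or 'reject *:*'")


def policy_summary(line, probes):
    """Evaluate a policy against (ip, port) probes; returns {(ip, port): allowed}."""
    rules = parse_exit_policy(line)
    return {(ip, port): exit_allowed(rules, ip, port) for ip, port in probes}


if __name__ == "__main__":
    # Constructed probes (documentation addresses, not real hosts).
    probes = [("203.0.113.5", 6667), ("203.0.113.5", 80), ("198.51.100.7", 80)]
    for policy in ["accept *:6660-6667,reject *:*  # Allow irc ports but no more",
                   "reject 203.0.113.0/24:*,accept *:*"]:
        print(policy, policy_summary(policy, probes))
```

The second sample policy is the shape of the {{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} line used in the fast-relay configuration further down: it keeps exit traffic away from the relay's own network before the catch-all accepts the rest.<br />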
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}} ({{ic|ulimit}} is a shell builtin, so it has to run inside a shell started as the ''tor'' user).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also set the {{ic|User tor}} option in {{ic|/etc/tor/torrc}}, so that Tor drops its privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor's privileges afterwards.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighbouring machines' public IPs and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== Haveged =====<br />
See [[Haveged]] to decide whether your system generates enough entropy to handle a lot of OpenSSL connections; see also [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged].<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
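The SOCKS5 port at 127.0.0.1:9050 (see [[#Usage]]) and {{ic|tor-resolve}} speak the same protocol. This added Python example (not the wiki's or Tor's code) builds a SOCKS5 request that carries the hostname rather than an address, which is what keeps DNS lookups inside Tor for any SOCKS-aware client, and sends Tor's RESOLVE extension command (0xF0, documented in Tor's socks-extensions.txt) the way {{ic|tor-resolve}} does. The reply bytes in the checks are constructed, the resolved address being the one from the {{ic|tor-resolve}} output above; {{ic|tor_resolve()}} and {{ic|tor_connect()}} need a running Tor on the default SocksPort.<br />

```python
"""SOCKS5 with remote hostname resolution plus Tor's RESOLVE extension.
Added example, not Tor's own code. Reply bytes used in checks are constructed."""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0                  # Tor extension: resolve a name, return its address
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
TOR_SOCKS = ("127.0.0.1", 9050)     # plain Tor default SocksPort


def build_request(cmd, host, port):
    """Encode a SOCKS5 request with ATYP 0x03 (domain name): the proxy, not the
    local resolver, looks the name up, so no DNS query leaves via the clearnet.
    A client that sends a literal IP here has already resolved the name itself."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (struct.pack("!BBBB", SOCKS_VERSION, cmd, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def parse_reply(data):
    """Decode a SOCKS5 reply into (status, bound_address, bound_port).
    For RESOLVE, Tor returns the resolved address in the BND.ADDR field."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    (port,) = struct.unpack("!H", rest[:2])
    return status, addr, port


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def _read_reply(sock):
    head = _recv_exact(sock, 4)
    atyp = head[3]
    if atyp == ATYP_IPV4:
        body = _recv_exact(sock, 4)
    elif atyp == ATYP_IPV6:
        body = _recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        length = _recv_exact(sock, 1)
        body = length + _recv_exact(sock, length[0])
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    return parse_reply(head + body + _recv_exact(sock, 2))


def _handshake(sock):
    sock.sendall(bytes([SOCKS_VERSION, 1, 0x00]))      # offer only 'no authentication'
    version, method = _recv_exact(sock, 2)
    if version != SOCKS_VERSION or method != 0x00:
        raise ConnectionError("proxy rejected the no-auth method")


def tor_resolve(host, proxy=TOR_SOCKS):
    """Same exchange as `tor-resolve host`: RESOLVE over the SOCKS port."""
    with socket.create_connection(proxy) as sock:
        _handshake(sock)
        sock.sendall(build_request(CMD_RESOLVE, host, 0))
        status, addr, _ = _read_reply(sock)
        if status != 0:
            raise OSError(f"RESOLVE failed with SOCKS status {status}")
        return addr


def tor_connect(host, port, proxy=TOR_SOCKS):
    """Open a TCP stream to host:port through Tor; returns the connected socket."""
    sock = socket.create_connection(proxy)
    _handshake(sock)
    sock.sendall(build_request(CMD_CONNECT, host, port))
    status, _, _ = _read_reply(sock)
    if status != 0:
        sock.close()
        raise OSError(f"CONNECT failed with SOCKS status {status}")
    return sock
```

The difference between a client that leaks DNS and one that does not is visible in {{ic|build_request}}: {{ic|curl --socks5-hostname}} (as used in [[#Pacman]]) and Firefox with {{ic|network.proxy.socks_remote_dns}} send ATYP 0x03 with the name, whereas {{ic|curl --socks5}} resolves locally first and sends the address.<br />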
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* It uses {{ic|--ipv6}} and {{ic|--ipv4}} for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can load the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is given explicitly, {{ic|ip*tables-restore}} ignores the rule if it is not for its own protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which usually means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by ''tor''. Find them with the following command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the Tor service, run it as root (Tor will switch back to the ''tor'' user by itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Then modify the systemd unit {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then drop to the ''tor'' user. For this to work, make {{ic|/var/lib/tor}} owned by ''tor'' and accessible only to that user (Tor expects its DataDirectory to be private, mode 700):<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348897Tor2014-12-07T12:43:29Z<p>Usprey: /* Tor configuration */ RelayBandwidth* Units</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}}, with {{ic|User tor}} in {{ic|torrc}} so that it drops privileges after binding.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under $TORCHROOT; run this as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
# Directory skeleton<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# /lib is a symlink to /usr/lib inside the chroot, as on the host<br />
ln -s /usr/lib $TORCHROOT/lib<br />
<br />
# Name resolution, resolver and time zone configuration<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# Tor binary, GeoIP databases and every library it links against<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver libraries are loaded at runtime, so ldd does not list them<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
<br />
# Data directory (keys and state); it must stay owned by the tor user<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs: entropy sources and /dev/null<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
# On x86_64 the dynamic loader is looked up as /lib64/ld-linux-x86-64.so.2<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s lib $TORCHROOT/usr/lib64 # relative target, so the link also resolves from inside the chroot<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications such as messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, no HTTP proxy like [[polipo]]/[[privoxy]] is needed; the client talks to Tor's SOCKS port directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the port changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} address directly. This also requires the SASL mechanism of charybdis and ircd-seven for identifying to NickServ during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Store your NickServ credentials, which irssi reads when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridge documentation], make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay only, refuse all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only IRC ports 6660-6667 to exit from the node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor blocks certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
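As an added example (not code from the ArchWiki page or the Tor project), the following Python models how these entries are evaluated: first match wins, and Tor's default policy from the manual is appended last, so you can check what a given {{ic|ExitPolicy}} actually lets out before deploying it. The destination addresses used are constructed documentation addresses, and only IPv4 entries are modelled.<br />
<br />
```python
"""Evaluate Tor ExitPolicy lines the way the relay does: first match wins.

Added example, not code from the ArchWiki page or the Tor project. It models
the torrc syntax shown above (accept|reject ADDR[/MASK]:PORT[-PORT], several
entries per line separated by commas, lines evaluated in order) for IPv4
destinations, and appends the default policy printed in the Tor manual for
the 0.2.x series so the effect of an override such as 'accept *:119' is visible.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    action: str                                   # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]      # None means "*" (any address)
    port_low: int
    port_high: int


# Default exit policy as listed in the Tor manual (0.2.x); Tor appends it
# after the operator's own ExitPolicy lines.
DEFAULT_EXIT_POLICY = (
    "ExitPolicy reject *:25,reject *:119,reject *:135-139,reject *:445,"
    "reject *:563,reject *:1214,reject *:4661-4666,reject *:6346-6429,"
    "reject *:6699,reject *:6881-6999,accept *:*"
)


def _parse_ports(spec: str) -> Tuple[int, int]:
    """'*' -> all ports, 'N' -> one port, 'N-M' -> inclusive range."""
    if spec == "*":
        return 1, 65535
    low, _, high = spec.partition("-")
    lo, hi = int(low), (int(high) if high else int(low))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi


def _parse_address(spec: str) -> Optional[ipaddress.IPv4Network]:
    if spec == "*":
        return None
    return ipaddress.IPv4Network(spec, strict=False)


def parse_exit_policy(torrc_text: str) -> List[Entry]:
    """Parse every ExitPolicy line in torrc text; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key.lower() != "exitpolicy":
            continue
        for item in value.split(","):
            action, _, target = item.strip().partition(" ")
            action = action.lower()
            if action not in ("accept", "reject"):
                raise ValueError(f"bad policy entry: {item!r}")
            target = target.strip()
            # An entry without ':PORT' applies to all ports of that address
            addr, _, ports = target.rpartition(":") if ":" in target else (target, "", "*")
            lo, hi = _parse_ports(ports)
            entries.append(Entry(action, _parse_address(addr), lo, hi))
    return entries


def effective_policy(torrc_text: str) -> List[Entry]:
    """Operator lines first, then Tor's default policy."""
    return parse_exit_policy(torrc_text) + parse_exit_policy(DEFAULT_EXIT_POLICY)


def match_exit(policy: List[Entry], dest_ip: str, dest_port: int) -> Tuple[bool, Optional[Entry]]:
    """Return (allowed, matching entry). The first entry whose address and
    port both match decides; with no match at all the connection is refused."""
    ip = ipaddress.IPv4Address(dest_ip)
    for entry in policy:
        if entry.network is not None and ip not in entry.network:
            continue
        if not entry.port_low <= dest_port <= entry.port_high:
            continue
        return entry.action == "accept", entry
    return False, None


def exit_allowed(torrc_text: str, dest_ip: str, dest_port: int) -> bool:
    """Would this relay, configured with these torrc lines, exit to ip:port?"""
    return match_exit(effective_policy(torrc_text), dest_ip, dest_port)[0]


if __name__ == "__main__":
    # Constructed destination (documentation address) against the policies shown above
    for torrc in ("ExitPolicy accept *:6660-6667,reject *:*", "ExitPolicy accept *:119", ""):
        for port in (80, 119, 6667):
            label = torrc or "<default policy only>"
            print(f"{label:45} port {port:5}: {exit_allowed(torrc, '198.51.100.5', port)}")
```
<br />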
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit has been raised successfully with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it needs a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops to the tor user afterwards.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor properly reduces its privileges after binding.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 400 Mbits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
RelayBandwidthBurst 500 MBits ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and thereby circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
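<br />
The lookup {{ic|tor-resolve}} performs is a SOCKS5 request with Tor's RESOLVE extension, sent to the SocksPort. The following is an added Python example (not code from the ArchWiki page or the Tor project) that builds and decodes those messages and performs the lookup; it assumes the page's default proxy address 127.0.0.1:9050, and the wire-format helpers work without a running Tor.<br />
<br />
```python
"""Resolve a name through Tor's SocksPort the way tor-resolve does.

Added example, not code from the ArchWiki page or the Tor project. Tor extends
SOCKS5 with the commands RESOLVE (0xF0) and RESOLVE_PTR (0xF1): the request is
a normal SOCKS5 request with that command, and the reply carries the answer in
the BND.ADDR field. The proxy address 127.0.0.1:9050 is the page's default and
is an assumption here; the wire-format helpers need no running Tor.
"""
import socket

SOCKS_VERSION = 5
NO_AUTH = 0
CMD_RESOLVE = 0xF0        # Tor extension: forward lookup
CMD_RESOLVE_PTR = 0xF1    # Tor extension: reverse lookup
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {
    1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def build_resolve_request(name: str, reverse: bool = False) -> bytes:
    """SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT (port is unused, 0)."""
    if reverse:
        # PTR lookups carry the IPv4 address in binary form
        return bytes([SOCKS_VERSION, CMD_RESOLVE_PTR, 0, ATYP_IPV4]) + socket.inet_aton(name) + b"\x00\x00"
    raw = name.encode("idna")
    if not 0 < len(raw) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    return bytes([SOCKS_VERSION, CMD_RESOLVE, 0, ATYP_DOMAIN, len(raw)]) + raw + b"\x00\x00"


def parse_resolve_reply(data: bytes) -> str:
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT; returns the address or name."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if data[1] != 0:
        raise OSError(f"resolve failed: {REPLY_TEXT.get(data[1], 'error %d' % data[1])}")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        return socket.inet_ntoa(data[4:8])
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, data[4:20])
    if atyp == ATYP_DOMAIN:                  # answer to a PTR lookup
        return data[5:5 + data[4]].decode("idna")
    raise ValueError(f"unknown address type {atyp}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("Tor closed the SOCKS connection")
        buf += chunk
    return buf


def tor_resolve(name: str, proxy=("127.0.0.1", 9050), reverse: bool = False, timeout: float = 30.0) -> str:
    """Perform the lookup through a running Tor; equivalent to `tor-resolve name`."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))     # offer only "no authentication"
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise OSError("SOCKS5 without authentication was refused")
        sock.sendall(build_resolve_request(name, reverse))
        head = _recv_exact(sock, 4)
        atyp = head[3]
        if atyp == ATYP_IPV4:
            body = _recv_exact(sock, 4 + 2)
        elif atyp == ATYP_IPV6:
            body = _recv_exact(sock, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            length = _recv_exact(sock, 1)
            body = length + _recv_exact(sock, length[0] + 2)
        else:
            body = b""
        return parse_resolve_reply(head + body)


if __name__ == "__main__":
    import sys
    print(tor_resolve(sys.argv[1] if len(sys.argv) > 1 else "archlinux.org"))
```
<br />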
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor back to listening for DNS requests on port 9053 ({{ic|DNSPort 9053}} in torrc, as above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
This configuration makes dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream server. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server:<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not overwrite the resolver configuration file, by adding this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv6}} and {{ic|--ipv4}} are used for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can read the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is given explicitly, {{ic|ip*tables-restore}} ignores the rule if it is not for its own protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}, so the IPv6 rules use a plain {{ic|REJECT}}.<br />
<br />
The ports in the rules must match your torrc, so make sure it contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
--ipv4 -A INPUT -p icmp -j ACCEPT<br />
--ipv6 -A INPUT -p ipv6-icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
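The following script is an added consistency check, not part of this page or of Tor: it parses a copy of the rules file and of torrc (both embedded below as constructed samples taken from this section; a real run would read the two files) and verifies that the nat REDIRECT ports match torrc's TransPort and DNSPort, that Tor's own traffic is exempted before any redirect, and that the filter chains default to DROP. The function names are the example's own.<br />
<br />
```shell
#!/bin/sh
# Added consistency check, not code from the wiki page or from Tor: verify,
# offline, that an iptables rules file for transparent torification agrees
# with torrc (same TransPort/DNSPort), exempts Tor's own traffic before any
# REDIRECT, and defaults to DROP so non-torifiable traffic cannot leak.

# Constructed sample input: the relevant nat/filter lines and torrc options
# from this section (a real run would read the two files instead).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
COMMIT'

SAMPLE_TORRC='SocksPort 9050
DNSPort 5353
TransPort 9040'

# torrc_port TORRC OPTION: print the port set for OPTION (empty if unset).
torrc_port() {
    printf '%s\n' "$1" | awk -v opt="$2" '$1 == opt { print $2; exit }'
}

# table_lines RULES TABLE: print only the lines belonging to *TABLE.
table_lines() {
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t { on = 1; next } /^\*/ { on = 0 } on'
}

# check_torification RULES TORRC: print one line per problem; return 0 only
# when every check passes.
check_torification() {
    rules=$1 torrc=$2 bad=0
    dnsport=$(torrc_port "$torrc" DNSPort)
    transport=$(torrc_port "$torrc" TransPort)
    [ -n "$dnsport" ] && [ -n "$transport" ] ||
        { echo "torrc must set both DNSPort and TransPort"; return 1; }
    nat=$(table_lines "$rules" nat)
    filter=$(table_lines "$rules" filter)

    # 1. Locally generated DNS and new TCP connections go to the torrc ports.
    printf '%s\n' "$nat" | grep -q -- "-A OUTPUT .*--dport 53 -j REDIRECT --to-ports $dnsport\$" ||
        { echo "nat OUTPUT does not redirect UDP 53 to DNSPort $dnsport"; bad=1; }
    printf '%s\n' "$nat" | grep -q -- "-A OUTPUT .*SYN -j REDIRECT --to-ports $transport\$" ||
        { echo "nat OUTPUT does not redirect TCP SYN to TransPort $transport"; bad=1; }

    # 2. Tor's own connections must RETURN before the first REDIRECT, or Tor
    #    would be looped back into itself and never reach the network.
    printf '%s\n' "$nat" | awk '
        /^-A OUTPUT .*--uid-owner "tor" -j RETURN/ && !exempt { exempt = NR }
        /^-A OUTPUT .*-j REDIRECT/ && !redirect { redirect = NR }
        END { exit !(exempt && redirect && exempt < redirect) }' ||
        { echo "nat OUTPUT must RETURN for uid tor before any REDIRECT"; bad=1; }

    # 3. Default-deny is what blocks everything Tor cannot carry (all UDP
    #    except the redirected DNS, forwarding, unsolicited inbound).
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$filter" | grep -q "^:$chain DROP" ||
            { echo "filter $chain policy is not DROP"; bad=1; }
    done

    # 4. Only the tor user may open new outbound connections.
    printf '%s\n' "$filter" | grep -q -- '^-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT' ||
        { echo "filter OUTPUT does not ACCEPT new connections from uid tor"; bad=1; }
    return $bad
}

# Example run on the embedded sample; on a real system use
#   check_torification "$(cat /etc/iptables/iptables.rules)" "$(cat /etc/tor/torrc)"
check_torification "$SAMPLE_RULES" "$SAMPLE_TORRC" && echo "rules and torrc are consistent"
```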
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the User value, which most likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will then switch to the tor user by itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will still run as the tor user, so change the owner and group of the data directory to tor and make sure that user can write to it:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348844Tor2014-12-07T11:07:42Z<p>Usprey: /* Tor configuration */ support</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}} so that it drops back to the tor user after binding them.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    # The kernel looks for the x86_64 loader as /lib64/ld-linux-x86-64.so.2 inside<br />
    # the chroot, so /lib64 and /usr/lib64 must point at the chroot's own /usr/lib.<br />
    # Relative links (-r) stay valid both from the host and from inside the chroot;<br />
    # an absolute link to $TORCHROOT/usr/lib would not resolve once chrooted.<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    ln -sr $TORCHROOT/usr/lib $TORCHROOT/usr/lib64<br />
    ln -sr $TORCHROOT/usr/lib64 $TORCHROOT/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. The Tor daemon, which listens on port 9050 by default, can be used directly.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridge documentation], make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman (a non-exit relay), reject all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
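As an added example (not from the wiki page or from Tor itself), the following shell function evaluates an ExitPolicy value with Tor's first-match semantics, so an operator can check what a policy line permits for a given port before putting a relay on the network. The {{ic|DEFAULT_EXIT_POLICY}} list is the port-reject default documented in {{ic|man tor}} of this era and should be checked against your version; only the {{ic|*}} address wildcard is handled, and the function names are the example's own.<br />
<br />
```shell
#!/bin/sh
# Added example, not code from the wiki page or from Tor: evaluate a torrc
# ExitPolicy the way Tor does (first matching entry wins) for a given port.
# Only the "*" address wildcard is handled, which is all the policies above use.

# Tor's own default tail (from "man tor" of this era; verify against your
# version): rejects SMTP, NNTP, SMB and file-sharing ports, accepts the rest.
DEFAULT_EXIT_POLICY='reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*'

# exit_policy_decision POLICY PORT
#   POLICY is the value of an ExitPolicy line, e.g. "accept *:6660-6667,reject *:*".
#   Prints "accept" or "reject" from the first entry matching PORT, or
#   "nomatch" if no entry matches (Tor would then fall through to its default).
exit_policy_decision() {
    printf '%s\n' "$1" | awk -v port="$2" -F' *, *' '
    {
        sub(/#.*/, "")                          # drop a trailing torrc comment
        for (i = 1; i <= NF; i++) {
            if (split($i, f, " ") < 2) continue # f[1] = verb, f[2] = addr:ports
            verb = f[1]
            colon = index(f[2], ":")
            if (colon == 0) continue
            addr = substr(f[2], 1, colon - 1)
            ports = substr(f[2], colon + 1)
            if (addr != "*") continue           # IP/netmask entries are not evaluated here
            if (ports == "*") { print verb; exit }
            if (split(ports, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
            else { lo = ports + 0; hi = lo }
            if (port + 0 >= lo && port + 0 <= hi) { print verb; exit }
        }
        print "nomatch"
    }'
}

# effective_decision POLICY PORT: what the relay will actually do, i.e. the
# operator's ExitPolicy followed by Tor's default policy, as Tor appends it.
effective_decision() {
    exit_policy_decision "$1,$DEFAULT_EXIT_POLICY" "$2"
}

# Usage, e.g. checking that "accept *:119" overrides the default NNTP reject:
#   effective_decision 'accept *:119' 119   prints accept
#   effective_decision '' 119               prints reject
```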
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} (ulimit is a shell builtin, so it needs a shell) or with {{ic|# sudo -u tor bash}} followed by {{ic|# ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges afterwards.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic support<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv6}} and {{ic|--ipv4}} are used for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
The rules redirect to Tor's DNSPort and TransPort, so make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
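The ports hard-coded in the rules file above must match the ones in torrc, and the filter table must drop everything the nat table could not redirect; a mismatch means either a silent DNS/TCP leak or a dead network. The following added example (not from this wiki page or the Tor project) checks both on constructed sample files; the function names and the sample torrc and rules files are assumptions made for the example:<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): cross-check a torrc against an
# iptables-restore rules file, so that the ports the firewall redirects to are
# the ports Tor actually listens on, and that non-redirected traffic is dropped.

# torrc_port TORRC OPTION -> port of OPTION, accepting "5353" or "127.0.0.1:5353"
torrc_port() {
    awk -v opt="$2" '$1 == opt { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# redirect_port RULES PATTERN -> --to-ports of the first REDIRECT rule matching PATTERN
redirect_port() {
    grep -E -- "$2" "$1" | grep -oE -- '--to-ports [0-9]+' | head -n 1 | awk '{ print $2 }'
}

# filter_output_drop RULES -> 0 if the filter table's OUTPUT policy is DROP
filter_output_drop() {
    awk '/^\*/ { t = $0 } t == "*filter" && /^:OUTPUT DROP/ { f = 1 } END { exit !f }' "$1"
}

# check_tor_firewall TORRC RULES -> 0 if consistent, 1 otherwise (findings on stdout)
check_tor_firewall() {
    rc=0
    dnsport=$(torrc_port "$1" DNSPort)
    transport=$(torrc_port "$1" TransPort)
    dns_redirect=$(redirect_port "$2" '^-A OUTPUT .*--dport 53 .*REDIRECT')
    tcp_redirect=$(redirect_port "$2" '^-A OUTPUT .*--tcp-flags .*REDIRECT')
    if [ -z "$dnsport" ] || [ "$dnsport" != "$dns_redirect" ]; then
        echo "DNS: torrc DNSPort is '$dnsport' but UDP/53 is redirected to '$dns_redirect'"
        rc=1
    fi
    if [ -z "$transport" ] || [ "$transport" != "$tcp_redirect" ]; then
        echo "TCP: torrc TransPort is '$transport' but new TCP is redirected to '$tcp_redirect'"
        rc=1
    fi
    # Anything the nat table cannot redirect (non-DNS UDP, ICMP) must be dropped,
    # otherwise it leaves the host outside Tor
    if ! filter_output_drop "$2"; then
        echo "filter OUTPUT policy is not DROP: untorified traffic can leak"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not copied from any live system), written under $1
write_samples() {
    printf 'SocksPort 9050\nDNSPort 5353\nTransPort 9040\n' > "$1/torrc"
    printf 'SocksPort 9050\nDNSPort 53\nTransPort 9040\n' > "$1/torrc-bad"
    cat > "$1/iptables.rules" <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
COMMIT
EOF
}

d=$(mktemp -d)
write_samples "$d"
check_tor_firewall "$d/torrc" "$d/iptables.rules" && echo "torrc matches iptables.rules"
check_tor_firewall "$d/torrc-bad" "$d/iptables.rules" || echo "-> mismatch detected"
rm -rf "$d"
```

Run it against your real files with {{ic|check_tor_firewall /etc/tor/torrc /etc/iptables/iptables.rules}} after sourcing the script; the second sample torrc (DNSPort 53 instead of 5353) shows the kind of mismatch that would leave DNS redirected to a port nothing listens on.<br />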
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which most likely means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by the tor user. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or, to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will still run as the tor user. For this to work, change the owner and group of the data directory to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348840Tor2014-12-07T10:50:27Z<p>Usprey: /* Tor configuration */ aes link</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
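The two conflicts above are easy to introduce because the unit can be overridden by drop-in files in {{ic|tor.service.d/}}, and only the last {{ic|User<nowiki>=</nowiki>}} assignment counts. The following added example (not from this wiki page or the Tor project) resolves the effective {{ic|User<nowiki>=</nowiki>}} across a unit and its drop-ins and flags both conflicts; it assumes {{ic|Key<nowiki>=</nowiki>Value}} lines without surrounding spaces, and the function names and sample files are constructed for the example:<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): detect torrc/tor.service conflicts.
# Assumes "Key=Value" lines without surrounding spaces in unit files and
# "Option value" lines in torrc.

# torrc_value TORRC OPTION -> value of the first OPTION line, or "" if absent
torrc_value() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# unit_user UNIT [DROPIN_DIR] -> the User= the service effectively runs as.
# systemd reads the unit, then DROPIN_DIR/*.conf in lexical order; the last
# assignment wins, and an empty "User=" resets to the default (root).
unit_user() {
    user=root
    for f in "$1" "${2:-/nonexistent}"/*.conf; do
        [ -f "$f" ] || continue
        line=$(awk '/^\[/ { s = $0 }
                    s == "[Service]" && /^User=/ { v = $0; n = 1 }
                    END { print (n ? v : "unset") }' "$f")
        case "$line" in
            unset)  ;;
            User=)  user=root ;;
            User=*) user=${line#User=} ;;
        esac
    done
    printf '%s\n' "$user"
}

# check_torrc_vs_unit TORRC UNIT DROPIN_DIR -> 0 if consistent, 1 otherwise
check_torrc_vs_unit() {
    rc=0
    svc_user=$(unit_user "$2" "$3")
    daemon=$(torrc_value "$1" RunAsDaemon)
    tor_user=$(torrc_value "$1" User)
    # Type=simple expects Tor to stay in the foreground
    if [ "${daemon:-0}" != 0 ]; then
        echo "RunAsDaemon $daemon in torrc conflicts with Type=simple in the unit"
        rc=1
    fi
    # "User tor" in torrc means Tor drops privileges itself, which only works
    # when the service starts it as root
    if [ -n "$tor_user" ] && [ "$svc_user" != root ]; then
        echo "torrc sets 'User $tor_user' but the service runs as '$svc_user'"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files), written under $1
write_samples() {
    mkdir -p "$1/tor.service.d"
    printf 'RunAsDaemon 0\nUser tor\nORPort 443\n' > "$1/torrc"
    printf '[Unit]\nDescription=Tor\n[Service]\nType=simple\nUser=tor\n' > "$1/tor.service"
    printf '[Service]\nUser=root\n' > "$1/tor.service.d/start-as-root.conf"
}

d=$(mktemp -d)
write_samples "$d"
echo "without drop-in: runs as $(unit_user "$d/tor.service")"
check_torrc_vs_unit "$d/torrc" "$d/tor.service" "" || echo "-> conflict"
echo "with drop-in:    runs as $(unit_user "$d/tor.service" "$d/tor.service.d")"
check_torrc_vs_unit "$d/torrc" "$d/tor.service" "$d/tor.service.d" && echo "-> consistent"
rm -rf "$d"
```

The sample shows the case from the list above: {{ic|User tor}} in torrc together with {{ic|User<nowiki>=</nowiki>tor}} in the unit is a conflict, and the {{ic|start-as-root.conf}} drop-in resolves it by starting the service as root so that Tor can drop to the tor user itself.<br />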
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must be started as root to bind them, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}} so that Tor drops to the tor user afterwards.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Populate a minimal chroot for Tor under $TORCHROOT. Run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Arch merges /lib into /usr/lib; a relative link stays valid inside the chroot<br />
ln -s usr/lib $TORCHROOT/lib<br />
# Resolver and time zone configuration Tor needs inside the chroot<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# The binary, its GeoIP data and every shared library it links against<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs for randomness and for discarding output<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
# The 64-bit dynamic loader is looked up as /lib64/ld-linux-x86-64.so.2<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
# Relative links, so that both resolve inside the chroot as well<br />
ln -s usr/lib64 $TORCHROOT/lib64<br />
ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the ''Proxy Profiles'' tab add a new profile named ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then enter ''localhost'' as SOCKS Host, ''9050'' as the corresponding port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well as to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed: the client talks to Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman (a non-exit relay), reject all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node. To allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor to listen for DNS requests on port 9053 (the {{ic|DNSPort 9053}} line above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream resolver. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not alter the resolv configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
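<br />
To confirm that queries really reach the DNSPort before you point {{ic|/etc/resolv.conf}} or dnsmasq at it, the following Python client builds a DNS query by hand, sends it to 127.0.0.1:9053 (the port configured above) and decodes the reply. It is an added example, not code from this page or from Tor. {{ic|SAMPLE_REPLY}} is a constructed response carrying the {{ic|archlinux.org}} address shown in the {{ic|tor-resolve}} example, so the parser can be exercised offline; {{ic|query_tordns()}} needs Tor running with that DNSPort. Sending the same query with {{ic|1=qtype="MX"}} lets you observe how the listener handles a record type it does not forward.<br />
<br />
```python
"""Minimal DNS client for checking a TorDNS listener (Tor's DNSPort).
Added example, not from this page or from Tor. It builds a query by hand,
sends it over UDP to 127.0.0.1:9053 (the DNSPort configured above) and
decodes the reply. SAMPLE_REPLY is a constructed response so the parser can
be exercised without a running Tor."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype="A", txid=0x1234):
    """One standard query with RD set (RFC 1035 section 4.1). txid is fixed
    here for reproducibility; a real client should randomise it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def _read_name(data, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:               # pointer to an earlier name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(data):
    """Return (rcode name, [A/AAAA addresses]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                         # skip the echoed question(s)
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return RCODE.get(flags & 0x000F, str(flags & 0x000F)), answers

def query_tordns(name, qtype="A", server=("127.0.0.1", 9053), timeout=10.0):
    """Send one query to the DNSPort and decode the reply (needs Tor running)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), server)
        data, _ = s.recvfrom(512)
    return parse_response(data)

# Constructed reply for an A query: archlinux.org -> 66.211.214.131 (the address
# in the tor-resolve example above); the answer name is a pointer to the question.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + b"\x09archlinux\x03org\x00" + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes([66, 211, 214, 131]))

if __name__ == "__main__":
    print(query_tordns("archlinux.org"))
```
<br />
If {{ic|query_tordns()}} times out while {{ic|tor-resolve}} works, the DNSPort is not listening on the address and port you expect; compare against the {{ic|DNSPort}} line in {{ic|/etc/tor/torrc}}.<br />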
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port; it also prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* It uses {{ic|--ipv6}} and {{ic|--ipv4}} for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its own protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
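<br />
The ruleset above encodes several invariants that are easy to break when editing it by hand: the default {{ic|filter}} policies must stay {{ic|DROP}}, the {{ic|tor}} uid bypass must come before the {{ic|REDIRECT}} rules, and no {{ic|ACCEPT}} in the {{ic|OUTPUT}} chain may be unconditional. The following Python script is an added example, not part of this page or of the Tor project: it parses the iptables-restore format used above, including the {{ic|--ipv4}}/{{ic|--ipv6}} prefixes, and checks those invariants against an embedded copy of the ruleset. The TransPort and DNSPort numbers are the ones from the torrc lines above; the checks themselves are this example's own reading of the section, not something iptables or Tor provides.<br />
<br />
```python
"""Lint an iptables-restore file for the transparent-torification invariants.
Added example, not from the ArchWiki page or the Tor project. TRANS_PORT and
DNS_PORT are the torrc values from the section above; RULES copies the
ruleset above so the check runs offline."""
import shlex

TRANS_PORT, DNS_PORT = "9040", "5353"

RULES = """\
*nat
:PREROUTING ACCEPT [6:2126]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [17:6239]
:POSTROUTING ACCEPT [6:408]
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""

def parse_restore(text):
    """Return (policies, rules): policies maps (table, chain) -> default target,
    rules is a list of (table, chain, family, args) with family ipv4/ipv6/both."""
    policies, rules, table = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        else:
            toks = shlex.split(line)            # also unquotes "tor"
            family = "both"
            if toks[0] in ("--ipv4", "--ipv6"):
                family, toks = toks[0][2:], toks[1:]
            if toks[0] != "-A":
                raise ValueError(f"unsupported line: {line}")
            rules.append((table, toks[1], family, toks[2:]))
    return policies, rules

def opt(args, name):
    """Value following option `name`; None if absent or negated with '!'."""
    for i in range(len(args) - 1):
        if args[i] == name and (i == 0 or args[i - 1] != "!"):
            return args[i + 1]
    return None

def lint(text):
    """Return the list of leak-protection problems found (empty means OK)."""
    policies, rules = parse_restore(text)
    problems = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(("filter", chain)) != "DROP":
            problems.append(f"filter {chain} policy is not DROP")
    nat_out = [a for t, c, _, a in rules if (t, c) == ("nat", "OUTPUT")]
    redirects = [i for i, a in enumerate(nat_out) if opt(a, "-j") == "REDIRECT"]
    ports = {opt(nat_out[i], "--to-ports") for i in redirects}
    if TRANS_PORT not in ports:
        problems.append("nat OUTPUT does not redirect TCP SYN to TransPort")
    if DNS_PORT not in ports:
        problems.append("nat OUTPUT does not redirect UDP/53 to DNSPort")
    # Tor's own sockets must leave the chain before the REDIRECT rules, or Tor
    # would be fed its own outgoing connections.
    bypass = [i for i, a in enumerate(nat_out) if opt(a, "--uid-owner") == "tor"]
    if not bypass or (redirects and bypass[0] > redirects[0]):
        problems.append("nat OUTPUT: tor uid bypass missing or below the REDIRECT rules")
    for t, c, _, a in rules:
        if (t, c) == ("filter", "OUTPUT") and opt(a, "-j") == "ACCEPT":
            if not any(opt(a, o) for o in ("-d", "-o", "--uid-owner", "--ctstate")):
                problems.append("filter OUTPUT accepts unconditionally: " + " ".join(a))
    return problems

# Constructed broken variant: default OUTPUT policy ACCEPT lets non-DNS UDP out.
RULES_LEAKY = RULES.replace(":OUTPUT DROP [0:0]", ":OUTPUT ACCEPT [0:0]")
```
<br />
To check your own file, call {{ic|lint()}} on the contents of {{ic|/etc/iptables/iptables.rules}}; an empty list means every invariant holds, anything else names the rule or policy that would let traffic bypass Tor.<br />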
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by ''tor''. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will then switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then drop to the tor user after starting. Make sure the state directory is owned by that user and group and is writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348839Tor2014-12-07T10:50:03Z<p>Usprey: /* Tor configuration */ added aes link</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under $TORCHROOT; run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# inside the chroot, /lib resolves to the chroot's own /usr/lib<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver libraries are loaded at run time and do not show up in ldd<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# every shared library ldd reports for the tor binary<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
# relative link so it still resolves after chroot (an absolute /opt/... target would not)<br />
ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy instead of resolving them locally.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on Proxy SwitchySharp's icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup with other applications, such as messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead, which passes the hostname to the proxy for resolution.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, no HTTP proxy like [[polipo]]/[[privoxy]] is needed. The client talks to Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
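<br />
The {{ic|--socks5-hostname}} flag above, Firefox's {{ic|network.proxy.socks_remote_dns}} and the Socks4A remark in [[#Privoxy]] are the same mechanism at the SOCKS level: the client hands the hostname to Tor instead of resolving it first. The following Python module is an added example, not this page's or Tor's code, showing the two request encodings side by side and the Tor-specific RESOLVE command that {{ic|tor-resolve}} uses. The {{ic|0xF0}} command value is taken from Tor's socks-extensions specification; {{ic|tor_resolve()}} needs a running Tor on 127.0.0.1:9050, while the encoding functions run offline.<br />
<br />
```python
"""SOCKS5 framing as Tor sees it, showing where a DNS leak happens.
Added example, not the page's or Tor's code. A client with "remote DNS"
(Firefox socks_remote_dns, curl --socks5-hostname, Privoxy Socks4A) sends the
hostname to Tor (ATYP 0x03); a plain SOCKS client resolves the name itself
and sends the IP, and that local lookup is the leak. CMD_RESOLVE is Tor's
SOCKS5 extension used by tor-resolve (value from Tor's socks-extensions spec)."""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT, CMD_RESOLVE = 0x01, 0xF0
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
GREETING = bytes([SOCKS_VERSION, 1, 0x00])      # offer one method: no authentication

def _encode_address(host):
    """Return (ATYP, encoded address) for an IP literal or a domain name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        return ATYP_DOMAIN, bytes([len(name)]) + name
    return (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed

def build_request(cmd, host, port, remote_dns=True, resolver=socket.gethostbyname):
    """Encode a SOCKS5 request. With remote_dns=False a hostname is first
    resolved locally through `resolver`, which is exactly the DNS leak."""
    if not remote_dns:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            host = resolver(host)             # local DNS query, outside Tor
    atyp, addr = _encode_address(host)
    return struct.pack("!BBBB", SOCKS_VERSION, cmd, 0x00, atyp) + addr + struct.pack("!H", port)

def parse_reply(data):
    """Decode a SOCKS5 reply into (status, bound address, bound port); for
    CMD_RESOLVE the bound address carries the answer."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    return rep, addr, struct.unpack("!H", rest[:2])[0]

def tor_resolve(hostname, proxy=("127.0.0.1", 9050)):
    """Resolve a name through Tor like tor-resolve does (needs Tor running)."""
    with socket.create_connection(proxy) as s:
        s.sendall(GREETING)
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise OSError("proxy did not accept no-auth SOCKS5")
        s.sendall(build_request(CMD_RESOLVE, hostname, 0))
        rep, addr, _ = parse_reply(s.recv(512))
    if rep != 0:
        raise OSError(f"RESOLVE failed, SOCKS status {rep}")
    return addr

if __name__ == "__main__":
    print(tor_resolve("archlinux.org"))
```
<br />
The {{ic|resolver}} parameter exists only to make the leak visible: with {{ic|1=remote_dns=False}} it is called with the hostname before any byte reaches Tor, which is what happens inside any client that does not support remote DNS. Pidgin and the other clients on this page are configured correctly when their SOCKS5 request carries ATYP {{ic|0x03}}.<br />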
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor Project's bridge documentation], make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Make Tor a middleman (non-exit) relay:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
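<br />
The three policies above behave differently because Tor evaluates ExitPolicy entries in order, with the first match deciding and the default exit policy appended after the operator's own entries. The following Python evaluator is an added example, not Tor's code, that applies those rules so a policy can be checked before it goes live. {{ic|DEFAULT_POLICY}} is the port-based default listed in the tor manual (verify it against your version); {{ic|ExitPolicyRejectPrivate}}, which by default also rejects private address ranges, is not modelled. The {{ic|reject 192.0.2.0/24:*}} case stands in for the {{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} line used for the relay's own network in the exit relay configuration below; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as constructed values.<br />
<br />
```python
"""Evaluate torrc ExitPolicy lines the way Tor applies them: entries are tried
in order, the first match wins, and the default exit policy is appended after
the operator's own entries. Added example, not Tor's code. DEFAULT_POLICY is
the port-based default from the tor manual (check it against your version);
ExitPolicyRejectPrivate (on by default) is not modelled here."""
import ipaddress

DEFAULT_POLICY = ("reject *:25, reject *:119, reject *:135-139, reject *:445, "
                  "reject *:563, reject *:1214, reject *:4661-4666, "
                  "reject *:6346-6429, reject *:6699, reject *:6881-6999, accept *:*")

def parse_policy(line):
    """Parse one torrc-style line ('ExitPolicy accept *:6660-6667,reject *:* # ...')
    into a list of (action, network-or-None, low_port, high_port) tuples."""
    text = line.split("#", 1)[0].strip()          # drop a trailing comment
    if text.lower().startswith("exitpolicy"):
        text = text[len("ExitPolicy"):]
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        action, target = item.split()
        if action.lower() not in ("accept", "reject"):  # accept6/reject6 not handled
            raise ValueError(f"unsupported entry: {item!r}")
        host, ports = target.rsplit(":", 1)
        net = None if host == "*" else ipaddress.ip_network(host, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        entries.append((action.lower(), net, lo, hi))
    return entries

def exit_allowed(policy_lines, address, port):
    """True if a relay with these ExitPolicy lines would let a stream exit to
    address:port. Entries are checked in order, then DEFAULT_POLICY."""
    addr = ipaddress.ip_address(address)
    entries = [e for line in policy_lines for e in parse_policy(line)]
    entries += parse_policy(DEFAULT_POLICY)
    for action, net, lo, hi in entries:
        if (net is None or addr in net) and lo <= port <= hi:
            return action == "accept"
    return False      # not reached: DEFAULT_POLICY ends with accept *:*
```
<br />
Note that {{ic|ExitPolicy accept *:*}} placed first also overrides the default rejects (SMTP on port 25 would exit), while {{ic|accept *:119}} alone only adds NNTP on top of the default policy; the evaluator makes that difference explicit.<br />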
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}}, so that Tor drops back to the ''tor'' user once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} sets logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting so that it listens for DNS requests on port 9053, and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
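To see what the ruleset above actually does to a given packet, here is an added example (not code from the ArchWiki page or from iptables) that simulates the OUTPUT path of the nat and filter tables for locally generated IPv4 traffic. {{ic|RULES}} is a constructed excerpt containing only the OUTPUT chains of the file above, the sample addresses are from the documentation range 198.51.100.0/24, and the matcher is a deliberately simplified model of netfilter that understands just the options those rules use. It confirms the leak-protection properties the section describes: new TCP connections and UDP/53 are redirected to the TransPort and DNSPort, the tor user and the LAN bypass the redirect, and any other UDP is rejected rather than leaked.<br />
<br />
```python
"""Simulate the OUTPUT path of the transparent-torification rules (IPv4 only)."""
import ipaddress
import shlex
from dataclasses import dataclass, replace

# Constructed excerpt of the page's ruleset: only the two OUTPUT chains.
RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


@dataclass
class Packet:
    proto: str                # "tcp" or "udp"
    dst: str                  # destination IPv4 address
    dport: int
    uid: str = "alice"        # owner of the sending socket (-m owner)
    new_conn: bool = True     # TCP SYN / first datagram of a new flow
    out_iface: str = "eth0"


def parse_rules(text):
    """Return {table: {chain: {"policy": str, "rules": [dict]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "COMMIT":
            continue
        if line.startswith("*"):                  # table header, e.g. *nat
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                # chain header carries the policy
            chain, policy = line[1:].split()[:2]
            table[chain] = {"policy": policy, "rules": []}
        else:
            toks = shlex.split(line)              # also strips the quotes around "tor"
            if toks[0] == "--ipv6":               # IPv4 simulation: skip v6-only rules
                continue
            if toks[0] == "--ipv4":
                toks = toks[1:]
            rule, i = {}, 0
            while i < len(toks):
                if toks[i] == "--tcp-flags":      # two arguments: mask and comparison
                    rule["--tcp-flags"] = (toks[i + 1], toks[i + 2])
                    i += 3
                elif toks[i] == "-m":             # match-extension loader, no semantics
                    i += 2
                else:
                    rule[toks[i]] = toks[i + 1]
                    i += 2
            table[rule["-A"]]["rules"].append(rule)
    return tables


def matches(rule, pkt):
    """Every option present in the rule must match the packet (AND semantics)."""
    if "-o" in rule and rule["-o"] != pkt.out_iface:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["-d"]):
        return False
    if "--uid-owner" in rule and rule["--uid-owner"] != pkt.uid:
        return False
    if "-p" in rule and rule["-p"] != pkt.proto:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.dport:
        return False
    if "--tcp-flags" in rule and not pkt.new_conn:   # "SYN only" = first packet of a connection
        return False
    if "--ctstate" in rule and pkt.new_conn:         # RELATED,ESTABLISHED never matches a new flow
        return False
    return True


def walk(chain, pkt):
    """First matching rule wins; RETURN or no match falls back to the chain policy."""
    for rule in chain["rules"]:
        if matches(rule, pkt):
            return rule if rule["-j"] != "RETURN" else {"-j": chain["policy"]}
    return {"-j": chain["policy"]}


def fate(tables, pkt):
    """nat OUTPUT first, then filter OUTPUT: (nat_target, redirect_port, filter_target)."""
    nat, port = walk(tables["nat"]["OUTPUT"], pkt), None
    if nat["-j"] == "REDIRECT":
        # REDIRECT rewrites the destination to the local host, so the filter
        # chain then sees a packet for 127.0.0.1 leaving on lo.
        port = int(nat["--to-ports"])
        pkt = replace(pkt, dst="127.0.0.1", dport=port, out_iface="lo")
    return nat["-j"], port, walk(tables["filter"]["OUTPUT"], pkt)["-j"]


if __name__ == "__main__":
    t = parse_rules(RULES)
    for label, p in [("browser TCP SYN", Packet("tcp", "198.51.100.7", 80)),
                     ("stub resolver UDP/53", Packet("udp", "198.51.100.53", 53)),
                     ("NTP client UDP/123", Packet("udp", "198.51.100.7", 123)),
                     ("tor daemon itself", Packet("tcp", "198.51.100.7", 443, uid="tor"))]:
        print(f"{label:22} -> {fate(t, p)}")
```
<br />
Run it and the NTP sample comes back as {{ic|('ACCEPT', None, 'REJECT')}}: the nat table has nothing to redirect a non-DNS UDP packet to, so the filter table rejects it instead of letting it leave the host unprotected, which is exactly the behaviour the paragraph above asks for. Conntrack state, the PREROUTING chain and IPv6 are not modelled.<br />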
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the User value, which likely means that one or more files or directories in {{ic|/var/lib/tor}} are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then drop privileges to the tor user. For this to work, change the owner and group of Tor's data directory to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348834Tor2014-12-07T10:44:25Z<p>Usprey: /* Tor configuration */ HardwareAccel elaboration, divided into relevant paragraphs for readability</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications which resolve DNS names by themselves may leak information. Consider using SOCKS4A (e.g. with Privoxy) instead.<br />
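The DNS-leak point made here (and by the {{ic|network.proxy.socks_remote_dns}} setting in the Firefox section above) is easiest to see at the protocol level. The following added example, which is not code from the page, the Tor Project, Privoxy or any browser, builds the SOCKS5 handshake a client sends to Tor's SocksPort. The difference between "leaks" and "does not leak" is a single byte: a client that passes the hostname as address type 0x03 lets Tor resolve it inside the circuit, while a client that resolves the name itself and sends a bare IP (address type 0x01 or 0x04) has already performed a clear-text DNS lookup before Tor is involved. The proxy address 127.0.0.1:9050 is Tor's default SocksPort, and the reply bytes used for testing are constructed.<br />
<br />
```python
"""SOCKS5 CONNECT with proxy-side name resolution (RFC 1928 message layout)."""
import ipaddress
import socket
import struct

VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting():
    """Method selection: version 5, one offered method, 0x00 = no authentication."""
    return bytes([VER, 0x01, 0x00])


def connect_request(host, port):
    """Encode a CONNECT request without ever calling the system resolver.

    A hostname is sent verbatim as ATYP 0x03 (length-prefixed); only a literal
    IP address is encoded as ATYP 0x01/0x04, which is the leaking case."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def resolves_remotely(request):
    """True if the proxy, not the client, will resolve the destination name."""
    return request[3] == ATYP_DOMAIN


def parse_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT; returns (code, text, addr, port)."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    (port,) = struct.unpack("!H", rest[:2])
    return code, REPLY_CODES.get(code, "unassigned"), addr, port


def socks5_connect(host, port, proxy=("127.0.0.1", 9050)):
    """Open a TCP stream through Tor's SocksPort (assumes a running tor daemon)."""
    s = socket.create_connection(proxy)
    s.sendall(greeting())
    if s.recv(2) != bytes([VER, 0x00]):
        raise OSError("proxy rejected the no-authentication method")
    s.sendall(connect_request(host, port))
    code, text, _, _ = parse_reply(s.recv(262))   # longest reply: 4 + 1 + 255 + 2 bytes
    if code != 0x00:
        raise OSError(f"SOCKS5 CONNECT failed: {text}")
    return s
```
<br />
{{ic|socks5_connect("check.torproject.org", 443)}} is what a "remote DNS" capable client does; {{ic|connect_request(socket.gethostbyname(host), port)}} is the pattern to look for when auditing an application for leaks, since the lookup happens outside Tor.<br />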
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
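Because ExitPolicy entries are evaluated in order and the first match decides, it is easy to write a policy that does not do what you intended. The following added example (not code from the page or from Tor) parses ExitPolicy lines of the form shown in this section, including the {{ic|reject XXX.XXX.XXX.XXX/XX:*}} entry for the relay's own public netblock from the fast exit relay configuration below, and answers whether the relay would exit to a given destination. Tor appends its built-in default policy after your lines; that default is not modelled, so finish with an explicit {{ic|reject *:*}} (as the examples above do) to get a complete answer. The network 203.0.113.0/24 and the destination addresses are constructed documentation-range values.<br />
<br />
```python
"""Evaluate a torrc ExitPolicy against a destination using Tor's first-match rule."""
import ipaddress

# Constructed sample torrc fragment: own netblock first, then the IRC-only policy.
SAMPLE_TORRC = """\
ExitPolicy reject 203.0.113.0/24:*        # the relay's own public network (constructed)
ExitPolicy accept *:6660-6667,reject *:*  # Allow irc ports but no more
"""


def parse_exit_policy(torrc_text):
    """Return an ordered list of (action, network_or_None, low_port, high_port)."""
    entries = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop torrc comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() != "exitpolicy":              # torrc keys are case-insensitive
            continue
        for item in value.split(","):
            action, target = item.split()
            addr, _, ports = target.rpartition(":")  # "addr:ports"; addr may be *
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            elif "-" in ports:
                lo, hi = (int(p) for p in ports.split("-", 1))
            else:
                lo = hi = int(ports)
            if action.lower() not in ("accept", "reject"):
                raise ValueError(f"bad ExitPolicy action: {action}")
            entries.append((action.lower(), net, lo, hi))
    return entries


def exit_decision(policy, dst_ip, dst_port):
    """First matching entry decides; returns (allowed_or_None, matched_entry_text)."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, lo, hi in policy:
        if (net is None or ip in net) and lo <= dst_port <= hi:
            where = "*" if net is None else str(net)
            return action == "accept", f"{action} {where}:{lo}-{hi}"
    return None, "no entry matched (Tor's default policy would apply)"


if __name__ == "__main__":
    policy = parse_exit_policy(SAMPLE_TORRC)
    for dst in [("198.51.100.7", 6667), ("198.51.100.7", 80), ("203.0.113.9", 6667)]:
        print(dst, "->", exit_decision(policy, *dst))
```
<br />
Swap the order of the two ExitPolicy lines in {{ic|SAMPLE_TORRC}} and the decision for {{ic|203.0.113.9:6667}} flips to accept, which is why the page puts the reject for the relay's own address range before the general policy.<br />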
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|# ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
<br />
{{ic|Log notice stdout}} sends logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
<br />
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available".<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so that the exit relay resolves names faster and does not forward every DNS query to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server-section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the {{ic|DNSPort}} line in {{ic|/etc/tor/torrc}} to read:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Configure Tor to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer, and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Rules prefixed with {{ic|--ipv4}} or {{ic|--ipv6}} are protocol-specific, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv4}} or {{ic|--ipv6}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its own protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
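A preflight check for the rules above, added here as an example that is not part of the wiki page: it reads the rules file the way {{ic|iptables-restore}} and {{ic|ip6tables-restore}} do (honouring the {{ic|--ipv4}}/{{ic|--ipv6}} prefixes), confirms that the redirect ports match the torrc's {{ic|DNSPort}} and {{ic|TransPort}}, that Tor's own traffic is exempted from the redirect and accepted, and that the filter {{ic|OUTPUT}} policy is {{ic|DROP}}. The rules file and torrc it embeds are constructed, shortened copies of the ones shown above.<br />
<br />
```python
"""Consistency check between a transparent-torification iptables rules file
and the torrc it depends on.  Added example, not code from the wiki page."""
import re

# Constructed torrc fragment: the three lines the note above says must be present.
TORRC = """\
SocksPort 9050
DNSPort 5353
TransPort 9040
"""

# Constructed, shortened copy of the rules file shown above (same structure).
RULES = """\
*nat
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""


def parse_torrc(text):
    """Map lower-cased option names to the list of values given for them
    (DNSPort and TransPort may legitimately appear more than once)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), []).append(value.strip())
    return opts


def parse_rules(text, family):
    """Parse iptables-restore syntax into {table: {"policy": {...}, "rules": [...]}},
    keeping only what ip{,6}tables-restore loads for family ("ipv4" or "ipv6"):
    a rule prefixed with --ipv4 or --ipv6 is skipped by the other protocol's tool."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line == "COMMIT":
            current = None
        else:
            m = re.match(r"--(ipv4|ipv6)\s+(.*)", line)
            if m:
                if m.group(1) != family:
                    continue
                line = m.group(2)
            tables[current]["rules"].append(line)
    return tables


def check_torification(rules_text, torrc_text, family="ipv4"):
    """Return a list of problems; an empty list means rules and torrc agree.
    Only bare port numbers are compared (DNSPort/TransPort can also take addr:port)."""
    torrc = parse_torrc(torrc_text)
    tables = parse_rules(rules_text, family)
    nat, filt = tables.get("nat", {}), tables.get("filter", {})
    problems = []
    for rule in nat.get("rules", []):
        m = re.search(r"--dport 53 -j REDIRECT --to-ports (\d+)", rule)
        if m and m.group(1) not in torrc.get("dnsport", []):
            problems.append(f"DNS redirected to {m.group(1)} but DNSPort is {torrc.get('dnsport')}")
        m = re.search(r"--tcp-flags \S+ SYN -j REDIRECT --to-ports (\d+)", rule)
        if m and m.group(1) not in torrc.get("transport", []):
            problems.append(f"TCP redirected to {m.group(1)} but TransPort is {torrc.get('transport')}")
    # Tor's own connections must skip the redirect, or they would loop back into Tor.
    if not any('--uid-owner "tor" -j RETURN' in r for r in nat.get("rules", [])):
        problems.append("nat OUTPUT has no RETURN for the tor user")
    # Whatever was not redirected (e.g. non-DNS UDP) must be dropped rather than leaked.
    if filt.get("policy", {}).get("OUTPUT") != "DROP":
        problems.append("filter OUTPUT policy is not DROP")
    if not any('--uid-owner "tor" -j ACCEPT' in r for r in filt.get("rules", [])):
        problems.append("filter OUTPUT does not ACCEPT the tor user's traffic")
    return problems


if __name__ == "__main__":
    for fam in ("ipv4", "ipv6"):
        print(fam, check_torification(RULES, TORRC, fam) or "ok")
```
<br />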
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the User value, which most likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user. For this, change the owner and group of the data directory to tor and fix its permissions:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348759Tor2014-12-07T03:18:53Z<p>Usprey: /* Tor configuration */ ic bracket mistake</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
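A small lint for the conflicts listed above (torrc versus the {{ic|[Service]}} section of {{ic|tor.service}} or one of its drop-ins), added here as an example that is not part of the wiki page. It also flags the opposite mistake, {{ic|1=User=root}} in the unit without {{ic|User tor}} in the torrc, since Tor would then keep running as root. The unit and torrc fragments it checks are constructed, modelled on the settings described above.<br />
<br />
```python
"""Lint a torrc against the [Service] section of tor.service (or a drop-in)
for the User/Type conflicts described above.  Added example, not wiki code."""
import configparser
from typing import Dict, List


def torrc_options(text: str) -> Dict[str, str]:
    """{lower-cased option: value} from a torrc, '#' comments stripped, last one wins."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return {k.lower(): v.strip() for k, _, v in (l.partition(" ") for l in lines if l)}


def parse_service(text: str) -> Dict[str, str]:
    """Return the [Service] section of a unit file or drop-in (keys keep their case;
    a repeated key such as an emptied and re-set ExecStart= keeps the last value)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def find_conflicts(torrc_text: str, service_text: str) -> List[str]:
    """Return human-readable conflicts; an empty list means the pair is consistent."""
    torrc, svc = torrc_options(torrc_text), parse_service(service_text)
    problems: List[str] = []
    # systemd runs ExecStart in the foreground with Type=simple (the default), so Tor
    # must not detach itself: RunAsDaemon 1 would make the unit believe Tor has exited.
    if svc.get("Type", "simple") == "simple" and torrc.get("runasdaemon", "0") != "0":
        problems.append("RunAsDaemon must be 0 while tor.service uses Type=simple")
    # 'User tor' asks Tor to drop to that account, which only works when it starts as root.
    if "user" in torrc and svc.get("User") != "root":
        problems.append(f"torrc sets 'User {torrc['user']}' but tor.service starts Tor as "
                        f"{svc.get('User', 'the default user')}, not root")
    # The reverse: started as root with nothing telling Tor to drop privileges afterwards.
    if svc.get("User") == "root" and "user" not in torrc:
        problems.append("tor.service starts Tor as root but torrc sets no User to drop to")
    return problems


if __name__ == "__main__":
    # Constructed fragments: a unit with User=tor/Type=simple, and the root drop-in.
    stock_unit = "[Service]\nUser=tor\nType=simple\n"
    root_dropin = "[Service]\nUser=root\n"
    for torrc, unit in (("User tor\n", stock_unit), ("User tor\nORPort 443\n", root_dropin),
                        ("ORPort 443\n", root_dropin), ("RunAsDaemon 1\n", stock_unit)):
        print(find_conflicts(torrc, unit) or "ok")
```
<br />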
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
# Symlink targets are resolved inside the chroot, so the link must point at /usr/lib,<br />
# not at $TORCHROOT/usr/lib, which does not exist from the chroot's point of view<br />
ln -s /usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc be just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only the IRC ports 6660-6667 to exit from the node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
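To see how a relay evaluates the lines above, here is an added example (not from the wiki and not Tor's own code) that parses {{ic|ExitPolicy}} entries, appends the default policy as listed in the tor manual (reproduced from memory, so confirm it against {{ic|man tor}}), and answers whether a destination may exit; it handles IPv4 addresses and {{ic|*}} only, and the 203.0.113.0/24 network is a constructed placeholder.<br />
<br />
```python
"""Evaluate Tor ExitPolicy lines the way the relay does: entries are tried in
order, the first match wins, and Tor appends its own default policy after the
operator's entries. Added example; IPv4 and '*' address patterns only."""
import ipaddress
import re

# Default exit policy as listed in the tor(1) manual (reproduced from memory,
# not taken from the wiki page; confirm against `man tor` for your version).
DEFAULT_EXIT_POLICY = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
    "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
    "reject *:6881-6999, accept *:*"
)

# "accept|reject ADDR[/MASK][:PORT]"; PORT may be N, N-M or * (omitted means *)
_ENTRY = re.compile(r"^(accept|reject)6?\s+([^:\s]+)(?::(\S+))?$")


def parse_entry(entry):
    """Turn one policy entry into (action, network-or-None, low_port, high_port)."""
    m = _ENTRY.match(entry.strip())
    if not m:
        raise ValueError("bad exit policy entry: %r" % entry)
    action, addr, port = m.groups()
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port is None or port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return action, net, lo, hi


def parse_torrc_policy(torrc_text):
    """Collect every ExitPolicy line (comments stripped) and append the defaults."""
    entries = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("exitpolicy "):
            continue
        for entry in line.split(None, 1)[1].split(","):
            entries.append(parse_entry(entry))
    entries.extend(parse_entry(e) for e in DEFAULT_EXIT_POLICY.split(","))
    return entries


def exit_allowed(entries, dest_ip, dest_port):
    """First matching entry decides; the trailing default 'accept *:*' guarantees a match."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in entries:
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return False


if __name__ == "__main__":
    # The torrc fragments from this section, plus a host-network reject of the
    # kind used in the 100 Mbps example (203.0.113.0/24 is a constructed placeholder).
    irc_only = parse_torrc_policy("ExitPolicy accept *:6660-6667,reject *:*")
    nntp_too = parse_torrc_policy("ExitPolicy accept *:119 # Accept nntp")
    allow_all = parse_torrc_policy("ExitPolicy reject 203.0.113.0/24:*\nExitPolicy accept *:*")
    print(exit_allowed(irc_only, "198.51.100.7", 6667), exit_allowed(irc_only, "198.51.100.7", 80))
    print(exit_allowed(nntp_too, "198.51.100.7", 119), exit_allowed(nntp_too, "198.51.100.7", 25))
    # An explicit "accept *:*" sits before the defaults, so it also re-opens port 25:
    print(exit_allowed(allow_all, "203.0.113.5", 80), exit_allowed(allow_all, "198.51.100.7", 25))
```
<br />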
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it needs a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}}, as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
{{ic|Log notice stdout}} sends logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} serves the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the host's or neighbouring machines' public IPs and circumvent firewalls.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep Tor listening for DNS requests on port 9053 (the {{ic|DNSPort 9053}} setting above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream server. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server:<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* The {{ic|--ipv4}} and {{ic|--ipv6}} prefixes mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
The rules redirect traffic to Tor's DNS and transparent-proxy ports, so make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
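As an added consistency check (not part of the wiki's setup and not a Tor tool), the following script cross-checks a ruleset in the format above against torrc: every REDIRECT must point at the DNSPort or TransPort Tor actually opens, Tor's own traffic must be exempted from the redirect, and the filter OUTPUT chain must end in a REJECT. The embedded ruleset is a constructed, condensed copy for illustration.<br />
<br />
```python
"""Cross-check a transparent-torification iptables ruleset against torrc.
Added example, not part of the wiki's setup. It flags the mistakes that turn
the firewall from leak protection into a silent failure: a REDIRECT pointing
at a port Tor does not listen on, Tor's own traffic not exempted from the
redirect (which would loop it back into TransPort), or an OUTPUT chain that
does not finish with a REJECT."""
import re

TOR_LISTEN_OPTIONS = ("dnsport", "transport", "socksport")


def torrc_ports(torrc_text):
    """Return {option: port} for DNSPort/TransPort/SocksPort, comments ignored."""
    ports = {}
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() in TOR_LISTEN_OPTIONS:
            # Tor accepts "9040" or "127.0.0.1:9040"; keep only the port number.
            ports[parts[0].lower()] = int(parts[1].rsplit(":", 1)[-1])
    return ports


# "-p udp ... -j REDIRECT --to-ports 5353" -> ("udp", "5353")
_REDIRECT = re.compile(r"-p\s+(tcp|udp)\b.*?-j\s+REDIRECT\s+--to-ports\s+(\d+)")


def check_rules(rules_text, torrc_text):
    """Return a list of findings; an empty list means the two files agree."""
    ports = torrc_ports(torrc_text)
    findings, policies, nat_output, filter_output = [], {}, [], []
    table = None
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line == "COMMIT":
            continue
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            continue
        if line.startswith(":"):            # chain policy, e.g. :OUTPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
            continue
        rule = re.sub(r"^--ipv[46]\s+", "", line)   # drop the family selector
        if table == "nat" and rule.startswith("-A OUTPUT"):
            nat_output.append(rule)
        if table == "filter" and rule.startswith("-A OUTPUT"):
            filter_output.append(rule)
        m = _REDIRECT.search(rule)
        if table == "nat" and m:
            proto, target = m.group(1), int(m.group(2))
            option = "dnsport" if proto == "udp" else "transport"
            if option not in ports:
                findings.append("%s rule needs %s in torrc" % (proto, option))
            elif ports[option] != target:
                findings.append("%s REDIRECT to %d but torrc %s is %d"
                                % (proto, target, option, ports[option]))
    if not any("--uid-owner" in r and "-j RETURN" in r for r in nat_output):
        findings.append("nat OUTPUT does not RETURN for the tor user")
    if policies.get(("filter", "OUTPUT")) != "DROP":
        findings.append("filter OUTPUT policy is not DROP")
    if not any("--uid-owner" in r and "-j ACCEPT" in r for r in filter_output):
        findings.append("no owner-match ACCEPT for the tor user in filter OUTPUT")
    if not filter_output or "-j REJECT" not in filter_output[-1]:
        findings.append("filter OUTPUT does not end with a REJECT rule")
    return findings


# Constructed sample: a condensed copy in the style of the ruleset above.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""
SAMPLE_TORRC = "SocksPort 9050\nDNSPort 5353\nTransPort 9040\n"

if __name__ == "__main__":
    print(check_rules(SAMPLE_RULES, SAMPLE_TORRC))            # []
    # The TorDNS section's DNSPort 9053 would not match this ruleset:
    print(check_rules(SAMPLE_RULES, "SocksPort 9050\nDNSPort 9053\nTransPort 9040\n"))
```
<br />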
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which usually means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by tor. This can be checked with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still does not start, run it as root; with {{ic|User tor}} set, Tor switches back to the tor user after start-up. Make sure the {{ic|/etc/tor/torrc}} file contains:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows (or, to survive package updates, put the same {{ic|[Service]}} lines in a drop-in as in [[#Start tor.service as root to bind Tor to privileged ports]]):<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
Tor will then drop to the tor user, so its data directory must be owned by tor and writable by it:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348758Tor2014-12-07T03:18:15Z<p>Usprey: /* Tor configuration */ dirport added</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot (run as root).<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Relative link, so it resolves to the chroot's own /usr/lib both inside and outside the chroot<br />
ln -s usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver libraries are loaded at runtime and do not show up in ldd<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Everything else tor links against<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
sh -c "grep --color=never ^tor: /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor: /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    # The dynamic loader is requested as /lib64/ld-linux-x86-64.so.2. Both links must be<br />
    # relative: an absolute target such as $TORCHROOT/usr/lib does not exist inside the chroot<br />
    ln -s usr/lib $TORCHROOT/lib64<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or if you use systemd overload the service:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method, though, is that applications doing DNS resolution by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, you do not need an HTTP proxy like [[polipo]]/[[privoxy]]. Tor's daemon is used directly; it listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the port changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridges documentation], make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman relay (no exit traffic):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}} ({{ic|ulimit}} is a shell builtin, so it has to run inside a shell started as the tor user).<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443, the service needs to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges after binding the ports.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
{{ic|Log notice stdout}} sends logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80, and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so that exit connections cannot reach the public IP of the host or of neighboring machines and thereby circumvent their firewalls.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
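Tor evaluates the exit policy from torrc followed by its default policy, and the first matching line wins. The Python script below is an added example (not code from the ArchWiki article or from the Tor project) that implements that evaluation for the policies shown under [[#Running a Tor exit node]] and for the {{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} entry above. The default policy list is the one given in the Tor manual and is assumed unchanged here, {{ic|ExitPolicyRejectPrivate}} is not modelled, and the addresses used in the demo are constructed documentation ranges.<br />
<br />
```python
import ipaddress

# Tor's default exit policy as listed in the Tor manual (assumed unchanged here).
# Tor appends it after the ExitPolicy lines from torrc, so operator rules win.
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)


def parse_exit_policy(policy):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' entries separated by commas.

    ADDR may be '*' (any address), an IPv4/IPv6 address or a CIDR network;
    IPv6 addresses are written in brackets as in torrc, e.g. '[2001:db8::]/32'.
    """
    rules = []
    for entry in policy.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, pattern = entry.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError("unknown exit policy action: %r" % action)
        addr, port = pattern.rsplit(":", 1)
        if addr.startswith("["):                      # bracketed IPv6 form
            addr = addr[1:].replace("]", "", 1)
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        rules.append((action == "accept", network, lo, hi))
    return rules


def exit_allowed(rules, address, port):
    """Tor semantics: the first rule matching both address and port decides;
    a connection that matches nothing is rejected."""
    ip = ipaddress.ip_address(address)
    for accept, network, lo, hi in rules:
        if network is not None and (ip.version != network.version or ip not in network):
            continue
        if lo <= port <= hi:
            return accept
    return False


def effective_policy(configured=""):
    """The policy Tor actually enforces: torrc lines first, then the default.

    ExitPolicyRejectPrivate (on by default) additionally prepends rejects for
    private ranges and the relay's own address; that step is not modelled here."""
    combined = ",".join(p for p in (configured, DEFAULT_EXIT_POLICY) if p)
    return parse_exit_policy(combined)


if __name__ == "__main__":
    # Constructed demo: the IRC-only policy from the article, the NNTP override,
    # and a relay that rejects exits to its own (documentation-range) network.
    demo = {
        "accept *:6660-6667,reject *:*": [("198.51.100.7", 6667), ("198.51.100.7", 80)],
        "accept *:119": [("198.51.100.7", 119), ("198.51.100.7", 25)],
        "reject 203.0.113.0/24:*": [("203.0.113.5", 443), ("198.51.100.7", 443)],
    }
    for configured, targets in demo.items():
        rules = effective_policy(configured)
        for addr, port in targets:
            verdict = "accept" if exit_allowed(rules, addr, port) else "reject"
            print("%-28s %s:%-5d -> %s" % (configured, addr, port, verdict))
```
<br />
The point to take away is that a line such as {{ic|reject 203.0.113.0/24:*}} only blocks exits to that network because it precedes the catch-all {{ic|accept *:*}}; since Tor appends its default policy after your lines, an operator rule is never shadowed by a default one.<br />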
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without having to change the configuration of the application itself. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
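The exchange behind {{ic|tor-resolve}}, and behind a SOCKS connection that does not touch the local resolver (the leak discussed under [[#Privoxy]]), as an added Python example that is not part of the ArchWiki article or of Tor's own code: it builds SOCKS5 requests that carry the hostname in the request (address type 3) rather than a locally resolved IP, and parses Tor's reply, including Tor's {{ic|RESOLVE}} command (0xF0, documented in Tor's socks-extensions). The reply bytes in the test, the proxy address 127.0.0.1:9050 and the function names are assumptions; {{ic|tor_resolve()}} needs a running Tor daemon, the other functions run offline.<br />
<br />
```python
import socket

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01   # standard SOCKS5 CONNECT (RFC 1928)
CMD_RESOLVE = 0xF0   # Tor extension: resolve a hostname inside the Tor network
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_request(command, hostname, port=0):
    """SOCKS5 request with the hostname inside the request (ATYP 0x03).

    Sending the name instead of an IP is what keeps the lookup off the local
    resolver: Tor resolves it at the exit.  For RESOLVE the port is ignored."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 request")
    return (bytes([SOCKS_VERSION, command, 0x00, ATYP_DOMAIN, len(name)])
            + name + port.to_bytes(2, "big"))


def parse_reply(data):
    """Parse a SOCKS5 reply; for RESOLVE the BND.ADDR field carries the answer.

    Returns (address_or_name, port); raises OSError on a non-zero reply code."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise OSError(REPLY_TEXT.get(rep, "unknown reply code 0x%02x" % rep))
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    return addr, int.from_bytes(data[end:end + 2], "big")


def tor_resolve(hostname, proxy=("127.0.0.1", 9050)):
    """What tor-resolve does on the wire (needs a running Tor SocksPort)."""
    with socket.create_connection(proxy, timeout=30) as sock:
        sock.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))   # offer "no authentication"
        if sock.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise OSError("Tor did not accept the no-authentication method")
        sock.sendall(build_request(CMD_RESOLVE, hostname))
        return parse_reply(sock.recv(512))[0]


if __name__ == "__main__":
    print(tor_resolve("archlinux.org"))
```
<br />
A client that instead resolves the name itself and sends a SOCKS5 request with address type 1 (or a SOCKS4 request, which only carries an IP) performs the DNS lookup on the local network before Tor is ever involved; SOCKS4a and SOCKS5-with-hostname are the two forms that avoid that.<br />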
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and must therefore be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification solutions such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv4}} and {{ic|--ipv6}} are used for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for the matching protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
See {{ic|man iptables}}. Make sure your torrc contains the following lines, since the ports below must match:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl enable tor iptables ip6tables<br />
systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the Tor service, run the service as root (Tor will then switch to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
Tor will drop to the tor user itself after starting as root. For this to work, the data directory must be owned by the tor user and should be accessible only by that user (Tor expects mode 700 on its data directory, and the keys below it must not be readable by others):<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348749Tor2014-12-07T02:39:28Z<p>Usprey: /* Tor configuration */ exitpolicy security explanation</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Symlinks are created relative to the chroot root so they resolve both inside<br />
# and outside the chroot (an absolute /opt/torchroot/... target would be dangling inside it).<br />
ln -s usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver libraries are loaded at run time and do not show up in ldd output<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Everything tor links against directly<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor account is needed inside the chroot<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
# The ELF interpreter is looked up as /lib64/ld-linux-x86-64.so.2<br />
ln -s usr/lib $TORCHROOT/lib64<br />
ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on Proxy SwitchySharp's icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed: the client talks to Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL also does not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
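<br />
The DNS-leak point made in the Privoxy section above and the {{ic|--socks5-hostname}} flag in the pacman XferCommand come down to one detail of the SOCKS request: whether the client sends the hostname or an address it already resolved through the system resolver. The following Python is an added example, not code from this wiki page or from the Tor project; it builds SOCKS5 and SOCKS4a CONNECT requests both ways and decodes a request (for instance one captured on port 9050) to flag client-side resolution. The destination is a constructed sample.<br />
<br />
```python
import socket
import struct

# Constructed sample destination for the demonstration.
SAMPLE_HOST = "check.torproject.org"
SAMPLE_PORT = 443


def socks5_connect(host, port, resolver=None):
    """Build a SOCKS5 CONNECT request (RFC 1928).

    With resolver=None the hostname itself is sent (ATYP 0x03) and Tor
    resolves it inside the network: this is what Firefox's
    network.proxy.socks_remote_dns=true and curl's --socks5-hostname do.
    Passing a resolver such as socket.gethostbyname mimics a client that
    resolves the name itself and sends only the IPv4 address (ATYP 0x01);
    that lookup goes to the system resolver in the clear, which is the DNS
    leak the text warns about.
    """
    if resolver is None:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("SOCKS5 hostnames must be 1-255 bytes")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = b"\x01" + socket.inet_aton(resolver(host))
    # VER=5, CMD=CONNECT(1), RSV=0, then the address and a big-endian port.
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def socks4a_connect(host, port, userid=b""):
    """Build a SOCKS4a CONNECT request: DSTIP is the invalid 0.0.0.1 and the
    hostname follows the NUL-terminated user id, so the proxy resolves it.
    Plain SOCKS4 has no hostname field and forces client-side resolution."""
    return (b"\x04\x01" + struct.pack("!H", port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def inspect_request(data):
    """Decode a SOCKS4/4a/5 CONNECT request and report whether the destination
    arrived as a name (resolved by the proxy, i.e. inside Tor) or as an
    address the client must already have resolved itself."""
    version = data[0]
    if version == 5:
        if data[1] != 1 or data[2] != 0:
            raise ValueError("not a SOCKS5 CONNECT request")
        atyp = data[3]
        if atyp == 1:                                   # IPv4 literal
            dest, end = socket.inet_ntoa(data[4:8]), 8
        elif atyp == 3:                                 # domain name
            n = data[4]
            dest, end = data[5:5 + n].decode("idna"), 5 + n
        elif atyp == 4:                                 # IPv6 literal
            dest, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
        else:
            raise ValueError("unknown SOCKS5 address type %d" % atyp)
        port = struct.unpack("!H", data[end:end + 2])[0]
        return {"version": 5, "dest": dest, "port": port,
                "resolved_by_client": atyp != 3}
    if version == 4:
        if data[1] != 1:
            raise ValueError("not a SOCKS4 CONNECT request")
        port = struct.unpack("!H", data[2:4])[0]
        ip = data[4:8]
        fields = data[8:].split(b"\x00")                # userid, [hostname]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:    # SOCKS4a marker
            return {"version": 4, "dest": fields[1].decode("idna"),
                    "port": port, "resolved_by_client": False}
        return {"version": 4, "dest": socket.inet_ntoa(ip), "port": port,
                "resolved_by_client": True}
    raise ValueError("unknown SOCKS version %d" % version)


if __name__ == "__main__":
    # The second request uses a fake resolver so the demo runs offline.
    for req in (socks5_connect(SAMPLE_HOST, SAMPLE_PORT),
                socks5_connect(SAMPLE_HOST, SAMPLE_PORT, lambda h: "203.0.113.7"),
                socks4a_connect(SAMPLE_HOST, SAMPLE_PORT)):
        print(req.hex(), inspect_request(req))
```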
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should share at least 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay (no exit traffic), add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node. Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
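<br />
Tor evaluates an exit policy top to bottom, first match wins, with the default policy appended after the operator's own lines; that is why a lone {{ic|accept *:119}} re-enables NNTP while every other default port stays blocked. The following Python evaluator is an added example, not code from this page or from Tor. The default policy list it carries is taken from the tor manual and should be checked against {{ic|man tor}} for the version you run; the 203.0.113.0/24 block stands in for the {{ic|XXX.XXX.XXX.XXX/XX}} placeholder used later on this page.<br />
<br />
```python
import ipaddress

# Tor's default exit policy as listed in the tor manual; an assumption of this
# example, so check `man tor` for the version you run.  Tor appends it after
# the operator's own ExitPolicy lines, and with ExitPolicyRejectPrivate (on by
# default) it first rejects private ranges and the relay's own address.
DEFAULT_EXIT_POLICY = [
    "reject *:25", "reject *:119", "reject *:135-139", "reject *:445",
    "reject *:563", "reject *:1214", "reject *:4661-4666",
    "reject *:6346-6429", "reject *:6699", "reject *:6881-6999", "accept *:*",
]

# The IPv4 ranges Tor's 'private' keyword expands to (from the tor manual).
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_policy(lines):
    """Turn torrc ExitPolicy values into (accept, net, lo_port, hi_port) rules.

    A line may carry a leading 'ExitPolicy' keyword, several comma-separated
    entries and a trailing '# comment', exactly as in the torrc snippets above.
    net is None for '*', the string 'private', or an ipaddress network (IPv4
    patterns only; bracketed IPv6 patterns are not handled here).
    """
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("exitpolicy"):
            line = line[len("exitpolicy"):]
        for entry in (e.strip() for e in line.split(",")):
            if not entry:
                continue
            action, _, pattern = entry.partition(" ")
            if action.lower() not in ("accept", "reject"):
                raise ValueError("bad exit policy entry: %r" % entry)
            addr, _, ports = pattern.strip().rpartition(":")
            if addr in ("*", "private"):
                net = None if addr == "*" else "private"
            else:
                net = ipaddress.ip_network(addr, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            else:
                lo, _, hi = ports.partition("-")
                lo, hi = int(lo), int(hi or lo)
            rules.append((action.lower() == "accept", net, lo, hi))
    return rules


def _address_matches(net, ip):
    if net is None:
        return True
    if isinstance(net, str):            # the 'private' keyword
        return any(ip in n for n in PRIVATE_NETWORKS)
    return ip in net


def exit_allowed(policy_lines, dest, port, reject_private=True):
    """Decide whether this relay would let a stream exit to dest:port.

    Rules are checked in order and the first match wins, as Tor does; the
    operator's lines come before the default policy. Modelling the relay's
    own public address needs an explicit 'reject YOUR.IP/32:*' line, which
    is what the ExitPolicy reject line in the fast-relay torrc below does.
    """
    ip = ipaddress.ip_address(dest)
    lines = (["reject private:*"] if reject_private else []) \
        + list(policy_lines) + DEFAULT_EXIT_POLICY
    for accept, net, lo, hi in parse_policy(lines):
        if lo <= port <= hi and _address_matches(net, ip):
            return accept
    return True   # not reached: the default policy ends with accept *:*


if __name__ == "__main__":
    irc_only = ["ExitPolicy accept *:6660-6667,reject *:*  # Allow irc ports but no more"]
    for policy, port in ((irc_only, 6667), (irc_only, 443),
                         (["ExitPolicy accept *:119"], 119), ([], 119)):
        print(policy, port, exit_allowed(policy, "198.51.100.10", port))
```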
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}} or with {{ic|# sudo -u tor bash}} followed by {{ic|ulimit -Hn}} in the new shell.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and display the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so exit connections cannot reach the host's or neighboring machines' public IPs and circumvent firewalls.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting so that it listens for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
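<br />
The note above requires {{ic|DNSPort 5353}} and {{ic|TransPort 9040}} in torrc because the REDIRECT targets in the rules file are fixed; the TorDNS section earlier on this page uses {{ic|DNSPort 9053}}, so a torrc that mixes the two sends every redirected DNS query to a closed port. The following Python check is an added example, not part of this wiki page or of Tor: it parses both files and reports any REDIRECT target Tor is not listening on, or a protocol with no REDIRECT at all. The two embedded inputs are constructed samples.<br />
<br />
```python
import re

# Constructed sample inputs (not taken from a live system). The torrc keeps
# the DNSPort 9053 of the TorDNS setup, while the rules redirect DNS to 5353
# as the transparent-torification note requires: a mismatch to be reported.
SAMPLE_TORRC = """\
SocksPort 9050
DNSPort 9053
TransPort 9040
"""

SAMPLE_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
COMMIT
"""

LISTENERS = {"socksport": "SocksPort", "dnsport": "DNSPort", "transport": "TransPort"}

# A nat OUTPUT rule that redirects one protocol to a local port, with or
# without the --ipv4/--ipv6 prefix used in the rules file above.
REDIRECT_RE = re.compile(
    r"^(?:--ipv[46]\s+)?-A OUTPUT\s.*?-p (udp|tcp)\b.*-j REDIRECT --to-ports (\d+)$")


def torrc_ports(text):
    """Ports Tor will listen on, e.g. {'DNSPort': {5353}, 'TransPort': {9040}}.
    A value may carry an address ('127.0.0.1:5353') or trailing flags; only
    the port is kept, and 0 (listener disabled) or 'auto' is not recorded."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        name = LISTENERS.get(key.lower())
        if name is None or not value.split():
            continue
        port = value.split()[0].rsplit(":", 1)[-1]
        if port.isdigit() and int(port) != 0:
            ports.setdefault(name, set()).add(int(port))
    return ports


def redirect_targets(text):
    """{'udp': {5353}, 'tcp': {9040}}: where the nat OUTPUT chain sends traffic."""
    targets, in_nat = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat / *filter
            in_nat = line == "*nat"
            continue
        m = REDIRECT_RE.match(line) if in_nat else None
        if m:
            targets.setdefault(m.group(1), set()).add(int(m.group(2)))
    return targets


def check_consistency(torrc_text, rules_text):
    """Return the mismatches between the two files; an empty list means every
    REDIRECT lands on a port Tor listens on and both protocols are covered."""
    expected = {"udp": "DNSPort", "tcp": "TransPort"}
    listening = torrc_ports(torrc_text)
    redirects = redirect_targets(rules_text)
    problems = []
    for proto, option in expected.items():
        have = listening.get(option, set())
        if not redirects.get(proto):
            problems.append("no nat OUTPUT REDIRECT for %s: that traffic is not torified" % proto)
        for port in sorted(redirects.get(proto, set())):
            if port not in have:
                problems.append("%s is redirected to %d but torrc %s is %s"
                                % (proto, port, option, sorted(have) or "unset"))
    return problems


if __name__ == "__main__":
    for problem in check_consistency(SAMPLE_TORRC, SAMPLE_RULES) or ["OK"]:
        print(problem)
```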
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or with sudo):<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the User value, which most likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then drop to the tor user. For this to work, change the owner and group of the state directory to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348748Tor2014-12-07T02:35:50Z<p>Usprey: /* Tor configuration */ fixed exit policy</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot (run as root).<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# Symlink targets are relative to the chroot, so they resolve both from the host and from inside it.<br />
ln -s usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver libraries are loaded at runtime and do not show up in ldd, so copy them explicitly.<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Every shared library the tor binary links against.<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group are needed inside the chroot.<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
# Device nodes Tor needs: the entropy sources and /dev/null.<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    # The dynamic loader is looked up as /lib64/ld-linux-x86-64.so.2 inside the chroot.<br />
    ln -s usr/lib64 $TORCHROOT/lib64<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use {{ic|127.0.0.1}} or {{ic|localhost}} as a SOCKS5 proxy, with port {{ic|9050}} (plain Tor with standard settings) or port {{ic|9051}} (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This sends all DNS requests through Tor's SOCKS proxy rather than the system resolver.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then enter ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to switch between normal browsing and the Tor network just by left-clicking the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use a SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, which lets the proxy resolve hostnames.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. Tor's daemon, which listens on port 9050 by default, is used directly.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman relay (no exit traffic) by rejecting all exits:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only IRC ports 6660-6667 to exit from the node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow IRC ports but no more<br />
<br />
By default, Tor blocks certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
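The first-match evaluation behind these policies, as an added example that is not part of the original page or of Tor itself: a small Python evaluator that reads the {{ic|ExitPolicy}} lines of a torrc, appends Tor's default policy (reproduced from {{ic|man tor}} as an assumption; it varies by version) and decides whether a destination may exit. Tor's {{ic|private}} keyword is not handled.<br />

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Tor's built-in default exit policy as documented in man tor (assumed here;
# it is version dependent, so check your own tor version). Tor appends it
# after the user's ExitPolicy lines, so a user policy only has to override it.
DEFAULT_EXIT_POLICY = (
    "reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563,"
    "reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,"
    "reject *:6881-6999,accept *:*"
)


@dataclass
class Rule:
    accept: bool
    network: Optional[Network]  # None stands for '*', i.e. any address
    low: int
    high: int

    def matches(self, ip, port):
        if self.network is not None:
            if ip.version != self.network.version or ip not in self.network:
                return False
        return self.low <= port <= self.high


def parse_policy(text):
    """Parse 'accept *:6660-6667,reject *:*' style text into an ordered rule list."""
    rules = []
    text = text.split("#", 1)[0]  # drop a trailing torrc comment
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, _, target = entry.partition(" ")
        if action.lower() not in ("accept", "reject"):
            raise ValueError(f"bad exit policy entry: {entry!r}")
        addr, _, ports = target.strip().rpartition(":")
        addr = addr.replace("[", "").replace("]", "")  # IPv6 is written [addr]/mask:ports
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        rules.append(Rule(action.lower() == "accept", network, low, high))
    return rules


def exit_policy_from_torrc(torrc_text):
    """Collect every ExitPolicy line in torrc order and append Tor's default policy."""
    rules = []
    for line in torrc_text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "exitpolicy":
            rules.extend(parse_policy(value))
    rules.extend(parse_policy(DEFAULT_EXIT_POLICY))
    return rules


def exit_allowed(rules, address, port):
    """First matching rule wins, which is how Tor evaluates an exit policy."""
    ip = ipaddress.ip_address(address)
    for rule in rules:
        if rule.matches(ip, port):
            return rule.accept
    return False  # not reached once the default policy is appended


if __name__ == "__main__":
    # Constructed torrc fragment combining the page's examples: the relay's own
    # public network (a documentation prefix here) is rejected, NNTP is re-enabled.
    torrc = "ExitPolicy reject 203.0.113.0/24:*\nExitPolicy accept *:119\n"
    rules = exit_policy_from_torrc(torrc)
    for dest in (("198.51.100.7", 119), ("198.51.100.7", 25), ("203.0.113.9", 80)):
        print(dest, "accept" if exit_allowed(rules, *dest) else "reject")
```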
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}. This shows the PAM limit from {{ic|limits.conf}}; the limit actually applied to the running service is listed as ''Max open files'' in {{ic|/proc/''pid''/limits}} of the Tor process.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and display the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} is specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream server. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv4}} and {{ic|--ipv6}} mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for its protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}, so the IPv6 rules use a plain {{ic|REJECT}}.<br />
<br />
The ports in the rules must match your torrc; make sure it contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
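As an added example (not part of the page or of Tor), the following Python script checks that a torrc and an iptables-restore file agree: the ports the nat {{ic|REDIRECT}} rules send DNS and TCP traffic to must equal {{ic|DNSPort}} and {{ic|TransPort}}, and the {{ic|--uid-owner}} exemption must name the user Tor runs as, otherwise Tor's own packets are fed back into Tor. The sample torrc and rules are constructed from the lines above.<br />

```python
import re

# Constructed sample inputs (not taken from a live system): the torrc lines
# the Note above requires, and the nat table of the page's ruleset.
SAMPLE_TORRC = """\
SocksPort 9050
DNSPort 5353
TransPort 9040
User tor
"""

SAMPLE_RULES = """\
*nat
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
"""

REDIRECT_RE = re.compile(r"-A\s+(?:PREROUTING|OUTPUT)\s+(.*?)-j\s+REDIRECT\s+--to-ports\s+(\d+)")
OWNER_RE = re.compile(r'--uid-owner\s+"?([^\s"]+)"?')


def torrc_options(text):
    """Map lowercase option name -> value of its first occurrence, comments stripped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), value.strip())
    return opts


def listen_port(value):
    """'9040', '127.0.0.1:9040' and '9040 IsolateDestAddr' all give 9040; '0' disables."""
    port = value.split()[0].rsplit(":", 1)[-1]
    return int(port) if port.isdigit() and int(port) > 0 else None


def redirect_targets(rules_text):
    """Ports that nat REDIRECT rules send DNS (udp/53) and TCP SYN traffic to."""
    targets = {"dns": set(), "tcp": set()}
    for line in rules_text.splitlines():
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        match_part, port = m.group(1), int(m.group(2))
        if "-p udp" in match_part and re.search(r"--dport\s+53\b", match_part):
            targets["dns"].add(port)
        elif "-p tcp" in match_part:
            targets["tcp"].add(port)
    return targets


def check_consistency(torrc_text, rules_text):
    """Return a list of findings; an empty list means torrc and the rules agree."""
    problems = []
    opts = torrc_options(torrc_text)
    targets = redirect_targets(rules_text)
    for option, kind in (("dnsport", "dns"), ("transport", "tcp")):
        port = listen_port(opts.get(option, "0"))
        if port is None:
            problems.append(f"{option} is not enabled in torrc; redirected {kind} traffic has nowhere to go")
        elif not targets[kind]:
            problems.append(f"no REDIRECT rule sends {kind} traffic to {option} {port}")
        elif targets[kind] != {port}:
            problems.append(f"{kind} traffic is redirected to {sorted(targets[kind])} but {option} is {port}")
    # Tor's own packets must bypass the redirect, or they loop back into Tor.
    exempt = set(OWNER_RE.findall(rules_text))
    user = opts.get("user")
    if user and user not in exempt:
        problems.append(f"torrc runs Tor as {user!r} but the owner exemption covers {sorted(exempt)}")
    return problems


if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_TORRC, SAMPLE_RULES) or ["torrc and rules agree"]:
        print(finding)
```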
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
# find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
# chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
# find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor itself will switch back to the tor user). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows (a drop-in file under {{ic|/etc/systemd/system/tor.service.d/}} carrying the same {{ic|[Service]}} lines survives package upgrades, whereas the file in {{ic|/usr/lib}} does not):<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user. For this, change the owner and group of the data directory to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348747Tor2014-12-07T02:34:40Z<p>Usprey: /* Tor configuration */ performane</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}} so that Tor drops to the {{ic|tor}} user after binding them.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning|Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot.}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot. Run as root.<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"/{etc/tor,dev,usr/bin,usr/lib,usr/share/tor,var/lib}<br />
<br />
# /lib inside the chroot must resolve to the chroot's own /usr/lib, so use a relative link<br />
ln -s usr/lib "$TORCHROOT/lib"<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# NSS and resolver libraries are loaded at runtime, so ldd does not list them<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
# Every shared object tor links against<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor account is needed inside the chroot<br />
grep --color=never ^tor /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep --color=never ^tor /etc/group > "$TORCHROOT/etc/group"<br />
<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    # Both lib64 paths must point at the chroot's /usr/lib, not at the host's<br />
    ln -s lib "$TORCHROOT/usr/lib64"<br />
    ln -s usr/lib64 "$TORCHROOT/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use [[systemd]], override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through TOR's socks proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the ''Proxy Profiles'' tab add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally, enable the quick switch under the ''General'' tab to switch between normal browsing and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, so that hostnames are resolved by Tor.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridge documentation], your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman relay by rejecting all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this; an explicit {{ic|accept}} placed before the default policy wins because entries are evaluated in order:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
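The first-match semantics behind the ExitPolicy lines above, as an added example that is not part of the wiki page or of Tor itself. It assumes IPv4 destinations, treats {{ic|private}} as the RFC 1918 and loopback ranges, and uses a constructed stand-in for Tor's built-in default policy (check {{ic|man tor}} for the real list).<br />

```python
import ipaddress

# Added example, not from the ArchWiki page or the Tor project: a small
# evaluator for torrc ExitPolicy entries. Tor walks the entries in order,
# the first one matching the destination decides, and an implicit
# "reject *:*" closes every policy. Assumptions: IPv4 destinations only,
# and "private" covers the RFC 1918/loopback ranges (Tor also adds the
# relay's own public address, which this stand-in does not know).

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for Tor's built-in default exit policy; the real
# list lives in "man tor" under ExitPolicy and changes between releases.
DEFAULT_EXIT_POLICY_STUB = ("reject *:25,reject *:119,reject *:135-139,"
                            "reject *:445,reject *:563,accept *:*")


def parse_policy(policy):
    """Turn 'accept *:6660-6667,reject *:*' into (action, nets, lo, hi) tuples."""
    rules = []
    for entry in policy.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, pattern = entry.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError("unknown action %r" % action)
        addr, port = pattern.rsplit(":", 1)
        if addr == "*":
            nets = None                      # any destination address
        elif addr == "private":
            nets = PRIVATE_NETS
        else:
            nets = [ipaddress.ip_network(addr, strict=False)]
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        rules.append((action, nets, lo, hi))
    return rules


def exit_allowed(policy, address, port):
    """True if a stream to address:port may leave through this exit policy."""
    ip = ipaddress.ip_address(address)
    for action, nets, lo, hi in parse_policy(policy):
        if nets is not None and not any(ip in net for net in nets):
            continue
        if not lo <= port <= hi:
            continue
        return action == "accept"          # first match wins
    return False                           # implicit trailing reject *:*


if __name__ == "__main__":
    irc_only = "accept *:6660-6667,reject *:*"
    print(exit_allowed(irc_only, "198.51.100.7", 6667))                 # True
    print(exit_allowed(irc_only, "198.51.100.7", 80))                   # False
    print(exit_allowed(DEFAULT_EXIT_POLICY_STUB, "198.51.100.7", 119))  # False
    print(exit_allowed("accept *:119," + DEFAULT_EXIT_POLICY_STUB,
                       "198.51.100.7", 119))                            # True
```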
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit is successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it must run inside a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also set the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor's privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related options ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
* {{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
* {{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
* {{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and display the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
* {{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
* {{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
* {{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
* {{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
* {{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor's privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
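What {{ic|tor-resolve}} does on the wire, as an added example that is not part of the wiki page or of Tor itself: it sends Tor's SOCKS5 RESOLVE extension (command 0xF0) so that the hostname is looked up by the Tor network rather than the local resolver. It assumes a SocksPort on 127.0.0.1:9050, and the reply bytes in the test are constructed to match the {{ic|archlinux.org}} lookup above.<br />

```python
import socket
import struct

# Added example, not from the ArchWiki page or the Tor project. Tor extends
# SOCKS5 with a RESOLVE command (0xF0): the client sends a normal CONNECT-style
# request carrying a domain name, and Tor answers with the resolved address
# in the BND.ADDR field instead of opening a stream. This is what tor-resolve
# speaks, so no DNS packet ever leaves the machine outside a Tor circuit.
# Assumptions: SocksPort is 127.0.0.1:9050 and no SOCKS authentication is set.

SOCKS_VERSION = 5
CMD_RESOLVE = 0xF0        # Tor-specific: resolve the hostname through Tor
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_resolve_request(hostname):
    """SOCKS5 request: VER CMD RSV ATYP LEN NAME PORT, with PORT left at 0."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain field")
    header = struct.pack("!BBBBB", SOCKS_VERSION, CMD_RESOLVE, 0,
                         ATYP_DOMAIN, len(name))
    return header + name + b"\x00\x00"


def parse_resolve_reply(data):
    """Return the resolved address from a SOCKS5 reply, or raise on failure."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0:
        # Non-zero REP means Tor could not resolve (e.g. 0x04 host unreachable)
        raise OSError("Tor refused the RESOLVE, reply code 0x%02x" % rep)
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, data[4:8])
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, data[4:20])
    if atyp == ATYP_DOMAIN:
        return data[5:5 + data[4]].decode("ascii")
    raise ValueError("unknown address type 0x%02x" % atyp)


def resolve_via_tor(hostname, host="127.0.0.1", port=9050):
    """Full exchange against a running Tor; needs a live SocksPort."""
    with socket.create_connection((host, port), timeout=30) as sock:
        # Greeting: version 5, one auth method offered, 0x00 = no auth
        sock.sendall(bytes([SOCKS_VERSION, 1, 0]))
        if sock.recv(2) != bytes([SOCKS_VERSION, 0]):
            raise OSError("SOCKS5 handshake rejected")
        sock.sendall(build_resolve_request(hostname))
        return parse_resolve_reply(sock.recv(512))


if __name__ == "__main__":
    # Constructed reply bytes for the page's tor-resolve example,
    # so this runs without a Tor daemon: REP=0, ATYP=IPv4, 66.211.214.131
    reply = b"\x05\x00\x00\x01" + bytes([66, 211, 214, 131]) + b"\x00\x00"
    print(build_resolve_request("archlinux.org").hex())
    print(parse_resolve_reply(reply))   # 66.211.214.131
```

Run {{ic|resolve_via_tor("archlinux.org")}} against a live SocksPort to perform the same lookup as {{ic|tor-resolve}}.<br />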
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting back so that it listens for DNS requests on port 9053, and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer, and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not overwrite the resolver configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* The rules use {{ic|--ipv6}} and {{ic|--ipv4}} for protocol-specific entries, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can load the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}, so the IPv6 rules use a plain {{ic|REJECT}}.<br />
<br />
The ports in the rules must match your torrc; make sure it contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
# systemctl enable tor iptables ip6tables<br />
# systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
# find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
# chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
# find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user, so give that user ownership of the data directory and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Save the changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348745Tor2014-12-07T02:31:41Z<p>Usprey: /* Tor configuration */ links fixed</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should be left at its default of {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}} and expects Tor to stay in the foreground.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
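<br />
The two conflicts above, together with the privileged-port rule from [[#Relay Configuration]], can be checked mechanically. The following script is an added example and is not part of this article or of the Tor project; it assumes the unit file and its drop-in directory are passed as arguments and exercises itself on a constructed torrc and drop-in in a temporary directory.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the Arch wiki or the Tor project): check a torrc
# against tor.service and its drop-ins for the conflicts described above.

# Print the value of a torrc option (comments stripped, last occurrence wins).
# Usage: torrc_get <torrc> <Option>   (Tor option names are case-insensitive)
torrc_get() {
    awk -v opt="$2" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(opt) { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Print the effective User= of the service: the unit file first, then any
# drop-in *.conf, later files overriding earlier ones as systemd does.
# Usage: unit_user <unit-file> <dropin-dir>
unit_user() {
    u=""
    for f in "$1" "$2"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -F= '/^[Uu]ser=/ { u = $2 } END { print u }' "$f")
        if [ -n "$v" ]; then u=$v; fi
    done
    printf '%s\n' "$u"
}

# Report torrc/tor.service conflicts; prints one line per finding and
# returns 0 only when none is found.
# Usage: check_tor_config <torrc> <unit-file> <dropin-dir>
check_tor_config() {
    rc=0
    run_as_daemon=$(torrc_get "$1" RunAsDaemon)
    torrc_user=$(torrc_get "$1" User)
    svc_user=$(unit_user "$2" "$3")

    # Type=simple expects Tor to stay in the foreground.
    if [ "${run_as_daemon:-0}" != 0 ]; then
        echo "RunAsDaemon is $run_as_daemon but tor.service uses Type=simple: set it to 0"
        rc=1
    fi
    # Tor can only drop to the torrc User when the service starts as root.
    if [ -n "$torrc_user" ] && [ "$svc_user" != root ]; then
        echo "torrc sets 'User $torrc_user' but the service User= is '${svc_user:-unset}', not root"
        rc=1
    fi
    # Conversely, a root-started service should drop privileges via User.
    if [ "$svc_user" = root ] && [ -z "$torrc_user" ]; then
        echo "service starts as root but torrc has no 'User tor' line: Tor would keep running as root"
        rc=1
    fi
    # Privileged ports (below 1024, e.g. ORPort 443 / DirPort 80) need a root start too.
    for p in $(torrc_get "$1" ORPort) $(torrc_get "$1" DirPort); do
        case $p in *[!0-9]*) continue ;; esac
        if [ "$p" -lt 1024 ] && [ "$svc_user" != root ]; then
            echo "port $p is privileged but the service User= is '${svc_user:-unset}', not root"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files (not taken from any real system).
demo=$(mktemp -d)
cat > "$demo/torrc" <<'EOF'
RunAsDaemon 0
ORPort 443     ## privileged: needs a root start
User tor       ## drop privileges afterwards
EOF
printf '[Service]\nUser=tor\nType=simple\n' > "$demo/tor.service"
mkdir -p "$demo/tor.service.d"
printf '[Service]\nUser=root\n' > "$demo/tor.service.d/start-as-root.conf"
check_tor_config "$demo/torrc" "$demo/tor.service" "$demo/tor.service.d" \
    && echo "no conflicts with the drop-in in place"
check_tor_config "$demo/torrc" "$demo/tor.service" "$demo/nonexistent" \
    || echo "conflicts found without the drop-in (expected)"
rm -rf "$demo"
```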
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must be started as root for this, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}} so that it drops back to the tor user after binding them.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
set -e<br />
export TORCHROOT=/opt/torchroot<br />
<br />
# Directory skeleton<br />
mkdir -p $TORCHROOT/etc/tor $TORCHROOT/dev $TORCHROOT/usr/bin $TORCHROOT/usr/lib $TORCHROOT/usr/share/tor $TORCHROOT/var/lib<br />
<br />
# An absolute target resolves against the new root once inside the chroot<br />
ln -s /usr/lib $TORCHROOT/lib<br />
<br />
# Resolver, time zone and Tor configuration<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver libraries are loaded at run time, so ldd does not list them<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Everything tor links against<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group are needed inside the chroot<br />
grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd<br />
grep --color=never ^tor /etc/group > $TORCHROOT/etc/group<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/<br />
    # The dynamic loader is looked up as /lib64/ld-linux-x86-64.so.2; both link<br />
    # targets are relative to the chroot root so that they still resolve after chroot()<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
    ln -s usr/lib64 $TORCHROOT/lib64<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the ''Proxy Profiles'' tab add a new profile named ''Tor''; untick ''Use the same proxy server for all protocols'' if it is ticked, then enter ''localhost'' as the SOCKS Host, ''9050'' as its port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal browsing and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 interface directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, which resolves names on the proxy side.<br />
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. The Tor daemon's SOCKS port, which listens on port 9050 by default, is used directly.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, your torrc should consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman (a relay that never exits), reject all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it needs a shell), or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Set the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enables {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
ExitPolicy {{ic|reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_Tor_to_privileged_ports]].<br />
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor back to listening for DNS requests on port 9053 ({{ic|DNSPort 9053}}) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', configure it so that it does not overwrite the resolver configuration file. Just add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure, and often easier, to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port; it also prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only carries TCP, so UDP packets other than DNS cannot be sent through Tor and must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification solutions such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* {{ic|--ipv4}} and {{ic|--ipv6}} mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv4}} or {{ic|--ipv6}} is given explicitly, {{ic|ip*tables-restore}} ignores the rule if it is not for its own protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines, since the rules redirect to these ports:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), so that no user processes are started before the firewall is up ({{ic|1=Requires=}} alone does not enforce ordering, so also add a matching {{ic|1=After=}} line). See [[systemd]].<br />
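To check what the ruleset above does to a given packet without loading it into a live kernel, the following added example (not from the wiki page) re-implements its nat OUTPUT and filter OUTPUT chains in Python and runs constructed packets through them; the {{ic|TOR_UID}} value and all packets are assumptions made for the demo.<br />

```python
"""Offline model of the transparent-torification ruleset above.

Added example, not part of the wiki page: it re-implements the *nat OUTPUT and
*filter OUTPUT chains of /etc/iptables/iptables.rules in Python so the leak
behaviour can be checked without a live netfilter.  PREROUTING and INPUT are
not modelled.  TOR_UID and every packet below are constructed for the demo
(the real rules match the user name "tor", not a fixed uid).
"""
import ipaddress
from dataclasses import dataclass, replace

TRANS_PORT = 9040   # TransPort in torrc
DNS_PORT = 5353     # DNSPort in torrc
TOR_UID = 43        # constructed: uid the "tor" user is assumed to have

LAN_V4 = ipaddress.ip_network("192.168.0.0/16")
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_network("::1/8", strict=False)  # -d ::1/8 means ::/8


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str                   # destination address, IPv4 or IPv6
    dport: int = 0
    uid: int = 1000            # owner of the sending socket (-m owner --uid-owner)
    syn: bool = False          # SYN-only segment (--tcp-flags FIN,SYN,RST,ACK SYN)
    established: bool = False  # conntrack RELATED,ESTABLISHED
    out_lo: bool = False       # leaves via the loopback interface (-o lo)

    @property
    def addr(self):
        return ipaddress.ip_address(self.dst)

    def in_net(self, net) -> bool:
        return self.addr.version == net.version and self.addr in net


def nat_output(p: Packet) -> Packet:
    """*nat OUTPUT: returns the packet as it leaves the chain (REDIRECTed or untouched)."""
    if p.out_lo:                      # -A OUTPUT -o lo -j RETURN
        return p
    if p.in_net(LAN_V4):              # --ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
        return p
    if p.uid == TOR_UID:              # -A OUTPUT -m owner --uid-owner "tor" -j RETURN
        return p
    if p.established:                 # nat only sees the first packet of a connection
        return p
    loopback = "::1" if p.addr.version == 6 else "127.0.0.1"
    if p.proto == "udp" and p.dport == 53:   # -p udp --dport 53 -j REDIRECT --to-ports 5353
        return replace(p, dst=loopback, dport=DNS_PORT, out_lo=True)
    if p.proto == "tcp" and p.syn:           # SYN-only -j REDIRECT --to-ports 9040
        return replace(p, dst=loopback, dport=TRANS_PORT, out_lo=True)
    return p                                 # chain policy ACCEPT: packet unchanged


def filter_output(p: Packet) -> str:
    """*filter OUTPUT (policy DROP): returns ACCEPT or REJECT."""
    if p.in_net(LOOPBACK_V4) or p.in_net(LAN_V4) or p.in_net(LOOPBACK_V6):
        return "ACCEPT"               # -d 127.0.0.0/8, -d 192.168.0.0/16, -d ::1/8
    if p.established:                 # -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        return "ACCEPT"
    if p.uid == TOR_UID:              # -m owner --uid-owner "tor" -j ACCEPT
        return "ACCEPT"
    return "REJECT"                   # --ipv4/--ipv6 -A OUTPUT -j REJECT


def verdict(p: Packet) -> str:
    """Final fate of a locally generated packet: REDIRECT:<port>, ACCEPT or REJECT."""
    after_nat = nat_output(p)
    result = filter_output(after_nat)
    if result == "ACCEPT" and after_nat != p:
        return f"REDIRECT:{after_nat.dport}"
    return result


def leak_check() -> dict:
    """Constructed scenarios worth verifying before trusting the ruleset."""
    cases = {
        "browser https":      Packet("tcp", "203.0.113.10", 443, syn=True),
        "dns query":          Packet("udp", "203.0.113.53", 53),
        "ntp (udp leak)":     Packet("udp", "203.0.113.123", 123),
        "ping (icmp leak)":   Packet("icmp", "203.0.113.1"),
        "non-SYN new tcp":    Packet("tcp", "203.0.113.10", 443, syn=False),
        "tor daemon itself":  Packet("tcp", "203.0.113.9", 9001, uid=TOR_UID, syn=True),
        "lan printer":        Packet("tcp", "192.168.1.20", 631, syn=True),
        "ipv6 https":         Packet("tcp", "2001:db8::10", 443, syn=True),
        "ipv6 link-local":    Packet("udp", "fe80::1", 5353),
        "reply on open conn": Packet("tcp", "203.0.113.10", 443, established=True),
    }
    return {name: verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, fate in leak_check().items():
        print(f"{name:20} -> {fate}")
```

Note that a non-SYN TCP segment that is not part of an established connection is rejected rather than leaked, and that the IPv4 LAN bypass does not apply to IPv6 destinations.<br />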
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or with sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which usually means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by tor. Find them with the following command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need their ownership changed. This can be done individually for each file:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still does not start, run it as root and let Tor itself switch to the tor user. To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Then set the user and group in systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
Tor will start as root and then drop to the tor user. Make sure the tor user owns its state directory and can write to it:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348743Tor2014-12-07T02:30:01Z<p>Usprey: /* Start tor.service as root to bind privileged ports */ better explanation</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should be left at its default of {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section of {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, the service must be started as root and then drop privileges: set {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning|Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot.}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Builds a minimal chroot for Tor under /opt/torchroot. Run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# /lib must resolve to usr/lib inside the chroot, as it does on Arch<br />
ln -s usr/lib $TORCHROOT/lib<br />
# Name resolution, time zone and the Tor configuration<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
# The tor binary, its GeoIP data, the NSS/resolver libraries and every shared object ldd reports<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") $TORCHROOT/usr/lib/<br />
# Tor's state directory (keys, cached consensus) must stay owned by the tor user<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor user and group need to exist inside the chroot<br />
grep --color=never '^tor' /etc/passwd > $TORCHROOT/etc/passwd<br />
grep --color=never '^tor' /etc/group > $TORCHROOT/etc/group<br />
<br />
# Device nodes Tor needs: randomness and /dev/null<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    # The binary's interpreter is /lib64/ld-linux-x86-64.so.2, so /lib64 and /usr/lib64 must<br />
    # point at usr/lib *inside* the chroot: relative links, valid from the chroot's root<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/<br />
    ln -s usr/lib $TORCHROOT/lib64<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a quick switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the ''Proxy Profiles'' tab add a new profile ''Tor'', untick ''Use the same proxy server for all protocols'' if it is ticked, then enter ''localhost'' as SOCKS Host, ''9050'' as the port and select ''SOCKS v5''.<br />
<br />
Optionally, enable the quick switch under the ''General'' tab to switch between normal browsing and the Tor network by left-clicking the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications such as messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL also does not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman (a non-exit relay), also add:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor blocks certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
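To see which connections a given set of {{ic|ExitPolicy}} lines would let out of a relay (first matching entry wins, and Tor's default policy is applied after the operator's own lines), the following added example (not from the wiki page or from Tor) parses the torrc forms shown above and evaluates them; {{ic|DEFAULT_POLICY_TAIL}} is a constructed subset of the real default policy, the full list being in {{ic|man tor}}.<br />

```python
"""Evaluate Tor ExitPolicy lines the way a relay applies them.

Added example, not part of the wiki page or of Tor's code base.  It handles
the torrc forms shown above (accept *:*, a port range with a trailing
reject *:*, a single accept placed before the default policy) and the CIDR
form reject a.b.c.d/nn:* used further down.  DEFAULT_POLICY_TAIL is a
constructed subset of Tor's default exit policy; "man tor" has the full list.
"""
import ipaddress
import re

# Constructed subset of Tor's default exit policy (the real list is longer).
DEFAULT_POLICY_TAIL = [
    "reject *:25", "reject *:119", "reject *:135-139", "reject *:445", "accept *:*",
]

_KEYWORD = re.compile(r"^\s*ExitPolicy\s+", re.IGNORECASE)


def parse_policy(torrc_lines):
    """Turn ExitPolicy lines into (accept, network-or-None, low_port, high_port) tuples."""
    rules = []
    for line in torrc_lines:
        # Drop a trailing "# comment" and the optional ExitPolicy keyword.
        line = _KEYWORD.sub("", line.split("#", 1)[0]).strip()
        for entry in filter(None, (e.strip() for e in line.split(","))):
            action, _, target = entry.partition(" ")
            if action.lower() not in ("accept", "reject"):
                raise ValueError(f"bad ExitPolicy entry: {entry!r}")
            host, _, ports = target.strip().rpartition(":")
            host = host.replace("[", "").replace("]", "")  # IPv6 is written [addr]/len:ports
            net = None if host == "*" else ipaddress.ip_network(host, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            elif "-" in ports:
                lo, hi = (int(x) for x in ports.split("-", 1))
            else:
                lo = hi = int(ports)
            rules.append((action.lower() == "accept", net, lo, hi))
    return rules


def exit_allowed(rules, address, port):
    """True if the first matching rule accepts; a policy with no match falls through to accept."""
    addr = ipaddress.ip_address(address)
    for accept, net, lo, hi in rules:
        if net is not None and (net.version != addr.version or addr not in net):
            continue
        if lo <= port <= hi:
            return accept
    return True


def relay_policy(torrc_lines):
    """Operator's lines followed by the (subset) default policy, in the order the relay applies them."""
    return parse_policy(list(torrc_lines) + DEFAULT_POLICY_TAIL)


if __name__ == "__main__":
    irc_only = relay_policy(["ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more"])
    print("irc 6667:", exit_allowed(irc_only, "203.0.113.5", 6667), " https:", exit_allowed(irc_only, "203.0.113.5", 443))
    nntp_too = relay_policy(["ExitPolicy accept *:119 # Accept nntp as well as default exit policy"])
    print("nntp:", exit_allowed(nntp_too, "203.0.113.5", 119), " smtp:", exit_allowed(nntp_too, "203.0.113.5", 25))
```

The {{ic|accept *:119}} line only has an effect because it precedes the default policy's {{ic|reject *:119}}; an operator line placed after a catch-all {{ic|reject *:*}} would never be reached.<br />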
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind Tor to privileged ports ======<br />
To bind Tor to privileged ports the service must be started as root. Also specify the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and serve the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor's {{ic|DNSPort}} back to 9053 (as in the first example above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
This configuration makes dnsmasq listen only for requests from the local machine and use TorDNS as its sole upstream server. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated by a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* It uses {{ic|--ipv4}} and {{ic|--ipv6}} for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can load the same file: where one of these flags is given, the other {{ic|ip*tables-restore}} ignores the rule.<br />
* The ICMP {{ic|--reject-with}} types used for IPv4 ({{ic|icmp-port-unreachable}}, {{ic|icmp-proto-unreachable}}) are not valid names for {{ic|ip6tables}}, which uses {{ic|icmp6-*}} types, so the IPv6 rules use a plain {{ic|REJECT}}.<br />
* The redirect targets must match the ports Tor listens on. Make sure your torrc contains the following lines:<br />
<br />
 SocksPort 9050<br />
 DNSPort 5353<br />
 TransPort 9040<br />
<br />
Given as bare port numbers, these bind to 127.0.0.1 only, so an IPv6 connection redirected to {{ic|[::1]:9040}} finds no listener and is refused by the kernel: it fails closed instead of leaking. See {{ic|man iptables}} and {{ic|man tor}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Traffic arriving from other hosts (not on lo): DNS and new TCP connections go to Tor<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
# Locally generated traffic: leave loopback, the LAN and Tor's own connections alone ...<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
# ... and redirect everything else Tor can carry. The order matters: the RETURN for the<br />
# tor user must come first, or Tor's own connections would loop back into the TransPort<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
--ipv4 -A INPUT -p icmp -j ACCEPT<br />
--ipv6 -A INPUT -p ipv6-icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
# Redirected connections now have a loopback destination and are accepted here<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
# Anything that was not torified (UDP other than DNS, ICMP, IPv6 to non-loopback, ...) is rejected<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for {{ic|ip6tables-restore}}, so you may symlink it:<br />
<br />
 # ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start {{ic|iptables.service}} and {{ic|ip6tables.service}}:<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} (together with matching {{ic|1=After=}} lines, since {{ic|Requires}} alone does not order units) to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
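The following Python script is an added example and not part of this article or of the Tor or iptables projects. It models the nat and filter {{ic|OUTPUT}} chains of the rules file above for the first packet of each locally generated connection (conntrack applies the same decision to the rest of the flow), so the effect of the rule order can be checked without loading the rules into a kernel. The uid of the {{ic|tor}} user (43) and the assumption that {{ic|TransPort 9040}} and {{ic|DNSPort 5353}} bind to 127.0.0.1 only are the script's own.<br />

```python
"""Model of the nat/filter OUTPUT chains from /etc/iptables/iptables.rules above.

Added example: classifies the first packet of each locally generated connection
(conntrack then applies the same decision to the rest of the flow), so the effect
of the rule order can be checked without loading the rules into a kernel.
"""
import ipaddress
from dataclasses import dataclass

TOR_UID = 43                     # uid of the 'tor' user; assumed for this example
TRANS_PORT, DNS_PORT = 9040, 5353
LAN = ipaddress.ip_network("192.168.0.0/16")
LOOPBACK4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK6 = ipaddress.ip_address("::1")


@dataclass
class Packet:
    uid: int                     # owner of the sending socket (-m owner --uid-owner)
    dst: str                     # destination, IPv4 or IPv6 literal
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = True             # TCP only: SYN set, ACK/FIN/RST clear (new connection)
    out_iface: str = "eth0"      # "lo" for loopback traffic


def nat_output(p):
    """Walk the nat OUTPUT chain; return the REDIRECT port, or None for RETURN."""
    dst = ipaddress.ip_address(p.dst)
    if p.out_iface == "lo":                    # -A OUTPUT -o lo -j RETURN
        return None
    if dst.version == 4 and dst in LAN:        # --ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
        return None
    if p.uid == TOR_UID:                       # --uid-owner tor -j RETURN, before the REDIRECTs
        return None
    if p.proto == "udp" and p.dport == 53:     # UDP 53 -> DNSPort
        return DNS_PORT
    if p.proto == "tcp" and p.syn:             # new TCP connections -> TransPort
        return TRANS_PORT
    return None


def filter_output(p, dst):
    """Walk the filter OUTPUT chain (policy DROP) for the first packet of a flow."""
    dst = ipaddress.ip_address(dst)
    if dst.version == 4 and (dst in LOOPBACK4 or dst in LAN):
        return True
    if dst.version == 6 and dst == LOOPBACK6:
        return True
    if p.uid == TOR_UID:
        return True
    return False                               # final REJECT


def outbound_fate(p, tor_listens_on_v6=False):
    """Where the packet ends up: 'tor TransPort', 'tor DNSPort', 'direct', 'refused' or 'rejected'."""
    redirect = nat_output(p)
    dst = p.dst
    if redirect is not None:
        # REDIRECT rewrites the destination to the primary address of the loopback interface
        dst = "127.0.0.1" if ipaddress.ip_address(p.dst).version == 4 else "::1"
    if not filter_output(p, dst):
        return "rejected"
    if redirect is None:
        return "direct"
    if dst == "::1" and not tor_listens_on_v6:
        # 'TransPort 9040' / 'DNSPort 5353' bind 127.0.0.1 only, so nothing listens on
        # [::1]:port: the kernel refuses the connection (fails closed, no leak)
        return "refused"
    return "tor TransPort" if redirect == TRANS_PORT else "tor DNSPort"


if __name__ == "__main__":
    samples = [  # constructed packets: (description, Packet)
        ("user TCP 443 to the Internet", Packet(1000, "93.184.216.34", "tcp", 443)),
        ("user DNS query over UDP", Packet(1000, "8.8.8.8", "udp", 53)),
        ("user NTP over UDP", Packet(1000, "129.6.15.28", "udp", 123)),
        ("user ping", Packet(1000, "1.1.1.1", "icmp")),
        ("tor daemon to a relay", Packet(TOR_UID, "1.2.3.4", "tcp", 9001)),
        ("user SSH to the LAN", Packet(1000, "192.168.1.1", "tcp", 22)),
        ("user TCP over IPv6", Packet(1000, "2001:db8::1", "tcp", 80)),
    ]
    for description, packet in samples:
        print(f"{description:32s} -> {outbound_fate(packet)}")
```

Running the script shows that a TCP connection from a normal user is redirected to the TransPort and a UDP query to port 53 to the DNSPort, while NTP or ICMP from the same user is rejected, Tor's own connections pass untouched because the {{ic|--uid-owner tor}} RETURN precedes the REDIRECT rules, and IPv6 fails closed unless Tor is also configured to listen on {{ic|[::1]}}.<br />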
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run it manually as root (or with sudo):<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which usually means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by the {{ic|tor}} user. Find them with:<br />
<br />
 # find /var/lib/tor/ ! -user tor<br />
<br />
Every path listed needs its ownership changed. This can be done individually for each file:<br />
<br />
 # chown tor:tor /var/lib/tor/filename<br />
<br />
Or, to fix everything listed by the find command above:<br />
<br />
 # find /var/lib/tor/ ! -user tor -exec chown tor:tor {} +<br />
<br />
Tor should now start up correctly.<br />
<br />
If the service still does not start, run it as root and let Tor switch to the {{ic|tor}} user itself. Set the user in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
and override the user the service starts as with a drop-in, rather than editing {{ic|/usr/lib/systemd/system/tor.service}} (which pacman would overwrite on the next update):<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
Tor binds its ports as root and then drops to the {{ic|tor}} user, so its data directory must be owned by that user and not accessible to others:<br />
<br />
 # chown -R tor:tor /var/lib/tor/<br />
 # chmod 700 /var/lib/tor<br />
<br />
Now reload systemd and start the daemon:<br />
<br />
 # systemctl daemon-reload<br />
 # systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348741Tor2014-12-07T02:25:27Z<p>Usprey: /* arm */ comma</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages network traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node before forwarding it to the server you specified. One trade-off for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between the settings in {{ic|torrc}} and those in {{ic|tor.service}}:<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should keep its default of {{ic|0}}, since {{ic|tor.service}} uses {{ic|Type<nowiki>=</nowiki>simple}} in its {{ic|[Service]}} section and expects Tor to stay in the foreground.<br />
* In {{ic|torrc}}, {{ic|User}} should only be set when {{ic|User<nowiki>=</nowiki>root}} is set in the {{ic|[Service]}} section of {{ic|tor.service}}: Tor can only drop to another user if it was started as root.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root and drop privileges itself: set {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} (see [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]) and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
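The following Python script is an added example, not part of this article or of Tor. It encodes the rules above (the {{ic|RunAsDaemon}} and {{ic|User}} interactions from [[#Configuration]] and the privileged-port rule from this section) as a pre-flight check over a {{ic|torrc}} and the {{ic|[Service]}} section of {{ic|tor.service}} plus any drop-ins. The sample inputs are constructed for the example; the stock unit's keys ({{ic|1=User=tor}}, {{ic|1=Type=simple}}) are assumed from the description above.<br />

```python
"""Pre-flight check for the torrc / tor.service interactions described above.

Added example (not part of the page or of Tor): parses the two files and reports
the combinations that make Tor fail to start or keep root privileges.
"""
import re

# Options whose value is a listening port; binding below 1024 needs root
PORT_OPTIONS = ("ORPort", "DirPort", "DNSPort", "TransPort", "SocksPort", "ControlPort")


def parse_torrc(text):
    """Return {option_lowercase: [values]} (Tor option names are case-insensitive)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), []).append(value.strip())
    return opts


def parse_service_section(text):
    """Return the key=value pairs of the [Service] section; later assignments win,
    which is how a drop-in overrides the stock unit."""
    section, result = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def port_number(value):
    """'443', '0.0.0.0:9050' or '9040 IsolateDestAddr' -> int; 'auto' -> None."""
    match = re.search(r"(\d+)$", value.split()[0]) if value.split() else None
    return int(match.group(1)) if match else None


def check_conflicts(torrc_text, service_text):
    """List the problems the article warns about; an empty list means no conflict."""
    torrc = parse_torrc(torrc_text)
    service = parse_service_section(service_text)
    starts_as_root = service.get("User", "root") == "root"   # systemd's default User is root
    problems = []

    if torrc.get("runasdaemon", ["0"])[-1] != "0" and service.get("Type", "simple") == "simple":
        problems.append("RunAsDaemon 1 forks into the background, but tor.service is Type=simple")
    if "user" in torrc and not starts_as_root:
        problems.append("torrc sets User but the service does not start as root; "
                        "Tor cannot switch users and fails with 'Problem with User value'")
    if starts_as_root and "user" not in torrc:
        problems.append("service starts Tor as root but torrc has no User line; Tor keeps root")
    for option in PORT_OPTIONS:
        for value in torrc.get(option.lower(), []):
            port = port_number(value)
            if port is not None and 0 < port < 1024 and not starts_as_root:
                problems.append(f"{option} {port} is a privileged port; start the service as root")
    return problems


# Constructed inputs: the [Service] keys of the stock unit as the article describes
# them, the same unit with a User=root drop-in, and a relay torrc following the advice above.
STOCK_SERVICE = "[Service]\nUser=tor\nType=simple\nExecStart=/usr/bin/tor -f /etc/tor/torrc\n"
ROOT_DROPIN = STOCK_SERVICE + "[Service]\nUser=root\n"
RELAY_TORRC = "ORPort 443\nDirPort 80\nNickname example\nUser tor\n"

if __name__ == "__main__":
    for name, service in (("stock unit", STOCK_SERVICE), ("with User=root drop-in", ROOT_DROPIN)):
        print(name, "->", check_conflicts(RELAY_TORRC, service) or "ok")
```

With the stock unit the relay torrc produces three findings (the {{ic|User}} line and the two privileged ports); with the {{ic|1=User=root}} drop-in it passes.<br />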
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot. Run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT"/{etc/tor,dev,usr/bin,usr/lib,usr/share/tor,var/lib}<br />
<br />
# /lib -> /usr/lib; the absolute target is resolved inside the chroot<br />
ln -sfn /usr/lib "$TORCHROOT/lib"<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# Libraries tor is linked against, plus the ones glibc loads at run time for name resolution<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep "^/") "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor user and group are needed inside the chroot<br />
grep "^tor:" /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep "^tor:" /etc/group > "$TORCHROOT/etc/group"<br />
<br />
[[ -e "$TORCHROOT/dev/random" ]]  || mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
[[ -e "$TORCHROOT/dev/urandom" ]] || mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
[[ -e "$TORCHROOT/dev/null" ]]    || mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    # The binary asks for /lib64/ld-linux-x86-64.so.2; point both lib64 paths at usr/lib<br />
    # (relative links, so they also resolve correctly inside the chroot)<br />
    ln -sfn usr/lib "$TORCHROOT/lib64"<br />
    ln -sfn lib "$TORCHROOT/usr/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
 # chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
Since {{ic|--userspec}} already starts Tor as the {{ic|tor}} user, the {{ic|torrc}} copied into the chroot must not contain a {{ic|User}} line (see [[#Problem with user value]]). If you use systemd, override the service with a drop-in instead:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy on port 9050 (the default {{ic|SocksPort}} of a plain tor installation) or port 9150 (the port used by the Tor Browser Bundle, see [[#Pidgin]]). Port 9051 is conventionally Tor's {{ic|ControlPort}} (as in [[#Tor configuration]] below), not a SOCKS port. Prefer SOCKS5 or SOCKS4a with remote hostname resolution, so that the application hands hostnames to Tor instead of resolving them locally.<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar, accept the warning, set {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This sends DNS requests through Tor's SOCKS proxy instead of resolving them locally; without it, every hostname you visit leaks to your local resolver.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
 $ chromium --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"<br />
<br />
Use the {{ic|socks5://}} scheme: Chromium treats {{ic|socks://}} as SOCKS4, which carries only an IP address, so it would resolve every hostname itself. The {{ic|--host-resolver-rules}} flag additionally keeps Chromium's own DNS prefetching from leaking lookups outside Tor.<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal browsing and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 interface directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
This setup can also be used by other applications, e.g. instant messaging (Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy ({{ic|127.0.0.1:8118}}); applications that support SOCKS can be pointed at Tor directly ({{ic|127.0.0.1:9050}}). A problem with the latter is that applications doing DNS resolution themselves (plain SOCKS4, or SOCKS5 with a locally resolved address) leak the hostnames they look up. Use SOCKS4a or SOCKS5 with remote hostname resolution (e.g. via Privoxy's {{ic|forward-socks4a}}) instead.<br />
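To see why the distinction matters, the following Python functions (an added example, not code from this article or from Tor, Privoxy or torsocks) build the three CONNECT request formats: a SOCKS4 request can only carry an IPv4 address, so the client has to resolve the hostname itself before it can even build the request, whereas SOCKS4a and SOCKS5 (RFC 1928, address type 3) hand the hostname to the proxy. The hostname and address used are constructed sample inputs.<br />

```python
"""SOCKS CONNECT request encodings, showing which variants hand the hostname to the
proxy (Tor) and which force the client to resolve it locally first.

Added example; the wire formats follow the SOCKS4/4a specification and RFC 1928.
"""
import ipaddress
import struct


def socks4_connect(ipv4_literal, port, userid=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP (4 bytes), USERID, NUL.
    There is no room for a name, so a hostname has to be resolved by the client
    before this request can be built: that local lookup is the DNS leak."""
    dst = ipaddress.IPv4Address(ipv4_literal).packed
    return struct.pack("!BBH", 4, 1, port) + dst + userid + b"\x00"


def socks4a_connect(hostname, port, userid=b""):
    """SOCKS4a CONNECT: DSTIP is 0.0.0.x (x != 0) as a marker and the hostname
    follows the USERID, NUL-terminated. The proxy resolves the name."""
    name = hostname.encode("idna")
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + name + b"\x00")


def socks5_method_selection():
    """SOCKS5 greeting offering only 'no authentication' (VER=5, NMETHODS=1, METHOD=0)."""
    return b"\x05\x01\x00"


def socks5_connect(hostname, port):
    """SOCKS5 CONNECT with ATYP=3 (domain name): VER, CMD=1, RSV, ATYP, LEN, NAME, PORT.
    Sent after the method selection; the proxy resolves the name."""
    name = hostname.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return struct.pack("!BBBB", 5, 1, 0, 3) + bytes([len(name)]) + name + struct.pack("!H", port)


def proxy_resolves_name(request):
    """True if the request carries a hostname for the proxy to resolve, False if it
    carries an address the client already resolved itself."""
    if request[0] == 5:
        return request[3] == 3                                     # ATYP 1/4 are literal IPv4/IPv6
    if request[0] == 4:
        return request[4:7] == b"\x00\x00\x00" and request[7] != 0  # 0.0.0.x marker of SOCKS4a
    raise ValueError("not a SOCKS4/4a/5 request")


if __name__ == "__main__":
    host, addr = "check.torproject.org", "208.78.69.70"   # constructed sample inputs
    for label, req in (("SOCKS4 ", socks4_connect(addr, 80)),
                       ("SOCKS4a", socks4a_connect(host, 80)),
                       ("SOCKS5 ", socks5_connect(host, 443))):
        where = "proxy" if proxy_resolves_name(req) else "client (leaks DNS)"
        print(f"{label} {req.hex()}  name resolved by: {where}")
```

Firefox's {{ic|network.proxy.socks_remote_dns}}, Chromium's {{ic|socks5://}} scheme and Privoxy's {{ic|forward-socks4a}} / {{ic|forward-socks5}} all select the hostname-carrying variants; curl does the same with {{ic|--socks5-hostname}}, as used in [[#Pacman]].<br />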
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , your torrc needs just these four lines:<br />
<br />
 SocksPort 0<br />
 ORPort 443<br />
 BridgeRelay 1<br />
 ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should share at least 20 KiB/s:<br />
<br />
 Nickname ''tornickname''<br />
 ORPort 9001<br />
 BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
 BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run as a middleman relay, i.e. not as an exit, reject all exit traffic:<br />
<br />
 ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
 ExitPolicy accept *:*<br />
<br />
Allow only IRC ports 6660-6667 to exit from the node:<br />
<br />
 ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
Policy entries are evaluated in order and the first match wins. Tor's default exit policy, which rejects among others ports 25, 119, 135-139, 445 and common peer-to-peer ports, is appended after your own lines, so a torrc line can override parts of it:<br />
<br />
 ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
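The following Python snippet is an added example, not Tor's code: it applies {{ic|ExitPolicy}} lines the way the manual describes (first match wins, default policy appended) so you can check what a policy lets out before publishing a descriptor. The default policy list is the one given under {{ic|ExitPolicy}} in {{ic|man tor}}; the addresses in the demonstration are documentation ranges chosen for the example, and {{ic|ExitPolicyRejectPrivate}} is not modelled.<br />

```python
"""Evaluate Tor ExitPolicy lines the way Tor applies them: entries are checked in
order, the first match decides, and Tor's default exit policy is appended after
the operator's own lines. Added example, not Tor's own code.
"""
import ipaddress

# Tor's built-in default exit policy (see ExitPolicy in the tor manual); it is
# implicitly appended to whatever the torrc specifies.
DEFAULT_EXIT_POLICY = (
    "reject *:25", "reject *:119", "reject *:135-139", "reject *:445",
    "reject *:563", "reject *:1214", "reject *:4661-4666",
    "reject *:6346-6429", "reject *:6699", "reject *:6881-6999",
    "accept *:*",
)


def parse_policy(lines):
    """Turn torrc ExitPolicy lines into (accept, network_or_None, low_port, high_port)."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()              # drop trailing comments
        if line.lower().startswith("exitpolicy"):
            line = line[len("exitpolicy"):]
        for entry in (e.strip() for e in line.split(",")):  # several entries per line allowed
            if not entry:
                continue
            action, _, target = entry.partition(" ")
            addr, _, ports = target.strip().rpartition(":")
            addr = addr.replace("[", "").replace("]", "")    # [2001:db8::]/32:* form
            network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if ports == "*":
                low, high = 1, 65535
            elif "-" in ports:
                low, high = (int(p) for p in ports.split("-", 1))
            else:
                low = high = int(ports)
            rules.append((action.lower().startswith("accept"), network, low, high))
    return rules


def exit_allowed(torrc_lines, address, port):
    """Would an exit with these torrc lines let a stream to address:port leave?"""
    ip = ipaddress.ip_address(address)
    for accept, network, low, high in parse_policy(list(torrc_lines) + list(DEFAULT_EXIT_POLICY)):
        if network is not None and ip not in network:   # v4 address never matches a v6 network
            continue
        if low <= port <= high:
            return accept
    return False   # not reached: the default policy ends with 'accept *:*'


if __name__ == "__main__":
    # Constructed policies; 93.184.216.34 and 203.0.113.0/24 are documentation addresses
    cases = {
        "irc only": ["ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more"],
        "nntp on top of default": ["ExitPolicy accept *:119"],
        "default only": [],
        "block own netblock": ["ExitPolicy reject 203.0.113.0/24:*"],
    }
    for name, lines in cases.items():
        for ip, port in (("93.184.216.34", 443), ("93.184.216.34", 119), ("203.0.113.9", 443)):
            print(f"{name:24s} {ip}:{port:<5d} -> {'accept' if exit_allowed(lines, ip, port) else 'reject'}")
```

The demonstration shows that {{ic|accept *:119}} placed before the default policy wins over the default's {{ic|reject *:119}}, while ports such as 25 stay closed because nothing in the operator's lines matched them first.<br />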
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
Note that {{ic|/etc/security/limits.conf}} is applied by PAM at login and does not affect {{ic|tor.service}}, which gets its limit from {{ic|LimitNOFILE}} alone; the following entries only matter if you also start Tor from a shell as the {{ic|tor}} user:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit of the running service is raised with {{ic|# cat /proc/$(pidof tor)/limits}}, or, for a shell as the tor user, with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it cannot be run via sudo directly).<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind to privileged ports the service is started as root. Specify {{ic|User tor}} in {{ic|/etc/tor/torrc}} so that Tor drops privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on Port 80 and 443 the service need to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 64000 KB ## Allow bursts up to ~500Mbps<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]:<br />
* {{ic|Log notice stdout}} logs to stdout, which is also the Tor default.<br />
* {{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
* {{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and serve the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
* {{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with {{ic|# ip addr}}.<br />
* {{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
* {{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
* {{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
* {{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## Cache size in KB: 102400 KB = 100 MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
Tor (since the 0.2.x series) provides a built-in DNS resolver that answers queries over the Tor network. To enable it, add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
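<br />
What {{ic|tor-resolve}} does on the wire, as an added illustration (this code is not tor-resolve's source and is not from this page): Tor's SOCKS port understands a Tor-specific SOCKS5 command, RESOLVE (0xF0), which returns an address instead of opening a connection, so the name is resolved through the Tor network rather than by a cleartext DNS query. The functions below build that request and decode the reply; {{ic|tor_resolve()}} runs the exchange against a local Tor on 127.0.0.1:9050, and the sample reply at the bottom is constructed so the parsing can be checked without a running Tor.<br />
<br />
```python
"""What tor-resolve does on the wire: a SOCKS5 RESOLVE exchange with Tor.

Added example, not tor-resolve's own source.  Tor's SocksPort accepts the
Tor-specific SOCKS5 command 0xF0 (RESOLVE), which answers with an address
instead of opening a connection, so the name is resolved by the Tor network
and never leaves the machine as a cleartext DNS query.
"""
import socket

SOCKS_VERSION = 5
CMD_RESOLVE = 0xF0                    # Tor extension (socks-extensions.txt)
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_method_select():
    """Greeting: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_resolve_request(hostname):
    """SOCKS5 request: VER CMD RSV ATYP LEN NAME PORT, with CMD=RESOLVE."""
    name = hostname.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_RESOLVE, 0x00, ATYP_DOMAIN, len(name)])
            + name + b"\x00\x00")     # port field is unused for RESOLVE


def parse_resolve_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT; return the address text.

    Tor puts the answer in BND.ADDR with ATYP 0x01 (IPv4) or 0x04 (IPv6).
    A non-zero REP is a failure (0x04 = host unreachable, for instance).
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise OSError(f"resolve failed, SOCKS reply code 0x{rep:02x}")
    if atyp == ATYP_IPV4:
        length, family = 4, socket.AF_INET
    elif atyp == ATYP_IPV6:
        length, family = 16, socket.AF_INET6
    else:
        raise ValueError(f"unexpected address type 0x{atyp:02x}")
    if len(data) < 4 + length + 2:
        raise ValueError("truncated reply")
    return socket.inet_ntop(family, data[4:4 + length])


def tor_resolve(hostname, host="127.0.0.1", port=9050):
    """Run the exchange against a local Tor client (needs Tor running)."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(build_method_select())
        if sock.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise OSError("Tor did not accept the no-authentication method")
        sock.sendall(build_resolve_request(hostname))
        return parse_resolve_reply(sock.recv(262))


# Constructed reply, as Tor would send it for an A record of 66.211.214.131
# (the address shown in the tor-resolve example above); used for offline checks.
SAMPLE_REPLY = (bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4])
                + socket.inet_aton("66.211.214.131") + b"\x00\x00")

if __name__ == "__main__":
    print("request :", build_resolve_request("archlinux.org").hex())
    print("reply   :", SAMPLE_REPLY.hex(), "->", parse_resolve_reply(SAMPLE_REPLY))
```
<br />
With Tor running, {{ic|tor_resolve("archlinux.org")}} performs the same lookup as the {{ic|tor-resolve}} command above; the constructed {{ic|SAMPLE_REPLY}} shows the reply layout Tor uses, with the answer carried in the BND.ADDR field.<br />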
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting so that it listens for DNS requests on port 9053 (as in the {{ic|DNSPort 9053}} example above), and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream resolver. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', change its settings so that it does not overwrite the resolv configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without changing the configuration of the application itself. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and the filter table to block anything it cannot torify.<br />
<br />
* {{ic|--ipv6}} and {{ic|--ipv4}} prefixes mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is given explicitly, {{ic|ip*tables-restore}} ignores the rule if it is not for that protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
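<br />
To see what the ruleset does to a given connection without loading it, the following Python model replays the nat OUTPUT and filter OUTPUT chains for the first packet of a new, locally generated connection. It is an added example, not part of this page or of iptables: the rules are transcribed by hand from the file above, so it describes only that file (PREROUTING, which handles forwarded traffic, and conntrack state for established flows are left out), and it assumes the torrc ports from the note, TransPort 9040 and DNSPort 5353. The sample destinations are constructed from documentation address ranges.<br />
<br />
```python
"""Model of the transparent-torification ruleset above (added example).

Replays the nat OUTPUT and filter OUTPUT chains for the first packet of a
new, locally generated connection.  Real iptables is not involved: the
rules are transcribed by hand from the file, so the model describes only
that file.  PREROUTING (forwarded traffic) and conntrack state for
already-established flows are left out.  Ports follow the torrc lines in
the note: TransPort 9040 and DNSPort 5353.
"""
import ipaddress

TRANS_PORT = 9040          # TransPort
DNS_PORT = 5353            # DNSPort
TOR_UID = "tor"            # --uid-owner "tor"

LAN_V4 = ipaddress.ip_network("192.168.0.0/16")
LOOP_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOP_V6 = ipaddress.ip_network("::1/8", strict=False)   # ip6tables "-d ::1/8"


def nat_output(proto, dst, dport, uid):
    """nat OUTPUT chain: return the REDIRECT target port, or None."""
    if dst.is_loopback:                              # -o lo -j RETURN
        return None
    if dst.version == 4 and dst in LAN_V4:           # --ipv4 -d 192.168.0.0/16 -j RETURN
        return None
    if uid == TOR_UID:                               # --uid-owner "tor" -j RETURN
        return None
    if proto == "udp" and dport == 53:               # DNS -> DNSPort
        return DNS_PORT
    if proto == "tcp":                               # SYN -> TransPort
        return TRANS_PORT
    return None                                      # chain policy ACCEPT, untouched


def filter_output(dst, uid):
    """filter OUTPUT chain for a new connection (no RELATED/ESTABLISHED state yet)."""
    if dst.version == 4 and (dst in LOOP_V4 or dst in LAN_V4):
        return "ACCEPT"
    if dst.version == 6 and dst in LOOP_V6:
        return "ACCEPT"
    if uid == TOR_UID:                               # --uid-owner "tor" -j ACCEPT
        return "ACCEPT"
    return "REJECT"                                  # final --ipv4/--ipv6 REJECT rules


def decide(proto, dst, dport=None, uid="user"):
    """Return (redirect_port or None, verdict) for a new outbound connection."""
    dst = ipaddress.ip_address(dst)
    redirect = nat_output(proto, dst, dport, uid)
    if redirect is not None:
        # REDIRECT rewrites the destination to the loopback address, so the
        # filter chain then sees a packet for 127.0.0.1 / ::1 and accepts it.
        dst = ipaddress.ip_address("127.0.0.1" if dst.version == 4 else "::1")
    return redirect, filter_output(dst, uid)


if __name__ == "__main__":
    # Constructed sample connections (documentation address ranges).
    cases = [
        ("tcp", "203.0.113.7", 443, "user"),     # web -> TransPort
        ("udp", "203.0.113.7", 53, "user"),      # DNS -> DNSPort
        ("udp", "203.0.113.7", 123, "user"),     # NTP: not torifiable, rejected
        ("icmp", "203.0.113.7", None, "user"),   # ping: rejected
        ("tcp", "192.168.1.10", 22, "user"),     # LAN: bypasses Tor
        ("tcp", "203.0.113.7", 443, "tor"),      # Tor itself: straight out
        ("tcp", "2001:db8::1", 443, "user"),     # IPv6 web -> TransPort
        ("udp", "2001:db8::1", 123, "user"),     # IPv6 NTP: rejected
    ]
    for proto, dst, dport, uid in cases:
        print(f"{proto:4} {dst:>14}:{str(dport):5} uid={uid:4} -> {decide(proto, dst, dport, uid)}")
```
<br />
Running it shows the leak-protection property the paragraph above describes: TCP and UDP/53 are redirected into Tor (the destination becomes the loopback address, which the filter chain accepts), traffic from the tor user and to 192.168.0.0/16 goes out directly, and anything else, such as NTP over UDP or ICMP, is rejected rather than leaking around Tor.<br />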
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or with sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
then the problem is with the {{ic|User}} value, which usually means that one or more files or directories under {{ic|/var/lib/tor}} are not owned by the tor user. Find them with the following command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed by this command need their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or, to change everything listed by the find command above, extend it like this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still cannot be started, run it as root and let Tor switch to the tor user itself. To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Then modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user. For this to work, change the owner and group of the state directory to tor and make it writable by tor:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348740Tor2014-12-07T02:24:57Z<p>Usprey: /* Tor configuration */ privileges</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should be left at its default of {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section of {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section of {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}, so that Tor drops to the tor user after binding them.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
# The link target must resolve inside the chroot, so point at /usr/lib rather than $TORCHROOT/usr/lib<br />
ln -s /usr/lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then enter ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 interface directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to [https://www.torproject.org/docs/bridges the Tor bridge documentation], your torrc needs to be just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a relay that does not exit):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear to have originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
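A small evaluator for ExitPolicy lines, added here as an illustration (it is a model written for this page, not Tor's own policy parser): it parses the comma-separated {{ic|accept}}/{{ic|reject}} entries, applies them first-match-wins, and then falls through to the default policy as documented in the tor manual, which is what makes {{ic|accept *:119}} open nntp "as well as" the default exit policy. It goes slightly beyond the three lines above by also handling the {{ic|ADDR/MASK}} form used in the exit-relay example further down and the {{ic|private}} alias; it covers IPv4 only, and the default-policy table should be checked against the manual of the installed Tor version.<br />
<br />
```python
"""Evaluate a torrc ExitPolicy (added example; a model, not Tor's parser).

An ExitPolicy is a comma-separated list of "accept|reject ADDR[/MASK]:PORTS"
entries, matched top to bottom, first hit wins.  "*" stands for any address
or any port, PORTS may be a range such as 6660-6667, and "private" expands to
the RFC 1918/loopback/link-local ranges.  Tor appends its documented default
policy after the operator's entries.  IPv4 only.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action network low high")

# Networks behind Tor's "private" alias (Tor also adds the relay's own address).
PRIVATE_NETS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]

# Default policy as documented in the tor manual; check it against your version.
DEFAULT_POLICY = ("reject private:*,reject *:25,reject *:119,reject *:135-139,"
                  "reject *:445,reject *:563,reject *:1214,reject *:4661-4666,"
                  "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*")


def parse_policy(text):
    """Turn 'accept *:6660-6667,reject *:*' into a list of Rule objects."""
    rules = []
    for entry in text.split(","):
        entry = entry.split("#", 1)[0].strip()        # drop a trailing comment
        if not entry:
            continue
        action, _, addr_port = entry.partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"bad action in {entry!r}")
        addr, _, ports = addr_port.strip().rpartition(":")
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        if addr == "*":
            nets = ["0.0.0.0/0"]
        elif addr == "private":
            nets = PRIVATE_NETS
        else:
            nets = [addr]
        for net in nets:
            rules.append(Rule(action, ipaddress.ip_network(net, strict=False), low, high))
    return rules


def exit_allowed(policy, address, port):
    """True if an exit to address:port is permitted by policy + Tor's default."""
    ip = ipaddress.ip_address(address)
    for rule in parse_policy(policy) + parse_policy(DEFAULT_POLICY):
        if ip in rule.network and rule.low <= port <= rule.high:
            return rule.action == "accept"
    return False          # not reached: the default policy ends in accept *:*


if __name__ == "__main__":
    # The three policy lines from this section, checked against a constructed
    # destination in the 203.0.113.0/24 documentation range.
    for policy in ("accept *:*",
                   "accept *:6660-6667,reject *:*   # Allow irc ports but no more",
                   "accept *:119   # Accept nntp as well as default exit policy"):
        print(policy)
        for port in (25, 80, 119, 6667):
            verdict = "accept" if exit_allowed(policy, "203.0.113.7", port) else "reject"
            print(f"    203.0.113.7:{port:<5} -> {verdict}")
```
<br />
The output shows the difference between the three lines: {{ic|accept *:*}} also opens port 25, which Tor's default tail would reject; the IRC-only policy rejects everything outside 6660-6667; and {{ic|accept *:119}} opens nntp while ports such as 25 stay closed by the default policy.<br />
<br />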
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|# ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind privileged ports, the service is started as root. Specify {{ic|User tor}} in {{ic|/etc/tor/torrc}} so that Tor drops to the tor user afterwards.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
{{ic|Log notice stdout}} sets logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and serve the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
ExitPolicy {{ic|reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. Use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* This file now uses {{ic|--ipv6}} and {{ic|--ipv4}} for protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for the matching protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
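To see what the ruleset above actually does to a given packet, here is an added example that is not part of the wiki page or the Tor project: a small simulator that replays the nat OUTPUT chain and then the filter OUTPUT chain for the first packet of a locally generated IPv4 flow. The uid of the {{ic|tor}} user (43) and the sample packets are constructed values.<br />

```python
"""Replay of the OUTPUT path of the transparent-torification ruleset.

Added example (not code from the ArchWiki page or the Tor project). It models
the nat OUTPUT chain followed by the filter OUTPUT chain from the
iptables.rules file for the FIRST packet of a locally generated IPv4 flow,
and reports whether the packet is redirected to Tor's TransPort/DNSPort,
sent directly, or rejected because it cannot be torified (a would-be leak).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TRANS_PORT = 9040     # TransPort in torrc
DNS_PORT = 5353       # DNSPort in torrc
TOR_UID = 43          # uid of the "tor" user: constructed value for this model

LAN_V4 = ip_network("192.168.0.0/16")    # the ruleset's LAN exception
LOOPBACK_V4 = ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """A locally generated IPv4 packet as the OUTPUT chains see it."""
    dst: str                  # destination address
    proto: str                # "tcp", "udp", "icmp", ...
    dport: Optional[int]      # destination port for tcp/udp
    uid: int                  # uid of the sending process (-m owner)
    syn: bool = True          # tcp: SYN-only packet, i.e. a new connection
    out_lo: bool = False      # leaves via the loopback interface (-o lo)


def nat_output(pkt: Packet) -> Optional[int]:
    """Replay the nat OUTPUT chain; return the REDIRECT target port, or None."""
    if pkt.out_lo:                        # -A OUTPUT -o lo -j RETURN
        return None
    if ip_address(pkt.dst) in LAN_V4:     # --ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
        return None
    if pkt.uid == TOR_UID:                # -A OUTPUT -m owner --uid-owner "tor" -j RETURN
        return None
    if pkt.proto == "udp" and pkt.dport == 53:
        return DNS_PORT                   # -p udp --dport 53 -j REDIRECT --to-ports 5353
    if pkt.proto == "tcp" and pkt.syn:
        return TRANS_PORT                 # -p tcp --tcp-flags ... SYN -j REDIRECT --to-ports 9040
    return None                           # chain policy ACCEPT: packet left untouched


def filter_output(pkt: Packet, redirect_port: Optional[int]) -> str:
    """Replay the filter OUTPUT chain (policy DROP); return "ACCEPT" or "REJECT"."""
    # REDIRECT rewrites the destination of a locally generated packet to
    # 127.0.0.1, which is why torified packets pass the loopback ACCEPT rule.
    dst = ip_address("127.0.0.1") if redirect_port is not None else ip_address(pkt.dst)
    if dst in LOOPBACK_V4:                # --ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
        return "ACCEPT"
    if dst in LAN_V4:                     # --ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
        return "ACCEPT"
    # -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT is skipped here:
    # this model only looks at the first packet of a flow.
    if pkt.uid == TOR_UID:                # -A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
        return "ACCEPT"
    return "REJECT"                       # --ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable


def classify(pkt: Packet) -> str:
    """Human-readable fate of the packet after both chains."""
    redirect_port = nat_output(pkt)
    if filter_output(pkt, redirect_port) == "REJECT":
        return "rejected: cannot be torified"
    if redirect_port == TRANS_PORT:
        return "redirected to TransPort 9040"
    if redirect_port == DNS_PORT:
        return "redirected to DNSPort 5353"
    return "sent directly"


if __name__ == "__main__":
    # Constructed sample packets from an unprivileged user (uid 1000) and from Tor itself.
    samples = {
        "browser TCP to 93.184.216.34:443": Packet("93.184.216.34", "tcp", 443, 1000),
        "resolver UDP DNS to 9.9.9.9:53":   Packet("9.9.9.9", "udp", 53, 1000),
        "NTP UDP to 129.6.15.28:123":       Packet("129.6.15.28", "udp", 123, 1000),
        "ping ICMP to 9.9.9.9":             Packet("9.9.9.9", "icmp", None, 1000),
        "ssh TCP to LAN 192.168.1.10:22":   Packet("192.168.1.10", "tcp", 22, 1000),
        "SOCKS TCP to 127.0.0.1:9050":      Packet("127.0.0.1", "tcp", 9050, 1000, out_lo=True),
        "Tor's own TCP to a guard relay":   Packet("198.51.100.7", "tcp", 9001, TOR_UID),
    }
    for label, pkt in samples.items():
        print(f"{label:36} -> {classify(pkt)}")
```

The NTP and ICMP cases show the "blocked entirely to prevent leaks" behaviour described above, while the SocksPort case shows that a direct SOCKS connection keeps working.<br />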
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
Still if you cannot start the tor service, run the service using root (this will switch back to the tor user). To do this, change the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will be run as tor user. For this purpose change user and group ID to tor and also make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348739Tor2014-12-07T02:23:52Z<p>Usprey: /* Tor configuration */ spelling capital T in Tor</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in file:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain Tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly, visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be connected to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method, though, is that applications doing DNS resolution by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, we do not need an HTTP proxy like [[polipo]]/[[privoxy]]. We will be using Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}} ({{ic|ulimit}} is a shell builtin, so it must be run inside a shell).<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind to privileged ports, the service is started as root. Make sure {{ic|User tor}} is specified in {{ic|/etc/tor/torrc}} so that Tor drops privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443, the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 64000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
{{ic|Log notice stdout}} sends the log to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and serve [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start your Tor as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. You should use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
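<br />
On the wire, {{ic|tor-resolve}} sends Tor's SOCKS5 RESOLVE extension (command 0xF0, or 0xF1 for a reverse lookup, as documented in Tor's socks-extensions.txt) to the SocksPort. The following is an added example, not code from this page or from the Tor project, that builds and parses those messages and, assuming a Tor SocksPort on 127.0.0.1:9050, performs the lookup itself; the hostname and address used in the self-test are the ones shown above.<br />
<br />
```python
import ipaddress
import socket
import sys

SOCKS_VERSION = 0x05
CMD_RESOLVE = 0xF0      # Tor extension: forward lookup of a hostname
CMD_RESOLVE_PTR = 0xF1  # Tor extension: reverse lookup of an IP address
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {  # SOCKS5 reply codes (RFC 1928), used unchanged by Tor
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_resolve_request(target: str) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT; an IP literal becomes RESOLVE_PTR,
    anything else a RESOLVE of the (IDNA-encoded) hostname.  DST.PORT is 0."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        return bytes([SOCKS_VERSION, CMD_RESOLVE, 0, ATYP_DOMAIN, len(name)]) + name + b"\0\0"
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, CMD_RESOLVE_PTR, 0, atyp]) + ip.packed + b"\0\0"


def parse_resolve_reply(data: bytes) -> str:
    """VER REP RSV ATYP BND.ADDR BND.PORT; the answer travels in BND.ADDR
    (an IP for RESOLVE, a hostname for RESOLVE_PTR)."""
    if len(data) < 6 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if data[1] != 0x00:
        raise RuntimeError("resolve failed: " + REPLY_TEXT.get(data[1], hex(data[1])))
    atyp = data[3]
    if atyp == ATYP_IPV4 and len(data) >= 10:
        return str(ipaddress.IPv4Address(data[4:8]))
    if atyp == ATYP_IPV6 and len(data) >= 22:
        return str(ipaddress.IPv6Address(data[4:20]))
    if atyp == ATYP_DOMAIN and len(data) >= 7 + data[4]:
        return data[5:5 + data[4]].decode("idna")
    raise ValueError("truncated reply or unknown ATYP %d" % atyp)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("Tor closed the SOCKS connection")
        buf += chunk
    return buf


def tor_resolve(target: str, socks_host: str = "127.0.0.1", socks_port: int = 9050) -> str:
    """Ask the local Tor SocksPort to resolve target, as tor-resolve does."""
    with socket.create_connection((socks_host, socks_port), timeout=60) as s:
        s.sendall(bytes([SOCKS_VERSION, 1, 0x00]))  # offer one method: no auth
        if _recv_exact(s, 2) != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError("Tor did not accept the SOCKS5 handshake")
        s.sendall(build_resolve_request(target))
        head = _recv_exact(s, 4)
        atyp = head[3]
        if atyp == ATYP_DOMAIN:
            length = _recv_exact(s, 1)
            rest = length + _recv_exact(s, length[0] + 2)
        elif atyp in (ATYP_IPV4, ATYP_IPV6):
            rest = _recv_exact(s, (4 if atyp == ATYP_IPV4 else 16) + 2)
        else:
            raise ValueError("unknown ATYP %d in reply" % atyp)
        return parse_resolve_reply(head + rest)


if __name__ == "__main__":
    print(tor_resolve(sys.argv[1] if len(sys.argv) > 1 else "archlinux.org"))
```
<br />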
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}.<br />
<br />
Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
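<br />
The rules above only protect against leaks while a few invariants hold: the REDIRECT ports match the DNSPort and TransPort in torrc, Tor's own packets RETURN from the nat OUTPUT chain before any REDIRECT (otherwise Tor's connections to guards would be looped back into its own TransPort), the filter chains default to DROP, and nothing in filter OUTPUT accepts traffic blindly. The following is an added example (not code from this page) that audits an iptables-restore file against a torrc for exactly those conditions; the SAMPLE_TORRC and SAMPLE_RULES inputs are constructed, reduced copies of the configuration shown in this section.<br />
<br />
```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample inputs (not taken from a live system): the torrc lines the
# Note above requires, and the chains of iptables.rules that the audit reads.
SAMPLE_TORRC = "SocksPort 9050\nDNSPort 5353\nTransPort 9040\n"
SAMPLE_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def torrc_ports(torrc: str) -> Dict[str, int]:
    """Collect DNSPort/TransPort/SocksPort from a torrc; an optional
    'addr:' prefix is allowed, and a later line overrides an earlier one."""
    ports: Dict[str, int] = {}
    for line in torrc.splitlines():
        m = re.match(r"\s*(DNSPort|TransPort|SocksPort)\s+(?:\S+:)?(\d+)\b", line, re.I)
        if m:
            ports[m.group(1).lower()] = int(m.group(2))
    return ports


def parse_rules(rules: str) -> Dict[str, dict]:
    """Split an iptables-restore file into tables, keeping each chain's
    policy and its -A rules as argv lists (the --ipv4/--ipv6 tag stripped)."""
    tables: Dict[str, dict] = {}
    table: dict = {}
    for raw in rules.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        else:
            argv = shlex.split(line)
            if argv[0] in ("--ipv4", "--ipv6"):
                argv = argv[1:]
            if argv[:1] == ["-A"]:
                table["rules"].setdefault(argv[1], []).append(argv[2:])
    return tables


def _opt(argv: List[str], flag: str) -> Optional[str]:
    return argv[argv.index(flag) + 1] if flag in argv else None


def audit_transparent_torification(rules: str, torrc: str) -> List[str]:
    """Return the invariants of this setup that the rules file violates;
    an empty list means the file matches the torrc and leaks nothing obvious."""
    problems: List[str] = []
    ports = torrc_ports(torrc)
    tables = parse_rules(rules)
    nat_out = tables.get("nat", {}).get("rules", {}).get("OUTPUT", [])
    flt = tables.get("filter", {"policy": {}, "rules": {}})
    # 1. filter chains must default to DROP so untorified traffic dies.
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if flt["policy"].get(chain) != "DROP":
            problems.append(f"filter {chain} policy is not DROP")
    # 2. REDIRECT targets must be the ports Tor really listens on.
    for argv in nat_out:
        if _opt(argv, "-j") != "REDIRECT":
            continue
        key = "dnsport" if _opt(argv, "-p") == "udp" else "transport"
        to = _opt(argv, "--to-ports")
        if to is None or int(to) != ports.get(key):
            problems.append(f"nat OUTPUT redirects {_opt(argv, '-p')} to {to} "
                            f"but torrc {key} is {ports.get(key)}")
    # 3. Tor's own packets must RETURN before any REDIRECT.
    tor_ret = next((i for i, a in enumerate(nat_out)
                    if _opt(a, "--uid-owner") == "tor" and _opt(a, "-j") == "RETURN"), None)
    redir = next((i for i, a in enumerate(nat_out) if _opt(a, "-j") == "REDIRECT"), None)
    if tor_ret is None:
        problems.append("nat OUTPUT has no RETURN for --uid-owner tor")
    elif redir is not None and redir < tor_ret:
        problems.append("nat OUTPUT REDIRECT precedes the --uid-owner tor RETURN")
    # 4. filter OUTPUT may ACCEPT only Tor, reply traffic and explicit
    #    destinations (loopback, LAN); a blanket ACCEPT would leak UDP.
    for argv in flt["rules"].get("OUTPUT", []):
        if _opt(argv, "-j") == "ACCEPT" and not (
                "-d" in argv or "--ctstate" in argv or _opt(argv, "--uid-owner") == "tor"):
            problems.append("filter OUTPUT blanket ACCEPT: " + " ".join(argv))
    return problems


if __name__ == "__main__":
    print(audit_transparent_torification(SAMPLE_RULES, SAMPLE_TORRC) or "no problems found")
```
<br />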
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (it will switch back to the tor user on its own). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
Tor will then drop to the tor user after starting. For this to work, the data directory must be owned by tor and accessible only to that user (Tor refuses to start if {{ic|/var/lib/tor}} is group- or world-accessible):<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348738Tor2014-12-07T02:21:26Z<p>Usprey: /* Tor configuration */ syntax</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s lib $TORCHROOT/usr/lib64  # relative target, so the link also resolves inside the chroot<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay) by rejecting all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
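Exit policy entries are matched in order and the first match decides, which is why {{ic|accept *:6660-6667,reject *:*}} allows only IRC while the reverse order would allow nothing. As an added worked example (not code from the Arch Wiki or from Tor itself), the following Python script parses entries of the form used above and answers whether a given destination may exit; it also handles the address/netmask form ({{ic|reject XXX.XXX.XXX.XXX/XX:*}}) and bracketed IPv6 addresses. The sample policies and addresses are constructed; the {{ic|default}} parameter is an assumption standing in for Tor's built-in default policy, which Tor appends after your own entries and which is not reproduced here.<br />

```python
"""Evaluate Tor-style ExitPolicy entries against candidate destinations.

Added example for the ExitPolicy discussion; not Tor's own code. The policy
syntax handled here is the subset used on this page:
    accept|reject ADDR[/MASK]:PORT[-PORT]    (ADDR and PORT may be '*')
Entries are tried in order and the first match decides.
"""
import ipaddress


def parse_exit_policy(line):
    """Parse one 'ExitPolicy ...' line (or a bare policy string) into a list
    of (action, network_or_None, (low_port, high_port)) tuples.
    A trailing '# comment' is ignored, as in torrc."""
    text = line.split("#", 1)[0].strip()
    if text.lower().startswith("exitpolicy"):
        text = text.split(None, 1)[1]
    rules = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        action, pattern = entry.split(None, 1)
        action = action.lower()
        if action not in ("accept", "reject"):
            raise ValueError("unknown action: %s" % action)
        addr, port = pattern.rsplit(":", 1)
        if addr.startswith("["):
            # bracketed IPv6 form, e.g. "[2001:db8::]/32" -> "2001:db8::/32"
            host, _, mask = addr[1:].partition("]")
            addr = host + mask
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            port_range = (1, 65535)
        elif "-" in port:
            low, high = port.split("-", 1)
            port_range = (int(low), int(high))
        else:
            port_range = (int(port), int(port))
        rules.append((action, network, port_range))
    return rules


def exit_allowed(rules, address, port, default="reject"):
    """Return True if the first rule matching address:port accepts it.

    Tor appends its built-in default policy after the operator's entries;
    `default` stands in for that fallthrough here (assumption: the real
    default policy is longer and is not reproduced in this example)."""
    ip = ipaddress.ip_address(address)
    for action, network, (low, high) in rules:
        if network is not None:
            if ip.version != network.version or ip not in network:
                continue
        if low <= port <= high:
            return action == "accept"
    return default == "accept"


# Constructed sample policies mirroring the torrc lines in this section.
IRC_ONLY = parse_exit_policy("ExitPolicy accept *:6660-6667,reject *:*  # Allow irc ports but no more")
REVERSED = parse_exit_policy("ExitPolicy reject *:*,accept *:6660-6667")   # order matters
OWN_NET = parse_exit_policy("ExitPolicy reject 203.0.113.0/24:*,accept *:80")  # block own netblock


if __name__ == "__main__":
    print("IRC_ONLY 6667:", exit_allowed(IRC_ONLY, "198.51.100.7", 6667))   # True
    print("IRC_ONLY 80:", exit_allowed(IRC_ONLY, "198.51.100.7", 80))       # False
    print("REVERSED 6667:", exit_allowed(REVERSED, "198.51.100.7", 6667))   # False
    print("OWN_NET 203.0.113.9:80:", exit_allowed(OWN_NET, "203.0.113.9", 80))  # False
```

The script only models the ordered first-match rule; ports that match none of your entries fall through to whatever you pass as {{ic|default}}, which is where Tor's own default policy would take over.<br />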
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as a DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check whether the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|# ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind to privileged ports, the service is started as root. Make sure {{ic|User tor}} is specified in {{ic|/etc/tor/torrc}} so that Tor drops privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]].<br />
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
{{ic|Log notice stdout}} logs to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and display the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
ExitPolicy {{ic|reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start your Tor as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. You should use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting so that it listens for DNS requests on port 9053, and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* The {{ic|--ipv6}} and {{ic|--ipv4}} prefixes mark protocol-specific rules, so {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can use the same file.<br />
* Where {{ic|--ipv6}} or {{ic|--ipv4}} is explicitly given, {{ic|ip*tables-restore}} ignores the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}; the IPv6 rules therefore use a plain {{ic|REJECT}}.<br />
<br />
Make sure your torrc contains the following lines (the ports must match the {{ic|--to-ports}} targets in the rules):<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl enable tor iptables ip6tables<br />
systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
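The {{ic|--to-ports}} values in the rules above must agree with {{ic|DNSPort}} and {{ic|TransPort}} in torrc, and the {{ic|filter}} table's OUTPUT policy must stay {{ic|DROP}}; otherwise DNS and new connections break, or traffic that was meant to be torified leaves the host directly. The following Python script is an added example (not part of the wiki page, Tor or iptables) that reads both files and reports disagreements. The embedded torrc and rules excerpts are constructed copies of the fragments shown above, and the second torrc deliberately carries the {{ic|DNSPort 9053}} value from the [[#TorDNS]] section to show that mismatch being caught.<br />

```python
"""Cross-check a torrc against an iptables-restore file for transparent
torification. Added example; not part of the wiki page or of Tor/iptables.
It checks three properties of the setup described above:
  1. UDP/53 is REDIRECTed to the port named by DNSPort,
  2. new TCP connections are REDIRECTed to the port named by TransPort,
  3. the filter table's OUTPUT chain defaults to DROP, so anything the nat
     rules did not divert cannot leave the host.
"""
import shlex

# Constructed torrc fragment: the three lines the note above requires.
TORRC_OK = """
SocksPort 9050
DNSPort 5353
TransPort 9040
"""

# Same torrc, but with the DNSPort value used in the TorDNS section
# (a realistic copy-and-paste mismatch).
TORRC_BAD_DNS = TORRC_OK.replace("DNSPort 5353", "DNSPort 9053")

# Constructed excerpt of /etc/iptables/iptables.rules from above (nat and
# filter tables, trimmed to the rules the checks look at).
RULES = """
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
"""


def torrc_option(text, name):
    """Return the value of a torrc option (last occurrence wins), or None."""
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith(name.lower() + " "):
            value = line.split(None, 1)[1].strip()
    return value


def parse_iptables_restore(text):
    """Parse iptables-restore syntax into
    {table: {"policies": {chain: policy}, "rules": [(family, tokens)]}}
    where family is 'ipv4', 'ipv6' or 'both' (leading --ipv4/--ipv6 prefix)."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line == "COMMIT":
            table = None
        else:
            tokens = shlex.split(line)  # also strips the quotes in "tor"
            family = "both"
            if tokens[0] in ("--ipv4", "--ipv6"):
                family = tokens.pop(0)[2:]
            tables[table]["rules"].append((family, tokens))
    return tables


def _arg(tokens, flag):
    """Value following `flag` in a rule's token list, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def check_torification(torrc_text, rules_text):
    """Return a list of human-readable findings; an empty list means the
    torrc and the firewall rules agree."""
    findings = []
    dns_port = torrc_option(torrc_text, "DNSPort")
    trans_port = torrc_option(torrc_text, "TransPort")
    tables = parse_iptables_restore(rules_text)
    for _family, tok in tables.get("nat", {"rules": []})["rules"]:
        if _arg(tok, "-j") != "REDIRECT":
            continue
        target = _arg(tok, "--to-ports")
        if _arg(tok, "-p") == "udp" and _arg(tok, "--dport") == "53":
            if target != dns_port:
                findings.append("DNS is redirected to %s but torrc DNSPort is %s" % (target, dns_port))
        elif _arg(tok, "-p") == "tcp":
            if target != trans_port:
                findings.append("TCP is redirected to %s but torrc TransPort is %s" % (target, trans_port))
    policy = tables.get("filter", {"policies": {}})["policies"].get("OUTPUT")
    if policy != "DROP":
        findings.append("filter OUTPUT policy is %s, not DROP: untorified traffic could leak" % policy)
    return findings


if __name__ == "__main__":
    print("consistent:", check_torification(TORRC_OK, RULES))        # []
    print("mismatch:", check_torification(TORRC_BAD_DNS, RULES))     # one DNS finding
```

Point the two constants at the real {{ic|/etc/tor/torrc}} and {{ic|/etc/iptables/iptables.rules}} contents to run it against a live system; the check is read-only and does not need root.<br />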
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon fails to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the User value, which likely means that one or more files or directories in {{ic|/var/lib/tor}} are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (Tor will switch back to the tor user itself). To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user. For this purpose change the user and group of the state directory to tor and make it writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348736Tor2014-12-07T02:20:23Z<p>Usprey: /* Tor configuration */ intro better</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
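The two conflict rules above, together with the privileged-port requirement just described, can be checked mechanically before restarting the service. The following Python script is an added example (not code from the wiki, Tor or systemd) that parses a torrc and the {{ic|[Service]}} section of {{ic|tor.service}} or one of its drop-ins and lists the conflicts; it assumes that the stock unit runs Tor as a non-root user with {{ic|Type<nowiki>=</nowiki>simple}} when the unit text does not say otherwise, and the sample torrc and drop-in texts are constructed.<br />

```python
"""Lint a torrc against the tor.service [Service] settings for the conflicts
described above. Added example; it is not part of the wiki page or of Tor.
Assumption: the stock unit runs Tor as a non-root user with Type=simple, so
those are the defaults used when the unit text does not say otherwise.
"""
import configparser


def parse_torrc(text):
    """Map lower-cased torrc option names to their values ('#' starts a comment)."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            options[key.lower()] = value.strip()
    return options


def parse_service_section(text):
    """Return the [Service] keys of a unit file or drop-in as a dict.
    strict=False tolerates the repeated keys systemd allows (e.g. ExecStart=)."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep systemd's CamelCase key names
    parser.read_string(text)
    return dict(parser["Service"]) if parser.has_section("Service") else {}


def port_number(value):
    """Numeric port from an ORPort/DirPort value such as '443', '0' or
    '198.51.100.7:443'; None if unset or not a plain number."""
    if not value:
        return None
    first = value.split()[0].rsplit(":", 1)[-1]
    return int(first) if first.isdigit() else None


def find_conflicts(torrc_text, unit_text):
    """List of findings; empty when torrc and tor.service are consistent."""
    torrc = parse_torrc(torrc_text)
    service = parse_service_section(unit_text)
    unit_user = service.get("User", "tor")     # assumption: stock unit default
    unit_type = service.get("Type", "simple")  # assumption: stock unit default
    findings = []
    # RunAsDaemon would fork away from systemd, which expects a foreground process.
    if unit_type == "simple" and torrc.get("runasdaemon", "0") != "0":
        findings.append("RunAsDaemon must be 0 in torrc when tor.service uses Type=simple")
    # Tor can only switch to 'User' if it was started as root.
    if "user" in torrc and unit_user != "root":
        findings.append("torrc sets 'User' but tor.service does not start Tor as root")
    # Starting as root without 'User tor' leaves Tor running as root for good.
    if unit_user == "root" and "user" not in torrc:
        findings.append("tor.service starts Tor as root but torrc has no 'User tor' to drop privileges")
    # Binding below 1024 requires root at startup.
    privileged = [p for p in (port_number(torrc.get("orport")), port_number(torrc.get("dirport")))
                  if p is not None and 0 < p < 1024]
    if privileged and unit_user != "root":
        findings.append("ports %s are privileged; set User=root in tor.service (and User tor in torrc)"
                        % privileged)
    return findings


# Constructed samples mirroring the page's own guidance.
DROP_IN_ROOT = "[Service]\nUser=root\n"
DROP_IN_DEFAULT = "[Service]\nType=simple\n"
TORRC_RELAY_443 = "ORPort 443\nDirPort 80\nUser tor\n"
TORRC_CLIENT = "SocksPort 9050\n"


if __name__ == "__main__":
    print(find_conflicts(TORRC_RELAY_443, DROP_IN_ROOT))   # []
    print(find_conflicts("ORPort 443\n", DROP_IN_DEFAULT))  # privileged-port finding
```

Feed it the contents of {{ic|/etc/tor/torrc}} and of {{ic|/usr/lib/systemd/system/tor.service}} plus any {{ic|/etc/systemd/system/tor.service.d/*.conf}} drop-in (drop-ins override the unit, so pass whichever {{ic|[Service]}} section wins) to lint a real installation.<br />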
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
ln -sr /usr/lib64 $TORCHROOT/lib64<br />
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or if you use systemd overload the service:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the ''Proxy Profiles'' tab add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally, you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. We will be using Tor's SOCKS port directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
 Proxy type SOCKS5<br />
 Host 127.0.0.1<br />
 Port 9050<br />
<br />
Port {{ic|9050}} is the SOCKS port of the system {{ic|tor}} daemon. If you use the Tor Browser Bundle instead, note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] its bundled Tor changed from port 9050 to 9150; try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} hidden service directly. Identifying to NickServ during connection requires the SASL mechanism of charybdis/ircd-seven; see [[Irssi#Authenticating_with_SASL]]. Start irssi through torsocks:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc just these four lines. {{ic|SocksPort 0}} turns off the local client port, so the machine only forwards for others, and the exit policy makes sure nothing leaves the Tor network from it:<br />
<br />
 SocksPort 0<br />
 ORPort 443<br />
 BridgeRelay 1<br />
 ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should share at least 20 KB/s. Set a nickname, the port to listen on and the bandwidth limits, and reject all exit traffic so that the machine is a non-exit (middle) relay:<br />
<br />
 Nickname ''tornickname''<br />
 ORPort 9001<br />
 BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
 BandwidthBurst 50 KB # But allow bursts up to 50KB<br />
 ExitPolicy reject *:* # Do not act as an exit<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor's exit policy rejects certain ports (see {{ic|man tor}} for the list). Your own {{ic|ExitPolicy}} lines are evaluated first and the default policy is appended after them, so you can override individual defaults in the torrc:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
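<br />
To see how the lines above combine with the built-in default (your {{ic|ExitPolicy}} entries first, then the default, first match wins), the following Python script is an added example, not part of this page or of Tor: it evaluates a policy the way Tor does. The default policy it embeds is the one listed in {{ic|man tor}} at the time of writing, so compare it with your installed version, and the private-network list it prepends stands in for {{ic|ExitPolicyRejectPrivate 1}} (the default), which in Tor also rejects the relay's own public address.<br />

```python
"""Added example (not from the ArchWiki page or from Tor): evaluate Tor exit policies.
Semantics follow tor(1): torrc ExitPolicy lines are checked in order, the built-in
default policy is appended, and the first matching entry decides."""
import ipaddress

# Default policy as listed in tor(1) at the time of writing; check your installed version.
DEFAULT_EXIT_POLICY = ("reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
                       "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
                       "reject *:6881-6999, accept *:*")
# Networks rejected by ExitPolicyRejectPrivate (Tor additionally rejects the relay's own public IP).
PRIVATE_NETS = ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.168.0.0/16")

def parse_policy(text):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' entries separated by commas or newlines.
    Returns a list of (accept, network-or-None, low_port, high_port)."""
    rules = []
    for item in text.replace("\n", ",").split(","):
        item = item.split("#", 1)[0].strip()
        if not item:
            continue
        action, _, target = item.partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError("bad action in %r" % item)
        addr, _, ports = target.strip().rpartition(":")   # IPv6 literals contain ':' themselves
        addr = addr.replace("[", "").replace("]", "")
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-"))
        else:
            lo = hi = int(ports)
        if addr == "private":                             # Tor's shorthand for the private list
            rules.extend((action == "accept", ipaddress.ip_network(n), lo, hi) for n in PRIVATE_NETS)
            continue
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        rules.append((action == "accept", net, lo, hi))
    return rules

def full_policy(torrc_lines, reject_private=True):
    """Combine the torrc ExitPolicy lines (in order) with the implicit default policy."""
    rules = parse_policy(",".join(torrc_lines) + "," + DEFAULT_EXIT_POLICY)
    if reject_private:
        rules = parse_policy("reject private:*") + rules
    return rules

def allows(rules, address, port):
    """True if the policy lets a stream to address:port exit from this relay."""
    ip = ipaddress.ip_address(address)
    for accept, net, lo, hi in rules:
        if net is not None and (net.version != ip.version or ip not in net):
            continue
        if lo <= port <= hi:
            return accept
    return True   # not reached: the default policy ends in a catch-all entry

if __name__ == "__main__":
    import sys
    policy = full_policy(sys.argv[3:])                   # extra args: ExitPolicy lines
    print("allowed" if allows(policy, sys.argv[1], int(sys.argv[2])) else "rejected")
```

Run it as {{ic|python exitpolicy.py 198.51.100.7 80 'accept *:6660-6667' 'reject *:*'}} to check a destination against the IRC-only policy above; the result for port 80 is a rejection, while port 6667 is accepted.<br />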
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to setup Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check whether the {{ic|nofile}} (file descriptor) limit of the running service was raised by reading the limits of the Tor process: {{ic|# grep 'open files' /proc/$(pidof tor)/limits}}. The PAM limits from {{ic|limits.conf}} can be checked separately with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}} ({{ic|ulimit}} is a shell builtin, so it has to be run inside a shell).<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind to privileged ports the service is started as root; Tor then drops to the unprivileged user given by {{ic|User tor}} in {{ic|/etc/tor/torrc}}, so make sure that option is set. An alternative that avoids starting as root is to listen on an unprivileged {{ic|ORPort}} and redirect port 443 to it with an [[iptables]] {{ic|REDIRECT}} rule in the nat table.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}}, as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} so that Tor drops its privileges after binding.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 32 MB/s, about 250Mbps<br />
RelayBandwidthBurst 64000 KB ## Token bucket of 64 MB, about 500Mbps burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $FINGERPRINT1,$FINGERPRINT2 ## Fingerprints of your other relays, each prefixed with $<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Reject your own public network in addition to the default exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
* {{ic|Log notice stdout}} logs to stdout, which systemd captures in the journal; this is also the Tor default.<br />
* {{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections. Be aware that {{ic|DisableDebuggerAttachment 0}} lets any process running as the {{ic|tor}} user attach a debugger to Tor and read its private keys from memory; leave it at the default of {{ic|1}} if you do not need the connection view.<br />
* {{ic|ORPort 443}} and {{ic|DirPort 80}} let Tor listen on ports 443 and 80 and serve [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
* {{ic|RelayBandwidthRate}} and {{ic|RelayBandwidthBurst}} are given in bytes per second ({{ic|KB}} means kilobytes); {{ic|32000 KB}} is 32 MB/s, roughly 250 Mbit/s, and the burst value is the size of the token bucket rather than a second rate.<br />
* {{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
* {{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSDs.<br />
* {{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
* {{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
* {{ic|NumCPUs 2}} runs two Tor worker threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start Tor as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. You should use the {{ic|User tor}} option to properly reduce Tor's privileges afterwards.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified (see the caveat above).<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## Cache size in KB: 102400 KB = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
Tor (since the 0.2.x series) provides a built-in DNS resolver. To enable it, add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This makes Tor accept DNS requests (listening on port 9053 in this example) like a regular DNS server and resolve them through the Tor network, so the lookup is performed by the exit relay rather than by your local resolver. A limitation is that it only answers A, AAAA and PTR queries; MX, NS and other record types are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
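<br />
To test what the DNSPort actually answers, the following Python script is an added example, not part of this page or of Tor: it builds raw DNS queries, sends them to the DNSPort and decodes the reply, including compressed names in the answer section. Record types and response codes are the standard RFC 1035 values, and the {{ic|127.0.0.1:9053}} default matches the torrc above. Querying an {{ic|MX}} record through it lets you observe the limitation described above first-hand.<br />

```python
"""Added example (not from the ArchWiki page or from Tor): a minimal DNS client for
probing Tor's DNSPort. build_query() produces the wire format of a query and
parse_response() decodes the answer section, so you can see which record types and
response codes the resolver returns."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "PTR": 12, "MX": 15, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234   # fixed transaction ID, fine for a test tool (a real resolver must randomise it)

def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype="A", txid=TXID):
    """Header (ID, flags with RD set, QDCOUNT=1) followed by one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def decode_name(msg, offset):
    """Decode a possibly compressed name at offset; returns (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [(name, type, ttl, value), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):                                  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 12):
            value = decode_name(msg, off)[0]             # NS/PTR rdata is itself a name
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": rcode, "answers": answers}

def query_tordns(name, qtype="A", server=("127.0.0.1", 9053), timeout=20.0):
    """Send one UDP query to Tor's DNSPort (needs 'DNSPort 9053' in torrc) and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), server)
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != TXID:
        raise RuntimeError("transaction ID mismatch")
    return resp

if __name__ == "__main__":
    import sys
    args = sys.argv[1:]
    print(query_tordns(args[0] if args else "archlinux.org", args[1] if len(args) > 1 else "A"))
```

Run {{ic|python tordns-probe.py archlinux.org A}} and then {{ic|python tordns-probe.py archlinux.org MX}} against a running Tor to compare the two replies.<br />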
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Keep {{ic|DNSPort 9053}} in {{ic|torrc}} as above and [[pacman|install]] {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream server; {{ic|no-resolv}} stops it from also reading {{ic|/etc/resolv.conf}}, which would let queries bypass Tor. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', you need to change its settings so that it does not overwrite the resolv configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify relies on {{ic|torsocks}} intercepting the libc resolver calls of the program. Programs that are statically linked or resolve names on their own cannot be intercepted and may leak DNS queries outside Tor. A workaround is to resolve the name by hand with {{ic|<nowiki>tor-resolve</nowiki>}} (described above) and pass the IP address to the program. For the first of the above examples, the procedure would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
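<br />
The DNS-leak distinction made in [[#Privoxy]] and the {{ic|tor-resolve}} workaround above both come down to what the SOCKS request carries. The following Python script is an added example, not part of this page or of Tor: it encodes SOCKS5 CONNECT requests both ways (a hostname, which Tor resolves at the exit, versus an IP address, which means the client already resolved the name outside Tor), decodes replies, and implements Tor's SOCKS5 {{ic|RESOLVE}} extension (command {{ic|0xF0}}, which is what {{ic|tor-resolve}} uses) against a running Tor on {{ic|127.0.0.1:9050}}.<br />

```python
"""Added example (not from the ArchWiki page or from Tor): SOCKS5 messages as a Tor
client sends them. A CONNECT carrying a hostname (ATYP 0x03) lets Tor resolve the
name; a CONNECT carrying an IP literal means the DNS lookup already happened locally.
RESOLVE (0xF0) is Tor's SOCKS extension for name lookups, used by tor-resolve."""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0          # Tor-specific, see Tor's socks-extensions.txt
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_STATUS = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
                0x03: "network unreachable", 0x04: "host unreachable",
                0x05: "connection refused", 0x06: "TTL expired",
                0x07: "command not supported", 0x08: "address type not supported"}

def greeting():
    """VER=5, one method offered: 0x00 (no authentication), which Tor's SocksPort accepts."""
    return bytes([SOCKS_VERSION, 1, 0x00])

def encode_address(target):
    """ATYP + address. Hostnames are sent verbatim so the proxy resolves them; an IP
    literal is encoded as such, which is the DNS-leak case when the name was resolved locally."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed

def request(cmd, target, port=0):
    """VER CMD RSV ATYP DST.ADDR DST.PORT"""
    return bytes([SOCKS_VERSION, cmd, 0x00]) + encode_address(target) + struct.pack("!H", port)

def connect_request(host, port):
    return request(CMD_CONNECT, host, port)

def resolve_request(hostname):
    return request(CMD_RESOLVE, hostname, 0)

def leaks_dns(req):
    """True if a request carries an IP literal, i.e. the name was resolved outside Tor."""
    return req[3] != ATYP_DOMAIN

def parse_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT into (status_text, address, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status = REPLY_STATUS.get(data[1], "unknown 0x%02x" % data[1])
    atyp = data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return status, addr, struct.unpack("!H", rest[:2])[0]

def tor_resolve(hostname, proxy=("127.0.0.1", 9050), timeout=30.0):
    """Live equivalent of `tor-resolve hostname`; needs a running Tor SocksPort."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError("proxy refused the no-authentication method")
        s.sendall(resolve_request(hostname))
        status, addr, _ = parse_reply(s.recv(512))
        if status != "succeeded":
            raise RuntimeError("RESOLVE failed: " + status)
        return addr

if __name__ == "__main__":
    import sys
    print(tor_resolve(sys.argv[1] if len(sys.argv) > 1 else "archlinux.org"))
```

{{ic|leaks_dns()}} is the check to apply to any client you are unsure about: capture its first bytes to port 9050 and inspect the ATYP field; a {{ic|0x01}} or {{ic|0x04}} there means the hostname never reached Tor.<br />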
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support the IPv4 {{ic|--reject-with}} types used here, so the IPv6 rules use a plain {{ic|REJECT}}. Make sure your torrc contains the following lines; the port numbers must match the {{ic|--to-ports}} targets in the rules:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
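<br />
Because the rules above hard-code the ports {{ic|5353}} and {{ic|9040}} while the listeners are configured in {{ic|torrc}}, a mismatch silently breaks DNS or all TCP once the firewall is up. The following Python script is an added example, not part of this page or of Tor: it parses the listener options from a torrc and the {{ic|REDIRECT}} targets from the rules file and reports any disagreement. The sample inputs embedded in it are constructed from the snippets above; run it against {{ic|/etc/tor/torrc}} and {{ic|/etc/iptables/iptables.rules}} before enabling {{ic|iptables.service}}.<br />

```python
"""Added example (not from the ArchWiki page or from Tor): check that the ports the
transparent-torification rules REDIRECT to are ports Tor actually listens on.
The sample torrc and rules below are constructed for the check; main() reads the
real files on a deployed system."""
import re
import sys

# Constructed sample input: the torrc lines the section asks for, and the nat rules from the page.
SAMPLE_TORRC = """\
SocksPort 9050
DNSPort 5353
TransPort 9040
"""
SAMPLE_RULES = """\
*nat
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
"""

LISTENERS = ("SocksPort", "TransPort", "DNSPort")

def parse_torrc(text):
    """Return {option: set of ports} for Tor's listener options. Accepts 'TransPort 9040',
    'TransPort 127.0.0.1:9040', '[::1]:9040' and trailing flags; a value of 0 disables the port."""
    ports = {opt: set() for opt in LISTENERS}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ports and value.split():
            m = re.search(r"(\d+)$", value.split()[0])
            if m and int(m.group(1)) != 0:
                ports[key].add(int(m.group(1)))
    return ports

def parse_redirects(text):
    """Return the REDIRECT targets from iptables-restore rules: {'udp53': ports, 'tcp': ports}."""
    found = {"udp53": set(), "tcp": set()}
    for line in text.splitlines():
        line = line.strip()
        if "-j REDIRECT" not in line:
            continue
        m = re.search(r"--to-ports (\d+)", line)
        if not m:
            continue
        port = int(m.group(1))
        if "-p udp" in line and "--dport 53" in line:
            found["udp53"].add(port)
        elif "-p tcp" in line:
            found["tcp"].add(port)
    return found

def check(torrc, rules):
    """Return a list of problems; an empty list means the rules and torrc agree."""
    t, r = parse_torrc(torrc), parse_redirects(rules)
    problems = []
    if not r["tcp"]:
        problems.append("no TCP REDIRECT in the nat table: nothing is torified")
    if not r["udp53"]:
        problems.append("UDP/53 is not redirected: DNS will be blocked or leak")
    for p in sorted(r["tcp"] - t["TransPort"]):
        problems.append("TCP is redirected to port %d but no TransPort listens there" % p)
    for p in sorted(r["udp53"] - t["DNSPort"]):
        problems.append("DNS is redirected to port %d but no DNSPort listens there" % p)
    return problems

def main(torrc_path="/etc/tor/torrc", rules_path="/etc/iptables/iptables.rules"):
    with open(torrc_path) as f, open(rules_path) as g:
        problems = check(f.read(), g.read())
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:3]))
```

The script exits non-zero when something is wrong, so it can be run from a pre-start hook or a deployment check.<br />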
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
 # ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start iptables and ip6tables:<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} (together with matching {{ic|1=After=}} lines, since {{ic|Requires}} alone does not order the units) to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then the problem is with the {{ic|User}} value, which most likely means that one or more files or directories in {{ic|/var/lib/tor}} are not owned by {{ic|tor}}. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the service still fails to start, run it as root and let Tor drop privileges itself (it switches to the user named in its configuration once it has started). Keep the user name in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
and override the service with a [[systemd]] drop-in rather than editing {{ic|/usr/lib/systemd/system/tor.service}} directly, which would be overwritten on package upgrades:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
The process will then run as the {{ic|tor}} user after start-up, so the data directory must be owned by that user. Do not make it world-readable: it holds the relay's private keys, and Tor refuses to start when {{ic|DataDirectory}} is group- or world-accessible.<br />
<br />
 # chown -R tor:tor /var/lib/tor/<br />
 # chmod 700 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348734Tor2014-12-07T02:17:37Z<p>Usprey: /* Tor configuration */ addded the</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for Tor under /opt/torchroot. Run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
[[ $EUID -eq 0 ]] || { echo "this script must be run as root" >&2; exit 1; }<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
# /lib inside the chroot must resolve to the chroot's own /usr/lib; an absolute target is resolved inside the chroot<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
# NSS and resolver modules are loaded at runtime and therefore do not show up in ldd output<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
# Everything ldd does list<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
chmod 700 $TORCHROOT/var/lib/tor<br />
<br />
# Only the tor account needs to exist inside the chroot<br />
grep --color=never ^tor: /etc/passwd > $TORCHROOT/etc/passwd<br />
grep --color=never ^tor: /etc/group > $TORCHROOT/etc/group<br />
<br />
# Device nodes Tor needs: entropy sources and /dev/null<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
    # Relative targets keep both links inside the chroot: /lib64 -> /usr/lib64 -> /usr/lib<br />
    ln -s usr/lib64 $TORCHROOT/lib64<br />
    ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or if you use systemd overload the service:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over Tor, configure it to use {{ic|127.0.0.1}} or {{ic|localhost}} as a SOCKS5 proxy on port {{ic|9050}} (plain Tor with standard settings) or port {{ic|9150}} (the Tor bundled with the Tor Browser Bundle). Port {{ic|9051}} is Tor's ''ControlPort'', used by '''vidalia''' and '''arm''' to control the daemon; it is not a SOCKS port.<br />
To check that Tor is functioning properly, visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy; without it, Firefox resolves hostnames locally and leaks every site you visit to your DNS resolver.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
 $ chromium --proxy-server="socks5://localhost:9050" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"<br />
<br />
The {{ic|socks5://}} scheme matters: Chromium treats a bare {{ic|socks://}} as SOCKS v4, which resolves hostnames locally. The {{ic|--host-resolver-rules}} flag additionally stops Chromium's own DNS prefetching from leaking destinations outside the proxy.<br />
<br />
Just as with Firefox, you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', untick the option ''Use the same proxy server for all protocols'' if it is ticked, then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves leak the names they look up. Prefer SOCKS4a or SOCKS5 with remote DNS, which hand the hostname to Tor; Privoxy does this when it forwards with {{ic|forward-socks4a}} or {{ic|forward-socks5}}.<br />
<br />
== Instant messaging ==<br />
<br />
An IM client does not need an HTTP proxy like [[polipo]]/[[privoxy]] to use Tor. Point it at Tor's SOCKS port directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to ''Tools > Preferences > Proxy''. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click ''Modify'', then go to the ''Proxy'' tab. The proxy settings are as follows:<br />
<br />
 Proxy type SOCKS5<br />
 Host 127.0.0.1<br />
 Port 9150<br />
<br />
Port 9150 is the SOCKS port of the tor instance bundled with the Tor Browser Bundle, which [https://trac.torproject.org/projects/tor/ticket/8135 changed from 9050 to 9150 in 2013]; a system-wide {{ic|tor.service}} listens on 9050. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to its {{ic|.onion}} address directly. This requires identifying to NickServ with SASL during the connection (charybdis and ircd-seven's SASL mechanism); see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
 $ torsocks irssi<br />
<br />
Set your NickServ credentials, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, make your torrc be just these four lines:<br />
<br />
 SocksPort 0<br />
 ORPort 443<br />
 BridgeRelay 1<br />
 ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should share at least 20 KB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To keep the relay a middleman (no exit traffic), also reject all exits:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor's exit policy rejects certain ports (see the default {{ic|ExitPolicy}} in {{ic|man tor}}). You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to setup Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]. <br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit for PAM sessions of the tor user as well (this affects e.g. {{ic|sudo -u tor}}, not the systemd unit), you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit is actually raised for the running daemon, not just for an interactive shell: {{ic|# systemctl show -p LimitNOFILE tor.service}} prints the limit the unit applies, and {{ic|# grep 'open files' /proc/$(pidof tor)/limits}} shows what the process got. The PAM limits in {{ic|limits.conf}} only govern sessions such as {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}; they do not apply to services started by systemd.<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind to privileged ports the service must start as {{ic|root}}; Tor then drops privileges to the user given by {{ic|User tor}} in {{ic|/etc/tor/torrc}}, so make sure that option is set.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on Port 80 and 443 the service needs to be started as {{ic|root}}.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## Token bucket size for bursts above the rate (a size, not a rate)<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
ExitPolicy {{ic|reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start your Tor as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. You should use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} is specified in {{ic|/etc/tor/torrc}} {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## Cache size in KB: 102400 KB = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server and resolve the name via the Tor network. A limitation is that it only answers address lookups (A records, and PTR for reverse lookups); MX, NS and other record types are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the tor setting to listen for the DNS request in port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'' you need to change its settings so that it does not alter the resolv configuration file. Just add this line to the configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' will allow you to use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
torsocks resolves hostnames through Tor's SOCKS {{ic|RESOLVE}} extension for programs that use the C library resolver, but it works via {{ic|LD_PRELOAD}} and cannot intercept programs that are statically linked, setuid, or that send DNS packets themselves; those leak their lookups. If you do not want to depend on that interception, resolve the name with {{ic|tor-resolve}} (described above) and pass the address instead. In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
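<br />
The following is an added example and is not part of the original article or of Tor itself. It shows, with a SOCKS5 client written in Python, what the sections above rely on: a leak-free request passes the hostname to Tor's SocksPort (SOCKS5 address type 0x03, the same thing {{ic|network.proxy.socks_remote_dns}} and {{ic|--socks5-hostname}} switch on), and {{ic|tor-resolve}} is just Tor's {{ic|RESOLVE}} SOCKS extension (command 0xF0). Tor is not contacted: a constructed stand-in for its SOCKS listener on loopback plays Tor's side of the exchange, and its answer for {{ic|archlinux.org}} is made up for the demonstration.<br />
<br />
```python
"""Added example, not Arch Wiki or Tor Project code: a SOCKS5 client that talks
to Tor's SocksPort the leak-free way (the request carries the hostname, ATYP
0x03, so Tor does the lookup) and implements tor-resolve's RESOLVE command,
Tor's SOCKS extension 0xF0.  A constructed stand-in for Tor's listener runs on
loopback so the whole exchange can be observed offline."""
import socket
import struct
import threading

SOCKS_VER, CMD_CONNECT, CMD_RESOLVE = 0x05, 0x01, 0xF0   # 0xF0: Tor extension
ATYP_IPV4, ATYP_DOMAIN, REP_SUCCESS = 0x01, 0x03, 0x00


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the SOCKS connection")
        buf += chunk
    return buf


def _socks5_request(sock, cmd, host, port):
    """Greeting (no auth) + request; the *name* is sent, never a local lookup."""
    sock.sendall(bytes([SOCKS_VER, 1, 0x00]))          # offer one method: no auth
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VER or method != 0x00:
        raise ConnectionError("SOCKS5 greeting rejected")
    name = host.encode("idna")
    sock.sendall(bytes([SOCKS_VER, cmd, 0x00, ATYP_DOMAIN, len(name)])
                 + name + struct.pack(">H", port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VER or rep != REP_SUCCESS:
        raise ConnectionError("SOCKS5 request failed, REP=%#x" % rep)
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        addr = _recv_exact(sock, _recv_exact(sock, 1)[0]).decode()
    else:
        raise ConnectionError("unexpected ATYP %#x" % atyp)
    return addr, struct.unpack(">H", _recv_exact(sock, 2))[0]


def tor_resolve(host, socks_host="127.0.0.1", socks_port=9050):
    """What `tor-resolve host` does: ask Tor to resolve `host` over a circuit."""
    with socket.create_connection((socks_host, socks_port), timeout=10) as s:
        return _socks5_request(s, CMD_RESOLVE, host, 0)[0]


def tor_connect(host, port, socks_host="127.0.0.1", socks_port=9050):
    """Return a TCP socket to host:port routed via Tor; DNS is done by Tor."""
    s = socket.create_connection((socks_host, socks_port), timeout=10)
    _socks5_request(s, CMD_CONNECT, host, port)
    return s


# ---- constructed stand-in for Tor's SocksPort, for offline demonstration ----
FAKE_TABLE = {"archlinux.org": "66.211.214.131"}      # constructed answer
SEEN_ATYP = []                                        # address types the client sent


def _fake_tor_socks(listener):
    """Handle one client like Tor would: answer RESOLVE from FAKE_TABLE,
    acknowledge CONNECT and send one banner line over the 'circuit'."""
    conn, _ = listener.accept()
    with conn:
        _recv_exact(conn, 3)                          # greeting: VER NMETHODS METHOD
        conn.sendall(bytes([SOCKS_VER, 0x00]))
        _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
        SEEN_ATYP.append(atyp)                        # 0x03 means no IP was leaked
        name = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
        port = struct.unpack(">H", _recv_exact(conn, 2))[0]
        if cmd == CMD_RESOLVE:
            bnd = socket.inet_aton(FAKE_TABLE[name])  # RESOLVE: answer in BND.ADDR
        else:
            bnd = b"\0\0\0\0"                         # Tor reports 0.0.0.0:0 on CONNECT
        conn.sendall(bytes([SOCKS_VER, REP_SUCCESS, 0x00, ATYP_IPV4]) + bnd + b"\0\0")
        if cmd == CMD_CONNECT:
            conn.sendall(b"HTTP/1.0 200 via %s:%d\r\n" % (name.encode(), port))


def demo():
    """Run RESOLVE and CONNECT against the stand-in; returns what each yielded."""
    listener = socket.socket()
    listener.settimeout(10)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    socks_port = listener.getsockname()[1]
    server = threading.Thread(target=lambda: [_fake_tor_socks(listener) for _ in range(2)])
    server.start()
    ip = tor_resolve("archlinux.org", socks_port=socks_port)
    with tor_connect("archlinux.org", 80, socks_port=socks_port) as s:
        banner = s.recv(64).decode().strip()
    server.join()
    listener.close()
    return ip, banner, SEEN_ATYP == [ATYP_DOMAIN, ATYP_DOMAIN]
```

Against a real system tor, {{ic|tor_resolve("archlinux.org")}} and {{ic|tor_connect("archlinux.org", 80)}} with the default port 9050 behave like {{ic|tor-resolve}} and a {{ic|--socks5-hostname}} client respectively; the stand-in's third return value confirms that neither command ever handed an IP address to the proxy, which is the property that the {{ic|socks_remote_dns}} and {{ic|socks5://}} settings above exist to guarantee.<br />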
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not least because it prevents DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the traffic of the Tor process itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. DNS is handled the same way via Tor's ''DNSPort''. Be aware that Tor only carries TCP: UDP packets other than DNS cannot be sent through Tor and must therefore be blocked entirely to prevent leaks.<br />
<br />
Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Lines prefixed with {{ic|--ipv4}} or {{ic|--ipv6}} are protocol specific: {{ic|iptables-restore}} and {{ic|ip6tables-restore}} each skip the rules marked for the other protocol, so one file serves both.<br />
* {{ic|ip6tables}} does not accept the IPv4 {{ic|--reject-with}} types used here, which is why those rules carry {{ic|--ipv4}}.<br />
* The redirect targets must match the ports Tor actually listens on. Make sure your torrc contains the following lines:<br />
<br />
 SocksPort 9050<br />
 DNSPort 5353<br />
 TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
 # ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start iptables and ip6tables:<br />
<br />
 # systemctl enable tor iptables ip6tables<br />
 # systemctl start tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
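<br />
The rules above are only as good as their agreement with the torrc: a {{ic|REDIRECT}} to a port Tor does not listen on silently turns every connection into a refused one, a missing exemption for the tor user makes Tor's own traffic loop back into the TransPort, and an OUTPUT policy other than DROP lets non-torified packets leave. The following is an added example, not part of this article or of Tor, that checks those three things before the files are loaded. It parses plain torrc and iptables-restore text; the sample inputs are constructed from the lines shown on this page (the rules abridged to the ones that matter here).<br />
<br />
```python
"""Added example, not from the Arch Wiki or the Tor Project: a pre-flight check
for transparent torification.  It parses the torrc and the iptables-restore file
and verifies that every REDIRECT target is a port Tor actually listens on, that
the tor user is exempted in both tables, and that the filter OUTPUT policy is
DROP.  The sample inputs below are constructed from the lines on this page."""
import re

SAMPLE_TORRC = """\
SocksPort 9050
DNSPort 5353
TransPort 9040
"""

# Abridged copy of the rules file above: only the lines the audit cares about.
SAMPLE_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

LISTENERS = {"dnsport": "udp", "transport": "tcp"}   # torrc option -> protocol it serves


def torrc_ports(text):
    """Return {option: port} for SocksPort/DNSPort/TransPort; a port of 0 disables one."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(SocksPort|DNSPort|TransPort)\s+(?:[\d.]+:)?(\d+)", line, re.I)
        if m and int(m.group(2)) != 0:
            ports[m.group(1).lower()] = int(m.group(2))   # Tor option names are case-insensitive
    return ports


def parse_rules(text):
    """Yield (table, line) for every policy and rule line of an iptables-restore file."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":") or "-A " in line:
            yield table, line


def audit(torrc_text, rules_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    ports = torrc_ports(torrc_text)
    redirects, exempt, output_policy = {}, set(), None
    for table, line in parse_rules(rules_text):
        m = re.search(r"-p (udp|tcp) .*-j REDIRECT --to-ports (\d+)$", line)
        if table == "nat" and m:
            redirects[m.group(1)] = int(m.group(2))
        if re.search(r'--uid-owner "?tor"? -j (RETURN|ACCEPT)', line):
            exempt.add(table)
        if table == "filter" and line.startswith(":OUTPUT "):
            output_policy = line.split()[1]
    for option, proto in LISTENERS.items():
        if option not in ports:
            findings.append("torrc does not enable %s; %s traffic would be "
                            "redirected into nothing" % (option, proto))
        elif redirects.get(proto) != ports[option]:
            findings.append("%s REDIRECT goes to port %s but torrc %s is %d"
                            % (proto, redirects.get(proto), option, ports[option]))
    for table in ("nat", "filter"):
        if table not in exempt:
            findings.append("tor user is not exempted in the %s table; Tor's own "
                            "traffic would loop or be dropped" % table)
    if output_policy != "DROP":
        findings.append("filter OUTPUT policy is %s, not DROP; non-torified "
                        "traffic could leave" % output_policy)
    return findings
```

Running {{ic|audit()}} over the real files ({{ic|/etc/tor/torrc}} and {{ic|/etc/iptables/iptables.rules}}) before {{ic|systemctl start iptables}} catches the easy mistake of reusing the {{ic|DNSPort 9053}} from the [[#TorDNS]] section above with rules that redirect to 5353: the check reports the port mismatch instead of leaving the machine with DNS that silently fails.<br />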
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If Tor still will not start, let the service start as root and drop to the {{ic|tor}} user itself. Set the user in {{ic|/etc/tor/torrc}}:<br />
<br />
 User tor<br />
<br />
Then override the unit with a drop-in rather than editing {{ic|/usr/lib/systemd/system/tor.service}}, which pacman overwrites on upgrade (see [[systemd]]):<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/root.conf|<nowiki><br />
[Service]<br />
User=root<br />
Group=root<br />
</nowiki>}}<br />
<br />
Tor binds its ports as root and then switches to the {{ic|tor}} user, so the data directory must belong to that user and stay private (Tor expects its {{ic|DataDirectory}} to be mode 0700):<br />
<br />
 # chown -R tor:tor /var/lib/tor/<br />
 # chmod 700 /var/lib/tor<br />
<br />
Reload systemd and start the daemon:<br />
<br />
 # systemctl daemon-reload<br />
 # systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348733Tor2014-12-07T02:17:18Z<p>Usprey: /* Tor configuration */ Syntax and references in paragraphs</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.<br />
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p $TORCHROOT<br />
mkdir -p $TORCHROOT/etc/tor<br />
mkdir -p $TORCHROOT/dev<br />
mkdir -p $TORCHROOT/usr/bin<br />
mkdir -p $TORCHROOT/usr/lib<br />
mkdir -p $TORCHROOT/usr/share/tor<br />
mkdir -p $TORCHROOT/var/lib<br />
<br />
ln -s /usr/lib $TORCHROOT/lib<br />
cp /etc/hosts $TORCHROOT/etc/<br />
cp /etc/host.conf $TORCHROOT/etc/<br />
cp /etc/localtime $TORCHROOT/etc/<br />
cp /etc/nsswitch.conf $TORCHROOT/etc/<br />
cp /etc/resolv.conf $TORCHROOT/etc/<br />
cp /etc/tor/torrc $TORCHROOT/etc/tor/<br />
<br />
cp /usr/bin/tor $TORCHROOT/usr/bin/<br />
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/<br />
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/<br />
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/<br />
cp -r /var/lib/tor $TORCHROOT/var/lib/<br />
chown -R tor:tor $TORCHROOT/var/lib/tor<br />
<br />
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"<br />
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"<br />
<br />
mknod -m 644 $TORCHROOT/dev/random c 1 8<br />
mknod -m 644 $TORCHROOT/dev/urandom c 1 9<br />
mknod -m 666 $TORCHROOT/dev/null c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.<br />
# The interpreter path baked into the binary is /lib64/ld-linux-x86-64.so.2,<br />
# so both links must resolve inside the chroot: use paths relative to its<br />
# root, not host paths such as $TORCHROOT/usr/lib, which do not exist once chrooted<br />
ln -s usr/lib $TORCHROOT/lib64<br />
ln -s lib $TORCHROOT/usr/lib64<br />
fi<br />
<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can set up a fast switch, for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally you can enable the quick switch under the ''General'' tab to be able to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method, though, is that applications that do DNS resolution themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.<br />
<br />
== Instant messaging ==<br />
<br />
In order to use an IM client with Tor, we do not need an HTTP proxy like [[polipo]]/[[privoxy]]. We will be using Tor's daemon directly, which listens on port 9050 by default.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the port changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges , make your torrc consist of just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
Exitpolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
Run Tor as a middleman (a non-exit relay):<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor will block certain ports. You can use the torrc to override this.<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check that the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor bash -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}. Note that this checks the PAM limit applied to a login shell; the limit in effect for the service itself is shown by {{ic|systemctl show tor.service -p LimitNOFILE}}.<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind to privileged ports we start as root. Please specify {{ic|User tor}} in {{ic|/etc/tor/torrc}} so that Tor drops privileges after binding.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on Port 80 and 443 the service needs to be started as {{ic|root}}.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration is based on [https://www.torproject.org/docs/tor-manual.html.en Tor Manual]. <br />
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.<br />
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enable {{Pkg|arm}} to connect to Tor and display connections.<br />
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.<br />
ExitPolicy {{ic|reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}.<br />
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.<br />
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out". <br />
{{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available".<br />
{{ic|NumCPUs 2}} runs two Tor threads.<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start your Tor as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. You should use the {{ic|User tor}} option to properly reduce Tor’s privileges.<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server-section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Set Tor to listen for DNS requests on port 9053 ({{ic|DNSPort 9053}}, as above) and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream resolver. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', configure it so that it does not overwrite {{ic|resolv.conf}} by adding this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application itself. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
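The rules above only redirect to the ports the Note assumes Tor listens on; if {{ic|DNSPort}} or {{ic|TransPort}} in {{ic|torrc}} is later changed, the {{ic|--to-ports}} targets go stale and torified DNS and TCP silently stop working (the filter table then rejects the traffic). The following is an added example, not part of this wiki page or of Tor itself: a POSIX shell check that reads both files and confirms every REDIRECT target agrees with torrc. It uses constructed copies of the two files so that it runs stand-alone; the function and variable names are the example's own.<br />
<br />
```sh
#!/bin/sh
# Added example, not from the ArchWiki page: verify that the ports the
# iptables rules REDIRECT to are the ones Tor actually listens on, so a
# DNSPort/TransPort edit in torrc cannot silently break transparent
# torification. Both input files are constructed here; on a real system
# pass /etc/tor/torrc and /etc/iptables/iptables.rules instead.

TORRC=$(mktemp)
RULES=$(mktemp)
cat > "$TORRC" <<'EOF'
SocksPort 9050
DNSPort 5353
TransPort 9040
EOF
cat > "$RULES" <<'EOF'
*nat
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF

# torrc_port FILE OPTION: print the port of OPTION (first occurrence),
# accepting the "addr:port" form Tor allows, e.g. "DNSPort 127.0.0.1:5353"
torrc_port() {
    awk -v opt="$2" '$1 == opt { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# redirect_ports FILE PROTO: print the distinct --to-ports targets of every
# REDIRECT rule for PROTO ("udp" or "tcp")
redirect_ports() {
    awk -v proto="$2" '
        /-j REDIRECT/ && index($0, "-p " proto " ") {
            for (i = 1; i < NF; i++) if ($i == "--to-ports") print $(i + 1)
        }' "$1" | sort -u
}

# check_ports TORRC RULES: return 0 when every UDP redirect targets DNSPort
# and every TCP redirect targets TransPort, 1 on any mismatch or missing option
check_ports() {
    dns=$(torrc_port "$1" DNSPort)
    trans=$(torrc_port "$1" TransPort)
    [ -n "$dns" ] && [ -n "$trans" ] || return 1
    for p in $(redirect_ports "$2" udp); do [ "$p" = "$dns" ]   || return 1; done
    for p in $(redirect_ports "$2" tcp); do [ "$p" = "$trans" ] || return 1; done
    return 0
}

if check_ports "$TORRC" "$RULES"; then
    echo "iptables REDIRECT targets match DNSPort $dns and TransPort $trans"
else
    echo "mismatch between torrc and iptables rules" >&2
fi
```

To check a live system, call {{ic|check_ports /etc/tor/torrc /etc/iptables/iptables.rules}} (for example from a pre-start hook of {{ic|iptables.service}}) and refuse to bring the firewall up on a non-zero exit; a mismatch is a configuration error, not a leak, because the filter table still rejects whatever is not redirected.<br />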
<br />
This file also works for ip6tables-restore, so you may symlink it:<br />
<br />
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and start iptables and ip6tables:<br />
<br />
systemctl {enable,start} tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory are not owned by tor. This can be determined with the following find command:<br />
<br />
find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output of this command need to have their ownership changed. This can be done individually for each file like so:<br />
<br />
chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If the tor service still does not start, run it as root; because of the {{ic|User}} option, Tor switches back to the tor user after start-up. To do this, set the user name in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Now modify the systemd tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user once privileges are dropped, so make sure {{ic|/var/lib/tor}} is owned by tor and writable by it:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Uspreyhttps://wiki.archlinux.org/index.php?title=Tor&diff=348729Tor2014-12-07T02:09:37Z<p>Usprey: /* Tor configuration */ divided explanation into paragraphs</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[Category:Proxy servers]]<br />
[[es:Tor]]<br />
[[ja:Tor]]<br />
[[ru:Tor]]<br />
[[zh-CN:Tor]]<br />
{{Related articles start}}<br />
{{Related|Gnunet}}<br />
{{Related|I2P}}<br />
{{Related|Freenet}}<br />
{{Related articles end}}<br />
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.<br />
<br />
== Introduction ==<br />
<br />
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.<br />
<br />
{{Warning|Tor by itself is ''not'' all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: [https://www.torproject.org/download/download.html#warning Want Tor to really work?]).}}<br />
<br />
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade-off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).<br />
<br />
See [[Wikipedia:Tor (anonymity network)]] for more information.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].<br />
<br />
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.<br />
<br />
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.<br />
<br />
{{Warning|There are projects that [https://www.whonix.org/wiki/Tor_Controller#Vidalia_recommended_against recommend against] using ''vidalia''.}}<br />
<br />
== Configuration ==<br />
<br />
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.<br />
<br />
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.<br />
<br />
=== Relay Configuration ===<br />
<br />
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.<br />
<br />
If your computer isn't running a webserver, and you haven't set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]<br />
Since these are privileged ports, Tor must then be started as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}, so that it drops privileges once the ports are bound.<br />
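The two torrc/tor.service conflict rules above and the privileged-port rule for relays can be checked mechanically. The following script is an added example (it is not part of this article or of the tor package); the torrc and unit-file texts inside it are constructed samples, and the unit is assumed to carry {{ic|Type<nowiki>=</nowiki>simple}} and {{ic|User<nowiki>=</nowiki>tor}} like a stock service file:<br />

```python
"""Consistency check between torrc and the tor.service [Service] section.

Added example (not from the wiki or the Tor project). It encodes three rules:
RunAsDaemon must stay 0 under Type=simple, a torrc 'User' only makes sense
when the unit starts Tor as root, and an ORPort/DirPort below 1024 needs root
plus 'User tor' so Tor can drop privileges afterwards.
The torrc and unit texts at the bottom are constructed samples.
"""
import re

PRIVILEGED_PORT_MAX = 1023
PORT_OPTIONS = {"orport": "ORPort", "dirport": "DirPort"}


def parse_torrc(text):
    """Map lower-cased option name -> list of values (torrc keys are
    case-insensitive and '#' starts a comment)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts


def parse_service(text):
    """Return the key=value pairs of the [Service] section; a later assignment
    overrides an earlier one, as systemd does for single-valued keys."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def port_of(value):
    """TCP port from an ORPort/DirPort value: '443', '0.0.0.0:443',
    '[::]:443' or '443 NoListen'. None if there is no numeric port."""
    token = value.split()[0] if value.split() else ""
    match = re.search(r"(\d+)$", token)
    return int(match.group(1)) if match else None


def check_tor_setup(torrc_text, unit_text):
    """Return a list of findings; an empty list means the two files agree."""
    torrc, svc = parse_torrc(torrc_text), parse_service(unit_text)
    findings = []

    if svc.get("Type", "simple") == "simple" and torrc.get("runasdaemon", ["0"])[-1] != "0":
        findings.append("RunAsDaemon must be 0: with Type=simple systemd would see the "
                        "forking parent exit and stop the service")

    # systemd runs the service as root when User= is unset
    svc_user = svc.get("User", "root") or "root"
    torrc_user = torrc.get("user", [None])[-1]
    starts_as_root = svc_user == "root"

    if torrc_user is not None and not starts_as_root:
        findings.append(f"torrc sets 'User {torrc_user}' but tor.service already runs "
                        f"as {svc_user}; Tor can only change user when started as root")

    for key, name in PORT_OPTIONS.items():
        for value in torrc.get(key, []):
            port = port_of(value)
            if port is None or not 0 < port <= PRIVILEGED_PORT_MAX:
                continue
            if not starts_as_root:
                findings.append(f"{name} {port} is privileged: set User=root in a "
                                f"tor.service drop-in and 'User tor' in torrc")
            elif torrc_user is None:
                findings.append(f"{name} {port} binds as root but torrc has no 'User tor' "
                                f"to drop privileges afterwards")
    return findings


# Constructed samples (not copied from any installed unit file)
SAMPLE_TORRC = """\
RunAsDaemon 0          # tor.service uses Type=simple
ORPort 443
DirPort 80
User tor               # drop privileges after binding
"""
SAMPLE_UNIT = """\
[Unit]
Description=Anonymizing overlay network for TCP
[Service]
Type=simple
User=tor
ExecStart=/usr/bin/tor -f /etc/tor/torrc
"""
SAMPLE_UNIT_AS_ROOT = SAMPLE_UNIT.replace("User=tor", "User=root")

if __name__ == "__main__":
    for unit in (SAMPLE_UNIT, SAMPLE_UNIT_AS_ROOT):
        print(check_tor_setup(SAMPLE_TORRC, unit) or ["OK"])
```

To check a real host, pass the contents of {{ic|/etc/tor/torrc}} and the merged unit printed by {{ic|systemctl cat tor.service}} to {{ic|check_tor_setup}}; a drop-in under {{ic|/etc/systemd/system/tor.service.d/}} overrides the unit's {{ic|User<nowiki>=</nowiki>}}, which is why the merged text matters.<br />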
<br />
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.<br />
<br />
== Running Tor in a Chroot ==<br />
<br />
{{Warning|Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot.}}<br />
<br />
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in /opt/torchroot:<br />
<br />
{{hc|~/torchroot-setup.sh|2=<nowiki><br />
#!/bin/bash<br />
# Build a minimal chroot for the tor binary. Run as root.<br />
export TORCHROOT=/opt/torchroot<br />
<br />
mkdir -p "$TORCHROOT/etc/tor" "$TORCHROOT/dev" "$TORCHROOT/usr/bin" \<br />
         "$TORCHROOT/usr/lib" "$TORCHROOT/usr/share/tor" "$TORCHROOT/var/lib"<br />
<br />
# Arch merges /lib into /usr/lib; mirror that layout inside the chroot with a<br />
# relative link so it still resolves once the tree is the root.<br />
ln -s usr/lib "$TORCHROOT/lib"<br />
<br />
# Name resolution and timezone files the binary reads at runtime<br />
cp /etc/hosts /etc/host.conf /etc/localtime /etc/nsswitch.conf /etc/resolv.conf "$TORCHROOT/etc/"<br />
cp /etc/tor/torrc "$TORCHROOT/etc/tor/"<br />
<br />
cp /usr/bin/tor "$TORCHROOT/usr/bin/"<br />
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"<br />
# NSS and resolver libraries are loaded with dlopen, so ldd does not list them<br />
cp /usr/lib/libnss* /usr/lib/libnsl* /usr/lib/ld-linux-*.so* /usr/lib/libresolv* /usr/lib/libgcc_s.so* "$TORCHROOT/usr/lib/"<br />
# Everything the dynamic linker reports for the tor binary<br />
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep "^/") "$TORCHROOT/usr/lib/"<br />
cp -r /var/lib/tor "$TORCHROOT/var/lib/"<br />
chown -R tor:tor "$TORCHROOT/var/lib/tor"<br />
<br />
# Only the tor account is needed inside the chroot; match the whole name, not a prefix<br />
grep "^tor:" /etc/passwd > "$TORCHROOT/etc/passwd"<br />
grep "^tor:" /etc/group > "$TORCHROOT/etc/group"<br />
<br />
mknod -m 644 "$TORCHROOT/dev/random" c 1 8<br />
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9<br />
mknod -m 666 "$TORCHROOT/dev/null" c 1 3<br />
<br />
if [[ "$(uname -m)" == "x86_64" ]]; then<br />
    cp /usr/lib/ld-linux-x86-64.so* "$TORCHROOT/usr/lib/"<br />
    # The ELF interpreter path is /lib64/ld-linux-x86-64.so.2; both links are<br />
    # relative so they resolve inside the chroot, not on the host.<br />
    ln -s usr/lib64 "$TORCHROOT/lib64"<br />
    ln -s lib "$TORCHROOT/usr/lib64"<br />
fi<br />
</nowiki>}}<br />
<br />
After running the script as root, Tor can be launched in the [[chroot]] with the command:<br />
<br />
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor<br />
<br />
or, if you use systemd, override the service with a drop-in:<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki><br />
[Service]<br />
User=root<br />
ExecStart=<br />
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"<br />
KillSignal=SIGINT<br />
</nowiki>}}<br />
<br />
== Usage ==<br />
<br />
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it from {{ic|vidalia}}, or with {{ic|sudo -u tor /usr/bin/tor}}.<br />
<br />
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).<br />
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor], [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.<br />
<br />
== Web browsing ==<br />
<br />
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.<br />
<br />
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 0x63FEE659) must be downloaded from the keyservers and added to the user gpg keyring with:<br />
$ gpg --recv-keys 0x63FEE659<br />
}}<br />
<br />
=== Firefox ===<br />
<br />
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through Tor's SOCKS proxy instead of resolving them locally.<br />
<br />
=== Chromium ===<br />
<br />
You can simply run:<br />
<br />
$ chromium --proxy-server="socks://localhost:9050"<br />
<br />
Just as with Firefox, you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].<br />
<br />
Once installed, open its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor''; if ticked, untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' as the respective port and select ''SOCKS v5''.<br />
<br />
Optionally, you can enable the quick switch under the ''General'' tab to switch between normal navigation and the Tor network just by left-clicking on the Proxy SwitchySharp icon.<br />
<br />
=== Luakit ===<br />
<br />
{{warning|It won't be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}<br />
<br />
You can simply run:<br />
<br />
$ torify luakit<br />
<br />
== HTTP proxy ==<br />
<br />
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]]; however, the Tor developers recommend using the SOCKS5 port directly, since browsers support it natively.<br />
<br />
=== Firefox ===<br />
<br />
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be accessed under ''Add > Standard proxy type''. Select a proxy label (e.g. Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.<br />
<br />
=== Polipo ===<br />
<br />
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.<br />
<br />
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).<br />
<br />
=== Privoxy ===<br />
<br />
You can also use this setup in other applications such as messaging clients (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use the SOCKS proxy directly, point the application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead, since it hands the hostname to the proxy for resolution.<br />
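The SOCKS5 CONNECT exchange behind both {{ic|network.proxy.socks_remote_dns}} (see [[#Firefox]]) and the SOCKS4a advice above, as an added example that is not part of this article or of Tor: the client puts the hostname inside the SOCKS request (address type 0x03) so the proxy resolves it at the far end, instead of resolving locally and sending an IP literal, which is the lookup that leaks. The exchange runs against a constructed in-process stand-in for Tor's SocksPort that only negotiates no-auth and answers "succeeded"; it never connects anywhere. The mock server and the connection over a socketpair are assumptions of the example, not Tor behaviour.<br />

```python
"""SOCKS5 (RFC 1928) CONNECT: where does the DNS lookup happen?

Added example, not from the wiki or Tor. The mock server below is a constructed
stand-in for Tor's SocksPort used so the exchange can run offline.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def build_connect_request(host, port):
    """SOCKS5 CONNECT request bytes for host:port.

    An IP literal is sent as ATYP 0x01/0x04. Anything else is sent as ATYP 0x03
    (domain name), so the proxy resolves it: that is what socks_remote_dns=true
    and SOCKS4a achieve, and it keeps the client from emitting a DNS query
    outside the tunnel.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def request_resolves_remotely(request):
    """True when the proxy, not the client, will resolve the destination."""
    return request[3] == ATYP_DOMAIN


def read_exact(conn, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_message(conn):
    """Read one SOCKS5 request or reply: (cmd_or_rep, atyp, host, port)."""
    ver, code, _rsv, atyp = read_exact(conn, 4)
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 message")
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(read_exact(conn, 4)))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(read_exact(conn, 16)))
    elif atyp == ATYP_DOMAIN:
        host = read_exact(conn, read_exact(conn, 1)[0]).decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", read_exact(conn, 2))
    return code, atyp, host, port


def mock_socks5_server(conn):
    """Constructed stand-in for a SocksPort: no-auth, then a canned 'succeeded'
    reply with a zero bound address. Returns what the proxy saw."""
    _ver, nmethods = read_exact(conn, 2)
    read_exact(conn, nmethods)
    conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    cmd, atyp, host, port = recv_message(conn)
    rep = 0x00 if cmd == CMD_CONNECT else 0x07  # 0x07: command not supported
    conn.sendall(bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0))
    return atyp, host, port


def socks5_connect(host, port):
    """Run the client side of the handshake against the mock server over a
    socketpair (a real client would connect to 127.0.0.1:9050 instead)."""
    request = build_connect_request(host, port)
    client, server = socket.socketpair()
    try:
        # Greeting (one method: no auth) and the request are buffered together,
        # so the mock can be driven synchronously on the other end.
        client.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]) + request)
        atyp_seen, host_seen, _ = mock_socks5_server(server)
        _ver, method = read_exact(client, 2)
        if method != NO_AUTH:
            raise ConnectionError("proxy rejected the no-auth method")
        rep, _atyp, _bnd_host, _bnd_port = recv_message(client)
    finally:
        client.close()
        server.close()
    return {"status": rep, "proxy_saw": host_seen, "remote_dns": atyp_seen == ATYP_DOMAIN}


if __name__ == "__main__":
    print(socks5_connect("check.torproject.org", 443))  # proxy sees the name
    print(socks5_connect("127.0.0.1", 9050))            # proxy sees an address
```

Tor only ever sees a hostname in the first call; in the second the client would already have done the lookup itself, which is exactly the leak the Firefox and Privoxy sections warn about.<br />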
<br />
== Instant messaging ==<br />
<br />
To use an IM client with Tor, an HTTP proxy like [[polipo]]/[[privoxy]] is not needed. The Tor daemon's SOCKS port, which listens on port 9050 by default, is used directly.<br />
<br />
=== Pidgin ===<br />
<br />
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:<br />
<br />
Proxy type SOCKS5<br />
Host 127.0.0.1<br />
Port 9150<br />
<br />
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.<br />
<br />
== Irssi ==<br />
<br />
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}<br />
<br />
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating_with_SASL]]. Start irssi:<br />
<br />
$ torsocks irssi<br />
<br />
Set your NickServ credentials; they are read when connecting. Supported mechanisms are DH-BLOWFISH (recommended) and PLAIN.<br />
<br />
/sasl set ''network'' ''username'' ''password'' ''mechanism''<br />
<br />
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]<br />
<br />
/ignore * CTCPS<br />
/ignore * DCC<br />
/set hostname ''fake_host''<br />
<br />
Connect to Freenode:<br />
<br />
/connect -network ''network'' frxleqtzgvwkv7oz.onion<br />
<br />
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].<br />
<br />
== Pacman ==<br />
<br />
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).<br />
<br />
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}<br />
<br />
{{hc|/etc/pacman.conf|<br />
...<br />
<nowiki>XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o</nowiki><br />
...}}<br />
<br />
== Running a Tor server ==<br />
<br />
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.<br />
<br />
=== Running a Tor bridge ===<br />
<br />
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.<br />
<br />
==== Configuration ====<br />
<br />
According to https://www.torproject.org/docs/bridges, your torrc should contain just these four lines:<br />
<br />
SocksPort 0<br />
ORPort 443<br />
BridgeRelay 1<br />
ExitPolicy reject *:*<br />
<br />
==== Troubleshooting ====<br />
<br />
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.<br />
<br />
=== Running a "Middleman" relay ===<br />
<br />
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.<br />
<br />
==== Configuration ====<br />
<br />
You should at least share 20KiB/s:<br />
<br />
Nickname ''tornickname''<br />
ORPort 9001<br />
BandwidthRate 20 KB # Throttle traffic to 20KB/s<br />
BandwidthBurst 50 KB # But allow bursts up to 50KB/s<br />
<br />
To run Tor as a middleman relay, refuse all exit traffic:<br />
<br />
ExitPolicy reject *:*<br />
<br />
=== Running a Tor exit node ===<br />
<br />
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harassment].<br />
<br />
==== Configuration ====<br />
<br />
Using the torrc, you can configure which services you wish to allow through your exit node.<br />
<br />
Allow all traffic:<br />
<br />
ExitPolicy accept *:*<br />
<br />
Allow only irc ports 6660-6667 to exit from node:<br />
<br />
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more<br />
<br />
By default, Tor blocks certain ports. You can use the torrc to override this:<br />
<br />
ExitPolicy accept *:119 # Accept nntp as well as default exit policy<br />
<br />
==== +100Mbps Exit Relay configuration example ====<br />
<br />
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]), the following configuration changes might serve as inspiration to set up Tor with [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].<br />
<br />
===== Tor =====<br />
====== Raise maximum number of open file descriptors ======<br />
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki><br />
[Service]<br />
LimitNOFILE=32768<br />
</nowiki>}}<br />
<br />
To successfully raise the {{ic|nofile}} limit, you may also have to append the following:<br />
<br />
{{hc|/etc/security/limits.conf|<nowiki><br />
...<br />
tor soft nofile 32768<br />
tor hard nofile 32768<br />
@tor soft nofile 32768<br />
@tor hard nofile 32768<br />
</nowiki>}}<br />
<br />
Check if the {{ic|nofile}} (file descriptor) limit was successfully raised with {{ic|# sudo -u tor sh -c 'ulimit -Hn'}}, or with {{ic|# sudo -u tor bash}} followed by {{ic|$ ulimit -Hn}}.<br />
<br />
====== Start tor.service as root to bind privileged ports ======<br />
To bind to privileged ports the service must start as root. Specify {{ic|User tor}} in {{ic|/etc/tor/torrc}} so that Tor drops privileges once the ports are bound.<br />
<br />
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki><br />
[Service]<br />
User=root<br />
</nowiki>}}<br />
<br />
====== Tor configuration ======<br />
To listen on ports 80 and 443 the service needs to be started as {{ic|root}}.<br />
<br />
{{hc|/etc/tor/torrc|<nowiki><br />
#Log notice stdout ## Default behavior<br />
<br />
ControlPort 9051 ## For arm connection<br />
CookieAuthentication 1 ## For arm connection<br />
<br />
ORPort 443 ## Service must be started as root<br />
<br />
Address $IP ## IP or FQDN<br />
Nickname $NICKNAME ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki><br />
<br />
RelayBandwidthRate 32000 KB ## 250Mbps bandwidth<br />
RelayBandwidthBurst 640000 KB ## 500Mbps bandwidth burst<br />
<br />
ContactInfo $E-MAIL - $BTC-ADDRESS ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki><br />
<br />
DirPort 80 ## Service must be started as root<br />
DirPortFrontPage /etc/tor/tor-exit-notice.html ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki><br />
<br />
MyFamily $($KEYID),$($KEYID)... ## Remember $ in front of keyid(s) ;)<br />
<br />
ExitPolicy reject XXX.XXX.XXX.XXX/XX:* ## Block domain of public IP in addition to std. exit policy<br />
<br />
User tor ## Return to tor user after service started as root to listen on privileged ports<br />
<br />
DisableDebuggerAttachment 0 ## For arm connection<br />
<br />
### Performance related ###<br />
AvoidDiskWrites 1 ## Reduce wear on SSD<br />
DisableAllSwap 1 ## Service must be started as root<br />
HardwareAccel 1 ## Look for OpenSSL hardware cryptographic libraries<br />
NumCPUs 2 ## Only start two threads<br />
</nowiki>}}<br />
<br />
This configuration logs to stdout (the Tor default), enables {{ic|ControlPort 9051}} with {{ic|CookieAuthentication 1}} and sets {{ic|DisableDebuggerAttachment 0}} for {{Pkg|arm}}. {{ic|ORPort 443}} and {{ic|DirPort 80}} listen on ports 443 and 80, and the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] is displayed on port 80. The ExitPolicy {{ic|reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}. {{ic|NumCPUs 2}} runs two tor threads. {{ic|AvoidDiskWrites 1}} reduces disk writes and wear on an SSD. {{ic|HardwareAccel 1}} tries "to use built-in (static) crypto hardware acceleration when available". {{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".<br />
<br />
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start Tor as {{ic|root}} as described in [[Tor#Start_tor.service_as_root_to_bind_privileged_ports]]. Use the {{ic|User tor}} option so that Tor properly drops its privileges afterwards.<br />
<br />
This configuration is based on [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].<br />
<br />
===== arm =====<br />
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} are specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.<br />
If you want to watch Tor connections in {{Pkg|arm}}, {{ic|DisableDebuggerAttachment 0}} must also be specified.<br />
<br />
===== pdnsd =====<br />
<br />
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}<br />
<br />
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.<br />
<br />
{{hc|/etc/pdnsd.conf|<nowiki><br />
...<br />
perm_cache=102400 ## (Default value)*100 = 1MB * 100 = 100MB<br />
...<br />
server {<br />
label= "resolvconf";<br />
file = "/etc/pdnsd-resolv.conf"; ## Preferably do not use /etc/resolv.conf<br />
timeout=4; ## Server timeout, this may be much shorter than the global timeout option.<br />
uptest=query; ## Test availability using empty DNS queries. <br />
query_test_name="."; ## To be used if remote servers ignore empty queries.<br />
interval=10m; ## Test every 10 minutes.<br />
purge_cache=off; ## Ignore TTL.<br />
edns_query=yes; ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.<br />
preset=off; ## Assume server is down before uptest.<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.<br />
<br />
====== Uncensored DNS ======<br />
<br />
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative_DNS_servers]] for alternatives and add them in a separate server section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS_servers]].<br />
<br />
== TorDNS ==<br />
<br />
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:<br />
<br />
{{hc|/etc/tor/torrc|<br />
DNSPort 9053<br />
AutomapHostsOnResolve 1<br />
AutomapHostsSuffixes .exit,.onion<br />
}}<br />
<br />
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].<br />
<br />
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:<br />
<br />
{{bc|<br />
$ tor-resolve archlinux.org<br />
66.211.214.131<br />
}}<br />
<br />
=== Using TorDNS for all DNS queries ===<br />
<br />
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:<br />
<br />
DNSPort 53<br />
<br />
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.<br />
<br />
Change the Tor setting to listen for DNS requests on port 9053 and install {{Pkg|dnsmasq}}.<br />
<br />
Modify its configuration file so that it contains:<br />
<br />
{{hc|/etc/dnsmasq.conf|<br />
no-resolv<br />
server&#61;127.0.0.1#9053<br />
listen-address&#61;127.0.0.1<br />
}}<br />
<br />
These settings make dnsmasq listen only for requests from the local computer and use TorDNS as its sole upstream provider. It is now necessary to edit {{ic|/etc/resolv.conf}} so that your system queries only the dnsmasq server.<br />
<br />
{{hc|/etc/resolv.conf|<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
Start the '''dnsmasq''' daemon.<br />
<br />
Finally, if you use ''dhcpcd'', you need to change its settings so that it does not alter the resolv configuration file. Add this line to its configuration file:<br />
<br />
{{hc|/etc/dhcpcd.conf|<br />
nohook resolv.conf<br />
}}<br />
<br />
If you already have a ''nohook'' line, just add '''resolv.conf''' to it, separated with a comma.<br />
<br />
== Torify ==<br />
<br />
'''torify''' allows you to use an application via the Tor network without making configuration changes to the application involved. From the man page:<br />
<br />
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''<br />
<br />
Usage example:<br />
<br />
$ torify elinks checkip.dyndns.org<br />
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki><br />
<br />
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:<br />
<br />
{{hc|$ tor-resolve checkip.dyndns.org|<br />
208.78.69.70<br />
}}<br />
<br />
$ torify elinks 208.78.69.70<br />
<br />
== Transparent Torification ==<br />
<br />
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's SOCKS port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification solutions such as Whonix or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc., and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software; it is not sufficient to protect against malware or software with serious security vulnerabilities.<br />
<br />
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).<br />
<br />
{{Note|<br />
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torify.<br />
<br />
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.<br />
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.<br />
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:<br />
<br />
SocksPort 9050<br />
DNSPort 5353<br />
TransPort 9040<br />
<br />
See {{ic|man iptables}}.<br />
}}<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
<br />
*nat<br />
:PREROUTING ACCEPT [6:2126]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [17:6239]<br />
:POSTROUTING ACCEPT [6:408]<br />
<br />
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
-A OUTPUT -o lo -j RETURN<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN<br />
-A OUTPUT -m owner --uid-owner "tor" -j RETURN<br />
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353<br />
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040<br />
COMMIT<br />
<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT DROP [0:0]<br />
<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -p icmp -j ACCEPT<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
--ipv6 -A INPUT -j REJECT<br />
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT<br />
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT<br />
# IPv6 loopback is the single address ::1, unlike the 127.0.0.0/8 block in IPv4<br />
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT<br />
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT<br />
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable<br />
--ipv6 -A OUTPUT -j REJECT<br />
COMMIT<br />
}}<br />
<br />
This file also works for {{ic|ip6tables-restore}}, so you may symlink it:<br />
<br />
# ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules<br />
<br />
Then make sure Tor is running, and enable and start iptables and ip6tables:<br />
<br />
# systemctl enable --now tor iptables ip6tables<br />
<br />
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall is up. See [[systemd]].<br />
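The invariants the rule set above relies on (default-DROP output, TCP SYN and UDP/53 redirected to the TransPort and DNSPort, a bypass for the tor user evaluated before the redirects, and no ACCEPT in the OUTPUT chain that is not scoped to loopback, a private network, the tor user or an established flow) can be audited before the file is loaded. The following script is an added example and not part of this article or of iptables; its {{ic|SAMPLE_RULES}} is a constructed, abridged copy of the rule set above (IPv6 loopback written as {{ic|::1/128}}), and {{ic|LEAKY_RULES}} is a deliberately weakened variant used to show what a finding looks like:<br />

```python
"""Audit an iptables-restore file for the transparent-torification invariants.
Added example, not wiki or Tor code; SAMPLE_RULES below is a constructed,
abridged copy of the rule set above (IPv6 loopback written as ::1/128)."""
import ipaddress
import shlex


def parse_restore(text):
    """{table: {"policy": {chain: policy}, "rules": [(chain, family, tokens)]}}"""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # *nat, *filter
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"line outside a table: {line}")
        elif line.startswith(":"):                     # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        else:
            tokens, family = shlex.split(line), "both"
            if tokens[0] in ("--ipv4", "--ipv6"):      # protocol-specific rule
                family, tokens = tokens[0][2:], tokens[1:]
            if tokens[0] == "-A":
                table["rules"].append((tokens[1], family, tokens[2:]))
    return tables


def has(tokens, *seq):
    """True if seq occurs as consecutive tokens of the rule."""
    n = len(seq)
    return any(tuple(tokens[i:i + n]) == seq for i in range(len(tokens) - n + 1))


def local_destination(tokens):
    """True if the rule only matches a loopback or private destination network."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-d", "--destination"):
            net = ipaddress.ip_network(tokens[i + 1], strict=False)
            return net.is_loopback or net.is_private
    return False


def audit_torification(rules_text, trans_port=9040, dns_port=5353, tor_user="tor"):
    """Return a list of findings; an empty list means the invariants hold."""
    tables = parse_restore(rules_text)
    nat = tables.get("nat", {"policy": {}, "rules": []})
    flt = tables.get("filter", {"policy": {}, "rules": []})
    nat_out = [t for chain, _, t in nat["rules"] if chain == "OUTPUT"]
    first = lambda pred: next((i for i, t in enumerate(nat_out) if pred(t)), None)
    findings = []
    if flt["policy"].get("OUTPUT") != "DROP":
        findings.append("filter OUTPUT policy must be DROP so untorified traffic is blocked")
    i_owner = first(lambda t: has(t, "--uid-owner", tor_user) and has(t, "-j", "RETURN"))
    i_tcp = first(lambda t: has(t, "-p", "tcp") and has(t, "-j", "REDIRECT", "--to-ports", str(trans_port)))
    i_dns = first(lambda t: has(t, "-p", "udp") and has(t, "--dport", "53")
                  and has(t, "-j", "REDIRECT", "--to-ports", str(dns_port)))
    if i_tcp is None:
        findings.append(f"nat OUTPUT lacks the TCP REDIRECT to TransPort {trans_port}")
    if i_dns is None:
        findings.append(f"nat OUTPUT lacks the UDP/53 REDIRECT to DNSPort {dns_port}")
    if i_owner is None:
        findings.append(f"nat OUTPUT lacks a RETURN for --uid-owner {tor_user}; Tor's own "
                        "connections would be redirected back into Tor")
    elif i_tcp is not None and i_owner > i_tcp:
        findings.append("the --uid-owner RETURN must precede the TCP REDIRECT (rules run in order)")
    # Every ACCEPT in filter OUTPUT must be scoped to loopback, a private network,
    # the tor user or an established flow; anything broader is a leak path.
    for chain, _, t in flt["rules"]:
        if chain == "OUTPUT" and has(t, "-j", "ACCEPT") and not (
                has(t, "-o", "lo") or has(t, "--uid-owner", tor_user)
                or has(t, "--ctstate", "RELATED,ESTABLISHED") or local_destination(t)):
            findings.append("unscoped ACCEPT in filter OUTPUT: " + " ".join(t))
    return findings


SAMPLE_RULES = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
COMMIT
"""
# Constructed weakened variant: default-ACCEPT output, no bypass for the tor user,
# and a blanket UDP ACCEPT through which non-DNS UDP would leak.
LEAKY_RULES = (SAMPLE_RULES.replace(":OUTPUT DROP [0:0]", ":OUTPUT ACCEPT [0:0]")
               .replace('-A OUTPUT -m owner --uid-owner "tor" -j RETURN\n', "")
               .replace('-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT',
                        '-A OUTPUT -p udp -j ACCEPT\n-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT'))
```

Point {{ic|audit_torification}} at the contents of {{ic|/etc/iptables/iptables.rules}}, passing the {{ic|TransPort}} and {{ic|DNSPort}} values from your torrc; every finding names one way packets could leave the host untorified.<br />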
<br />
== Troubleshooting ==<br />
<br />
=== Problem with user value ===<br />
<br />
If the '''tor''' daemon failed to start, run the following command as root (or use sudo):<br />
<br />
# tor<br />
<br />
If you get the following error:<br />
<br />
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".<br />
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.<br />
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.<br />
May 23 00:27:24.624 [err] Reading config failed--see warnings above.<br />
<br />
Then it means that the problem is with the User value, which likely means that one or more files or directories in your {{ic|/var/lib/tor}} directory is not owned by tor. This can be determined by using the following find command:<br />
<br />
# find /var/lib/tor/ ! -user tor<br />
<br />
Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:<br />
<br />
# chown tor:tor /var/lib/tor/filename<br />
<br />
Or to change everything listed by the above find example, modify the command to this:<br />
<br />
# find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;<br />
<br />
Tor should now start up correctly.<br />
<br />
If you still cannot start the tor service, run the service as root (it will switch back to the tor user). To do this, set the user in the {{ic|/etc/tor/torrc}} file:<br />
<br />
User tor<br />
<br />
Then modify the systemd tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows:<br />
<br />
[Service]<br />
User=root<br />
Group=root<br />
Type=simple<br />
<br />
The process will then run as the tor user. Make sure the data directory is owned by tor and writable:<br />
<br />
# chown -R tor:tor /var/lib/tor/<br />
# chmod -R 755 /var/lib/tor<br />
<br />
Now save changes and run the daemon:<br />
<br />
# systemctl --system daemon-reload<br />
# systemctl start tor.service<br />
<br />
== See also ==<br />
<br />
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]<br />
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]<br />
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]<br />
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']</div>Usprey