Difference between revisions of "Tor"

From ArchWiki
(can someone confirm this?)

Revision as of 13:52, 10 February 2012


Summary
This article will explain how to install and configure Tor alongside HTTP proxies like Privoxy and Polipo.
Required software: Tor, Privoxy, Polipo
Related: Privoxy, Polipo

Tor is an open source implementation of second-generation onion routing that provides free access to an anonymous proxy network. Its primary goal is to enable online anonymity by protecting against traffic analysis attacks.

Introduction

Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.

Warning: Tor by itself is not all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: Want Tor to really work?).

Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic in layers and sending it through several nodes of the Tor network, each of which strips one layer, until the exit node removes the last layer and forwards the request to the server you specified. Note that the hop from the exit node to the destination is only protected if the application itself uses encryption (e.g. HTTPS); an exit node sees everything sent in the clear. Although Tor is considerably safer than an ordinary direct connection (i.e. without a proxy), it can be considerably slower due to the re-routing of traffic. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. by an adversary who can observe both the traffic entering and the traffic exiting the network).

Installation

Install tor, available in the Official Repositories.

Additionally, there is a Qt frontend for Tor called Vidalia. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages. Install vidalia, available in the Official Repositories.

Configuration

To get a better understanding of Tor review the /etc/tor/torrc configuration file. The configuration options are explained in man tor and the Tor website. The default configuration should work fine for most Tor users.

You can set custom file descriptor ulimits for Tor in /etc/conf.d/tor using the TOR_MAX_FD variable. This sets a limit on the maximum number of open files.

By default Tor logs to stdout with a log-level of "notice". If logging to a file is enabled via the Log option in the torrc configuration file, the sample entry points to /usr/local/var/log/tor/; make sure whatever directory you choose is writable by the user Tor runs as.

Usage

Start the tor service and add it to the DAEMONS array (see: Daemon). To check if Tor is functioning properly visit the Tor, Harvard or Xenobite.eu websites.

Web browsing

Tor primarily supports Firefox, but can also be used with Chromium.

Firefox

In Preferences > Advanced > Network tab > Settings manually set Firefox to use the SOCKS proxy localhost with port 9050 (SOCKS v5). Also set network.proxy.socks_remote_dns to true in about:config, so that Firefox hands hostnames to Tor instead of resolving them through your local DNS server, which would reveal the sites you visit to anyone watching that server.

Alternatively, install the Tor Browser Bundle. This will allow you to toggle very easily between Tor navigation and normal navigation instead of changing the preferences.

Chromium

You can simply run:

$ chromium --proxy-server="socks5://localhost:9050"

The socks5:// scheme makes Chromium speak SOCKS5 and pass hostnames to Tor; a plain socks:// URL is treated as SOCKS4, which can only carry IP addresses, so the browser would resolve names through your local DNS server first. Even with SOCKS5, Chromium may still resolve some names locally (e.g. DNS prefetching); consult the Chromium proxy documentation for the switches that disable local name resolution.

HTTP Proxy

Tor can be used with an HTTP proxy like Polipo or Privoxy.

Note: Polipo is recommended over Privoxy by the Tor dev team. [1]

Firefox

The FoxyProxy add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to port 8118 on localhost, which is where Polipo or Privoxy are running. These settings can be accessed under Add > Standard proxy type. Select a proxy label (e.g. Tor) and enter the port and host into the HTTP Proxy and SSL Proxy fields. To check if Tor is functioning properly, visit the Tor Check website and toggle Tor.

Polipo

The Tor Project has created a custom Polipo configuration file to prevent potential problems with Polipo as well to provide better anonymity.

Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use Chromium with Tor, you do not need the Polipo package (see: #Chromium).

Privoxy

You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. 127.0.0.1:8118). To use the SOCKS proxy directly, point your application at Tor (i.e. 127.0.0.1:9050). A problem with this method is that applications which resolve DNS names themselves leak the names of the hosts you contact to your local resolver, bypassing Tor entirely. Prefer SOCKS4a or SOCKS5 with remote name resolution (e.g. via Privoxy's forward-socks4a), which send the hostname to Tor so that the lookup happens inside the Tor network.
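As an added example (not taken from the page or from the Privoxy project), this is the forwarding rule in /etc/privoxy/config that makes Privoxy hand requests to Tor, with the setting that leaks DNS shown beside the one to use. The path and the 127.0.0.1:9050 SocksPort are the defaults assumed throughout this page:

```text
# /etc/privoxy/config

# Weak: SOCKS4 carries only an IP address, so Privoxy resolves every hostname
# itself through the system resolver and leaks the sites you visit via DNS.
#forward-socks4  / 127.0.0.1:9050 .

# Use this: SOCKS4a sends the hostname to Tor, which resolves it inside the
# Tor network. The trailing "." means no further parent proxy after Tor.
forward-socks4a / 127.0.0.1:9050 .
```

After changing the file, restart Privoxy and confirm with the Tor Check website that requests through 127.0.0.1:8118 arrive via Tor; on Privoxy versions that support it, forward-socks5 with the same arguments behaves the same way as far as name resolution is concerned.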

Irssi

Freenode does not recommend that you use Privoxy with Irssi. Instead they recommend using the mapaddress approach and running torify irssi to start it up. Therefore, add the following to /etc/tor/torrc:

mapaddress  10.40.40.40 p4fsi4ockecnea7l.onion

Freenode requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection. Download cap_sasl.pl, which enables SASL, from the Freenode website (i.e. http://www.freenode.net/sasl/cap_sasl.pl) and save it to ~/.irssi/scripts/cap_sasl.pl

Then install the following required perl modules with pacman and then Crypt::DH from the AUR.

# pacman -S perl-crypt-openssl-bignum perl-crypt-blowfish

Alternatively, you can install the modules using perl:

$ perl -MCPAN -e 'install Crypt::OpenSSL::Bignum Crypt::DH Crypt::Blowfish'

Start irssi

$ torify irssi

Load the script that will employ the SASL mechanism.

/script load cap_sasl.pl

Set your identification to nickserv, which will be read when connecting. Supported mechanisms are PLAIN and DH-BLOWFISH.

/sasl set <network> <username> <password> <mechanism>

Connect to Freenode:

/connect -network <network> 10.40.40.40

For more information check Accessing freenode Via Tor and the SASL README at freenode.net or the IRC/SILC Wiki article at torproject.org.

If you are receiving errors check the Cannot Connect to Freenode IRC using Irssi & Tor thread on the Arch Linux forums.

Pacman

Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).

Warning: It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.
/etc/pacman.conf
...
# --socks5-hostname hands the mirror's hostname to Tor, so the DNS lookup also goes
# through Tor instead of the local resolver; -C - resumes partial downloads, -f fails on HTTP errors
XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o
...

Running a Tor Server

Configuration

You should share at least 20 KB/s:

Nickname <tornickname>
ORPort 9001
BandwidthRate 20 KB            # Throttle traffic to 20KB/s
BandwidthBurst 50 KB           # But allow bursts up to 50KB/s

Exit policies are evaluated in order and the first matching rule wins; if no rule matches, Tor's default exit policy applies, which accepts most ports but rejects a handful of abuse-prone ones (among them SMTP on 25 and NNTP on 119). Allow irc ports 6660-6667 to exit from the node, and nothing else:

ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more

Run Tor as an exit node with the default policy, additionally allowing NNTP (which the default policy rejects):

ExitPolicy accept *:119        # Accept nntp as well as default exit policy

Run Tor as a middleman (a non-exit relay, which never connects to destinations outside the Tor network on your behalf):

ExitPolicy reject *:*

Running a Tor bridge

Configuration

According to https://www.torproject.org/docs/bridges :

   SocksPort 0
   ORPort 443
   BridgeRelay 1
   ExitPolicy reject *:*

SocksPort 0 disables the local SOCKS listener, so the machine acts purely as a bridge. If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, it is because ports below 1024 can only be bound by root (or a process holding CAP_NET_BIND_SERVICE); either pick a higher ORPort (e.g. 8080) or forward port 443 to the higher port in your firewall.

TorDNS

The Tor 0.2.x series can answer DNS queries itself (the DNSPort option), resolving them through the Tor network rather than through your local resolver. To enable it add the following lines to the Tor configuration file:

/etc/tor/torrc
 DNSPort 9053
 AutomapHostsOnResolve 1
 AutomapHostsSuffixes .exit,.onion

And restart Tor to load the updated configuration file:

# /etc/rc.d/tor restart

This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this Debian-based introduction.

DNS queries can also be performed through a command line interface by using tor-resolve. For example:

$ tor-resolve archlinux.org
66.211.214.131

Torify

torify will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:

       torify is a simple wrapper that calls tsocks with a tor specific configuration file.

       tsocks itself is a wrapper between the tsocks library and the application that you would like to run socksified

Usage example:

$ torify elinks checkip.dyndns.org
$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations

Torify will not, however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with tor-resolve (described above). In this case, the procedure for the first of the above examples would look like this:

$ tor-resolve checkip.dyndns.org
208.78.69.70
$ torify elinks 208.78.69.70
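The two DNS points above, the leak when an application resolves names itself (#Privoxy) and the lookup that tor-resolve performs, come down to the same mechanism: sending the hostname across the SOCKS connection so that Tor, not the local resolver, answers. The following script is an added example, not part of the original page or of the Tor project's code. It assumes Tor's SocksPort is at 127.0.0.1:9050 (the default used on this page); the FakeTor class and its single canned answer (the address the page shows for archlinux.org) are constructed so the exchange can be run offline.

```python
import socket
import struct

# Added example, not the page's or Tor's own code. It assumes Tor's SocksPort is
# at 127.0.0.1:9050, the default used throughout this page.
TOR_SOCKS = ("127.0.0.1", 9050)
SOCKS_VER, NO_AUTH = 0x05, 0x00
CMD_RESOLVE, CMD_RESOLVE_PTR = 0xF0, 0xF1  # Tor's SOCKS5 extensions, used by tor-resolve
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY = {0x00: "succeeded", 0x01: "general SOCKS server failure", 0x02: "not allowed by ruleset",
         0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
         0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

def build_request(cmd, target, port=0):
    """SOCKS5 request VER CMD RSV ATYP DST.ADDR DST.PORT. A hostname is sent as ATYP
    0x03 (length-prefixed), so Tor resolves it and the local resolver never sees it;
    an IPv4 literal is sent as ATYP 0x01, which is what RESOLVE_PTR expects."""
    try:
        addr, atyp = socket.inet_aton(target), ATYP_IPV4
    except OSError:
        name = target.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        addr, atyp = bytes([len(name)]) + name, ATYP_DOMAIN
    return struct.pack("!BBBB", SOCKS_VER, cmd, 0x00, atyp) + addr + struct.pack("!H", port)

def recv_exact(conn, n):
    """Read exactly n bytes; replies are short, but TCP may still deliver them in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def read_reply(conn):
    """SOCKS5 reply VER REP RSV ATYP BND.ADDR BND.PORT -> (rep, address, port); for RESOLVE
    Tor puts the looked-up address in BND.ADDR and sets the port to 0."""
    ver, rep, _rsv, atyp = recv_exact(conn, 4)
    if ver != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(recv_exact(conn, 4))
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, recv_exact(conn, 16))
    elif atyp == ATYP_DOMAIN:                      # RESOLVE_PTR answers with a name
        addr = recv_exact(conn, recv_exact(conn, 1)[0]).decode("idna")
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    return rep, addr, struct.unpack("!H", recv_exact(conn, 2))[0]

def socks5_resolve(conn, name, reverse=False):
    """The exchange tor-resolve performs: offer no-auth, send RESOLVE (RESOLVE_PTR for
    `tor-resolve -x`), return Tor's answer or raise LookupError with the SOCKS reply text."""
    conn.sendall(struct.pack("!BBB", SOCKS_VER, 1, NO_AUTH))
    ver, method = recv_exact(conn, 2)
    if ver != SOCKS_VER or method != NO_AUTH:
        raise ConnectionError("proxy refused SOCKS5 without authentication")
    conn.sendall(build_request(CMD_RESOLVE_PTR if reverse else CMD_RESOLVE, name))
    rep, addr, _port = read_reply(conn)
    if rep != 0x00:
        raise LookupError(REPLY.get(rep, "unknown reply 0x%02x" % rep))
    return addr

def tor_resolve(name, reverse=False):
    """Equivalent of `tor-resolve name` against a running Tor (needs the network)."""
    with socket.create_connection(TOR_SOCKS, timeout=60) as conn:
        return socks5_resolve(conn, name, reverse)

class FakeTor:
    """Constructed stand-in for Tor's SocksPort so the exchange can run offline: it knows one
    name (the address the page shows for tor-resolve) and answers 0x04 for any other name."""
    ANSWERS = {"archlinux.org": bytes([66, 211, 214, 131])}

    def __init__(self):
        self.queue = b""                                     # replies waiting for recv()

    def sendall(self, data):
        if len(data) == 3:                                   # method negotiation
            self.queue += bytes([SOCKS_VER, NO_AUTH])
        elif data[1] == CMD_RESOLVE and data[3] == ATYP_DOMAIN:
            ip = self.ANSWERS.get(data[5:5 + data[4]].decode("idna"))
            rep, bnd = (0x00, ip) if ip else (0x04, b"\x00" * 4)
            self.queue += struct.pack("!BBBB", SOCKS_VER, rep, 0x00, ATYP_IPV4) + bnd + b"\x00\x00"
        else:                                                # anything else: unsupported
            self.queue += struct.pack("!BBBB", SOCKS_VER, 0x07, 0x00, ATYP_IPV4) + b"\x00" * 6

    def recv(self, n):
        out, self.queue = self.queue[:n], self.queue[n:]
        return out

def demo():
    """Offline run against FakeTor: (address for archlinux.org, error for an unknown name)."""
    found = socks5_resolve(FakeTor(), "archlinux.org")
    try:
        socks5_resolve(FakeTor(), "nonexistent.invalid")
        error = None
    except LookupError as exc:
        error = str(exc)
    return found, error
```

build_request() is the heart of the matter: a SOCKS4a or SOCKS5-with-remote-DNS client puts the hostname itself into the request (ATYP 0x03), so the name crosses the SOCKS connection and is resolved inside Tor, whereas a SOCKS4 or non-remote-DNS client resolves first and sends only the IP, which is the leak the #Privoxy section warns about. The 0xF0/0xF1 commands are Tor-only extensions (see Tor's socks-extensions.txt); a generic SOCKS5 proxy would answer 0x07, command not supported. tor_resolve("archlinux.org") reproduces the tor-resolve call shown above against a running Tor; the address it returns today may of course differ from the one printed on the page.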

Troubleshooting

Problem with User value

If the tor daemon fails to start, run the following command as root (or with sudo) to start Tor in the foreground and see its log messages:

# tor

If you get the following error

May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.
May 23 00:27:24.624 [err] Reading config failed--see warnings above.

Then it means that the problem is with the User value. So proceed with the following steps.

Check the permissions of the directory /var/lib/tor by running

# ls -l /var/lib/

If the permission for /var/lib/tor is as shown below

drwx------ 2 tor    tor    4096 May 12 21:03 tor

This means that the directory is owned by the user tor and the group tor. Change the owner to the user root, and the group root with the command:

# chown -R root:root /var/lib/tor

If you check the permissions again, it should now show

drwx------ 2 root   root   4096 May 12 21:03 tor

Now open /etc/tor/torrc and find the following lines

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line.
RunAsDaemon 1
User tor
Group tor

Comment out the lines User tor and Group tor, so that the lines read as

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line.
RunAsDaemon 1
#User tor
#Group tor

Save the changes and restart the tor daemon; it should now work. Note that with User and Group commented out Tor no longer drops privileges and keeps running as root. If you would rather keep it unprivileged, leave User tor and Group tor in place with /var/lib/tor owned by tor:tor, and make sure the daemon is always started as root (as it is when launched from the rc.d script at boot), since Tor can only switch to the configured user when it starts with root privileges.

# /etc/rc.d/tor restart

See Also