Difference between revisions of "Tor"

From ArchWiki
Jump to: navigation, search
(Pidgin: Update port number to 9150 for TBB)
m (wikified some filenames)
 
(228 intermediate revisions by 62 users not shown)
Line 1: Line 1:
[[Category:Internet Applications]]
+
[[Category:Internet applications]]
 
[[Category:Proxy servers]]
 
[[Category:Proxy servers]]
 
[[es:Tor]]
 
[[es:Tor]]
 +
[[fr:Tor]]
 +
[[ja:Tor]]
 
[[ru:Tor]]
 
[[ru:Tor]]
 
[[zh-CN:Tor]]
 
[[zh-CN:Tor]]
{{Article summary start}}
+
[[de:Tor]]
{{Article summary text|This article will explain how to install and configure Tor alongside HTTP proxies like [[Privoxy]] and [[Polipo]].}}
+
{{Related articles start}}
{{Article summary heading|Required software}}
+
{{Related|GNUnet}}
{{Article summary link|Tor|https://www.torproject.org}}
+
{{Related|I2P}}
{{Article summary link|Privoxy|http://privoxy.org/}}
+
{{Related|Freenet}}
{{Article summary link|Polipo|http://www.pps.jussieu.fr/~jch/software/polipo/}}
+
{{Related articles end}}
{{Article summary heading|Related}}
+
[https://www.torproject.org Tor] is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:Internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.
{{Article summary wiki|Gnunet}}
+
{{Article summary wiki|I2P}}
+
{{Article summary wiki|Freenet}}
+
{{Article summary end}}
+
  
'''Tor''' is an open source implementation of 2nd generation [[Wikipedia:Onion routing|onion routing]] that provides free access to an anonymous proxy network. Its primary goal is to enable [[Wikipedia:internet anonymity|online anonymity]] by protecting against [[Wikipedia:Traffic analysis|traffic analysis]] attacks.
+
== Introduction ==
  
==Introduction==
 
 
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.
 
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.
  
Line 25: Line 22:
 
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).
 
Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).
  
{{Wikipedia|Tor (anonymity network)}}
+
See [[Wikipedia:Tor (anonymity network)]] for more information.
  
==Installation==
+
== Installation ==
[[pacman|Install]] {{Pkg|tor}}, available in the [[official repositories]].
+
  
Additionally, there is a [[Qt]] frontend for Tor in package {{Pkg|vidalia}}. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.
+
[[Install]] the {{Pkg|tor}} package.
  
==Configuration==
+
The {{Pkg|arm}} (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.
To get a better understanding of Tor review the {{ic|/etc/tor/torrc}} configuration file. The configuration options are explained in {{Ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.
+
  
You can set custom [[Wikipedia:File descriptor|file descriptor]] ulimits for Tor in {{ic|/etc/conf.d/tor}} using the {{Ic|TOR_MAX_FD}} variable. This sets a limit on the maximum number of open files.
+
For a GUI, you can use {{aur|vidalia}}.
  
By default Tor logs to [[Wikipedia:Stdout#Standard output (stdout)|stdout]] with a log-level of "notice". If system logging is enabled in the {{ic|torrc}} configuration file, it will default to {{Ic|/usr/local/var/log/tor/}}.
+
{{Warning|Vidalia is discontinued and no longer supported by the Tor Project. Please see https://blog.torproject.org/blog/plain-vidalia-bundles-be-discontinued-dont-panic}}
  
==Usage==
+
== Configuration ==
  
Tor runs as a [[daemon]]. To launch it, use:
+
By default Tor reads configurations from the file {{ic|/etc/tor/torrc}}. The configuration options are explained in {{ic|man tor}} and the [https://torproject.org/docs/tor-manual.html.en Tor website]. The default configuration should work fine for most Tor users.
  
'''SysV'''
+
There are potential conflicts between configurations in {{ic|torrc}} and those in {{ic|tor.service}}.
/etc/rc.d/tor start
+
* In {{ic|torrc}}, {{ic|RunAsDaemon}} should, as by default, be set to {{ic|0}}, since {{ic|Type<nowiki>=</nowiki>simple}} is set in the {{ic|[Service]}} section in {{ic|tor.service}}.
(add it to the {{ic|DAEMONS}} array to have it launch at startup)
+
* In {{ic|torrc}}, {{ic|User}} should not be set unless {{ic|User<nowiki>=</nowiki>}} is set to {{ic|root}} in the {{ic|[Service]}} section in {{ic|tor.service}}.
  
'''systemd'''
+
=== Relay Configuration ===
systemctl start tor
+
(use ''systemctl enable tor'' to have it launch at startup)
+
  
Alternatively, you can launch it from the vidalia interface.
+
The maximum file descriptor number that can be opened by Tor can be set with {{ic|LimitNOFILE}} in {{ic|tor.service}}. Fast relays may want to increase this value.
  
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with '''vidalia''', standard settings).
+
If your computer is not running a webserver, and you have not set {{ic|AccountingMax}}, consider changing your {{ic|ORPort}} to {{ic|443}} and/or your {{ic|DirPort}} to {{ic|80}}. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[https://www.torproject.org/docs/tor-relay-debian]
 +
But since these are privileged ports, to do so Tor must be run as root, by setting {{ic|User<nowiki>=</nowiki>root}} in {{ic|tor.service}} and {{ic|User tor}} in {{ic|torrc}}.
 +
 
 +
You may wish to review [https://blog.torproject.org/blog/lifecycle-of-a-new-relay Lifecycle of a New Relay] Tor documentation.
 +
 
 +
== Running Tor in a Chroot ==
 +
 
 +
{{Warning| Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot}}
 +
 
 +
For security purposes, it may be desirable to run Tor in a [[chroot]]. The following script will create an appropriate chroot in {{ic|/opt/torchroot}}:
 +
 
 +
{{hc|~/torchroot-setup.sh|2=<nowiki>
 +
#!/bin/bash
 +
export TORCHROOT=/opt/torchroot
 +
 
 +
mkdir -p $TORCHROOT
 +
mkdir -p $TORCHROOT/etc/tor
 +
mkdir -p $TORCHROOT/dev
 +
mkdir -p $TORCHROOT/usr/bin
 +
mkdir -p $TORCHROOT/usr/lib
 +
mkdir -p $TORCHROOT/usr/share/tor
 +
mkdir -p $TORCHROOT/var/lib
 +
 
 +
ln -s /usr/lib  $TORCHROOT/lib
 +
cp /etc/hosts          $TORCHROOT/etc/
 +
cp /etc/host.conf      $TORCHROOT/etc/
 +
cp /etc/localtime      $TORCHROOT/etc/
 +
cp /etc/nsswitch.conf  $TORCHROOT/etc/
 +
cp /etc/resolv.conf    $TORCHROOT/etc/
 +
cp /etc/tor/torrc      $TORCHROOT/etc/tor/
 +
 
 +
cp /usr/bin/tor        $TORCHROOT/usr/bin/
 +
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
 +
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
 +
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/
 +
cp -r /var/lib/tor      $TORCHROOT/var/lib/
 +
chown -R tor:tor $TORCHROOT/var/lib/tor
 +
 
 +
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
 +
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"
 +
 
 +
mknod -m 644 $TORCHROOT/dev/random c 1 8
 +
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
 +
mknod -m 666 $TORCHROOT/dev/null c 1 3
 +
 
 +
if [[ "$(uname -m)" == "x86_64" ]]; then
 +
  cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
 +
  ln -sr /usr/lib64 $TORCHROOT/lib64
 +
  ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
 +
fi
 +
 
 +
</nowiki>}}
 +
 
 +
After running the script as root, Tor can be launched in the [[chroot]] with the command:
 +
 
 +
# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor
 +
 
 +
or if you use systemd overload the service:
 +
 
 +
{{hc|/etc/systemd/system/tor.service.d/chroot.conf|2=<nowiki>
 +
[Service]
 +
User=root
 +
ExecStart=
 +
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"
 +
KillSignal=SIGINT
 +
</nowiki>}}
 +
 
 +
== Running Tor in a systemd-nspawn container with a virtual network interface ==
 +
In this example we will create a [[systemd-nspawn]] container named {{ic|tor-exit}} with a virtual macvlan network interface.
 +
 
 +
See [[Systemd-nspawn]] and [[systemd-networkd]] for full documentation.
 +
 
 +
=== Host installation and configuration ===
 +
 
 +
In this example the container will reside in {{ic|/srv/container}}:
 +
# mkdir /srv/container/tor-exit
 +
 
 +
[[Install]] the {{Pkg|arch-install-scripts}}.
 +
 
 +
Install {{Grp|base}}, {{Pkg|tor}} and {{Pkg|arm}} and deselect {{Pkg|linux}} as per [[Systemd-nspawn#Installation with pacstrap]]{{Broken section link}}:
 +
# pacstrap -i -c -d /srv/container/tor-exit base tor arm
 +
 
 +
Create directory if it does not exist:
 +
# mkdir /var/lib/container
 +
 
 +
{{Note|Symlinks for {{ic|nspawn}} are currently broken (as of 2016-02-04; see https://github.com/systemd/systemd/issues/2001), and will give you a "too many levels of symlinks" error. As a (possibly insecure) workaround, simply pacstrap your install to the container directory instead.}}
 +
Symlink to register the container on the host, as per [[Systemd-nspawn#Boot your container at your machine startup]]{{Broken section link}}:
 +
# ln -s /srv/container/tor-exit /var/lib/container/tor-exit
 +
 
 +
==== Virtual network interface ====
 +
 
 +
Create a Dropin directory for the container service:
 +
# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d
 +
 
 +
{{hc|/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf|<nowiki>
 +
[Service]
 +
ExecStart=
 +
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i
 +
LimitNOFILE=32768
 +
</nowiki>}}
 +
 
 +
{{ic|<nowiki>--network-macvlan=$INTERFACE --private-network</nowiki>}} automagically creates a macvlan named {{ic|mv-$INTERFACE}} inside the container, which is not visible from the host. {{ic|--private-network}} is implied by {{ic|<nowiki>--network-macvlan=</nowiki>}} according to {{ic|man systemd-nspawn}}.
 +
This is advisable for security as it will allow you to give a private IP to the container, and it won't know what your machine's IP is. This can help obscure DNS requests.
 +
 
 +
{{ic|<nowiki>LimitNOFILE=32768</nowiki>}} per [[#Raise maximum number of open file descriptors]].
 +
 
 +
Setup [[systemd-networkd]] according to your network in {{ic|/srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network}}.
 +
 
 +
==== Start and enable systemd-nspawn ====
 +
 
 +
[[Start]] and enable {{ic|systemd-nspawn@tor-exit.service}}.
 +
 
 +
=== Container configuration ===
 +
{{ic|# machinectl login tor-exit}} login to the container, see [[Systemd-nspawn#machinectl command]]{{Broken section link}}.
 +
 
 +
{{ic|# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak}} if you get the error described in [[Systemd-nspawn#Troubleshooting]].
 +
 
 +
==== Start and enable systemd-networkd ====
 +
 
 +
[[Start]] and enable {{ic|systemd-networkd.service}}. {{ic|networkctl}} displays if {{ic|systemd-networkd}} is correctly configured.
 +
 
 +
=== Configure Tor ===
 +
See [[#Running a Tor server]].
 +
{{Tip|It is easier to edit files in the container from the host with your normal editor.}}
 +
 
 +
== Usage ==
 +
 
 +
Start/enable {{ic|tor.service}} [[systemd#Using units|using systemd]]. Alternatively, launch it with {{ic|sudo -u tor /usr/bin/tor}}.
 +
 
 +
To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings).
 
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor],  [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.
 
To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor],  [http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1 Harvard] or [https://torcheck.xenobite.eu/ Xenobite.eu] websites.
  
==Web browsing==
+
== Web browsing ==
Tor primarily supports [[Firefox]], but can also be used with [[Chromium]] and other browsers.
+
 
 +
The Tor Project currently only supports web browsing with tor through the [https://aur.archlinux.org/packages/?K=tor-browser- Tor Browser Bundle], which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular [[Firefox]], [[Chromium]] and other browsers, but this is [https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser not recommended] by the Tor Project.
 +
 
 +
{{Tip|For makepkg to verify the signature on the AUR source tarball download for TBB, import the [https://www.torproject.org/docs/signing-keys.html.en signing keys from the Tor Project] (currently 2E1AC68ED40814E0) as explained in [[GnuPG#Import_a_public_key]].}}
 +
 
 +
=== Firefox ===
  
===Firefox===
 
 
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through TOR's socks proxy.
 
In ''Preferences > Advanced > Network tab > Settings'' manually set Firefox to use the SOCKS proxy {{ic|localhost}} with port {{ic|9050}}. Then you must type {{ic|about:config}} into the address bar and ''void your warranty''. Change {{ic|network.proxy.socks_remote_dns}} to {{ic|true}} and restart the browser. This channels all DNS requests through TOR's socks proxy.
  
Alternatively, install the Tor Browser Bundle ({{aur|tor-browser-en}}) from the AUR. This will allow you to toggle very easily between Tor navigation and normal navigation instead of changing the preferences.
+
=== Chromium ===
  
===Chromium===
 
 
You can simply run:
 
You can simply run:
$ chromium --proxy-server="socks://localhost:9050"
 
  
As for Firefox you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].
+
$ chromium --proxy-server="socks5://myproxy:8080" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE myproxy"
 +
 
 +
The --proxy-server="socks5://myproxy:8080" flag tells Chrome to send all http:// and https:// URL requests through the SOCKS proxy server "myproxy:8080", using version 5 of the SOCKS protocol. The hostname for these URLs will be resolved by the proxy server, and not locally by Chrome.
 +
 
 +
NOTE: proxying of ftp:// URLs through a SOCKS proxy is not yet implemented.
 +
 
 +
The --proxy-server flag applies to URL loads only. There are other components of Chrome which may issue DNS resolves directly and hence bypass this proxy server. The most notable such component is the "DNS prefetcher".Hence if DNS prefetching is not disabled in Chrome then you will still see local DNS requests being issued by Chrome despite having specified a SOCKS v5 proxy server. Disabling DNS prefetching would solve this problem, however it is a fragile solution since once needs to be aware of all the areas in Chrome which issue raw DNS requests. To address this, the next flag, --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE myproxy", is a catch-all to prevent Chrome from sending any DNS requests over the network. It says that all DNS resolves are to be simply mapped to the (invalid) address 0.0.0.0. The "EXCLUDE" clause make an exception for "myproxy", because otherwise Chrome would be unable to resolve the address of the SOCKS proxy server itself, and all requests would necessarily fail with PROXY_CONNECTION_FAILED.
 +
 
 +
Debug:
 +
 
 +
The first thing to check when debugging is look at the Proxy tab on about:net-internals, and verify what the effective proxy settings are:
 +
chrome://net-internals/#proxy
 +
 
 +
Next, take a look at the DNS tab of about:net-internals to make sure Chrome isn't issuing local DNS resolves:
 +
chrome://net-internals/#dns
 +
 
 +
Note that in versions of Chrome after r186548, you can do this more concisely by mapping to ~NOTFOUND rather than 0.0.0.0.
 +
Just as with Firefox, you can setup a fast switch for example through [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm Proxy SwitchySharp].
  
 
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.
 
Once installed enter in its configuration page. Under the tab ''Proxy Profiles'' add a new profile ''Tor'', if ticked untick the option ''Use the same proxy server for all protocols'', then add ''localhost'' as SOCKS Host, ''9050'' to the respective port and select ''SOCKS v5''.
Line 74: Line 215:
 
Optionally you can enable the quick switch under the ''General'' tab to be able to switch beetween normal navigation and Tor network just by left-clicking on the Proxy SwitchySharp's icon.
 
Optionally you can enable the quick switch under the ''General'' tab to be able to switch beetween normal navigation and Tor network just by left-clicking on the Proxy SwitchySharp's icon.
  
===Luakit===
+
=== Luakit ===
 +
 
 +
{{warning|It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.}}
 +
 
 
You can simply run:
 
You can simply run:
 +
 
  $ torify luakit
 
  $ torify luakit
  
==HTTP Proxy==
+
== HTTP proxy ==
 +
 
 
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.
 
Tor can be used with an HTTP proxy like [[Polipo]] or [[Privoxy]], however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.
  
===Firefox===
+
=== Firefox ===
 +
 
 
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on  allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be access under ''Add > Standard proxy type''. Select a proxy label (e.g Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.
 
The [https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ FoxyProxy] add-on  allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port {{ic|8118}} on {{ic|localhost}}, which is where [[Polipo]] or [[Privoxy]] are running. These settings can be access under ''Add > Standard proxy type''. Select a proxy label (e.g Tor) and enter the port and host into the ''HTTP Proxy'' and ''SSL Proxy'' fields. To check if Tor is functioning properly visit the [https://check.torproject.org/ Tor Check] website and toggle Tor.
  
===Polipo===
+
=== Polipo ===
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.
+
 
 +
The Tor Project has created a custom [https://gitweb.torproject.org/torbrowser.git/plain/build-scripts/config/polipo.conf?id=1ffcd9dafb9dd76c3a29dd686e05a71a95599fb5 Polipo configuration file] to prevent potential problems with Polipo as well to provide better anonymity.
  
 
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).
 
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use [[Chromium]] with Tor, you do not need the Polipo package (see: [[#Chromium]]).
  
===Privoxy===
+
=== Privoxy ===
 +
 
 
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies you can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method though is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.
 
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies you can connect to Privoxy (i.e. {{ic|127.0.0.1:8118}}). To use SOCKS proxy directly, you can point your application at Tor (i.e. {{ic|127.0.0.1:9050}}). A problem with this method though is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.
  
==Instant Messaging==
+
== Instant messaging ==
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.  
+
 
+
In order to use an IM client with tor, we do not need an http proxy like [[polipo]]/[[privoxy]]. We will be using tor's daemon directly which listens to port 9050 by default.
===Pidgin===
+
 
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to Accounts -> Manage Accounts, select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:
+
=== Pidgin ===
 +
 
 +
You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to ''Accounts > Manage Accounts'', select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:
  
  Proxy type SOCKS5
+
  Proxy type SOCKS5
  Host         127.0.0.1
+
  Host 127.0.0.1
  Port         9150
+
  Port 9150
  
 
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.
 
Note that [https://trac.torproject.org/projects/tor/ticket/8135 some time in 2013] the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.
  
==Irssi==
+
== Irssi ==
Freenode does not recommend that you use Privoxy with [[Irssi]]. Instead they recommend using the {{Ic|mapaddress}} approach and running {{Ic|torify irssi}} to start it up. Therefore, add the following to {{ic|/etc/tor/torrc}}:
+
mapaddress  10.40.40.40 p4fsi4ockecnea7l.onion
+
  
Freenode requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during
+
{{Out of date|{{ic|cap_sasl.pl}} is broken with ''perl'' 5.20; SSL does also not work with {{ic|torsocks}}}}
connection. Download {{ic|cap_sasl.pl}}, which enables SASL in Irssi, from the Freenode website (i.e. http://www.freenode.net/sasl/cap_sasl.pl) and save it to {{Ic|~/.irssi/scripts/cap_sasl.pl}}
+
  
Then install {{Pkg|perl-crypt-openssl-bignum}}, {{Pkg|perl-crypt-blowfish}} and then {{AUR|perl-crypt-dh}} from the [[AUR]].
+
Freenode recommends connecting to {{ic|.onion}} directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see [[Irssi#Authenticating with SASL]]. Start irssi:
  
Alternatively, you can install the modules using perl:
+
  $ torsocks irssi
  $ perl -MCPAN -e 'install Crypt::OpenSSL::Bignum Crypt::DH Crypt::Blowfish'
+
  
Start irssi
+
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are ECDSA-NIST256P-CHALLENGE (see [https://github.com/atheme/ecdsatool/blob/master/cap_sasl.pl ecdsatool]) and PLAIN. DH-BLOWFISH is [https://freenode.net/sasl/sasl-irssi.shtml no longer supported].
  $ torify irssi
+
  
Load the script that will employ the SASL mechanism.
+
  /sasl set ''network'' ''username'' ''password'' ''mechanism''
  /script load cap_sasl.pl
+
  
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are PLAIN and DH-BLOWFISH.  
+
Disable CTCP and DCC and set a different hostname to prevent information disclosure: [https://encrypteverything.ca/IRC_Anonymity_Guide]
  /sasl set <network> <username> <password> <mechanism>
+
 
 +
/ignore * CTCPS
 +
/ignore * DCC
 +
  /set hostname ''fake_host''
  
 
Connect to Freenode:
 
Connect to Freenode:
/connect -network <network> 10.40.40.40
 
  
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor] and the [http://freenode.net/sasl/README.txt SASL README] at freenode.net or the [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article] at torproject.org.
+
/connect -network ''network'' frxleqtzgvwkv7oz.onion
  
If you are receiving errors check the ''[https://bbs.archlinux.org/viewtopic.php?pid=956467 Cannot Connect to Freenode IRC using Irssi & Tor]'' thread on the Arch Linux forums.
+
For more information check [http://freenode.net/irc_servers.shtml#tor Accessing freenode Via Tor], [http://freenode.net/sasl/README.txt SASL README] or [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC Wiki article].
  
==Pacman==
+
== Pacman ==
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).
+
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network.
  
{{Warning|It would be arguably simpler for an adversary, specifically one who desires to indiscriminately disseminate malware, to perform his/her activity by deploying malicious Tor exit node(s). Always use signed packages and verify new public keys by out-of-band means.}}
+
Advantages:
 +
* Attackers that can monitor your Internet connection and that specifically targets your machine cannot watch the updates anymore and, because of that, they cannot deduce the packages you have installed, how up to date they are, when or how frequently you update them. An attacker can still learn what software and the versions you use by other means, for instance watching the packets from your http server or probing the machine will show that you have an http server installed and its version.
 +
* If the mirror is not an onion, a malicious exit nodes you are going trough can watch the updates, and may decide to attack you, however they probably cannot know who they are attacking.
 +
* Attackers trying to make your machine believe that there are no new updates to prevent it from getting security fixes will have a harder time doing it since they cannot target your machine specifically.
 +
 
 +
Disadvantages:
 +
* Longer updates times due to Longer latency and lower throughput. This can be a big security risk if/when the updates needs to be done as fast as possible, especially on machines directly connected to the Internet. That is the case when there is a huge security flaw, and that the flaws are fast to probe, easy to exploit, and that attackers have already started targeting as many systems as they can before the systems are updated.
 +
 
 +
Reliability with Tor:
 +
* You don't need a working DNS anymore.
 +
* You depend on the Tor network and the exit nodes not blocking the updates.
 +
* You depend on the Tor daemon to work properly. The Tor daemon may not work if there is no more disk space available to it. "Reserved blocks gid:" in ext4, quotas, or other means can fix that.
 +
* If you are in a country where Tor is blocked, or that there are almost or no Tor users at all, you should use bridges.
 +
 
 +
Note on gpg:
 +
On stock arch, pacman only trust keys which are either signed by you (That can be done with pacman-key --lsign-key) or signed by 2 of 5 Arch master keys. If a malicious exit node replaces pakcages with ones signed by its key, pacman will not let the user install the package. {{Warning| This might not be true for other distributions derived from ARCH, for non-official repositories and for AUR}}
  
 
{{hc|/etc/pacman.conf|
 
{{hc|/etc/pacman.conf|
Line 142: Line 304:
 
...}}
 
...}}
  
==Running a Tor Server==
+
== Running a Tor server ==
 +
 
 +
The Tor network is reliant on people contributing bandwidth and setting up services. There are several ways to contribute to the network.
  
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to the network.
+
=== Running a Tor bridge ===
  
===Running a Tor bridge===
+
A Tor bridge is a Tor relay that is not listed in the public Tor directory, thus making it possible for people to connect to the Tor network when governments or ISPs block all public Tor relays.
  
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.
+
==== Configuration ====
  
====Configuration====
+
According to https://www.torproject.org/docs/bridges , make your {{ic|torrc}} be just these four lines (Default: {{ic|/etc/tor/torrc}}, or {{ic|$HOME/.torrc}} if that file is not found)
According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines:
+
:
  
 
     SocksPort 0
 
     SocksPort 0
Line 158: Line 322:
 
     Exitpolicy reject *:*
 
     Exitpolicy reject *:*
  
====Troubleshooting====
+
==== Troubleshooting ====
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you'll need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.
+
  
===Running a "Middleman" relay===
+
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps [http://www.portforward.com/ forward the port] in your router.
  
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor nodes/relays.
+
=== Running a Tor relay ===
 +
 
 +
This means that your machine will act as an entry node or forwarding relay and, unlike a bridge, it will be listed in the public Tor directory. Your IP address will be publicly visible in the Tor directory but the relay will only forward to other relays or Tor exit nodes, not directly to the internet.
 +
 
 +
==== Configuration ====
  
====Configuration====
 
 
You should at least share 20KiB/s:
 
You should at least share 20KiB/s:
  Nickname <tornickname>
+
 
  ORPort 9001
+
  Nickname ''tornickname''
 +
  ORPort 9001                   # This TCP-Port has to be opened/forwarded in your Firewall
 
  BandwidthRate 20 KB            # Throttle traffic to 20KB/s
 
  BandwidthRate 20 KB            # Throttle traffic to 20KB/s
 
  BandwidthBurst 50 KB          # But allow bursts up to 50KB/s
 
  BandwidthBurst 50 KB          # But allow bursts up to 50KB/s
  
Run Tor as middleman ( a relay):
+
Disallow exits from your relay:
 +
 
 
  ExitPolicy reject *:*
 
  ExitPolicy reject *:*
  
===Running a Tor Exit Node===
+
=== Running a Tor exit node ===
  
 
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harrasment].
 
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read [https://blog.torproject.org/running-exit-node Tips for Running an Exit Node With Minimal Harrasment].
  
====Configuration====
+
==== Configuration ====
  
 
Using the torrc, you can configure which services you wish to allow through your exit node.
 
Using the torrc, you can configure which services you wish to allow through your exit node.
 
Allow all traffic:
 
Allow all traffic:
  ExitPolicy accept *:*
+
 
 +
  ExitPolicy accept *:*
  
 
Allow only irc ports 6660-6667 to exit from node:
 
Allow only irc ports 6660-6667 to exit from node:
 +
 
  ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more
 
  ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more
  
 
By default, Tor will block certain ports. You can use the torrc to overide this.
 
By default, Tor will block certain ports. You can use the torrc to overide this.
 +
 
  ExitPolicy accept *:119        # Accept nntp as well as default exit policy
 
  ExitPolicy accept *:119        # Accept nntp as well as default exit policy
  
==TorDNS==
+
==== +100Mbps Exit Relay configuration example ====
 +
 
 +
If you run a fast exit relay (+100Mbps) with {{ic|ORPort 443}} and {{ic|DirPort 80}} (as recommended in [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu]) the following configuration changes might serve as inspiration to setup Tor alongside [[iptables]] firewall, [[Haveged]] to increase system entropy and [[pdnsd]] as DNS cache. It is important to ''first'' read [http://www.torproject.org/docs/tor-relay-debian.html.en#after Configuring a Tor relay on Debian/Ubuntu].
 +
 
 +
{{Note|See [[#Running Tor in a systemd-nspawn container with a virtual network interface]] for instructions to install Tor in a {{ic|systemd-nspawn}} container. [[Haveged]] should be installed on the container host.}}
 +
 
 +
===== Tor =====
 +
====== Raise maximum number of open file descriptors ======
 +
To handle more than 8192 connections {{ic|LimitNOFILE}} can be raised to 32768 as per [https://www.torproject.org/docs/faq.html.en#PackagedTor Tor FAQ].
 +
 
 +
{{hc|/etc/systemd/system/tor.service.d/increase-file-limits.conf|<nowiki>
 +
[Service]
 +
LimitNOFILE=32768
 +
</nowiki>}}
 +
 
 +
To succesfully raise {{ic|nofile}} limit, you may also have to append the following:
 +
 
 +
{{hc|/etc/security/limits.conf|<nowiki>
 +
...
 +
tor    soft    nofile    32768
 +
tor    hard    nofile    32768
 +
@tor    soft    nofile    32768
 +
@tor    hard    nofile    32768
 +
</nowiki>}}
 +
 
 +
Check if the {{ic|nofile}} (filedescriptor) limit is succesfully raised with {{ic|# sudo -u tor 'ulimit -Hn'}} or {{ic|# sudo -u tor bash}} and {{ic|# ulimit -Hn}}.
 +
 
 +
====== Start tor.service as root to bind Tor to privileged ports ======
 +
To bind Tor to privileged ports the service must be started as root. Please specify {{ic|User tor}} option in {{ic|/etc/tor/torrc}}.
 +
 
 +
{{hc|/etc/systemd/system/tor.service.d/start-as-root.conf|<nowiki>
 +
[Service]
 +
User=root
 +
</nowiki>}}
 +
 
 +
====== Tor configuration ======
 +
To listen on Port 80 and 443 the service need to be started as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].
 +
Use the {{ic|User tor}} option in {{ic|/etc/tor/torrc}} to properly reduce Tor’s privileges.
 +
 
 +
{{hc|/etc/tor/torrc|<nowiki>
 +
SocksPort 0                                      ## Pure relay configuration without local socks proxy
 +
 
 +
Log notice stdout                                ## Default Tor behavior
 +
 
 +
ControlPort 9051                                  ## For arm connection
 +
CookieAuthentication 1                            ## For arm connection
 +
 
 +
ORPort 443                                        ## Service must be started as root
 +
 
 +
Address $IP                                      ## IP or FQDN
 +
Nickname $NICKNAME                                ## Nickname displayed in </nowiki>[https://onionoo.torproject.org/ Onionoo]<nowiki>
 +
 
 +
RelayBandwidthRate 500 Mbits                      ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits
 +
RelayBandwidthBurst 1000 MBits                    ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits
 +
 
 +
ContactInfo $E-MAIL - $BTC-ADDRESS                ## See </nowiki>[https://oniontip.com/ OnionTip]<nowiki>
 +
 
 +
DirPort 80                                        ## Service must be started as root
 +
DirPortFrontPage /etc/tor/tor-exit-notice.html    ## Original: </nowiki>[https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html]<nowiki>
 +
 
 +
MyFamily $($KEYID),$($KEYID)...                  ## Remember $ in front of keyid(s) ;)
 +
 
 +
ExitPolicy reject XXX.XXX.XXX.XXX/XX:*            ## Block domain of public IP in addition to std. exit policy
 +
 
 +
User tor                                          ## Return to tor user after service started as root to listen on privileged ports
 +
 
 +
DisableDebuggerAttachment 0                      ## For arm connection
 +
 
 +
### Performance related options ###
 +
AvoidDiskWrites 1                                ## Reduce wear on SSD
 +
DisableAllSwap 1                                  ## Service must be started as root
 +
HardwareAccel 1                                  ## Look for OpenSSL hardware cryptographic support
 +
NumCPUs 2                                        ## Only start two threads
 +
</nowiki>}}
 +
 
 +
This configuration is based on the [https://www.torproject.org/docs/tor-manual.html.en Tor Manual].
 +
 
 +
Tor opens a socks proxy on port 9050 by default -- even if you do not configure one. Set {{ic|SocksPort 0}} if you plan to run Tor only as a relay, and not make any local application connections yourself.
 +
 
 +
{{ic|Log notice stdout}} changes logging to stdout, which is also the Tor default.
 +
{{ic|ControlPort 9051}}, {{ic|CookieAuthentication 1}} and {{ic|DisableDebuggerAttachment 0}} enables {{Pkg|arm}} to connect to Tor and display connections.
 +
 
 +
{{ic|ORPort 443}} and {{ic|DirPort 80}} lets Tor listen on port 443 and 80 and {{ic|DirPortFrontPage}} displays the [https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html tor-exit-notice.html] on port 80.
 +
 
 +
{{ic|ExitPolicy reject XXX.XXX.XXX.XXX/XX:*}} should reflect your public IP and netmask, which can be obtained with the command {{ic|# ip addr}}, so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.
 +
 
 +
{{ic|AvoidDiskWrites 1}} reduces disk writes and wear on SSD.
 +
{{ic|DisableAllSwap 1}} "will attempt to lock all current and future memory pages, so that memory cannot be paged out".
 +
 
 +
If {{ic|<nowiki># cat /proc/cpuinfo | grep aes</nowiki>}} returns that your CPU supports AES instructions and {{ic|<nowiki># lsmod | grep aes</nowiki>}} returns that the module is loaded, you can specify {{ic|HardwareAccel 1}} which tries "to use built-in (static) crypto hardware acceleration when available", see [http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration].
 +
 
 +
{{ic|ORPort 443}}, {{ic|DirPort 80}} and {{ic|DisableAllSwap 1}} require that you start the Tor service as {{ic|root}} as described in [[#Start tor.service as root to bind Tor to privileged ports]].
 +
Use the {{ic|User tor}} option to properly reduce Tor’s privileges.
 +
 
 +
===== arm =====
 +
If {{ic|ControlPort 9051}} and {{ic|CookieAuthentication 1}} is specified in {{ic|/etc/tor/torrc}}, {{Pkg|arm}} can be started with {{ic|sudo -u tor arm}}.
 +
If you want to watch Tor connections in {{Pkg|arm}} {{ic|DisableDebuggerAttachment 0}} must also be specified.
 +
 
 +
===== iptables =====
 +
Setup and learn to use [[iptables]]. Instead of being a [[Simple stateful firewall]] where connection tracking would have to track thousands of connections on a tor exit relay this firewall configuration is stateless.
 +
 
 +
{{hc|/etc/iptables/iptables.rules|<nowiki>
 +
*raw
 +
-A PREROUTING -j NOTRACK
 +
-A OUTPUT -j NOTRACK
 +
COMMIT
 +
 
 +
*filter
 +
:INPUT DROP [0:0]
 +
:FORWARD DROP [0:0]
 +
:OUTPUT ACCEPT [0:0]
 +
-A INPUT -p tcp ! --syn -j ACCEPT
 +
-A INPUT -p udp -j ACCEPT
 +
-A INPUT -p icmp -j ACCEPT
 +
-A INPUT -p tcp --dport 443 -j ACCEPT
 +
-A INPUT -p tcp --dport 80 -j ACCEPT
 +
-A INPUT -i lo -j ACCEPT
 +
COMMIT
 +
</nowiki>}}
 +
 
 +
{{ic|-A PREROUTING -j NOTRACK}} and {{ic|-A OUTPUT -j NOTRACK}} disables connection tracking in the {{ic|raw}} table.
 +
 
 +
{{ic|:INPUT DROP [0:0]}} is the default {{ic|INPUT}} target and drops input traffic we do not specifically {{ic|ACCEPT}}.
 +
 
 +
{{ic|:FORWARD DROP [0:0]}} is the default {{ic|FORWARD}} target and only relevant if the host is a normal router, not  when the host is an onion router.
 +
 
 +
{{ic|:OUTPUT ACCEPT [0:0]}} is the default {{ic|OUTPUT}} target and allows all outgoing connections.
 +
 
 +
{{ic|-A INPUT -p tcp ! --syn -j ACCEPT}} allow already established incoming TCP connections per the rules below and TCP connections established from the exit node.
 +
 
 +
{{ic|-A INPUT -p udp -j ACCEPT}} allow all incoming UDP connections because we do not use connection tracking.
 +
 
 +
{{ic|-A INPUT -p icmp -j ACCEPT}} allow [[wikipedia:Internet_Control_Message_Protocol|ICMP]].
 +
 
 +
{{ic|-A INPUT -p tcp --dport 443 -j ACCEPT}} allow incoming connections to the {{ic|ORPort}}.
 +
 
 +
{{ic|-A INPUT -p tcp --dport 80 -j ACCEPT}} allow incoming connections to the {{ic|DirPort}}.
 +
 
 +
{{ic|-A INPUT -i lo -j ACCEPT}} allows all connections on the loopback interface.
 +
 
 +
===== Haveged =====
 +
See [[Haveged]] to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see [http://www.issihosts.com/haveged/ haveged - A simple entropy daemon] and [http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged how-to-setup-additional-entropy-for-cloud-servers-using-haveged] for documentation.
 +
 
 +
===== pdnsd =====
 +
 
 +
{{Warning|This configuration assumes your network DNS resolver is trusted (uncensored).}}
 +
 
 +
You can use [[pdnsd]] to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.
 +
 
 +
{{hc|/etc/pdnsd.conf|<nowiki>
 +
...
 +
perm_cache=102400                      ## (Default value)*100 = 1MB * 100 = 100MB
 +
...
 +
server {
 +
    label= "resolvconf";
 +
    file = "/etc/pdnsd-resolv.conf";    ## Preferably do not use /etc/resolv.conf
 +
    timeout=4;                          ## Server timeout, this may be much shorter than the global timeout option.
 +
    uptest=query;                      ## Test availability using empty DNS queries.
 +
    query_test_name=".";                ## To be used if remote servers ignore empty queries.
 +
    interval=10m;                      ## Test every 10 minutes.
 +
    purge_cache=off;                    ## Ignore TTL.
 +
    edns_query=yes;                    ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.
 +
    preset=off;                        ## Assume server is down before uptest.
 +
}
 +
...
 +
</nowiki>}}
 +
 
 +
This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.
 +
 
 +
====== Uncensored DNS ======
 +
 
 +
If your local DNS recursor is in some way censored or interferes with DNS queries, see [[Resolv.conf#Alternative DNS servers]] for alternatives and add them in a seperate server-section in {{ic|/etc/pdnsd.conf}} as per [[Pdnsd#DNS servers]].
 +
 
 +
== TorDNS ==
 +
 
 
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:
 
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:
 +
 
{{hc|/etc/tor/torrc|
 
{{hc|/etc/tor/torrc|
DNSPort 9053
+
DNSPort 9053
AutomapHostsOnResolve 1
+
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
+
AutomapHostsSuffixes .exit,.onion
 
}}
 
}}
  
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].
+
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this [https://techstdout.boum.org/TorDns/ Debian-based introduction].
  
 
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:
 
DNS queries can also be performed through a command line interface by using {{Ic|<nowiki>tor-resolve</nowiki>}}. For example:
 +
 
{{bc|
 
{{bc|
 
$ tor-resolve archlinux.org
 
$ tor-resolve archlinux.org
Line 207: Line 554:
 
}}
 
}}
  
===Using TorDNS for all DNS queries===
+
=== Using TorDNS for all DNS queries ===
  
 
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:
 
It is possible to configure your system, if so desired, to use TorDNS for ''all'' queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in {{ic|/etc/tor/torrc}} to show:
 +
 
  DNSPort 53
 
  DNSPort 53
 +
 
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.
 
Alternatively, you can use a local caching DNS server, such as [[dnsmasq]] or [[pdnsd]], which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up ''dnsmasq'' for this purpose.
  
Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq (available in the [extra] respository):
+
Change the tor setting to listen for the DNS request in port 9053 and install {{Pkg|dnsmasq}}.
# pacman -S dnsmasq
+
 
 
Modify its configuration file so that it contains:
 
Modify its configuration file so that it contains:
 +
 
{{hc|/etc/dnsmasq.conf|
 
{{hc|/etc/dnsmasq.conf|
no-resolv
+
no-resolv
server&#61;127.0.0.1#9053
+
server&#61;127.0.0.1#9053
listen-address&#61;127.0.0.1
+
listen-address&#61;127.0.0.1
 
}}
 
}}
 +
 
These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS at its sole upstream provider. It is now neccessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.
 
These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS at its sole upstream provider. It is now neccessary to edit {{ic|/etc/resolv.conf}} so that your system will query only the dnsmasq server.
 +
 
{{hc|/etc/resolv.conf|
 
{{hc|/etc/resolv.conf|
nameserver 127.0.0.1
+
nameserver 127.0.0.1
 
}}
 
}}
Start the dns server with
+
 
======SysV======
+
Start the '''dnsmasq''' daemon.
# rc.d start dnsmasq
+
======systemd======
+
# systemctl start dnsmasq
+
  
 
Finally if you use ''dhcpd'' you would need to change its settings to that it does not alter the resolv configuration file. Just add this line in the configuration file:
 
Finally if you use ''dhcpd'' you would need to change its settings to that it does not alter the resolv configuration file. Just add this line in the configuration file:
 +
 
{{hc|/etc/dhcpcd.conf|
 
{{hc|/etc/dhcpcd.conf|
nohook resolv.conf
+
nohook resolv.conf
 
}}
 
}}
 +
 
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.
 
If you already have an ''nohook'' line, just add '''resolv.conf''' separated with a comma.
  
==Torify==
+
== Torify ==
 +
 
 
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:
 
'''torify''' will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:
  
''torify is a simple wrapper that calls tsocks with a tor specific configuration file. tsocks itself is a wrapper between the tsocks library and the  application  that you would like to run socksified''
+
''torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.''
  
 
Usage example:
 
Usage example:
{{bc|<nowiki>
 
$ torify elinks checkip.dyndns.org
 
$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations
 
</nowiki>}}
 
  
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{Ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:
+
$ torify elinks checkip.dyndns.org
{{bc|
+
<nowiki>$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations</nowiki>
$ tor-resolve checkip.dyndns.org
+
 
 +
Torify ''will not'', however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with {{ic|<nowiki>tor-resolve</nowiki>}} (described above). In this case, the procedure for the first of the above examples would look like this:
 +
 
 +
{{hc|$ tor-resolve checkip.dyndns.org|
 
208.78.69.70
 
208.78.69.70
$ torify elinks 208.78.69.70
 
 
}}
 
}}
  
==Troubleshooting==
+
$ torify elinks 208.78.69.70
===Problem with User value===
+
 
 +
== Transparent Torification ==
 +
 
 +
In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with [[iptables]] in such a way that all outbound packets are redirected through Tor's ''TransPort'', except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's ''SocksPort'' will still work. This also works for DNS via Tor's ''DNSPort'', but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [https://www.whonix.org/wiki/Comparison_with_Others]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like [http://tails.boum.org/ Tails] instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.
 +
 
 +
To enable transparent torification, use the following file for {{ic|iptables-restore}} and {{ic|ip6tables-restore}} (internally used by [[systemd]]'s {{ic|iptables.service}} and {{ic|ip6tables.service}}).
 +
 
 +
{{Note|
 +
This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torrify.
 +
 
 +
* Now using {{ic|--ipv6}} and {{ic|--ipv4}} for protocol specific changes. {{ic|iptables-restore}} and {{ic|ip6tables-restore}} can now use the same file.
 +
* Where --ipv6 or --ipv4 is explicitly defined, {{ic|ip*tables-restore}} will ignore the rule if it is not for the correct protocol.
 +
* {{ic|ip6tables}} does not support {{ic|--reject-with}}. Make sure your torrc contains the following lines:
 +
 
 +
SocksPort 9050
 +
DNSPort 5353
 +
TransPort 9040
 +
 
 +
See {{ic|man iptables}}.
 +
}}
 +
 
 +
{{Note|
 +
iptables-restore: unable to initialize table 'nat'
 +
 
 +
Requires:
 +
 
 +
modprobe ip_tables
 +
modprobe iptable_nat
 +
modprobe ip_conntrack
 +
modprobe iptable-filter
 +
modprobe ipt_state
 +
 
 +
}}
 +
 
 +
{{hc|/etc/iptables/iptables.rules|
 +
 
 +
*nat
 +
:PREROUTING ACCEPT [6:2126]
 +
:INPUT ACCEPT [0:0]
 +
:OUTPUT ACCEPT [17:6239]
 +
:POSTROUTING ACCEPT [6:408]
 +
 
 +
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
 +
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
 +
-A OUTPUT -o lo -j RETURN
 +
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
 +
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
 +
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
 +
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
 +
COMMIT
 +
 
 +
*filter
 +
:INPUT DROP [0:0]
 +
:FORWARD DROP [0:0]
 +
:OUTPUT DROP [0:0]
 +
 
 +
-A INPUT -i lo -j ACCEPT
 +
-A INPUT -p icmp -j ACCEPT
 +
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 +
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 +
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 +
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
 +
--ipv6 -A INPUT -j REJECT
 +
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
 +
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
 +
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
 +
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 +
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
 +
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
 +
--ipv6 -A OUTPUT -j REJECT
 +
COMMIT
 +
}}
 +
 
 +
This file also works for ip6tables-restore, so you may symlink it:
 +
 
 +
ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules
 +
 
 +
Then make sure Tor is running, and [[start/enable]] the {{ic|iptables}} and {{ic|ip6tables}} systemd units.
 +
 
 +
You may want to add {{ic|1=Requires=iptables.service}} and {{ic|1=Requires=ip6tables.service}} to whatever systemd unit logs your user in (most likely a [[display manager]]), to prevent any user processes from being started before the firewall up. See [[systemd]].
 +
 
 +
== Troubleshooting ==
 +
 
 +
=== Problem with user value ===
 +
 
 
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)
 
If the '''tor''' daemon failed to start, then run the following command as root (or use sudo)
  
Line 282: Line 716:
 
Tor should now start up correctly.
 
Tor should now start up correctly.
  
===Daemon fails on restart===
+
Still if you cannot start the tor service, run the service using root (this will switch back to the tor user). To do this, change the user name in the {{ic|/etc/tor/torrc}} file:
 +
 
 +
User tor
 +
 
 +
Now modify the systemd's tor service file {{ic|/usr/lib/systemd/system/tor.service}} as follows
 +
 
 +
[Service]
 +
User=root
 +
Group=root
 +
Type=simple
 +
 
 +
The process will be run as tor user. For this purpose change user and group ID to tor and also make it writable:
  
If after issuing {{Ic|/etc/rc.d/tor restart}} you have log entries similar to
+
# chown -R tor:tor /var/lib/tor/
 +
# chmod -R 755 /var/lib/tor
  
Interrupt: we have stopped accepting new connections, and will shut down in 30 seconds. Interrupt again to exit now
+
Now save changes:
  
and the daemon fails to start back up, a simple workaround is to open {{Ic|/etc/rc.d/tor}} in your favourite editor and increase the time waited between the shutting down and starting up again of the daemon. For example:
+
# systemctl --system daemon-reload
  
{{hc|/etc/rc.d/tor|    ;;
+
Then [[start]] {{ic|tor.service}}.
  restart)
+
    $0 stop
+
    sleep 35
+
    $0 start
+
    ;;}}
+
  
This will allow Tor to shutdown cleanly, and restart after a safe period of time. Remember that this file may be overwritten by upgrades.
+
== See also ==
  
==See Also==
 
 
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]
 
* [https://www.torproject.org/docs/tor-doc-unix.html.en Running the Tor client on Linux/BSD/Unix]
 
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]
 
* [https://trac.torproject.org/projects/tor/wiki#Unixish Unix-based Tor Articles]
 
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]
 
* [https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms Software commonly integrated with Tor]
 
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']
 
* [https://www.torproject.org/docs/tor-hidden-service.html.en How to set up a Tor ''Hidden Service'']
 +
* [https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports List of tor pluggable transports for obfuscating tor's traffic]

Latest revision as of 14:27, 15 November 2016

Related articles

Tor is an open source implementation of 2nd generation onion routing that provides free access to an anonymous proxy network. Its primary goal is to enable online anonymity by protecting against traffic analysis attacks.

Introduction

Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.

Warning: Tor by itself is not all you need to maintain your anonymity. There are several major pitfalls to watch out for (see: Want Tor to really work?).

Through this process the onion proxy manages networking traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. One trade off that has to be made for the anonymity Tor provides is that it can be considerably slower than a regular direct connection, due to the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).

See Wikipedia:Tor (anonymity network) for more information.

Installation

Install the tor package.

The arm (Anonymizing Relay Monitor) package provides a terminal status monitor for bandwidth usage, connection details and more.

For a GUI, you can use vidaliaAUR.

Warning: Vidalia is discontinued and no longer supported by the Tor Project. Please see https://blog.torproject.org/blog/plain-vidalia-bundles-be-discontinued-dont-panic

Configuration

By default Tor reads configurations from the file /etc/tor/torrc. The configuration options are explained in man tor and the Tor website. The default configuration should work fine for most Tor users.

There are potential conflicts between configurations in torrc and those in tor.service.

  • In torrc, RunAsDaemon should, as by default, be set to 0, since Type=simple is set in the [Service] section in tor.service.
  • In torrc, User should not be set unless User= is set to root in the [Service] section in tor.service.

Relay Configuration

The maximum file descriptor number that can be opened by Tor can be set with LimitNOFILE in tor.service. Fast relays may want to increase this value.

If your computer is not running a webserver, and you have not set AccountingMax, consider changing your ORPort to 443 and/or your DirPort to 80. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor relay. If you are already using ports 80 and 443, other useful ports are 22, 110, and 143.[1] But since these are privileged ports, to do so Tor must be run as root, by setting User=root in tor.service and User tor in torrc.

You may wish to review Lifecycle of a New Relay Tor documentation.

Running Tor in a Chroot

Warning: Connecting with telnet to the local ControlPort seems to be broken while running Tor in a chroot

For security purposes, it may be desirable to run Tor in a chroot. The following script will create an appropriate chroot in /opt/torchroot:

~/torchroot-setup.sh
#!/bin/bash
export TORCHROOT=/opt/torchroot

mkdir -p $TORCHROOT
mkdir -p $TORCHROOT/etc/tor
mkdir -p $TORCHROOT/dev
mkdir -p $TORCHROOT/usr/bin
mkdir -p $TORCHROOT/usr/lib
mkdir -p $TORCHROOT/usr/share/tor
mkdir -p $TORCHROOT/var/lib

ln -s /usr/lib  $TORCHROOT/lib
cp /etc/hosts           $TORCHROOT/etc/
cp /etc/host.conf       $TORCHROOT/etc/
cp /etc/localtime       $TORCHROOT/etc/
cp /etc/nsswitch.conf   $TORCHROOT/etc/
cp /etc/resolv.conf     $TORCHROOT/etc/
cp /etc/tor/torrc       $TORCHROOT/etc/tor/

cp /usr/bin/tor         $TORCHROOT/usr/bin/
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/
cp -r /var/lib/tor      $TORCHROOT/var/lib/
chown -R tor:tor $TORCHROOT/var/lib/tor

sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"

mknod -m 644 $TORCHROOT/dev/random c 1 8
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
mknod -m 666 $TORCHROOT/dev/null c 1 3

if [[ "$(uname -m)" == "x86_64" ]]; then
  cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
  ln -sr /usr/lib64 $TORCHROOT/lib64
  ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
fi

After running the script as root, Tor can be launched in the chroot with the command:

# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor

or if you use systemd overload the service:

/etc/systemd/system/tor.service.d/chroot.conf
[Service]
User=root
ExecStart=
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"
KillSignal=SIGINT

Running Tor in a systemd-nspawn container with a virtual network interface

In this example we will create a systemd-nspawn container named tor-exit with a virtual macvlan network interface.

See Systemd-nspawn and systemd-networkd for full documentation.

Host installation and configuration

In this example the container will reside in /srv/container:

# mkdir /srv/container/tor-exit

Install the arch-install-scripts.

Install base, tor and arm and deselect linux as per Systemd-nspawn#Installation with pacstrap[broken link: invalid section]:

# pacstrap -i -c -d /srv/container/tor-exit base tor arm

Create directory if it does not exist:

# mkdir /var/lib/container
Note: Symlinks for nspawn are currently broken (as of 2016-02-04; see https://github.com/systemd/systemd/issues/2001), and will give you a "too many levels of symlinks" error. As a (possibly insecure) workaround, simply pacstrap your install to the container directory instead.

Symlink to register the container on the host, as per Systemd-nspawn#Boot your container at your machine startup[broken link: invalid section]:

# ln -s /srv/container/tor-exit /var/lib/container/tor-exit

Virtual network interface

Create a Dropin directory for the container service:

# mkdir /etc/systemd/system/systemd-nspawn@tor-exit.service.d
/etc/systemd/system/systemd-nspawn@tor-exit.service.d/tor-exit.conf
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --network-macvlan=$INTERFACE --private-network --directory=/var/lib/container/%i
LimitNOFILE=32768

--network-macvlan=$INTERFACE --private-network automagically creates a macvlan named mv-$INTERFACE inside the container, which is not visible from the host. --private-network is implied by --network-macvlan= according to man systemd-nspawn. This is advisable for security as it will allow you to give a private IP to the container, and it won't know what your machine's IP is. This can help obscure DNS requests.

LimitNOFILE=32768 per #Raise maximum number of open file descriptors.

Setup systemd-networkd according to your network in /srv/container/tor-exit/etc/systemd/network/mv-$INTERFACE.network.

Start and enable systemd-nspawn

Start and enable systemd-nspawn@tor-exit.service.

Container configuration

# machinectl login tor-exit login to the container, see Systemd-nspawn#machinectl command[broken link: invalid section].

# mv /srv/container/tor-exit/etc/securetty /srv/container/tor-exit/etc/securetty.bak if you get the error described in Systemd-nspawn#Troubleshooting.

Start and enable systemd-networkd

Start and enable systemd-networkd.service. networkctl displays if systemd-networkd is correctly configured.

Configure Tor

See #Running a Tor server.

Tip: It is easier to edit files in the container from the host with your normal editor.

Usage

Start/enable tor.service using systemd. Alternatively, launch it with sudo -u tor /usr/bin/tor.

To use a program over tor, configure it to use 127.0.0.1 or localhost as a SOCKS5 proxy, with port 9050 (plain tor with standard settings). To check if Tor is functioning properly visit the Tor, Harvard or Xenobite.eu websites.

Web browsing

The Tor Project currently only supports web browsing with tor through the Tor Browser Bundle, which can be downloaded from the AUR. It is built with a patched version of the Firefox extended support releases. Tor can also be used with regular Firefox, Chromium and other browsers, but this is not recommended by the Tor Project.

Tip: For makepkg to verify the signature on the AUR source tarball download for TBB, import the signing keys from the Tor Project (currently 2E1AC68ED40814E0) as explained in GnuPG#Import_a_public_key.

Firefox

In Preferences > Advanced > Network tab > Settings manually set Firefox to use the SOCKS proxy localhost with port 9050. Then you must type about:config into the address bar and void your warranty. Change network.proxy.socks_remote_dns to true and restart the browser. This channels all DNS requests through TOR's socks proxy.

Chromium

You can simply run:

$ chromium --proxy-server="socks5://myproxy:8080" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE myproxy"

The --proxy-server="socks5://myproxy:8080" flag tells Chrome to send all http:// and https:// URL requests through the SOCKS proxy server "myproxy:8080", using version 5 of the SOCKS protocol. The hostname for these URLs will be resolved by the proxy server, and not locally by Chrome.

NOTE: proxying of ftp:// URLs through a SOCKS proxy is not yet implemented.

The --proxy-server flag applies to URL loads only. There are other components of Chrome which may issue DNS resolves directly and hence bypass this proxy server. The most notable such component is the "DNS prefetcher".Hence if DNS prefetching is not disabled in Chrome then you will still see local DNS requests being issued by Chrome despite having specified a SOCKS v5 proxy server. Disabling DNS prefetching would solve this problem, however it is a fragile solution since once needs to be aware of all the areas in Chrome which issue raw DNS requests. To address this, the next flag, --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE myproxy", is a catch-all to prevent Chrome from sending any DNS requests over the network. It says that all DNS resolves are to be simply mapped to the (invalid) address 0.0.0.0. The "EXCLUDE" clause make an exception for "myproxy", because otherwise Chrome would be unable to resolve the address of the SOCKS proxy server itself, and all requests would necessarily fail with PROXY_CONNECTION_FAILED.

Debug:

The first thing to check when debugging is look at the Proxy tab on about:net-internals, and verify what the effective proxy settings are: chrome://net-internals/#proxy

Next, take a look at the DNS tab of about:net-internals to make sure Chrome isn't issuing local DNS resolves: chrome://net-internals/#dns

Note that in versions of Chrome after r186548, you can do this more concisely by mapping to ~NOTFOUND rather than 0.0.0.0. Just as with Firefox, you can setup a fast switch for example through Proxy SwitchySharp.

Once installed enter in its configuration page. Under the tab Proxy Profiles add a new profile Tor, if ticked untick the option Use the same proxy server for all protocols, then add localhost as SOCKS Host, 9050 to the respective port and select SOCKS v5.

Optionally you can enable the quick switch under the General tab to be able to switch beetween normal navigation and Tor network just by left-clicking on the Proxy SwitchySharp's icon.

Luakit

Warning: It will not be hard for an observer to identify you by the rare user-agent string, and there may be further issues with Flash, JavaScript or similar.

You can simply run:

$ torify luakit

HTTP proxy

Tor can be used with an HTTP proxy like Polipo or Privoxy, however the Tor dev team recommends using the SOCKS5 library since browsers directly support it.

Firefox

The FoxyProxy add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox manually set Firefox to port 8118 on localhost, which is where Polipo or Privoxy are running. These settings can be access under Add > Standard proxy type. Select a proxy label (e.g Tor) and enter the port and host into the HTTP Proxy and SSL Proxy fields. To check if Tor is functioning properly visit the Tor Check website and toggle Tor.

Polipo

The Tor Project has created a custom Polipo configuration file to prevent potential problems with Polipo as well to provide better anonymity.

Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use Chromium with Tor, you do not need the Polipo package (see: #Chromium).

Privoxy

You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies you can connect to Privoxy (i.e. 127.0.0.1:8118). To use SOCKS proxy directly, you can point your application at Tor (i.e. 127.0.0.1:9050). A problem with this method though is that applications doing DNS resolves by themselves may leak information. Consider using Socks4A (e.g. with Privoxy) instead.

Instant messaging

In order to use an IM client with tor, we do not need an http proxy like polipo/privoxy. We will be using tor's daemon directly which listens to port 9050 by default.

Pidgin

You can set up Pidgin to use Tor globally, or per account. To use Tor globally, go to Tools -> Preferences -> Proxy. To use Tor for specific accounts, go to Accounts > Manage Accounts, select the desired account, click Modify, then go to the Proxy tab. The proxy settings are as follows:

Proxy type SOCKS5
Host 127.0.0.1
Port 9150

Note that some time in 2013 the Port has changed from 9050 to 9150 if you use the Tor Browser Bundle. Try the other value if you receive a "Connection refused" message.

Irssi

Tango-view-refresh-red.pngThis article or section is out of date.Tango-view-refresh-red.png

Reason: cap_sasl.pl is broken with perl 5.20; SSL does also not work with torsocks (Discuss in Talk:Tor#)

Freenode recommends connecting to .onion directly. It also requires charybdis and ircd-seven's SASL mechanism for identifying to nickserv during connection; see Irssi#Authenticating with SASL. Start irssi:

$ torsocks irssi

Set your identification to nickserv, which will be read when connecting. Supported mechanisms are ECDSA-NIST256P-CHALLENGE (see ecdsatool) and PLAIN. DH-BLOWFISH is no longer supported.

/sasl set network username password mechanism

Disable CTCP and DCC and set a different hostname to prevent information disclosure: [2]

/ignore * CTCPS
/ignore * DCC
/set hostname fake_host

Connect to Freenode:

/connect -network network frxleqtzgvwkv7oz.onion

For more information check Accessing freenode Via Tor, SASL README or IRC/SILC Wiki article.

Pacman

Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network.

Advantages:

  • Attackers that can monitor your Internet connection and that specifically targets your machine cannot watch the updates anymore and, because of that, they cannot deduce the packages you have installed, how up to date they are, when or how frequently you update them. An attacker can still learn what software and the versions you use by other means, for instance watching the packets from your http server or probing the machine will show that you have an http server installed and its version.
  • If the mirror is not an onion, a malicious exit nodes you are going trough can watch the updates, and may decide to attack you, however they probably cannot know who they are attacking.
  • Attackers trying to make your machine believe that there are no new updates to prevent it from getting security fixes will have a harder time doing it since they cannot target your machine specifically.

Disadvantages:

  • Longer updates times due to Longer latency and lower throughput. This can be a big security risk if/when the updates needs to be done as fast as possible, especially on machines directly connected to the Internet. That is the case when there is a huge security flaw, and that the flaws are fast to probe, easy to exploit, and that attackers have already started targeting as many systems as they can before the systems are updated.

Reliability with Tor:

  • You don't need a working DNS anymore.
  • You depend on the Tor network and the exit nodes not blocking the updates.
  • You depend on the Tor daemon to work properly. The Tor daemon may not work if there is no more disk space available to it. "Reserved blocks gid:" in ext4, quotas, or other means can fix that.
  • If you are in a country where Tor is blocked, or that there are almost or no Tor users at all, you should use bridges.

Note on gpg:

On stock arch, pacman only trust keys which are either signed by you (That can be done with pacman-key --lsign-key) or signed by 2 of 5 Arch master keys. If a malicious exit node replaces pakcages with ones signed by its key, pacman will not let the user install the package.
Warning: This might not be true for other distributions derived from ARCH, for non-official repositories and for AUR
/etc/pacman.conf
...
XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o
...

Running a Tor server

The Tor network is reliant on people contributing bandwidth and setting up services. There are several ways to contribute to the network.

Running a Tor bridge

A Tor bridge is a Tor relay that is not listed in the public Tor directory, thus making it possible for people to connect to the Tor network when governments or ISPs block all public Tor relays.

Configuration

According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines (Default: /etc/tor/torrc, or $HOME/.torrc if that file is not found)

   SocksPort 0
   ORPort 443
   BridgeRelay 1
   Exitpolicy reject *:*

Troubleshooting

If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you will need to pick a higher ORPort (e.g. 8080), or perhaps forward the port in your router.

Running a Tor relay

This means that your machine will act as an entry node or forwarding relay and, unlike a bridge, it will be listed in the public Tor directory. Your IP address will be publicly visible in the Tor directory but the relay will only forward to other relays or Tor exit nodes, not directly to the internet.

Configuration

You should at least share 20KiB/s:

Nickname tornickname
ORPort 9001                    # This TCP-Port has to be opened/forwarded in your Firewall
BandwidthRate 20 KB            # Throttle traffic to 20KB/s
BandwidthBurst 50 KB           # But allow bursts up to 50KB/s

Disallow exits from your relay:

ExitPolicy reject *:*

Running a Tor exit node

Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed host, the request will appear as having originated from your machine. This means that running an exit node is generally considered more legally onerous than running other forms of Tor relays. Before becoming an exit relay, you may want to read Tips for Running an Exit Node With Minimal Harrasment.

Configuration

Using the torrc, you can configure which services you wish to allow through your exit node. Allow all traffic:

ExitPolicy accept *:*

Allow only irc ports 6660-6667 to exit from node:

ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more

By default, Tor will block certain ports. You can use the torrc to overide this.

ExitPolicy accept *:119        # Accept nntp as well as default exit policy

+100Mbps Exit Relay configuration example

If you run a fast exit relay (+100Mbps) with ORPort 443 and DirPort 80 (as recommended in Configuring a Tor relay on Debian/Ubuntu) the following configuration changes might serve as inspiration to setup Tor alongside iptables firewall, Haveged to increase system entropy and pdnsd as DNS cache. It is important to first read Configuring a Tor relay on Debian/Ubuntu.

Note: See #Running Tor in a systemd-nspawn container with a virtual network interface for instructions to install Tor in a systemd-nspawn container. Haveged should be installed on the container host.
Tor
Raise maximum number of open file descriptors

To handle more than 8192 connections LimitNOFILE can be raised to 32768 as per Tor FAQ.

/etc/systemd/system/tor.service.d/increase-file-limits.conf
[Service]
LimitNOFILE=32768

To succesfully raise nofile limit, you may also have to append the following:

/etc/security/limits.conf
...
tor     soft    nofile    32768
tor     hard    nofile    32768
@tor    soft    nofile    32768
@tor    hard    nofile    32768

Check if the nofile (filedescriptor) limit is succesfully raised with # sudo -u tor 'ulimit -Hn' or # sudo -u tor bash and # ulimit -Hn.

Start tor.service as root to bind Tor to privileged ports

To bind Tor to privileged ports the service must be started as root. Please specify User tor option in /etc/tor/torrc.

/etc/systemd/system/tor.service.d/start-as-root.conf
[Service]
User=root
Tor configuration

To listen on Port 80 and 443 the service need to be started as root as described in #Start tor.service as root to bind Tor to privileged ports. Use the User tor option in /etc/tor/torrc to properly reduce Tor’s privileges.

/etc/tor/torrc
SocksPort 0                                       ## Pure relay configuration without local socks proxy

Log notice stdout                                 ## Default Tor behavior

ControlPort 9051                                  ## For arm connection
CookieAuthentication 1                            ## For arm connection

ORPort 443                                        ## Service must be started as root

Address $IP                                       ## IP or FQDN
Nickname $NICKNAME                                ## Nickname displayed in Onionoo

RelayBandwidthRate 500 Mbits                      ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits
RelayBandwidthBurst 1000 MBits                    ## bytes|KBytes|MBytes|GBytes|KBits|MBits|GBits

ContactInfo $E-MAIL - $BTC-ADDRESS                ## See OnionTip

DirPort 80                                        ## Service must be started as root
DirPortFrontPage /etc/tor/tor-exit-notice.html    ## Original: https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-notice.html

MyFamily $($KEYID),$($KEYID)...                   ## Remember $ in front of keyid(s) ;)

ExitPolicy reject XXX.XXX.XXX.XXX/XX:*            ## Block domain of public IP in addition to std. exit policy

User tor                                          ## Return to tor user after service started as root to listen on privileged ports

DisableDebuggerAttachment 0                       ## For arm connection

### Performance related options ###
AvoidDiskWrites 1                                 ## Reduce wear on SSD
DisableAllSwap 1                                  ## Service must be started as root
HardwareAccel 1                                   ## Look for OpenSSL hardware cryptographic support
NumCPUs 2                                         ## Only start two threads

This configuration is based on the Tor Manual.

Tor opens a socks proxy on port 9050 by default -- even if you do not configure one. Set SocksPort 0 if you plan to run Tor only as a relay, and not make any local application connections yourself.

Log notice stdout changes logging to stdout, which is also the Tor default. ControlPort 9051, CookieAuthentication 1 and DisableDebuggerAttachment 0 enables arm to connect to Tor and display connections.

ORPort 443 and DirPort 80 lets Tor listen on port 443 and 80 and DirPortFrontPage displays the tor-exit-notice.html on port 80.

ExitPolicy reject XXX.XXX.XXX.XXX/XX:* should reflect your public IP and netmask, which can be obtained with the command # ip addr, so exit connections cannot connect to the host or neighboring machines public IP and circumvent firewalls.

AvoidDiskWrites 1 reduces disk writes and wear on SSD. DisableAllSwap 1 "will attempt to lock all current and future memory pages, so that memory cannot be paged out".

If # cat /proc/cpuinfo | grep aes returns that your CPU supports AES instructions and # lsmod | grep aes returns that the module is loaded, you can specify HardwareAccel 1 which tries "to use built-in (static) crypto hardware acceleration when available", see http://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration.

ORPort 443, DirPort 80 and DisableAllSwap 1 require that you start the Tor service as root as described in #Start tor.service as root to bind Tor to privileged ports. Use the User tor option to properly reduce Tor’s privileges.

arm

If ControlPort 9051 and CookieAuthentication 1 is specified in /etc/tor/torrc, arm can be started with sudo -u tor arm. If you want to watch Tor connections in arm DisableDebuggerAttachment 0 must also be specified.

iptables

Setup and learn to use iptables. Instead of being a Simple stateful firewall where connection tracking would have to track thousands of connections on a tor exit relay this firewall configuration is stateless.

/etc/iptables/iptables.rules
*raw
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp ! --syn -j ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT

-A PREROUTING -j NOTRACK and -A OUTPUT -j NOTRACK disables connection tracking in the raw table.

:INPUT DROP [0:0] is the default INPUT target and drops input traffic we do not specifically ACCEPT.

:FORWARD DROP [0:0] is the default FORWARD target and only relevant if the host is a normal router, not when the host is an onion router.

:OUTPUT ACCEPT [0:0] is the default OUTPUT target and allows all outgoing connections.

-A INPUT -p tcp ! --syn -j ACCEPT allow already established incoming TCP connections per the rules below and TCP connections established from the exit node.

-A INPUT -p udp -j ACCEPT allow all incoming UDP connections because we do not use connection tracking.

-A INPUT -p icmp -j ACCEPT allow ICMP.

-A INPUT -p tcp --dport 443 -j ACCEPT allow incoming connections to the ORPort.

-A INPUT -p tcp --dport 80 -j ACCEPT allow incoming connections to the DirPort.

-A INPUT -i lo -j ACCEPT allows all connections on the loopback interface.

Haveged

See Haveged to decide if your system generates enough entropy to handle a lot of OpenSSL connections, see haveged - A simple entropy daemon and how-to-setup-additional-entropy-for-cloud-servers-using-haveged for documentation.

pdnsd
Warning: This configuration assumes your network DNS resolver is trusted (uncensored).

You can use pdnsd to cache DNS queries locally, so the exit relay can resolve DNS faster and the exit relay does not forward all DNS queries to an external DNS recursor.

/etc/pdnsd.conf
...
perm_cache=102400                       ## (Default value)*100 = 1MB * 100 = 100MB
...
server {
    label= "resolvconf";
    file = "/etc/pdnsd-resolv.conf";    ## Preferably do not use /etc/resolv.conf
    timeout=4;                          ## Server timeout, this may be much shorter than the global timeout option.
    uptest=query;                       ## Test availability using empty DNS queries. 
    query_test_name=".";                ## To be used if remote servers ignore empty queries.
    interval=10m;                       ## Test every 10 minutes.
    purge_cache=off;                    ## Ignore TTL.
    edns_query=yes;                     ## Use EDNS for outgoing queries to allow UDP messages larger than 512 bytes. May cause trouble with some legacy systems.
    preset=off;                         ## Assume server is down before uptest.
 }
...

This configuration stub shows how to cache queries to your normal DNS recursor locally and increase pdnsd cache size to 100MB.

Uncensored DNS

If your local DNS recursor is in some way censored or interferes with DNS queries, see Resolv.conf#Alternative DNS servers for alternatives and add them in a seperate server-section in /etc/pdnsd.conf as per Pdnsd#DNS servers.

TorDNS

The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:

/etc/tor/torrc
DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this Debian-based introduction.

DNS queries can also be performed through a command line interface by using tor-resolve. For example:

$ tor-resolve archlinux.org
66.211.214.131

Using TorDNS for all DNS queries

It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in /etc/tor/torrc to show:

DNSPort 53

Alternatively, you can use a local caching DNS server, such as dnsmasq or pdnsd, which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up dnsmasq for this purpose.

Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq.

Modify its configuration file so that it contains:

/etc/dnsmasq.conf
no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1

These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS at its sole upstream provider. It is now neccessary to edit /etc/resolv.conf so that your system will query only the dnsmasq server.

/etc/resolv.conf
nameserver 127.0.0.1

Start the dnsmasq daemon.

Finally if you use dhcpd you would need to change its settings to that it does not alter the resolv configuration file. Just add this line in the configuration file:

/etc/dhcpcd.conf
nohook resolv.conf

If you already have an nohook line, just add resolv.conf separated with a comma.

Torify

torify will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:

torify is a simple wrapper that attempts to find the best underlying Tor wrapper available on a system. It calls torsocks with a tor specific configuration file.

Usage example:

$ torify elinks checkip.dyndns.org
$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations

Torify will not, however, perform DNS lookups through the Tor network. A workaround is to use it in conjunction with tor-resolve (described above). In this case, the procedure for the first of the above examples would look like this:

$ tor-resolve checkip.dyndns.org
208.78.69.70
$ torify elinks 208.78.69.70

Transparent Torification

In some cases it is more secure and often easier to transparently torify an entire system instead of configuring individual applications to use Tor's socks port, not to mention preventing DNS leaks. Transparent torification can be done with iptables in such a way that all outbound packets are redirected through Tor's TransPort, except the Tor traffic itself. Once in place, applications do not need to be configured to use Tor, though Tor's SocksPort will still work. This also works for DNS via Tor's DNSPort, but realize that Tor only supports TCP, thus UDP packets other than DNS cannot be sent through Tor and therefore must be blocked entirely to prevent leaks. Using iptables to transparently torify a system affords comparatively strong leak protection, but it is not a substitute for virtualized torification applications such as Whonix, or TorVM [3]. Transparent torification also will not protect against fingerprinting attacks on its own, so it is recommended to use it in conjunction with the Tor Browser (search the AUR for the version you want: https://aur.archlinux.org/packages/?K=tor-browser) or to use an amnesic solution like Tails instead. Applications can still learn your computer's hostname, MAC address, serial number, timezone, etc. and those with root privileges can disable the firewall entirely. In other words, transparent torification with iptables protects against accidental connections and DNS leaks by misconfigured software, it is not sufficient to protect against malware or software with serious security vulnerabilities.

To enable transparent torification, use the following file for iptables-restore and ip6tables-restore (internally used by systemd's iptables.service and ip6tables.service).

Note:

This file uses the nat table to force outgoing connections through the TransPort or DNSPort, and blocks anything it cannot torrify.

  • Now using --ipv6 and --ipv4 for protocol specific changes. iptables-restore and ip6tables-restore can now use the same file.
  • Where --ipv6 or --ipv4 is explicitly defined, ip*tables-restore will ignore the rule if it is not for the correct protocol.
  • ip6tables does not support --reject-with. Make sure your torrc contains the following lines:
SocksPort 9050
DNSPort 5353
TransPort 9040

See man iptables.

Note:

iptables-restore: unable to initialize table 'nat'

Requires:

modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe iptable-filter
modprobe ipt_state
/etc/iptables/iptables.rules

*nat
:PREROUTING ACCEPT [6:2126]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [17:6239]
:POSTROUTING ACCEPT [6:408]

-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT

This file also works for ip6tables-restore, so you may symlink it:

ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules

Then make sure Tor is running, and start/enable the iptables and ip6tables systemd units.

You may want to add Requires=iptables.service and Requires=ip6tables.service to whatever systemd unit logs your user in (most likely a display manager), to prevent any user processes from being started before the firewall up. See systemd.

Troubleshooting

Problem with user value

If the tor daemon failed to start, then run the following command as root (or use sudo)

# tor

If you get the following error

May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.
May 23 00:27:24.624 [err] Reading config failed--see warnings above.

Then it means that the problem is with the User value, which likely means that one or more files or directories in your /var/lib/tor directory is not owned by tor. This can be determined by using the following find command:

find /var/lib/tor/ ! -user tor

Any files or directories listed in the output from this command needs to have its ownership changed. This can be done individually for each file like so:

chown tor:tor /var/lib/tor/filename

Or to change everything listed by the above find example, modify the command to this:

find /var/lib/tor/ ! -user tor -exec chown tor:tor {} \;

Tor should now start up correctly.

Still if you cannot start the tor service, run the service using root (this will switch back to the tor user). To do this, change the user name in the /etc/tor/torrc file:

User tor

Now modify the systemd's tor service file /usr/lib/systemd/system/tor.service as follows

[Service]
User=root
Group=root
Type=simple

The process will be run as tor user. For this purpose change user and group ID to tor and also make it writable:

# chown -R tor:tor /var/lib/tor/
# chmod -R 755 /var/lib/tor

Now save changes:

# systemctl --system daemon-reload

Then start tor.service.

See also