Tor is an open source implementation of 2nd generation onion routing that provides free access to an anonymous proxy network. Its primary goal is to enable online anonymity by protecting against traffic analysis attacks.
- 1 Introduction
- 2 Installation
- 3 Configuration
- 4 Usage
- 5 Web browsing
- 6 HTTP Proxy
- 7 Instant Messaging
- 8 Irssi
- 9 Pacman
- 10 Running a Tor Server
- 11 Running a Tor bridge
- 12 Running a "Middleman" relay
- 13 Running a Tor Exit Node
- 14 TorDNS
- 15 Torify
- 16 Troubleshooting
- 17 See Also
Users of the Tor network run an onion proxy on their machine. This software connects out to Tor, periodically negotiating a virtual circuit through the Tor network. Tor employs cryptography in a layered manner (hence the 'onion' analogy), ensuring perfect forward secrecy between routers. At the same time, the onion proxy software presents a SOCKS interface to its clients. SOCKS-aware applications may be pointed at Tor, which then multiplexes the traffic through a Tor virtual circuit.
Through this process the onion proxy manages network traffic for end-user anonymity. It keeps a user anonymous by encrypting traffic, sending it through other nodes of the Tor network, and decrypting it at the last node to receive your traffic before forwarding it to the server you specified. Although Tor is considerably safer than the commonly used direct connections (i.e. without a proxy), it can be considerably slower because of the large amount of traffic re-routing. Additionally, although Tor provides protection against traffic analysis, it cannot prevent traffic confirmation at the boundaries of the Tor network (i.e. the traffic entering and exiting the network).
Additionally, Vidalia, a Qt frontend for Tor, is available as a package. In addition to controlling the Tor process, Vidalia allows you to view and configure the status of Tor, monitor bandwidth usage, and view, filter, and search log messages.
To get a better understanding of Tor, review the /etc/tor/torrc configuration file. The configuration options are explained in man tor and on the Tor website. The default configuration should work fine for most Tor users.
You can set custom file descriptor ulimits for Tor in /etc/conf.d/tor using the TOR_MAX_FD variable. This sets a limit on the maximum number of open files.
By default Tor logs to stdout with a log-level of "notice". If system logging is enabled in the torrc configuration file, it will default to
You can launch Tor from the command line or via a GUI like Vidalia. Start the tor daemon and add it to the DAEMONS array to have it start automatically.
To use a program over tor, configure it to use 127.0.0.1 or localhost as SOCKS5 proxy, with port 9050 (plain tor with standard settings) or port 9051 (configuration with vidalia, standard settings).
To check if Tor is functioning properly visit the Tor, Harvard or Xenobite.eu websites.
In Preferences > Advanced > Network tab > Settings, manually set Firefox to use the SOCKS proxy localhost with port
Alternatively, install the Tor Browser Bundle (i.e. from the AUR). This allows you to toggle easily between Tor browsing and normal browsing instead of changing the preferences each time.
You can simply run:
$ chromium --proxy-server="socks://localhost:9050"
As with Firefox, you can set up a quick switch, for example through the Proxy SwitchySharp extension.
Once installed, open its configuration page. Under the tab Proxy Profiles add a new profile named Tor; if ticked, untick the option Use the same proxy server for all protocols, then add localhost as SOCKS Host, 9050 as the respective port and select SOCKS v5.
Optionally you can enable the quick switch under the General tab to be able to switch between normal browsing and the Tor network just by left-clicking on the Proxy SwitchySharp icon.
The FoxyProxy add-on allows you to specify multiple proxies for different URLs or for all your browsing. After restarting Firefox, manually set Firefox to use the port on localhost where Polipo or Privoxy is running. These settings can be accessed under Add > Standard proxy type. Select a proxy label (e.g. Tor) and enter the port and host into the HTTP Proxy and SSL Proxy fields. To check if Tor is functioning properly, visit the Tor Check website and toggle Tor.
The Tor Project has created a custom Polipo configuration file to prevent potential problems with Polipo as well to provide better anonymity.
Keep in mind that Polipo is not required if you can use a SOCKS 5 proxy, which Tor starts automatically on port 9050. If you want to use Chromium with Tor, you do not need the Polipo package (see: #Chromium).
You can also use this setup in other applications like messaging (e.g. Jabber, IRC). Applications that support HTTP proxies can be pointed at Privoxy (i.e. 127.0.0.1:8118). To use a SOCKS proxy directly, you can point your application at Tor (i.e. 127.0.0.1:9050). A problem with this method is that applications doing DNS resolution by themselves may leak information. Consider using SOCKS4a (e.g. with Privoxy) instead.
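As an added illustration (not part of the original article) of the DNS-leak point above: the bytes an application sends to Tor's SOCKS port differ depending on whether it resolved the hostname itself (the lookup already left the machine in the clear) or handed the name to Tor for resolution inside the network. The hostnames and addresses below are constructed.

```python
"""Added example: SOCKS4 vs SOCKS4a vs SOCKS5-hostname CONNECT requests,
and a check that tells which of them imply a local (leaking) DNS lookup."""
import socket
import struct


def socks4_connect(ip: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4 CONNECT carries a literal IPv4 address: the application must
    have resolved the name itself, so the DNS query bypassed Tor."""
    return struct.pack("!BBH", 0x04, 0x01, port) + socket.inet_aton(ip) + user + b"\x00"


def socks4a_connect(host: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: the IP field is 0.0.0.x (x != 0) and the hostname
    follows the userid, so the proxy (Tor) performs the resolution."""
    return (struct.pack("!BBH", 0x04, 0x01, port) + b"\x00\x00\x00\x01"
            + user + b"\x00" + host.encode("idna") + b"\x00")


def socks5_connect_hostname(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=0x03 (domain name), again resolved by Tor.
    (The SOCKS5 method negotiation that precedes this is omitted.)"""
    name = host.encode("idna")
    return (struct.pack("!BBBB", 0x05, 0x01, 0x00, 0x03)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def leaks_dns(request: bytes) -> bool:
    """Return True when a SOCKS CONNECT request carries a literal IP address,
    i.e. the name was resolved outside Tor before the request was built."""
    if request[0] == 0x04:
        ip = request[4:8]
        # SOCKS4a convention: 0.0.0.x with x != 0 means "hostname follows"
        return not (ip[:3] == b"\x00\x00\x00" and ip[3] != 0)
    if request[0] == 0x05:
        return request[3] in (0x01, 0x04)  # ATYP 0x01 = IPv4, 0x04 = IPv6
    raise ValueError("not a SOCKS4/SOCKS5 request")


if __name__ == "__main__":
    for req in (socks4_connect("192.0.2.10", 6667),
                socks4a_connect("irc.example.org", 6667),
                socks5_connect_hostname("check.torproject.org", 443)):
        print(req.hex(), "leaks DNS" if leaks_dns(req) else "resolved by Tor")
```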
In Pidgin, browse to Preferences -> Proxy and edit it to read:
Proxy type: SOCKS5
Host: 127.0.0.1
Port: 9050
From now on Pidgin will use Tor. In some cases, depending on how the different accounts in your IM services are configured, you may need to change their proxy settings as well. Go to Accounts -> Manage Accounts, select the account you wish to modify, and set the Proxy tab to read:
Proxy type: Use Global Proxy Settings
Freenode does not recommend using Privoxy with Irssi. Instead they recommend the mapaddress approach and starting Irssi with torify irssi. Therefore, add the following mapaddress line to the Tor configuration:
mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion
Freenode requires charybdis and ircd-seven's SASL mechanism for identifying to NickServ. Download cap_sasl.pl, which enables SASL in Irssi, from the Freenode website (i.e. http://www.freenode.net/sasl/cap_sasl.pl).
Then install the required Perl modules from the AUR.
Alternatively, you can install the modules using perl:
$ perl -MCPAN -e 'install Crypt::OpenSSL::Bignum Crypt::DH Crypt::Blowfish'
Start Irssi through Tor:
$ torify irssi
Load the script that will employ the SASL mechanism.
/script load cap_sasl.pl
Set your identification to nickserv, which will be read when connecting. Supported mechanisms are PLAIN and DH-BLOWFISH.
/sasl set <network> <username> <password> <mechanism>
Connect to Freenode:
/connect -network <network> 10.40.40.40
If you are receiving errors check the Cannot Connect to Freenode IRC using Irssi & Tor thread on the Arch Linux forums.
Pacman download operations (repository DBs, packages, and public keys) can be done using the Tor network. Though relatively extreme, this measure is useful to prevent an adversary (most likely at one's LAN or the mirror) from knowing a subset of the packages you have installed, at the cost of longer latency, lower throughput, possible suspicion, and possible failure (if Tor is being filtered via the current connection).
...
XferCommand = /usr/bin/curl --socks5-hostname localhost:9050 -C - -f %u > %o
...
Running a Tor Server
The Tor network is reliant on people contributing bandwidth. There are several ways to contribute to network.
Running a Tor bridge
This involves making your machine an 'entry node' for people who are having trouble connecting to Tor through traditional methods.
According to https://www.torproject.org/docs/bridges , make your torrc be just these four lines:
SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*
If you get "Could not bind to 0.0.0.0:443: Permission denied" errors on startup, you'll need to pick a higher ORPort (e.g. 8080), or perhaps forward the port in your router.
Running a "Middleman" relay
This means that your machine will contribute bandwidth to the 'internal' part of the network, acting as neither an entry nor exit point, merely forwarding bits to and from other Tor users.
You should share at least 20 KB/s:
Nickname <tornickname>
ORPort 9001
BandwidthRate 20 KB # Throttle traffic to 20KB/s
BandwidthBurst 50 KB # But allow bursts up to 50KB/s
To run Tor as a middleman (a non-exit relay), add:
ExitPolicy reject *:*
Running a Tor Exit Node
Any requests from a Tor user to the regular internet obviously need to exit the network somewhere, and exit nodes provide this vital service. To the accessed service, the request will appear to have come from your machine. This means that running an exit node is generally considered more legally onerous than other forms of Tor relays. Before becoming an exit relay, you may want to read Tips for Running an Exit Node With Minimal Harassment.
Using the torrc, you can configure which services you wish to allow through your exit node. Allow all traffic:
ExitPolicy accept *:*
Allow only irc ports 6660-6667 to exit from node:
ExitPolicy accept *:6660-6667,reject *:* # Allow irc ports but no more
By default, Tor will block certain ports. You can use the torrc to override this.
ExitPolicy accept *:119 # Accept nntp as well as default exit policy
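An added example (not from the article or from the Tor project) of how ExitPolicy lines like the ones above are evaluated: rules are tried in order and the first match decides. Tor appends its built-in default policy after your rules; this toy does not reproduce that list and instead takes an explicit `default` argument to stand in for it.

```python
"""Added example: parse torrc ExitPolicy entries and evaluate a destination
against them with first-match-wins semantics."""
import ipaddress
from typing import List, Tuple

# (accept?, network, lowest port, highest port)
Rule = Tuple[bool, ipaddress.IPv4Network, int, int]


def parse_exit_policy(torrc_text: str) -> List[Rule]:
    """Parse every 'ExitPolicy accept|reject ADDR[/MASK]:PORT[-PORT]' entry.
    Rules may be comma-separated on one line and followed by a '#' comment,
    exactly as in the torrc examples above."""
    rules: List[Rule] = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("exitpolicy"):
            continue
        for item in line.split(None, 1)[1].split(","):
            action, target = item.strip().split()
            addr, ports = target.rsplit(":", 1)
            net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr,
                                       strict=False)
            if ports == "*":
                low, high = 1, 65535
            elif "-" in ports:
                low, high = (int(p) for p in ports.split("-"))
            else:
                low = high = int(ports)
            rules.append((action.lower() == "accept", net, low, high))
    return rules


def exit_allowed(rules: List[Rule], ip: str, port: int,
                 default: bool = False) -> bool:
    """First matching rule wins; `default` stands in for Tor's implicit
    default policy, which real Tor appends after the configured rules."""
    target = ipaddress.ip_address(ip)
    for accept, net, low, high in rules:
        if target in net and low <= port <= high:
            return accept
    return default


if __name__ == "__main__":
    irc_only = parse_exit_policy(
        "ExitPolicy accept *:6660-6667,reject *:*  # Allow irc ports but no more")
    # 203.0.113.5 is a constructed (documentation-range) destination address
    print(exit_allowed(irc_only, "203.0.113.5", 6667))   # True
    print(exit_allowed(irc_only, "203.0.113.5", 80))     # False
```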
The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file:
DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
And restart Tor to load the updated configuration file:
# rc.d restart tor
This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it's only able to resolve DNS queries for A-records; MX and NS queries are never answered. For more information see this Debian-based introduction.
DNS queries can also be performed from the command line using tor-resolve. For example:
$ tor-resolve archlinux.org
188.8.131.52
Using TorDNS for all DNS queries
Since TorDNS can be slow, if you want to use it for all queries it is advisable to use dnsmasq to cache the results. Install dnsmasq and modify its configuration file so that it contains:
no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1
This configures dnsmasq to listen only on the local computer and to use only the TorDNS service. Now edit resolv.conf so that it uses only the dnsmasq server.
Start the dns server with
# rc.d start dnsmasq
Finally, if you use dhcpcd you need to change its settings so that it does not alter the resolv configuration file. Just add this line to its configuration file:
nohook resolv.conf
If you already have a nohook line, just add resolv.conf to it, separated with a comma.
torify will allow you use an application via the Tor network without the need to make configuration changes to the application involved. From the man page:
torify is a simple wrapper that calls tsocks with a tor specific configuration file. tsocks itself is a wrapper between the tsocks library and the application that you would like to run socksified.
$ torify elinks checkip.dyndns.org
$ torify wget -qO- https://check.torproject.org/ | grep -i congratulations
Torify will not, however, perform DNS lookups through the Tor network; the hostname is resolved locally before the connection is proxied. A workaround is to use it in conjunction with tor-resolve (described above). In this case, the procedure for the first of the above examples would look like this:
$ tor-resolve checkip.dyndns.org
184.108.40.206
$ torify elinks 220.127.116.11
Problem with User value
If the tor daemon fails to start, run tor as root (or via sudo) and check its output.
If you get the following error
May 23 00:27:24.624 [warn] Error setting groups to gid 43: "Operation not permitted".
May 23 00:27:24.624 [warn] If you set the "User" option, you must start Tor as root.
May 23 00:27:24.624 [warn] Failed to parse/validate config: Problem with User value. See logs for details.
May 23 00:27:24.624 [err] Reading config failed--see warnings above.
then the problem is with the User value. Proceed with the following steps.
Check the permissions of the directory /var/lib/tor by running
# ls -l /var/lib/
If the permissions for /var/lib/tor are as shown below
drwx------ 2 tor tor 4096 May 12 21:03 tor
the directory is owned by the user tor and the group tor. Change the owner to the user root and the group root with the command:
# chown -R root:root /var/lib/tor
If you check the permissions again, they should now show
drwx------ 2 root root 4096 May 12 21:03 tor
Open /etc/tor/torrc and find the following lines
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line.
RunAsDaemon 1
User tor
Group tor
Comment out the lines User tor and Group tor, so that the lines read
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line.
RunAsDaemon 1
#User tor
#Group tor
Save the changes and restart the tor daemon; it should now work.
# rc.d restart tor
Daemon fails on restart
If after issuing /etc/rc.d/tor restart you have log entries similar to
Interrupt: we have stopped accepting new connections, and will shut down in 30 seconds. Interrupt again to exit now
and the daemon fails to start back up, a simple workaround is to open /etc/rc.d/tor in your favourite editor and increase the time waited between shutting down and starting the daemon again. For example:
;;
restart)
    $0 stop
    sleep 35
    $0 start
    ;;
This allows Tor to shut down cleanly and restart after a safe period of time. Remember that this file may be overwritten by upgrades.