Tor
Tor is an onion routing Internet anonymity system.
Installation
USE flags
USE flags for net-vpn/tor Anonymizing overlay network for TCP
+man
|
Build and install man pages |
+server
|
Enable tor's relay module so it can operate as a relay/bridge/authority |
caps
|
Use Linux capabilities library to control privilege |
doc
|
Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally |
lzma
|
Support for LZMA compression algorithm |
scrypt
|
Use app-crypt/libscrypt for the scrypt algorithm |
seccomp
|
Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
systemd
|
Enable use of systemd-specific libraries and features like socket activation or session tracking |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
tor-hardening
|
Compile tor with hardening on vanilla compilers/linkers |
verify-sig
|
Verify upstream signatures on distfiles |
zstd
|
Enable support for ZSTD compression |
Emerge
Install net-vpn/tor:
root #
emerge --ask net-vpn/tor
For Web browsing via Tor, an easy alternative is the official portable Tor Browser. Even if also using Tor for other purposes, when web browsing over Tor always use Tor Browser.
Tor Browser requires Wayland to avoid Firefox Bug 1746715, which prevents Tor Browser from running.
Configuration
Tor ships with a minimal configuration in /etc/tor/torrc so it works out of the box:
User tor
PIDFile /run/tor/tor.pid
Log notice syslog
DataDirectory /var/lib/tor/data
Services
OpenRC
To start immediately:
root #
rc-service tor start
To start the Tor service on system boot, add it to the default runlevel:
root #
rc-update add tor default
systemd
To start immediately:
root #
systemctl start tor.service
To start the Tor service on system boot:
root #
systemctl enable tor.service
Emerge messages
* Messages for package net-misc/tor-0.2.3.25:
* We created a configuration file for tor, /etc/tor/torrc, but you can * change it according to your needs. Use the torrc.sample that is in * that directory as a guide. Also, to have privoxy work with tor * just add the following line * * forward-socks4a / localhost:9050 . * * to /etc/privoxy/config. Notice the . at the end!
Browsers
Any browser via PAC file
A PAC file can delegate browser requests to different proxies. Here connections to localhost are handled directly (no proxy); Eepsites are handled by i2p proxy on port 4444 and other traffic goes via Tor SOCKS proxy on port 9050.
function FindProxyForURL(url, host)
{
if(host.match(/^(localhost|127[.]0[.]0[.]1|192[.]168[.]1[.]1)$/))
return 'DIRECT';
if(host.match(/[.]i2p$/))
return 'PROXY 127.0.0.1:4444';
return 'SOCKS 127.0.0.1:9050';
}
Save this file as /usr/local/proxy.pac, and point the browser to it. Most browsers accept Proxy configuration URL, where one can specify file:///usr/local/proxy.pac
.
Firefox
Hamburger menu > Settings > General > Network Settings
manual proxy configuration: http proxy port: 0 ssl proxy port: 0 ftp proxy port: 0 socks host 127.0.0.1 port: 9050 check SOCKS v4 No Proxy for: localhost, 127.0.0.1
'SOCKS v4' is actually SOCKS 4a internally. SOCKS v5 needs more configuration for safe DNS, .
Type about:config into the URL bar and set the following:
network.proxy.socks_remote_dns true network.dns.disablePrefetch true network.dns.disableIPv6 true
This way Firefox will resolve host names via Tor, preventing DNS leaks.
media.peerconnection.enabled false
This prevents leaking the system IP address through WebRTC requests.
SSH
net-misc/openssh doesn't have any native support for SOCKS5, so install net-analyzer/openbsd-netcat and modify the SSH config. It is possible with net-analyzer/netcat also but the configuration below uses flags specific to the OpenBSD variant.
root #
emerge --ask net-analyzer/openbsd-netcat
For all hosts:
Host *
# Tell SSH to pass its connections through netcat, using a SOCKS5 proxy at 127.0.0.1:9050 (Tor default).
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
# Privacy protections
# Prevents SSH from telling the remote server about all of your public keys, potentially revealing your ID
ForwardAgent no
IdentitiesOnly yes
# Merges connections to a server to prevent expensive reconnections
# To avoid this, invoke ssh as: ssh -o 'ControlMaster no' ...
ControlMaster auto
ControlPath ~/.ssh/master-%r@%n:%p
# Compression for low bandwidth lines (like Tor)
Compression yes
For a specific host:
Host yourserver.com
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
For .onion addresses only:
Host *.onion
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
git
Since git can use either SSH or HTTP(S) to fetch data, the proxy setup is dependent on the URL.
For SSH fetching, e.g. git@foo.example:vcs.git, follow the SSH example above for this server.
For HTTP fetching, set the configuration[1]:
user $
git config --global http.proxy socks5://127.0.0.1:9050
DNS
Some applications may leak DNS requests. The easiest way to check if this really happens is to look at system logs.
user $
sudo tail -f /var/log/messages
If an application is configured correctly, nothing shows in the logs. Below is an example of a message for a misconfigured application or for a web page that stores links in form of IP addresses:
Oct 14 14:44:44 localhost Tor[666]: Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.
In order to check how this works, one needs to give an application an IP address instead of a domain name, retrieved by running the tor-resolve command for example.
DNS Resolver
Tor can work like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records. MX and NS queries are never answered.
To enable the built-in DNS resolver, add the following lines to the /etc/tor/torrc file and restart the daemon:
...
## Torified DNS
DNSPort 127.0.0.1:9053
AutomapHostsOnResolve 1
Then to prevent leak DNS requests make Tor the ONLY system default DNS resolver in /etc/resolv.conf:
nameserver 127.0.0.1
If using dhcpcd, then change its settings in /etc/dhcpcd.conf so it does not alter the resolv.conf configuration file:
nohook resolv.conf
If using pppoe, then change its settings in /etc/ppp/pppoe.conf so it does not alter the resolv.conf configuration file:
DNSTYPE=NOCHANGE
Finally, redirect ALL DNS requests on the system from port 53 to 127.0.0.1:9053 where the Tor DNS listens for requests. Redirect any DNS to the the local (torified) nameserver:
root #
iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
root #
iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053
If also using IPv6, do the same for ip6tables. When done using Tor, to disable the aforementioned rules use:
root #
iptables -t nat -F
root #
iptables -t nat -X
This also disables any other existing NAT rules.
Disabling non-Tor traffic
The following iptables rules will prevent non-Tor traffic leaving the host and disable all new connections from outside in case if the host must be configured as a Tor client:
root #
iptables -F
root #
iptables -P OUTPUT DROP
root #
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
root #
iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
root #
iptables -P INPUT DROP
root #
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
root #
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
And to flush these and any other existing rules:
root #
iptables -F
root #
iptables -X
Firewall
Only do this if necessary.
If you want allow Tor use only special addresses you can specify it. For example our firewall allow outgoing connection only through https (443) port, so add to /etc/tor/torrc:
# If 1, Tor will only create outgoing connections to ORs running on ports that your firewall allows
FascistFirewall 1
# A comma-separated list of IP addresses and ports that your firewall allows you to connect to.
ReachableAddresses accept *:443, reject *:*
ReachableORAddresses *:443
torsocks
root #
emerge --ask net-proxy/torsocks
For applications lacking support for proxies or Tor, the torsocks command can force their traffic through the Tor network, as in torsocks irssi -c irc.afraidirc.net or torify irssi -c mqctemuqfc3tp5ji.onion.
Transparent Tor Proxy
Tor can work like a transparent proxy.
To enable built-in transparent proxy add the following lines to the /etc/tor/torrc file and restart the daemon:
...
## Transparent proxy
TransPort 127.0.0.1:9040
Finally, redirect ALL non-Tor outgoing traffic to a Tor transparent proxy:
root #
iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040
Stream isolation
The user might not want to mix GPG traffic with web browser traffic or to mix irssi circuits with bitcoin wallet circuits. In all cases an exit node can make correlation between separate activities. Stream isolation provides an easy way to separate different Tor circuits and make different applications use isolated streams.
By default, multiple *Port lines (SocksPort, DNSPort, TransPort) will never share circuits. To do stream isolation on a single *Port option, one might add one or more of the following isolation flags to *Port options: IsolateClientAddr, IsolateSOCKSAuth, IsolateClientProtocol, IsolateDestPort, IsolateDestAddr.
Some are enabled by default already and more isolation flags does not necessarily mean more security/anonymity/privacy. To see the most up-to-date list of stream isolation flags, see `man tor`.
So to ensure GPG client and instant messenger don't put streams on the same circuit, the easiest procedure is adding the following to torrc and point them at different SocksPorts.
# gpg client
SocksPort 127.0.0.1:9100
# instant messenger
SocksPort 127.0.0.1:9150
# More isolation:
SOCKSPort 9200 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
# etc...
Rules for Tor circuits
using these options may significantly reduce the total number of usable relays. Modifying the parameters set by the Tor developers is unwise; for example, using an exit node in a country with a prominent intelligence agency should pose very little risk -- the same risks exist with any exit node. It is instead sensible to avoid sending passwords over HTTP or other unencrypted protocols.
Use these Exclude options is unlikely to accomplish the goal. See "DeTor: Provably Avoiding Geographic Regions in Tor" presented at USENIX 2017. Also, GeoIP isn't necessarily very reliable to begin with.
man tor gives us a good explanation of various useful options. To get away from ECHELON, consider adding the following to /etc/tor/torrc:
StrictNodes 1
GeoIPExcludeUnknown 1
#ExcludeNodes {au}, {ca}, {gb}, {nz}, {us}
ExcludeExitNodes {au}, {ca}, {gb}, {nz}, {us}
NodeFamily {au}, {ca}, {gb}, {nz}, {us}
#UseNTorHandshake 1
PathsNeededToBuildCircuits 0.95
StrictNodes =1 together with ExcludeNodes {au}, {ca}, {gb}, {nz}, {us} will completely exclude Tor nodes from that country, but we also disallow connection to Tor hidden services located there. So it is better to comment ExcludeNodes or set StrictNodes 0. Also we mark NodeFamily {au}, {ca}, {gb}, {nz}, {us} all that nodes as "single administration" by Five Eyes. Directive NodeFamily can be used multiple times.
EntryNodes and ExitNodes can be used to select spacial nodes for entering end exit from Tor network respectively.
IPv4 and IPv6 addresses, and subnets can be used instead of country codes.
Sandbox
Tor has own sandbox features. It may give more protection of the system if Tor is compromised. To turn it on, first compile Tor with the secomp
USE flag:
# Allow Tor to use sandbox
net-vpn/tor seccomp
Then rebuild net-vpn/tor:
root #
emerge --ask tor
Then add to /etc/tor/torrc:
Sandbox 1
Setting up a Tor hidden service is easy -- just add 2 lines to /etc/tor/torrc and ensure correct permissions for the data directory.
HiddenServiceDir /var/lib/tor/data/hiddenservice
HiddenServicePort 80 127.0.0.1:80
Line 1 tells Tor to insert the public and private keys into the directory specified.
Line 2 tells Tor to direct traffic on hidden service port 80 to the IP and port specified.
The onion hostname will generated in /var/lib/tor/data/hiddenservice/hostname upon starting the Tor daemon.
Simple command-line file downloading
The popular wget utility cannot talk to socks proxy. However, net-misc/curl can download over Tor any resource located at a given URL and save it in a FILE using:
user $
curl --socks5-hostname 127.0.0.1:9050 -o FILE URL
The --socks5-hostname
means that hostnames are resolved via Tor instead of the system's DNS resolution, thus preventing DNS leaks.
Portage
Portage can be configured to sync its tree and fetch packages via Tor. Add the following to /etc/portage/make.conf:
FETCHCOMMAND="curl --socks5-hostname 127.0.0.1:9050 --retry 3 --connect-timeout 60 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
RESUMECOMMAND="curl -C - --socks5-hostname 127.0.0.1:9050 --retry 3 --connect-timeout 60 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
All the extra quoting is necessary. Have a look at man curl for more customization options.
Curl doesn't follow 302 redirect by default (cf. bug #543268). Pass -L to enable that behaviour.
emerge --sync cannot be used to update the Portage tree via Tor, because rsync cannot use socks proxy. In order to sync the Portage tree via Tor, use the command:
root #
emerge-webrsync
This fetches the portage tree snapshot over HTTP. Additionally, emerge-webrsync can be configured to verify the cryptographic signature of the gentoo repository. Such verification is explained in the Gentoo Handbook. One negative effect is that only daily repository snapshots are retrieved. Issues that are fixed in the interim will not be available until the following daily snapshot.
Installing or updating is done as usual, e.g.:
root #
emerge --ask some-package
Troubleshooting
Check if using Tor
Visit: https://check.torproject.org/
For web browsing, just get Tor Browser from https://torproject.org. Change the security slider if desired, but do not add "privacy" add-ons. The more the browser is changed, the more it stands out from the crowd.
Many websites can test anonymity. One of the best is whoer.net. Another nice one: ipleak.net.
To hide more information with a generic web browser, one can try disabling: Javascript, WebRTC. To hide HTML headers use [https://prism-break.org/en/projects/random-agent-spoofer/ Random Agent Spoofer] and/or net-proxy/privoxy. Some useful Mozilla add-ons include Request Policy, Privacy Badger and others.
Checking for network leaks
Tor is a great tool for enhancing privacy in many situations, but, unlike common belief, does not guarantee 100% anonymity. Let's have a brief look at how privacy changes with Tor up and running.
Local network admin or ISP
These people can no longer easily see which other hosts the user contacts.
However, this only works for programs which were configured to use Tor and do not leak DNS requests. There might be some non-Tor traffic due to other browsers, email, IRC, instant messenger, video conferencing, games, BitTorrent, bitcoin, remote desktop, other machines NATing through the user's box, and all other network software.
Even though the ISP cannot see exactly what is done through Tor, they can still detect Tor USAGE, and WHEN and HOW MUCH data is downloaded and uploaded via Tor. Let's say an adversary is observing a website. They can see that user X accessed it via Tor to download 2670kB at 9:22AM, upload 340kB at 9:27AM and download 9885kB at 9:31AM. The ISP can see that at these precise times user Y's Tor activity was almost the same size. Then if the adversary observing the website can also get that ISP traffic summary, they can determine X and Y are the same. Just a few timestamps like this can connect the identities beyond doubt. A solution is to have lots of Tor traffic entering and leaving the user's system at all times.
Machine admin
If some other people have administrative privileges on the user's machine, or gain her user or root's privileges through an attack, they can easily monitor all she does, type, and browse, in real time, or later by inspecting history, and then Tor doesn't help. Therefore, make sure to administer the system yourself and treat security as an important constituent of anonymity.
Attackers with physical access
It's as easy to install e.g. a small hardware key logger as it was before using Tor, so no privacy gains here.
The websites/services to which the user connects
From the websites browsed by the user, Tor only hide the IP address. However, the IP address has not been used as a very useful tool to track and spy on users. The vast majority of Internet users have a dynamic IP address or share one with a large number of other users. Therefore the parties interested in tracking and spying have developed amazingly advanced fingerprinting and tracking techniques without knowing the IP address. Some of the most obvious tracking techniques are:
- Cookies, supercookies, DOM/HTML5 storage easily track users. Solution: never enable cookies while using Tor.
- Browser fingerprinting. Your browser sends a huge amount of system information to any visited website, thus identifying the user. For an illustration, visit panopticlick.eff.org. This also applies to other protocol clients as well. Solution: use a special privacy-oriented browser (Tor Browser) or try some privacy plugins for your generic browser.
- JavaScript or other browser-native scripting. Scripts running in the browser can gather enormous amount of system information, thus identifying the user. For an example, open the browser's JS developer tools (F12 in Firefox) and look at the 'navigator' built-in variable. Websites can also monitor the precise timing of keystrokes to create a typing fingerprint. The same goes for mouse movements over the browser window while browsing. Solution: disable JavaScript in your browser.
- Geolocation. Websites can ask the browser for geographic location. Solution: disable geolocation in your browser.
- HTTP headers. Some headers like Referer or ETag track the user as she browses between various websites. Solution: Referer header can be disabled in Firefox in about:config, by setting network.http.sendRefererHeader to 0. FIXME: Any ETag solutions?
- Login. Logging in to any service connects that account with the Tor connection. Solution: Never ever log in to web mail, social network, or any other website while using Tor. It might be better to run another browser not via Tor for the websites where log in is needed. Never use the same browser for both Tor and non-Tor traffic.
- Browsers' bugs. Browsers have a lot of bugs that trackers and spies use to reduce or eliminate. Examples include a search giant using cookie preferences bug to set cookies even though disabled, or recent Chrome's bug that allows a website to access microphone and monitor speech: https://tech.slashdot.org/story/14/01/22/2156235/chrome-bugs-lets-sites-listen-to-your-private-conversations
- Java. Far worse than JavaScript. A signed Java applet has access to the filesystem, and can read and write files without asking for permission. It can also figure out the IP address which Tor tries to hide, create sockets, or send files to some server without the user's knowledge. Solution: never install Java for the browser. FIXME: major web browsers have long ago discontinued Java plugin support as of July 2024?
- Flash. Just as large privacy threat as Java. Solution: Never install Flash. Avoid any browser with it preinstalled. Note that Flash Player was officially discontinued on 31 December 2020, and its download page was removed two days later. Since 12 January 2021, Flash Player (original global variants) versions newer than 32.0.0.371, released in May 2020, refuse to play Flash content and instead display a static warning message. The software remained supported in mainland China and in some enterprise variants until 2022.
This list is not exhaustive.
Tips
Here are some tips to remain anonymous while using Tor:
- Advertisers and social media. This is by far the most widespread privacy threat faced on the web, simply because of the coverage. Almost all popular websites display ads from some giant ad provider. Similarly most websites include small pieces of code from many social networks, e.g. to display the "like" buttons, microblogging links, "login with FooBar" authentication dialogs, etc. These few Internet giants have their code injected into almost any website people visit. This way they can easily track and spy on anyone visiting almost any website. Some other institutions are known to tap into this tracking/spying datastream. It's relatively difficult to eliminate this threat. Most of the ads can be blocked by an ad blocking browser add-ons. Similarly, browser add-ons may eliminate social network components, external authentication, and other third-party content.
- Browsers' extensions. Some of the extensions that can be installed in browsers can in fact track the user. E.g. social network integration plugins, extensions that observe your browsing, etc.
- Browsers' usage statistics. Some browsers gather info about the user's browsing habits and send them to the developers. In Firefox this can be disabled in Settings > Privacy and Security > Firefox Data Collection and Use.
- Custom links. Let's say a friend uses a website to invite the user to do something. Then the website sends her an email with a link like website.domain/enGm7IKS. By opening the link, her Tor connection has been identified to be hers, because the enGm7IKS part is unique for her email address.
- Tor attacks. There are known attacks that can detorify the user. E.g. if the adversary controls both her entry and exit nodes for Tor network, they could after some time correlate her common activities and figure out who she is.
- Sometimes just using Tor makes the user quite special: https://yro.slashdot.org/story/13/12/18/047246/harvard-bomb-hoax-perpetrator-caught-despite-tor-use
Some institutions with smart people and billions of dollars at their disposal are in the business of tracking and spying on users. This includes advertising giants, social networks and states. The revelations coming from whistle-blowers have shown us the extent of some of the current surveillance. To protect privacy and anonymity, a lot more is necessary. Remain paranoid. Above all please educate yourself about how the Tor network works, what are the common problems, and what could be done to prevent it. Also, read about some recent state attacks on the Tor network. In some countries most Tor nodes might be run by an adversary. Also, read about browser fingerprinting and how it can be prevented. Find out about other non-Tor-related privacy attacks. The privacy war will be a life-long one against giant opponents. Welcome aboard and good luck.
See also
- I2P — an anonymous network, similar to Tor.
- Usenet — a federated and decentralized worldwide Internet forum and the world's oldest digital social network