HOWTO Anonymity with Tor and Privoxy
From Gentoo Linux Wiki
Introduction
This HOWTO explains how to browse the web anonymously by using Tor (TheOnionRouter) and Privoxy. Tor can also be used to make other network clients (instant messaging, Usenet, etc) act anonymously. This HOWTO also explains how to set up servers on your machine available anonymously through Tor's "hidden services" mechanism.
Do NOT use tor to abuse sites... let's keep the tor community clean!
Setting It Up
As root:
# emerge -av net-misc/tor net-proxy/privoxy
Add this line to /etc/privoxy/config (anywhere is fine, but line 1160 looks like the right place):
File: /etc/privoxy/config
forward-socks4a / localhost:9050 .    # Don't forget the '.' at the end!
#debug 1                              # show each GET/POST/CONNECT request
It is a common setup to have a proxy in the local network which is accessible from every other host on the network. So if your network is 192.168.0.0 and your proxy 192.168.0.1, use:
File: /etc/privoxy/config
listen-address 192.168.0.1:8118
When FascistFirewall is set, Tor assumes that your firewall allows only port 80 and port 443 (HTTP and HTTPS respectively). You can select a different set of ports with the FirewallPorts option.
As of Tor 0.1.1.6-alpha, FascistFirewall and FirewallPorts were replaced with a new config option:
ReachableAddresses *:80,*:443
As of Tor 0.1.1.14-alpha, ReachableAddresses is split in two:
ReachableDirAddresses *:80
ReachableORAddresses *:443
This is taken from this link
Start tor:
# cp /etc/tor/torrc.sample /etc/tor/torrc
# /etc/init.d/tor start
Start privoxy:
# /etc/init.d/privoxy start
Add tor and privoxy to the default runlevel if you want them to start on bootup.
# rc-update add privoxy default
# rc-update add tor default
How to use Tor/Privoxy with your Software
Complete List
There is a wiki listing all programs that are known to work and how to set them up ( http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO ), bigger and more complete than this one. The following are only a few trivial examples to illustrate what this is about.
Aliases
Another way is to use some already defined shell aliases (telnet, scp, ssh etc.) to avoid having to set up tor/privoxy for every single application on your box: http://shellscripts.org/project/toraliases
Autoconfigure Some Applications
To make applications that use HTTP, such as wget, lynx and curl, use Tor automatically, put this in your ~/.profile or ~/.bashrc:
File: ~/.profile or ~/.bashrc
http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY
Examples
Browsing anonymously
Configure your web browser's http proxy to point to: host: 127.0.0.1 port: 8118.
- Under Firefox, go to the Edit menu -> Preferences -> Advanced -> Network -> Settings (also see an extension for Firefox below)
- Under Opera, go to the Tools menu -> Preferences -> Advanced -> Network -> Proxy Servers
- Under Konqueror, go to the Settings menu -> Configure Konqueror. Scroll down to Proxy. Click Manually specify the proxy settings and then click Setup
- Under Epiphany, visit about:config, type proxy in the filter box and fill in the proxy.http.host and proxy.http.port fields. You might also want to look at proxy.ftp, proxy.ssl etc.
You should also set your SSL proxy to the same configuration, if you want to hide your SSL traffic.
The Tor developers recommend that you send all protocols via Privoxy even if that breaks them.
From the Tor FAQ: [1] "Unfortunately, Privoxy only proxies http and https. This means you can't use Privoxy to handle ftp traffic. Worse, if you don't specify any proxy for your ftp traffic, then your browser will connect directly to the ftp site. So a web page can use an img link to an ftp site in order to trick you into revealing your real location!"
You are now browsing anonymously. Or at least you have a better chance of anonymity and are contributing to development of these solutions - the Tor authors specifically say that you should not rely on Tor to provide strong anonymity.
How to use Gaim with tor
Make sure you have privoxy and tor running as explained above.
In Gaim:
- Go to the Tools menu, select Accounts
- Select the IM protocol you want to anonymize
- Click Modify
- Click Show more options
- Under Proxy Options select proxy type SOCKS 5
- Enter 127.0.0.1 for the host
- Enter 9050 for the port
- Leave user/pass blank
Other Network Clients
The above method will work with any network client that can use a SOCKS proxy, such as x-chat.
IRSSI
$ torify irssi
Do NOT use Tor with Bittorrent clients! The Tor network is only in its infant stages and will not be able to cope with that amount of traffic. Details Here
Firefox Extension
FoxyProxy allows wildcards and regular expressions parsed from the URL line to automatically choose a proxy, or none, on a case-by-case basis. It has out-of-the-box support for communicating directly with Tor (not recommended, since Firefox may report your IP, thus defeating the whole point), or can be used in conjunction with Privoxy or any other proxy of your choice. It does away with the need to pick a proxy manually, and with the annoying tendency for a proxy (de)selection in one browser window/tab to be carried across all browser tabs/windows, as with other Firefox proxy extensions. It eliminates the "Oops" factor in proxy (de)selection.
There is a handy extension for Firefox, Switchproxy Extension, which facilitates switching between anonymous and non-anonymous modes quickly.
There is also a less general extension, Torbutton, which lets you switch only between "direct connection" and tor/privoxy configurations.
Offering Hidden Services
A hidden service is a server on your computer that you make available via tor with a .onion top level domain.
Hidden services have several known weaknesses that can let them be exposed, identified or located; these are documented and discussed here: http://www.onion-router.net/Publications/locating-hidden-servers.pdf Steps have been taken against them, but the results of these steps, and other larger-scale attacks, have not yet been studied further. It is not certain that your hidden service will remain anonymous.
A website offered through a hidden service looks like this: http://6sxoyfb3h2nvok2d.onion/tor/SocatHelp. For example, you can access the Tor hidden wiki at: http://6sxoyfb3h2nvok2d.onion/tor/
You can offer hidden services while tor is running as a client or server.
To make your web server available anonymously, edit /etc/tor/torrc and in the hidden services portion add these lines:
File: /etc/tor/torrc
HiddenServiceDir /var/lib/tor/apache_hidden/
HiddenServicePort 80 127.0.0.1:80
Now create /var/lib/tor/apache_hidden, chown it to tor:tor (you don't really have to do this, the directory is created by tor if it doesn't exist) and start tor. Look in the file /var/lib/tor/apache_hidden/hostname for the .onion address you want to publish.
Non-HTTP Service
Using tor and privoxy makes offering hidden services for web servers easy, but what if you want to make a non-http service available?
Say you have a mud server running on port 5454 and want to make it available as a hidden service. Follow the above steps, creating a directory named ~/mud_hidden/ instead.
To get to your mud people would use the address 34vss3f3tohrri.onion:5454. But telnet can't use the .onion namespace, so we need to use socat.
# emerge net-misc/socat
# listen locally on 2222 and relay each connection through Tor's SOCKS port to the mud's .onion port 5454
$ socat TCP4-LISTEN:2222,fork SOCKS4A:localhost:34vss3f3tohrri.onion:5454,socksport=9050
Now you can test it by telnetting to localhost 2222. Run the same socat step on another machine and connect from there to verify that it works through Tor.
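The socat line above works because SOCKS4a, unlike plain SOCKS4, hands the hostname to Tor instead of resolving it locally, which is what lets a .onion name be reached at all (and keeps it out of your DNS resolver). The following added example, not from the wiki page, builds and decodes that SOCKS4a exchange in Python; it assumes Tor's SOCKS port at 127.0.0.1:9050 as configured on this page, and the function names are my own.

```python
import socket

SOCKS_VERSION, CMD_CONNECT = 4, 1
SOCKS4A_MARKER = b"\x00\x00\x00\x01"   # DSTIP 0.0.0.x: "resolve DSTHOST yourself"
REPLY_CODES = {0x5A: "granted", 0x5B: "rejected or failed",
               0x5C: "identd unreachable", 0x5D: "identd user mismatch"}

def build_socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT request. The hostname is carried to Tor, so a .onion name
    is resolved inside Tor and never reaches the local DNS resolver (plain SOCKS4
    would need an already-resolved IPv4 address, which .onion names never have)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT]) + port.to_bytes(2, "big")
            + SOCKS4A_MARKER + userid + b"\x00" + host.encode("ascii") + b"\x00")

def parse_socks4a_reply(reply: bytes) -> str:
    """Decode the fixed 8-byte reply: VN is always 0, CD is the status code."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4a reply")
    return REPLY_CODES.get(reply[1], "unknown code 0x%02x" % reply[1])

def connect_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050), timeout=30):
    """Open a TCP stream to host:port through Tor's SOCKS port (127.0.0.1:9050
    as set up on this page); returns the connected socket, or raises."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_socks4a_connect(host, port))
        reply = b""
        while len(reply) < 8:                   # reply may arrive in pieces
            chunk = sock.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("Tor closed the connection early")
            reply += chunk
        status = parse_socks4a_reply(reply)
        if status != "granted":
            raise ConnectionError("Tor refused the connection: " + status)
        return sock
    except Exception:
        sock.close()
        raise

if __name__ == "__main__":
    # Uses the page's example .onion address; works only with a local Tor running.
    try:
        connect_via_tor("34vss3f3tohrri.onion", 5454).close()
        print("connected through Tor")
    except OSError as exc:
        print("could not connect via Tor:", exc)
```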
Note on Client/Server
All of the above steps will enable tor to be used as a client only. In other words you won't be a node using 20 gigabytes of bandwidth per month, just what you'd normally use by surfing the web.
Privoxy Config
You can access the privoxy web configuration at http://config.privoxy.org/ when privoxy is turned on.
Note on Speed
Browsing through a proxy will slow down your connection. It's not a good idea to use tor with wget (which is used by emerge).
Gentoo blocks Tor exit node traffic from its official distfile servers (among others) and almost all official mirrors. (Note from reader: As of 26th June 2006 there's no problem with it.)
To turn off proxying for wget, change #use_proxy = on to use_proxy = off in /etc/wget/wgetrc around line 80.
Advanced usage
Offering a tor/privoxy proxy for others
The instructions up to now only cover setting up tor and privoxy on a single computer. Of course, if you administer a network or want to offer a publicly available service, you can do that too. To do that, you must instruct tor and privoxy to listen for connections not only locally, but on a publicly available network address. In the following example I assume a server on a local network, 192.168.0.0/24, with the IP 192.168.0.1. You must make the following modifications in addition to the ones mentioned above:
File: /etc/tor/torrc
SocksBindAddress 192.168.0.1
SocksPolicy accept 192.168.0.0/24
SocksPolicy reject *
File: /etc/privoxy/config
listen-address 192.168.0.1:8118
# replace the line "forward-socks4a / localhost:9050 ." with this:
forward-socks4a / 192.168.0.1:9050 .
Don't forget the period (".") at the end of the line.
Restart tor and privoxy, and set the proxy in the web clients throughout your net to 192.168.0.1:8118.
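Two of the settings above are easy to get subtly wrong: the trailing "." on forward-socks4a (mentioned twice on this page) and a SOCKS port bound to a LAN address without a final reject-all SocksPolicy. The added example below, my own code rather than anything from the wiki page or the Tor/Privoxy projects, checks constructed snippets of /etc/privoxy/config and /etc/tor/torrc for exactly those conditions; it only understands the directives shown on this page, so it is a sanity check, not a full parser.

```python
from ipaddress import ip_address

def _directives(text):
    """Yield (name, args) for each config line, ignoring blanks and # comments."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0].lower(), parts[1:]

def _is_loopback(addr):
    """True for localhost / 127.x forms like 'localhost:8118' or '127.0.0.1'.
    A bare ':8118' (no host) binds every interface and is treated as exposed."""
    host = addr.rsplit(":", 1)[0] if ":" in addr else addr
    try:
        return host == "localhost" or ip_address(host).is_loopback
    except ValueError:
        return False

def lint_privoxy(config: str) -> list:
    """Findings for /etc/privoxy/config as configured on this page."""
    findings = []
    for name, args in _directives(config):
        if name == "forward-socks4a" and (len(args) != 3 or args[2] != "."):
            findings.append("forward-socks4a must end with the lone '.' "
                            "(no further HTTP parent proxy after Tor)")
        elif name == "listen-address" and args and not _is_loopback(args[0]):
            findings.append("privoxy listens on %s; any host that can reach it "
                            "can use your Tor client unless you restrict access"
                            % args[0])
    return findings

def lint_torrc(config: str) -> list:
    """Findings for /etc/tor/torrc: a LAN-facing SOCKS port needs a reject-all
    SocksPolicy after the accept lines, as in the example on this page."""
    lan_bound, policies = False, []
    for name, args in _directives(config):
        if name in ("socksbindaddress", "sockslistenaddress") and args:
            lan_bound = lan_bound or not _is_loopback(args[0])
        elif name == "sockspolicy":
            policies.append(" ".join(args).lower())
    if lan_bound and "reject *" not in policies:
        return ["SOCKS port bound to a LAN address without 'SocksPolicy reject *'"]
    return []

# Constructed samples: the weak form beside the page's corrected form.
WEAK_PRIVOXY = "listen-address :8118\nforward-socks4a / 192.168.0.1:9050\n"
GOOD_PRIVOXY = "listen-address 127.0.0.1:8118\nforward-socks4a / localhost:9050 .\n"
WEAK_TORRC = "SocksBindAddress 192.168.0.1\nSocksPolicy accept 192.168.0.0/24\n"
GOOD_TORRC = WEAK_TORRC + "SocksPolicy reject *\n"
```

Running lint_privoxy on the LAN configuration from this section still reports the exposed listen-address, which is intended: it reminds you that every host that can reach 192.168.0.1:8118 can now send traffic through your Tor client.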
Running a tor server
If you have a lot of bandwidth, you might want to consider contributing to the tor network by running your node as a tor server. The more servers there are, the better the network works: More servers mean higher bandwidth and better anonymity. There are two ways you can help: Either running a Middleman or an Exit Node. An Exit Node allows traffic to leave the tor network at your server, so that it appears to the outside world that the traffic has come from your computer. Depending on the legislation of your country, this might get you in trouble. If you don't want to risk that, run a Middleman Node. The official documentation is at Configuring a Tor server. Also, you should read the Tor FAQ if you want to run a server. There are a number of issues which are beyond the scope of this wiki. Anyhow, here are the minimal instructions to get you started.
File: /etc/tor/torrc
## This is required, but you can choose the port
ORPort 9001
## Required: A unique handle for this server. Choose one.
Nickname ididntedittheconfig
## The IP or fqdn for this server. Leave commented out and Tor will guess.
## Uncomment and set this if tor cannot guess your public IP.
#Address <your.public.ip>
## To limit your bandwidth usage, define this. Note that BandwidthRate
## must be at least 20 KB.
BandwidthRate 20 KB     # Throttle traffic to 20KB/s (160Kbps)
BandwidthBurst 50 KB    # But allow bursts up to 50KB/s (400Kbps)
## If you don't want to run an Exit Node, add this
ExitPolicy reject *:*   # middleman only -- no exits allowed
Troubleshooting
The above steps should work for most machines. If you have strict firewall rules you'll need to allow local connections to port 8118 and port 9050. If your firewall blocks outgoing connections, punch a hole so it can connect to TCP ports 80, 443, and 9001-9033.
I also noticed that
File: /etc/privoxy/config
listen-address localhost:8118
might have to be changed to
File: /etc/privoxy/config
listen-address 127.0.0.1:8118
in order to work, possibly because /etc/hosts is missing the localhost entry.
Also, only the latest version of tor is likely to work, but that might be masked in portage, so add net-misc/tor ~* to your /etc/portage/package.keywords file.
-- Check the logs! --
If you have configured everything correctly but are still having problems, please check /var/log/tor/tor.log for more insight. In my case I set up everything correctly but my time was not correct, so nothing worked. Please make sure your time is correct as well.
References
- http://forums.gentoo.org/viewtopic.php?t=269815
- http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ
