wiki:TorBrowserBundleSAQ

Version 5 (modified by cyberpunks, 6 days ago)

Reverted to version 3. (should not have edited instructions for obsolete versions of tor browser)

This is a list of Seldomly Asked Questions pertaining to Tor Browser.

How do I make Tor Browser 5.x use the tor that is already running on the system?

WARNING: Using Tor Browser in this manner is NOT OFFICIALLY SUPPORTED.

Using a local Tor SOCKS daemon

First, find the group that the Tor process runs under. On Debian derivatives this will be 'debian-tor', on Red Hat/Fedora Core '_tor', and on Arch Linux 'tor'. Then run the command (as root):

usermod -a -G $GROUP $USER

where $GROUP is the group Tor runs under for your OS, and $USER is the user that will be running Tor Browser.

You will need to log in again for the group change to be applied. Log in again via:

su $USER

Add or edit the following in your torrc:

SocksPort 9050  IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9051
CookieAuthentication 1
CookieAuthFile /var/run/tor/control.authcookie
CookieAuthFileGroupReadable 1

The CookieAuthFile should be stored in a directory that the Tor process can write to and that you can read from. The Debian tor package already sets these for you.

Set some environment variables so that Tor Browser (the Tor Button and Tor Launcher extensions) knows how to talk to our local tor process.

export TOR_CONTROL_COOKIE_AUTH_FILE=/var/run/tor/control.authcookie
export TOR_CONTROL_PORT=9051
export TOR_SOCKS_PORT=9050
export TOR_SKIP_LAUNCH=1

Problems

It will no longer be able to make changes to your torrc because, in the system-daemon tor ethos, it should not be able to edit its own torrc. This means changes to bridges will be ephemeral; make any configuration changes for bridges or proxy settings in the /etc/tor/torrc file.

Using an external Tor SOCKS daemon

Qubes, Whonix, PORTAL and other Isolating Proxies

Here we won't be able to use cookie auth as we did previously; we'll need to use a HashedControlPassword (a pre-shared secret/password). To generate one, run the command:

tor --hash-password "$PASSWORD"

Where $PASSWORD is the password you've chosen as your shared secret.

This will produce output like:

16:ED8B416384FE8EA660D22C7315374363C8C64BCE01EF7F82783DE02668

Add or edit the following in your torrc:

SocksPort 192.168.1.1:9050 KeepAliveIsolateSOCKSAuth
ControlPort 192.168.1.1:9051
HashedControlPassword 16:ED8B416384FE8EA660D22C7315374363C8C64BCE01EF7F82783DE02668

Replace '192.168.1.1' with the IP address of the interface that the Tor Browser client will be connecting to.

Set some environment variables so that Tor Browser (the Tor Button and Tor Launcher extensions) knows how to talk to the external tor process.

export TOR_SOCKS_HOST=192.168.1.1
export TOR_SOCKS_PORT=9050
export TOR_CONTROL_HOST=192.168.1.1
export TOR_CONTROL_PORT=9051
export TOR_SKIP_LAUNCH=1
export TOR_CONTROL_PASSWD='"$PASSWORD"'

Ensure that you replace $PASSWORD with the password you hashed earlier. It must remain inside of double quotes.
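
As an added example (not part of the original wiki page or of tor itself), the following Python code parses the `16:` value produced by tor --hash-password and checks a candidate password against it, so you can confirm that TOR_CONTROL_PASSWD and HashedControlPassword agree before launching Tor Browser. It assumes the salted, iterated SHA-1 S2K construction from RFC 2440 that tor uses for this value; the function names are hypothetical.

```python
import hashlib
import hmac
import os

# Hash value printed on this page (salt 8 bytes, specifier 1 byte, SHA-1 20 bytes).
PAGE_HASH = "16:ED8B416384FE8EA660D22C7315374363C8C64BCE01EF7F82783DE02668"


def s2k_count(c: int) -> int:
    """Decode the RFC 2440 one-byte specifier into a number of bytes to hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def parse_hashed_password(value: str):
    """Split '16:<hex>' into (salt, specifier, digest); reject other layouts."""
    prefix, _, hexpart = value.strip().partition(":")
    raw = bytes.fromhex(hexpart)
    if prefix != "16" or len(raw) != 29:
        raise ValueError("not a 16: salted S2K control password hash")
    return raw[:8], raw[8], raw[9:]


def s2k_digest(password: str, salt: bytes, c: int) -> bytes:
    """SHA-1 over the first s2k_count(c) bytes of (salt + password) repeated."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    block = salt + password.encode()
    reps, rest = divmod(s2k_count(c), len(block))
    return hashlib.sha1(block * reps + block[:rest]).digest()


def hash_password(password: str, salt: bytes = None, c: int = 0x60) -> str:
    """Build a value in the same layout as the tor --hash-password output."""
    salt = os.urandom(8) if salt is None else salt
    digest = s2k_digest(password, salt, c)
    return "16:" + (salt + bytes([c]) + digest).hex().upper()


def password_matches(password: str, hashed: str) -> bool:
    """Check the bare password (without the double quotes) against the hash."""
    salt, c, digest = parse_hashed_password(hashed)
    return hmac.compare_digest(s2k_digest(password, salt, c), digest)


if __name__ == "__main__":
    salt, c, _ = parse_hashed_password(PAGE_HASH)
    print(salt.hex(), hex(c), s2k_count(c))  # salt, specifier, bytes hashed
    demo = hash_password("constructed-example-secret")  # constructed password
    print(demo, password_matches("constructed-example-secret", demo))
```

The specifier byte 0x60 in the page's hash decodes to 65536 hashed bytes, so the stored value is a single salted SHA-1 pass over 64 KiB; the strength of the control port secret rests on the password you choose.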

Problems

Your data will traverse the connection before Torification or encryption. Ensure that this connection is not shared (e.g., it is virtual and local, or direct and physical and resistant to wiretapping).

Using an upstream Tor TransProxy daemon

Here we again can't use cookie auth, and we also will not be able to take advantage of Tor Browser 4.5's SOCKS isolation-by-domain method. I will not be providing a guide here as to how you should make your control port available through your packet filter; I highly recommend that you do, otherwise you will lose the new identity functionality. This guide assumes you've already set up an upstream transproxy tor daemon.

Follow the steps for the external SOCKS daemon section above to generate a control password hash.

Add or edit the following in your torrc:

ControlPort 192.168.1.1:9051
HashedControlPassword 16:ED8B416384FE8EA660D22C7315374363C8C64BCE01EF7F82783DE02668

Set some environment variables so that Tor Browser (the Tor Button and Tor Launcher extensions) knows how to talk to the upstream tor process.

export TOR_CONTROL_HOST=192.168.1.1
export TOR_CONTROL_PORT=9051
export TOR_SKIP_LAUNCH=1
export TOR_TRANSPROXY=1
export TOR_CONTROL_PASSWD='"$PASSWORD"'

Ensure that you replace $PASSWORD with the password you hashed earlier. It must remain inside of double quotes.

Problems

Lacking some of the context-aware isolation that the SOCKS method can provide, this is certainly not the favored option. Without the control port this becomes far more apparent, as it wouldn't be able to send the NEWNYM signal to the remote Tor instance to force it to use new circuits for future connections.