Changes between Version 11 and Version 12 of doc/OpenbsdChrootedTor


Timestamp:
Apr 23, 2010, 4:47:27 AM (10 years ago)
Author:
trac
Comment:


  • doc/OpenbsdChrootedTor

    v11 v12  
     1##language:en
     2#pragma section-numbers on
     3##
     4##Above pragma from the FAQ
     5## Copyright (c) 2005 tyranix
     6## <add your name here if you claim copyright on parts>
     7## Distributed under the MIT license,
     8## See ./LegalStuff for a full text
     9##
     10[:../:up to Tor]
     11
     12Table of Contents
     13[[TableOfContents]]
     14
    115= Assumptions =
    216
    3  * You are installing """Tor 0.0.9.4"""
    4  * You are running """OpenBSD 3.6"""
    5  * You want to install the files to run into """/home/chrooted/tor"""
     17 * You are installing '''Tor 0.0.9.4'''
     18 * You are running '''OpenBSD 3.6'''
     19 * You want to install the files to run into '''/home/chrooted/tor'''
    620 * You do not want syslog entries from tor messages because if Tor misbehaves, you want it to affect the system as little as possible
    7  * You will use """ksh""" as the shell for both your user account and root in these examples (nothing permanent).
    8  * You have a normal user who will do the build process called """youruser""" who belongs to """yourgroup""".
     21 * You will use '''ksh''' as the shell for both your user account and root in these examples (nothing permanent).
     22 * You have a normal user who will do the build process called '''youruser''' who belongs to '''yourgroup'''.
    923
    1024Make adjustments accordingly if your setup differs.
    1125
    1226These instructions are based on [http://pestilenz.org/~bauerm/tor-openbsd-howto.html]
    13 with some needed changes.  Original by Matthias Bauer <obsdtor@weggla.franken.org>
    14 It also includes a few parts from TorInChroot.  The rest is new.
     27with some needed changes.  It also includes a few parts from TorInChroot.  The rest is new.
    1528
    1629This tutorial is setup so that the root and non-root commands are clearly
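Review bot: the rewrite of the credits paragraph drops the attribution "Original by Matthias Bauer <obsdtor@weggla.franken.org>" while the text still says the instructions are based on his howto and the file header still carries a copyright notice inviting contributors to add their names; keep the author's name (the e-mail address can be dropped if that is the concern). The change from """Tor 0.0.9.4""" to '''Tor 0.0.9.4''' in the assumptions list is correct, since triple single quotes are the wiki bold markup and the triple double quotes rendered literally.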
     
    7487== Add a _tor user to chroot to ==
    7588
    76 Note: Do """NOT""" use -L daemon because that is meant for root only!  It is
     89Note: Do '''NOT''' use -L daemon because that is meant for root only!  It is
    7790more free than you want a user to be, despite the misleading name.
    7891
     
    120133For all commands, you should use ksh.
    121134
    122 Assumed that your username is the creative """youruser""".
     135Assumed that your username is the creative '''youruser'''.
    123136{{{
    124137su - youruser
     
    198211time, and account expiration time) that we need to insert into the line.
    199212
    200 """NOTE""": This only works because you are not adding a user with a password.
     213'''NOTE''': This only works because you are not adding a user with a password.
    201214If you have a user with a password, the sed expression is not enough.  The
    202215master.passwd will contain the encrypted version of the password.  However,
     
    365378I am not using it.  Dante's client just sends requests to Tor.
    366379
    367 === Optional: Edit your privoxy config again ===
     380== Optional: Force clients to use Tor ==
     381
     382You can force clients to use Tor by removing their ability to normally contact
     383services.  For instance, irssi may reconnect without using socks.  So let's
     384setup PF to block such access in {{{/etc/pf.conf}}}:
     385
     386{{{
     387# Change for your device mentioned in the rest of your firewall rules.
     388int_if = xl0
     389
     390block in log quick on $int_if proto { tcp, udp } from any port { irc, 6667 } to any
     391block out log quick on $int_if proto { tcp, udp } from any to any port { irc, 6667 }
     392}}}
     393
     394Now irssi will not be able to reconnect to any IRC server without using a proxy
     395such as Tor.  Note that the above is only a portion of the {{{/etc/pf.conf}}} file
     396and you should definitely have other non-Tor related rules.  Also irc is technically
     397assigend to port 194 but most servers listen on 6667.
     398
     399== Optional: Edit your privoxy config again ==
    368400
    369401As you will note, your user agent is not changed.  Here is a quick and easy way
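Review bot: the new pf rules only match the irc service port and 6667, so an IRC client that reconnects on another port the network offers (6660-6669 or 6697 for TLS are common) still bypasses Tor, and the client's DNS lookup of the server name is not covered either, so a blocked reconnect still leaks which server it tried; if the section is meant to "force clients to use Tor", either list every port the client is configured for or block outbound TCP on $int_if except traffic to the local Tor/privoxy listeners (pf's `user` rule option could additionally restrict direct egress to the _tor user). Minor: "assigend" in the closing paragraph should be "assigned", and the heading level change from === to == matches the neighbouring sections.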
     
    385417because privoxy will forward to it:
    386418{{{
     419
     420if [ -f /home/chrooted/tor/devfs -a -b /dev/svnd0c ]; then
     421     echo -n 'tordevfs: ';
     422     vnconfig -c -v /dev/svnd0c /home/chrooted/tor/devfs
     423     mount /dev/svnd0c /home/tor/dev
     424fi
     425
    387426if [ -x /home/chrooted/tor/bin/tor ]; then
    388427     echo -n 'tor: ';
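Review bot: the added devfs block mounts /dev/svnd0c on /home/tor/dev, but every other path in this howto, including the test two lines below (/home/chrooted/tor/bin/tor), lives under /home/chrooted/tor, so the mount point should almost certainly be /home/chrooted/tor/dev; as written the chroot's /dev stays empty and the mount lands outside the jail. The block is also inserted directly under the context line "because privoxy will forward to it:", which introduces the tor startup lines, so that sentence no longer describes what follows; give the devfs block its own introductory sentence or move it below the tor block. Consider chaining the two commands (`vnconfig ... && mount ...`) so a failed vnconfig does not go on to attempt the mount.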