Version 9 (modified by cypherpunks, 7 years ago) (diff)

expand VM recommendation


When setting up TorBOX in the form of two VMs running on the same host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the IP of a user. Malware running on the host has full control over all VMs. To prevent against such attacks we need a different approach: In this context we call it "bare metal" because the gateway system is directly installed on the hardware ("metal") and not in a VM. This drastically reduces the TCB by more than the half.


  • A computer with at least two network adapters, at least one of them ethernet, capable of running Linux. This will be our gateway.
  • A client computer connected via ethernet to the gateway. This will be the torified client system or Tor-Workstation.

How To Install

For the set up follow the Manual Configuration. Only very few changes are necessary.

  • Step 1: you need to apply the time syncing related commands on both the gateway and the client.
  • Step 2: Because VMs protect against hardware fingerprinting we still recommend that you use Virtualbox with Tor-Workstation.ova as the client. See TorBOX/Dev/BuildDocumentation
    • Instead of Internal Networking you'll need to use NAT or bridged networking, the latter is easier to configure as you can simply follow the standard networking set up detailed in the manuals (or use our shell scripts).
    • If you install the client "bare metal" as well it may be a good idea to use FDE (full disk encryption) and set up a screen saver. If not set them up on the host.
  • Step 3:
    • If you want to use ssh from the outside you obviously can't use the provided commands (ssh on
    • eth0 needs to be configured according to the requirements of your local network, e.g. static or with dhcp if the gateway is connected to a dhcp capable router.
    • Before running the script make sure eth1 and eth0 refer to the correct interfaces. Otherwise you have to change each instance of "eth*" in the script ('dmesg | grep eth' may be helpful).
    • It may be a good idea to set up FDE during installation

Instead of manual configuration, you can also use binary images for one or even both systems!

Further recommendations

We recommend that you use two dedicated computers for TorBOX that are never used for activities that could lead back to your identity.

non-anonymous use

  • non-anonymous box (leave it as is is, like you want)
  • non-anonymous home dial up internet router (leave it as is is, like you want)

anonymous use

  • Tor-Gateway
    • This really does not have to be a big desktop computer or ordinary server. There are alternatives.
    • smartphone 1, UMPC, pad, tablet, notebook, netbook, Raspberry Pi, router 2, set top box, etc.
    • how to utilize such a device as a linux server is beyond the scope of this guide, there are already better resources
  • anonymous 3G modem (see below) or anonymous wifi adapter (see below)
  • Tor-Workstation
    • You get the idea. Use a device which suits you.

1 for example some rooted android smartphones can install Debian Linux.
2 something like OpenWRT

anonymous 3G modem

  • plugged or integrated into Tor-Gateway
  • Buy the 3G modem anonymously [in a store, second hand, on street, no personal data].
  • Be sure to have never used it for non-anonymous use before.
  • This is because in many countries the telecommunication company log the IMEI and the phone number for each dial up.
  • Also be sure to buy the SIM-card anonymously. Prepaid is better. Buy cash codes in different stores.
  • Optionally use from random spots only. (security vs. comfort)
  • 3G uses a shared IP along many users, some providers do yet not log the ports of the users and therefore can not identify them. Nice to have, but don't rely on it.

anonymous wifi adapter

  • plugged or integrated into Tor-Gateway
  • Buy the wifi adapter anonymously [in a store, second hand, on street, no personal data].
  • Be sure to have never used it for non-anonymous use before.
  • This is because a few providers or hotspot providers log the mac address and the username (for paid hotspots) for each dial up.
  • Use only free hotspots or pay them anonymously (if that's possible).
  • Optionally use from random spots only. (security vs. comfort)