Version 129 (modified by proper, 8 years ago) (diff)

expanded: Hide the fact that you are using Tor/TorBOX

TorBOX Homepage

These are all OPTIONAL configurations. If you would like to use any of these features, go ahead and follow the instructions. However, you do not have to add any of those additional functions if you see no need for them.

Autologin into the Tor-Gateway

This feature is already implemented on Tor-Gateway 0.1.3 or in with -vm command line switch. To install it manually follow the instructions below.

If it bugs you to manually login into the Tor-Gateway after reach reboot you can use rungetty.

apt-get install rungetty

'nano /etc/init/tty1.conf'

exec /sbin/getty 38400 tty1


exec /sbin/rungetty --autologin USERNAME tty1

Disable power save (black display)

This feature is activated on Tor-Gateway 0.2.0 and above, for the download version and using the with -vm command line switch.

If it bugs you that the screen in the Tor-Gateways goes black after a while type

nano /home/user/.bashrc

and insert

setterm -blank 0 -powersave off -powerdown 0

Logout 'logout' and login again. Power saving features should now be disabled.

Using Tor's SocksProxy in Tor-Workstation

Moved to Identity correlation through circuit sharing

More than one Tor-Workstation

Moved to Recommendations to use multiple Tor-Workstation VM's and Snapshots.

Tunneling Tor through proxy, VPN or SSH

user -> proxy/VPN/SSH -> Tor

Read first: Tor Plus VPN and TorBOX VPN disclaimer.

This section is not fully tested/complete. Please give feedback if it worked for you.

Sometimes you are forced to use a proxy or VPN to make outgoing connections, some ISP's force you, or you are in a LAN with a proxy (router), or in a cooperate environment.

A proxy, VPN or SSH can also be possibly used to circumvent Tor blocks or to hide the fact you are using Tor. VPN and SSH are preferred choice, as they support secure encryption between you and them. It's a question, how much you can trust the server, they'll see, that you are using Tor, but thanks to Tor, they won't see what you are doing. If you use your own server in a safe country, while you are in a dangerous country, that's probable your best bet. Anyway, not so many people seem to do use a tunnel before they connect to Tor, therefore it's not so well tested, do not rely on it too much.

If nothing above applies for you, skip this section.

Tunnel Tor through proxy

user -> proxy -> Tor

Depending on your proxy configuration, add the settings you'll need to your /etc/torrc. For more information on these settings, have a look in the Tor manual and read the FAQ. 'nano /etc/tor/torrc'

HTTPProxy host[:port]
HTTPProxyAuthenticator username:password
HTTPSProxy host[:port]
HTTPSProxyAuthenticator username:password
Socks4Proxy host[:port]
Socks5Proxy host[:port]
Socks5ProxyUsername username
Socks5ProxyPassword password

Tunnel Tor through SSH

user -> SSH -> Tor

This chapter is about tunneling Tor through a SSH tunnel.

First we have to install the ssh client.

apt-get install ssh

Then be sure that your SSH connection itself is working well. SSH to your ssh server using 'ssh yourusername@…'. It's recommend to set up public key authentication. (TODO: how to create a private and public key) 'cd /home/yourusername', 'mkdir .ssh', 'nano authorized_keys', paste line beginning with 'ssh-rsa ...' (your public key) (TODO: how to create that line).

'exit' (terminate SSH connection) and login again using public key authentication. (TODO: how to do that) When that is working install your favorite text mode browser, for example 'apt-get install lynx' and test if the shell's external internet connection is working. 'lynx' You're done with the pre-requriements. Exit your shell. 'exit'

Now we will tell the SSH client to start a socks5 proxy server listening on localhost port 1080. The following command has to be run in background (TODO: add line how to do that) on each start up, before Tor starts (TODO: to which file, to do that). It would be wise to activate public key authentication (TODO: how to add private key to use public key authentication).

ssh -C -D 1080 your.ssh.server

Now we have to tell Tor to use the new local ssh server. 'nano /etc/torrc' and add


We are done, from now Tor will connect through the SSH server.

(TODO: any new firewall rules needed?)

Tunnel Tor through VPN

user -> VPN -> Tor

There are too many different VPN protocols. To many to add all of them to this guide. If you are forced to use a VPN server or if you are already using a VPN server, you most likely know how you can connect to it. You must know how to connect to your VPN server from the linux command line. Use the following order, start the firewall, connect to your VPN and start Tor afterwards.

If you are using VPN not because you are forced to use VPN by your ISP, but to hide the fact that you are using Tor or want to add an additional layer of protection, then be sure, that your VPN software is secure (ex: OpenVPN, not pptp). When your VPN is properly set up, all your connections are forced through the VPN. If you start Tor at the top of that, tunneling Tor through VPN will work.

TODO: protection on linux needed. Do not to send something in clear,

  • when VPN connection breaks down
  • when VPN client crashes or gets terminated

Tunneling Proxy/SSH/VPN through Tor

user -> Tor -> Proxy/SSH/VPN

Read first: Tor Plus VPN and TorBOX VPN disclaimer.

You can tunnel through Tor first and add an additional proxy, SSH or VPN hop at the very end of that chain as your "exit node". The services you connect to, will not know, that you are using Tor (unless it's a "transparent proxy" in sense of sending http forwarded for, covered in the article linked above). This can be useful to evade Tor bans, for example, to visit websites or IRC networks who blacklisted Tor. Beware of the risks, this adds a "permanent exit node", read the related wiki article.

To do that, go to your Tor-Workstation and add the proxy, SSH or VPN normally, like you would have to do, if you wouldn't use the Tor-Gateway.

Protocol leaks still apply, thought to a lesser extend. Leaks would 'only' leak through Tor and you have best possible Protocol-Leak-Protection and Fingerprinting-Protection.

Tunneling proxy through Tor

user -> Tor -> proxy

Note, that the connection, between the Tor exit node and the proxy, is in most cases, not encrypted.

Proxy Settings Method

Very simply to set up. Simply add a proxy to your application's proxy settings or use a socksifier.

Transparent Proxying


You always have to keep in mind, which kind of data and which kind of proxy you are using. There are CGIproxies, http(s) proxies and socks4/4a/5 proxies.

In case you redirect the network layer directly with iptables, you need a TransPort. Unfortunately very few applications, do offer a TransPort. For example, Tor supports a TransPort. In most other cases, you need to translate the different kinds of data.

Due to the nature of Transparent Proxying, we need to redirect with iptables and end up with a "Trans data stream". Because most proxies are either http or socks we need to translate this. Below we discuss a few tools which help here, not all are required, depending on what you want to do.

Required reading:
Tor + VPN or Proxy


Tor is a socks proxy and also has a TransPort. Unfortunately, Tor can not be directly used as a http proxy. You must also keep in mind, that Tor does not support UDP, although it offers a DnsPort..

redsocks can also accept "Trans data streams" and can forward them to https, socks4 and socks5 proxies. Rather redsocks can convert UDP DNS queries to TCP DNS queries.

Privoxy is a http proxy and can also accept "Trans data streams", when accept-intercepted-requests is set to 1 in /etc/privoxy/config. Rather Privoxy is also able to forward traffic to so called parent proxies, those can be http(s) or socks4/4a/5 proxies.

Polipo is lighter, simpler and faster then Privoxy. Unfortunately, it can not handle "Trans data streams". It is a http proxy and can forward either to http or socks proxies.

JonDo is handy for testing and demonstration purposes. With free cascades it is a free, legal and reliable http proxy. Unfortunately https proxying (connect method) does not seem to be supported for JonDo free cascades. Although it's not a VPN, same as under TorBOX VPN disclaimer applies.

DNS resolution

The complication (and also advantage/feature) with transparent proxying is, that the internet application (browser, etc.) is not aware of the proxy. Therefore the internet application will attempt to do the DNS resolution itself using the system, not using the proxy. The DNS requests also must be considered. Since Tor does not support UDP, we have to transmit DNS queries via TCP.

It is impossible to resolve DNS directly on the proxy, when using the proxy as a transparent proxy, see TorBOX/OtherAnonymizingNetworks#TransparentProxyingMethod for explanation. You need an extra DNS server, which answers over TCP.

You have several options to resolve DNS.

Either leave the setup as it is, Tor's DnsPort and therefore the Tor exit nodes will still do the DNS requests. This is probable not what you want, since you wanted to cloak your identity with an additional proxy after Tor.

Alternatively you can use a public DNS resolver. The instructions for DNSCrypt by OpenDNS should work out of the box (tested). Also httpsdnsd by JonDos might work, but you'd need to make some changes (use httpsdnsd as a system wide, Tor-Workstation wide, DNS resolver, not just for a specific user account). Or perhaps also ttdnsd with Google could work. All DNS resolvers should work, as long TCP is supported and as long you are querying a TCP enabled DNS server.

DNSCrypt and httpsdnsd add the advantage, that neither the proxy nor the Tor exit node can sniff or manipulate your DNS requests, since they are encrypted and authenticated.

You can't simply add another public DNS resolver (i.e. OpenDNS or Google) to /etc/resolv.conf in Tor-Workstation (i.e. Tor -> public DNS resolver), it would have no effect, as explained under TorBOX's Tor-Workstation is firewalled.

Read the DNS related warnings.


Not finished yet. Not fully tested.

Everything on Tor-Workstation.

Instal privoxy.

sudo apt-get install privoxy

Open /etc/privoxy/config and change the following setting. This will enable privoxy's intercepting proxy feature.

accept-intercepted-requests 1

Add the following to /etc/privoxy/config as well.

# example http proxy
# change IP and port to your http proxy
#   TODO: not sure about a dot at the end or not.
#   example for JonDon http proxy, works with free cascades
#   note that JonDonym free cascades allow only outgoing ports 80 and 443
#   also note, that the JonDo http does not seem to support the connect method,
#   therefore SSL protected websites will not be accessible,
# can be reached, the https version not
#   http working
#   https not working (connect method not supported by JonDo)
#   UDP not supported by http(s) proxies
forward /
#   another example with a httpS proxy
#   http working
#   https working
#   UDP not supported by http(s) proxies
#forward /

# example socks4 / socks4a (you may drop the a from the example)
#   http working
#   https not working using privoxy
#        (probable not supported by privoxy)
#   https working using redsocks
#        (simply exchange privoxy port 8118 with redsocks port 12345)
#   UDP not supported by socks4 / socks4a proxies
#forward-socks4a / .

# example socks5
#     TODO: Test UDP.
#     http working
#     https working
#     UDP untested
#forward-socks5 / .

Get your proxy. For example, install JonDoConsole.

Add user jondo for JonDoConsole.

sudo adduser jondo

Create a new console tab.

su jondo

Start jondo. 1 2 3

jondoconsole ctrl

1 The first time you may have to use passwd instant of ctrl and set a password.
2 For debugging with ctrl switch. Press help to see all commands. status to see if you are connected.
3 Later you may autostart jondo or run without console/debugging using 'jondodaemon start' (status, help, stop, etc.).

Create a new console tab.

su jondo

Start httpsdnsd with debugging output. 1 2


1 The error "Use of uninitialized value $Net::SSLeay::proxyauth in concatenation (.) or string at blib/lib/Net/ (autosplit into blib/lib/auto/Net/SSLeay/ line 1824." is probable a bug and does not break this setup.
2 After the setup is working you can drop the debugging output and either autostart httpsdsnd or start ith with 'sudo httpsdnsd --runasdaemon --daemon-user=jondo'.

Create a and use this firewall rules.

## TODO: these iptables rules need review.

# This is a example setup using the JonDonym
# free cascades. All users traffic,
# expect the traffic for the linux user accounts
# jondo and privoxy, # will be transparently routed through the
# JonDo http proxy. Note that the JonDonym free cascades
# allow only outgoing ports 80 and 443.
# You can adapt this example setup to use any proxy you wish.

# For debugging/testing use this command in console.
# tail -f /var/log/syslog

# Note rules commented out with #****** basically work,
# only the combination of
# system DNS request -> iptables -> httpsdnsd -> Tor's TransPort -> JonDonym -> JonDo DNS servers
# is very unreliable. Working on a solution.
# As long as these rules are commented out, DNS is resolved through
# Tor's DnsPort.

# Flush old rules.
iptables -F
iptables -t nat -F
iptables -X

# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept connections to httpsdnsd, privoxy and JonDo.
iptables -t filter -A OUTPUT -p tcp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 8118 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 8118 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 4001 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 4001 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 4053 -j ACCEPT
iptables -t nat -A OUTPUT -p udp --dport 4053 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 8118 -j ACCEPT
iptables -t nat -A OUTPUT -p udp --dport 8118 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 4001 -j ACCEPT
iptables -t nat -A OUTPUT -p udp --dport 4001 -j ACCEPT

# httpsdnsd, privoxy and JonDo must be allowed to establish direct connections.
## TODO: usernames
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner privoxy
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner jondo
iptables -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner privoxy
iptables -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner jondo

# Redirect all other users DNS traffic to httpdnsd 4053.
## TODO: to port Privoxy 8118.
#****** iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 4053
#****** iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 4053

# Redirect all other users traffic to Privoxy 8118.
## Note: UDP functionality untested.
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 8118
#****** iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-port 8118

# Log blocked for debugging.
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables denied: "
iptables -t filter -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables denied FILTER: "
iptables -t nat -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables denied NAT: "

# Reject all other traffic.
#****** iptables -A OUTPUT -j REJECT

Tunneling SSH through Tor

user -> Tor -> SSH

This chapter is not about connecting to a SSH server as a client (see TorBOX in general and the Torify HOWTO). It is about adding an extra SSH tunnel after Tor.

Note, that even though SSH supports socks5, SSH is still not able to forward UDP on its own. Have a look the the source of that information. To summarize: to tunnel UDP over SSH client and shell admin need a special setup, which is for most shells, not going to happen.

A SSH tunnel will provide a local socks5 proxy. Create the SSH tunnel in the Tor-Workstation. From there you'll end up with a local socks5 proxy. You can use this socks5 proxy following the proxy instructions above. Once the SSH tunnel is established, there are not many differences, besides the difference already clarified above about UDP and that the warning about missing encryption to the proxy does not apply to SSH tunnels, since SSH is encrypted. The SSH process needs to be allowed to access the internet directly, if you use transparent proxying, run the SSH process under an account, which is privileged to access the internet directly.

Tunneling VPN through Tor

user -> Tor -> VPN

Note, that you have to choose TCP transport, because Tor does not support UDP.

For users who configured applications to use SocksPort, instant of TransPort. (TorBOX's Tor-Gateway default setting for some applications, Tor Browser, ...!)

SocksPort is used to prevent Identity correlation through circuit sharing. As Tor Plus VPN explains, you have to keep in mind, a VPN behind Tor adds a permanent exit node.

Rather, all applications, which are configured to use SocksPort, will not be tunneled through the VPN. They will be "only" tunneled through Tor. This is because, the VPN will not touch connections to, which is the Tor-Gateway. For example, if you wish to tunnel through Tor -> VPN, you have to remove all proxy settings from Tor Browser. will tell you then "You are not using Tor." and you'll see your VPN's IP. In fact your VPN was tunneled through Tor first. (Because Tor-Workstation can not make any non-Tor connections by design, everything is tunneled over Tor.) When you stop your VPN for test reasons ('sudo /etc/init.d/openvpn stop'), it will show "You are using Tor." again.

While you are using a VPN behind Tor, you probable also may not be able to make use of the upcoming stream isolation feature, which is planed Tor Browser. (#3455) This is because Tor Browser would not talk to Tor directly anymore. Tor Browser would connect to the VPN instant.

VPN servers and VPN software can occasionally break down without announcement. Tor-Workstation will seamlessly continue to make "direct" connections through Tor once the VPN breaks down. This is not a TorBOX specific problem. Most users are simply not aware of it. This happens also with the common setup, where the VPN simply runs on a host. If you want to enforce, that the VPN is always tunneled over Tor, have a look at the modified routing table here.

Also note, that once Tor-Workstation gets rooted by malware, the VPN can be easily circumvented by the attacker and you are left to the protections by TorBOX and Tor.

By design, a VPN routes all your applications (those without any proxy settings, as explained above) through the VPN. You may not want this, as explained above (Identity correlation through circuit sharing). To circumvent that, you should use this Tor-Workstation only for the particular application you want to route through the VPN, read Recommendation to use multiple Tor-Workstations.

A Free example VPN working with TorBOX for testing purposes

Read first TorBOX VPN disclaimer.

Can be either:

The purpose of this chapter is mainly to demonstrate, how easy it is, to add a VPN to TorBOX. Unfortunately drops many TCP and UDP ports beside ports 80 and 443. That limits it's usefulness for testing purposes, such as Tunneling UDP over Tor. If you know a less restrictive free VPN provider, we'd be thankful for a comment.

Install openvpn.

apt-get install openvpn

Register at and leaf no personal information. Use an extra e-mail address for registration, which you will never use for anything else. Login and download their OpenVPN package to /home/user. Unpack. The folder contains contains ca.cert, client.cert, client.key, README.txt (with list of their servers and ports). Rename the folder to securitykiss. Structure should be like /home/user/ca.cert etc.

'nano /etc/openvpn/client.conf', edit server IP and port and past it. (It's almost only the default openvpn client.conf with minor changes.)

# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 443
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /home/user/securitykiss/ca.crt
cert /home/user/securitykiss/client.crt
key /home/user/securitykiss/client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

To initially start the VPN type:

sudo /etc/init.d/openvpn start
sudo openvpn /etc/openvpn/client.conf

After rebooting the VPN will be automatically started.

If you do not wish to start the VPN automatically for some reason: 'nano /etc/default/openvpn'


Connect to a Tor Gateway on your local network using PPTP VPN

For what this is useful: PPTP is used because it's very easy to configure and well supported by all kind of devices. Compared to a proper set up with a hardware gateway between the internet and the devices you want to torify it's less secure but doesn't require any kind of hardware or network layout changes.

Moved to TorBOX/PPTP.

Hosting hidden services

Read first: TorBOX/SecurityAndHardening.

Hidden webserver

At your Tor-Gateway become root 'sudo su', edit your torrc 'nano /etc/tor/torrc' and add

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80

Check if your torrc is valid. '/etc/init.d/tor --verify-config'. Reload Tor '/etc/init.d/tor reload'. To find out your hidden service domain type 'less /var/lib/tor/hidden_service/hostname' and copy it to a safe place.

Now go to your Tor-Workstation. First we test if the Tor internet connection is working, for example start your Tor Browser and look if shows "Congratulations. Your browser is configured to use Tor.". If that is working, test if you can also visit hidden services in general, for test you might use DuckDuckGo search engine's hidden service. Proceed only if that is working.

We'd recommend thttpd, a light http server. Do not use Apache, because it is not recommend on and does leak critical information. As root 'sudo su', 'apt-get install httpd'. You have to edit the thttpd default configuration files.

Then 'nano /etc/default/thttpd' and change it.

# source:


See if the following configuration suits your needs. 'nano /etc/thttpd/thttpd.conf'

# source:

# /etc/thttpd/thttpd.conf


Inside /var/www you can create your index.html. 'nano /var/www/index.html'

<h1>Under Construction!</h1>

To start the server type '/etc/init.d/thttpd start'. On (default port 80) nothing should answer. Go to your browser and test if your webserver is locally reachable If that is so, you should be also able to reach your hidden service url.

Congratulation, you've set up a hidden webserver.

Possible help: Nikto Web Scanner

Vidalia for TorBOX

Not recommend. Better use Arm.

You have two possibility to get Vidalia. 1. Vidalia on the Host and 2. Vidalia on the Tor-Gateway. Each option has it's pros and cons, we'll discuss here.

1. Vidalia on the Host

Ok, this is an ugly hack, but it works. Vidalia can be installed on the host, in this example on a Windows host but you can most likely do it also on a Linux host. We have to 'trick' Vidalia because Vidalia really wants to start Tor.

You will be able to stop Tor using Vidalia, but not be able to start it again. Restarting Tor has to be done manually in console or ssh. "Start proxy application when Tor starts" will probable work (untested) but it will start it on the host and not on the Tor-Gateway. What also won't work are all settings which modify torrc, because our torrc will be just a dummy one and the real torrc is inside the Tor-Gateway. All settings in the settings, network tab won't work. Neither the "Sharing/Setup Relaying" tab will work (there will be instructions how to do it manually in torrc for the Tor-Gateway). Services tab will also not work, this is covered above under Hosting Hidden Services. The "Start Tor" button will actually not start Tor, but connect to the Control Port inside the Tor-Gateway. "View the network", "Use a New Identity" and "Message Log" should be functional.

  1. You need to ensure yourself, that port 9051 is firewalled on your host. It must not be accessible from the internet.
  2. Create a folder Vidalia somewhere you like it. Ensure that your current user account has the neccessary rights read, create, modify.
  3. Grab some dummy exe, for example cmd.exe from C:\Windows\System32\cmd.exe and copy it to your new Vidalia folder.
  4. Login as root 'sudo su'. Go to your Tor-Gateway and type in console.
    tor --hash-password password

This will result in something like


copy it into the clipboard.

  1. 'nano /etc/tor/torrc' and add
    ControlPort 9051
    HashedControlPassword 16:E61CFDC2FF3FDCDE605D8EDC3631F268B554612B0721E99F95588282B5
  1. 'nano /etc/' and look out for the following
    # Allow incoming SSH connections on the external interface
    iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT

and add additionally the following below

# Allow incomming Tor ControlPort connections on the external interface
iptables -A INPUT -i $EXT_IF -p tcp --dport 9051 -j ACCEPT
  1. Then go to your host and create a file named 'control_auth_cookie' inside your Vidalia folder. Insert the password only, this example we used "password". Choose your secure password. control_auth_cookie has no file extension, be sure that Windows will normally show you file extensions (like .exe, .pdf...), otherwise you will be probable unable to create a file without extension.
  1. We need a start file, otherwise Vidalia will use the default documents and settings folder. Call it 'vidalia.bat' and create it inside your Vidalia folder. The content of vidalia.bat must be
    start do_not_start.exe --datadir .\\
  1. And of course you will be needing the Vidalia binaries. Download the Tor Browser Bundle for your platform. Go to '\Tor Browser\App\' and copy the following files into your Vidalia directory.

tor.exe and tor-resolv.exe will not be needed (we have our own dummy tor.exe).

  1. Rename vidalia.exe to do_not_start.exe.
  1. Create a file called 'vidalia.conf' inside your Vidalia directory. The content must be
  1. Create a file torrc inside your Vidalia directory, leave it empty, it's just another dummy file for Vidalia's fate.
  1. In the Tor-Gateway VM network settings. Set up Port Forwarding: within the "Adapter 1" tab click "Advanced", then Port Forwarding. Insert a new rule as follows: Name: Vidalia; Protocol: TCP; Host IP:; Host Port: 9052; Guest IP: leave blank; Guest Port: 9051
  1. That's it. From now you can vidalia.bat. For your convinience create a shortcut of vidalia.bat on your desktop.

((Optional, for debugging if you have problems.
We test if the IP/Port is reachable from the host. 'telnet 9051', press enter should say "514 Authenication required."))

((Vidalia FAQ))

2. Vidalia on the Tor-Gateway

Install a "minimal" desktop environment on the Tor-Gateway:

sudo apt-get install xinit xterm openbox vidalia

You'll be asked to add your user to the debian-tor group. Do so! To apply this change you need to log out (type 'exit') and log in again. Then use 'startx' from the console to launch the graphical desktop. Right-click on the desktop to open the menu, open a terminal and from that launch vidalia. A more user-friendly graphical environment would drastically increase RAM requirements and attack surface.

Do not be tempted to use Tor-Gateway as a client OS! Also remember that anything you do on the gateway is NOT routed through Tor.

Arm - "anonymizing relay monitor"

This feature is activated on Tor-Gateway 0.2.0 and above.

Instead of Vidalia you could also try arm which is a console program. Install with:

sudo apt-get install tor-arm 

Footnote: It may complain about torrc valuse differing, this is a bug in arm.

How to safely transfer files between host, gateway and tor-workstation

Using filesharing built into the VM isn't very secure. Between the gateway and the host you can use ssh and scp but the tor-gateway is firewalled tightly (and you should leave it that way). A secure and quick way to transfer files to the client vm is to use iso files: On the host install genisoimage:
sudo apt-get install genisoimage
To create an iso "files.iso" containing the content of "folder":
mkisofs -o files.iso /path/to/folder
Now attach the iso to the VM. Mount it with
sudo mount /dev/sr0 /media/cdrom

This is intentionally one-way as the Tor-Workstation is inherently untrusted and should remain isolated to prevent side-channel attacks and covert channel leaks.

TorBOX implementation with just a single VM (Tor runs on host)

More info on TorBOX/OneVM

Using (private) (obfuscated) bridges

More info on TorBOX/bridges

Hosting a (private) (obfuscated) bridge or (exit) relay

You can still volunteer to Tor and host a bridge, private bridge, obfuscated bridge, private obfuscated bridge, middle node or exit relay when you are using TorBOX. Either inside the Tor-Gateway or directly on the host.

Inside the Tor-Gateway

Simply follow all the usual instructions given on inside the Tor-Gateway just as you would, if Tor wouldn't run inside a virtual machine. The only additional thing to do is to set up a port forwarding from the host to the virtual machine. That is simple. For a similar example see Step 3 – How To Install - Install and Configure Tor-Gateway, under 'Set up Port Forwarding'. Just exchange the name and the ports, the rest is the same.

What's left are the firewall rules. On the Tor-Gateway 'sudo nano /etc/' and look out for

# Allow incoming SSH connections on the external interface
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT

below that simply add similar

# Tor
iptables -A INPUT -i $EXT_IF -p tcp --dport YOURPORT -j ACCEPT

On the host

And if you do not like using the Tor-Gateway for this purpose, you can still host it directly on the host, simply follow the usual instructions on

Hide the fact that you are using Tor/TorBOX

Depending on how restricted your area is and how paranoid you are, you may want to hide the fact from your provider, that you are a Tor user. That's very tricky to archive. Be very careful. Here are some tips:

TorBOX users are most likely Tor power users. They are more paranoid then normal Tor users. And adversaries might ask themselves why. TorBOX users most likely host hidden services or do other fancy stuff over Tor.

Use either private and obfuscated bridges or a VPN/SSH proxy. It's most secure if you combine both ways.


  • Download Tor through a trusted internet service provider (in your [home] country) or through SSH or VPN (or before entering a hostile environment).
  • Setup the SSH/VPN tunnel or the private obfuscated bridges first. (Depending on what you want to use, read below.)
  • Remove your internet connection while installing. (Tor starts and connects automatically after installing the .deb.)
  • If you run apt-get update/upgrade on the Tor-Gateway this will leak that you are using the torproject repository! Activate #OptionalFeatureNr.1# in ~/ to download all updates over Tor and to prevent any non-Tor emissions. If you keep care, to tunnel Tor through SSH or VPN, there will be no other traffic, except traffic to SSH or VPN.
  • Another issue for hiding your TorBOX usage is installing or downloading TorBOX. If you download TorBOX form that download will go unencrypted and your internet service provider (or SSH/VPN provider) will learn, that you downloaded TorBOX. A workaround could be, to download TorBOX through the official Tor Browser Bundle. Or you can learn everything about TorBOX using the Tor Browser Bundle and build TorBOX from source. If you are doing so, that the tor-gateway script, will execute a specific set of apt-get commands, which could reveal to your internet service provider, that you are building TorBOX from source. If you understand the script you can also manually building TorBOX (or edit the script), without executing most of the apt-get commands. Also the Tor-Workstation script might reveal, you are installing TorBOX. To prevent that, choose -custom and check that the remaining essential modules do not issue suspicious network connectivity. The config_torbrowser module would get specific GPG public keys from the keyserver and execute specific wget commands.

Using a Proxy

Impossible! (The connection between you and your proxy is unencrypted. That goes for all proxies, http, socks4, socks4a, socks5.) Your ISP could still see, that you are connecting to the Tor network.

Using a SSH or VPN

See warnings above first. Tunnel all Tor related traffic first through a VPN or SSH server, this will hide the fact that you use Tor from your ISP. If the server is outside a national firewall this is also a way to circumvent Tor censorship.

If you do not trust any SSH or VPN providers, then anonymously host your own in a safe place.

Using private and obfuscated bridges

See warnings above first. Set up Tor to use private and obfuscated bridges. This makes it harder for ISPs and national firewalls to detect and block Tor but it does not prevent a dedicated adversary to find out that you are using Tor (research is ongoing, see obfsproxy).

TorBOX on Bare Metal

Using hardware instant of virtual machines. More secure. See Bare Metal Hints.

Anonymous 3G modem

Improves anonymity. See anonymous 3G modem.

Anonymous wifi adapter

Improves anonymity. See anonymous wifi adapter.

Other Anonymizing Networks

It's possible to use other anonymizing networks in together with TorBOX. Either in addition (tunneled through Tor) or as a replacement for Tor. See Other Anonymizing Networks.

Tunneling UDP over Tor

The Tor software does not support UDP itself yet. TorBOX provides a limited workaround for using UDP anyway, in the best possible secure manner.

Moved to TorBOX/OptionalConfigurations/TunnelingUDPoverTor.

Secondary DNS resolver

Normally Tor is used for DNS resolution. If you suspect a Tor exit node to tamper with DNS, you can get a second opinion from another non-Tor DNS server.

You shouldn't use other DNS resolvers than Tor over an extended amount of time. Although it's technically possible to replace DNS resolution completely (not using Tor for DNS resolution anymore), that is not recommend. That would add too much power to a single DNS server. Using a permanent DNS server is not recommend as not using a permanent Tor exit node.

Note, that even if you correctly set up all settings, it might happen that this won't work. Sometimes Tor or the DNS server causes a timeout. This gets even worse, when you additionally tunnel the DNS request (for example: Tor -> JonDonym -> DNS server).

DNSCrypt by OpenDNS

Although the official DNSCrypt website states, that a Linux version does not exit, this blog post suggests there is one.

This has nothing to do with DNSSEC, the differences of DNSSEC and DNSCrypt are well explained on the DNSCrypt website.

These instructions completely replace Tor's DNS resolver with opendns's dnscrypt for all users and the whole system. Not recommend for a longer amount of time, see warning above. Some hints are included how to do it only for a specific user account.

  1. Download the dnscrypt source code and unpack. You have to compile it. Get into the dnscrypt directory 'cd dnscrypt-proxy-...". Configure './configure", make 'make'.
  1. Start dnscrypt-proxy. 1 2 3 4 5 6
    sudo dnscrypt-proxy --tcp-only

1 '--tcp-only' is required since Tor does not support UDP. The UDP DNS request will immediately get truncated reply and a RFC-compliant resolver should repeat same query via TCP in this case. This is the case for Ubuntu's default DNS resolver. You can get some more information on UDP/TCP/DNS on the unrelated redsocks website.
2 To start it later in background (after debugging) add '--daemonize'.
3 '--help' to see all options.
4 Start up takes a few seconds "[INFO] Generating a new key pair", this is normal, wait. Until it's done, DNS will not work.
5 '--user=username' can and should be used to start the dnscrypt-proxy under a specific user account.
6 Since this instructions completely replace Tor's DNS resolver with opendns's dnscrypt for all users and the whole system, you could add '--local-port=5800' to let dnscrypt-proxy listen on port 5800. You would be able to add iptables rules to redirect only the DNS requests of a specific user account to opendns's dnscrypt, you can get some hints how to do that in the 'httpsdnsd by JonDos' chapter below, which would be a very similar setup.

  1. Edit your resolv.conf 'nano /etc/resolv.conf', comment out everything and add 'nameserver'.
  1. Check if it's working, there are several test pages on
  1. To shut it down you can use 'sudo killall dnscrypt-proxy' and don't forget to revert the changes in /etc/resolv.conf.

httpsdnsd by JonDos

Source: and also use it as a more verbose tutorial, but keep in mind that their tutorial is JonDonym specific, while this tutorial is Tor specific.

Everything inside your Tor-Workstation.


Install dependencies.

sudo apt-get install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl

Download httpsdnsd. (See source above in case download link changed.)



Go into the httpsdnsd folder.

cd httpsdnsd

Install httpsdnsd. 1

1 (It contains also a, if you want to uninstall it later.)


Add a new user for httpsdnsd.

sudo adduser --system --disabled-password --group httpsdns_daemon

Editing /etc/resolv.conf is not required. (You still could out comment everything against DNS leaks.)

Create a firewall script.


Insert these firewall rules.

# Flush old rules
iptables -F
iptables -t nat -F
iptables -X

# Redirect DNS traffic to httpdnsd.
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 53 -j REDIRECT --to-ports 4053

# Accept connections to the httpdnsd.
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 4053 -j ACCEPT

# Reject all other traffic for anonuser.
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT

Install Privoxy. 1

1 Wiki Version 95 of this site contains a working example using Polipo. Changed later to Privoxy, because Privoxy can be useful for other tasks as well. (Incomming: TransPort, http proxy; forwarding: http and socks.)

sudo apt-get install privoxy

Open the privoxy configuration file.

nano /etc/privoxy/config

Add the following to your privoxy configuration file. Note Identity correlation through circuit sharing and change the port from 9100 to something else.

# Theoretically you can tunnel through any
# http or socks proxy. Local or remote proxy.
# Inside Tor-Workstation, due to design,
# everything will be tunneled through Tor first.

# Using Tor's socks5 proxy, running on Tor-Gateway. 
# Change the port, see above...
forward-socks5 / .

# Another example using a http proxy.
# (In this case, JonDo running on localhost.)
# forward /

Restart privoxy to enable the changes.

sudo /etc/init.d/privoxy restart

Privoxy is now listening on 2

2 For debugging you can enter this IP/port into Tor Browser as http proxy and try if you can still reach Deactivate after testing.


Run httpsdnsd. 1 2 3 4

1 For debugging, kill httpsdnsd and drop the --runasdaemon.
2 Run 'httpsdnsd --help' or 'man httpsdnsd' for help.
3 Httpsdnsd will by default listen on localhost port 4053 for DNS queries. 4 --https_proxy_port=8118 will redirect traffic to port 8118, where Privoxy is listening. This is necessary because Tor offers a socks proxy and httpsdnsd requires a http proxy. Privoxy translates from http to socks.

sudo httpsdnsd --https_proxy_port=8118 --runasdaemon

Activate the firewall. Shouldn't show any errors.

sudo ./


Open a console and switch to anonuser.

su anonuser

Resolve DNS.



Untested. Not done yet. In development. Please leave feedback if it worked for you.

Introduction into OnionCat
torproject wiki about OnionCat about OnionCat

OnionCat (Tor) might work with TorBOX. GarliCat (i2p) might partially work with TorBOX.

General debugging hints: there at multiple sources for issues, you might stumble upon. Therefore it's recommend, before you try using OnionCat with TorBOX, try first to successfully test OnionCat without TorBOX. As soon as you learnt that, it eliminated one source for possible issues (OnionCat) and can start learning how to use it with TorBOX (which might introduce new issues, but enhanced security will be your reward). You also have to learn first, how to use hidden services with TorBOX, see TorBOX/OptionalConfigurations#Hostinghiddenservices for reference.

Over Tor

As long you want to use OnionCat over Tor, it may work.

IPv6 is currently disabled on Tor-Gateway, because Tor doesn't support IPv6 yet, and we didn't see need for it. We also have no IPv6 firewall for Tor-Gateway yet, because it's disabled. Anyway, that will be probable no issue. IPv6 on Tor-Workstation, where OnionCat will be running, is enabled. Since only OnionCat's underlying operating system requires IPv6, but not the Tor process there will be probable no problem. OnionCat on Tor-Workstation will probable translate the IPv6 requests to IPv4 to the Tor process which is running on Tor-Gateway. Therefore probable no IPv6 on Tor-Gateway is required.

There instructions on look very promising. To use them with TorBOX, minor modifications are required. Follow the instructions on but execute the steps on the right machine, either on Tor-Gateway or on Tor-Workstation.

  1. Install ocat <-- on Tor-Workstation
  1. Create a hidden service <-- on Tor-Gateway
  1. Create the directory /etc/tor/ocat <-- on Tor-Gateway
  1. Find the hostname of your hidden service <-- on Tor-Gateway

Also possibly see TorBOX/OptionalConfigurations#Hostinghiddenservices for reference. Debugging: It's recommend to test if your hidden service is reachable first (for example, use test wise a hidden webserver), before you proceed with OnionCat.

  1. Start ocat <-- on Tor-Workstation
  1. Final nodes. <-- on Tor-Workstation

Over i2p

GarliCat over i2p might only work, if you use ip2 over Tor.

There was the idea to create an i2pBOX, but it never came to live due to lack of community interest, which means GarliCat directly over i2p will not be supported by TorBOX.

As soon as i2p over Tor is working, you can probable follow the instructions on without modifications.