This FAQ has been migrated to General FAQ. The answers in this FAQ may be old, incorrect, or obsolete.
- Copyright 2003-2006 Roger Dingledine
- Copyright 2004-2005 Nick Mathewson
- Copyright 2004 Douglas F. Calvert
- Copyright 2004-2006 Peter Palfrader
- Copyright 2005-2009 Andrew Lewman
- Copyright 2007 Matt D. Harris
- Copyright 2010 The Tor Project, Inc.
Distributed under the MIT license, see Legal Stuff for a full text.
Running Tor
[#P2P How can I share files anonymously through Tor?]
Answer moved to our new FAQ page
[#torrc I'm supposed to "edit my torrc". What does that mean?]
Answer moved to our new FAQ page
[#logs How do I set up logging, or see Tor's logs?]
Answer moved to our new FAQ page
[#loglevel What log level should I use?]
Answer moved to our new FAQ page
Do I have to open all these outbound ports on my firewall?
Answer moved to our new FAQ page
[#crashes My Tor keeps crashing].
Answer moved to our new FAQ page
[#DoesntWork I installed Tor and Polipo but it's not working.]
Answer moved to our new FAQ page
[#Isitworking How can I tell if Tor is working], and that my connections really are anonymized? Are there external servers that will test my connection?
Answer moved to our new FAQ page
How do I use my browser for ftp with Tor?
Answer moved to our new FAQ page
Will Torbutton be available for other browsers?
Answer moved to our new FAQ page
[#NoDataScrubbing Does Tor remove personal information] from the data my application sends?
Moved to https://www.torproject.org/docs/faq.html.en#NoDataScrubbing
I want to run my Tor client on a different computer than my applications.
Answer moved to our new FAQ page
How often does Tor change its paths?
Answer moved to our new FAQ page
Why does netstat show these outbound connections?
Answer moved to our new FAQ page
Tor uses hundreds of bytes for every IRC line. I can't afford that!
Answer moved to our new FAQ page
Can I control what nodes I use for entry/exit, or what country the nodes are in?
Answer moved to our new FAQ page
Google makes me solve a Captcha or tells me I have spyware installed.
Answer moved to our new FAQ page
Gmail warns me that my account may have been compromised.
Answer moved to our new FAQ page
[#ForeignGoogle Why does Google show up in foreign languages?]
Answer moved to our new FAQ page
How do I access Tor hidden services?
Answer moved to our new FAQ page
My Internet connection requires an HTTP or SOCKS proxy.
Answer moved to our new FAQ page
[#restrictedfirewall My firewall only allows a few outgoing ports].
Answer moved to our new FAQ page
[#defaultexitports Is there a list of default exit ports?]
Answer moved to our new FAQ page
What should I do if I can't use an http proxy with my application?
Answer moved to our new FAQ page
I keep seeing these warnings about SOCKS and DNS and information leaks. Should I worry?
Answer moved to our new FAQ page
[#SocksandDNS How do I check if my application] that uses SOCKS is leaking DNS requests?
Answer moved to our new FAQ page
Tor/Vidalia prompts for a password at start
Answer moved to our new FAQ page
Why do we need Polipo or Privoxy with Tor? Which is better?
You do not need one anymore. See https://www.torproject.org/docs/faq#TBBPolipo
Vidalia doesn't work in Windows 2000?
No. Vidalia doesn't work in Win2k because of a winsock DLL bug in Win2K. The explanation for why is here: http://msdn.microsoft.com/en-us/library/ms737931. If you don't want to recompile Vidalia yourself, this site offers a replacement DLL (with source) that appears to work: http://codemagnet.blogspot.com/2007/10/winsock2-replacement.html and http://martin.brenner.de/files/winsock2_getaddrinfo.rar
Tor Browser Bundle
There is no Flash in TBB!
Moved to https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash
I'm on OSX or Linux and I want to run another application through the Tor launched by Tor Browser Bundle. How do I predict my SOCKS port?
In Vidalia, go to Settings->Advanced and uncheck the box that says 'Configure ControlPort automatically'. Your SOCKS port will then be on 9050.
I need an HTTP proxy.
Moved to https://www.torproject.org/docs/faq#TBBPolipo
I want to leave Tor Browser Bundle running but close the browser.
Moved to https://www.torproject.org/docs/faq#TBBCloseBrowser
I want to use a different browser with Tor.
Answer moved to our new FAQ page
I want to install my favorite extension in TBB. How do I do it?
You can install extensions in TBB the same way you install them in a normal Firefox.
Do I have to reinstall my extensions every time I upgrade TBB?
If you are extracting a new TBB over the old TBB directory, assuming there are no version conflicts between a new Firefox and your old extensions, it should work. If it doesn't, please let us know by filing a bug.
Running a Tor relay
How do I decide if I should run a relay?
Moved to https://www.torproject.org/docs/faq.html.en#HowDoIDecide
Why isn't my relay being used more?
Moved to https://www.torproject.org/docs/faq.html.en#WhyIsntMyRelayBeingUsedMore
How can I get Tor to fully make use of my high capacity connection?
Moved to https://www.torproject.org/docs/faq.html.en#HighCapacityConnection
I'd run a relay, but I don't want to deal with abuse issues.
Answer moved to our new FAQ page
Do I get better anonymity if I run a relay?
Moved to https://www.torproject.org/docs/faq.html.en#BetterAnonymity
Why doesn't my Windows (or other OS) Tor relay run well?
Moved to https://www.torproject.org/docs/faq#BestOSForRelay
So I can just configure a nickname and ORPort and join the network?
Moved to https://www.torproject.org/docs/faq.html.en#JoinTheNetwork
I want to upgrade/move my relay. How do I keep the same key?
Answer moved to our new FAQ page
How do I run my Tor relay as an NT service?
Moved to https://www.torproject.org/docs/faq.html.en#NTService
[#Virtualserver Can I run a Tor relay from my virtual server account?]
Moved to https://www.torproject.org/docs/faq.html.en#VirtualServer
[#ManyRelays I want to run more than one relay.]
Answer moved to our new FAQ page
My relay is picking the wrong IP address.
Moved to https://www.torproject.org/docs/faq.html.en#WrongIP
I don't have a static IP.
Moved to https://www.torproject.org/docs/faq.html.en#IDontHaveAStaticIP
I'm behind a NAT/Firewall
Moved to https://www.torproject.org/docs/faq#BehindANAT
My cable/dsl modem keeps crashing. What's going on?
Moved to https://www.torproject.org/docs/faq.html.en#ModemKeepsCrashing
Why do I get portscanned more often when I run a Tor relay?
Moved to https://www.torproject.org/docs/faq.html.en#PortscannedMore
I have more than one CPU. Does this help?
Moved to https://www.torproject.org/docs/faq.html.en#MoreThanOneCPU
Why is my Tor relay using so much memory?
Answer moved to our new FAQ page
What bandwidth shaping options are available to Tor relays?
Moved to https://www.torproject.org/docs/faq.html.en#BandwidthShaping
Does BandwidthRate really work?
Moved to https://www.torproject.org/docs/faq.html.en#BandwidthShaping
How can I limit the total amount of bandwidth used by my Tor relay?
Moved to https://www.torproject.org/docs/faq.html.en#LimitTotalBandwidth
Why does my relay write more bytes onto the network than it reads?
Moved to https://www.torproject.org/docs/faq#RelayWritesMoreThanItReads
Note that in Tor 0.1.1.8-alpha and later, your relay is more intelligent about deciding whether to advertise its DirPort. The main change is to not advertise it if we're running at capacity and either a) we could hibernate or b) our capacity is under 50kB and we're using a DirPort above 1024.
Why can I not browse anymore after limiting bandwidth on my Tor relay?
Moved to https://www.torproject.org/docs/faq#Hibernation
How can I make my relay accessible to people stuck behind restrictive firewalls?
Expose your Tor relay on port 443 (HTTPS) so that people whose firewalls restrict them to HTTPS can still get to it. You should also expose your directory mirror on port 80 (this works even if Apache is already listening there, but it does not work for a bridge).
If you're using the version of Tor packaged for Debian (or Debian-based distributions like Ubuntu) then you can do this by setting orport to 443 and dirport to 80 in your relay's torrc.
However, if you aren't using Tor's deb package then this will take some more work. Binding to ports under 1024 usually requires you to run as root, and running Tor as root is not recommended (in case there are unknown exploitable bugs). Instead, you should configure Tor to advertise its orport as 443, but really bind to another port (such as 9001). Then, set up your computer to forward incoming connections from port 443 to port 9001.
The Tor side is pretty easy - just set this in your torrc file:
ORPort 443 NoListen
ORPort 0.0.0.0:9001 NoAdvertise
This will make your Tor relay listen for connections to any of its IPs on port 9001, but tell the world that it's listening on port 443 instead. Similarly, "DirPort 80" and "DirPort 0.0.0.0:9030 NoAdvertise" will bind to port 9030 locally but advertise port 80.
If your relay has multiple IP addresses and you want to advertise a port on an IP address that isn't your default IP, you can do this with Tor's "Address" config option.
Forwarding TCP connections is system dependent, however. Here are some possibilities (you can put them in your rc.local so they execute at boot):
- On Linux 2.4 or 2.6 (with iptables):
iptables -t nat -A PREROUTING -p tcp -d $IP --dport 443 \
-j DNAT --to-destination $IP:9001
Assuming you have a simple, consumer-level NAT gateway/firewall that is configured to forward TCP requests on port 443 of your external (WAN) IP to port 443 of your Tor relay, then "$IP", in the command above, refers to the internal (LAN) IP address of your Tor relay. Often (but not always), this will begin with 192.168....
- If you want to make this redirection work from localhost, add the following rule as well:
iptables -t nat -A OUTPUT -p tcp -d $external_IP --dport 443 \
-j DNAT --to-destination $internal_IP:9001
Here, "$internal_IP" is the same as "$IP" in the previous example, but "$external_IP" refers to the WAN IP of your gateway/firewall.
- When using shorewall (version 2.2.3) you may find it helpful to add something like this (inside /etc/shorewall/rules):
# DirPort $IP:9091 NoAdvertise #Listen address
DNAT net $FW:$IP:9091 tcp 80 - $IP
ACCEPT $FW:$IP net tcp 9091
# ORPort $IP:9090 NoAdvertise #Listen address
DNAT net $FW:$IP:9090 tcp 443 - $IP
ACCEPT $FW:$IP net tcp 9090
Don't forget to tune your default policy (/etc/shorewall/policy) so that it doesn't log those rules when they're triggered.
- With ssh (do not use in conjunction with DirPolicy):
ssh -fNL 443:localhost:9001 localhost
Note: if you get an error message "channel 2: open failed: connect failed: Connection refused", try replacing "localhost" with "127.0.0.1" in the ssh command.
- To offer your directory mirror on port 80, where apache is already listening, add this to your apache config:
<IfModule mod_proxy.c>
ProxyPass /tor/ http://localhost:9030/tor/
ProxyPassReverse /tor/ http://localhost:9030/tor/
</IfModule>
Ideally you wouldn't log those requests. That's not very hard either: remove your normal AccessLog, and use a CustomLog:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
...
SetEnvIf Request_URI "^/tor/" request_is_for_tor=yes
CustomLog /var/log/apache/combined.log combined env=!request_is_for_tor
CustomLog /dev/null common env=request_is_for_tor
Refer to the Apache documentation for why this works: http://httpd.apache.org/docs/mod/mod_log_config.html#customlog and http://httpd.apache.org/docs/mod/mod_setenvif.html
- If you have Nginx instead of Apache, add this to your config to achieve the same:
location /tor {
# Proxy all requests for /tor* to the DirPort
proxy_pass http://localhost:9030;
# But don't log them.
access_log off;
}
See http://wiki.nginx.org/NginxHttpProxyModule and http://wiki.nginx.org/HttpLogModule
- To offer your directory on port 80 when Apache (or anything else) is not listening, use a port redirection for the dirport, as per the orport method described earlier in this section.
- On Linux 2.4 or 2.6 (with iptables):
iptables -t nat -A PREROUTING -p tcp -d $IP --dport 80 \
-j DNAT --to-destination $IP:9030
- On OpenBSD/FreeBSD/NetBSD with PF (Tutorial). Assume you have a 3com 905b card connected to an Internet gateway.
# Redirect traffic coming in on xl0 from any:any to $IP:443 to localhost:9001
rdr on xl0 proto tcp from any to $IP port 443 -> $IP port 9001
- On Mac OS X (tested on Leopard, might work on Panther/Tiger as well):
sudo ipfw add fwd 127.0.0.1,9030 tcp from any to me 80 in
sudo ipfw add fwd 127.0.0.1,9001 tcp from any to me 443 in
- If you just use an external NAT router as your firewall, you only need to do the port forwarding through that.
Volunteers: please add advice for other platforms if you know how they work.
Bridge related questions
- See the Bridge manual for details on setting up, publicizing, understanding and troubleshooting your bridge.
- How long until a new bridge gets some traffic? Hard to answer. We're working on better feedback mechanisms for bridge operators.
Can I install Tor on a central server, and have my clients connect to it?
Moved to https://www.torproject.org/docs/faq.html.en#ServerClient
How do I provide a hidden service?
Moved to https://www.torproject.org/docs/faq.html.en#ProvideAHiddenService
What is the BadExit flag?
Moved to https://www.torproject.org/docs/faq#WhatIsTheBadExitFlag
I got the BadExit flag. Why did that happen?
Moved to https://www.torproject.org/docs/faq#IGotTheBadExitFlagWhyDidThatHappen
My relay recently got the Guard flag and traffic dropped by half!
https://www.torproject.org/docs/faq#MyRelayRecentlyGotTheGuardFlagAndTrafficDroppedByHalf
I'm facing legal trouble. How do I prove that my server was a Tor relay at a given time?
https://www.torproject.org/docs/faq#FacingLegalTrouble
I'm still having issues. Where can I get help?
Moved to https://www.torproject.org/docs/faq.html.en#SupportMail
Running an Onion Service
See NextGenOnions
How can I protect my Onion Service?
See "Tor Hidden (Onion) Services Best Practices" in https://www.torproject.org/docs/tor-onion-service.html.en#three
Start by running an onion server on a dedicated machine in a network enclave behind NAT and with intentionally invalid hostnames, so that any/all metadata that might leak in (say) Apache headers, is mostly useless; the NAT-internal network would be 10.0.0.0/24, the hostname "invalid.invalid", etc...
The other benefit of putting your onion servers in a NAT enclave is that you can lock down your guards to a limited set and drill holes in your firewall specifically for those, and then ban all other outgoing traffic from your machine; this will help prevent identification via DNS lookups, package update checks, pingbacks in your CMS stack, etc.
Then: work out for yourself how to do software updates via (say) a HTTP proxy + VPN.
How to audit an Onion Service to make sure that my IP can not easily be compromised?
For HTTP(S) servers:
- Ensure your clock is correct and is corrected automatically once or twice a day to reduce time skews
- If your server is exposed to the internet, ensure that one cannot hit your onionsite by specifying it in the host header on the clearnet. Ensure the onionsite is only listening on the internal IP.
- Similarly, ensure that your external website(s) are only listening on external IP addresses, and one cannot hit them over the onionsite by specifying them in the Host header
- Best case: run your service on a machine that has no external IP address and only internal IP addresses
- Check your SSL configuration and ensure your onionsite isn't sending a cert for external websites
- Don't run a relay and a hidden service on the same tor instance
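One way to check the "only listening on the internal IP" item from the list above, as an added example that is not part of the original FAQ: it compares the HiddenServicePort targets in a torrc with the listening sockets reported by `ss -H -tln` and reports any target port bound to a wildcard or external address. The torrc lines, socket listing and addresses are constructed sample input, and treating RFC 1918 and IPv6 ULA ranges as "internal" is an assumption.

```python
import ipaddress

# Assumption: these ranges are what counts as "internal" in your enclave.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample input (not from a real host).
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 127.0.0.1:8443
"""
SAMPLE_SS = """\
LISTEN 0 511  0.0.0.0:8080     0.0.0.0:*
LISTEN 0 511  127.0.0.1:8443   0.0.0.0:*
LISTEN 0 511  203.0.113.7:443  0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
"""

def parse_targets(torrc_text):
    """Return {target_port: virtual_port} for every HiddenServicePort line."""
    targets = {}
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "hiddenserviceport":
            continue
        virt = int(parts[1])
        target = parts[2] if len(parts) > 2 else str(virt)
        if target.startswith("unix:"):
            continue  # unix sockets are not reachable over the network
        targets[int(target.rsplit(":", 1)[-1])] = virt
    return targets

def parse_listeners(ss_text):
    """Return [(address, port)] for each LISTEN line of `ss -H -tln`."""
    listeners = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        addr = addr.split("%", 1)[0].strip("[]")  # drop scope id, brackets
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners

def classify(addr):
    """Label a bind address as wildcard, loopback, internal or external."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"

def audit(torrc_text, ss_text):
    """List onion backends that are reachable from outside the enclave."""
    targets = parse_targets(torrc_text)
    findings = []
    for addr, port in parse_listeners(ss_text):
        kind = classify(addr)
        if port in targets and kind in ("wildcard", "external"):
            findings.append((targets[port], port, addr, kind))
    return findings

if __name__ == "__main__":
    for virt, port, addr, kind in audit(SAMPLE_TORRC, SAMPLE_SS):
        print(f"onion port {virt}: backend :{port} bound to {addr} ({kind})")
```

In the sample, torrc points at 127.0.0.1:8080 but the web server itself is bound to 0.0.0.0:8080, which is the case the checklist item warns about.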
Then there are a ton of advice items for individual languages/frameworks. For example for PHP, don't expose phpinfo() or $_SERVER. Don't expose error messages.
There is a class of web attack called 'SSRF' or Server Side Request Forgery. The toehold of this attack is that you can induce the server to perform a connection. This could be through a DNS lookup, an XML DTD fetch, or other types of vulnerabilities. If an attacker can do this on your onionsite, they can trigger you to connect to their server and learn your server address. You can mitigate this by strict egress firewalling.
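The egress lock-down described under "How can I protect my Onion Service?" and the SSRF mitigation above can be checked against the live ruleset. This added example (not from the original FAQ) reads `iptables -S OUTPUT` output and reports every ACCEPT rule that is not loopback, reply traffic, or a pinned guard; the rule listing and the guard addresses are constructed.

```python
import shlex

# Constructed sample: guard relays this host is allowed to reach (IP, ORPort).
GUARDS = {("192.0.2.10", 9001), ("198.51.100.20", 443)}

# Constructed sample of `iptables -S OUTPUT` output.
SAMPLE_RULES = """\
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -d 198.51.100.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
"""

def parse_rule(line):
    """Turn one '-A OUTPUT ...' line into {option: value}."""
    tok = shlex.split(line)
    opts, i = {}, 2  # skip "-A OUTPUT"
    while i < len(tok):
        has_value = (tok[i].startswith("-") and i + 1 < len(tok)
                     and not tok[i + 1].startswith("-"))
        opts[tok[i]] = tok[i + 1] if has_value else ""
        i += 2 if has_value else 1
    return opts

def audit_egress(rules_text, guards):
    """Return [(kind, detail)] for anything that widens egress past the guards."""
    findings, policy = [], None
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("-P OUTPUT"):
            policy = line.split()[2]
            continue
        if not line.startswith("-A OUTPUT"):
            continue
        o = parse_rule(line)
        if o.get("-j") != "ACCEPT":
            continue
        if "!" in o:
            findings.append(("negated-match", line))  # review by hand
            continue
        if o.get("-o") == "lo":
            continue  # loopback: Tor to the local web server
        if "--ctstate" in o and "NEW" not in o["--ctstate"].split(","):
            continue  # replies on flows that were already permitted
        host, _, mask = o.get("-d", "").partition("/")
        port = o.get("--dport", "")
        allowed = (o.get("-p") == "tcp" and mask in ("", "32")
                   and port.isdigit() and (host, int(port)) in guards)
        if not allowed:
            findings.append(("not-a-guard", line))
    if policy != "DROP":
        findings.insert(0, ("policy", f"OUTPUT policy is {policy}, expected DROP"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_egress(SAMPLE_RULES, GUARDS):
        print(f"[{kind}] {detail}")
```

The one finding in the sample is the outbound DNS rule: with it in place, a forced lookup on the server still leaves the enclave.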
What attacks remain against onion routing?
Moved to https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting
Is there a list of things to do to try to hack my own site to try to find the IP?
Have a look at README_SECURITY.md in vanguards.
Development
Who is responsible for Tor?
Moved to https://www.torproject.org/docs/faq.html.en#WhoIsResponsible
What do these weird version numbers mean?
Moved to https://www.torproject.org/docs/faq.html.en#VersionNumbers
How do I set up my own private Tor network?
Moved to https://www.torproject.org/docs/faq.html.en#PrivateTorNetwork
How can I make my Java program use the Tor Network?
Moved to https://www.torproject.org/docs/faq.html.en#UseTorWithJava
What is libevent?
Moved to https://www.torproject.org/docs/faq.html.en#WhatIsLibevent
What do I need to do to get a new feature into Tor?
Moved to https://www.torproject.org/docs/faq.html.en#MyNewFeature
Anonymity and Security
What protections does Tor provide?
Moved to https://www.torproject.org/docs/faq.html.en#WhatProtectionsDoesTorProvide
Can exit nodes eavesdrop on communications? Isn't that bad?
https://www.torproject.org/docs/faq.html.en#CanExitNodesEavesdrop
What is Exit Enclaving?
Moved to https://www.torproject.org/docs/faq.html.en#ExitEnclaving
So I'm totally anonymous if I use Tor?
Moved to https://www.torproject.org/docs/faq.html.en#AmITotallyAnonymous
Please explain Tor's public key infrastructure.
Answer moved to our new FAQ page
Where can I learn more about anonymity?
Read these papers (especially the ones in boxes) to get up to speed on anonymous communication systems.
What's this about entry guard (formerly known as "helper") nodes?
Answer moved to our new FAQ page
What about powerful blocking mechanisms?
Moved to https://www.torproject.org/docs/faq#PowerfulBlockers
Does Tor resist "remote physical device fingerprinting"?
Moved to https://www.torproject.org/docs/faq.html.en#RemotePhysicalDeviceFingerprinting
Tor and VPN
See TorPlusVPN.
Aren't 10 proxies (proxychains) better than Tor with only 3 hops? - proxychains vs Tor
Moved to https://www.torproject.org/docs/faq.html.en#Proxychains
bridge vs non-bridge users anonymity
"How safe is it to use bridges compared to not using bridges?"
See tor-talk anonymity: bridge users vs. entry guard users question from proper and answer from Roger Dingledine.
Which Tor node knows what?
There is a lot of confusion about which Tor node knows what. Read How is Tor different from other proxies? and How Tor works as an introduction. The following comparison says the same thing, just as a different overview.
Bridge/guard
- knows:
  - the Tor user's IP/location
  - middle node's IP/location
- doesn't know:
  - IP/location of exit node
  - message for middle node
  - message for exit node
Middle node
- knows:
  - IP/location of bridge/guard
  - IP/location of exit node
- doesn't know:
  - Tor user's IP/location
  - message for the exit node
  - message for the bridge/guard
Exit node
- knows:
  - IP/location of middle node
  - content of the message from the user
    - When not using end-to-end encryption, such as SSL, or if end-to-end encryption is broken (malicious certificate authority; yes, this has happened):
      - For example, it knows things like:
        - "Someone wants to know what IP has the DNS name example.com, which is 1.2.3.4."
        - "Someone wants to view 1.2.3.4."
        - Date and time of transmission.
        - When fetching 1.2.3.4: the content of that transmission (what the site looks like).
        - A pattern: x amount of traffic sent from time y to time z.
        - "Login with username: exampleuser and password: examplepassword."
    - When using end-to-end encryption:
      - For example, it knows things like:
        - "Someone wants to know what IP has the DNS name example.com, which is 1.2.3.4."
        - "Someone wants to view 1.2.3.4."
        - Date and time of transmission.
        - When fetching 1.2.3.4: how much traffic has been transmitted.
        - A pattern: x amount of traffic sent from time y to time z.
- doesn't know:
  - Tor user's IP/location
  - bridge/guard's IP/location
  - message for the bridge/guard
  - message for the middle node
Another story
Overview as table
| | user | bridge node or entry guard | middle node | exit node |
|---|---|---|---|---|
| Tor user's IP/location | yes | yes | no | no |
| IP of bridge node or entry guard | yes | yes | yes | no |
| message for bridge node or entry guard | yes | yes | no | no |
| IP of middle node | yes | yes | yes | yes |
| message for middle node | yes | no | yes | no |
| IP of exit node | yes | no | yes | yes |
| message for exit node | yes | no | no | yes |
| IP of destination server | yes | no | no | yes |
| message for destination server | yes | no | no | yes |
Comments:
- Of course, everyone knows their own IP.
- Due to the nature of the internet, you know the IP/location of your predecessor and your successor.
- See above for details on what happens when using end-to-end encryption.
Alternate designs that we don't do (yet)
You should send padding so it's more secure.
Moved to https://www.torproject.org/docs/faq.html.en#SendPadding
You should make every Tor user be a relay.
Answer moved to our new FAQ page
You should transport all IP packets, not just TCP packets.
Answer moved to our new FAQ page
You should hide the list of Tor relays, so people can't block the exits.
Answer moved to our new FAQ page
You should let people choose their path length.
Moved to https://www.torproject.org/docs/faq.html.en#ChoosePathLength
You should split each connection over many paths.
Moved to https://www.torproject.org/docs/faq.html.en#SplitEachConnection
You should migrate application streams across circuits.
Moved to https://www.torproject.org/docs/faq.html.en#MigrateApplicationStreamsAcrossCircuits
- It's not just a 2/3 improvement, it is a thing that is simply necessary to truly anonymize hosts connected using a dynamic IP setup, like many consumer ISPs use them. Without the possibility to migrate streams, an attacker can examine which long-lived connections end when the observed person gets a new IP. By allowing stream migration, the connection can persist as if nothing had happened. This will make Tor a tool for more than anonymity, as it improves networking in general. Maybe it's not even that hard to implement. It could be gradually phased into the protocol. The first step would be to send sequencing information with the data stream. Future versions could then investigate possibilities for picking up the connections. Security should not be a problem as we are already using strong cryptography, which enables us to authenticate the stream owner.
You should let the network pick the path, not the client.
Moved to https://www.torproject.org/docs/faq#LetTheNetworkPickThePath
You should use steganography to hide Tor traffic.
Moved to https://www.torproject.org/docs/faq.html.en#Steganography
Your default exit policy should block unallocated net blocks too.
Moved to https://www.torproject.org/docs/faq.html.en#UnallocatedNetBlocks
Exit policies should be able to block websites, not just IP addresses
Moved to https://www.torproject.org/docs/faq.html.en#BlockWebsites
You should change Tor to prevent users from posting certain content.
Moved to https://www.torproject.org/docs/faq.html.en#BlockContent
Tor should support IPv6.
https://www.torproject.org/docs/faq.html.en#IPv6
Abuse
Doesn't Tor enable criminals to do bad things?
Moved to https://www.torproject.org/docs/faq.html.en#Criminals
How do I respond to my ISP about my exit relay?
Moved to https://www.torproject.org/docs/faq.html.en#RespondISP
Info to help with police or lawyers questions about exit relays
Moved to https://www.torproject.org/docs/faq.html.en#HelpPoliceOrLawyers