Read first!!!

New Advice (March 2012)

Filesharing / Bittorrent

Just google for Bittorrent and Tor. What you will find is ethical advice "do not use Tor with Bittorrent as Tor isn't designed for that and can't handle the load" and technical advice.

  • use proxy settings to torify
  • use socks4a to prevent DNS leak

What's the problem with this?

  • no one cared to use a packet sniffer to see if it's working
  • the application does not honor the proxy settings
  • the protocol itself will leak your IP


'ssh' will leak your unix username. If you do 'ssh theloginyouwant@…' it will not leak your username. That is why we suggest to use non-identifying usernames to prevent such leaks in the first place.

Ssh inside Whonix should be safe.

More recent dedicated article ssh.
You may optionally view below SSH section as well.

Video streams

You can use streamlink with proxy settings.

streamlink --http-proxy socks5h:// --https-proxy socks5h:// --rtmp-proxy socks5h://<yourstream> 480p

In place of 480p you can use e.g. 720p, best. By default it will try to run vlc or another player that it finds; use the --player=<command> option to customize. Notice the socks5h scheme on the proxy URLs. The `h` means to do DNS lookups through the proxy; this is an artifact of the urllib3 library that streamlink uses underneath. If you use just plain socks5 instead of socks5h, you will definitely leak DNS requests.


Moved to doc/TorifyHOWTO/GnuPG.

TLS / SSL / https

TLS encrypted connections in a correctly torified (or default Tor Browser Bundle) Tor Browser are already anonymous.

You should not put too much trust into TLS. The upstream TLS (OpenSSL) is very strong, they make good use of cryptography. The problem lays in the browsers root certificate authorities. DigiNotar was compromised.; Comodo was compromised.

Tor Browser Bundle does pin the SSL certificate, see TBB: hardcode SSL cert check to prevent MITM.

To enhance the situation there are several ways:

  • Pin the SSL CA. This assumes, that the issuing SSL CA must be compromised. Therefore not any SSL CA can issue a fraudulent certificate. It's more secure, but not perfect.
  • Pin the SSL certificate directly. See Whonix Wiki about SSL certificate pinning. Easy if it's your own server, otherwise it's difficult. How do you initially get the SSL certificate? You most likely have to trust the root CAs once or ask the website to publish a GPG signed statement with their SSL fingerprint.
  • (For your own servers:) Use self signed certificates and check the fingerprint. The fingerprints must be shared over a pre-shared secure channel, such as a meeting (where you do not need to stay anonymosu) or GPG encrypted.
  • Use SSL alternatives. (Any reviews on their security?)

SSL Alternatives:

Old Advice (outdated)

Unix and Linux Configuration

(Basic Configuration Issues)

Warning: After reading this chapter, you should also look if there is also a specialized article for your application you are working with. (under browser, irc, etc.) Ensure you know everything about protocol leaks.

First, we assume you installed Privoxy or Polipo. Many applications can be set to use an HTTP proxy, and that will make your life much easier.

Under Unix and GNU/Linux, most HTTP capable applications, like lynx, wget and curl, will honor the value of the http_proxy environment variable. Some applications use all lower case, some all upper, so specify both to be safe.

Add the following lines to your $HOME/.bash_profile, $HOME/.bashrc, or env settings:

export http_proxy HTTP_PROXY

Mac OS X Configuration

(Basic Configuration Issues)

Warning: After reading this chapter, you should also look if there is also a specialized article for your application you are working with. (under browser, irc, etc.) Ensure you know everything about protocol leaks.

First, we assume that you downloaded the Vidalia Bundle and not the Browser Bundle. Vidalia comes with Tor and Polipo. Polipo is a pre-configured HTTP and HTTPS proxy server. Using it we can connect everything on our Mac that requires an internet connection to run through Tor!

Once Vidalia is installed open System Preferences, and open up your Network settings. Choose the network connection on the left hand side that you use to connect to the internet, and then click on the advanced button near the bottom right of the window. Go to the Proxies Tab.

You need to Select and set both the HTTP Web Proxy, and the HTTPS Secure Web Proxy server. Click on the proxy you are setting (remember to set both of them) Set the Web Proxy Server to: "localhost" without the quotes and set the Port to 8118. It is important that you set both the HTTP, and HTTPS proxies to these settings, otherwise only some of your data will be sent through Tor.


Warning: This is really only for apt. Graphical front ends such as Apper in KDE, Software Center or Gnome will most likely not be torified just by torifying apt.

Warning: This will only work for HTTP because Privoxy does not support FTP.

Look here for FTP. <-- (adrelanos) Not sure if FTP torification will torify apt's ftp traffic.

method 1

Add the following line to /etc/apt/apt.conf:

Acquire::http::Proxy "";

method 2

method 3


Wget (HTTP)

Wget will also respect the http_proxy enviroment variable, but you can edit /etc/wgetrc:

http_proxy = http://localhost:8118
use_proxy = on


curl --proxy "socks5h://localhost:9150" -L --1.1 --compressed --user-agent "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' url

Replace useragent with the relevant one from your TorBrowser's about:config general.useragent.override


More recent dedicated article ssh.

SSH: Method 1 (torify)

Simply run torify ssh <parameters> host if the host is not on a local network and you're done. You could additional use tor-resolve to transform the hostname into the IP address. Just use torify ssh <parameters> $(tor-resolve host).

SSH: Method 2 (connect)

These instructions should work on most *nix systems. Tested on Mac OS X 10.3.x and Debian GNU/Linux.

1 - Upgrade your SSH to an OpenSSH version that has Socks 5 support. The OpenSSH client that is shipped with Mac OS X 10.3 (aka Panther) - OpenSSH_3.6.1p1 - will not work correctly. Download, build and install the current stable version from the OpenSSH website. If you're using Mac OS X, using MacPorts may be easier for you.

2 - Download and build the connect source code, Connect will allow socket connections using SOCKS4/5 and HTTP tunnels. For detailed information on connect, please visit its

A pre-compiled version of connect for Mac OS X is available at (md5sum: b5180cb789813fc958209c58b99039fa)

Install connect into the /usr/local/bin directory.

3 - Add the following line to your ssh_config file located at: /etc/ssh/ssh_config (system-wide) or $HOME/.ssh/config (on a per-user basis).

If you used fink to install OpenSSH, it is located at /sw/etc/ssh/ssh_config.

ProxyCommand none
Host *
ProxyCommand /usr/local/bin/connect -4 -S %h %p

You should replace <PRIVATE_IPADDRESS> by those address which are defined in RFC 1918. This avoids it, that local IP addresses are sent through Tor. The last two lines instruct SSH to use connect as proxy and connect uses a SOCKS-server (-S) with SOCKS-version 4 (-4) to relay to port 9050 at localhost.

You may want to look up your SSH server's IP with tor-resolve and use the IP in place of a hostname; see the note on torsocks and DNS above.

SSH: Method 3 (socat)

Use as described above. One way to access an SSH server via Tor is to socat to make a tcp4 listener and relay to your local Tor client, then ssh to it. It's not the nicest way. Using OpenSSH, then you can use the ProxyCommand option in your ~/.ssh/config file, as follows:

Host MyHost-tor
ProxyCommand socat -,socksport=9050

Now you can simply use ssh MyHost-tor.

Similarly, if you have an SSH server running as a hidden service, then you will wish to ssh to it with minimal fuss.

Host MyHost-tor
ProxyCommand socat - SOCKS4A:localhost:MyHost.onion:22,socksport=9050

This method is more secure than using torsocks ssh MyHost.onion because ssh will first resolve the hostname, and then try to connect to it. This means that you lose by giving away your IP address during the DNS lookup.

Using wildcards and parameter expansions features of SSH you can put a single configuration for all .onion addresses:

Host *.onion
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050

If you want every SSH communication to go through Tor, you can even say :

Host *
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050

SSH: Method 4 (over HTTP using corkscrew)

Install the corkscrew TCP tunnel program and any HTTP proxy (Privoxy, Polipo, 3proxy) configured to go through Tor, as described in the Tor documentation or, in the case of 3proxy, in the POP3 section of this HOW-TO (substituting "pop3p" with "proxy" in the last line). The add the ProxyCommand option to the right host's section (or to the Host * section) in your configuration file, usually ~/.ssh/config:

ProxyCommand corkscrew 8118 %h %p

Change 8118 to the port number on which your HTTP proxy is listening.


Putty is a neat suite of programs for doing Telnet, SSH, SCP, etc. Instructions are here.


It is possible to run a (slow) vpnd through tor. How to setup this up is explained at

SubVersion (SVN)

Simply add the following lines:

http-proxy-host = localhost
http-proxy-port = 8118 

(NO spaces in front) to the "global" section in your servers file in your SubVersion's config directory ($HOME/.subversion on Linux).

This will only work for HTTP-based SVN connections, and you need a HTTP Proxy, like Privoxy. See Tor's docs for Polipo configuration details.


For HTTPS repositories GIT uses cURL. Add into config

	proxy = socks5h://localhost:9150
	sslVerify = true
	proxy = socks5h://localhost:9150
	sslVerify = true

to both prevent DNS leaks and route traffic through Tor. Protocol leaks need to be evaluated.


Install and start 3proxy, as described in FTP. Add the following line:


to the main section of your YUM configuration file (usually, this is /etc/yum.conf).

KsCD and KDE applications in general

KDE proxy settings are global for all KDE applications, thus identity correlation through circuit sharing is at risk'''

Bug 308682 - per application proxy settings

Go to the KDE Control Center - Network - Proxy and set everything as described Kongqueror and KonquerorFTP. Works for KsCD.

KDE Applications such as Kopete, Konversation (basically everything that is not http) respect only the global Socks proxy settings. In order to use them with Tor, you seed to first 'socksify' the environment, and redirect the socks proxy to Tor. To socksify KDE, we use Assuming you have Tor listening at, configure dante-client (the config file is usually at /etc/dante.conf) to forward all the requests to The comments in the default config file will help you edit it correctly. Then go to the Proxy settings in the KDE Control Panel -> Networking and enable socks support, choosing 'Dante'. Most other KDE applications should start working.

Warning : DNS requests will not go through Tor, and can probably be insecure. Also, depending on your network configuration or on an incorrect setting in dante.conf, it might not be possible to access the DNS server. You can try connecting via the IP address of the host to solve both problems.

XMMS - The X Multimedia System

Proxies for streaming media can only be set on a per-plugin basis. Open the Preferences window (Ctrl+P) and select the first tab (sound input/output plugins). Find a plugin that is used to play streaming media (like Ogg Vorbis or MPEG Layer 1/2/3) and hit "Configure". Select the "Streaming" tab (or find another place with network settings), enable proxying and (for HTTP transport) point the plugin to Privoxy (server, port 8118). Remember to increase the buffer size and/or initial buffer fill percentage.

nc (netcat)

To pass nc's traffic directly to Tor, use the followind command-line options:

nc -n -X 5 -x <target_host> <target_port>

Any TCP-based protocol

For any TCP-based protocol (telnet, ssh, nntp etc.), you can use TCP portmapping with 3proxy. For example, to map port 2200 of the local computer to port 22 (ssh) of my.ssh.server replace last string or add new string

tcppm -i127.0.0.1 2200 my.ssh.server 22

to the 3proxy configuration from POP3. Now you can do

ssh -p2200

to connect via SSH to my.ssh.server.

Last modified 10 days ago Last modified on Jan 7, 2018, 7:28:55 AM