wiki:doc/TorifyHOWTO/Misc

Version 71 (modified by Jaruga, 6 months ago)

Added wget example. Edited cURL instructions

Read first!!!

Misc. Torifying Advice

Filesharing / Bittorrent

Torrenting over Tor is strongly discouraged. It is not anonymous: BitTorrent clients leak the real IP address (for example through UDP tracker and DHT traffic, which Tor does not carry, and through the peer address the client itself announces to the tracker), and it puts a heavy load on a network that was not designed for bulk transfer. This harms every other person using it.

SSH

There is now a dedicated SSH article. The information that used to be in this section has been merged into it.

Video streams

You can use streamlink with its proxy options:

streamlink --http-proxy socks5h://127.0.0.1:9050/ --https-proxy socks5h://127.0.0.1:9050/ --rtmp-proxy socks5h://127.0.0.1:9050/ https://www.twitch.tv/<yourstream> 480p

In place of 480p you can use e.g. 720p or best. By default streamlink starts vlc or another player it finds; use the --player=<command> option to choose one. Notice the socks5h scheme on the proxy URLs. The h means the hostname is handed to the proxy (Tor) for resolution; the naming comes from the requests/urllib3 HTTP stack that streamlink uses. With plain socks5 the hostname is resolved locally, so you will definitely leak DNS requests. The proxy options cover only streamlink's own connections, not anything the player does on its own.

GnuPG

Moved to doc/TorifyHOWTO/GnuPG.

TLS / SSL / https

(adrelanos)
TLS-encrypted connections in a correctly torified browser (or the default Tor Browser Bundle) are already anonymous. Whether they are also authentic is a separate question.

You should not put too much trust into TLS. The cryptography and the TLS implementation are strong; the weak point is the browser's list of root certificate authorities, any one of which can issue a certificate for any site. DigiNotar was compromised; Comodo was compromised.

Tor Browser Bundle does pin the https://check.torproject.org SSL certificate, see TBB: hardcode SSL cert check to prevent MITM.

There are several ways to improve on this:

  • Pin the issuing CA. An attacker then has to compromise that particular CA rather than any CA in the root store, so not just any CA can issue a fraudulent certificate. More secure, but not perfect.
  • Pin the SSL certificate directly. See the Whonix Wiki about SSL certificate pinning. Easy if it is your own server, otherwise difficult: how do you get the genuine certificate in the first place? You most likely have to trust the root CAs once (trust on first use) or ask the site to publish a GPG-signed statement with its certificate fingerprint.
  • (For your own servers:) Use self-signed certificates and check the fingerprint. The fingerprint must be shared over a pre-shared secure channel, such as a meeting (where you do not need to stay anonymous) or a GPG-encrypted message.
  • Use SSL alternatives. (Any reviews on their security?)
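
The pinning steps above, carried out from a shell, as an added example that is not part of the original page or of any Tor project code. It computes the SHA-256 fingerprint a site operator would publish (in a GPG-signed statement, say), compares a certificate against such an out-of-band fingerprint, derives the public-key hash that curl's --pinnedpubkey option takes, and shows the curl invocation over Tor. It assumes openssl and curl are installed and Tor's SOCKS port is 127.0.0.1:9050; the self-signed certificate it generates is constructed on the spot so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original page: certificate pinning from the
# command line with openssl and curl. Assumed: openssl and curl installed,
# Tor's SOCKS port at 127.0.0.1:9050. The certificate below is generated on
# the spot so the script runs offline; in practice the fingerprint comes from
# the site operator over a trusted channel, never from the same TLS
# connection you are trying to verify.
set -e

# SHA-256 fingerprint of a PEM certificate as openssl prints it (AB:CD:...),
# which is the form a site would publish.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Base64 SHA-256 of the SubjectPublicKeyInfo: the value curl's --pinnedpubkey
# expects as "sha256//<value>". Pinning the key rather than the certificate
# survives certificate renewal as long as the key pair is kept.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Compare a certificate with an out-of-band fingerprint. Colons, spaces and
# letter case are normalised so a fingerprint copied from a mail still
# compares. Returns 0 on match, 1 on mismatch or unreadable certificate.
verify_pin() {
    got=$(cert_fingerprint "$1" 2>/dev/null | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Fetch a URL over Tor with the public key pinned. socks5h hands the hostname
# to Tor; --pinnedpubkey aborts the connection when the server key differs,
# even if the presented certificate chains to a trusted root (the CA
# compromise case). Not executed here because it needs a running Tor.
fetch_pinned() {
    curl --proxy socks5h://127.0.0.1:9050 --pinnedpubkey "sha256//$2" "$1"
}

# Offline demo with a throwaway self-signed certificate (constructed here).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=pin.example' \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
published=$(cert_fingerprint "$demo_dir/cert.pem")   # what the operator would publish
if verify_pin "$demo_dir/cert.pem" "$published"; then
    echo "certificate matches pinned fingerprint $published"
    echo "curl pin value: sha256//$(spki_pin "$demo_dir/cert.pem")"
fi
```

To use it against a real site, obtain the fingerprint or the sha256// value out of band, then call fetch_pinned with the URL and the pin; a mismatch makes curl exit non-zero before any request is sent, which is exactly the behaviour you want when a CA has been compromised.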

SSL Alternatives:

Wget (HTTP)

Quick note: wget sends a User-Agent that usually reveals both the wget version and the platform. For example, Tails 2.5 sends wget/1.16 (linux-gnu). Every operating system ships a different wget version at any given time, so an observer can make an educated guess at your operating system from that string alone. It is advisable to either fake your User-Agent (the one Tor Browser uses can be found by searching for general.useragent.override in about:config), use a common operating system like Ubuntu or Debian, or simply use a distribution like Tails that is designed to give all of its users one consistent anonymity set. Note that copying the User-Agent does not make wget look like Tor Browser to a careful observer: its other headers and its TLS handshake still differ.

In wget, the User-Agent is set with the -U or --user-agent option. An example:

wget -U "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" [urlhere]

Method 1: Torsocks

Wget can be torified by using Torsocks. This can be accomplished by simply typing:

torsocks wget [fileaddress]

Method 2: Proxy / Modifying wgetrc

Wget also honours the http_proxy and https_proxy environment variables (set both: with only http_proxy set, an https:// URL is fetched directly and bypasses Tor). Wget has no SOCKS support, so it cannot be pointed at Tor's port 9050 directly; it needs an HTTP proxy such as Privoxy that forwards to Tor. You can make the setting permanent by editing /etc/wgetrc (or ~/.wgetrc) after installing Privoxy or similar:

...
http_proxy = http://localhost:8118
https_proxy = http://localhost:8118
use_proxy = on
...

Please note port 8118 is simply the default port of Privoxy, and should be adjusted as per your local setup / software.

cURL

Method 1: Proxy Settings

cURL can be torified by simply using its --proxy argument. An example:

curl --proxy "socks5h://localhost:9050" --tlsv1.2 --compressed --user-agent "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'DNT: 1' [urlhere]

Note: replace the --user-agent value with the one from the general.useragent.override field in your Tor Browser's about:config, so that your requests blend in with the Tor Browser crowd. Anonymizing the User-Agent is important; --tlsv1.2 only sets the minimum TLS version and does not hide that the client is curl.

Method 2: Torsocks

torsocks curl [urlhere] works as well. Torsocks intercepts both the connection and the name lookups and sends them through Tor, so no --proxy option is needed.


Old Advice (outdated)

Quick note: Polipo has been obsolete for a while; it was removed from the Tor Browser Bundle in 2010. Wherever the instructions below invoke it, use torsocks (or the application's own SOCKS settings pointed at Tor) for anything that can speak SOCKS, and Privoxy where an HTTP proxy is required.

Unix and Linux Configuration

(Basic Configuration Issues)

Warning: after reading this chapter, also check whether there is a specialized article for the application you are working with (under browser, IRC, etc.), and make sure you know everything about protocol leaks.

First, we assume you installed Privoxy. Many applications can be set to use an HTTP proxy, and that will make your life much easier.

Under Unix and GNU/Linux, most HTTP-capable applications, like lynx, wget and curl, honour the http_proxy environment variable (and https_proxy for https:// URLs). Some applications read the all-lowercase name, some the all-uppercase one, so specify both to be safe, and set the https variants as well or HTTPS traffic will go direct.

Add the following lines to your $HOME/.bash_profile, $HOME/.bashrc, or env settings (8123 was Polipo's port; Privoxy's default is 8118, adjust to whichever proxy you run):

http_proxy=http://127.0.0.1:8118/
https_proxy=$http_proxy
HTTP_PROXY=$http_proxy
HTTPS_PROXY=$http_proxy
export http_proxy https_proxy HTTP_PROXY HTTPS_PROXY
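
As an added example (not from this page), here is a small POSIX shell snippet that sets the four variables and checks them before anything is fetched. It is written for the wget and cURL sections above as much as for this one: besides catching a missing https_proxy it rejects proxy URLs that do not point at loopback and proxy URLs whose scheme makes the client resolve hostnames locally (socks5:// and socks4://, as opposed to socks5h:// and socks4a://), which is the DNS leak the streamlink and cURL sections warn about. Privoxy on 127.0.0.1:8118 and Tor on 127.0.0.1:9050 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Sets the proxy environment
# that wget, curl and lynx honour and checks it for the usual mistakes.
# Assumed: Privoxy (HTTP proxy forwarding to Tor) on 127.0.0.1:8118, or Tor's
# SOCKS port on 127.0.0.1:9050 for tools such as curl that speak SOCKS.

# 0 if the proxy URL's scheme leaves name resolution to the proxy.
# http:// and https:// proxies get the whole URL, socks5h:// and socks4a://
# get the hostname; socks5:// and socks4:// make the client resolve names
# itself, which leaks DNS to the local resolver.
proxy_scheme_ok() {
    case "$1" in
        http://*|https://*|socks5h://*|socks4a://*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the proxy URL points at this machine (Tor/Privoxy on loopback).
proxy_host_is_local() {
    host=$(printf '%s' "$1" | sed -E 's#^[a-z0-9]+://##; s#/.*$##; s#:[0-9]+$##')
    case "$host" in
        127.*|localhost|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# Check all four variables. Prints each problem to stderr and returns 1 if
# anything is wrong. Setting only http_proxy is the classic mistake:
# https:// URLs then bypass the proxy entirely.
proxy_env_ok() {
    rc=0
    for var in http_proxy https_proxy HTTP_PROXY HTTPS_PROXY; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "$var is unset" >&2
            rc=1
            continue
        fi
        proxy_scheme_ok "$val" || { echo "$var=$val resolves names locally" >&2; rc=1; }
        proxy_host_is_local "$val" || { echo "$var=$val is not a local proxy" >&2; rc=1; }
    done
    return $rc
}

# Export lower- and upper-case names, for http and https, all pointing at the
# same proxy. Default is Privoxy; pass socks5h://127.0.0.1:9050 for curl
# (wget cannot speak SOCKS and needs the http:// form).
torify_env() {
    http_proxy="${1:-http://127.0.0.1:8118/}"
    https_proxy="$http_proxy"
    HTTP_PROXY="$http_proxy"
    HTTPS_PROXY="$http_proxy"
    export http_proxy https_proxy HTTP_PROXY HTTPS_PROXY
}

# Usage: . ./torify_env.sh; torify_env && proxy_env_ok && wget https://example.org/
```

Source the file rather than executing it so the exports land in your interactive shell; the check is cheap enough to run every time before a fetch.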

Mac OS X Configuration

(Basic Configuration Issues)

Warning: after reading this chapter, also check whether there is a specialized article for the application you are working with (under browser, IRC, etc.), and make sure you know everything about protocol leaks.

First, we assume that you downloaded the Vidalia Bundle and not the Browser Bundle. Vidalia comes with Tor and Privoxy, a pre-configured HTTP and HTTPS proxy server. Using it we can send everything on the Mac that honours the system proxy settings through Tor. (Applications that ignore those settings are not covered and will still connect directly.)

Once Vidalia is installed, open System Preferences, then Network. Choose the network connection on the left-hand side that you use to connect to the internet, click the Advanced button near the bottom right of the window and go to the Proxies tab.

You need to select and set both the Web Proxy (HTTP) and the Secure Web Proxy (HTTPS). Click on the proxy you are setting (remember to set both), set the server to localhost and the port to 8118. It is important that you set both the HTTP and the HTTPS proxy, otherwise only part of your traffic will be sent through Tor.

APT

Update: a dedicated APT page has been created, including information on apt-transport-tor. The deprecated information previously found in this subsection can now be found there. - Jaruga

SSH

More recent dedicated article: SSH. All information previously found here has been migrated to the new page.

Putty

Putty is a neat suite of programs for doing Telnet, SSH, SCP, etc. Instructions are here.

vpnd

It is possible to run a (slow) vpnd through tor. How to setup this up is explained at http://www.vanheusden.com/Linux/tt.html.

SubVersion (SVN)

Simply add the following lines:

http-proxy-host = localhost
http-proxy-port = 8118 

(with NO leading spaces) to the [global] section of the servers file in your Subversion config directory ($HOME/.subversion on Linux).

This only works for http:// and https:// repository URLs, and you need an HTTP proxy such as Privoxy. For svn:// and svn+ssh:// URLs the setting is ignored; wrap the svn command in torsocks instead.

GIT

Method 1: Torsocks

Using git with torsocks has been tested and proven not to leak for pulls. Push still has to be tested. (Checked Feb 27th, 2018)

(Old) Method 2: Curl Config

For HTTP(S) repositories git uses libcurl, so it accepts a curl-style proxy URL. Add to your git config (~/.gitconfig, or via git config --global http.proxy ...):

[http]
	proxy = socks5h://localhost:9150
	sslVerify = true

The socks5h scheme prevents DNS leaks (the name is resolved by Tor) and routes the traffic through Tor. Port 9150 is Tor Browser's SOCKS port; a system Tor service listens on 9050. Git has no [https] section: http.proxy applies to https:// remotes as well, and http.<url>.proxy (e.g. http.https://example.org/.proxy) limits it to one remote. Current evaluation needed.

YUM

Notice: YUM is deprecated. Instructions and testing are needed for DNF. (Jaruga)

Using 3proxy, Privoxy or a similar HTTP proxy program, add the following line to the [main] section of your YUM configuration file (usually /etc/yum.conf). DNF reads the same proxy= key in the [main] section of /etc/dnf/dnf.conf:

proxy=http://127.0.0.1:110

The port must match the one your HTTP proxy listens on (110 is just the port the local proxy was configured with in this example; Privoxy's default is 8118).

KsCD and KDE applications in general

KDE proxy settings are global for all KDE applications, so every KDE application shares the same Tor circuits and their activity can be correlated (identity correlation through circuit sharing).

Bug 308682 - per application proxy settings

Go to the KDE Control Center - Network - Proxy and set everything as described under Konqueror and KonquerorFTP. Works for KsCD.

KDE applications such as Kopete and Konversation (basically everything that is not HTTP) respect only the global SOCKS proxy settings. To use them with Tor, you need to first 'socksify' the environment and redirect the SOCKS proxy to Tor. To socksify KDE, we use the Dante client (http://linux.about.com/cs/linux101/g/danteclient.htm). Assuming you have Tor listening at 127.0.0.1:9050, configure dante-client (the config file is usually at /etc/dante.conf) to forward all requests to 127.0.0.1:9050. The comments in the default config file will help you edit it correctly. Then go to the proxy settings in the KDE Control Panel -> Networking, enable SOCKS support and choose 'Dante'. Most other KDE applications should start working.

Warning: DNS requests will not go through Tor and are probably not secure. Also, depending on your network configuration or on an incorrect setting in dante.conf, it might not be possible to reach the DNS server at all. Connecting via the IP address of the host sidesteps both problems. Dante's client configuration has a resolveprotocol option; check its socks.conf(5) man page for the setting that hands hostnames to the SOCKS server instead of resolving them locally, and verify with a packet capture that no DNS leaves the machine.

XMMS - The X Multimedia System

Proxies for streaming media can only be set on a per-plugin basis. Open the Preferences window (Ctrl+P) and select the first tab (sound input/output plugins). Find a plugin that is used to play streaming media (like Ogg Vorbis or MPEG Layer 1/2/3) and hit "Configure". Select the "Streaming" tab (or find another place with network settings), enable proxying and (for HTTP transport) point the plugin to Privoxy (server 127.0.0.1, port 8118). Remember to increase the buffer size and/or initial buffer fill percentage.

nc (netcat)

To pass nc's traffic directly to Tor, use the following command-line options (OpenBSD netcat syntax, the netcat-openbsd package on Debian; the traditional GNU netcat has no -X/-x options):

nc -n -X 5 -x 127.0.0.1:9050 <target_host> <target_port>

-X 5 selects SOCKS5, -x names the proxy, and -n disables local name lookups, so the target hostname is sent to Tor inside the SOCKS5 request and resolved at the exit (or, for a .onion address, inside the Tor network).

Any TCP-based protocol

For any TCP-based protocol (telnet, ssh, nntp etc.), you can use TCP port mapping with 3proxy. For example, to map port 2200 of the local computer to port 22 (ssh) of my.ssh.server, replace the last line of, or add a new line to, the 3proxy configuration from the POP3 section:

tcppm -i127.0.0.1 2200 my.ssh.server 22

Now you can do

ssh -p2200 127.0.0.1

to connect via SSH to my.ssh.server. This only goes through Tor if the 3proxy configuration sends outgoing connections to Tor with a parent line pointing at 127.0.0.1:9050; without it tcppm connects directly. Check the 3proxy documentation for the parent directive and for which parent type passes hostnames to the parent instead of resolving them locally, verify with a packet capture, and keep the -i127.0.0.1 binding so the mapped port is not reachable from the network.