Changes between Version 62 and Version 63 of doc/TorifyHOWTO


Timestamp:
Apr 23, 2010, 4:49:01 AM (10 years ago)
Author:
trac
Comment:

--

  • doc/TorifyHOWTO

    v62 v63  
    1 #pragma section-numbers on
    21## Copyright (c) 2004 Thomas Sjogren.
    32## Distributed under the MIT license,
     
    65[:../:up to Tor]
    76
    8 Table of Contents
    9 [[TableOfContents]]
    107
    118= TORifying software HOWTO =
    129
    13 Note that this is a very brief document on how to make various programs use Tor as a proxy; you should read the documentation at [http://tor.eff.org tor.eff.org] first. Since most programs use similar locations for various settings, the following examples will get you going most of the time. If you're using anything that needs some exotic workarounds, or your distribution doesn't use SysV ({{{/etc/init.d/}}} startup scripts), for example, this guide currently won't help you a lot, since it is a bit bash and Debian specific. Feel free to edit this page; it's a Wiki, after all.
    14 
    15 == Basic Configuration Issues ==
    16 === Unix and Linux Configuration ===
    17 
    18 Under Unix and GNU/Linux, most HTTP capable applications, like {{{lynx}}}, {{{wget}}} and {{{curl}}}, will honor the value of the {{{http_proxy}}} environment variable. Some applications use all lower case, some all upper, so specify both to be safe.
    19 
    20 Add the following lines to your $HOME/.bash_profile, $HOME/.bashrc, or env settings:
    21 
     10Note that this is a very brief document on how to make various software use Tor as a proxy, you should read the documentation at [http://freehaven.net/tor/ freehaven/tor] first. Second, since most software, web browsers for example, uses similar locations for various settings the following examples will get you going most of the time. If you're using anything that needs a bit of configuration besides the ordinary or your distribution doesn't use /etc/init.d/ for example, this guide is a bit Bash and Debian specific, feel free to edit this page. It's Wiki after all.
     11
     12== 0. Basic Configuration Issues ==
     13=== 0.1 Unix and Linux Configuration ===
     14
     15Under Unix and GNU/Linux, most HTTP capable applications (i.e. lynx, wget, curl, etc.) will honor the value of the http_proxy environmental variable (some apps use all lower case, some all upper so specify both to be safe).
     16
     17Add the following lines to your .*profile, .bashrc, or env settings:
    2218{{{
    2319http_proxy=http://127.0.0.1:8118/
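Review bot: both versions tell the reader to set the lower- and upper-case proxy variables, yet the visible block shows only `http_proxy=http://127.0.0.1:8118/`; confirm that the elided lines of the same block also set `HTTP_PROXY` and `export` both names, because a bare assignment in `.bashrc` is not inherited by child processes such as wget or curl, and the result would be direct (un-proxied) fetches with no error. The v63 side also points at freehaven.net/tor where v62 points at tor.eff.org and strips the `{{{...}}}` markup around the program names and the variable; keep the v62 formatting and the current URL.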
     
    2622}}}
    2723
    28 [[Anchor(DNSNote)]]
    29 === About DNS and tsocks ===
    30 
    31 tsocks correctly replaces ''connect(2)'' calls with calls to your SOCKS proxy (Tor), but it doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.
    32 
    33 Other applications that use SOCKS 4 or SOCKS 5 directly often have the same shortcoming.
    34 
    35 Tor 0.0.8 (or later) has a workaround for this problem; until we can hack tsocks (or a work-alike) to support DNS, instead of using a hostname directly, first use {{{tor-resolve}}} to resolve the hostname into an IP (via Tor) and then use that IP address with your tsocks-ified application.
    36 
    37 See [:TheOnionRouter/TorFAQ#SOCKSAndDNS: the FAQ] for more information.
    38 
    39 [[Anchor(socat)]]
    40 === About socat ===
    41 
    42 [http://www.dest-unreach.org/socat/ socat] is a multipurpose relay for bidirectional data transfer.  It is possible to use socat as a general means by which programs agnostic of SOCKS can use Tor by connecting to a local TCP port.
    43 
    44  Socat (for SOcket CAT) establishes two bidirectional byte streams
    45  and transfers data between them. Data channels may be files, pipes,
    46  devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw,
    47  UDP, TCP, SSL). It provides forking, logging and tracing, different
    48  modes for interprocess communication and many more options.
    49 
    50  It can be used, for example, as a TCP relay (one-shot or daemon),
    51  as an external socksifier, as a shell interface to Unix sockets,
    52  as an IPv6 relay, as a netcat and rinetd replacement, to redirect
    53  TCP-oriented programs to a serial line, or to establish a relatively
    54  secure environment (su and chroot) for running client or server shell
    55  scripts inside network connections.
    56 
    57 Suppose that you wanted to connect to an IRC server running on barbaz.com, port 6667.
    58 
    59   {{{ socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:barbaz.com:6667,socksport=9050 }}}
    60 
    61 Connecting to localhost, port 4242, would then be equivalent to connecting to barbaz.com, port 6667, via Tor.
    62 
    63 What interests us most for Tor is that it supports socks4a redirection, allowing your client to connect
    64 to an hidden service. Assuming you want to join to an hidden irc server running on foo.onion on port 6667.
    65 
    66 You might want to start a local tunnel that forwards connection for local port 4242 to this service using Tor.
    67 
    68   {{{ socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:foo.onion:6667,socksport=9050 }}}
    69 
    70 '''Warning:''' socat versions up to and including 1.3.2.2 had a bug that would use SOCKS4A only
    71 when a direct DNS resolution attempt failed, thus possibly revealing which DNS names you
    72 accessed through socat. See [http://archives.seul.org/or/dev/Jul-2004/msg00000.html this post tor-dev] for details.
    73 
    74 == Web browsers ==
    75 === Konqueror ===
     24=== 0.2 About DNS and tsocks ===
     25
     26tsocks correctly replaces 'connect' calls with calls to your SOCKS proxy (Tor). But tsocks doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.
     27
     28Tor 0.0.8 has a workaround for this problem, until we can hack tsocks (or a work-alike) to support DNS. Instead of using a hostname directly, first use 'tor-resolve' to resolve the hostname into an IP (via Tor) and then use that IP address with your tsocks-ified application.
     29
     30== 1. Web browsers ==
     31=== 1.1 Konqueror ===
    7632
    7733Settings -> Configure Konqueror -> Proxy -> Manually Specify the proxy settings -> Setup
    78 
    7934{{{
    8035HTTP/S Proxy: 127.0.0.1 port 8118
    8136}}}
    8237
    83 Or edit {{{$HOME/.kde/share/config/kioslaverc}}}:
    84 
     38Or edit $HOME/.kde/share/config/kioslaverc
    8539{{{
    8640...
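Review bot: the v63 side deletes the whole "About socat" section, including the warning that socat releases up to 1.3.2.2 attempted a direct DNS lookup before falling back to SOCKS4A, and trims the tsocks/DNS note by dropping "Other applications that use SOCKS 4 or SOCKS 5 directly often have the same shortcoming", the "(or later)" after Tor 0.0.8 and the FAQ link. Those sentences are the leak warnings that every later section refers back to with "see the note on tsocks and DNS above", so the removal leaves dangling cross-references and loses the one caveat a reader most needs; suggest keeping the v62 text here. One addition for the socat one-liners themselves: `TCP4-LISTEN:4242,fork` listens on all interfaces, so any host that can reach that port is relayed through the local Tor client to the configured destination; on a machine that is not strictly single-user the listener should be restricted to loopback with socat's `bind=127.0.0.1` option.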
     
    9347}}}
    9448
    95 === Links ===
     49=== 1.2 Links ===
    9650
    9751Setup -> Network Options
    98 
    9952{{{
    10053HTTP Proxy:  127.0.0.1 port 8118
    10154}}}
    10255
    103 Or edit {{{/etc/links.cfg}}} (system-wide) or {{{$HOME/.links/links.cfg}}} (per-user):
    104 
    105 {{{
    106 ...
    107 http_proxy 127.0.0.1:8118
    108 ...
    109 }}}
    110 
    111 === Lynx ===
    112 
    113 Lynx will respect the {{{http_proxy}}} enviroment variable, but you can edit {{{/etc/lynx.cfg}}}:
     56Or edit $HOME/.links/links.cfg
     57{{{
     58...
     59http_proxy "127.0.0.1:8118"
     60...
     61}}}
     62
     63=== 1.3 Lynx ===
     64
     65Lynx will respect the http_proxy enviromental variable or you can edit /etc/lynx.cfg
    11466
    11567{{{
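Review bot: the two versions disagree on the links.cfg syntax, v62 writing `http_proxy 127.0.0.1:8118` and v63 writing `http_proxy "127.0.0.1:8118"`; only one of these is what links actually parses, so check against the installed version's own config file and keep a single variant rather than leaving readers to guess. v63 also drops the system-wide `/etc/links.cfg` path and keeps only `$HOME/.links/links.cfg`; both are worth listing, with the per-user file preferred where other users of the machine should not be affected. Spelling in both Lynx sentences: "enviroment" / "enviromental" should read "environment".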
     
    12274}}}
    12375
    124 === Mozilla Firefox ===
     76=== 1.4 Mozilla Firefox ===
    12577
    12678Edit -> Preferences -> General -> Connection Settings -> Manual proxy configuration
     
    13183}}}
    13284
    133 To change the proxy configuration for all Firefox users on your machine, edit the {{{/usr/lib/mozilla-firefox/greprefs/all.js}}} file:
     85To change the default configuration for the Firefox installation, edit the /usr/lib/mozilla-firefox/greprefs/all.js file.
    13486
    13587{{{
     
    148100}}}
    149101
    150 Also, Mac OS X users should change the above preferences by entering about:config in the URL bar because the firefox preferences dialog is a bit screwy.
    151 
    152 == Email ==
    153 === Fetchmail ===
    154 
    155 This isn't the most elegant solution, but it works. Rename your {{{/etc/init.d/fetchmail}}} file to {{{{fetchmail-orig}}}, for example, then save the script below as {{{/etc/init.d/fetchmail}}}, and restart fetchmail with {{{/etc/init.d/fetchmail restart}}}. Your mail will now be fetched through the Tor network.
     102=== 1.5 Wget ===
     103
     104Edit /etc/wgetrc
     105
     106{{{
     107...
     108http_proxy = http://localhost:8118
     109use_proxy = on
     110...
     111}}}
     112
     113== 2. Email ==
     114=== 2.1 Fetchmail ===
     115
     116This isn't the most beautiful solution but it works. Rename your /etc/init.d/fetchmail file to fetchmail-orig for example, use the script below as /etc/init.d/fetchmail, and restart fetchmail with {{{ /etc/init.d/fetchmail restart }}}. Your mail is now fetched thrugh the Tor network.
    156117
    157118{{{
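Review bot: replacing `/etc/init.d/fetchmail` with a wrapper that starts the daemon through tsocks has a failure mode the text should mention: a later package upgrade can quietly restore the distribution's init script, after which mail is fetched directly and nothing signals the change, so add a sentence telling the reader to re-check the script after upgrades and to verify that the running fetchmail connects to the local SOCKS port rather than to the mail server. Markup error on the v62 side: `{{{{fetchmail-orig}}}` has four opening braces and breaks the inline code rendering. v63 also removes the Mac OS X note that the Firefox proxy preferences have to be set through about:config; keep it unless the dialog problem is known to be fixed.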
     
    172133case "$1" in
    173134        start)
    174                 $DAEMON $FMINIT start
     135                $DAEMON $FMINIT start   
    175136                ;;
    176137        stop)
    177                 $DAEMON $FMINIT stop
     138                $DAEMON $FMINIT stop   
    178139                ;;
    179140        force-reload|restart)
     
    204165}}}
    205166
    206 An alternative configuration for fetchmail for those that prefer to start it on a per-user basis. Add the following to the user's {{{.bashrc}}}:
     167An alternative configuration for Fetchmail for those that prefer to start it on a per user basis. Add the following to the users .bashrc:
    207168{{{
    208169CONF_FILE="$HOME/.fetchmailrc"
     
    212173
    213174  function FetchMailAlive () {
    214     if test -f $CONF_FILE && test -f $FETCHMAIL; then
    215       if test -f $PID_FILE; then
     175    if test -f $CONF_FILE && test -f $FETCHMAIL; then 
     176      if test -f $PID_FILE; then 
    216177        if ! kill -0 `cut -d \  -f1 $PID_FILE` 2>/dev/null; then
    217178          eval $($TSOCKS $FETCHMAIL)
    218179          echo New FetchMail started. >&2
    219180        fi
    220       else
     181      else   
    221182        eval $($TSOCKS $FETCHMAIL)
    222183        echo New FetchMail started. >&2
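Review bot: `FetchMailAlive` guards on `test -f $CONF_FILE && test -f $FETCHMAIL` but never checks `$TSOCKS`; if that variable is empty or unset, `eval $($TSOCKS $FETCHMAIL)` expands to a plain fetchmail invocation and mail is fetched without Tor, silently. Add `test -x "$TSOCKS"` to the guard and quote the variables, since the paths are built from `$HOME`. The `eval $( ... )` wrapper is also unnecessary and risky: it executes whatever fetchmail prints to stdout as shell code, and running `"$TSOCKS" "$FETCHMAIL"` directly does the same job. The v62/v63 differences in this block are trailing whitespace only.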
     
    231192}}}
    232193
    233 Then it checks for a running fetchmail daemon every time a new shell is opened and starts one if needed.
    234 
    235 You may want to look up your mail server's IP with {{{tor-resolve}}} and use the IP in place
    236 of a hostname; see the note on tsocks and DNS above.
    237 
    238 == Instant messaging ==
    239 === Gaim ===
     194Then it checks for a running fetchmail daemon everytime a new shell is openned and starts one if needed.
     195
     196== 3. Instant messaging ==
     197=== 3.1 Gaim ===
    240198
    241199Preferences -> Network -> Proxy
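Review bot: v63 removes the reminder to look up the mail server's IP with tor-resolve and use it in place of a hostname, which is the page's mitigation for the tsocks DNS leak described earlier; the fetchmail wrapper above depends on tsocks, so this reminder applies directly and should stay with the fetchmail section. Minor: "everytime" and "openned" on the v63 side should be "every time" and "opened".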
     
    245203Port: 9050
    246204}}}
    247 
    248 See the note on tsocks and DNS above.
    249 
    250 === Psi ===
    251 
    252 [http://psi.affinix.com/ Psi] is a Jabber client with support for
    253 additional [http://www.jabber.org/jeps/jep-0027.html Jabber JEP-0027 encryption],
    254 with [http://www.gnupg.org/(en)/index.html GnuPG] and Socks 5 proxy support.
    255 
    256 Account Setup -> Modify -> Connection -> Proxy -> Edit -> New
    257 {{{
    258 Properties:
    259 Name: Tor
    260 Type: SOCKS Version 5
    261 Settings:
    262 Host: 127.0.0.1
    263 Port: 9050
    264 }}}
    265 
    266 
    267 See the note on tsocks and DNS above.
    268 
    269 == IRC/SILC ==
    270 === Irssi ===
    271 If you are running Privoxy, as recommended, you can just configure irssi's own proxy settings to use Privoxy as an HTTP proxy.
    272 Otherwise, you can run Irssi with {{{tsocks irssi}}}.  Unfortunately, as mentioned above, Irssi's own proxy configuration options are HTTP specific.
    273 
    274 For Gentoo and Debian users: {{{torify irssi}}}.  Note that torify is just a shell script that calls
    275 tsocks after setting the config file to /etc/tor/tor-tsocks.conf so it is not Gentoo/Debian specific.
    276 
    277 For OpenBSD users, you can either hack tsocks to work (as of 3.6 there is no port) or you can use dante.
    278 Dante is in the ports system.  A simple example config that works with irssi and Tor looks like this
    279 for `/etc/socks.conf` (client configuration only)
    280 {{{
    281 route {
    282         from: 0.0.0.0/0   to: 0.0.0.0/0  via: 127.0.0.1  port = 9050
    283         proxyprotocol: socks_v4
    284 }
    285 }}}
    286 and then you can run {{{socksify irssi}}} assuming that Tor is running on localhost:9050.
    287 
    288 You may want to look up your IRC server's IP with {{{tor-resolve}}} and use the IP in place
    289 of a hostname; see the [:#DNSNote: note on tsocks and DNS] above.
    290 
    291 === X-Chat ===
     205Tor servers usually forbids port 5190 tunnelling which is required for ICQ so we have to use Socks instead of the HTTP proxy.
     206
     207== 4. IRC/SILC ==
     208=== 4.1 Irssi ===
     209Add {{{ alias irssi='tsocks irssi'}}} to your .bashrc file.
     210
     211=== 4.2 Xchat ===
    292212Settings-> Preferences -> Network -> Network setup -> Proxy server
    293213{{{
    294214Hostname: 127.0.0.1
    295215Port: 9050
    296 Type: Socks5
    297 }}}
    298 
    299 See the note on tsocks and DNS above.
    300 
    301 === SILC ===
    302 Since the [http://www.silcnet.org SILC] client is based on Irssi, you can follow the same procedure to make it use Tor. Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet. More information about SILC is available at [http://www.silcnet.org its website].
    303 
    304 ==== Silky ====
    305 [http://silky.sf.net/ Silky] is a GTK2 SILC client. It does not currently support SOCKS, so the best way to make it work with Tor is using socat (IMO).:
    306 
    307 {{{ socat TCP4-LISTEN:6666 SOCKS4A:localhost:silc.silcnet.org:706,socksport=9050 }}}
    308 
    309 And then tell Silky to connect to localhost:6666.
    310 
    311 === BitchX ===
    312 In order to use [http://www.bitchx.org BitchX] with tor, you first need to get [http://proxychains.sourceforge.net ProxyChains], a *NIX-only HTTP and SOCKS proxy client.  On Debian systems, install the {{{proxychains}}} package.  Once installed, just add
    313 
    314 {{{
    315 socks5 127.0.0.1 9050
    316 http localhost 8118
    317 }}}
    318 to the ProxyChains config file at {{{~/.proxychains/proxychains.conf}}}.
    319 Now that it is configured, type {{{proxychains bitchx}}} at the command line.
    320 
    321 The gentoo build of proxychains seems to be broken on x86 arch.  Using {{{tsocks BitchX}}} or
    322 {{{torify BitchX}}} works well.
    323 
    324 You may want to look up your IRC server's IP with {{{tor-resolve}}} and use the IP in place
    325 of a hostname; see the note on tsocks and DNS above.
    326 
    327 == BitTorrent ==
    328 Same procedure as with BitchX, but using {{{proxychains btdownloadcurses}}}.
    329 
    330 === Azureus ===
    331 
    332 See [http://azureus.sourceforge.net/doc/AnonBT/].
    333 
    334 
    335 == Misc ==
    336 
    337 === GnuPG ===
    338 Add or edit the following lines in your {{{$HOME/.gnupg/gpg.conf}}}:
     216Type: Socks5
     217}}}
     218
     219=== 4.3 SILC-client ===
     220Since the SILC-client is based on irssi just add {{{ alias silc='tsocks silc' }}} to your .bashrc file. Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet. More information about SILC is available at [http://www.silcnet.org www.silcnet.org].
     221
     222== 5. BitTorrent ==
     223
     224=== 5.1 Azureus ===
     225
     226See [http://azureus.sourceforge.net/doc/AnonBT/]
     227
     228== 6. Misc ==
     229
     230=== 6.1 GnuPG ===
     231Add or edit the following lines in your .gnupg/gpg.conf:
    339232{{{
    340233keyserver x-hkp://yod73zr3y6wnm2sw.onion
    341234keyserver-options honor-http-proxy broken-http-proxy
    342235}}}
    343 You may obviously use any public keyserver, like {{{subkeys.pgp.net}}}, but hidden services are preferred. At the time of this writing. only two key servers running as hidden servers are publicly available -- [http://d3ettcpzlta6azsm.onion/ d3ettcpzlta6azsm.onion/ ] and [http://yod73zr3y6wnm2sw.onion yod73zr3y6wnm2sw.onion].
    344 
    345 After that is done, just run
     236The key server can of course be any key server available, subkeys.pgp.net for example, but hidden services are always nice. At the time of this writing only two key servers with a onion-address is publicly available: [http://d3ettcpzlta6azsm.onion/ d3ettcpzlta6azsm.onion/ ] and [http://yod73zr3y6wnm2sw.onion yod73zr3y6wnm2sw.onion].
     237
     238After that's done just do
    346239{{{
    347240export http_proxy=http://127.0.0.1:8118/
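Review bot: the Dante example for OpenBSD uses `proxyprotocol: socks_v4`; SOCKS4 carries only an IPv4 address, so `socksify irssi` has to resolve the server name locally before anything reaches Tor, which is precisely the leak the DNS note describes. The sentence that follows, "You may want to look up your IRC server's IP with tor-resolve", should therefore be stated as a requirement for that configuration, not an option. Beyond that, the v63 side replaces the Irssi, X-Chat, SILC and BitchX guidance with a bare `alias irssi='tsocks irssi'`, drops every "See the note on tsocks and DNS above" cross-reference, and removes the Psi, Silky and proxychains material; if v63 is the intended direction, the cross-references should at least survive. The v63 sentence about Tor servers forbidding port 5190 for ICQ is appended after the Gaim block with no heading; it belongs inside the Gaim section next to the SOCKS settings it justifies, and "forbids" should be "forbid".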
     
    349242}}}
    350243
    351 If you don't want to write the export line every time, you can add {{{ alias gpg='http_proxy=http://127.0.0.1:8118/ gpg' }}} to your .bashrc file as well; if you have set the {{{http_proxy}}} environment variable, you may skip this step.
    352 
    353 === Wget ===
    354 
    355 Wget will also respect the http_proxy enviroment variable, but you can edit {{{/etc/wgetrc}}}:
    356 
    357 {{{
    358 ...
    359 http_proxy = http://localhost:8118
    360 use_proxy = on
    361 ...
    362 }}}
    363 
    364 [[Anchor(sshconnect)]]
    365 === SSH: Method 1 (connect) ===
    366 
    367 These instructions should work on most *nix systems. Tested on Mac OS X 10.3.x and Debian GNU/Linux.
    368 
    369 1 - Upgrade your SSH to an OpenSSH version that has Socks 5 support. The OpenSSH client that is shipped with Mac OS X 10.3 (aka ''Panther'') - OpenSSH_3.6.1p1 - will not work correctly. Download, build and install the current stable version from the [http://www.openssh.org OpenSSH website]. If you're using Mac OS X, using [http://fink.sourceforge.net fink] may be easier for you.
    370 
    371 2  - Download and build the connect [http://www.taiyo.co.jp/~gotoh/ssh/connect.c source code]. Connect will allow socket connections using SOCKS4/5 and HTTP tunnels. For detailed information on connect, please visit its [http://www.taiyo.co.jp/~gotoh/ssh/connect.html website].
    372 
    373 A pre-compiled version of {{{connect}}} for Mac OS X is available [http://members.lycos.co.uk/hardapple/tools/connect.tar here]. (md5sum: b5180cb789813fc958209c58b99039fa)
    374 
    375 Install connect into the {{{/usr/local/bin}}} directory.
    376 
    377 3 - Add the following line to your {{{ssh_config}}} file located at: {{{/etc/ssh/ssh_config}}} (system-wide) or {{{$HOME/.ssh/config}}} (on a per-user basis).
    378   If you used fink to install OpenSSH, it is located at {{{/sw/etc/ssh/ssh_config}}}.
    379 
    380 {{{
    381 ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:9050 %h %p
    382 }}}
    383 
    384 All SSH connections will now go through tor.
    385 
    386 You may want to look up your SSH server's IP with {{{tor-resolve}}} and use the IP in place
    387 of a hostname; see the note on tsocks and DNS above.
    388 
    389 [[Anchor(sshsocat)]]
    390 === SSH: Method 2 (socat) ===
    391 
    392 Use [http://www.dest-unreach.org/socat/ socat] as described above.  One way to access an SSH server via Tor is to socat to make a tcp4 listener and relay to your local Tor client, then ssh to it. It's not the nicest way. Using OpenSSH, then you can use the {{{ProxyCommand}}} option in your {{{~/.ssh/config}}} file, as follows:
    393 
    394 {{{Host MyHost-tor
    395   ProxyCommand socat - SOCKS4A:localhost:barbaz.com:22,socksport=9050}}}
    396 
    397 Now you can simply use {{{ssh MyHost-tor}}}.
    398 
    399 Similarly, if you have an SSH server running as a hidden service, then you will wish to ssh to it with minimal fuss.
    400 
    401 {{{Host MyHost-tor
    402   ProxyCommand socat - SOCKS4A:localhost:MyHost.onion:22,socksport=9050}}}
    403 
    404 This method is more secure than using {{{tsocks ssh MyHost.onion}}} because ssh will first resolve the hostname, and then try to connect to it. This means that you lose by giving away your IP address during the DNS lookup.
    405 
    406 Using wildcards and parameter expansions features of SSH you can put a single configuration for all .onion addresses:
    407 
    408 {{{Host *.onion
    409   ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050}}}
    410 
    411 If you want ''every'' SSH communication to go through Tor, you can even say :
    412 
    413 {{{ Host *
    414   ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050}}}
    415 
    416 == Remailing ==
    417 
    418 This How-To is intended to increase the security and anonymity of Remailing for email and usenet to the *highest* possible level.
    419 
    420 In this How-To I detail the use of the remailer client QuickSilver; I use this example as QS is the client I use.  Antoher excellent, free and open-source client is Jack B. Nymble 2 (Panta's Mod); either client can use the routes I describe.
    421 
    422 This How-To details:
    423 
    424 A. How to route your SMTP & M2N messages (via. TLS) through QS > Stunnel > Tor > TLS SMTP/M2N
    425 
    426 B. How to download NG messages (via. TLS) through QS > Stunnel > Tor > NNTPS
    427 
    428 C. How to route your SMTP & M2N messages (via. Hidden Services) through QS > Tor > Hidden Services > SMTP/M2N
    429 
    430 D. How to download NG messages (via. Hidden Services) through QS > Tor > Hidden Services > NNTP
    431 
    432 {{{
    433 This How-To is written in laymen's lanuage; but it's not "dumbed down". }}}
    434 
    435 
    436 {{{
    437 These instructions should work fine for any OS, but I have only tested them on Windows XPHome (don't worry, I'm not an average Windoze user ;-) . }}}
    438 
    439 === TLS SMTP & Mail2News ===
    440 
    441 If you use remailers you should use TLS and Tor as these add a large amount of additional anonymity.  There are only a few remailers that accept TLS connections and offer non-standard SMTP ports; my favorite is mail.bananasplit.news, another good one is panta-rhei.dyndns.org.
    442 
    443 I assume you have a working knowledge of MixMaster, Reliable, Cyberpunks, PGP (6.5.8.ckt 08), Stunnel, QuickSilver (or JBN2 Panta mod) and Tor.
    444 
    445 All these programs and apps are free and open-source (except SocksCap).  Some programs (like SocksCap) are OS specific; you'll need to find a Socks forwarding program for your OS.
    446 
    447 ==== QS Remailers Statics & Key Rings HTTP Web Proxy ====
    448 
    449 You want to ensure QS accesses the remailer Stats page (which is HHTP) via. Tor.  I have tried to configure a route of QS > Privoxy > Tor > HTTP Stats DL Page; unfortunitly QS only hangs when I attempt this.
    450 
    451 {{{ Start QS > Tools > Remailers > Proxy:
    452 
    453 Proxy Host: 127.0.0.1
    454 Port: 9050
    455 Socks Level: Socks4a }}}
    456 
    457 ==== QS New Message Header Proxy Settings ====
    458 
    459 When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; disable it.
    460 
    461 {{{
    462 Start QS > header create/ message send window > uncheck the "use Proxy" box }}}
    463 
    464 ==== QS TLS SMTP Header Template ====
    465 
    466 This template will route QS traffic as so: QS > Stunnel (via. Sockscap) > Tor (via. port 2525) > mail.bananasplit.info > random remailer > ramdom remailer > itlay > reciepent.
    467 
    468 This template is an example of a config. message to hod.aarg.net; any SMTP mail will work.
    469 
    470 Copy and paste this into the headers section of the send mail window:
    471 
    472 {{{
    473 Tor: 127.0.0.1:9050,4a; write.what.you.want.here.com
    474 Host: 127.0.0.1:2525
    475 From: your nym here <your nym h...@hod.aarg.net>
    476 From: your nym here
    477 Chain: banana,*,*,italy; copies=6
    478 To: con...@hod.aarg.net
    479 Subject: test a
    480 Pgp: sign= your nym PGP here ; encrypt= your nym PGP here  }}}
    481 
    482 Note:  You need to hard code Banana as the first remailer in your chain if your going to use the Banana TLS Host.
    483 
    484 Note: You need to add a Banana HashCash Token to use Banana M2N; get HashCash here:
    485 
    486 ---- /!\ '''Edit conflict - other version:''' ----
    487  < http://www.panta-rhei.dyndns.org/downloads/ >
    488 
    489 ---- /!\ '''Edit conflict - your version:''' ----
    490  < http://www.panta-rhei.dyndns.org/downloads/ >
    491 
    492 ---- /!\ '''End of edit conflict''' ----
    493 
    494 ==== QS TLS SMTP M2N Template ====
    495 
    496 This template will route traffic to Usenet via. the route described above then on though Banana's M2N gateways.
    497 
    498 Copy and paste this into the headers section of the send mail window:
    499 
    500 
    501 {{{
    502 Tor: 127.0.0.1:9050,4a; write.what.you.want.here.com
    503 Host: 127.0.0.1:2525
    504 From: your nym here <your nym h...@hod.aarg.net>
    505 From: your nym here
    506 Chain: banana,*,*,italy; copies=6
    507 References:
    508 To: mail2news_munge@bananasplit.info,mail2news@bananasplit.info
    509 Newsgroups:
    510 X-Hashcash: You need Banana's HashCash Token to post via. M2N.
    511 Subject:
    512 Pgp: sign= your nym PGP here ; encrypt= your nym PGP here  }}}
    513 
    514 Note:  You need to hard code Banana as the first remailer in your chain if your going to use the Banana TLS Host.
    515 
    516 Note: You need to add a Banana HashCash Token to use Banana M2N; get HashCash here:
    517 
    518 ---- /!\ '''Edit conflict - other version:''' ----
    519  < http://www.panta-rhei.dyndns.org/downloads/ >
    520 
    521 ---- /!\ '''Edit conflict - your version:''' ----
    522  < http://www.panta-rhei.dyndns.org/downloads/ >
    523 
    524 ---- /!\ '''End of edit conflict''' ----
    525 
    526 ==== Configure Stunnel ====
    527 
    528 This template will accecpt QS traffic via. LocalHost (127.0.0.1); Port 2525 and use bananasplit as TLS host. 
    529 
    530 This template will work for sending TLS SMTP and TLS SMTP M2N.
    531 
    532 This template will work for downloading NG messages via. QS > Stunnel > Tor > new.bananasplit.info:5563
    533 
    534 Copy and paste this into your Stunnel .conf file:
    535 
    536 {{{
    537 debug = 7
    538 output = log.txt
    539 client = yes
    540 options = all
    541 RNDbytes =  2048
    542 RNDfile = bananarand.bin
    543 RNDoverwrite = yes
    544 
    545 [BANANA_TLS_SMTP]
    546 protocol = smtp
    547 accept  = 2525
    548 connect = mail.bananasplit.info:2525
    549 delay = no   
    550 #
    551 [BANANA_NNTPS_GROUPS]
    552 accept = 127.0.0.1:2000
    553 connect = news.bananasplit.info:5563
    554 delay = no  }}}
    555 
    556 ==== Configure SocksCap ====
    557 
    558 SocksCap will route traffic from Stunnel into Tor using Socks5.
    559 
    560 Import the address of Stunnel.exe shortcut into SocksCap; then when you want to use Stunnel click "Run Socksified".
    561 
    562 {{{
    563 Start SocksCap > File > Setup >
    564 
    565 127.0.0.1:9050
    566 Socks 5
    567 Resolve all names remotely }}}
    568 
    569 ==== Configure Tor ====
    570 
    571 Upgrade to current stable (or test) release; default setup.
    572 
    573 ==== DLing TLS NG Messages ====
    574 
    575 You can also setup QS to download on-topic messages from news.bananasplit.info via. QS > Stunnel > Tor >.
    576 
    577 All the setting requred you have already configured; all you need to do is confire the QS News Plugin (NNTP).
    578 
    579 
    580 ===== QS NNTP Account Manager Setup =====
    581 
    582 {{{
    583 Start QS > Tools > News Accounts >
    584 
    585 New > News Server > mail.bananasplit.info
    586 News Groups and Subjects > On-topic groups; use Esub for a.a.m }}}
    587 
    588 {{{
    589 Start QS > Tools > News Accounts > Proxy >
    590 
    591 Proxy Server > 127.0.0.1
    592 Proxy Port > 2000
    593 Socks Level > 5 }}}
    594 
    595 
    596 === Remailing SMTP & NNTP via. Tor Hidden Services ===
    597 
    598 Panta runs hidden services for remailing via. SMTP and reading on-topic security/anonymity NG's (posting disabled).
    599 
    600 Remailing via. SMTP and NNTP Hidden Services prevents an adavsary from knowing you use SMTP or NNTP.  I am not sure if this more secure than useing TLS but it seems more anonymous to me.
    601 
    602 Another advantage to using Hidden Services is they resist D.D.S. and D.O.S. attacts; as does the MixMaster network to a certain extent.
    603 
    604 ==== QS New Message Header Proxy Settings ====
    605  
    606 When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; enable it.
    607 
    608 {{{
    609 Start QS > header create/ message send window > check the "use Proxy" box >
    610 
    611 Proxy: 127.0.0.1:9050
    612 Socks4a
    613 Check the use Tor box }}}
    614 
    615 ==== QS SMTP Hidden Service Template ====
    616 
    617 This template will route SMTP traffic through the Hidden Service to Panta then on to your reciepent.
    618 
    619 Copy and paste this into the headers section of the send mail window:
    620 
    621 {{{
    622 Tor: 127.0.0.1:9050,4a; make.something.up.com
    623 Host: rjgcfnw4sd2jaqfu.onion
    624 From: your nym here <your nym h...@hod.aarg.net>
    625 From: f...@bar.com
    626 Chain: panta,*,*,italy; copies=6
    627 To: xxx@hod.aarg.net
    628 Subject: test a
    629 Pgp: sign= your nym PGP here ; encrypt= your nym PGP here }}}
    630 
    631 Note:  You need to hard code Panta as the first remailer in your chain if your going to use the Panta Hidden Service.
    632 
    633 Note: You need to add a Panta HashCash Token to use Panta M2N; get HashCash here:
    634 
    635 ---- /!\ '''Edit conflict - other version:''' ----
    636  < http://www.panta-rhei.dyndns.org/downloads/ >.
    637 
    638 ---- /!\ '''Edit conflict - your version:''' ----
    639  < http://www.panta-rhei.dyndns.org/downloads/ >.
    640 
    641 ---- /!\ '''End of edit conflict''' ----
    642 
==== QS SMTP M2N Hidden Service Template ====

This template routes traffic to Usenet via the route described above, then on through Panta's M2N gateways.

Copy and paste this into the headers section of the send mail window:

{{{
Tor: 127.0.0.1:9050,4a; make.something.up.com
Host: rjgcfnw4sd2jaqfu.onion
From: your nym here <your nym h...@hod.aarg.net>
From: f...@bar.com
Chain: panta,*,*,italy; copies=6
References:
To: mail2news-hashcash@panta-rhei.dyndns.org,mail2news-hashcash_nospam@panta-rhei.dyndns.org
X-Hashcash: You need Panta's HashCash Token to post via M2N.
Subject:
Pgp: sign= your nym PGP here ; encrypt= your nym PGP here
}}}

{{{
Note: Make sure to un-wrap the
"To: mail2news-hashcash@panta...,mail2news-hashcash_nospam@panta..." header
}}}

Note: You need to hard-code Panta as the first remailer in your chain if you're going to use the Panta hidden service.

Note: You need to add a Panta HashCash token to use Panta M2N; get HashCash here:

 < http://www.panta-rhei.dyndns.org/downloads/ >.

==== Configure Tor ====

Upgrade to the current stable (or testing) release; the default setup is enough.

==== Downloading Hidden Service Newsgroup Messages ====

You can also set up QS to download on-topic messages from rjgcfnw4sd2jaqfu.onion via QS > Tor.

All the settings required you have already configured; all you need to do is configure the QS News Plugin (NNTP).

===== QS NNTP Account Manager Setup =====

{{{
Start QS > Tools > News Accounts >

New > News Server > rjgcfnw4sd2jaqfu.onion
News Groups and Subjects > On-topic groups; use Esub for a.a.m
}}}

{{{
Start QS > Tools > News Accounts > Proxy >

Proxy Server > 127.0.0.1
Proxy Port > 9050
Socks Level > 4a
}}}

The Socks Level matters: with SOCKS4a the {{{.onion}}} name is handed to Tor unresolved, whereas plain SOCKS4 needs an IP address, so the client would try to resolve the name itself. That fails for a {{{.onion}}} name and, for any other name, leaks the lookup to your DNS resolver.

==== End Notes ====

A. Banana also offers NNTP and SMTP via Tor hidden services. ZAX's hidden services are down right now, but he's getting them up soon.

As far as I understand, you can post and download through Banana's hidden NNTP portal.

B. Occasionally when I download messages from Panta's hidden NNTP I get an error message from QS stating "1060 not a winsock err" (something to that effect). This is most likely caused by a problem with one of the Tor nodes.

In this case wait 2 minutes, then retry downloading from a.a.m. Every 60 seconds or so of inactivity Tor builds a new circuit, which should allow you access to the hidden services. If you still can't gain access to the hidden services, shut down and restart Tor and QS; that should do the trick.

C. Don't have Stunnel running in the system tray when you're using hidden services and QS; this causes QS to lock up and give me an "unable to wipe" error message, requiring a hard restart of QS.

=== Hidden Services Security Issues ===

==== Tor Rendezvous Node ====

The rendezvous node of the Tor network is where you and the Panta or Banana hidden service meet. IMHO the rendezvous node should be verified; by default it is unverified.

***NOTE: It is possible this tweak may decrease the overall anonymity of the Tor network. I don't think that forcing Tor to use verified rendezvous nodes will weaken its anonymity, as this tweak only slightly decreases the selection and number of nodes.

{{{
It may be wise to *not* apply this tweak at this time.  I am not an expert on Tor or Onion Routing so I can't say if this tweak should positively be applied or not.

>>I would like an expert's opinion on this matter please.<<
}}}

Rendezvous node tweak:

{{{
1. Open the torrc file

2. Find the section "client options"

3. Find the line labeled "AllowUnverifiedNodes middle,rendezvous"

4. Delete ",rendezvous" so the line reads "AllowUnverifiedNodes middle"

5. Save the file and close it

6. Restart Tor
}}}

Now the rendezvous node must have its PGP signature and Tor fingerprint, with a valid e-mail address, on file with the Tor directory servers (DirPort).

Check the manual page of the Tor release you are running before editing: this option belongs to older releases and was replaced later, and Tor refuses to start when torrc contains an option it does not recognise.

==== EHLO Greeting ====

There is a *large* anonymity hole in the use of remailers over Tor hidden services. When you talk SMTP to a remailer's hidden service, the EHLO greeting your mail client sends normally carries your real host name (and, in some clients, your IP address as an address literal), and the SMTP server at the far end sees and logs it. The Tor relays in between, including the entry and rendezvous nodes, only see encrypted cells, so the party this leak exposes you to is the hidden service operator, or anyone who gets hold of its logs.

QS spoofs the EHLO greeting (as does the JBN2 Panta mod), so your real host name and IP are not sent.

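The following is an added example, not code from QuickSilver, Tor, Panta or this HOWTO's author. It shows what the {{{Tor: 127.0.0.1:9050,4a; make.something.up.com}}} header of the templates above and the EHLO spoofing just described amount to on the wire: a SOCKS4a CONNECT request that hands the {{{.onion}}} name to Tor unresolved, followed by an SMTP EHLO that names the made-up host instead of the real machine. The QS news plugin's "Socks Level > 4a" setting produces the same CONNECT with the NNTP port. Assumptions not stated on this page: the name after the ';' in the QS header is taken to be the spoofed EHLO name, the hidden service is assumed to listen on port 25 for SMTP and 119 for NNTP, the function names are mine, and the SOCKS reply bytes are a constructed sample.

```python
"""SOCKS4a CONNECT to a .onion and a spoofed SMTP EHLO, as an offline demo.

Added example; not QuickSilver's, Tor's or Panta's code.  Ports 25/119 and
the meaning of the name after ';' in the QS "Tor:" header are assumptions.
"""
import socket
import struct
from typing import List

TOR_SOCKS = ("127.0.0.1", 9050)       # from the QS "Tor:" header
SPOOFED_EHLO = "make.something.up.com"  # assumed: the name QS greets with
PANTA_ONION = "rjgcfnw4sd2jaqfu.onion"  # from the templates above

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A                  # "request granted" code in a SOCKS4 reply


def is_ipv4_literal(host: str) -> bool:
    """True for a dotted-quad address, the only thing plain SOCKS4 can carry."""
    try:
        socket.inet_aton(host)
    except OSError:
        return False
    return host.count(".") == 3


def socks4a_connect_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4a CONNECT request for a host *name*.

    Layout: VN=4, CD=1, DSTPORT (big endian), DSTIP=0.0.0.1 (an invalid
    address that tells the proxy a name follows), USERID NUL, HOSTNAME NUL.
    The name reaches Tor unresolved, so no DNS query for it leaves the box.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if is_ipv4_literal(host):
        raise ValueError("SOCKS4a is for names; an IP literal needs no resolution")
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + bytes([0, 0, 0, 1])
            + userid + b"\x00"
            + host.encode("ascii") + b"\x00")


def parse_socks4_reply(reply: bytes) -> bool:
    """True if the 8-byte reply (VN=0, CD, port, addr) grants the request."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return reply[1] == REPLY_GRANTED


def ehlo_line(greeting_name: str) -> bytes:
    """The SMTP greeting as the client sends it.

    A stock mail client fills this from the real host name, which the SMTP
    server at the far end logs; the spoofing client substitutes a chosen name.
    """
    if not greeting_name or any(c.isspace() for c in greeting_name):
        raise ValueError("greeting name must be a single non-empty token")
    return b"EHLO " + greeting_name.encode("ascii") + b"\r\n"


def leaky_ehlo_line() -> bytes:
    """What a client that does not spoof sends: the real machine name."""
    return ehlo_line(socket.gethostname())


def smtp_via_tor_script(onion_host: str = PANTA_ONION, port: int = 25,
                        greeting_name: str = SPOOFED_EHLO) -> List[bytes]:
    """Client-side bytes for the hidden-service SMTP template: the SOCKS4a
    CONNECT sent to TOR_SOCKS, then the spoofed EHLO once Tor grants it."""
    return [socks4a_connect_request(onion_host, port), ehlo_line(greeting_name)]


# Constructed samples of Tor's reply: granted (0x5A) and rejected (0x5B).
SAMPLE_GRANT = b"\x00\x5a\x00\x00\x00\x00\x00\x00"
SAMPLE_REJECT = b"\x00\x5b\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for step in smtp_via_tor_script():
        print(step)
    print("granted" if parse_socks4_reply(SAMPLE_GRANT) else "rejected")
```

Compare {{{leaky_ehlo_line()}}} with {{{ehlo_line(SPOOFED_EHLO)}}} on your own machine to see exactly which string a non-spoofing client would hand to the remailer; the NNTP case is {{{socks4a_connect_request(PANTA_ONION, 119)}}} followed by the news plugin's own commands instead of an EHLO.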
=== Everyday Use ===

You're done! Now to use the monster you created:

==== TLS SMTP/M2N ====

A. Start QS

B. Start SocksCap

C. Start Stunnel via SocksCap

D. Start Tor

E. Use either template for TLS SMTP or M2N

==== TLS NNTPS Downloading ====

A. Start QS

B. Start SocksCap

C. Start Stunnel via SocksCap

D. Start Tor

E. Start the QS News Plugin

F. Select the News Account for "news.bananasplit.info"

G. Start downloading messages

==== Hidden Service SMTP/M2N ====

A. Start QS

B. Start Tor

C. Use either template for Hidden Service SMTP or M2N

==== Hidden Service NNTP ====

A. Start QS

B. Start Tor

C. Start the QS News Plugin

D. Select the News Account for "rjgcfnw4sd2jaqfu.onion"

E. Start downloading messages

=== Further Reading ===

Panta hidden service info & JBN/Tor:

 < http://www.panta-rhei.dyndns.org/pantawiki/HowToJbnAndTor >

Panta's website:

 < http://www.panta-rhei.dyndns.org/ >

Banana's website:

 < http://www.bananasplit.info/ >

Banana's TLS/SSL SMTP webpage:

 < http://www.bananasplit.info/mailtls.html >

Banana's Stunnel How-To webpage:

 < http://www.bananasplit.info/stunnel.html >

TLS@noreply:

 < http://www.noreply.org/tls/ >

QS website:

 < http://www.quicksilvermail.net/ >

=== In A Perfect World... ===

...SocksCap speaks SOCKS4a, and both Panta and Banana offer NNTPS and SMTP (TLS) via Tor hidden services on ports 563 and 2525 (or other ports).

This way we could use NNTPS and SMTP (TLS) through QS > Stunnel > Tor > hidden services > NNTPS/SMTP (TLS).

Thus we would have an encrypted end-to-end route through hidden services without an adversary knowing we're using anything but the Tor network.

I don't know if this is possible, as hidden services may not allow a Stunnel (TLS) forward, e.g.:

{{{
#[PANTA_TLS_SMTP_HIDDEN_SERVICES]
#accept = 2525
#connect = rjgcfnw4sd2jaqfu.onion
#delay = no
}}}

Or something of that nature...

The hidden-service side is not the obstacle: to Tor a hidden service is just a TCP listener, so it can carry TLS like anything else. The catch is on the client side: Stunnel resolves its {{{connect =}}} target with ordinary DNS, so a {{{.onion}}} name can only reach Tor if the socksifier passes the name to Tor unresolved (SOCKS4a, or SOCKS5 with a host name), which is exactly the SocksCap wish above.

If you don't want to write the export line every time you can add {{{ alias gpg='http_proxy=http://127.0.0.1:8118/ gpg' }}} to your .bashrc file as well.

== Credits ==

 * Dave Vehrs
 * Nick Mathewson
 * Thomas Hardly
 * tyranix
 * HereHere