Changes between Version 80 and Version 81 of doc/TorifyHOWTO


Timestamp:
Apr 23, 2010, 4:49:01 AM (10 years ago)
Author:
trac
Comment:

--

  • doc/TorifyHOWTO

    v80 v81  
    11#pragma section-numbers on
    22## Copyright (c) 2004 Thomas Sjogren.
    3 ## Copyright (C) 2004, 2005, 2006  Contributors
    43## Distributed under the MIT license,
    54## See ./LegalStuff for a full text
     5##Original version available at http://www.northernsecurity.net/articles/torify.html
    66[:../:up to Tor]
    7 
    8 = Torifying software HOWTO =
    9 
    10 This document explains how to configure particular programs to use Tor. It was originally written for
    11 a Linux/UNIX environment, but it should include some instructions for Windows and OS X users too. Please add your own Windows configurations to this document.
    12 
    13 Note that this is a very brief document on how to make various programs use Tor as a proxy; you should read the documentation at [http://tor.eff.org tor.eff.org] first. Since most programs use similar locations for various settings, the following examples will get you going most of the time. If you're using anything that needs some exotic workarounds, or your distribution doesn't use SysV ({{{/etc/init.d/}}} startup scripts), for example, this guide currently won't help you a lot, since it is a bit bash and Debian specific. Feel free to edit this page --- it's a Wiki, after all.
    14 
    157
    168Table of Contents
    179[[TableOfContents]]
    1810
    19 [[Anchor(BasicConfigIssues)]]
    20 = Basic Configuration Issues =
    21 [#BasicConfigIssues [link]]
    22 
    23 [[Anchor(UnixLinuxConfiguration)]]
    24 == Unix and Linux Configuration ==
    25 [#UnixLinuxConfiguration [link]]
    26 
    27 First, we assume you installed Privoxy. Many applications can be set to use an http proxy,
    28 and that will make your life much easier.
     11= TORifying software HOWTO =
     12
     13Note that this is a very brief document on how to make various programs use Tor as a proxy; you should read the documentation at [http://tor.eff.org tor.eff.org] first. Since most programs use similar locations for various settings, the following examples will get you going most of the time. If you're using anything that needs some exotic workarounds, or your distribution doesn't use SysV ({{{/etc/init.d/}}} startup scripts), for example, this guide currently won't help you a lot, since it is a bit bash and Debian specific. Feel free to edit this page; it's a Wiki, after all.
     14
     15== Basic Configuration Issues ==
     16=== Unix and Linux Configuration ===
    2917
    3018Under Unix and GNU/Linux, most HTTP capable applications, like {{{lynx}}}, {{{wget}}} and {{{curl}}}, will honor the value of the {{{http_proxy}}} environment variable. Some applications use all lower case, some all upper, so specify both to be safe.
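Review bot: the deleted sentence "First, we assume you installed Privoxy. Many applications can be set to use an http proxy" is the only place the page states the Privoxy assumption that every later 127.0.0.1:8118 setting (Konqueror, Lynx, Firefox, Irssi) depends on; keep it under the new "=== Unix and Linux Configuration ===" heading. The same hunk removes "## Copyright (C) 2004, 2005, 2006  Contributors" while retaining those contributors' text, and removes the intro paragraph that asks readers to add Windows configurations, so both the attribution and the editing guidance vanish with no reason given in the (empty) commit comment.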
     
    3927
    4028[[Anchor(DNSNote)]]
    41 == About DNS and tsocks ==
    42 [#DNSNote [link]]
     29=== About DNS and tsocks ===
    4330
    4431tsocks correctly replaces ''connect(2)'' calls with calls to your SOCKS proxy (Tor), but it doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.
     
    5037See [:TheOnionRouter/TorFAQ#SOCKSAndDNS: the FAQ] for more information.
    5138
    52 '''NOTE:''' There is now a patch to the tsocks code that handles dns leaks and .onion addresses, [http://www.totalinfosecurity.com/patches/tor.php tordns]
    53 
    54 [[Anchor(Socat)]]
    55 == About socat ==
    56 [#Socat [link]]
     39[[Anchor(socat)]]
     40=== About socat ===
    5741
    5842[http://www.dest-unreach.org/socat/ socat] is a multipurpose relay for bidirectional data transfer.  It is possible to use socat as a general means by which programs agnostic of SOCKS can use Tor by connecting to a local TCP port.
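Review bot: the deleted NOTE pointing at the tordns patch is the only mitigation offered for the DNS leak described in the unchanged paragraph above it ("it doesn't do anything about requests to your DNS server"); removing it leaves the warning without a fix, so keep the note next to the FAQ pointer that already follows. Separately, the anchor is renamed from Anchor(Socat) to Anchor(socat); wiki fragment links are case-sensitive, so any existing [#Socat ...] link now breaks.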
     
    8872accessed through socat. See [http://archives.seul.org/or/dev/Jul-2004/msg00000.html this post tor-dev] for details.
    8973
    90 [[Anchor(SocatOpenBSD)]]
    91 === Socat on OpenBSD ===
    92 [#SocatOpenBSD [link]]
    93 
    94 For enhanced security you can use socat like this:
    95 
    96 {{{
    97 ## Connect to oftc on 127.0.0.1:6777
    98 /bin/systrace -e -a -t /usr/local/opt/bin/socat TCP4-LISTEN:6777,bind=localhost,range=127.0.0.1/32,fork \
    99 SOCKS4A:127.0.0.1:irc.oftc.net:6667,socksport=9050 > socat_log.$$ 2>&1 &
    100 }}}
    101 
    102 Now in irssi, you would just type {{{ /connect 127.0.0.1 6677 }}} and it would connect you to irc.oftc.net:6667 through
    103 Tor.
    104 
    105 Add {{{ /bin/systrace -e -a -t }}} if you have a systrace policy for socat.  Here's an example policy for IRC.
    106 
    107 {{{
    108 Policy: /usr/local/opt/bin/socat, Emulation: native
    109         native-__sysctl: permit
    110         native-issetugid: permit
    111         native-mmap: permit
    112         native-munmap: permit
    113         native-mprotect: permit
    114         native-mquery: permit
    115         native-break: permit
    116         native-write: permit
    117         native-close: permit
    118         native-exit: permit
    119         native-fcntl: permit
    120         native-fsread: filename eq "/etc/malloc.conf" then permit
    121         native-fsread: filename eq "/home/$USER" then deny
    122         native-fsread: filename eq "/home/$USER/." then deny
    123         native-fsread: filename eq "/var/mail/$USER" then deny
    124         native-fsread: filename eq "/var/run/ld.so.hints" then permit
    125         native-fsread: filename eq "/usr/lib" then permit
    126         native-fsread: filename match "/usr/lib/libssl.so.*" then permit
    127         native-fsread: filename match "/usr/lib/libcrypto.so.*" then permit
    128         native-fsread: filename match "/usr/lib/libutil.so.*" then permit
    129         native-fsread: filename match "/usr/lib/libc.so.*" then permit
    130         native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
    131         native-fsread: filename eq "/usr/share/zoneinfo/US/Eastern" then permit
    132         native-fsread: filename eq "/usr/share/zoneinfo/GMT" then permit
    133         native-fsread: filename eq "/usr/share/zoneinfo/posixrules" then permit
    134         native-fsread: filename eq "/etc/resolv.conf" then permit
    135         native-fsread: filename eq "/etc/hosts" then permit
    136         native-fsread: filename eq "/etc/pwd.db" then permit
    137         native-fsread: filename eq "/etc/group" then permit
    138         native-fstat: permit
    139         native-getegid: permit
    140         native-geteuid: permit
    141         native-getgid: permit
    142         native-getpid: permit
    143         native-getppid: permit
    144         native-gettimeofday: permit
    145         native-getsockname: permit
    146         native-getuid: permit
    147         native-sigaction: permit
    148         native-sigprocmask: permit
    149         native-read: permit
    150         native-fsread: filename eq "/" then permit
    151         native-execve: filename eq "/usr/local/opt/bin/socat" and argv eq "/usr/local/bin/irssi" then permit
    152         native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
    153         native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
    154         native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
    155         native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
    156         native-connect: sockaddr eq "inet-[127.0.0.1]:9050" then permit
    157         native-connect: sockaddr eq "inet-[127.0.0.1]:53" then permit
    158         native-bind: sockaddr eq "inet-[127.0.0.1]:6677" then permit
    159         native-bind: sockaddr eq "inet-[127.0.0.1]:6777" then permit
    160         native-listen: permit
    161         native-accept: permit
    162         native-getpeername: permit
    163         native-fork: permit
    164         native-chroot: filename eq "/var/empty" then permit
    165         native-wait4: permit
    166         native-wait: permit
    167         native-sigreturn: permit
    168         native-pread: permit
    169         native-setgroups: permit
    170         native-select: permit
    171         native-shutdown: permit
    172 
    173 }}}
    174 
    175 '''Note'''' that the above {{{native-shutdown}}} refers to the function call shutdown(2) to shut down
    176 part of a full-duplex connection and not the command shutdown.
    177 
    178 If you didn't use the configure line above, you will have to add more {{{native-fsread}}} statements
    179 for the extra libraries.
    180 
    181 This also assumes that you have dsocks' {{{tor-dns-proxy.py}}} setup to handle DNS requests on
    182 127.0.0.1:53.
    183 
    184 [[Anchor(WebBrowsers)]]
    185 = Web browsers =
    186 [#WebBrowsers [link]]
    187 
    188 Web browsing and Privoxy is also covered in the [http://tor.eff.org/documentation tor setup docs], specifically
    189  * http://tor.eff.org/docs/tor-doc-osx
    190  * http://tor.eff.org/docs/tor-doc-unix
    191  * http://tor.eff.org/docs/tor-doc-win32
    192 
    193 [[Anchor(Konqueror)]]
    194 == Konqueror ==
    195 [#Konqueror [link]]
     74== Web browsers ==
     75=== Konqueror ===
    19676
    19777Settings -> Configure Konqueror -> Proxy -> Manually Specify the proxy settings -> Setup
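Review bot: the whole "Socat on OpenBSD" systrace section and the tor-doc-osx/unix/win32 pointers are deleted here; if the motive was the section's defects, they are local and fixable rather than grounds for removal: the listener is started on port 6777 but the text tells irssi to "/connect 127.0.0.1 6677" (the policy permits bind on both 6677 and 6777, which hides the mismatch), "Add /bin/systrace -e -a -t if you have a systrace policy" repeats a prefix the command line already carries, and the execve rule permitting argv eq "/usr/local/bin/irssi" for the socat binary does not match the command as shown, where socat never execs irssi. The section's real value, a syscall allow-list that confines a Tor-facing relay to connect only to 127.0.0.1:9050 and 127.0.0.1:53 and to chroot into /var/empty, has no replacement anywhere else on the page.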
     
    21393}}}
    21494
    215 [[Anchor(Links)]]
    216 == Links ==
    217 [#Links [link]]
     95=== Links ===
    21896
    21997Setup -> Network Options
     
    231109}}}
    232110
    233 [[Anchor(Lynx)]]
    234 == Lynx ==
    235 [#Lynx [link]]
     111=== Lynx ===
    236112
    237113Lynx will respect the {{{http_proxy}}} enviroment variable, but you can edit {{{/etc/lynx.cfg}}}:
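Review bot: style: the unchanged Lynx line still reads "enviroment"; since this hunk already edits the heading directly above it, fix the spelling to "environment" here.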
     
    246122}}}
    247123
    248 
    249 [[Anchor(Opera)]]
    250 == Opera ==
    251 [#Opera [link]]
    252 
    253 Open Tools -> Preferences -> Advanced -> Network -> Proxy Servers. Check HTTP and enter "127.0.0.1" and "8118" as port or open about:config and enter "127.0.0.1:8118" in Proxy -> HTTP Server.
    254 
    255 [[Anchor(MozillaFirefox)]]
    256 == Mozilla Firefox ==
    257 [#MozillaFirefox [link]]
    258 
    259 In later versions of Firefox, at least in the current version 1.5.0.1 under Linux and Windows XP, you can enable the browser to do remote domain name lookups. The option network.proxy.socks_remote_dns is available via about:config and should look like
    260 
    261 {{{
    262 network.proxy.socks_remote_dns  user set        boolean         true
    263 }}}
    264 
    265 At [http://www.imperialviolet.org/deerpark.html http://www.imperialviolet.org/deerpark.html] you can find an excellent step-by-step introduction on how to configure Firefox in this manner.
    266 '''Be careful, though:  In some versions of Firefox, it is possible that even with this option set remote DNS resolution will not work.  In this case, you may want to use Privoxy or similar projects.'''  To find out whether your version implements remote DNS resolution correctly, you may try out a URL ending in `.onion`, like [http://6sxoyfb3h2nvok2d.onion/tor/ this one] leading to the [http://6sxoyfb3h2nvok2d.onion/tor/ the Hidden Tor Wiki].  If the Hidden Wiki shows up, remote DNS resolution works.
    267 
    268 Otherwise, to use Privoxy with Firefox 1.5x on Windows, do the following in Firefox:
    269 
    270 Tools -> Options -> General -> Connection Settings -> Manual proxy configuration
    271 
    272 Set HTTP Proxy 127.0.0.1 (or localhost), port 8118 and tick the box [X] Use for all protocols.  Or you may explicitly set the Proxy information for SSL, FTP, and Gopher to localhost/8118 and then set the SOCKS Host information to localhost/9050, making sure to specify SOCKS v5.
    273 
    274 '''Remember: Configuring Privoxy for FTP will break ftp:// URLs, but if you don't do this, your Firefox will leak your IP address for those sites. Use Filezilla for handling FTP traffic (Windows only) or read the [#FTP FTP] section below.'''
    275 
    276 
    277 http://wiki.noreply.org/images/firefox_proxy.png
     124=== Mozilla Firefox ===
     125
     126Edit -> Preferences -> General -> Connection Settings -> Manual proxy configuration
     127{{{
     128HTTP Proxy: 127.0.0.1 port 8118
     129SSL Proxy: 127.0.0.1 port 8118
     130SOCKS v5
     131}}}
     132
     133To change the proxy configuration for all Firefox users on your machine, edit the {{{/usr/lib/mozilla-firefox/greprefs/all.js}}} file:
     134
     135{{{
     136...
     137pref("network.proxy.type",                  1);
     138...
     139pref("network.proxy.http",         "127.0.0.1");
     140pref("network.proxy.http_port",          8118);
     141pref("network.proxy.ssl",          "127.0.0.1");
     142pref("network.proxy.ssl_port",           8118);
     143pref("network.proxy.socks",                 "");
     144pref("network.proxy.socks_port",            0);
     145pref("network.proxy.socks_version",         5);
     146pref("network.proxy.no_proxies_on",         "localhost, 127.0.0.1");
     147...
     148}}}
    278149
    279150Also, Mac OS X users should change the above preferences by entering about:config in the URL bar because the firefox preferences dialog is a bit screwy.
    280151
    281 
    282 [[Anchor(OpenHTTPProxies)]]
    283 == Circumventing Tor blocks using open HTTP proxies ==
    284 [#OpenHTTPProxies [link]]
    285 
    286 Some websites have blocked access from Tor users. Often, however, these websites still allow access from any of millions of open HTTP proxies on the internet. Unfortunately, using an open HTTP proxy directly is not very anonymous.
    287 
    288 The solution is to chain an open HTTP proxy between Tor and the unfriendly website. This provides all the anonymity benefits of Tor, while obscuring the fact that you're using Tor from the website.
    289 
    290 === Privoxy ===
    291 
    292 One method involves Privoxy. This example config will send all requests through Tor, only chaining an open HTTP proxy after Tor for a select site. Replace 0.0.0.0:80 with the proxy's address and port.
    293 
    294 {{{
    295 forward-socks4a / localhost:9050 .
    296 forward-socks4a *.wikipedia.org localhost:9050 0.0.0.0:80
    297 }}}
    298 
    299 === Socat ===
    300 
    301 Another method requires Socat. This will forward all connections to localhost:8080 to an open HTTP proxy through Tor. Just configure your browser to use localhost:8080 as an HTTP proxy. Once again, replace 0.0.0.0:80 with the proxy's address and port.
    302 
    303 {{{
    304 socat TCP4-LISTEN:8080,bind=localhost,fork SOCKS4A:localhost:0.0.0.0:80,socksport=9050
    305 }}}
    306 
    307 === 3proxy ===
    308 
    309 Download and install (may need compiling) the [http://www.security.nnov.ru/soft/3proxy/ 3proxy] proxy server. Create a configuration file (plain text) like this:
    310 
    311 {{{
    312 # put 3proxy in background mode. For Windows replace with "service"
    313 daemon
    314 # set archiver to compress log files. Remove or replace for Windows.
    315 archiver gz /bin/gzip %F
    316 # we'll have 2 log files
    317 rotate 2
    318 # format of log record
    319 logformat "- +_L%d.%m %H:%M:%S srv=%N:%p err=%E src=%C:%c dst=%R:%r out=%O in=%I %T"
    320 # path to log file (CHANGE IT BECAUSE IT'S NOT SECURE!), rotate it monthly
    321 log /tmp/3proxy.log M
    322 # set timeouts above defaults, because tor may be a bit slow
    323 timeouts 30 30 60 60 180 1800 60 120
    324 # this is required to use ACLs and redirections
    325 auth iponly
    326 # preventing DNS requests leak
    327 fakeresolve
    328 # redirect all traffic
    329 allow *
    330 # first redirection hop is tor
    331 parent 1000 socks4+ 127.0.0.1 9050
    332 # and the second hop is an open HTTP proxy. Replace "0.0.0.0 80" with the proxy's address and port.
    333 parent 1000 http 0.0.0.0 80
    334 # now, start anonymous HTTP proxy on localhost:8080, configure this in
    335 # your browser as single proxy for all protocols
    336 proxy -a -i127.0.0.1 -p8080
    337 }}}
    338 (you should edit at least the log path) and start 3proxy, giving the configuration file name on the command line. For Linux, this may look something like {{{./3proxy ./3proxyrc}}}.
    339 
    340 
    341 [[Anchor(Email)]]
    342 = Email =
    343 [#Email [link]]
    344 
    345 [[Anchor(Fetchmail)]]
    346 == Fetchmail ==
    347 [#Fetchmail [link]]
     152== Email ==
     153=== Fetchmail ===
    348154
    349155This isn't the most elegant solution, but it works. Rename your {{{/etc/init.d/fetchmail}}} file to {{{{fetchmail-orig}}}, for example, then save the script below as {{{/etc/init.d/fetchmail}}}, and restart fetchmail with {{{/etc/init.d/fetchmail restart}}}. Your mail will now be fetched through the Tor network.
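Review bot: the replacement Firefox settings leave SOCKS unset (pref("network.proxy.socks", ""); and pref("network.proxy.socks_port", 0);) while only HTTP and SSL point at 127.0.0.1:8118, so FTP and every other protocol go out directly; that is exactly the leak the deleted paragraph "Configuring Privoxy for FTP will break ftp:// URLs, but if you don't do this, your Firefox will leak your IP address" warned about, and the deleted "tick the box [X] Use for all protocols" instruction was the fix. Either restore that instruction or set the socks prefs to 127.0.0.1 and 9050, and keep the deleted "network.proxy.socks_remote_dns ... true" note with its .onion self-test, since it is the only DNS-leak control offered to SOCKS users on this page. The hunk also drops the Opera entry and the entire "Circumventing Tor blocks using open HTTP proxies" section (Privoxy forward-socks4a chain, socat, 3proxy) with no replacement, which is a content regression rather than a cleanup.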
     
    430236of a hostname; see the note on tsocks and DNS above.
    431237
    432 If you are lazy you can also just call {{{torify fetchmail}}} or {{{torify fetchmail -d 900}}}.
    433 
    434 [[Anchor(Thunderbird)]]
    435 == Mozilla Thunderbird ==
    436 [#Thunderbird [link]]
    437 
    438 Install the [https://addons.mozilla.org/thunderbird/2275/ Torbutton] extension and enable Tor in Thunderbird by clicking on the onion in the toolbar (if it has a red cross).
    439 
    440 Just remember to '''exclude all your SMTP servers''' in th Connection settings (Edit-Preferences-General or Tools-Options-General) dialog box, otherwise you probably won't be able to send any mail.
    441 
    442 If you're using the same server name for receiving and sending mail but still want to recieve mail through Tor, change your SMTP server's name to it's IP and exclude the IP from being proxied. This way, mail will be received from your mail server by it's name (and through Tor), but sent by the same server without Tor.
    443 
    444 [[Anchor(POP3_3proxy)]]
    445 == 3proxy as a POP3 proxy ==
    446 [#POP3_3proxy [link]]
    447 
    448 Download and install (may need compiling) the [http://www.security.nnov.ru/soft/3proxy/ 3proxy] proxy server.
    449 
    450 Let's say you have a POP3 account with settings below:
    451  E-mail: testaccount@gmail.com
    452 
    453  POP3 server: pop.gmail.com
    454 
    455  Account name: testaccount@gmail.com
    456 
    457  Pasword: ******
    458 
    459 First,  you  need  to  configure  and  start 3proxy as a pop3 proxy with
    460 redirection to tor. Create a configuration file (plain text) like this:
    461 
    462 {{{
    463 # put 3proxy in background mode. For Windows replace with "service"
    464 daemon
    465 # set archiver to compress log files. Remove or replace for Windows.
    466 archiver gz /bin/gzip %F
    467 # we'll have 2 log files
    468 rotate 2
    469 # format of log record
    470 logformat "- +_L%d.%m %H:%M:%S srv=%N:%p err=%E src=%C:%c dst=%R:%r out=%O in=%I %T"
    471 # path to log file (CHANGE IT BECAUSE IT'S NOT SECURE!), rotate it monthly
    472 log /tmp/3proxy.log M
    473 # set timeouts above defaults, because tor may be a bit slow
    474 timeouts 30 30 60 60 180 1800 60 120
    475 # this is required to use ACLs and redirections
    476 auth iponly
    477 # preventing DNS requests leak
    478 fakeresolve
    479 # redirect all traffic
    480 allow *
    481 # redirect traffic to Tor
    482 parent 1000 socks4+ 127.0.0.1 9050
    483 # now, start pop3 proxy on port 127.0.0.1:110
    484 # you can run it on alternative port, if port 110 is in use or not accessible
    485 pop3p -i127.0.0.1 -p110
    486 }}}
    487 
    488 (you should edit at least the log path) and start 3proxy, giving the configuration file name on the command line. For Linux, this may look something like {{{./3proxy ./3proxyrc}}}.
    489 
    490 Now,  you  must  configure  your  e-mail  agent  (any with POP3 support:
    491 Eudora,  Outlook  Express,  Outlook,  Apple Mail). Specify 3proxy server
    492 (localhost  in  example)  as  a POP3 server and add address of real POP3
    493 server  to  account  login  name  after  '@'  characcter. That is, e-mail agent
    494 settings are now:
    495 
    496  E-mail: testaccount@gmail.com
    497 
    498  POP3 server: 127.0.0.1
    499 
    500  Account name: testaccount@gmail.com@pop.gmail.com
    501 
    502  Pasword: ******
    503 
    504 If the POP3 proxy on a different port than 110, you should also change
    505 POP3 port settings in your mail agent.
    506 
    507 [[Anchor(SMTP3proxy)]]
    508 == SMTP with "Submission" protocol and 3proxy portmapping ==
    509 [#SMTP3proxy [link]]
    510 
    511 As   a  measure  against  spammers,  Tor  doesn't  allow  outgoing  SMTP
    512 connection to TCP/25 port, but some mail servers still may be reached by
    513 alternative   ports. The most commonly used one is TCP/587 (submission).
    514 "Submission"  is  actually  SMTP  protocol with moderate authentication.
    515 smtp.gmail.com,  smtp.aol.com,  smtp.yandex.ru and many others are known
    516 to  support  submission protocol. You can use e.g. portmapping (see
    517 [#TCP General TCP] below)
    518 to  map  some  port  on  local  host  to port 587 of your preferred mail
    519 server.
    520 
    521 Gmail example: for any 3proxy configuration above, like [#POP3_3proxy POP3],
    522 add a line
    523 
    524 {{{tcppm -i127.0.0.1 2525 smtp.gmail.com 587}}}
    525 
    526 This maps local 2525 port to Submission port of smtp.gmail.com.
    527 
    528 Now  set  up  SMTP host 127.0.0.1 and SMTP port 2525 for your mail agent
    529 and  configure  SMTP  authentication.  Currently  there is no SMTP proxy
    530 server  support.  If  you  need a  second  submission  server, add a second
    531 portmapping with different local port (e.g. 2526) to configuration.
    532 
    533 Note:  some  mail agents, including Microsoft Outlook and Outlook Express
    534 are  known  to  leak  sensitive information, including local IP address,
    535 through mail headers.
    536 
    537 [[Anchor(IM)]]
    538 = Instant messaging =
    539 [#IM [link]]
    540 
    541 [[Anchor(qip)]]
    542 == qip ==
    543 http://img209.imageshack.us/img209/6103/qipyq5.png
    544 
    545 [[Anchor(ICQ)]]
    546 == ICQ ==
    547 
    548 First Step:
    549 
    550 http://img60.imageshack.us/img60/4654/icq1ps8.png
    551 
    552 Second Step:
    553 
    554 http://img209.imageshack.us/img209/6752/icq2ec7.png
    555 
    556 [[Anchor(Pidgin)]]
    557 == Pidgin (formerly Gaim) ==
    558 [#Pidgin [link]]
     238== Instant messaging ==
     239=== Gaim ===
    559240
    560241Preferences -> Network -> Proxy
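Review bot: two operational caveats are deleted here with nothing replacing them: "Tor doesn't allow outgoing SMTP connection to TCP/25 port" (the reason the removed tcppm mapping to port 587 exists) and "Microsoft Outlook and Outlook Express are known to leak sensitive information, including local IP address, through mail headers"; the Email section should keep at least those two sentences even if the 3proxy POP3 and submission recipes go. The heading change from "Pidgin (formerly Gaim)" back to "Gaim" reverts to the client's old name, and the Thunderbird advice to "exclude all your SMTP servers" from the proxy (otherwise sending fails) is lost along with its section.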
     
    567248See the note on tsocks and DNS above.
    568249
    569 [[Anchor(Konversation)]]
    570 == Konversation ==
    571 [#Konversation [link]]
    572 
    573 See the note on [#KDE KDE Applications] below.
    574 
    575 
    576 [[Anchor(Kopete)]]
    577 == Kopete ==
    578 [#Kopete [link]]
    579 
    580 See the note on [#KDE KDE Applications] below.
    581 
    582 
    583 [[Anchor(Psi)]]
    584 == Psi ==
    585 [#Psi [link]]
     250=== Psi ===
    586251
    587252[http://psi.affinix.com/ Psi] is a Jabber client with support for
     
    602267See the note on tsocks and DNS above.
    603268
    604 [[Anchor(Miranda)]]
    605 == Miranda ==
    606 [#Miranda [link]]
    607 "M" Menu -> Options -> Network
    608 
    609 {{{
    610 Proxy Type: SOCKS5
    611 Proxy Server: localhost or 127.0.0.1
    612 Port: 9050
    613 }}}
    614 
    615 [[Anchor(Bitlbee)]]
    616 == Bitlbee ==
    617 [#Bitlbee [link]]
    618 
    619 Simply add the following to {{{/etc/bitlbee/bitlbee.conf}}} and connect with your favorite IRC client:
    620 {{{
    621 Proxy = socks5://localhost:9050
    622 }}}
    623 
    624 
    625 [[Anchor(GG)]]
    626 == Gadu-Gadu ==
    627 [#GG [link]]
    628 
    629 To use Gadu-Gadu (the Polish closed and insecure instant messaging network) with Tor, point your client program to Privoxy (127.0.0.1 and port 8118). In [http://www.kadu.net Kadu], this is in: Menu - Konfiguracja - Siec. In [http://ekg.chmurka.net EKG], go to the main window, type {{{set proxy 127.0.0.1:8118}}}, then type {{{save}}} and reconnect.
    630 
    631 [[Anchor(IRC)]]
    632 = IRC/SILC =
    633 [#IRC [link]]
    634 
    635 [[Anchor(weechat)]]
    636 == weechat ==
    637 [#weechat [link]]
    638 
    639 weechat is (afaik) the only console irc client with working socks5 support. Making it play nice with Tor is as easy as changing the following lines in the [proxy] section of ~/weechat/weechat.rc :
    640 
    641 {{{
    642 [proxy]
    643 proxy_use = on
    644 proxy_type = socks5
    645 proxy_ipv6 = off
    646 proxy_address = "127.0.0.1"
    647 proxy_port = 9050
    648 }}}
    649 
    650 This works fine with in-Tor IRC servers as well (notably ORC at irc://3d2et7ek4jjhnv3k.onion)
    651 
    652 [[Anchor(Irssi)]]
    653 == Irssi ==
    654 [#Irssi [link]]
    655 
     269== IRC/SILC ==
     270=== Irssi ===
    656271If you are running Privoxy, as recommended, you can just configure irssi's own proxy settings to use Privoxy as an HTTP proxy.
    657272Otherwise, you can run Irssi with {{{tsocks irssi}}}.  Unfortunately, as mentioned above, Irssi's own proxy configuration options are HTTP specific.
    658273
    659 Alternative: {{{torify irssi}}}.  Note that torify is just a shell script that calls
    660 tsocks after setting the config file to /etc/tor/tor-tsocks.conf.
     274For Gentoo and Debian users: {{{torify irssi}}}.  Note that torify is just a shell script that calls
     275tsocks after setting the config file to /etc/tor/tor-tsocks.conf so it is not Gentoo/Debian specific.
    661276
    662277For OpenBSD users, you can either hack tsocks to work (as of 3.6 there is no port) or you can use dante.
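Review bot: the new lines contradict themselves: "For Gentoo and Debian users: {{{torify irssi}}}" is immediately followed by "so it is not Gentoo/Debian specific". The deleted wording "Alternative: {{{torify irssi}}}" was correct, since the same sentence explains that torify is just a shell script calling tsocks with /etc/tor/tor-tsocks.conf; keep "Alternative:". The hunk also removes weechat (whose entry notes native socks5 support, so no tsocks-style DNS leak), Miranda, Bitlbee and Gadu-Gadu; Bitlbee's one-line "Proxy = socks5://localhost:9050" in particular costs nothing to keep.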
     
    674289of a hostname; see the [:#DNSNote: note on tsocks and DNS] above.
    675290
    676 Add the following to your .irssi/config if you want to use Privoxy as your proxy:
    677 
    678 {{{
    679 settings = {
    680   core = {
    681     real_name = "TorUser";
    682     user_name = "TorUser";
    683     nick = "TorUser";
    684     proxy_password = "";
    685     use_proxy = "yes";
    686     proxy_string = "CONNECT %s:%d HTTP/1.0\n\n";
    687     proxy_port = "8118";
    688     proxy_address = "127.0.0.1";
    689   };
    690 };
    691 }}}
    692 
    693 Don't forget to modify the limit-connect settings in the Privoxy .action files first. This is typically found in default.action, and is a filter that limits what ports Privoxy will connect to. Since Privoxy only listens on the local interface, it is safe to replace this line with '+limit-connect{1-}' which allows Privoxy to connect to all ports.
    694 
    695 To minimize information leakage about your client and timezone add
    696  
    697 {{{
    698 ignores = ( { level = "CTCPS"; } );
    699 }}}
    700 
    701 or run
    702 
    703 {{{
    704 /ignore * CTCPS
    705 }}}
    706 
    707 and then
    708 
    709 {{{
    710 /save
    711 }}}
    712 
    713 [[Anchor(XChat)]]
    714 == X-Chat ==
    715 [#XChat [link]]
    716 
    717 [http://www.xchat.org/ X-Chat] supports SOCKS 5 and does not leak DNS requests.
    718 
     291=== X-Chat ===
    719292Settings-> Preferences -> Network -> Network setup -> Proxy server
    720293{{{
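Review bot: deleting the .irssi/config block (use_proxy = "yes"; proxy_string = "CONNECT %s:%d HTTP/1.0\n\n"; proxy_port = "8118";) orphans the unchanged sentence above it, "you can just configure irssi's own proxy settings to use Privoxy as an HTTP proxy", which now has no example to point at. The CTCP ignore ("/ignore * CTCPS") deleted with it is a genuine leak control, as its own lead-in says ("minimize information leakage about your client and timezone"), and should stay. If the limit-connect advice is restored, keep its qualifier: "+limit-connect{1-}" is only safe because Privoxy listens on the local interface, as the removed text itself states.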
     
    724297}}}
    725298
    726 [http://xrl.us/h7rs Unofficial builds] of X-Chat for Windows are free.
    727 
    728299See the note on tsocks and DNS above.
    729300
    730 [[Anchor(XChatAqua)]]
    731 == X-Chat Aqua 0.16.0 ==
    732 [#XChatAqua [link]]
    733 
    734 [http://sourceforge.net/projects/xchataqua/ X-Chat Aqua is X-Chat with an Aqua interface for MacOS X. X-Chat Aqua uses the irc engine from X-Chat, and is designed to look and feel like the GTK+ front end.
    735 
    736 This is a free IRC client for Macintosh OSX that works with TOR.
    737 
    738 X-Chat Aqua-> Preferences -> Network -> Network setup
    739 {{{
    740 Address to bind to:
    741 Proxy server: localhost
    742 Port: 9050
    743 Proxy type: Socks5
    744 }}}
    745 
    746 [[Anchor(SILC)]]
    747 == SILC ==
    748 [#SILC [link]]
    749 
     301=== SILC ===
    750302Since the [http://www.silcnet.org SILC] client is based on Irssi, you can follow the same procedure to make it use Tor. Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet. More information about SILC is available at [http://www.silcnet.org its website].
    751303
    752 [[Anchor(Silky)]]
    753 === Silky ===
    754 [#Silky [link]]
    755 
     304==== Silky ====
    756305[http://silky.sf.net/ Silky] is a GTK2 SILC client. It does not currently support SOCKS, so the best way to make it work with Tor is using socat (IMO).:
    757306
     
    760309And then tell Silky to connect to localhost:6666.
    761310
    762 [[Anchor(BitchX)]]
    763 == BitchX ==
    764 [#BitchX [link]]
    765 
     311=== BitchX ===
    766312In order to use [http://www.bitchx.org BitchX] with tor, you first need to get [http://proxychains.sourceforge.net ProxyChains], a *NIX-only HTTP and SOCKS proxy client.  On Debian systems, install the {{{proxychains}}} package.  Once installed, just add
    767313
     
    779325of a hostname; see the note on tsocks and DNS above.
    780326
    781 [[Anchor(mIrc)]]
    782 == mIRC ==
    783 [#mIrc [link]]
    784 
    785 Mirc.co.uk: [http://www.mirc.co.uk/help/proxies.html Proxies and Firewalls]
    786 
    787 File -> Options -> Connect -> Firewall
    788 
    789 Older versions:
    790 Mark the "Use SOCKS Firewall" box.
    791 Newer versions (mIRC 6.0 and up):
    792 Select "Both" from the "Firewall support" pulldown.
    793 
    794 {{{
    795 Protocol: SOCKS5
    796 Hostname: 127.0.0.1
    797 Port: 9050
    798 }}}
    799 
    800 http://wiki.noreply.org/images/mirc_firewall.png
    801 
    802 Don't use SOCKS4. Use SOCKS5.
    803 
    804 There is a way to automate this with two commands...
    805 
    806 {{{
    807 /firewall -cm5+d on localhost 9050
    808 }}}
    809 
    810 to activate it and...
    811 
    812 {{{
    813 /firewall -d off
    814 }}}
    815 
    816 to deactivate the proxy. You can add this commands to your personal commands menu by following these instructions:
    817 
    818  Press Alt+P to open the popup editor and type this bellow "Commands"
    819  
    820 {{{
    821 Anonymize:/firewall -cm5+d on localhost 9050
    822 de-Anonymize:/firewall -d off
    823 }}}
    824 
    825 [[Anchor(Trillian)]]
    826 == Trillian ==
    827 [#Trillian [link]]
    828 
    829 Preferences -> Advanced Preferences -> Proxy Server
    830 {{{
    831 Use proxy server to resolve names.
    832 Use proxy server.
    833 Protocol: SOCKS5
    834 Host: localhost or 127.0.0.1
    835 Port: 9050
    836 }}}
    837 
    838 
    839 
    840 [[Anchor(KVIrc)]]
    841 == KVIrc ==
    842 [#KVIrc [link]]
    843 
    844 [http://www.kvirc.net KVIrc]
    845 
    846 Settings -> Configure KVIrc -> Connection -> Proxy Hosts
    847 
    848 {{{
    849 Use proxy.
    850 New proxy.
    851 Proxy: tor
    852 Port: 9050
    853 IP Address: 127.0.0.1
    854 Protocol: SOCKSv5
    855 }}}
    856 
    857 http://img143.imageshack.us/img143/6898/kvirc5er.png
    858 
    859 Since kVIrc does not support remote dns yet, you have to add a mapping to your tor config, if you want to connect to a hidden service. Do this  like:
    860 {{{
    861 echo 'mapaddress  10.40.40.40  mejokbp2brhw4omd.onion' >> /etc/tor/torrc
    862 pkill -HUP tor
    863 }}}
    864 and then connect to 10.40.40.40 through your Tor proxy.
    865 
    866 http://img137.imageshack.us/img137/9471/kvirctorhiddenservicetm9.png
    867 
    868 
    869 [[Anchor(BitTorrent)]]
    870 = BitTorrent =
    871 [#BitTorrent [link]]
    872 
    873 For bittorrent it is probably not so helpful to torrify data. Compared to the amount of damage you will do to your throughput and the amount of damage you will do to the Tor network, torryfing data is overkill for the protection you gain. Aside from search index logs and tracker http logs, the attacks needed to determine who is downloading a torrent are somewhat similar to attacks on Tor: the adversary has to be running torrent clients and watching to see who connects to them. This is hard to do on a large scale. You are probably much more at risk for showing up in the webserver logs for popular trackers and index sites.
    874 
    875 For this reason, you may want to use tor to communicate with the tracker. For this, just add {{{--tracker-proxy 127.0.0.1:8118}}}:
    876 {{{
    877 btlaunchmanycurses --tracker_proxy 127.0.0.1:8118 <directory>
    878 }}}
    879 
    880 [[Anchor(uTorrent)]]
    881 == µTorrent ==
    882 
    883 Again, torifying the bittorrent traffic of µTorrent would just add more overhead and reduce your transfer throughput a lot. It also severely taxes the Tor network and is considered poor etiquette.
    884 The following image shows how to configure µTorrent to torify tracker traffic. Note the unchecked {{{Use proxy server for peer-to-peer connections}}}. Checking this will severely limit transfer speeds and needlesly tax the Tor network.
    885 
    886 http://img166.imageshack.us/img166/610/utorrenttorifyag8.jpg
    887 
    888 [[Anchor(Azureus)]]
    889 == Azureus ==
    890 [#Azureus [link]]
    891 
    892 Again, pretty much all you really need to do here is to proxy tracker communications. There is an option for this under the connections pane in Azureus. Fill in 127.0.0.1 9050 for the SOCKS proxy for tracker data.
    893 
    894 For more information on setting up torrents tracked via hidden service (which is not really taxing), and to be thoroughly confused by other possibilites, see: [http://azureus.sourceforge.net/doc/AnonBT/]. [http://www.azureuswiki.com/index.php/Super_Seeding Super Seeding] is another option if you are the first to seed a file and want to optimally distribute it anonymously. This is an acceptable exception to the request not to torrify data.
    895 
    896 ==rTorrent==
    897 rTorrent can use a proxy for communicating over HTTP. One merely has to edit ~/.rtorrent.rc and insert something like the following:
    898  http_proxy = http://127.0.0.1:8118/
    899 
    900 [[Anchor(FTP)]]
    901 = FTP =
    902 [#FTP [link]]
    903 
    904 FTP requires 2 different connections: one for commands and one for data.
    905 Data  connections  is  created  every  time directory listing or file is
    906 transmitted.   Almost   any  FTP  server  nowdays  checks  both  control
    907 connection  and  data  connection  to come from the same IP address. Tor
    908 changes  circuit  for  new TCP connection every 10 minutes. It means, if
    909 you  download  many files from the same FTP server (or browse content of
    910 FTP server) you will fail approximately once in 10 minutes and will need
    911 to  re-connect.  It  only affects new connections and does not interrupt
    912 file download.
    913 
    914 3proxy (see [#POP3_3proxy POP3]) may act as an FTP proxy with redirection to Tor. There are
    915 2  different  types  of  FTP  proxies. First type is a FTP over HTTP proxy - it converts
    916 listsings  and  file transfers between FTP and HTTP and it's mainly used
    917 by  browsers  (Internet  Explorer,  Moziila, Opera, wget, etc). It leaks
    918 support  for many FTP commands. Second type is a plain FTP proxy - it fully
    919 supports the FTP protocol and is used in FTP clients (gFTP, NcFTP, CuteFTP).
    920 3proxy  supports  both. For the real FTP proxy, 2 methods are supported: USER
    921 extension  and SITE/OPEN extension. In order real FTP proxy to work with
    922 Tor you need the latest devel version (0.6).
    923 
    924 In the configuration file from [#POP3_3proxy POP3] replace (or add, to use both services) the string
    925 
    926 {{{pop3p -i127.0.0.1 -p110}}}
    927 
    928 with
    929 
    930 {{{proxy -i127.0.0.1 -p110}}}
    931 
    932 for HTTP proxy with FTP over HTTP support, and/or
    933 
    934 {{{ftppr -i127.0.0.1 -p110}}}
    935 
    936 for FTP proxy.
    937 
    938 '''You may sometimes get 404 Errors (after a long time of waiting) when connecting to an FTP site. Don't worry, this is normal (I mean, this is neither 3proxy's fault nor a configuration problem). Just wait a few minutes and everything will be fine.'''
    939 
    940 [[Anchor(FxFTP)]]
    941 == Mozilla Firefox ==
    942 [#FxFTP [link]]
    943 
    944 Install and start 3proxy, as described above. Go to Edit-Preferences (that used to be Tools-Options on Windows) - General - Connection settings. Then type 'localhost' and port number ('110' using the above configuration) under the FTP Proxy entry. That should do it.
    945 
    946 [[Anchor(WgetFTP)]]
    947 == Wget (FTP) ==
    948 [#WgetFTP [link]]
    949 
    950 Install and start 3proxy, as described above. Set the {{{ftp_proxy}}} environment variable to {{{127.0.0.1:110}}}. You may also set this in the Wget configuration file.
    951 
    952 [[Anchor(OperaFTP)]]
    953 == Opera ==
    954 [#OperaFTP [link]]
    955 
    956 Install and start 3proxy, as described above. Go to Tools-Preferences-Advanced-Network-Proxy servers. Enable FTP and type 127.0.0.1 and port 110.
    957 
    958 [[Anchor(KonquerorFTP)]]
    959 == Konqueror ==
    960 [#KonquerorFTP [link]]
    961 
    962 Install and start 3proxy, as described above. Go to Settings - Configure Konqueror - Manually Specify the proxy settings - Setup. Enter 127.0.0.1 and port number 110 (or whatever number you chose) under the FTP Proxy.
    963 
    964 [[Anchor(SmartFTP)]]
    965 == SmartFTP ==
    966 [#SmartFTP [link]]
    967 
    968 Install and start proxy. Go to Extras - Settings - Connection/Proxy. Choose Type "SOCKS 4" and Host "127.0.0.1" Port "9050".
    969 
    970 [[Anchor(FileZilla)]]
    971 == File Zilla ==
    972 [#FileZilla [link]]
    973 
    974 Install and start proxy. Go to Extras - Settings - Connection/Proxy. Choose Type "SOCKS 4a" and Host "127.0.0.1" Port "9050".
    975 
    976 [[Anchor(Misc)]]
    977 = Misc =
    978 [#Misc [link]]
    979 
    980 [[Anchor(APT)]]
    981 == APT ==
    982 [#APT [link]]
    983 
    984 '''Warning''': This will only work for HTTP because Privoxy does not support FTP. Look [#FTP above] for FTP.
    985 
    986 Add the following line to {{{/etc/apt/apt.conf}}}:
    987 {{{
    988 Acquire::http::Proxy "http://127.0.0.1:8118/";
    989 }}}
    990 
    991 [[Anchor(GnuPGprivoxy)]]
    992 == GnuPG: Method 1 (Privoxy) ==
    993 [#GnuPGprivoxy [link]]
    994 
     327== BitTorrent ==
     328Same procedure as with BitchX, but using {{{proxychains btdownloadcurses}}}.
     329
     330=== Azureus ===
     331
     332See [http://azureus.sourceforge.net/doc/AnonBT/].
     333
     334
     335== Misc ==
     336
     337=== GnuPG ===
    995338Add or edit the following lines in your {{{$HOME/.gnupg/gpg.conf}}}:
    996339{{{
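Review bot: the new BitTorrent text at new line 328 ({{{proxychains btdownloadcurses}}}) reverses the guidance it replaces. Removed old lines 873 to 894 explained that only tracker traffic should go through Tor ({{{btlaunchmanycurses --tracker_proxy 127.0.0.1:8118}}}, the unchecked "Use proxy server for peer-to-peer connections" in µTorrent, the SOCKS-for-tracker setting in Azureus) because routing peer data through Tor cripples throughput and burdens the network; wrapping the whole client in proxychains does exactly what that text warned against. Keep the tracker-only advice and the warning. The same hunk also drops every remote-name-resolution note (mIRC "Don't use SOCKS4. Use SOCKS5.", Trillian "Use proxy server to resolve names", the KVIrc {{{mapaddress}}} workaround for .onion hosts) and the whole 3proxy FTP section, which is the only place on the page that explains how FTP, and therefore APT/YUM over FTP, can be proxied. Those removals are unrelated to the BitTorrent change and should be reverted separately.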
     
    1008351If you don't want to write the export line every time, you can add {{{ alias gpg='http_proxy=http://127.0.0.1:8118/ gpg' }}} to your .bashrc file as well; if you have set the {{{http_proxy}}} environment variable, you may skip this step.
    1009352
    1010 [[Anchor(GnuPGtorify)]]
    1011 == GnuPG: Method 2 (torify) ==
    1012 [#GnuPGtorify [link]]
    1013 
    1014 At least a couple of people have had problems with using GPG over Privoxy. It is possible to use GPG with torify instead. If you have {{{http_proxy}}} set, GPG will try to use it. Add {{{no-honor-http-proxy}}} to your {{{keyserver-options}}} to prevent that.
    1015 
    1016 Remember that torify doesn't handle DNS! Use tor-resolve to get the IP of your keyserver and use that. Either add it to {{{$HOME/.gnupg/gpg.conf}}} as the {{{keyserver}}} option or put it on the command line.
    1017 
    1018 Now run
    1019 {{{
    1020 torify gpg --refresh-keys
    1021 }}}
    1022 
    1023 or
    1024 
    1025 {{{
    1026 torify gpg --keyserver [result of tor-resolve] --refresh-keys
    1027 }}}
    1028 
    1029 [[Anchor(Wget)]]
    1030 == Wget (HTTP) ==
    1031 [#Wget [link]]
     353=== Wget ===
    1032354
    1033355Wget will also respect the http_proxy enviroment variable, but you can edit {{{/etc/wgetrc}}}:
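Review bot: the GnuPG torify method removed at old lines 1010 to 1027 was the page's only fallback for users for whom the Privoxy route fails, and it carried two checks nothing else on the page keeps: {{{no-honor-http-proxy}}} in {{{keyserver-options}}} so gpg does not silently use a stale {{{http_proxy}}}, and the reminder that torify does not handle DNS, so the keyserver must be given as an IP obtained from {{{tor-resolve}}}. If the method is dropped, keep that DNS caveat next to the {{{http_proxy}}} alias on new line 351; otherwise a reader who later reaches for torify has no warning that the keyserver lookup bypasses Tor.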
     
    1040362}}}
    1041363
    1042 [[Anchor(SSHtorify)]]
    1043 == SSH: Method 1 (torify) ==
    1044 [#SSHtorify [link]]
    1045 
    1046 Simply run {{{torify ssh <parameters>}}} if the host is not on a local network and you're done.
    1047 
    1048 [[Anchor(SSHconnect)]]
    1049 == SSH: Method 2 (connect) ==
    1050 [#SSHconnect [link]]
     364[[Anchor(sshconnect)]]
     365=== SSH: Method 1 (connect) ===
    1051366
    1052367These instructions should work on most *nix systems. Tested on Mac OS X 10.3.x and Debian GNU/Linux.
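Review bot: the anchor changes from {{{SSHconnect}}} to {{{sshconnect}}} (new line 364) and the method is renumbered, so any existing {{{[#SSHconnect ...]}}} link, and the {{{[#SSHtorify ...]}}} link for the method removed at old lines 1042 to 1047, now dangles; keep the old anchor names or add both. The removed one-liner {{{torify ssh <parameters>}}} was also the only SSH method that needs no extra tooling; if it is dropped intentionally, say so rather than leaving it out silently.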
     
    10543691 - Upgrade your SSH to an OpenSSH version that has Socks 5 support. The OpenSSH client that is shipped with Mac OS X 10.3 (aka ''Panther'') - OpenSSH_3.6.1p1 - will not work correctly. Download, build and install the current stable version from the [http://www.openssh.org OpenSSH website]. If you're using Mac OS X, using [http://fink.sourceforge.net fink] may be easier for you.
    1055370
    1056 2  - Download and build the connect [http://www.taiyo.co.jp/~gotoh/ssh/connect.c source code]. Connect will allow socket connections using SOCKS4/5 and HTTP tunnels. For detailed information on connect, please visit its [http://www.taiyo.co.jp/~gotoh/ssh/connect.html website]. Note: the site appears to be down at the moment, we've mirrored the script at https://savannah.gnu.org/maintenance/connect.c
    1057 
    1058 A pre-compiled version of {{{connect}}} for Mac OS X is available at [http://members.lycos.co.uk/hardapple/tools/connect.tar]. (md5sum: b5180cb789813fc958209c58b99039fa)
     3712  - Download and build the connect [http://www.taiyo.co.jp/~gotoh/ssh/connect.c source code]. Connect will allow socket connections using SOCKS4/5 and HTTP tunnels. For detailed information on connect, please visit its [http://www.taiyo.co.jp/~gotoh/ssh/connect.html website].
     372
     373A pre-compiled version of {{{connect}}} for Mac OS X is available [http://members.lycos.co.uk/hardapple/tools/connect.tar here]. (md5sum: b5180cb789813fc958209c58b99039fa)
    1059374
    1060375Install connect into the {{{/usr/local/bin}}} directory.
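Review bot: old line 1056 recorded that the taiyo.co.jp host was down and pointed at the mirror at https://savannah.gnu.org/maintenance/connect.c; the replacement at new line 371 keeps only the dead link and drops the mirror, so the reader has nowhere to fetch connect.c. Separately, the md5sum on new line 373 for a pre-compiled binary on a free hosting site only detects corruption, not substitution, and connect ends up in every SSH ProxyCommand; recommend building from source or installing a distribution package rather than the tarball.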
     
    1064379
    1065380{{{
    1066 Host 10.*.*.*
    1067 ProxyCommand none
    1068 Host 172.16.*.*
    1069 ProxyCommand none
    1070 Host 172.17.*.*
    1071 ProxyCommand none
    1072 Host 172.18.*.*
    1073 ProxyCommand none
    1074 Host 172.19.*.*
    1075 ProxyCommand none
    1076 Host 172.20.*.*
    1077 ProxyCommand none
    1078 Host 172.21.*.*
    1079 ProxyCommand none
    1080 Host 172.22.*.*
    1081 ProxyCommand none
    1082 Host 172.23.*.*
    1083 ProxyCommand none
    1084 Host 172.24.*.*
    1085 ProxyCommand none
    1086 Host 172.25.*.*
    1087 ProxyCommand none
    1088 Host 172.26.*.*
    1089 ProxyCommand none
    1090 Host 172.27.*.*
    1091 ProxyCommand none
    1092 Host 172.28.*.*
    1093 ProxyCommand none
    1094 Host 172.29.*.*
    1095 ProxyCommand none
    1096 Host 172.30.*.*
    1097 ProxyCommand none
    1098 Host 172.31.*.*
    1099 ProxyCommand none
    1100 Host 192.168.*.*
    1101 ProxyCommand none
    1102 Host *
    1103381ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:9050 %h %p
    1104382}}}
    1105383
    1106 All SSH connections, except to the private address ranges defined by the IANA in RFC-1918, will now go through tor.
     384All SSH connections will now go through tor.
    1107385
    1108386You may want to look up your SSH server's IP with {{{tor-resolve}}} and use the IP in place
    1109387of a hostname; see the note on tsocks and DNS above.
    1110388
    1111 [[Anchor(SSHsocat)]]
    1112 == SSH: Method 3 (socat) ==
    1113 [#SSHsocat [link]]
     389[[Anchor(sshsocat)]]
     390=== SSH: Method 2 (socat) ===
    1114391
    1115392Use [http://www.dest-unreach.org/socat/ socat] as described above.  One way to access an SSH server via Tor is to socat to make a tcp4 listener and relay to your local Tor client, then ssh to it. It's not the nicest way. Using OpenSSH, then you can use the {{{ProxyCommand}}} option in your {{{~/.ssh/config}}} file, as follows:
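Review bot: deleting the {{{Host 10.*.*.*}}} ... {{{ProxyCommand none}}} exclusions (old lines 1066 to 1102) means SSH to RFC 1918 hosts is now handed to Tor's SOCKS port, which will not carry connections to private addresses, so every LAN login fails; new line 384 ("All SSH connections will now go through tor") should keep the exception the removed line 1106 described. Also note that {{{-4}}} in the ProxyCommand on line 381 selects SOCKS4, which needs an IP the client has already resolved locally, which is why lines 386 to 387 tell the reader to run {{{tor-resolve}}} first; {{{-5}}} (SOCKS5, which line 371 says connect supports) lets Tor resolve the hostname and removes that local DNS lookup.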
     
    1134411If you want ''every'' SSH communication to go through Tor, you can even say :
    1135412
     413{{{ Host *
     414  ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050}}}
     415
     416== Remailing ==
     417
     418This How-To is intended to increase the security and anonymity of Remailing for email and usenet to the *highest* possible level.
     419
     420In this How-To I detail the use of the remailer client QuickSilver; I use this example as QS is the client I use.  Antoher excellent, free and open-source client is Jack B. Nymble 2 (Panta's Mod); either client can use the routes I describe.
     421
     422This How-To details:
     423
     424A. How to route your SMTP & M2N messages (via. TLS) through QS > Stunnel > Tor > TLS SMTP/M2N
     425
     426B. How to download NG messages (via. TLS) through QS > Stunnel > Tor > NNTPS
     427
     428C. How to route your SMTP & M2N messages (via. Hidden Services) through QS > Tor > Hidden Services > SMTP/M2N
     429
     430D. How to download NG messages (via. Hidden Services) through QS > Tor > Hidden Services > NNTP
     431
     432{{{
     433This How-To is written in laymen's lanuage; but it's not "dumbed down". }}}
     434
     435
     436{{{
     437These instructions should work fine for any OS, but I have only tested them on Windows XPHome (don't worry, I'm not an average Windoze user ;-) . }}}
     438
     439=== TLS SMTP & Mail2News ===
     440
     441If you use remailers you should use TLS and Tor as these add a large amount of additional anonymity.  There are only a few remailers that accept TLS connections and offer non-standard SMTP ports; my favorite is mail.bananasplit.news, another good one is panta-rhei.dyndns.org.
     442
     443I assume you have a working knowledge of MixMaster, Reliable, Cyberpunks, PGP (6.5.8.ckt 08), Stunnel, QuickSilver (or JBN2 Panta mod) and Tor.
     444
     445All these programs and apps are free and open-source (except SocksCap).  Some programs (like SocksCap) are OS specific; you'll need to find a Socks forwarding program for your OS.
     446
     447==== QS Remailers Statics & Key Rings HTTP Web Proxy ====
     448
     449You want to ensure QS accesses the remailer Stats page (which is HHTP) via. Tor.  I have tried to configure a route of QS > Privoxy > Tor > HTTP Stats DL Page; unfortunitly QS only hangs when I attempt this.
     450
     451{{{ Start QS > Tools > Remailers > Proxy:
     452
     453Proxy Host: 127.0.0.1
     454Port: 9050
     455Socks Level: Socks4a }}}
     456
     457==== QS New Message Header Proxy Settings ====
     458
     459When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; disable it.
     460
    1136461{{{
    1137 Host *
    1138 ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
    1139 }}}
    1140 
    1141 [[Anchor(Putty)]]
    1142 == Putty ==
    1143 [#Putty [link]]
    1144 
    1145 Putty is a neat suite of programs for doing Telnet, SSH, SCP, etc.[[BR]]
    1146 [wiki:/Putty Configuration Details][[BR]]
    1147 
    1148 [[Anchor(vpnd)]]
    1149 == vpnd ==
    1150 [#vpnd [link]]
    1151 
    1152 It is possible to run a (slow) vpnd through tor.
    1153 How to setup this up is explained at [http://www.vanheusden.com/Linux/tt.html].
    1154 
    1155 [[Anchor(svn)]]
    1156 == SubVersion (SVN) ==
    1157 [#svn [link]]
    1158 
    1159 Simply add the following lines:
    1160 {{{
    1161 http-proxy-host = localhost
    1162 http-proxy-port = 8118
    1163 }}}
    1164 
    1165 ('''NO''' spaces in front) to the "global" section in your '''servers''' file in your SubVersion's config directory ($HOME/.subversion on Linux).
    1166 
    1167 This will only work for HTTP-based SVN connections, and you need a HTTP Proxy, like Privoxy. See [http://tor.eff.org Tor's docs] for Privoxy configuration details.
    1168 
    1169 [[Anchor(yum)]]
    1170 == YUM ==
    1171 [#yum [link]]
    1172 
    1173 Install and start 3proxy, as described [#FTP above]. Add the following line:
    1174 {{{
    1175 proxy=http://127.0.0.1:110
    1176 }}}
    1177 to the '''main''' section of your YUM configuration file (usually, this is /etc/yum.conf).
    1178 
    1179 [[Anchor(TCP)]]
    1180 == Any TCP-based protocol ==
    1181 [#TCP [link]]
    1182 
    1183 For  any  TCP-based  protocol (telnet, ssh, nntp etc.), you can use TCP
    1184 portmapping with 3proxy. For example, to map port 2200 of the local computer
    1185 to port 22 (ssh) of my.ssh.server replace last string or add new string
    1186 
    1187 {{{tcppm -i127.0.0.1 2200 my.ssh.server 22}}}
    1188 
    1189 to the 3proxy configuration from [#POP3_3proxy POP3]. Now you can do
    1190 
    1191 {{{ssh -p2200 127.0.0.1}}}
    1192 
    1193 to connect via SSH to my.ssh.server.
    1194 
    1195 [[Anchor(KDE)]]
    1196 == KsCD and KDE applications in general ==
    1197 [#KDE [link]]
    1198 
    1199 Either [#Konqueror configure Konqueror for HTTP] and [#KonquerorFTP FTP] or go to the KDE Control Center - Network - Proxy and set everything as described [#Konqueror here] and [#KonquerorFTP here]. Works for KsCD.
    1200 
    1201 KDE Applications such as Kopete, Konversation (basically everything that is not http) respect only the global Socks proxy settings. In order to use them with tor, you seed to first 'socksify' the environment, and redirect the socks proxy to tor. To socksify kde, we use [http://linux.about.com/cs/linux101/g/danteclient.htm dante-client]. Assuming you have  tor listening at 127.0.0.1:9050, configure dante-client (the config file is usually at /etc/dante.conf) to forward all the requests to 127.0.0.1:9050. The comments in the default config file will help you edit it correctly. Then go to the Proxy settings in the KDE Control Panel -> Networking and enable socks support, choosing 'Dante'. Most other KDE applications should start working.
    1202 
    1203 Warning : DNS requests will not go through tor, and can probably be insecure. Also, depending on your network configuration or on an incorrect setting in dante.conf, it might not be possible to access the DNS server. You can try connecting via the IP address of the host to solve both problems.
    1204 
    1205 
    1206 [[Anchor(Remailing)]]
    1207 = Remailing =
    1208 [#Remailing [link]]
    1209 
    1210 [:TheOnionRouter/RemailingAndTor:see Remailing: achieve strong remailing anonymity/security via. Tor and Stunnel]
    1211 
    1212 [[Anchor(CrazyAndLazy)]]
    1213 = For the Crazy and Lazy =
    1214 [#CrazyAndLazy [link]]
    1215 
    1216 If you are lazy and don't want to repeat most of the steps laid out here every time you call the program (and who would?) you can have a look at [http://shellscripts.org/project/toraliases the tor aliases project].
    1217 
    1218 [[Anchor(TorCredits)]]
    1219 = Credits =
    1220 [#Credits [link]]
     462Start QS > header create/ message send window > uncheck the "use Proxy" box }}}
     463
     464==== QS TLS SMTP Header Template ====
     465
     466This template will route QS traffic as so: QS > Stunnel (via. Sockscap) > Tor (via. port 2525) > mail.bananasplit.info > random remailer > ramdom remailer > itlay > reciepent.
     467
     468This template is an example of a config. message to hod.aarg.net; any SMTP mail will work.
     469
     470Copy and paste this into the headers section of the send mail window:
     471
     472{{{
     473Tor: 127.0.0.1:9050,4a; write.what.you.want.here.com
     474Host: 127.0.0.1:2525
     475From: your nym here <your nym h...@hod.aarg.net>
     476From: your nym here
     477Chain: banana,*,*,italy; copies=6
     478To: con...@hod.aarg.net
     479Subject: test a
     480Pgp: sign= your nym PGP here ; encrypt= your nym PGP here  }}}
     481
     482Note:  You need to hard code Banana as the first remailer in your chain if your going to use the Banana TLS Host.
     483
     484Note: You need to add a Banana HashCash Token to use Banana M2N; get HashCash here:
     485 http://www.panta-rhei.dyndns.org/downloads/
     486
     487==== QS TLS SMTP M2N Template ====
     488
     489This template will route traffic to Usenet via. the route described above then on though Banana's M2N gateways.
     490
     491Copy and paste this into the headers section of the send mail window:
     492
     493
     494{{{
     495Tor: 127.0.0.1:9050,4a; write.what.you.want.here.com
     496Host: 127.0.0.1:2525
     497From: your nym here <your nym h...@hod.aarg.net>
     498From: your nym here
     499Chain: banana,*,*,italy; copies=6
     500References:
     501To: mail2news_munge@bananasplit.info,mail2news@bananasplit.info
     502Newsgroups:
     503X-Hashcash: You need Banana's HashCash Token to post via. M2N.
     504Subject:
     505Pgp: sign= your nym PGP here ; encrypt= your nym PGP here  }}}
     506
     507Note:  You need to hard code Banana as the first remailer in your chain if your going to use the Banana TLS Host.
     508
     509Note: You need to add a Banana HashCash Token to use Banana M2N; get HashCash here:
     510 http://www.panta-rhei.dyndns.org/downloads/
     511
     512==== Configure Stunnel ====
     513
     514This template will accecpt QS traffic via. LocalHost (127.0.0.1); Port 2525 and use bananasplit as TLS host. 
     515
     516This template will work for sending TLS SMTP and TLS SMTP M2N.
     517
     518This template will work for downloading NG messages via. QS > Stunnel > Tor > new.bananasplit.info:5563
     519
     520Copy and paste this into your Stunnel .conf file:
     521
     522{{{
     523debug = 7
     524output = log.txt
     525client = yes
     526options = all
     527RNDbytes =  2048
     528RNDfile = bananarand.bin
     529RNDoverwrite = yes
     530
     531[BANANA_TLS_SMTP]
     532protocol = smtp
     533accept  = 2525
     534connect = mail.bananasplit.info:2525
     535delay = no   
     536#
     537[BANANA_NNTPS_GROUPS]
     538accept = 127.0.0.1:2000
     539connect = news.bananasplit.info:5563
     540delay = no  }}}
     541
     542==== Configure SocksCap ====
     543
     544SocksCap will route traffic from Stunnel into Tor using Socks5.
     545
     546Import the address of Stunnel.exe shortcut into SocksCap; then when you want to use Stunnel click "Run Socksified".
     547
     548{{{
     549Start SocksCap > File > Setup >
     550
     551127.0.0.1:9050
     552Socks 5
     553Resolve all names remotely }}}
     554
     555==== Configure Tor ====
     556
     557Upgrade to current stable (or test) release; default setup.
     558
     559==== DLing TLS NG Messages ====
     560
     561You can also setup QS to download on-topic messages from news.bananasplit.info via. QS > Stunnel > Tor >.
     562
     563All the setting requred you have already configured; all you need to do is confire the QS News Plugin (NNTP).
     564
     565
     566===== QS NNTP Account Manager Setup =====
     567
     568{{{
     569Start QS > Tools > News Accounts >
     570
     571New > News Server > mail.bananasplit.info
     572News Groups and Subjects > On-topic groups; use Esub for a.a.m }}}
     573
     574{{{
     575Start QS > Tools > News Accounts > Proxy >
     576
     577Proxy Server > 127.0.0.1
     578Proxy Port > 2000
     579Socks Level > 5 }}}
     580
     581
     582=== Remailing SMTP & NNTP via. Tor Hidden Services ===
     583
     584Panta runs hidden services for remailing via. SMTP and reading on-topic security/anonymity NG's (posting disabled).
     585
     586Remailing via. SMTP and NNTP Hidden Services prevents an adavsary from knowing you use SMTP or NNTP.  I am not sure if this more secure than useing TLS but it seems more anonymous to me.
     587
     588Another advantage to using Hidden Services is they resist D.D.S. and D.O.S. attacts; as does the MixMaster network to a certain extent.
     589
     590==== QS New Message Header Proxy Settings ====
     591 
     592When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; enable it.
     593
     594{{{
     595Start QS > header create/ message send window > check the "use Proxy" box >
     596
     597Proxy: 127.0.0.1:9050
     598Socks4a
     599Check the use Tor box }}}
     600
     601==== QS SMTP Hidden Service Template ====
     602
     603This template will route SMTP traffic through the Hidden Service to Panta then on to your reciepent.
     604
     605Copy and paste this into the headers section of the send mail window:
     606
     607{{{
     608Tor: 127.0.0.1:9050,4a; make.something.up.com
     609Host: rjgcfnw4sd2jaqfu.onion
     610From: your nym here <your nym h...@hod.aarg.net>
     611From: f...@bar.com
     612Chain: panta,*,*,italy; copies=6
     613To: xxx@hod.aarg.net
     614Subject: test a
     615Pgp: sign= your nym PGP here ; encrypt= your nym PGP here }}}
     616
     617Note:  You need to hard code Panta as the first remailer in your chain if your going to use the Panta Hidden Service.
     618
     619Note: You need to add a Panta HashCash Token to use Panta M2N; get HashCash here:
     620
     621http://www.panta-rhei.dyndns.org/downloads/
     622
     623 
     624==== QS SMTP M2N Hidden Service Template ====
     625
     626This template will route traffic to Usenet via. the route described above then on though Panta's M2N gateways.
     627
     628Copy and paste this into the headers section of the send mail window:
     629
     630{{{
     631Tor: 127.0.0.1:9050,4a; make.something.up.com
     632Host: rjgcfnw4sd2jaqfu.onion
     633From: your nym here <your nym h...@hod.aarg.net>
     634From: f...@bar.com
     635Chain: panta,*,*,italy; copies=6
     636References:
     637To: mail2news-hashcash@panta-rhei.dyndns.org,mail2news-hashcash_nospam@panta-rhei.dyndns.org
     638X-Hashcash: You need Panta's HashCash Token to post via. M2N.
     639Subject:
     640Pgp: sign= your nym PGP here ; encrypt= your nym PGP here }}}
     641
     642{{{
     643Note: Make sure to un-wrap the
     644"To: mail2news-hashcash@panta...,mail2news-hashcash_nospam@panta..." header }}}
     645
     646Note:  You need to hard code Panta as the first remailer in your chain if your going to use the Panta Hidden Service.
     647
     648Note: You need to add a Panta HashCash Token to use Panta M2N; get HashCash here:
     649
     650http://www.panta-rhei.dyndns.org/downloads/
     651
     652==== Configure Tor ====
     653
     654Upgrade to current stable (or test) release; default setup.
     655
     656==== DLing Hidden Service NG Messages ====
     657
     658You can also setup QS to download on-topic messages from rjgcfnw4sd2jaqfu.onion via. QS > Tor >.
     659
     660All the setting requred you have already configured; all you need to do is confire the QS News Plugin (NNTP).
     661
     662===== QS NNTP Account Manager Setup =====
     663
     664{{{
     665Start QS > Tools > News Accounts >
     666
     667New > News Server > rjgcfnw4sd2jaqfu.onion
     668News Groups and Subjects > On-topic groups; use Esub for a.a.m }}}
     669
     670{{{
     671Start QS > Tools > News Accounts > Proxy >
     672
     673Proxy Server > 127.0.0.1
     674Proxy Port > 9050
     675Socks Level > 4a }}}
     676
     677
     678==== End Notes ====
     679
     680A. Banana also offers a NNTP and SMTP via. Tor Hidden Services.  ZAX's hidden services are down right now but he's getting them up soon.
     681
     682As far as I understand you can post & dl though Banana'a hidden NNTP portal.
     683
     684B. Occasionally when I dl messages from Panta's Hidden NNTP I get an error message from QS stating "1060 not a winsock err" (something to that effect). This is caused by a problem with one of the Tor nodes (most
     685likley).
     686
     687In this case wait 2 minutes then retry dling from the a.a.m.  Every 60 seconds or so of inactivity Tor creates a new route which should allow you access to the Hidden Services.  If you still can't gain access to
     688the Hidden Services shutdown/restart Tor & QS; that should do the trick.
     689
     690C. Don't have Stunnel running in system tray when your using Hidden Services and QS; this causes QS to lock and give me "unable to wipe" error message; requiring hard restart of QS.
     691
     692=== Hidden Services Security Issues ===
     693
     694==== Tor Rendezvous Node ====
     695
     696The rendezvous node of the Tor network is where you and the Panta or Banana hidden service meet, IMHO the rendezvous node should be verified; by default it  is unverified.
     697
     698***NOTE:  It is possible this tweak may decrease the overall anonymity of the Tor network.  I don't think that by forcing Tor to use verified rendezvous nodes it's anonymity will weaken; as this tweak only slighlty decreases the selection and number of nodes.
     699
     700{{{
     701It may be wise to *not* apply this tweak at this time.  I am not an expert on Tor or Onion Routing so I can't say if this tweak should positivly be applied or not.
     702
     703>>I would like an experts opinon on this matter please.<<
     704}}}
     705
     706Rendezvous node tweak:
     707
     708{{{
     7091. Open Torrc file
     710
     7112. find the section "client options"
     712
     7133. find the line labeled "AllowUnverifiedNodes middle,rendezvous"
     714
     7154. delete this ",rendezvous"
     716
     7175. save file and close
     718
     7196. restart Tor }}}
     720
     721Now the rendezvous node must have it's PGP sig and Tor fingerprint w/valid email on file with the Tor network (DirPort). 
     722
     723==== EHLO Answer ====
     724
     725There is a *large* anonymity hole in the use of remailers and Tor Hidden Services.  When you use remailers (SMTP) on Tor's Hidden Service your real Host and IP can be leaked via. EHLO answer to the entry and/or rendezvous node.
     726
     727QS spoofs the EHLO answer (as does JBN2 Panta mod) so your Host and IP are secure.
     728
     729=== Everyday Use ===
     730
     731Your done!  Now to use the monster you created:
     732
     733==== TLS SMTP/M2N ====
     734
     735A. Start QS
     736
     737B. Start SocksCap
     738
     739C. Start Stunnel via. SockCap
     740
     741D. Start Tor
     742
     743E. Use either template for TLS SMTP or M2N
     744
     745==== TLS NNTPS DLing ====
     746
     747A. Start QS
     748
     749B. Start SocksCap
     750
     751C. Start Stunnel via. SockCap
     752
     753D. Start Tor
     754
     755E. Start QS News Pluging
     756
     757F. Select News Account for "news.bananasplit.info"
     758
     759E. Start Dling messages
     760
     761==== Hidden Service SMTP/M2N ====
     762
     763A. Start QS
     764
     765B. Start Tor
     766
     767C. Use either template for Hidden Service SMTP or M2N
     768
     769==== Hidden Service NNTP ====
     770
     771A. Start QS
     772
     773B. Start Tor
     774
     775C. Start QS News Plugin
     776
     777D. Select News Account for "rjgcfnw4sd2jaqfu.onion"
     778
     779E. Start DLing messages
     780
     781=== Further Reading ===
     782
     783Panta Hidden service info & JBN/Tor:
     784
     785http://www.panta-rhei.dyndns.org/pantawiki/HowToJbnAndTor
     786
     787Panta's website:
     788
     789http://www.panta-rhei.dyndns.org/
     790
     791Banana's website:
     792
     793http://www.bananasplit.info/
     794
     795Banana's TLS/SSL SMTP webpage:
     796
     797http://www.bananasplit.info/mailtls.html
     798
     799Banana's Stunnel How-To webpage:
     800
     801http://www.bananasplit.info/stunnel.html
     802
     803TLS@noreply:
     804
     805http://www.noreply.org/tls/
     806
     807QS website:
     808
     809http://www.quicksilvermail.net/ 
     810
     811=== In A Perfect World... ===
     812
     813...SocksCap speaks Socks4a, both Panta and Banana offer NNTPS and SMTP(TLS) via. Tor Hidden Services on port 563 &
     8142525 (or other ports).
     815
     816This way we could use NNTPS and SMTP(TLS) through QS > Stunnel > Tor > Hidden Servies > NNTPS/SMTP(TLS).
     817
     818Thus, haveing an encrypted end-to-end rout though Hidden Services without an advasary knowing were using anything but the Tor network.
     819
     820I don't know if this is possible as Hidden Services may not allow a Stunnel (TLS) forward ex.:
     821
     822{{{
     823#[PANTA_TLS_SMTP_HIDDEN_SERVICES]
     824#accept = 2525
     825#connect = rjgcfnw4sd2jaqfu.onion
     826#delay = no }}}
     827
     828Or something of that nature...
     829
     830
     831== Credits ==
    1221832
    1222833Thomas Sjogren with Northern Security started this howto and still maintains a copy at:
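Review bot: The "Rendezvous node tweak" is added as a numbered procedure although the preceding NOTE contradicts itself (it says the tweak "may decrease the overall anonymity" and then "I don't think ... anonymity will weaken") and the author's own request for an expert opinion is shipped inside a {{{ }}} block; either leave the tweak out until someone confirms what removing ",rendezvous" from AllowUnverifiedNodes actually does, or mark the whole subsection as an open question rather than as instructions. In "EHLO Answer", the EHLO argument is sent to the SMTP server at the far end of the circuit, not to the entry or rendezvous node (those only relay encrypted cells), so the party that can see the real host name is the hidden-service or TLS-endpoint operator; the sentence should name that party. Smaller points: the "TLS NNTPS DLing" list uses "E." twice, so the step after "F. Select News Account ..." should be "G.", and the stunnel stanza under "In A Perfect World..." has "connect = rjgcfnw4sd2jaqfu.onion" without a port, which stunnel's connect option requires, even though the author already flags that stanza as speculative.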
     
    1228839        * Thomas Hardly
    1229840        * tyranix
    1230         * thalunil
    1231         * BogdanDrozdowski (FTP stuff, 3proxy stuff with great help from it's author - 3APA3A, Gadu-Gadu, TB, SVN, Yum and KDE stuff)
     841        * HereHere
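Review bot: Dropping the credit lines for thalunil and BogdanDrozdowski is not justified by anything else in this change (BogdanDrozdowski's line records the FTP, 3proxy, Gadu-Gadu, TB, SVN, Yum and KDE sections, which are still part of the document); keep both lines and append "* HereHere" after them instead of replacing them.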