

#pragma section-numbers on
## Copyright (c) 2004 Thomas Sjogren.
## Copyright (C) 2004, 2005, 2006 Contributors
## Distributed under the MIT license,
## See ./LegalStuff for a full text

[:../:up to Tor]

Torifying software HOWTO

This document explains how to configure particular programs to use Tor. It was originally written for a Linux/UNIX environment, but it should include some instructions for Windows and OS X users too. Please add your own Windows configurations to this document.

Note that this is a very brief document on how to make various programs use Tor as a proxy; you should read the documentation first. Since most programs use similar locations for various settings, the following examples will get you going most of the time. If you're using anything that needs some exotic workarounds, or your distribution doesn't use SysV (/etc/init.d/ startup scripts), for example, this guide currently won't help you a lot, since it is somewhat bash- and Debian-specific.

Feel free to edit this page --- it's a Wiki, after all. One note: use only link identifiers which start with a letter or the underscore character (_) and don't use identifiers with spaces inside them. Things like that make the page invalid (X)HTML and nobody wants that.




Basic Configuration Issues



Unix and Linux Configuration


First, we assume you installed Privoxy. Many applications can be set to use an http proxy, and that will make your life much easier.

Under Unix and GNU/Linux, most HTTP capable applications, like lynx, wget and curl, will honor the value of the http_proxy environment variable. Some applications use all lower case, some all upper, so specify both to be safe.

Add the following lines to your $HOME/.bash_profile, $HOME/.bashrc, or env settings:

export http_proxy HTTP_PROXY


About DNS and tsocks


tsocks correctly replaces connect(2) calls with calls to your SOCKS proxy (Tor), but it doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.

Other applications that use SOCKS 4 or SOCKS 5 directly often have the same shortcoming.

Tor 0.0.8 (or later) has a workaround for this problem; until we can hack tsocks (or a work-alike) to support DNS, instead of using a hostname directly, first use tor-resolve to resolve the hostname into an IP (via Tor) and then use that IP address with your tsocks-ified application.

See [:TheOnionRouter/TorFAQ#SOCKSAndDNS: the FAQ] for more information.

NOTE: There is now a patch to the tsocks code that handles dns leaks and .onion addresses, tordns
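
Whether a hostname reaches Tor or only an already-resolved IP address is visible in the request an application sends to the SOCKS port: SOCKS4 and SOCKS5 with an IP address type carry only an address, while SOCKS4a and SOCKS5 with the domain-name address type hand the name to the proxy. The following Python code is an added example, not part of the original HOWTO; the function names and the sample requests (192.0.2.10, irc.example.net) are constructed for illustration.

```python
import ipaddress
import struct


def read_cstring(buf, start):
    """Return (text, index after the NUL) for a NUL-terminated field."""
    end = buf.find(b"\x00", start)
    if end < 0:
        raise ValueError("unterminated field")
    return buf[start:end].decode("ascii", "replace"), end + 1


def is_ip_literal(text):
    """True if text is an IPv4 or IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_socks_request(req):
    """Describe one SOCKS CONNECT request as a client sends it to the proxy.

    For SOCKS5, pass the request message that follows method negotiation.
    hostname_via_proxy is True only when the proxy receives a name to resolve.
    """
    if len(req) < 2:
        raise ValueError("truncated request")
    if req[0] == 4:
        if len(req) < 9:
            raise ValueError("truncated SOCKS4 request")
        (port,) = struct.unpack("!H", req[2:4])
        dst = req[4:8]
        _userid, pos = read_cstring(req, 8)
        # SOCKS4a signals "hostname follows" with destination 0.0.0.x, x != 0.
        if dst[:3] == b"\x00\x00\x00" and dst[3] != 0:
            target, _ = read_cstring(req, pos)
            proto = "SOCKS4a"
        else:
            target = str(ipaddress.IPv4Address(dst))
            proto = "SOCKS4"
    elif req[0] == 5:
        if len(req) < 5:
            raise ValueError("truncated SOCKS5 request")
        atyp = req[3]
        if atyp == 3:                    # domain name, length-prefixed
            addr_len, start = req[4], 5
        elif atyp in (1, 4):             # raw IPv4 / IPv6 address
            addr_len, start = (4 if atyp == 1 else 16), 4
        else:
            raise ValueError("unknown SOCKS5 address type %d" % atyp)
        end = start + addr_len
        if len(req) < end + 2:
            raise ValueError("truncated SOCKS5 request")
        raw = req[start:end]
        (port,) = struct.unpack("!H", req[end:end + 2])
        if atyp == 3:
            target = raw.decode("ascii", "replace")
        else:
            target = str(ipaddress.ip_address(raw))
        proto = "SOCKS5"
    else:
        raise ValueError("not a SOCKS4/SOCKS5 request")
    # An IP literal means the name was resolved before the proxy was contacted:
    # either with tor-resolve (as recommended above) or by the local DNS server.
    return {
        "protocol": proto,
        "target": target,
        "port": port,
        "hostname_via_proxy": not is_ip_literal(target),
    }


# Constructed sample requests (not captured traffic), all for port 6667.
PORT = struct.pack("!H", 6667)
NAME = b"irc.example.net"
SAMPLES = {
    "socks4_ip": b"\x04\x01" + PORT + bytes([192, 0, 2, 10]) + b"\x00",
    "socks4a_name": b"\x04\x01" + PORT + b"\x00\x00\x00\x01" + b"\x00" + b"foo.onion\x00",
    "socks5_name": b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + PORT,
    "socks5_ip": b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + PORT,
}


def audit(samples):
    """Return the names of the samples that gave the proxy only an IP address."""
    return sorted(
        name for name, data in samples.items()
        if not classify_socks_request(data)["hostname_via_proxy"]
    )


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_socks_request(data))
    print("IP-only requests:", audit(SAMPLES))
```

An IP-only request is expected when the address came from tor-resolve; it indicates a leak only when the application looked the name up itself.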


About socat


socat is a multipurpose relay for bidirectional data transfer. It is possible to use socat as a general means by which programs agnostic of SOCKS can use Tor by connecting to a local TCP port.

Socat (for SOcket CAT) establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging and tracing, different modes for interprocess communication and many more options.

It can be used, for example, as a TCP relay (one-shot or daemon), as an external socksifier, as a shell interface to Unix sockets, as an IPv6 relay, as a netcat and rinetd replacement, to redirect TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts inside network connections.

Suppose that you wanted to connect to an IRC server running on, port 6667.

socat TCP4-LISTEN:4242,fork,socksport=9050

Connecting to localhost, port 4242, would then be equivalent to connecting to, port 6667, via Tor.

What interests us most for Tor is that it supports socks4a redirection, allowing your client to connect to a hidden service. Suppose you want to join a hidden IRC server running on foo.onion on port 6667.

You might want to start a local tunnel that forwards connections from local port 4242 to this service using Tor.

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:foo.onion:6667,socksport=9050

Warning: socat versions up to and including had a bug that would use SOCKS4A only when a direct DNS resolution attempt failed, thus possibly revealing which DNS names you accessed through socat. See this post tor-dev for details.


Socat on OpenBSD


For enhanced security you can use socat like this:

## Connect to oftc on
/bin/systrace -e -a -t /usr/local/opt/bin/socat TCP4-LISTEN:6777,bind=localhost,range=,fork \,socksport=9050 > socat_log.$$ 2>&1 &

Now in irssi, you would just type /connect 6677 and it would connect you to through Tor.

Add /bin/systrace -e -a -t if you have a systrace policy for socat. Here's an example policy for IRC.

Policy: /usr/local/opt/bin/socat, Emulation: native
        native-__sysctl: permit
        native-issetugid: permit
        native-mmap: permit
        native-munmap: permit
        native-mprotect: permit
        native-mquery: permit
        native-break: permit
        native-write: permit
        native-close: permit
        native-exit: permit
        native-fcntl: permit
        native-fsread: filename eq "/etc/malloc.conf" then permit
        native-fsread: filename eq "/home/$USER" then deny
        native-fsread: filename eq "/home/$USER/." then deny
        native-fsread: filename eq "/var/mail/$USER" then deny
        native-fsread: filename eq "/var/run/" then permit
        native-fsread: filename eq "/usr/lib" then permit
        native-fsread: filename match "/usr/lib/*" then permit
        native-fsread: filename eq "/usr/share/nls/C/" then permit
        native-fsread: filename eq "/usr/share/zoneinfo/US/Eastern" then permit
        native-fsread: filename eq "/usr/share/zoneinfo/GMT" then permit
        native-fsread: filename eq "/usr/share/zoneinfo/posixrules" then permit
        native-fsread: filename eq "/etc/resolv.conf" then permit
        native-fsread: filename eq "/etc/hosts" then permit
        native-fsread: filename eq "/etc/pwd.db" then permit
        native-fsread: filename eq "/etc/group" then permit
        native-fstat: permit
        native-getegid: permit
        native-geteuid: permit
        native-getgid: permit
        native-getpid: permit
        native-getppid: permit
        native-gettimeofday: permit
        native-getsockname: permit
        native-getuid: permit
        native-sigaction: permit
        native-sigprocmask: permit
        native-read: permit
        native-fsread: filename eq "/" then permit
        native-execve: filename eq "/usr/local/opt/bin/socat" and argv eq "/usr/local/bin/irssi" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
        native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
        native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
        native-connect: sockaddr eq "inet-[]:9050" then permit
        native-connect: sockaddr eq "inet-[]:53" then permit
        native-bind: sockaddr eq "inet-[]:6677" then permit
        native-bind: sockaddr eq "inet-[]:6777" then permit
        native-listen: permit
        native-accept: permit
        native-getpeername: permit
        native-fork: permit
        native-chroot: filename eq "/var/empty" then permit
        native-wait4: permit
        native-wait: permit
        native-sigreturn: permit
        native-pread: permit
        native-setgroups: permit
        native-select: permit
        native-shutdown: permit

Note that the above native-shutdown entry refers to the shutdown(2) function call, which shuts down part of a full-duplex connection, and not to the shutdown command.

If you didn't use the configure line above, you will have to add more native-fsread statements for the extra libraries.

This also assumes that you have dsocks set up to handle DNS requests on


Web browsers


Web browsing and Privoxy is also covered in the tor setup docs, specifically




Settings -> Configure Konqueror -> Proxy -> Manually Specify the proxy settings -> Setup

HTTP/S Proxy: port 8118

Or edit $HOME/.kde/share/config/kioslaverc:




Setup -> Network Options

HTTP Proxy: port 8118

Or edit /etc/links.cfg (system-wide) or $HOME/.links/links.cfg (per-user):





Lynx will respect the http_proxy environment variable, but you can edit /etc/lynx.cfg:





Open Tools -> Preferences -> Advanced -> Network -> Proxy Servers. Check HTTP and enter "" and "8118" as port or open about:config and enter "" in Proxy -> HTTP Server.


Mozilla Firefox


In later versions of Firefox, at least in the current version under Linux and Windows XP, you can enable the browser to do remote domain name lookups. The option network.proxy.socks_remote_dns is available via about:config and should look like

network.proxy.socks_remote_dns 	user set 	boolean 	true

At you can find an excellent step-by-step introduction on how to configure Firefox in this manner. Be careful, though: In some versions of Firefox, it is possible that even with this option set remote DNS resolution will not work. In this case, you may want to use Privoxy or similar projects. To find out whether your version implements remote DNS resolution correctly, you may try out a URL ending in .onion, like this one leading to the Hidden Tor Wiki. If the Hidden Wiki shows up, remote DNS resolution works.

Otherwise, to use Privoxy with Firefox 1.5x on Windows, do the following in Firefox:

Tools -> Options -> General -> Connection Settings -> Manual proxy configuration

Set HTTP Proxy (or localhost), port 8118 and tick the box [X] Use for all protocols. Or you may explicitly set the Proxy information for SSL, FTP, and Gopher to localhost/8118 and then set the SOCKS Host information to localhost/9050, making sure to specify SOCKS v5.

Remember: Configuring Privoxy for FTP will break ftp:// URLs, but if you don't do this, your Firefox will leak your IP address for those sites. Use Filezilla for handling FTP traffic (Windows only) or read the FTP section below.

Also, Mac OS X users should change the above preferences by entering about:config in the URL bar because the Firefox preferences dialog is a bit screwy.


Circumventing Tor blocks using open HTTP proxies


Some websites have blocked access from Tor users. Often, however, these websites still allow access from any of millions of open HTTP proxies on the internet. Unfortunately, using an open HTTP proxy directly is not very anonymous.

The solution is to chain an open HTTP proxy between Tor and the unfriendly website. This provides all the anonymity benefits of Tor, while obscuring the fact that you're using Tor from the website.


One method involves Privoxy. This example config will send all requests through Tor, only chaining an open HTTP proxy after Tor for a select site. Replace with the proxy's address and port.

forward-socks4a / localhost:9050 .
forward-socks4a * localhost:9050


Another method requires Socat. This will forward all connections to localhost:8080 to an open HTTP proxy through Tor. Just configure your browser to use localhost:8080 as an HTTP proxy. Once again, replace with the proxy's address and port.

socat TCP4-LISTEN:8080,bind=localhost,fork SOCKS4A:localhost:,socksport=9050


Download and install (may need compiling) the 3proxy proxy server. Create a configuration file (plain text) like this:

# put 3proxy in background mode. For Windows replace with "service"
# set archiver to compress log files. Remove or replace for Windows.
archiver gz /bin/gzip %F
# we'll have 2 log files
rotate 2
# format of log record
logformat "- +_L%d.%m %H:%M:%S srv=%N:%p err=%E src=%C:%c dst=%R:%r out=%O in=%I %T"
# path to log file (CHANGE IT BECAUSE IT'S NOT SECURE!), rotate it monthly
log /tmp/3proxy.log M
# set timeouts above defaults, because tor may be a bit slow
timeouts 30 30 60 60 180 1800 60 120
# this is required to use ACLs and redirections
auth iponly
# preventing DNS requests leak
# redirect all traffic
allow *
# first redirection hop is tor
parent 1000 socks4+ 9050
# and the second hop is an open HTTP proxy. Replace " 80" with the proxy's address and port.
parent 1000 http 80
# now, start anonymous HTTP proxy on localhost:8080, configure this in
# your browser as single proxy for all protocols
proxy -a -i127.0.0.1 -p8080

(you should edit at least the log path) and start 3proxy, giving the configuration file name on the command line. For Linux, this may look something like ./3proxy ./3proxyrc.







This isn't the most elegant solution, but it works. Rename your /etc/init.d/fetchmail file to fetchmail-orig, for example, then save the script below as /etc/init.d/fetchmail, and restart fetchmail with /etc/init.d/fetchmail restart. Your mail will now be fetched through the Tor network.

#!/bin/sh
# Fetchmail+Tor init script

set -e

# Defaults
# (the DAEMON and FMINIT assignments are missing from this copy of the page;
# set both here before using the script)

test -f "$DAEMON" || exit 0

case "$1" in
	# (the start and stop branches are missing from this copy of the page)
	restart|force-reload)
		$DAEMON $FMINIT restart
		;;
	try-restart)
		$DAEMON $FMINIT try-restart
		;;
	awaken)
		$DAEMON $FMINIT awaken
		;;
	debug-run)
		$DAEMON $FMINIT debug-run
		;;
	*)
		echo "Usage: /etc/init.d/fetchmail {start|stop|restart|force-reload|awaken|debug-run}"
		echo "  start - starts system-wide fetchmail service"
		echo "  stop  - stops system-wide fetchmail service"
		echo "  restart, force-reload - starts a new system-wide fetchmail service"
		echo "  awaken - tell system-wide fetchmail to start a poll cycle immediately"
		echo "  debug-run [strace [strace options...]] - start a debug run of the"
		echo "    system-wide fetchmail service, optionally running it under strace"
		exit 1
		;;
esac

exit 0

An alternative configuration for fetchmail for those that prefer to start it on a per-user basis. Add the following to the user's .bashrc:


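  # CONF_FILE, FETCHMAIL, PID_FILE and TSOCKS must be set before this point;
  # their assignments are missing from this copy of the page.
  function FetchMailAlive () {
    if test -f $CONF_FILE && test -f $FETCHMAIL; then
      if test -f $PID_FILE; then
        # PID file exists: start a new daemon only if that process is gone
        if ! kill -0 `cut -d \  -f1 $PID_FILE` 2>/dev/null; then
          eval $($TSOCKS $FETCHMAIL)
          echo New FetchMail started. >&2
        fi
      else
        # No PID file: no daemon is running yet
        eval $($TSOCKS $FETCHMAIL)
        echo New FetchMail started. >&2
      fi
    else
      echo Fetchmail not installed or configured properly. >&2
    fi
  }

# Call it
FetchMailAlive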

Then it checks for a running fetchmail daemon every time a new shell is opened and starts one if needed.

You may want to look up your mail server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.

If you are lazy you can also just call torify fetchmail or torify fetchmail -d 900.


Mozilla Thunderbird


Install the Torbutton extension and enable Tor in Thunderbird by clicking on the onion in the toolbar (if it has a red cross).

Just remember to exclude all your SMTP servers in the Connection settings (Edit-Preferences-General or Tools-Options-General) dialog box, otherwise you probably won't be able to send any mail.

If you're using the same server name for receiving and sending mail but still want to receive mail through Tor, change your SMTP server's name to its IP and exclude the IP from being proxied. This way, mail will be received from your mail server by its name (and through Tor), but sent by the same server without Tor.


3proxy as a POP3 proxy


Download and install (may need compiling) the 3proxy proxy server.

Let's say you have a POP3 account with settings below:

E-mail: testaccount@…

POP3 server:

Account name: testaccount@…


First, you need to configure and start 3proxy as a pop3 proxy with redirection to tor. Create a configuration file (plain text) like this:

# put 3proxy in background mode. For Windows replace with "service"
# set archiver to compress log files. Remove or replace for Windows.
archiver gz /bin/gzip %F
# we'll have 2 log files
rotate 2
# format of log record
logformat "- +_L%d.%m %H:%M:%S srv=%N:%p err=%E src=%C:%c dst=%R:%r out=%O in=%I %T"
# path to log file (CHANGE IT BECAUSE IT'S NOT SECURE!), rotate it monthly
log /tmp/3proxy.log M
# set timeouts above defaults, because tor may be a bit slow
timeouts 30 30 60 60 180 1800 60 120
# this is required to use ACLs and redirections
auth iponly
# preventing DNS requests leak
# redirect all traffic
allow *
# redirect traffic to Tor
parent 1000 socks4+ 9050
# now, start pop3 proxy on port
# you can run it on alternative port, if port 110 is in use or not accessible
pop3p -i127.0.0.1 -p110

(you should edit at least the log path) and start 3proxy, giving the configuration file name on the command line. For Linux, this may look something like {{{./3proxy ./3proxyrc}}}.

Now you must configure your e-mail agent (any with POP3 support:
Eudora, Outlook Express, Outlook, Apple Mail). Specify the 3proxy server
(localhost in the example) as the POP3 server and add the address of the real POP3
server to the account login name after the '@' character. That is, the e-mail agent
settings are now:


 POP3 server:

 Account name:

 Password: ******

If the POP3 proxy runs on a different port than 110, you should also change
the POP3 port settings in your mail agent.

== SMTP with "Submission" protocol and 3proxy portmapping ==

As a measure against spammers, Tor doesn't allow outgoing SMTP
connections to port TCP/25, but some mail servers may still be reached on
alternative ports. The most commonly used one is TCP/587 (submission).
"Submission" is actually the SMTP protocol with moderate authentication.,, and many others are known
to support the submission protocol. You can use e.g. portmapping (see
[#TCP General TCP] below)
to map some port on the local host to port 587 of your preferred mail

Gmail example: for any 3proxy configuration above, like [#POP3_3proxy POP3],
add a line

{{{tcppm -i127.0.0.1 2525 587}}}

This maps local 2525 port to Submission port of

Now set up SMTP host and SMTP port 2525 for your mail agent
and configure SMTP authentication. Currently there is no SMTP proxy
server support. If you need a second submission server, add a second
portmapping with a different local port (e.g. 2526) to the configuration.

Note: some mail agents, including Microsoft Outlook and Outlook Express,
are known to leak sensitive information, including local IP address,
through mail headers.

== Sending mail using SMTP (the normal way) over SSH ==

If you have an SSH account which allows connection forwarding, you can send e-mail messages through a tunnel created with Tor and SSH. Add similar lines to your ssh configuration file (like ~/.ssh/config):

Host your_ssh_server
 # The User line may be omitted
 User = your_username
 LocalForward   7025    your_first_email_server:25
 LocalForward   7026    your_second_email_server:25
 LocalForward   7027    your_third_email_server:25

Then, execute {{{ ssh -f -N -q your_ssh_server }}}. Use {{{ netstat -aptun }}} to check that {{{ssh}}} is really listening on the specified ports. If everything seems to be working fine, change your e-mail program settings to use "" and port 7025 instead of "your_first_email_server" port 25. The same goes for the rest.

= Instant messaging =

== qip ==

== ICQ ==

First Step:

Second Step:

== Pidgin (formerly Gaim) ==

Preferences -> Network -> Proxy
Proxy type: Socks 5
Port: 9050

See the note on tsocks and DNS above.

== Konversation ==

See the note on [#KDE KDE Applications] below. 

== Kopete ==

See the note on [#KDE KDE Applications] below. 

== Psi ==

Psi is a Jabber client with support for
additional Jabber JEP-0027 encryption,
with GnuPG and Socks 5 proxy support.

Account Setup -> Modify -> Connection -> Proxy -> Edit -> New
Name: Tor
Type: SOCKS Version 5
Port: 9050

See the note on tsocks and DNS above.

== Miranda ==
"M" Menu -> Options -> Network

Proxy Type: SOCKS5
Proxy Server: localhost or
Port: 9050

== Bitlbee ==

Simply add the following to {{{/etc/bitlbee/bitlbee.conf}}} and connect with your favorite IRC client:
Proxy = socks5://localhost:9050

== Gadu-Gadu ==

To use Gadu-Gadu (the Polish closed and insecure instant messaging network) with Tor, point your client program to Privoxy ( and port 8118). In Kadu, this is in: Menu - Konfiguracja - Siec. In EKG, go to the main window, type {{{set proxy}}}, then type {{{save}}} and reconnect.

= IRC =

== weechat ==

weechat is (afaik) the only console irc client with working socks5 support. Making it play nice with Tor is as easy as changing the following lines in the [proxy] section of ~/weechat/weechat.rc :

proxy_use = on
proxy_type = socks5
proxy_ipv6 = off
proxy_address = ""
proxy_port = 9050

This works fine with in-Tor IRC servers as well (notably ORC at irc://3d2et7ek4jjhnv3k.onion)

== Irssi ==

If you are running Privoxy, as recommended, you can just configure irssi's own proxy settings to use Privoxy as an HTTP proxy.
Otherwise, you can run Irssi with {{{tsocks irssi}}}.  Unfortunately, as mentioned above, Irssi's own proxy configuration options are HTTP specific.

Alternative: {{{torify irssi}}}.  Note that torify is just a shell script that calls
tsocks after setting the config file to /etc/tor/tor-tsocks.conf.

For OpenBSD users, you can either hack tsocks to work (as of 3.6 there is no port) or you can use dante.
Dante is in the ports system.  A simple example config for `/etc/socks.conf` (client configuration only)
that works with irssi and Tor looks like this:
route {
        from:   to:  via:  port = 9050
        proxyprotocol: socks_v4
}

and then you can run {{{socksify irssi}}} assuming that Tor is running on localhost:9050.

You may want to look up your IRC server's IP with {{{tor-resolve}}} and use the IP in place
of a hostname; see the [:#DNSNote: note on tsocks and DNS] above.

Add the following to your .irssi/config if you want to use Privoxy as your proxy:

settings = {
  core = {
    real_name = "TorUser";
    user_name = "TorUser";
    nick = "TorUser";
    proxy_password = "";
    use_proxy = "yes";
    proxy_string = "CONNECT %s:%d HTTP/1.0\n\n";
    proxy_port = "8118";
    proxy_address = "";
  };
};

Don't forget to modify the limit-connect settings in the Privoxy .action files first. This is typically found in default.action, and is a filter that limits what ports Privoxy will connect to. Since Privoxy only listens on the local interface, it is safe to replace this line with '+limit-connect{1-}' which allows Privoxy to connect to all ports.

To minimize information leakage about your client and timezone add
ignores = ( { level = "CTCPS"; } );

or run 

/ignore * CTCPS

and then


== X-Chat ==

X-Chat supports SOCKS 5 and does not leak DNS requests.

Settings-> Preferences -> Network -> Network setup -> Proxy server
Port: 9050
Type: Socks5

Unofficial builds of X-Chat for Windows are free.

See the note on tsocks and DNS above.

== X-Chat Aqua 0.16.0 ==

X-Chat Aqua is X-Chat with an Aqua interface for Mac OS X. X-Chat Aqua uses the IRC engine from X-Chat, and is designed to look and feel like the GTK+ front end.

This is a free IRC client for Mac OS X that works with Tor.

X-Chat Aqua-> Preferences -> Network -> Network setup
Address to bind to:
Proxy server: localhost
Port: 9050
Proxy type: Socks5

== SILC ==

Since the SILC client is based on Irssi, you can follow the same procedure to make it use Tor. Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet. More information about SILC is available at its website.

=== Silky ===

Silky is a GTK2 SILC client. It does not currently support SOCKS, so the best way to make it work with Tor is using socat (IMO):

{{{ socat TCP4-LISTEN:6666,socksport=9050 }}}

And then tell Silky to connect to localhost:6666.

== BitchX ==

In order to use BitchX with Tor, you first need to get ProxyChains, a *NIX-only HTTP and SOCKS proxy client.  On Debian systems, install the {{{proxychains}}} package.  Once installed, just add

socks5 9050
http localhost 8118
to the ProxyChains config file at {{{~/.proxychains/proxychains.conf}}}.
Now that it is configured, type {{{proxychains bitchx}}} at the command line.

The Gentoo build of proxychains seems to be broken on the x86 arch.  Using {{{tsocks BitchX}}} or
{{{torify BitchX}}} works well.

You may want to look up your IRC server's IP with {{{tor-resolve}}} and use the IP in place
of a hostname; see the note on tsocks and DNS above.

== mIRC ==

File -> Options -> Connect -> Firewall

Older versions:
Mark the "Use SOCKS Firewall" box.
Newer versions (mIRC 6.0 and up):
Select "Both" from the "Firewall support" pulldown.

Protocol: SOCKS5
Port: 9050

Don't use SOCKS4. Use SOCKS5.

There is a way to automate this with two commands...

/firewall -cm5+d on localhost 9050

to activate it and...

/firewall -d off

to deactivate the proxy. You can add these commands to your personal commands menu by following these instructions:

 Press Alt+P to open the popup editor and type this below "Commands"
Anonymize:/firewall -cm5+d on localhost 9050
de-Anonymize:/firewall -d off

== Trillian ==

Preferences -> Advanced Preferences -> Proxy Server
Use proxy server to resolve names.
Use proxy server.
Protocol: SOCKS5
Host: localhost or
Port: 9050

== KVIrc ==

Settings -> Configure KVIrc -> Connection -> Proxy Hosts

Use proxy.
New proxy.
Proxy: tor
Port: 9050
IP Address:
Protocol: SOCKSv5

Since KVIrc does not support remote DNS yet, you have to add a mapping to your Tor config if you want to connect to a hidden service. Do it like this:
echo 'mapaddress  mejokbp2brhw4omd.onion' >> /etc/tor/torrc
pkill -HUP tor
and then connect to through your Tor proxy.

= BitTorrent =

For BitTorrent it is probably not so helpful to torify data. Compared to the amount of damage you will do to your throughput and the amount of damage you will do to the Tor network, torifying data is overkill for the protection you gain. Aside from search index logs and tracker http logs, the attacks needed to determine who is downloading a torrent are somewhat similar to attacks on Tor: the adversary has to be running torrent clients and watching to see who connects to them. This is hard to do on a large scale. You are probably much more at risk for showing up in the webserver logs for popular trackers and index sites.

For this reason, you may want to use tor to communicate with the tracker. For this, just add {{{--tracker-proxy}}}:
btlaunchmanycurses --tracker_proxy <directory>

== µTorrent ==

Again, torifying the BitTorrent traffic of µTorrent would just add more overhead and reduce your transfer throughput a lot. It also severely taxes the Tor network and is considered poor etiquette.
The following image shows how to configure µTorrent to torify tracker traffic. Note the unchecked {{{Use proxy server for peer-to-peer connections}}}. Checking this will severely limit transfer speeds and needlessly tax the Tor network.

== Azureus ==

Again, pretty much all you really need to do here is to proxy tracker communications. There is an option for this under the connections pane in Azureus. Fill in 9050 for the SOCKS proxy for tracker data.

For more information on setting up torrents tracked via hidden service (which is not really taxing), and to be thoroughly confused by other possibilities, see: []. Super Seeding is another option if you are the first to seed a file and want to optimally distribute it anonymously. This is an acceptable exception to the request not to torify data.

rTorrent can use a proxy for communicating over HTTP. One merely has to edit ~/.rtorrent.rc and insert something like the following:
 http_proxy =

= FTP =

FTP requires 2 different connections: one for commands and one for data.
A data connection is created every time a directory listing or file is
transmitted. Almost any FTP server nowadays checks that both the control
connection and the data connection come from the same IP address. Tor
changes circuit for new TCP connections every 10 minutes. This means that if
you download many files from the same FTP server (or browse the content of an
FTP server) you will fail approximately once in 10 minutes and will need
to re-connect. It only affects new connections and does not interrupt
a file download.

3proxy (see [#POP3_3proxy POP3]) may act as an FTP proxy with redirection to Tor. There are
2 different types of FTP proxies. The first type is an FTP over HTTP proxy: it converts
listings and file transfers between FTP and HTTP and is mainly used
by browsers (Internet Explorer, Mozilla, Opera, wget, etc). It lacks
support for many FTP commands. The second type is a plain FTP proxy: it fully
supports the FTP protocol and is used in FTP clients (gFTP, NcFTP, CuteFTP).
3proxy supports both. For the real FTP proxy, 2 methods are supported: the USER
extension and the SITE/OPEN extension. For the real FTP proxy to work with
Tor you need the latest devel version (0.6).

In the configuration file from [#POP3_3proxy POP3] replace (or add, to use both services) the string

{{{pop3p -i127.0.0.1 -p110}}}

with

{{{proxy -i127.0.0.1 -p110}}}

for HTTP proxy with FTP over HTTP support, and/or

{{{ftppr -i127.0.0.1 -p110}}}

for FTP proxy.

'''You may sometimes get 404 Errors (after a long time of waiting) when connecting to an FTP site. Don't worry, this is normal (I mean, this is neither 3proxy's fault nor a configuration problem). Just wait a few minutes and everything will be fine.'''

== Mozilla Firefox ==

Install and start 3proxy, as described above. Go to Edit-Preferences (that used to be Tools-Options on Windows) - General - Connection settings. Then type 'localhost' and port number ('110' using the above configuration) under the FTP Proxy entry. That should do it.

== Wget (FTP) ==

Install and start 3proxy, as described above. Set the {{{ftp_proxy}}} environment variable to {{{}}}. You may also set this in the Wget configuration file.

== Opera ==

Install and start 3proxy, as described above. Go to Tools-Preferences-Advanced-Network-Proxy servers. Enable FTP and type and port 110.

== Konqueror ==

Install and start 3proxy, as described above. Go to Settings - Configure Konqueror - Manually Specify the proxy settings - Setup. Enter and port number 110 (or whatever number you chose) under the FTP Proxy.

== SmartFTP ==

Install and start proxy. Go to Extras - Settings - Connection/Proxy. Choose Type "SOCKS 4" and Host "" Port "9050".

== File Zilla ==

Install and start proxy. Go to Extras - Settings - Connection/Proxy. Choose Type "SOCKS 4a" and Host "" Port "9050".

= Misc =

== APT ==

'''Warning''': This will only work for HTTP because Privoxy does not support FTP. Look [#FTP above] for FTP.

Add the following line to {{{/etc/apt/apt.conf}}}:
Acquire::http::Proxy "";

== GnuPG: Method 1 (Privoxy) ==

Add or edit the following lines in your {{{$HOME/.gnupg/gpg.conf}}}:
keyserver x-hkp://yod73zr3y6wnm2sw.onion
keyserver-options honor-http-proxy broken-http-proxy
You may obviously use any public keyserver, like {{{}}}, but hidden services are preferred. At the time of this writing, only two key servers running as hidden servers are publicly available -- [http://d3ettcpzlta6azsm.onion/ d3ettcpzlta6azsm.onion/ ] and [http://yod73zr3y6wnm2sw.onion yod73zr3y6wnm2sw.onion].

After that is done, just run

{{{export http_proxy=
gpg --refresh-keys}}}

If you don't want to write the export line every time, you can add {{{ alias gpg='http_proxy= gpg' }}} to your .bashrc file as well; if you have set the {{{http_proxy}}} environment variable, you may skip this step.

== GnuPG: Method 2 (torify) ==
[#GnuPGtorify (link)]

At least a couple of people have had problems with using GPG over Privoxy. It is possible to use GPG with torify instead. If you have {{{http_proxy}}} set, GPG will try to use it. Add {{{no-honor-http-proxy}}} to your {{{keyserver-options}}} to prevent that.

Remember that torify doesn't handle DNS! Use tor-resolve to get the IP of your keyserver and use that. Either add it to {{{$HOME/.gnupg/gpg.conf}}} as the {{{keyserver}}} option or put it on the command line.

Now run

{{{torify gpg --refresh-keys}}}

or, if you give the keyserver on the command line,

{{{torify gpg --keyserver [result of tor-resolve] --refresh-keys}}}

== Wget (HTTP) ==
[#Wget (link)]

Wget will also respect the {{{http_proxy}}} environment variable, or you can edit {{{/etc/wgetrc}}}:

{{{http_proxy = http://localhost:8118
use_proxy = on}}}

== SSH: Method 1 (torify) ==
[#SSHtorify (link)]

Simply run {{{torify ssh <parameters> host}}} if the host is not on a local network and you're done. You could additionally use {{{tor-resolve}}} to transform the hostname into the IP address: just use {{{torify ssh <parameters> $(tor-resolve host)}}}.

== SSH: Method 2 (connect) ==
[#SSHconnect (link)]

These instructions should work on most *nix systems. Tested on Mac OS X 10.3.x and Debian GNU/Linux.

1 - Upgrade your SSH to an OpenSSH version that has SOCKS 5 support. The OpenSSH client that is shipped with Mac OS X 10.3 (aka ''Panther'') - OpenSSH_3.6.1p1 - will not work correctly. Download, build and install the current stable version from the [ OpenSSH website]. If you're using Mac OS X, using [ fink] may be easier for you.

2 - Download and build the connect [ source code]. Connect will allow socket connections using SOCKS4/5 and HTTP tunnels. For detailed information on connect, please visit its [ website].

A pre-compiled version of {{{connect}}} for Mac OS X is available at []. (md5sum: b5180cb789813fc958209c58b99039fa)

Install connect into the {{{/usr/local/bin}}} directory.

3 - Add the following lines to your {{{ssh_config}}} file, located at {{{/etc/ssh/ssh_config}}} (system-wide) or {{{$HOME/.ssh/config}}} (on a per-user basis). If you used fink to install OpenSSH, it is located at {{{/sw/etc/ssh/ssh_config}}}.

{{{Host 10.*.*.*
  ProxyCommand none
Host 172.16.*.*
  ProxyCommand none
Host 172.17.*.*
  ProxyCommand none
Host 172.18.*.*
  ProxyCommand none
Host 172.19.*.*
  ProxyCommand none
Host 172.20.*.*
  ProxyCommand none
Host 172.21.*.*
  ProxyCommand none
Host 172.22.*.*
  ProxyCommand none
Host 172.23.*.*
  ProxyCommand none
Host 172.24.*.*
  ProxyCommand none
Host 172.25.*.*
  ProxyCommand none
Host 172.26.*.*
  ProxyCommand none
Host 172.27.*.*
  ProxyCommand none
Host 172.28.*.*
  ProxyCommand none
Host 172.29.*.*
  ProxyCommand none
Host 172.30.*.*
  ProxyCommand none
Host 172.31.*.*
  ProxyCommand none
Host 192.168.*.*
  ProxyCommand none
Host *
  ProxyCommand /usr/local/bin/connect -4 -S %h %p}}}

All SSH connections, except to the private address ranges defined by the IANA in RFC 1918, will now go through Tor.

You may want to look up your SSH server's IP with {{{tor-resolve}}} and use the IP in place
of a hostname; see the note on tsocks and DNS above.
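
The {{{Host}}} patterns in step 3 are compared with the host as it was typed on the command line, not with the address it resolves to, and for each option the first value found wins. The following Python code is an added example, not part of the original HOWTO: it rebuilds the step 3 configuration (the proxy address after {{{-S}}} is missing on this page and is left out here too) and applies that matching to constructed host names, modelling only {{{Host}}} and {{{ProxyCommand}}}.

```python
import re

# The step 3 configuration, rebuilt from its pattern list. The proxy address
# after "-S" is missing on this page and is left out here as well.
PRIVATE = ["10.*.*.*"] + [f"172.{n}.*.*" for n in range(16, 32)] + ["192.168.*.*"]
SSH_CONFIG = "".join(f"Host {p}\nProxyCommand none\n" for p in PRIVATE)
SSH_CONFIG += "Host *\nProxyCommand /usr/local/bin/connect -4 -S %h %p\n"


def pattern_matches(pattern: str, name: str) -> bool:
    """ssh_config wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def proxy_command_for(config: str, typed_host: str) -> str:
    """ProxyCommand that applies to the host exactly as typed after "ssh".

    Assumption: only Host and ProxyCommand are modelled (no negated patterns,
    Match blocks, Include or CanonicalizeHostname).
    """
    active = True  # options before the first Host line apply to every host
    for line in config.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            active = any(pattern_matches(p, typed_host) for p in value.split())
        elif keyword == "proxycommand" and active:
            return value  # the first value obtained wins
    return "none"


def goes_through_tor(typed_host: str) -> bool:
    """True when the step 3 configuration sends this host through the proxy."""
    return proxy_command_for(SSH_CONFIG, typed_host).lower() != "none"


if __name__ == "__main__":
    # Constructed sample targets; fileserver.lan stands for a LAN machine by name.
    for host in ["10.1.2.3", "172.31.0.9", "172.32.0.9", "fileserver.lan", "MyHost.onion"]:
        print(f"{host:15} -> {'proxied' if goes_through_tor(host) else 'direct'}")
```

A LAN machine addressed by name is therefore handed to the proxy command; only literal private addresses take the direct path.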

== SSH: Method 3 (socat) ==
[#SSHsocat (link)]

Use [ socat] as described above. One way to access an SSH server via Tor is to use socat to make a tcp4 listener that relays to your local Tor client, and then ssh to it. It's not the nicest way. With OpenSSH, you can instead use the {{{ProxyCommand}}} option in your {{{~/.ssh/config}}} file, as follows:

{{{Host MyHost-tor
  ProxyCommand socat -,socksport=9050}}}

Now you can simply use {{{ssh MyHost-tor}}}.

Similarly, if you have an SSH server running as a hidden service, then you will wish to ssh to it with minimal fuss.

{{{Host MyHost-tor
  ProxyCommand socat - SOCKS4A:localhost:MyHost.onion:22,socksport=9050}}}

This method is more secure than using {{{tsocks ssh MyHost.onion}}}, because with tsocks ssh first resolves the hostname itself and only then tries to connect to it. That means you lose by giving away your IP address during the DNS lookup.

Using the wildcard and parameter expansion features of SSH, you can write a single configuration for all .onion addresses:

{{{Host *.onion
  ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050}}}

If you want ''every'' SSH communication to go through Tor, you can even say:

{{{Host *
  ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050}}}
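
Why the SOCKS4A form keeps the name lookup away from your local resolver while plain SOCKS 4 cannot: the two CONNECT requests differ in what the client has to know before it sends them. The following Python code is an added example, not part of the original HOWTO; it builds and parses both request types, using {{{MyHost.onion}}} from above and the constructed sample address 192.0.2.10.

```python
import ipaddress
import struct


def socks4_request(ip: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS4 CONNECT: the client must already hold the IPv4 address."""
    header = struct.pack(">BBH", 4, 1, port)  # version 4, command 1 = CONNECT
    return header + ipaddress.IPv4Address(ip).packed + userid + b"\x00"


def socks4a_request(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4A CONNECT: placeholder address 0.0.0.x (x != 0), then the hostname."""
    header = struct.pack(">BBH", 4, 1, port)
    return header + b"\x00\x00\x00\x01" + userid + b"\x00" + hostname.encode("ascii") + b"\x00"


def describe(request: bytes) -> dict:
    """Parse a SOCKS4/4A CONNECT request and report who has to resolve the name."""
    version, command, port = struct.unpack(">BBH", request[:4])
    if version != 4 or command != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    addr = request[4:8]
    fields = request[8:].split(b"\x00")  # userid, then (SOCKS4A only) hostname
    if addr[:3] == b"\x00\x00\x00" and addr[3] != 0:
        if len(fields) < 3 or not fields[1]:
            raise ValueError("SOCKS4A request without a hostname")
        return {"variant": "SOCKS4A", "target": fields[1].decode("ascii"),
                "port": port, "resolved_by": "proxy"}
    return {"variant": "SOCKS4", "target": str(ipaddress.IPv4Address(addr)),
            "port": port, "resolved_by": "client"}


if __name__ == "__main__":
    # A .onion name has no IP address, so only the SOCKS4A form can carry it.
    print(describe(socks4a_request("MyHost.onion", 22)))
    # 192.0.2.10 is a constructed address: the client looked it up beforehand.
    print(describe(socks4_request("192.0.2.10", 22)))
```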

== Putty ==
[#Putty (link)]

Putty is a neat suite of programs for doing Telnet, SSH, SCP, etc.[[BR]]
[wiki:/Putty Configuration Details][[BR]]

== vpnd ==
[#vpnd (link)]

It is possible to run a (slow) vpnd through Tor.
How to set this up is explained at [].

== SubVersion (SVN) ==
[#svn (link)]

Simply add the following lines:

{{{http-proxy-host = localhost
http-proxy-port = 8118}}}

('''NO''' spaces in front) to the "global" section in the '''servers''' file in your Subversion config directory ($HOME/.subversion on Linux).

This will only work for HTTP-based SVN connections, and you need an HTTP proxy, like Privoxy. See [ Tor's docs] for Privoxy configuration details.

== YUM ==
[#yum (link)]

Install and start 3proxy, as described [#FTP above]. Add the following line:
to the '''main''' section of your YUM configuration file (usually, this is /etc/yum.conf).

== Any TCP-based protocol ==
[#TCP (link)]

For any TCP-based protocol (telnet, ssh, nntp etc.), you can use TCP portmapping with 3proxy. For example, to map port 2200 of the local computer to port 22 (ssh) of my.ssh.server, replace the last line or add a new line

{{{tcppm -i127.0.0.1 2200 my.ssh.server 22}}}

to the 3proxy configuration from [#POP3_3proxy POP3]. Now you can do

{{{ssh -p2200}}}

to connect via SSH to my.ssh.server.

== KsCD and KDE applications in general ==
[#KDE (link)]

Either [#Konqueror configure Konqueror for HTTP] and [#KonquerorFTP FTP] or go to the KDE Control Center - Network - Proxy and set everything as described [#Konqueror here] and [#KonquerorFTP here]. Works for KsCD.

KDE applications such as Kopete and Konversation (basically everything that is not HTTP) respect only the global SOCKS proxy settings. In order to use them with Tor, you need to first 'socksify' the environment and redirect the SOCKS proxy to Tor. To socksify KDE, we use [ dante-client]. Assuming you have tor listening at, configure dante-client (the config file is usually at /etc/dante.conf) to forward all the requests to The comments in the default config file will help you edit it correctly. Then go to the Proxy settings in the KDE Control Panel -> Networking and enable SOCKS support, choosing 'Dante'. Most other KDE applications should start working.

Warning: DNS requests will not go through Tor, and can probably be insecure. Also, depending on your network configuration or on an incorrect setting in dante.conf, it might not be possible to access the DNS server. You can try connecting via the IP address of the host to solve both problems.

= Remailing =
[#Remailing (link)]

[:TheOnionRouter/RemailingAndTor:see Remailing: achieve strong remailing anonymity/security via Tor and Stunnel]

= For the Crazy and Lazy =
[#CrazyAndLazy (link)]

If you are lazy and don't want to repeat most of the steps laid out here every time you call the program (and who would?) you can have a look at [ the tor aliases project].

= Credits =
[#Credits (link)]

Thomas Sjogren with Northern Security started this howto and still maintains a copy at:

Other Contributing Authors:
 * Dave Vehrs
 * Nick Mathewson
 * Thomas Hardly
 * tyranix
 * thalunil
 * BogdanDrozdowski (FTP stuff, 3proxy stuff with great help from its author - 3APA3A, Gadu-Gadu, TB, SVN, Yum and KDE stuff)