Version 392 (modified by trac, 10 years ago)

Copyright (c) 2004 Thomas Sjogren.
Copyright (C) 2004, 2005, 2006, 2007 Contributors.
Distributed under the MIT license. See ./LegalStuff for a full text.

Torifying software HOWTO

This document explains how to configure particular programs to use Tor. It was originally written for a Linux/UNIX environment, but it should include some instructions for Windows and OS X users too. Please add your own Windows configurations to this document.

Note that this is a very brief document on how to make various programs use Tor as a proxy; you should read the documentation at tor.eff.org first. Since most programs use similar locations for various settings, the following examples will get you going most of the time. If you're using anything that needs some exotic workarounds, or your distribution doesn't use SysV (/etc/init.d/ startup scripts), for example, this guide currently won't help you a lot, since it is a bit bash and Debian specific.

Feel free to edit this page --- it's a Wiki, after all. One note: use only link identifiers which start with a letter or the underscore character (_) and don't use identifiers with spaces inside them. Things like that make the page invalid (X)HTML and nobody wants that.

Basic Configuration Issues

Unix and Linux Configuration

First, we assume you have installed Privoxy. Many applications can be set to use an HTTP proxy, and that will make your life much easier.

Under Unix and GNU/Linux, most HTTP-capable applications, like lynx, wget and curl, will honor the value of the http_proxy environment variable. Some applications use all lower case, some all upper, so specify both to be safe.

Add the following lines to your $HOME/.bash_profile, $HOME/.bashrc, or env settings:

http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY

About DNS and tsocks

tsocks correctly replaces connect(2) calls with calls to your SOCKS proxy (Tor), but it doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.

Other applications that use SOCKS 4 or SOCKS 5 directly often have the same shortcoming.

Tor 0.0.8 (or later) has a workaround for this problem; until we can hack tsocks (or a work-alike) to support DNS, instead of using a hostname directly, first use tor-resolve to resolve the hostname into an IP (via Tor) and then use that IP address with your tsocks-ified application.

See the FAQ (TheOnionRouter/TorFAQ#SOCKSAndDNS) for more information.

NOTE: There is now a patch to the tsocks code, tordns, that handles DNS leaks and .onion addresses.
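The tor-resolve workaround described above, as an added example that is not part of the original HOWTO: it resolves a name through Tor, checks that the answer really is an IPv4 address, and prints nothing on failure so the hostname is never handed to the tsocks-ified program. The function names and the TOR_RESOLVE override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: resolve a hostname through Tor and fail closed.
# TOR_RESOLVE is a hypothetical override so the resolver can be swapped out.
TOR_RESOLVE="${TOR_RESOLVE:-tor-resolve}"

# is_ipv4 ADDR: succeed only for a dotted quad with octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digits, empty octet
    esac
    rest="$1."; n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# tor_ip HOST: print an IPv4 address for HOST, obtained only via Tor.
# On any failure it prints nothing and returns non-zero; it never echoes the
# hostname back, so a caller cannot fall back to a local DNS lookup by accident.
tor_ip() {
    host=$1
    if is_ipv4 "$host"; then            # already an address: nothing to resolve
        printf '%s\n' "$host"
        return 0
    fi
    case "$host" in
        ''|-*|*[!A-Za-z0-9.-]*) return 2 ;;   # empty, option-like, odd characters
        *.onion) return 3 ;;                  # onion names have no IP to return
    esac
    answer=$("$TOR_RESOLVE" "$host" 2>/dev/null) || return 1
    is_ipv4 "$answer" || return 1       # reject anything that is not an address
    printf '%s\n' "$answer"
}

# Usage with tsocks (ssh and the hostname are placeholders):
#   ip=$(tor_ip irc.example.net) && tsocks ssh "$ip"
```
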

About socat

socat is a multipurpose relay for bidirectional data transfer. It is possible to use socat as a general means by which programs agnostic of SOCKS can use Tor by connecting to a local TCP port.

Socat (for SOcket CAT) establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging and tracing, different modes for interprocess communication and many more options.

It can be used, for example, as a TCP relay (one-shot or daemon), as an external socksifier, as a shell interface to Unix sockets, as an IPv6 relay, as a netcat and rinetd replacement, to redirect TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts inside network connections.

Suppose that you wanted to connect to an IRC server running on barbaz.com, port 6667.

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:barbaz.com:6667,socksport=9050

Connecting to localhost, port 4242, would then be equivalent to connecting to barbaz.com, port 6667, via Tor.

What interests us most for Tor is that it supports SOCKS4a redirection, allowing your client to connect to a hidden service. Suppose you want to join a hidden IRC server running on foo.onion, port 6667.

You might want to start a local tunnel that forwards connections from local port 4242 to this service using Tor.

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:foo.onion:6667,socksport=9050

Warning: socat versions up to and including 1.3.2.2 had a bug that would use SOCKS4A only when a direct DNS resolution attempt failed, thus possibly revealing which DNS names you accessed through socat. See this post on tor-dev for details.
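A guard for the warning above, as an added example that is not part of the original HOWTO: it reads the version from socat -V and refuses to start the tunnel for releases up to and including 1.3.2.2. The function names and the banner line "socat version N.N.N.N" that the parser looks for are assumptions of this example.

```shell
#!/bin/sh
# Added example: refuse to open a Tor tunnel with a socat release covered
# by the warning above.
LAST_LEAKY="1.3.2.2"   # "up to and including 1.3.2.2", as stated in the text

# version_gt A B: succeed when dotted numeric version A is strictly newer than B.
version_gt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                        # missing component counts as 0
        case "$x$y" in *[!0-9]*) return 2 ;; esac   # not a plain number
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "newer"
}

# parse_socat_version: read a "socat -V" banner on stdin, print the version.
# Assumes the banner has a line starting "socat version N.N.N.N".
parse_socat_version() {
    sed -n 's/^socat version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# socat_is_leaky VERSION: succeed (meaning "do not use") when VERSION is
# unknown, unparsable, or not newer than LAST_LEAKY.
socat_is_leaky() {
    [ -n "$1" ] || return 0
    if version_gt "$1" "$LAST_LEAKY"; then return 1; fi
    return 0
}

# safe_tunnel LPORT HOST PORT: start the tunnel only with a fixed socat, and
# bind the listener to localhost as the OpenBSD example on this page does.
safe_tunnel() {
    ver=$(socat -V 2>/dev/null | parse_socat_version)
    if socat_is_leaky "$ver"; then
        echo "socat ${ver:-(unknown version)}: may resolve names outside Tor" >&2
        return 1
    fi
    socat "TCP4-LISTEN:$1,bind=localhost,fork" \
          "SOCKS4A:localhost:$2:$3,socksport=9050"
}
```

For the hidden-service case in the text this would be called as `safe_tunnel 4242 foo.onion 6667`.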

Socat on OpenBSD

For enhanced security you can use socat like this:

## Connect to oftc on 127.0.0.1:6777
/bin/systrace -e -a -t /usr/local/opt/bin/socat TCP4-LISTEN:6777,bind=localhost,range=127.0.0.1/32,fork \
SOCKS4A:127.0.0.1:irc.oftc.net:6667,socksport=9050 > socat_log.$$ 2>&1 &

Now in irssi, you would just type /connect 127.0.0.1 6777 and it would connect you to irc.oftc.net:6667 through Tor.

Prefix the command with /bin/systrace -e -a -t only if you have a systrace policy for socat. An example policy for IRC can be found at /SystracePolicy.

How to torify several programs

The following pages have good explanations of how you can configure programs to use Tor. Please follow the links below.

  • Web Browsers (/WebBrowsers)
  • E-mail (/EMail)
  • Instant Messaging (/InstantMessaging)
  • IRC/SILC (/IrcSilc)
  • BitTorrent (/BitTorrent)
  • FTP (/FTP)
  • Misc (/Misc)

Remailing

See Remailing: achieve strong remailing anonymity/security via Tor and Stunnel (TheOnionRouter/RemailingAndTor).

For the Crazy and Lazy

If you are lazy and don't want to repeat most of the steps laid out here every time you call the program (and who would?) you can have a look at the tor aliases project.

Credits

Thomas Sjogren with Northern Security started this howto and still maintains a copy at:

http://www.northernsecurity.net/articles/torify.html

Other Contributing Authors:

  • Dave Vehrs
  • Nick Mathewson
  • Thomas Hardly
  • tyranix
  • thalunil
  • BogdanDrozdowski (FTP stuff, 3proxy stuff with great help from its author - 3APA3A, Gadu-Gadu, TB, SVN, Yum and KDE stuff)