## Copyright (c) 2004 Thomas Sjogren.
## Distributed under the MIT license,
## See ./LegalStuff for a full text
## Original version available at http://www.northernsecurity.net/articles/torify.html

TORifying software HOWTO

Note that this is a very brief document on how to make various software use Tor as a proxy; you should read the documentation at freehaven/tor first. Since most software (web browsers, for example) uses similar locations for its settings, the following examples will get you going most of the time. This guide is a bit Bash and Debian specific, so if you're using anything that needs configuration beyond the ordinary, or your distribution doesn't use /etc/init.d/, for example, feel free to edit this page. It's a Wiki after all.

0. Basic Configuration Issues

0.1 Unix and Linux Configuration

Under Unix and GNU/Linux, most HTTP-capable applications (lynx, wget, curl, etc.) will honor the value of the http_proxy environment variable (some apps use all lower case, some all upper, so specify both to be safe).

Add the following lines to your .*profile, .bashrc, or env settings:

http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY

0.2 About DNS and tsocks

tsocks correctly replaces 'connect' calls with calls to your SOCKS proxy (Tor). But tsocks doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.

Tor 0.0.8 has a workaround for this problem, until we can hack tsocks (or a work-alike) to support DNS. Instead of using a hostname directly, first use 'tor-resolve' to resolve the hostname into an IP (via Tor) and then use that IP address with your tsocks-ified application.
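
The workaround above as a small wrapper, added here as an example and not part of the original HOWTO: it resolves the hostname with tor-resolve, checks that the result is an IPv4 address, and refuses to start the program if resolution fails rather than letting the name reach the system resolver. The function names and the TOR_RESOLVE / TSOCKS override variables are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original HOWTO). Function names and the
# TOR_RESOLVE / TSOCKS override variables are assumptions of this example.
TOR_RESOLVE=${TOR_RESOLVE:-tor-resolve}
TSOCKS=${TSOCKS:-tsocks}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# resolve_via_tor NAME: print an IPv4 address for NAME using tor-resolve.
# Literal addresses pass through; nothing is sent to the system resolver.
resolve_via_tor() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    ip=$("$TOR_RESOLVE" "$1" 2>/dev/null) || return 1
    is_ipv4 "$ip" || return 1   # reject empty or unexpected output
    printf '%s\n' "$ip"
}

# tsocks_by_ip PROGRAM HOST [ARGS...]: run PROGRAM under tsocks with HOST
# replaced by its Tor-resolved address. Fails closed: if resolution fails
# the program is not started, so the hostname never reaches local DNS.
tsocks_by_ip() {
    prog=$1; host=$2; shift 2
    addr=$(resolve_via_tor "$host") || {
        echo "not running $prog: cannot resolve $host via Tor" >&2
        return 1
    }
    "$TSOCKS" "$prog" "$addr" "$@"
}
```

Call it as tsocks_by_ip PROGRAM HOST in place of tsocks PROGRAM HOST; it assumes the host is the program's first argument.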

1. Web browsers

1.1 Konqueror

Settings -> Configure Konqueror -> Proxy -> Manually Specify the proxy settings -> Setup

HTTP/S Proxy: 127.0.0.1 port 8118

Or edit $HOME/.kde/share/config/kioslaverc

ProxyType=1
NoProxyFor=127.0.0.1,localhost
httpProxy=http://127.0.0.1:8118
httpsProxy=http://127.0.0.1:8118

1.2 Links

Setup -> Network Options

HTTP Proxy:  127.0.0.1 port 8118

Or edit $HOME/.links/links.cfg

http_proxy "127.0.0.1:8118"

1.3 Lynx

Lynx will respect the http_proxy environment variable, or you can edit /etc/lynx.cfg

http_proxy:http://127.0.0.1:8118/
https_proxy:http://127.0.0.1:8118/
no_proxy:localhost,127.0.0.1

1.4 Mozilla Firefox

Edit -> Preferences -> General -> Connection Settings -> Manual proxy configuration

HTTP Proxy: 127.0.0.1 port 8118
SSL Proxy: 127.0.0.1 port 8118
SOCKS v5

To change the default configuration for the Firefox installation, edit the /usr/lib/mozilla-firefox/greprefs/all.js file.

...
pref("network.proxy.type",                  1);
...
pref("network.proxy.http",         "127.0.0.1");
pref("network.proxy.http_port",          8118);
pref("network.proxy.ssl",          "127.0.0.1");
pref("network.proxy.ssl_port",           8118);
pref("network.proxy.socks",                 "");
pref("network.proxy.socks_port",            0);
pref("network.proxy.socks_version",         5);
pref("network.proxy.no_proxies_on",         "localhost, 127.0.0.1");
...

2. Email

2.1 Fetchmail

This isn't the most beautiful solution, but it works. Rename your /etc/init.d/fetchmail file to fetchmail-orig, for example, use the script below as /etc/init.d/fetchmail, and restart fetchmail with /etc/init.d/fetchmail restart. Your mail is now fetched through the Tor network.

#!/bin/sh
#
# Fetchmail+Tor init script
#

set -e

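# Defaults
# tsocks wrapper that redirects connect() calls to the SOCKS proxy (Tor)
DAEMON=/usr/bin/tsocks
# The renamed original fetchmail init script
FMINIT=/etc/init.d/fetchmail-orig
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Without tsocks, do nothing at all: fetchmail is never started unwrapped
test -f "$DAEMON" || exit 0

# Pass each action to the original init script, run under tsocks
case "$1" in
	start)
		"$DAEMON" "$FMINIT" start
		;;
	stop)
		"$DAEMON" "$FMINIT" stop
		;;
	force-reload|restart)
		"$DAEMON" "$FMINIT" restart
		;;
	try-restart)
		"$DAEMON" "$FMINIT" try-restart
		;;
	awaken)
		"$DAEMON" "$FMINIT" awaken
		;;
	debug-run)
		"$DAEMON" "$FMINIT" debug-run
		;;
	*)
		echo "Usage: /etc/init.d/fetchmail {start|stop|restart|force-reload|try-restart|awaken|debug-run}"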
		echo "  start - starts system-wide fetchmail service"
		echo "  stop  - stops system-wide fetchmail service"
		echo "  restart, force-reload - starts a new system-wide fetchmail service"
		echo "  awaken - tell system-wide fetchmail to start a poll cycle immediately"
		echo "  debug-run [strace [strace options...]] - start a debug run of the"
		echo "    system-wide fetchmail service, optionally running it under strace"
		exit 1
		;;
esac

exit 0

An alternative configuration for Fetchmail, for those who prefer to start it on a per-user basis. Add the following to the user's .bashrc:

CONF_FILE="$HOME/.fetchmailrc"
PID_FILE="$HOME/.fetchmail.pid"
FETCHMAIL="/usr/bin/fetchmail"
TSOCKS="/usr/bin/tsocks"

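  # Start fetchmail under tsocks unless the PID file names a live process.
  function FetchMailAlive () {
    if test -f "$CONF_FILE" && test -x "$FETCHMAIL"; then
      # First field of the PID file is the daemon's PID; kill -0 only probes it.
      if test -f "$PID_FILE" && kill -0 "$(cut -d ' ' -f1 "$PID_FILE")" 2>/dev/null; then
        return 0
      fi
      # Run fetchmail directly under tsocks; its output must not be eval'ed.
      "$TSOCKS" "$FETCHMAIL" >/dev/null && echo "New FetchMail started." >&2
    else
      echo "Fetchmail not installed or configured properly." >&2
    fi
  }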

# Call it
FetchMailAlive

The function then checks for a running fetchmail daemon every time a new shell is opened and starts one if needed.

3. Instant messaging

3.1 Gaim

Preferences -> Network -> Proxy

Proxy type: Socks 5
Host: 127.0.0.1
Port: 9050

Tor servers usually forbid tunnelling port 5190, which is required for ICQ, so we have to use Socks instead of the HTTP proxy.

4. IRC/SILC

4.1 Irssi

Add alias irssi='tsocks irssi' to your .bashrc file.

4.2 Xchat

Settings-> Preferences -> Network -> Network setup -> Proxy server

Hostname: 127.0.0.1
Port: 8118
Type: Socks5 

4.3 SILC-client

Since the SILC-client is based on irssi, just add alias silc='tsocks silc' to your .bashrc file. Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet. More information about SILC is available at www.silcnet.org.

5. Misc

5.1 GnuPG

Add or edit the following lines in your .gnupg/gpg.conf:

keyserver x-hkp://3hiaswzzt6pm324m.onion/
keyserver-options honor-http-proxy broken-http-proxy

The key server can of course be any key server available, subkeys.pgp.net for example, but hidden services are always nice. At the time of this writing only two key servers with an onion address are publicly available: 3hiaswzzt6pm324m.onion and d3ettcpzlta6azsm.onion.

After that's done just do

export http_proxy=http://127.0.0.1:8118/
gpg --refresh-keys

If you don't want to write the export line every time, you can add alias gpg='export http_proxy=http://127.0.0.1:8118/ ; gpg' to your .bashrc file as well.