Version 97 (modified by trac, 10 years ago)

Copyright (c) 2004 Thomas Sjogren.
Copyright (C) 2004, 2005, 2006 Contributors
Distributed under the MIT license; see ./LegalStuff for the full text.

Torifying software HOWTO

This document explains how to configure particular programs to use Tor. It was originally written for a Linux/UNIX environment, but it should include some instructions for Windows and OS X users too. Please add your own Windows configurations to this document.

Note that this is a very brief document on how to make various programs use Tor as a proxy; you should read the documentation at tor.eff.org first. Since most programs use similar locations for various settings, the following examples will get you going most of the time. If you're using anything that needs some exotic workarounds, or your distribution doesn't use SysV (/etc/init.d/ startup scripts), for example, this guide currently won't help you a lot, since it is a bit bash and Debian specific. Feel free to edit this page --- it's a Wiki, after all.

Basic Configuration Issues

Unix and Linux Configuration

First, we assume you installed Privoxy. Many applications can be set to use an http proxy, and that will make your life much easier.

Under Unix and GNU/Linux, most HTTP capable applications, like lynx, wget and curl, will honor the value of the http_proxy environment variable. Some applications use all lower case, some all upper, so specify both to be safe.

Add the following lines to your $HOME/.bash_profile, $HOME/.bashrc, or env settings:

http_proxy=http://127.0.0.1:8118/
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY

About DNS and tsocks

tsocks correctly replaces connect(2) calls with calls to your SOCKS proxy (Tor), but it doesn't do anything about requests to your DNS server. This means that if you refer to any machines by hostname when you're using tsocks, you'll be sending that hostname over the network, perhaps leaking the fact that you are about to connect to the corresponding server.

Other applications that use SOCKS 4 or SOCKS 5 directly often have the same shortcoming.

Tor 0.0.8 (or later) has a workaround for this problem; until we can hack tsocks (or a work-alike) to support DNS, instead of using a hostname directly, first use tor-resolve to resolve the hostname into an IP (via Tor) and then use that IP address with your tsocks-ified application.

See [:TheOnionRouter/TorFAQ#SOCKSAndDNS: the FAQ] for more information.

NOTE: There is now a patch to the tsocks code, tordns, that handles DNS leaks and .onion addresses.

About socat

socat is a multipurpose relay for bidirectional data transfer. It is possible to use socat as a general means by which programs agnostic of SOCKS can use Tor by connecting to a local TCP port.

Socat (for SOcket CAT) establishes two bidirectional byte streams and transfers data between them. Data channels may be files, pipes, devices (terminal or modem, etc.), or sockets (Unix, IPv4, IPv6, raw, UDP, TCP, SSL). It provides forking, logging and tracing, different modes for interprocess communication and many more options.

It can be used, for example, as a TCP relay (one-shot or daemon), as an external socksifier, as a shell interface to Unix sockets, as an IPv6 relay, as a netcat and rinetd replacement, to redirect TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts inside network connections.

Suppose that you wanted to connect to an IRC server running on barbaz.com, port 6667.

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:barbaz.com:6667,socksport=9050

Connecting to localhost, port 4242, would then be equivalent to connecting to barbaz.com, port 6667, via Tor.

What interests us most for Tor is that socat supports SOCKS4A redirection, which lets your client connect to a hidden service. Suppose you want to join a hidden IRC server running on foo.onion, port 6667.

You might want to start a local tunnel that forwards connections to local port 4242 to this service through Tor.

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:foo.onion:6667,socksport=9050

Warning: socat versions up to and including 1.3.2.2 had a bug that would use SOCKS4A only when a direct DNS resolution attempt failed, thus possibly revealing which DNS names you accessed through socat. See this post on tor-dev for details.
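The version caveat above is easy to get wrong by hand, so here is an added example (not part of the original HOWTO) of a small POSIX sh wrapper that checks the installed socat version against the 1.3.2.2 threshold before starting a relay of the kind shown above, and binds the listener to loopback only. It assumes `socat -V` reports a line beginning `socat version X.Y.Z.W` and that Tor's SOCKS port is 127.0.0.1:9050; the relay options (`bind`, `range`, `fork`, `socksport`) are the ones used elsewhere on this page, plus `reuseaddr` so the listener can be restarted promptly.

```shell
#!/bin/sh
# socat-tor-relay.sh: start a loopback-only socat relay into Tor, refusing to run
# on socat versions that resolve the target name locally before using SOCKS4A.
# Added example for this HOWTO, not part of the original page.
# Assumptions: Tor listens on 127.0.0.1:9050; `socat -V` prints "socat version X.Y.Z.W ...".

TOR_SOCKS_HOST=127.0.0.1
TOR_SOCKS_PORT=9050
LAST_BAD_SOCAT=1.3.2.2   # versions up to and including this one leak DNS (see warning above)

# version_cmp A B: print -1, 0 or 1 as dotted version A is <, = or > B.
# Missing components count as 0, so "1.4" equals "1.4.0.0".
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# socat_version_vulnerable VER: succeed (0) if VER <= 1.3.2.2, i.e. affected by the
# SOCKS4A/DNS bug. An unparseable version is treated as vulnerable: fail closed.
socat_version_vulnerable() {
    case $1 in
        ''|*[!0-9.]*) echo "cannot parse socat version '$1'; assuming vulnerable" >&2; return 0 ;;
    esac
    [ "$(version_cmp "$1" "$LAST_BAD_SOCAT")" -le 0 ]
}

# socat_installed_version: extract X.Y.Z.W from `socat -V` (assumed output format).
socat_installed_version() {
    socat -V 2>/dev/null | sed -n 's/^socat version \([0-9.]*\).*/\1/p' | head -n 1
}

# start_tor_relay LOCALPORT TARGETHOST TARGETPORT
# Listens on 127.0.0.1:LOCALPORT only and relays each connection through Tor to
# TARGETHOST:TARGETPORT. TARGETHOST is handed to Tor unresolved (SOCKS4A).
start_tor_relay() {
    lport=$1; target=$2; tport=$3
    ver=$(socat_installed_version)
    if [ -z "$ver" ]; then
        echo "socat not found in PATH" >&2
        return 1
    fi
    if socat_version_vulnerable "$ver"; then
        echo "socat $ver may resolve '$target' locally before SOCKS4A; refusing to start" >&2
        return 1
    fi
    exec socat "TCP4-LISTEN:$lport,bind=127.0.0.1,range=127.0.0.1/32,fork,reuseaddr" \
               "SOCKS4A:$TOR_SOCKS_HOST:$target:$tport,socksport=$TOR_SOCKS_PORT"
}

# Usage: socat-tor-relay.sh 4242 barbaz.com 6667
if [ "$#" -eq 3 ]; then
    start_tor_relay "$1" "$2" "$3"
fi
```

Treating an unreadable version string as vulnerable is deliberate: the failure mode this guards against is a silent DNS leak, so the safe default when in doubt is not to start the relay.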

Socat on OpenBSD 3.7

There is no port or package for socat in OpenBSD. It compiles cleanly from the source. If you only use socat for Tor, I'd suggest trying these configure options:

./configure --disable-file --disable-creat --disable-gopen --disable-pipe --disable-unix --disable-exec \
            --disable-system --disable-pty --disable-readline --prefix=/usr/local/opt
gmake && gmake install

to install everything into /usr/local/opt (to avoid overwriting normal ports).

Instead of the above socat command, you can also make it bind only to localhost:

## Connect to oftc on 127.0.0.1:6777
/bin/systrace -e -a -t /usr/local/opt/bin/socat TCP4-LISTEN:6777,bind=localhost,range=127.0.0.1/32,fork \
SOCKS4A:127.0.0.1:irc.oftc.net:6667,socksport=9050 > socat_log.$$ 2>&1 &

Now in irssi, you would just type /connect 127.0.0.1 6677 and it would connect you to irc.oftc.net:6667 through Tor.

The /bin/systrace -e -a -t prefix is only needed if you have a systrace policy for socat. Here's an example policy for IRC.

Policy: /usr/local/opt/bin/socat, Emulation: native
        native-__sysctl: permit
        native-issetugid: permit
        native-mmap: permit
        native-munmap: permit
        native-mprotect: permit
        native-mquery: permit
        native-break: permit
        native-write: permit
        native-close: permit
        native-exit: permit
        native-fcntl: permit
        native-fsread: filename eq "/etc/malloc.conf" then permit
        native-fsread: filename eq "/home/$USER" then deny
        native-fsread: filename eq "/home/$USER/." then deny
        native-fsread: filename eq "/var/mail/$USER" then deny
        native-fsread: filename eq "/var/run/ld.so.hints" then permit
        native-fsread: filename eq "/usr/lib" then permit
        native-fsread: filename match "/usr/lib/libssl.so.*" then permit
        native-fsread: filename match "/usr/lib/libcrypto.so.*" then permit
        native-fsread: filename match "/usr/lib/libutil.so.*" then permit
        native-fsread: filename match "/usr/lib/libc.so.*" then permit
        native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
        native-fsread: filename eq "/usr/share/zoneinfo/US/Eastern" then permit
        native-fsread: filename eq "/usr/share/zoneinfo/GMT" then permit
        native-fsread: filename eq "/usr/share/zoneinfo/posixrules" then permit
        native-fsread: filename eq "/etc/resolv.conf" then permit
        native-fsread: filename eq "/etc/hosts" then permit
        native-fsread: filename eq "/etc/pwd.db" then permit
        native-fsread: filename eq "/etc/group" then permit
        native-fstat: permit
        native-getegid: permit
        native-geteuid: permit
        native-getgid: permit
        native-getpid: permit
        native-getppid: permit
        native-gettimeofday: permit
        native-getsockname: permit
        native-getuid: permit
        native-sigaction: permit
        native-sigprocmask: permit
        native-read: permit
        native-fsread: filename eq "/" then permit
        native-execve: filename eq "/usr/local/opt/bin/socat" and argv eq "/usr/local/bin/irssi" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
        native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
        native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
        native-connect: sockaddr eq "inet-[127.0.0.1]:9050" then permit
        native-connect: sockaddr eq "inet-[127.0.0.1]:53" then permit
        native-bind: sockaddr eq "inet-[127.0.0.1]:6677" then permit
        native-bind: sockaddr eq "inet-[127.0.0.1]:6777" then permit
        native-listen: permit
        native-accept: permit
        native-getpeername: permit
        native-fork: permit
        native-chroot: filename eq "/var/empty" then permit
        native-wait4: permit
        native-wait: permit
        native-sigreturn: permit
        native-pread: permit
        native-setgroups: permit
        native-select: permit
        native-shutdown: permit

Note that the above native-shutdown refers to the system call shutdown(2), which shuts down part of a full-duplex connection, and not to the shutdown command.

If you didn't use the configure line above, you will have to add more native-fsread statements for the extra libraries.

This also assumes that you have dsocks' tor-dns-proxy.py set up to handle DNS requests on 127.0.0.1:53.

Web browsers

Web browsing and Privoxy is also covered in the tor setup docs, specifically

Konqueror

Settings -> Configure Konqueror -> Proxy -> Manually Specify the proxy settings -> Setup

HTTP/S Proxy: 127.0.0.1 port 8118

Or edit $HOME/.kde/share/config/kioslaverc:

...
ProxyType=1
...
NoProxyFor=127.0.0.1,localhost
...
httpProxy=http://127.0.0.1:8118
httpsProxy=http://127.0.0.1:8118

Links

Setup -> Network Options

HTTP Proxy:  127.0.0.1 port 8118

Or edit /etc/links.cfg (system-wide) or $HOME/.links/links.cfg (per-user):

...
http_proxy 127.0.0.1:8118
...

Lynx

Lynx will respect the http_proxy environment variable, but you can also edit /etc/lynx.cfg:

...
http_proxy:http://127.0.0.1:8118/
https_proxy:http://127.0.0.1:8118/
...
no_proxy:localhost,127.0.0.1
...

Opera

Open Tools -> Preferences -> Advanced -> Network -> Proxy Servers. Check HTTP and enter "127.0.0.1" and "8118" as port or open about:config and enter "127.0.0.1:8118" in Proxy -> HTTP Server.

Mozilla Firefox

In later versions of Firefox (at least the current version, 1.5.0.1, under Linux and Windows XP) you can enable the browser to do remote domain name lookups. The option network.proxy.socks_remote_dns is available via about:config and should look like

network.proxy.socks_remote_dns   user set   boolean   true

At http://www.imperialviolet.org/deerpark.html you can find an excellent step-by-step introduction to how to do this. Be careful, though: in some versions of Firefox this option may exist without doing anything. In that case you may want to use Privoxy or a similar project. To find out whether your version implements remote DNS resolution correctly, you can try a URL ending in .onion, like this one leading to the Hidden Tor Wiki. If the Hidden Wiki shows up, remote DNS resolution works.

Otherwise, for Privoxy, do the following: Edit -> Preferences -> General -> Connection Settings -> Manual proxy configuration

Set HTTP Proxy 127.0.0.1 port 8118 and tick the box [X] Use for all protocols

Remember: configuring Privoxy for FTP will break ftp:// URLs, but if you don't do this, your Firefox will leak your IP address for those sites. Use Filezilla for handling FTP traffic.

http://wiki.noreply.org/images/firefox_proxy.png

Also, Mac OS X users should change the above preferences by entering about:config in the URL bar because the firefox preferences dialog is a bit screwy.

Circumventing Tor blocks using open HTTP proxies

Some websites have blocked access from Tor users. Often, however, these websites still allow access from any of millions of open HTTP proxies on the internet. Unfortunately, using an open HTTP proxy directly is not very anonymous.

The solution is to chain an open HTTP proxy between Tor and the unfriendly website. This provides all the anonymity benefits of Tor, while obscuring the fact that you're using Tor from the website.

Privoxy

One method involves Privoxy. This example config will send all requests through Tor, only chaining an open HTTP proxy after Tor for a select site. Replace 0.0.0.0:80 with the proxy's address and port.

forward-socks4a / localhost:9050 .
forward-socks4a *.wikipedia.org localhost:9050 0.0.0.0:80

Socat

Another method requires Socat. This will forward all connections to localhost:8080 to an open HTTP proxy through Tor. Just configure your browser to use localhost:8080 as an HTTP proxy. Once again, replace 0.0.0.0:80 with the proxy's address and port.

socat TCP4-LISTEN:8080,bind=localhost,fork SOCKS4A:localhost:0.0.0.0:80,socksport=9050

Email

Fetchmail

This isn't the most elegant solution, but it works. Rename your /etc/init.d/fetchmail file to fetchmail-orig, for example, then save the script below as /etc/init.d/fetchmail, and restart fetchmail with /etc/init.d/fetchmail restart. Your mail will now be fetched through the Tor network.

#!/bin/sh
#
# Fetchmail+Tor init script
#

set -e

# Defaults
DAEMON=/usr/bin/tsocks
FMINIT=/etc/init.d/fetchmail-orig
PATH=/sbin:/bin:/usr/sbin:/usr/bin

test -f $DAEMON || exit 0

case "$1" in
	start)
		$DAEMON $FMINIT start
		;;
	stop)
		$DAEMON $FMINIT stop
		;;
	force-reload|restart)
		$DAEMON $FMINIT restart
		;;
	try-restart)
		$DAEMON $FMINIT try-restart
		;;
	awaken)
		$DAEMON $FMINIT awaken
		;;
	debug-run)
		$DAEMON $FMINIT debug-run
		;;
	*)
		echo "Usage: /etc/init.d/fetchmail {start|stop|restart|force-reload|awaken|debug-run}"
		echo "  start - starts system-wide fetchmail service"
		echo "  stop  - stops system-wide fetchmail service"
		echo "  restart, force-reload - starts a new system-wide fetchmail service"
		echo "  awaken - tell system-wide fetchmail to start a poll cycle immediately"
		echo "  debug-run [strace [strace options...]] - start a debug run of the"
		echo "    system-wide fetchmail service, optionally running it under strace"
		exit 1
		;;
esac

exit 0

An alternative configuration for fetchmail, for those who prefer to start it on a per-user basis: add the following to the user's .bashrc:

CONF_FILE="$HOME/.fetchmailrc"
PID_FILE="$HOME/.fetchmail.pid"
FETCHMAIL="/usr/bin/fetchmail"
TSOCKS="/usr/bin/tsocks"

# Start a torified fetchmail daemon unless one is already running.
FetchMailAlive () {
  if test -f "$CONF_FILE" && test -x "$FETCHMAIL"; then
    # fetchmail's pidfile holds "PID interval"; kill -0 tests whether that PID is alive
    if test -f "$PID_FILE" && kill -0 "$(cut -d ' ' -f1 "$PID_FILE")" 2>/dev/null; then
      : # daemon already running, nothing to do
    else
      # run fetchmail directly under tsocks (no eval of its output)
      "$TSOCKS" "$FETCHMAIL"
      echo "New FetchMail started." >&2
    fi
  else
    echo "Fetchmail not installed or configured properly." >&2
  fi
}

# Call it
FetchMailAlive

This checks for a running fetchmail daemon every time a new shell is opened and starts one if needed.

You may want to look up your mail server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.

If you are lazy you can also just call torify fetchmail or torify fetchmail -d 900.

Instant messaging

Gaim

Preferences -> Network -> Proxy

Proxy type: Socks 5
Host: 127.0.0.1
Port: 9050

See the note on tsocks and DNS above.

Psi

Psi is a Jabber client with support for JEP-0027 encryption using GnuPG, and with SOCKS 5 proxy support.

Account Setup -> Modify -> Connection -> Proxy -> Edit -> New

Properties:
Name: Tor
Type: SOCKS Version 5
Settings:
Host: 127.0.0.1
Port: 9050

See the note on tsocks and DNS above.

Miranda

"M" Menu -> Options -> Network

Proxy Type: SOCKS5
Proxy Server: localhost or 127.0.0.1
Port: 9050

Bitlbee

Simply add Proxy = socks5://localhost:9050 to /etc/bitlbee/bitlbee.conf and connect with your favorite IRC client.

IRC/SILC

Irssi

If you are running Privoxy, as recommended, you can just configure Irssi's own proxy settings to use Privoxy as an HTTP proxy. Otherwise, you can run Irssi with tsocks irssi. Unfortunately, Irssi's own proxy configuration options are HTTP-specific, so they cannot point at Tor's SOCKS port directly.

Alternative: torify irssi. Note that torify is just a shell script that calls tsocks after setting the config file to /etc/tor/tor-tsocks.conf.

For OpenBSD users, you can either hack tsocks to work (as of 3.6 there is no port) or you can use dante. Dante is in the ports system. A simple example config that works with irssi and Tor looks like this for /etc/socks.conf (client configuration only):

route {
        from: 0.0.0.0/0   to: 0.0.0.0/0  via: 127.0.0.1  port = 9050
        proxyprotocol: socks_v4
}

and then you can run socksify irssi assuming that Tor is running on localhost:9050.

You may want to look up your IRC server's IP with tor-resolve and use the IP in place of a hostname; see the [:#DNSNote: note on tsocks and DNS] above.

Add the following to your .irssi/config if you want to use Privoxy as your proxy:

settings = {
  core = {
    real_name = "TorUser";
    user_name = "TorUser";
    nick = "TorUser";
    proxy_password = "";
    use_proxy = "yes";
    proxy_string = "CONNECT %s:%d HTTP/1.0\012\012";
    proxy_port = "8118";
    proxy_address = "127.0.0.1";
  };
};

Don't forget to modify the limit-connect settings in the Privoxy .action files first. This is typically found in default.action, and is a filter that limits what ports Privoxy will connect to. Since Privoxy only listens on the local interface, it is safe to replace this line with '+limit-connect{1-}' which allows Privoxy to connect to all ports.

To minimize information leakage about your client and timezone add

ignores = ( { level = "CTCPS"; } );

or run

/ignore * CTCPS

and then

/save

X-Chat

X-Chat supports SOCKS 5 and does not leak DNS requests.

Settings-> Preferences -> Network -> Network setup -> Proxy server

Hostname: 127.0.0.1
Port: 9050
Type: Socks5

Unofficial builds of X-Chat for Windows are free.

See the note on tsocks and DNS above.

SILC

Since the SILC client is based on Irssi, you can follow the same procedure to make it use Tor. Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet. More information about SILC is available at its website.

Silky

Silky is a GTK2 SILC client. It does not currently support SOCKS, so the best way to make it work with Tor is using socat (IMO):

socat TCP4-LISTEN:6666 SOCKS4A:localhost:silc.silcnet.org:706,socksport=9050

And then tell Silky to connect to localhost:6666.

BitchX

In order to use BitchX with tor, you first need to get ProxyChains, a *NIX-only HTTP and SOCKS proxy client. On Debian systems, install the proxychains package. Once installed, just add

socks5 127.0.0.1 9050
http localhost 8118

to the ProxyChains config file at ~/.proxychains/proxychains.conf. Now that it is configured, type proxychains bitchx at the command line.

The gentoo build of proxychains seems to be broken on x86 arch. Using tsocks BitchX or torify BitchX works well.

You may want to look up your IRC server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.

mIRC

Mirc.co.uk: Proxies and Firewalls

File -> Options -> Connect -> Firewall

Older versions: Mark the "Use SOCKS Firewall" box. Newer versions (mIRC 6.0 and up): Select "Both" from the "Firewall support" pulldown.

Protocol: SOCKS5
Hostname: 127.0.0.1
Port: 9050

http://wiki.noreply.org/images/mirc_firewall.png

Don't use SOCKS4. Use SOCKS5.

There is a way to automate this with two commands...

/firewall -cm5+d on localhost 9050

to activate it and...

/firewall -d off

to deactivate the proxy. You can add these commands to your personal commands menu by following these instructions:

Press Alt+P to open the popup editor and type this below "Commands":

Anonymize:/firewall -cm5+d on localhost 9050
de-Anonymize:/firewall -d off

Trillian

Preferences -> Advanced Preferences -> Proxy Server

Use proxy server to resolve names.
Use proxy server.
Protocol: SOCKS5
Host: localhost or 127.0.0.1
Port: 9050

KVIrc

Settings -> Configure KVIrc -> Connection -> Proxy Hosts

Use proxy.
New proxy.
Proxy: tor
Port: 9050
IP Address: 127.0.0.1
Protocol: SOCKSv5

http://img143.imageshack.us/img143/6898/kvirc5er.png

BitTorrent

BitTorrent is already using a mechanism similar to Tor to communicate with other peers. Torifying the BitTorrent traffic would just add more overhead and reduce throughput. You may want to use Tor to communicate with the tracker, though. For this, just add --tracker-proxy 127.0.0.1:8118:

btlaunchmanycurses --tracker-proxy 127.0.0.1:8118 <directory>

Azureus

See http://azureus.sourceforge.net/doc/AnonBT/.

Misc

APT

Warning: This will only work for HTTP because Privoxy does not support FTP.

Add the following line to /etc/apt/apt.conf:

Acquire::http::Proxy "http://127.0.0.1:8118/";

GnuPG: Method 1 (Privoxy)

Add or edit the following lines in your $HOME/.gnupg/gpg.conf:

keyserver x-hkp://yod73zr3y6wnm2sw.onion
keyserver-options honor-http-proxy broken-http-proxy

You may obviously use any public keyserver, like subkeys.pgp.net, but hidden services are preferred. At the time of this writing, only two key servers running as hidden services are publicly available: d3ettcpzlta6azsm.onion/ and yod73zr3y6wnm2sw.onion.

After that is done, just run

export http_proxy=http://127.0.0.1:8118/
gpg --refresh-keys

If you don't want to write the export line every time, you can add alias gpg='http_proxy=http://127.0.0.1:8118/ gpg' to your .bashrc file as well; if you have set the http_proxy environment variable, you may skip this step.

GnuPG: Method 2 (torify)

At least a couple of people have had problems with using GPG over Privoxy. It is possible to use GPG with torify instead. If you have http_proxy set, GPG will try to use it. Add no-honor-http-proxy to your keyserver-options to prevent that.

Remember that torify doesn't handle DNS! Use tor-resolve to get the IP of your keyserver and use that. Either add it to $HOME/.gnupg/gpg.conf as the keyserver option or put it on the command line.

Now run

torify gpg --refresh-keys

or

torify gpg --keyserver [result of tor-resolve] --refresh-keys
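Method 2 relies on you pasting the tor-resolve result into the gpg command line by hand. If tor-resolve fails (Tor not running, name unknown) and the substitution is left empty, gpg falls back to whatever keyserver is configured and resolves that name itself, through your normal resolver, which is exactly the leak the note on tsocks and DNS above warns about; the same applies to the "look it up with tor-resolve first" advice given for fetchmail, Irssi and BitchX. The script below is an added example written for this page (not from the wiki, GnuPG or Tor): it resolves the name through Tor, refuses to continue unless the answer is a plain IPv4 literal, and only then runs `torify gpg` against that address. It assumes tor-resolve and torify are in PATH and Tor is running; the resolver command is a variable so it can be swapped for a stand-in when testing.

```shell
#!/bin/sh
# tor-gpg-refresh.sh KEYSERVER_NAME
# Resolve a keyserver through Tor, verify the result, then refresh keys with torify gpg.
# Added example for this HOWTO; not from the wiki, GnuPG or Tor.
# Assumes tor-resolve and torify are installed and Tor is running on 127.0.0.1:9050.

# Resolver command; a variable so it can be pointed at a stand-in when testing.
TOR_RESOLVE_CMD=${TOR_RESOLVE_CMD:-tor-resolve}

# looks_like_ipv4 STRING: succeed only for a plain dotted quad of digits.
# Anything else (empty output, an error message, a hostname) is rejected.
looks_like_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;   # junk, or more than three dots
        *.*.*.*) return 0 ;;                               # exactly three dots
        *) return 1 ;;
    esac
}

# tor_resolve_ip NAME: print the IPv4 address Tor returns for NAME, or print
# nothing and fail. The lookup travels inside the Tor circuit, so the local
# resolver never sees NAME.
tor_resolve_ip() {
    ip=$("$TOR_RESOLVE_CMD" "$1" 2>/dev/null) || return 1
    looks_like_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# gpg_refresh_via_tor KEYSERVER_NAME: the "Method 2" procedure above, carried out
# only after a successful, validated Tor-side lookup.
gpg_refresh_via_tor() {
    ip=$(tor_resolve_ip "$1") || {
        echo "could not resolve '$1' through Tor; not running gpg" >&2
        return 1
    }
    # no-honor-http-proxy: ignore any http_proxy set up for the Privoxy method, as the text says.
    torify gpg --keyserver-options no-honor-http-proxy \
               --keyserver "hkp://$ip" --refresh-keys
}

# Usage: tor-gpg-refresh.sh subkeys.pgp.net
if [ "$#" -eq 1 ]; then
    gpg_refresh_via_tor "$1"
fi
```

The point of the validation step is that a failed lookup must abort the run rather than degrade it: an empty or non-address string handed to `--keyserver` would make gpg do its own lookup outside Tor.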

Wget

Wget will also respect the http_proxy environment variable, but you can also edit /etc/wgetrc:

...
http_proxy = http://localhost:8118
use_proxy = on
...

SSH: Method 1 (torify)

Simply run torify ssh <parameters> if the host is not on a local network and you're done.

SSH: Method 2 (connect)

These instructions should work on most *nix systems. Tested on Mac OS X 10.3.x and Debian GNU/Linux.

1 - Upgrade your SSH to an OpenSSH version that has Socks 5 support. The OpenSSH client that is shipped with Mac OS X 10.3 (aka Panther) - OpenSSH_3.6.1p1 - will not work correctly. Download, build and install the current stable version from the OpenSSH website. If you're using Mac OS X, using fink may be easier for you.

2 - Download and build the connect source code. Connect allows socket connections through SOCKS4/5 and HTTP tunnels. For detailed information on connect, please visit its website. Note: the site appears to be down at the moment; we've mirrored the script at https://savannah.gnu.org/maintenance/connect.c

A pre-compiled version of connect for Mac OS X is available at http://members.lycos.co.uk/hardapple/tools/connect.tar. (md5sum: b5180cb789813fc958209c58b99039fa)

Install connect into the /usr/local/bin directory.

3 - Add the following line to your ssh_config file located at: /etc/ssh/ssh_config (system-wide) or $HOME/.ssh/config (on a per-user basis).

If you used fink to install OpenSSH, it is located at /sw/etc/ssh/ssh_config.

Host 10.*.*.*
ProxyCommand none
Host 172.16.*.*
ProxyCommand none
Host 172.17.*.*
ProxyCommand none
Host 172.18.*.*
ProxyCommand none
Host 172.19.*.*
ProxyCommand none
Host 172.20.*.*
ProxyCommand none
Host 172.21.*.*
ProxyCommand none
Host 172.22.*.*
ProxyCommand none
Host 172.23.*.*
ProxyCommand none
Host 172.24.*.*
ProxyCommand none
Host 172.25.*.*
ProxyCommand none
Host 172.26.*.*
ProxyCommand none
Host 172.27.*.*
ProxyCommand none
Host 172.28.*.*
ProxyCommand none
Host 172.29.*.*
ProxyCommand none
Host 172.30.*.*
ProxyCommand none
Host 172.31.*.*
ProxyCommand none
Host 192.168.*.*
ProxyCommand none
Host *
ProxyCommand /usr/local/bin/connect -4 -S 127.0.0.1:9050 %h %p

All SSH connections, except those to the private address ranges defined by IANA in RFC 1918, will now go through Tor.

You may want to look up your SSH server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.

SSH: Method 3 (socat)

Use socat as described above. One way to access an SSH server via Tor is to use socat to make a TCP4 listener that relays to your local Tor client, then ssh to that listener. It's not the nicest way. With OpenSSH you can instead use the ProxyCommand option in your ~/.ssh/config file, as follows:

Host MyHost-tor
ProxyCommand socat - SOCKS4A:localhost:barbaz.com:22,socksport=9050

Now you can simply use ssh MyHost-tor.

Similarly, if you have an SSH server running as a hidden service, then you will wish to ssh to it with minimal fuss.

Host MyHost-tor
ProxyCommand socat - SOCKS4A:localhost:MyHost.onion:22,socksport=9050

This method is more secure than using tsocks ssh MyHost.onion, because under tsocks ssh will first resolve the hostname itself and only then try to connect to it. That DNS lookup goes out unprotected, so you lose by giving away your IP address (and the name you are looking up) during the lookup.

Using the wildcard and parameter expansion features of SSH, you can write a single configuration for all .onion addresses:

Host *.onion
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050

If you want every SSH connection to go through Tor, you can even say:

Host *
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
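The long list of `Host`/`ProxyCommand none` pairs in Method 2 exists only to exempt the RFC 1918 ranges from the proxy, and Method 3 adds a `Host *.onion` rule on top. Both can be folded into one `Host *` entry whose ProxyCommand decides per connection. The script below is an added example written for this page (not from the wiki or OpenSSH): it connects directly to RFC 1918 and loopback literals and sends everything else, including `.onion` names, through Tor with SOCKS4A so the name is never resolved locally. It assumes socat is installed and Tor's SOCKS port is 127.0.0.1:9050; `/usr/local/bin/tor-proxycommand.sh` is an assumed install path.

```shell
#!/bin/sh
# tor-proxycommand.sh HOST PORT
# Single OpenSSH ProxyCommand that connects directly to RFC 1918 / loopback
# literals and sends everything else through Tor via SOCKS4A.
# Added example for this HOWTO, not original to the page or to OpenSSH.
# Assumes: socat in PATH, Tor SOCKS on 127.0.0.1:9050.
#
#   # ~/.ssh/config
#   Host *
#   ProxyCommand /usr/local/bin/tor-proxycommand.sh %h %p

TOR_SOCKS_HOST=127.0.0.1
TOR_SOCKS_PORT=9050

# is_ipv4_literal ADDR: succeed if ADDR is a dotted quad with every octet 0-255.
is_ipv4_literal() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split the function's own $1 into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_rfc1918 ADDR: succeed if ADDR is an IPv4 literal in 10/8, 172.16/12 or
# 192.168/16, the same ranges the Host/ProxyCommand-none list in Method 2 spells out.
is_rfc1918() {
    is_ipv4_literal "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    case "$1.$2" in
        10.*)    return 0 ;;
        192.168) return 0 ;;
        172.*)   [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# route_for HOST: print "direct" or "tor". Only address literals can be exempted:
# a DNS name or a .onion name must reach Tor unresolved, so it is always "tor".
route_for() {
    if is_rfc1918 "$1"; then
        echo direct
    elif is_ipv4_literal "$1" && [ "${1%%.*}" = 127 ]; then
        echo direct          # loopback: Tor would refuse it anyway
    else
        echo tor
    fi
}

main() {
    host=$1; port=$2
    case $(route_for "$host") in
        direct) exec socat STDIO "TCP4:$host:$port" ;;
        tor)    exec socat STDIO "SOCKS4A:$TOR_SOCKS_HOST:$host:$port,socksport=$TOR_SOCKS_PORT" ;;
    esac
}

if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

One caveat this shares with the original `Host 10.*.*.*` style patterns: ssh hands the wrapper the hostname exactly as you typed it (`%h`), so a DNS name that happens to resolve to a private address is still sent through Tor, where the exit will refuse it. Use the literal address for LAN hosts.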

Putty

Putty is a neat suite of programs for doing Telnet, SSH, SCP, etc.
Configuration Details

vpnd

It is possible to run a (slow) vpnd through tor. How to setup this up is explained at http://www.vanheusden.com/Linux/tt.html.

Remailing

[:TheOnionRouter/RemailingAndTor:see Remailing: achieve strong remailing anonymity/security via Tor and Stunnel]

For the Crazy and Lazy

If you are lazy and don't want to repeat most of the steps laid out here every time you call the program (and who would?) you can have a look at the tor aliases project.

Credits

Thomas Sjogren with Northern Security started this howto and still maintains a copy at:

http://www.northernsecurity.net/articles/torify.html

Other Contributing Authors:

  • Dave Vehrs
  • Nick Mathewson
  • Thomas Hardly
  • tyranix