wiki:doc/torsocks

Torsocks

Torsocks is a torifying wrapper that is primarily used to redirect all the network traffic of individual SOCKS-friendly applications through the Tor network. It also ensures DNS queries are handled correctly and explicitly blocks all UDP traffic from the application in question. Torsocks is the successor of tsocks and is still actively maintained. It is simply packaged as torsocks and is available (and often automatically included with the tor package) in many *nix based distributions.

Download

There are packages for different distributions.

The code lives at torsocks.git, you can get a copy with

git clone https://git.torproject.org/torsocks.git

For further instructions have a look at the README.

Usage

Once you have installed torsocks, just launch it like so:

  torsocks [application]

For example, you can use ssh to a some.ssh.com by doing:

  torsocks ssh username @ some.ssh.com 

or launch pidgin by doing:

  torsocks pidgin 

An alternative command is torify. It is only provided for backward compatibility, and unless it is entirely necessary, you should use torsocks at all times. Example:

 torify pidgin

Security

The tables below contains a small list of applications commonly used in conjunction with torsocks / torify. At the moment a 100% guarantee of being safe to operate with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit has not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.

The following administrative applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
ssh M Y Potential for identity leaks through login.
telnet M Y Potential for identity leaks through login and password.
svn M Y
gpg Y Y GPG implemented --use-tor. See GnuPG.

The following messaging applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
pidgin M Y Potential for identity leaks through login and password.
kopete M Y Potential for identity leaks through login and password.
konversation M Y Potential for identity leaks through login and password.
irssi M Y Potential for identity leaks through login and password.
silc M Y Potential for identity leaks through login and password.

The following email applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
claws-mail * * Use TorBirdy (Tor Button for Thunderbird) instead!
thunderbird * * Use TorBirdy (Tor Button for Thunderbird) instead!

The following file transfer applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
wget M Y Possibility of identity leaks through http headers.
ftp M Y Passive mode works well generally.

Table legend:

DNS: DNS requests safe for Tor?
           N - The application is known to leak DNS requests when used with torsocks.
           Y - Testing has shown that application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
           N - Anonymity issues suspected, see comments column.
           M - Safe enough in theory, but either not fully researched or anonymity can be compromised 
               through indiscreet use (e.g. email address, login, passwords).
           Y - Application has been researched and documented to be safe with Tor.


Older Information

WARNING: The information below is heavily depreciated and it is highly advised to not follow it.

uwt - modified torsocks to improve Tor stream isolation

This is a modified torsocks to support setting proxy type, ip and port by command line parameter to prevent identity correlation through circuit sharing.

Written by Whonix developer proper/adrelanos. The Tails developers contributed feedback and a patch.

*nix only, because torsocks/torify is not available for Windows.1
1 Perhaps a modified proxychains might work. Modified a similar way.

Additional SocksPorts

You need to add additional SocksPorts to your torrc.

Add to /etc/tor/torrc.

SocksPort 9052
SocksPort 9053

Don't forget to restart Tor.

uwt

uwt, the torsocks wrapper. (It's a fork of torsocks from the torsocks package.)

nano /usr/local/bin/uwt

UPDATE 17

Applies to non-Whonix users. Some versions prior UPDATE 15 were affected by a security issue. If you command included localhost or 127.0.0.1 it leaked.

Thanks to intrigeri for reporting the issue!

Moved to github.

https://github.com/Whonix/uwt/blob/master/usr/bin/uwt

Manual use

Example for manual usage invoked by command line.

uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/wget -c https://check.torproject.org
sudo uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/apt-get --yes dist-upgrade

Wrapper use

For example, if you wish enforce the proxy settings without entering such a long command every time, you can use a wrapper, . The wrapper has to be placed in PATH ('echo $PATH') before the real executable.

nano /usr/local/bin/wget

Insert the following.

#!/bin/bash
#echo "This is uwt /usr/local/bin/wget wrapper."
/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget $*

In this example, if you want to use wget, you don't have to type 'uwt -t 5 -i 192.168.0.10 -p 9109 -c "/usr/bin/wget -c https://check.torproject.org"', you can simply use 'wget -c https://check.torproject.org'. The wrapper calls uwt and uwt calls torsocks. Your request will be routed through socks5, IP 192.168.0.10, port 9109.

Thanks to intrigeri, for bringing up this suggestion!

Related discussion

Workaround for IPv6 leak bug

As long as this bug https://code.google.com/p/torsocks/issues/detail?id=37 isn't fixed...

If you on a IPv6 enabled network and use usewithtor <some-IPv6-aware-application>, then IPv6 traffic will be send in the clear, thus de-anonymzing you.

Workaround: Add to /etc/sysctl.conf.

net.ipv6.conf.all.disable_ipv6 = 1

Run

sysctl -p

to activate. (Will remain activated after reboot.)

Of course you can and should only apply this workaround if you don't depend on IPv6.


Tickets

Torsocks

Ticket Summary Status Priority Keywords Owner
#14132 Add SocksPort Unix support to torsocks assigned Medium sysrqb
#29659 WARNING torsocks[6254]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:605) needs_review Medium
#3711 Application support for optimistic data: Torsocks needs_revision Medium performance roundtrip sysrqb
#6228 NSS module for .onion DNS name resolution new Low nss dns usability onion tor-hs
#8702 Support advanced polling features in OS new Medium
#11579 Torsocks should support Java new Medium
#11724 Check recvmmsg() FD passing on Unix socket for TCP socket new Medium
#11727 Support shared onion pool for DNS resolution in separate process new Medium
#13184 Add an option to whitelist networks new Medium
#14322 torsocks fails to wrap setcap binaries new Medium setcap setuid LD_PRELOAD torsocks
#16934 youtube-dl (recent), torsocks 2.1.0 and TBB5+ failure new Medium
#19407 Support FD passing on Unix socket new Medium
#19700 torsocks does not work with "connectx" (in netcat / nc) new High
#19793 Torsocks - only torify .onion domains new Low
#21227 Ship a git-remote-tor helper new Medium
#23872 torsocks hangs recent firefox versions new Medium FUTEX_WAIT_PRIVATE hangs torsocks
#24037 Use syscall blacklist rather than whitelist for torsocks new Medium
#24116 Torsocks deadlocks every Rust program new Medium torsocks deadlock rust jemalloc
#25884 add support for exitmap requirements new Medium network-health
#26580 torsocks complains about unknown system call #417 on FreeBSD new Medium
#26821 [torsocks] configure script from the tarball breaks new Medium
#26831 Feature: conditionally allow non-localhost inbound connections with command-line flag new Medium
#26889 torsocks: option to disable all network traffic new Low torsocks, option, disable network
#27920 "Resolve destination buffer too small" is unclear new Medium
#28538 [regression] torsocks uses linux-specific tsocks_libc_accept4 on FreeBSD new High
#28627 [torsocks] AAAA replies from tor not handled new Medium
#28688 torsocks: Unsupported syscall errors in version 2.3.0 new Medium
#28998 torsocks popcon: [syscall] Unsupported syscall number 288 new Medium
#28999 Mention dependencies in INSTALL new Very Low
#29000 Let torsocks run from source directory new Very Low
#29311 Unsupported syscall number 427 and 180 on OS X on torsocks 2.2.0 new Medium
#29769 [syscall] Unsupported syscall number 316. Denying the call (in tsocks_syscall() at syscall.c:615) new Medium
#30658 Unsupported syscalls (292/dup3, 293/pipe2, 332/statx) new Medium
#30729 Possible memory leak in torsocks 2.2.0 new Medium
#31365 Tor Proxy new Medium proxy
#32491 Build fails with uClibc (and maybe some other non-standard libc's) sometimes new Medium
#32577 torsocks is not fully capable of performing required downloads new Medium
#32599 ERROR: ld.so: object '/usr/lib/torsocks/libtorsocks.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS64): ignored. new Medium torsocks
#32953 torsocks: Unsupported syscall 157 (prctl) new Medium
#33096 on x64: torsocks --shell: [syscall] Unsupported syscall number 157 new Medium
#33552 Unsupported syscall number 229 on Debian on torsocks 2.3.0 new Very Low
#34199 torsocks irssi weird bug new High tor irssi bug debug weird

History

Moved to torsocks/History.

Last modified 2 years ago Last modified on Sep 19, 2018, 9:26:17 PM