wiki:doc/torsocks

Torsocks

Torsocks is a torifying wrapper that is primarily used to redirect all the network traffic of individual SOCKS-friendly applications through the Tor network. It also ensures DNS queries are handled correctly and explicitly blocks all UDP traffic from the application in question. Torsocks is the successor of tsocks and is still actively maintained. It is simply packaged as torsocks and is available (and often automatically included with the tor package) in many *nix based distributions.

Download

There are packages for different distributions.

The code lives at torsocks.git, you can get a copy with

git clone https://git.torproject.org/torsocks.git

For further instructions have a look at the README.

Usage

Once you have installed torsocks, just launch it like so:

  torsocks [application]

For example, you can use ssh to a some.ssh.com by doing:

  torsocks ssh username @ some.ssh.com 

or launch pidgin by doing:

  torsocks pidgin 

An alternative command is torify. It is only provided for backward compatibility, and unless it is entirely necessary, you should use torsocks at all times. Example:

 torify pidgin

Security

The tables below contains a small list of applications commonly used in conjunction with torsocks / torify. At the moment a 100% guarantee of being safe to operate with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit has not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.

The following administrative applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
ssh M Y Potential for identity leaks through login.
telnet M Y Potential for identity leaks through login and password.
svn M Y
gpg Y Y GPG implemented --use-tor. See GnuPG.

The following messaging applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
pidgin M Y Potential for identity leaks through login and password.
kopete M Y Potential for identity leaks through login and password.
konversation M Y Potential for identity leaks through login and password.
irssi M Y Potential for identity leaks through login and password.
silc M Y Potential for identity leaks through login and password.

The following email applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
claws-mail * * Use TorBirdy (Tor Button for Thunderbird) instead!
thunderbird * * Use TorBirdy (Tor Button for Thunderbird) instead!

The following file transfer applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
wget M Y Possibility of identity leaks through http headers.
ftp M Y Passive mode works well generally.

Table legend:

DNS: DNS requests safe for Tor?
           N - The application is known to leak DNS requests when used with torsocks.
           Y - Testing has shown that application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
           N - Anonymity issues suspected, see comments column.
           M - Safe enough in theory, but either not fully researched or anonymity can be compromised 
               through indiscreet use (e.g. email address, login, passwords).
           Y - Application has been researched and documented to be safe with Tor.


Older Information

WARNING: The information below is heavily depreciated and it is highly advised to not follow it.

uwt - modified torsocks to improve Tor stream isolation

This is a modified torsocks to support setting proxy type, ip and port by command line parameter to prevent identity correlation through circuit sharing.

Written by Whonix developer proper/adrelanos. The Tails developers contributed feedback and a patch.

*nix only, because torsocks/torify is not available for Windows.1
1 Perhaps a modified proxychains might work. Modified a similar way.

Additional SocksPorts

You need to add additional SocksPorts to your torrc.

Add to /etc/tor/torrc.

SocksPort 9052
SocksPort 9053

Don't forget to restart Tor.

uwt

uwt, the torsocks wrapper. (It's a fork of torsocks from the torsocks package.)

nano /usr/local/bin/uwt

UPDATE 17

Applies to non-Whonix users. Some versions prior UPDATE 15 were affected by a security issue. If you command included localhost or 127.0.0.1 it leaked.

Thanks to intrigeri for reporting the issue!

Moved to github.

https://github.com/Whonix/uwt/blob/master/usr/bin/uwt

Manual use

Example for manual usage invoked by command line.

uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/wget -c https://check.torproject.org
sudo uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/apt-get --yes dist-upgrade

Wrapper use

For example, if you wish enforce the proxy settings without entering such a long command every time, you can use a wrapper, . The wrapper has to be placed in PATH ('echo $PATH') before the real executable.

nano /usr/local/bin/wget

Insert the following.

#!/bin/bash
#echo "This is uwt /usr/local/bin/wget wrapper."
/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget $*

In this example, if you want to use wget, you don't have to type 'uwt -t 5 -i 192.168.0.10 -p 9109 -c "/usr/bin/wget -c https://check.torproject.org"', you can simply use 'wget -c https://check.torproject.org'. The wrapper calls uwt and uwt calls torsocks. Your request will be routed through socks5, IP 192.168.0.10, port 9109.

Thanks to intrigeri, for bringing up this suggestion!

Related discussion

Workaround for IPv6 leak bug

As long as this bug https://code.google.com/p/torsocks/issues/detail?id=37 isn't fixed...

If you on a IPv6 enabled network and use usewithtor <some-IPv6-aware-application>, then IPv6 traffic will be send in the clear, thus de-anonymzing you.

Workaround: Add to /etc/sysctl.conf.

net.ipv6.conf.all.disable_ipv6 = 1

Run

sysctl -p

to activate. (Will remain activated after reboot.)

Of course you can and should only apply this workaround if you don't depend on IPv6.


Tickets

Torsocks

Ticket Summary Status Priority Keywords Owner
#11579 Torsocks should support Java accepted Medium dgoulet
#11724 Check recvmmsg() FD passing on Unix socket for TCP socket accepted Medium dgoulet
#11727 Support shared onion pool for DNS resolution in separate process accepted Medium dgoulet
#13184 Add an option to whitelist networks accepted Medium dgoulet
#14322 torsocks fails to wrap setcap binaries accepted Medium setcap setuid LD_PRELOAD torsocks dgoulet
#16934 youtube-dl (recent), torsocks 2.1.0 and TBB5+ failure accepted Medium dgoulet
#19407 Support FD passing on Unix socket accepted Medium dgoulet
#19793 Torsocks - only torify .onion domains accepted Low dgoulet
#8702 Support advanced polling features in OS assigned Medium dgoulet
#14132 Add SocksPort Unix support to torsocks assigned Medium sysrqb
#19700 torsocks does not work with "connectx" (in netcat / nc) needs_information High dgoulet
#19376 Fix a few torsocks bugs caused by unquoted variables needs_review Medium dgoulet
#24037 Use syscall blacklist rather than whitelist for torsocks needs_review Medium dgoulet
#24116 Torsocks deadlocks every Rust program needs_review Medium torsocks deadlock rust jemalloc dgoulet
#3711 Application support for optimistic data: Torsocks needs_revision Medium performance roundtrip sysrqb
#24967 torsocks fails to check SIP if the path itself is a symlink needs_revision Medium Hello71
#6228 NSS module for .onion DNS name resolution new Low nss dns usability onion tor-hs dgoulet
#21227 Ship a git-remote-tor helper new Medium dgoulet
#23872 torsocks hangs recent firefox versions new Medium FUTEX_WAIT_PRIVATE hangs torsocks dgoulet
#25884 add support for exitmap requirements new Medium dgoulet
#26580 torsocks complains about unknown system call #417 on FreeBSD new Medium dgoulet
#26794 tsocks_gethostbyname_r does not assign result new High dgoulet
#26821 [torsocks] configure script from the tarball breaks new Medium dgoulet
#26831 Feature: conditionally allow non-localhost inbound connections with command-line flag new Medium dgoulet
#26888 torsocks: --quiet option new Medium torsocks, quiet, option dgoulet
#26889 torsocks: option to disable all network traffic new Low torsocks, option, disable network dgoulet
#27920 torsocks fails to open socks 4 connection: [socks5] Resolve destination buffer too small (in socks5_recv_resolve_reply() at socks5.c:707) new Medium dgoulet

History

Moved to torsocks/History.

Last modified 4 weeks ago Last modified on Sep 19, 2018, 9:26:17 PM