Torsocks
Torsocks is a torifying wrapper that is primarily used to redirect all the network traffic of individual SOCKS-friendly applications through the Tor network. It also ensures DNS queries are handled correctly and explicitly blocks all UDP traffic from the application in question. Torsocks is the successor of tsocks and is still actively maintained. It is simply packaged as torsocks and is available (and often automatically included with the tor package) in many *nix based distributions.
Download
There are packages for different distributions.
The code lives at torsocks.git; you can get a copy with:
git clone https://git.torproject.org/torsocks.git
For further instructions have a look at the README.
Usage
Once you have installed torsocks, just launch it like so:
torsocks [application]
For example, you can ssh to some.ssh.com by doing:
torsocks ssh username@some.ssh.com
or launch pidgin by doing:
torsocks pidgin
An alternative command is torify. It is only provided for backward compatibility, and unless it is entirely necessary, you should use torsocks at all times. Example:
torify pidgin
Security
The tables below contain a small list of applications commonly used in conjunction with torsocks / torify. At the moment a 100% guarantee of being safe to operate with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit have not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.
The following administrative applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments |
---|---|---|---|
ssh | M | Y | Potential for identity leaks through login. |
telnet | M | Y | Potential for identity leaks through login and password. |
svn | M | Y | |
gpg | Y | Y | GPG implemented --use-tor. See GnuPG. |
The following messaging applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments |
---|---|---|---|
pidgin | M | Y | Potential for identity leaks through login and password. |
kopete | M | Y | Potential for identity leaks through login and password. |
konversation | M | Y | Potential for identity leaks through login and password. |
irssi | M | Y | Potential for identity leaks through login and password. |
silc | M | Y | Potential for identity leaks through login and password. |
The following email applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments |
---|---|---|---|
claws-mail | * | * | Use TorBirdy (Tor Button for Thunderbird) instead! |
thunderbird | ***** | * | Use TorBirdy (Tor Button for Thunderbird) instead! |
The following file transfer applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments |
---|---|---|---|
wget | M | Y | Possibility of identity leaks through http headers. |
ftp | M | Y | Passive mode works well generally. |
Table legend:
DNS: DNS requests safe for Tor?
N - The application is known to leak DNS requests when used with torsocks.
Y - Testing has shown that the application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
N - Anonymity issues suspected, see comments column.
M - Safe enough in theory, but either not fully researched or anonymity can be compromised through indiscreet use (e.g. email address, login, passwords).
Y - Application has been researched and documented to be safe with Tor.
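One way to test the DNS column for an application yourself, as an added example that is not part of the original page: capture traffic on the physical interface while the application runs under torsocks (for instance with `tcpdump -n -i <interface> port 53`) and list every query that was sent to a resolver directly. The capture lines and addresses below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list DNS queries that left the host in the clear.
# Input is `tcpdump -n` text output, one packet per line, on stdin.
# Output: one "resolver qtype name" line per query sent to port 53.
dns_leaks() {
    awk '
    ($2 == "IP" || $2 == "IP6") && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)                 # "192.168.1.1.53:" -> "192.168.1.1.53"
        n = split(dst, part, "[.]")        # tcpdump appends the port after a dot
        if (part[n] != "53") next          # only packets addressed to a resolver
        host = substr(dst, 1, length(dst) - length(part[n]) - 1)
        for (i = 6; i < NF; i++)
            if ($i ~ /^[A-Z0-9]+[?]$/) {   # "A?", "AAAA?", "PTR?" mark a question
                qtype = $i; sub(/[?]$/, "", qtype)
                name = $(i + 1); sub(/[.]$/, "", name)
                print host, qtype, name
            }
    }'
}

# Constructed capture (documentation addresses): one Tor relay connection,
# then an A and an AAAA lookup that bypassed torsocks, then the reply.
sample_capture() {
    cat <<'EOF'
12:00:01.100001 IP 192.168.1.5.40112 > 198.51.100.7.9001: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:01.200002 IP 192.168.1.5.53411 > 192.168.1.1.53: 4660+ A? some.ssh.com. (30)
12:00:01.200150 IP 192.168.1.5.53411 > 192.168.1.1.53: 4661+ AAAA? some.ssh.com. (30)
12:00:01.300003 IP 192.168.1.1.53 > 192.168.1.5.53411: 4660 1/0/0 A 203.0.113.9 (46)
EOF
}

sample_capture | dns_leaks
```

An empty result over a capture that covers the whole session corresponds to a Y in the DNS column; any printed line names the hostname that was exposed and the resolver that saw it.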
Older Information
WARNING: The information below is heavily deprecated and it is highly advised to not follow it.
uwt - modified torsocks to improve Tor stream isolation
This is a modified torsocks to support setting proxy type, ip and port by command line parameter to prevent identity correlation through circuit sharing.
Written by Whonix developer proper/adrelanos. The Tails developers contributed feedback and a patch.
*nix only, because torsocks/torify is not available for Windows. [1]
[1] Perhaps a proxychains modified in a similar way might work.
Additional SocksPorts
You need to add additional SocksPorts to your torrc.
Add to /etc/tor/torrc.
SocksPort 9052
SocksPort 9053
Don't forget to restart Tor.
uwt
uwt, the torsocks wrapper. (It's a fork of torsocks from the torsocks package.)
nano /usr/local/bin/uwt
UPDATE 17
Applies to non-Whonix users. Some versions prior to UPDATE 15 were affected by a security issue. If your command included localhost or 127.0.0.1, it leaked.
Thanks to intrigeri for reporting the issue!
Moved to github.
https://github.com/Whonix/uwt/blob/master/usr/bin/uwt
Manual use
Example for manual usage invoked by command line.
uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/wget -c https://check.torproject.org
sudo uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/apt-get --yes dist-upgrade
Wrapper use
For example, if you wish to enforce the proxy settings without entering such a long command every time, you can use a wrapper. The wrapper has to be placed in PATH ('echo $PATH') before the real executable.
nano /usr/local/bin/wget
Insert the following.
#!/bin/sh
#echo "This is uwt /usr/local/bin/wget wrapper."
# "$@" passes every argument through unchanged, even one containing spaces.
/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget "$@"
In this example, if you want to use wget, you don't have to type 'uwt -t 5 -i 192.168.0.10 -p 9109 -c "/usr/bin/wget -c https://check.torproject.org"', you can simply use 'wget -c https://check.torproject.org'. The wrapper calls uwt and uwt calls torsocks. Your request will be routed through socks5, IP 192.168.0.10, port 9109.
Thanks to intrigeri, for bringing up this suggestion!
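Separate SocksPorts only prevent identity correlation if each wrapper really uses its own port. The following audit is an added example, not part of uwt or the original page: it reads a torrc and a directory of one-line wrappers in the form shown above, and reports any wrapper whose port has no SocksPort line or is already used by another wrapper. The function names, port 9060 and the sample wrappers are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit uwt wrappers for stream-isolation mistakes.
# usage: audit_wrappers TORRC WRAPPER_DIR
audit_wrappers() {
    torrc=$1 dir=$2
    # Ports declared as "SocksPort N" or "SocksPort ADDR:N".
    declared=$(awk 'tolower($1) == "socksport" { n = split($2, a, ":"); print a[n] }' "$torrc")
    seen=""
    for w in "$dir"/*; do
        [ -f "$w" ] || continue
        # First -p value on a non-comment line that calls uwt.
        port=$(awk '!/^[ \t]*#/ && /uwt/ {
                        for (i = 1; i < NF; i++) if ($i == "-p") { print $(i + 1); exit }
                    }' "$w")
        [ -n "$port" ] || continue
        name=${w##*/}
        # Port absent from torrc: no SocksPort line declares it.
        echo "$declared" | grep -qxF "$port" || echo "UNDECLARED $name $port"
        # Port reused by an earlier wrapper: both programs share circuits.
        case " $seen " in *" $port "*) echo "SHARED $name $port" ;; esac
        seen="$seen $port"
    done
}

# Constructed sample: the torrc lines from this page plus three wrappers.
make_sample() {
    mkdir -p "$1/bin"
    printf 'SocksPort 9052\nSocksPort 9053\n' > "$1/torrc"
    for spec in apt-get:9053 ssh:9060 wget:9053; do
        printf '#!/bin/sh\n/usr/local/bin/uwt -t 5 -i 127.0.0.1 -p %s /usr/bin/%s "$@"\n' \
            "${spec#*:}" "${spec%:*}" > "$1/bin/${spec%:*}"
    done
}

tmp=$(mktemp -d) && make_sample "$tmp" && audit_wrappers "$tmp/torrc" "$tmp/bin"
rm -rf "$tmp"
```

On the sample it reports `UNDECLARED ssh 9060` and `SHARED wget 9053`; an empty report means every wrapper has a declared port of its own.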
Related discussion
- tor-talk How to force redirect each application through separate SocksPorts? (preventing identity correlation)
- Tails-dev Tails's plans for Tor's stream isolation in Tor 0.2.3?
- Privoxy feature request: support IsolateSOCKSAuth (preventing identity correlation) - ID: 3541363
- tails-dev bug reports, test and discussion
Workaround for IPv6 leak bug
As long as this bug https://code.google.com/p/torsocks/issues/detail?id=37 isn't fixed...
If you are on an IPv6-enabled network and use usewithtor, then IPv6 traffic will be sent in the clear, thus de-anonymizing you.
Workaround: Add to /etc/sysctl.conf.
net.ipv6.conf.all.disable_ipv6 = 1
Run
sysctl -p
to activate. (Will remain activated after reboot.)
Of course you can and should only apply this workaround if you don't depend on IPv6.
History
Moved to torsocks/History.