wiki:doc/torsocks

Version 22 (modified by proper, 6 years ago). Change comment: Workaround for IPv6 leak bug

Modified usewithtor to support setting ip and port by command line parameter by proper

Purpose: to prevent identity correlation through circuit sharing. Tor (0.2.3 and later) never puts streams that arrive on different SocksPorts onto the same circuit, so giving every application its own SocksPort keeps, for example, your gpg keyserver traffic and your apt-get updates from leaving through the same exit over the same circuit, where they could be linked to one user.

*nix only, because torsocks/usewithtor is not available for Windows. [1]
[1] Perhaps proxychains, modified in a similar way, might work.

Additional SocksPorts

You need to add additional SocksPorts to your torrc, one per application you want to isolate. The examples below use ports 9053 and 9054.

Add to /etc/tor/torrc.

SocksPort 9052
SocksPort 9053
SocksPort 9054

Don't forget to restart Tor (or reload its configuration) afterwards, otherwise the new ports are not listening and torsocks connections to them fail.

uwt

uwt, the torsocks wrapper. (It is a modified copy of usewithtor from the torsocks package; the SOCKS server address and port are taken from the ip and port environment variables instead of being hard-coded.)

nano /usr/local/bin/uwt

UPDATE 11

#! /bin/sh
# ***************************************************************************
# *                                                                         *
# *   Copyright (C) 2008-2011 Robert Hogan <robert@roberthogan.net>         *
# *                                                                         *
# *   This program is free software; you can redistribute it and/or modify  *
# *   it under the terms of the GNU General Public License as published by  *
# *   the Free Software Foundation; either version 2 of the License, or     *
# *   (at your option) any later version.                                   *
# *                                                                         *
# *   This program is distributed in the hope that it will be useful,       *
# *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
# *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
# *   GNU General Public License for more details.                          *
# *                                                                         *
# *   You should have received a copy of the GNU General Public License     *
# *   along with this program; if not, write to the                         *
# *   Free Software Foundation, Inc.,                                       *
# *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
# ***************************************************************************
# *                                                                         *
# *   This is a modified version of a source file from the Tor project.     *
# *   Original copyright notice from tsocks source file follows:            *
# ***************************************************************************

# Wrapper script for use of the tsocks(8) transparent socksification library
# See the tsocks(1) and torify(1) manpages.

# Copyright (c) 2004, 2006 Peter Palfrader
# Modified by Jacob Appelbaum <jacob@appelbaum.net> April 16th 2006
# Modified by Marcus Griep <marcus@griep.us> June 16 2009
# May be distributed under the same terms as Tor itself

# Usage: ip=<socks ip> port=<socks port> uwt [-v] <command> [<options>...]
#
# The SOCKS server is chosen through the ip and port environment variables,
# so that each application can be pointed at its own SocksPort and therefore
# gets its own Tor circuits.
#
# Note:
# -v (verbose) and the UWT_VERBOSE environment variable set to 1
# will break many graphical applications: they start helper programs,
# which in turn run programs wrapped with uwt, and the verbose output
# then ends up where those helpers expect the program's real output.
#
# You can also type in shell:
# 	export UWT_VERBOSE="1"
# to enable verbose output.
# Note: When running applications as root, you also have to set and
#       export that variable as root.

# Define and ensure we have torsocks
# XXX: what if we do not have which?
TORSOCKS="`which torsocks`"
PROG=
VERBOSE=

usage () {
	echo "Usage: ip=<socks ip> port=<socks port> $0 [-h] [-v] <command> [<options>...]"
}

set_id () {
	# torsocks works through LD_PRELOAD, which the dynamic linker ignores
	# for set-uid/set-gid binaries; such a program would connect directly.
	echo "ERROR: $1 is set${2}id. uwt will not work on a set${2}id executable." >&2
	exit 1
}

# Check for any argument list
if [ "$#" = 0 ]; then
	usage >&2
	exit 1
fi

while [ "$1" ]; do
	case "$1" in
		-h|--h*)
			usage
			exit 0
			;;
		-v|--v*)
			VERBOSE=YesPlease
			shift
			;;
		*)
			break
			;;
	esac
done

# Refuse to run without an explicit SOCKS server. With an empty server or
# port in the generated configuration, torsocks would fall back to its
# default (127.0.0.1:9050) and every application would share circuits
# again, which is exactly what this wrapper is meant to prevent.
if [ -z "$ip" ] || [ -z "$port" ]; then
	echo "$0: the ip and port environment variables must be set, e.g." >&2
	echo "    ip=127.0.0.1 port=9053 $0 <command>" >&2
	exit 1
fi
case "$port" in
	*[!0-9]*)
		echo "$0: port must be a number, got \"$port\"." >&2
		exit 1
		;;
esac

exe="`which "$1"`"
if [ "$exe" = "" ]; then
	echo "UWT ERROR: $1 does not exist!" >&2
	exit 1
fi

if [ -u "$exe" ]; then
	set_id "$1" u
elif [ -g "$exe" ]; then
	set_id "$1" g
fi

if [ -x "$TORSOCKS" ]; then
	PROG=torsocks
else
	echo "$0: Unable to find torsocks in PATH." >&2
	echo "    Perhaps you have not installed it?" >&2
	exit 1
fi

if [ "$VERBOSE" ]; then
	echo "We are armed with the following torsocks: $TORSOCKS"
	echo "We are attempting to use $PROG for all tor action."
fi

if [ "$PROG" = "torsocks" ]; then
	# Define our torsocks config file. mktemp gives a fresh, unpredictable
	# name: a fixed name such as /tmp/<user>_torsocks_temp could be
	# pre-created or symlinked by another local user, who could then point
	# torsocks at a SOCKS server of their choosing. The file is left behind,
	# because the exec below replaces this shell before it could remove it;
	# it is safe to delete afterwards.
	TORSOCKS_CONF_FILE="`mktemp "${TMPDIR:-/tmp}/uwt.XXXXXX"`" || exit 1
	export TORSOCKS_CONF_FILE
	#echo "TORSOCKS_CONF_FILE: $TORSOCKS_CONF_FILE"

	echo "
		# Temporary torsocks configuration file created by uwt.
		# Safe to delete.
		local = 127.0.0.0/255.128.0.0
		local = 127.128.0.0/255.192.0.0
		local = 169.254.0.0/255.255.0.0
		local = 172.16.0.0/255.240.0.0
		local = 192.168.0.0/255.255.0.0
		server = $ip
		server_type = 5
		server_port = $port
	" > "$TORSOCKS_CONF_FILE"

	# Check that we have got a torsocks config file
	if [ -r "$TORSOCKS_CONF_FILE" ]; then
		if [ -z "$UWT_VERBOSE" ]; then
			UWT_VERBOSE=0
		elif [ "$UWT_VERBOSE" = "1" ]; then
			VERBOSE=YesPlease
		fi
		if [ "$VERBOSE" ]; then
			echo "uwt"
			echo "ip: $ip port: $port"
		fi

		# Commands that talk to the local machine are run without torsocks.
		# Caveat: this is a substring match over the whole argument list, so
		# any argument containing "127.0.0.1" or "localhost" (a remote URL
		# that merely contains that text included) disables torsocks for the
		# whole invocation. Run with -v if in doubt.
		UWT_LOCALHOST="0"
		case "$*" in
			*127.0.0.1*|*localhost*)
				UWT_LOCALHOST="1"
				;;
		esac

		if [ "$UWT_LOCALHOST" = "1" ]; then
			if [ "$VERBOSE" ]; then
				echo "UWT_LOCALHOST: $UWT_LOCALHOST NOT using torsocks."
				echo "exec \"$@\""
			fi
			exec "$@"
		else
			if [ "$VERBOSE" ]; then
				echo "UWT_LOCALHOST: $UWT_LOCALHOST USING torsocks."
				echo "exec torsocks \"$@\""
			fi
			exec torsocks "$@"
		fi
	else
		# Since identity correlation through circuit sharing is at risk,
		# we should no longer let torsocks default to 9050.
		echo "$0: Missing torsocks configuration file \"$TORSOCKS_CONF_FILE\"." >&2
		exit 1
	fi
fi

# We should have hit an exec. If we get here, we did not exec
echo "$0: failed to exec $PROG $@" >&2
exit 1
# End of uwt script.

Manual use

Examples of manual use from the command line. The SOCKS address and port are given as environment variables in front of the command:

ip=127.0.0.1 port=9053 uwt gpg
sudo ip=127.0.0.1 port=9054 uwt apt-get update

With sudo, the two variables reach uwt only if sudoers lets you pass environment variables on the command line (the setenv option, a SETENV tag, or a rule that matches ALL); otherwise sudo reports that you are not allowed to set those variables.

Wrapper use

For example, if you wish to enforce the proxy settings without entering such a long command every time, you can use a wrapper. The wrapper has to be placed in a directory that comes before the real executable in PATH (check with 'echo $PATH').

nano /usr/local/bin/gpg

Insert the following.

#!/bin/bash
ip=127.0.0.1 port=9054 uwt /usr/bin/gpg "$@"

In this example, if you want to use gpg, you don't have to type 'ip=127.0.0.1 port=9054 uwt gpg <gpg options>'; you can simply type 'gpg <gpg options>'. The wrapper calls uwt and uwt calls torsocks, and your request is routed through SOCKS5 at IP 127.0.0.1, port 9054. The wrapper must call the real binary by its absolute path (/usr/bin/gpg), not by name: a bare 'gpg' would resolve to the wrapper itself, since the wrapper comes first in PATH. "$@" rather than $* passes arguments containing spaces through unchanged.

Thanks to intrigeri, for bringing up this suggestion!
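The steps above (one SocksPort per application, a wrapper placed in PATH ahead of the real binary, the real binary called by absolute path, "$@" instead of $*) can be automated. The following is an added example written for this page, not code from the torsocks project or from the page's author: it emits the torrc lines for a list of app:port pairs, refuses a port assigned twice (two applications on one SocksPort would share circuits again), locates the real executable while skipping the wrapper directory so a wrapper can never resolve to itself, and writes each wrapper. The wrapper directory, the app:port list and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this page (not torsocks or uwt code). Assumes uwt is
# installed as described above and that wrappers go into a directory that
# precedes the real binaries in PATH, e.g. /usr/local/bin.

# Print "SocksPort N" lines for app:port pairs; fail on a non-numeric or
# duplicate port, since two applications on one SocksPort would share circuits.
uwt_torrc_lines() {
	seen=""
	for pair in "$@"; do
		port="${pair#*:}"
		case "$port" in
			''|*[!0-9]*) echo "bad port in '$pair'" >&2; return 1 ;;
		esac
		case " $seen " in
			*" $port "*) echo "port $port assigned twice" >&2; return 1 ;;
		esac
		seen="$seen $port"
		echo "SocksPort $port"
	done
}

# Find the real executable for $1 on PATH, skipping the wrapper directory $2,
# so the generated wrapper never points back at itself.
uwt_real_path() {
	app="$1"; skip="$2"; old_ifs="$IFS"; IFS=:
	for d in $PATH; do
		[ "$d" = "$skip" ] && continue
		if [ -f "$d/$app" ] && [ -x "$d/$app" ]; then
			IFS="$old_ifs"; echo "$d/$app"; return 0
		fi
	done
	IFS="$old_ifs"
	return 1
}

# Write $1/<app> for the app:port pair $2; $3 is the real executable's
# absolute path. Arguments are passed through with "$@" so spaces survive.
uwt_write_wrapper() {
	dir="$1"; app="${2%%:*}"; port="${2#*:}"; real="$3"
	case "$real" in
		"$dir"/*) echo "refusing: $real lives in the wrapper directory" >&2; return 1 ;;
		/*) ;;
		*) echo "need an absolute path, got '$real'" >&2; return 1 ;;
	esac
	printf '#!/bin/sh\nexport ip=127.0.0.1 port=%s\nexec uwt "%s" "$@"\n' \
		"$port" "$real" > "$dir/$app"
	chmod 755 "$dir/$app"
}

# Drive the whole procedure: torrc lines to stdout, one wrapper per pair in $1.
uwt_setup() {
	dir="$1"; shift
	uwt_torrc_lines "$@" || return 1
	for pair in "$@"; do
		app="${pair%%:*}"
		real="$(uwt_real_path "$app" "$dir")" || { echo "$app not found in PATH" >&2; return 1; }
		uwt_write_wrapper "$dir" "$pair" "$real" || return 1
	done
}

# Example invocation (the printed SocksPort lines go into /etc/tor/torrc):
#   uwt_setup /usr/local/bin gpg:9053 apt-get:9054 wget:9055
```

After running it, append the printed SocksPort lines to /etc/tor/torrc and restart Tor; the wrappers only work once those ports are listening.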

Related discussion

Workaround for IPv6 leak bug

As long as this bug, https://code.google.com/p/torsocks/issues/detail?id=37, isn't fixed:

If you are on an IPv6-enabled network and use usewithtor <some-IPv6-aware-application>, IPv6 traffic will be sent in the clear, bypassing Tor and thus de-anonymizing you.

Workaround: Add to /etc/sysctl.conf.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Run

sysctl -p

to activate. (Will remain activated after reboot.) The "all" line covers the interfaces that exist now; the "default" line makes interfaces created later (a VPN tunnel, a hot-plugged network adapter) start with IPv6 disabled as well, otherwise they would reintroduce the leak.

Of course you can and should only apply this workaround if you don't depend on IPv6.
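A check that the workaround is actually in effect, as an added example for this page (not code from torsocks or the page's author). It reads the two sysctl values and the output of "ip -6 addr" and reports anything that could still carry IPv6 traffic around Tor; it also checks the "default" sysctl, which a setting of "all" alone does not cover for interfaces created later. The pure check takes its inputs as arguments so it can run on captured text; the sample output embedded below is constructed, not captured from a real machine, and the function names are assumptions. Requires a Linux host with sysctl and iproute2's ip.

```shell
#!/bin/sh
# Added example for this page (not torsocks code): verify that the IPv6
# workaround is in effect. Function and variable names are made up here.

# Pure check on given values:
#   $1 = net.ipv6.conf.all.disable_ipv6, $2 = net.ipv6.conf.default.disable_ipv6,
#   $3 = output of "ip -6 addr". Returns 0 when nothing can leak, 1 otherwise.
ipv6_leak_check() {
	all="$1"; dflt="$2"; addrs="$3"; rc=0
	[ "$all" = "1" ] || { echo "net.ipv6.conf.all.disable_ipv6=$all (want 1)"; rc=1; }
	# "all" only affects interfaces that exist now; without "default" a
	# tunnel or hot-plugged adapter created later comes up with IPv6 again.
	[ "$dflt" = "1" ] || { echo "net.ipv6.conf.default.disable_ipv6=$dflt (want 1)"; rc=1; }
	# A link-local (fe80::/10) address cannot reach the internet; any
	# global-scope address is one an IPv6-aware application could use directly.
	globals="$(printf '%s\n' "$addrs" | awk '/inet6/ && /scope global/ { print $2 }')"
	if [ -n "$globals" ]; then
		echo "global IPv6 addresses still configured:" $globals
		rc=1
	fi
	return $rc
}

# Run the check against the live system.
ipv6_leak_check_live() {
	ipv6_leak_check \
		"$(sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null)" \
		"$(sysctl -n net.ipv6.conf.default.disable_ipv6 2>/dev/null)" \
		"$(ip -6 addr 2>/dev/null)"
}

# Constructed sample of "ip -6 addr" output from a host that still has a
# routable address (not captured from a real machine).
SAMPLE_IP6_LEAKY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global dynamic
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# Usage on the running system (exit status 0 means no IPv6 path remains):
#   ipv6_leak_check_live
```

Run ipv6_leak_check_live after sysctl -p; a non-zero exit status with the printed reason tells you which half of the workaround is missing.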

torsocks

Once you have installed torsocks, just launch it like so:

  usewithtor [application]

So, for example you can use ssh to a some.ssh.com by doing:

  usewithtor ssh username@some.ssh.com

or launch pidgin by doing:

  usewithtor pidgin 

An alternative to usewithtor is torsocks:

  torsocks pidgin

The tables below list applications that usewithtor/torsocks will send through Tor. At the moment a 100% guarantee of safe interoperability with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit has not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.

The following administrative applications are known to be compatible with usewithtor:

Application | 100% Safe | DNS | Comments
ssh         | M         | Y   | Potential for identity leaks through login.
telnet      | M         | Y   | Potential for identity leaks through login and password.
svn         | M         | Y   |
gpg         | M         | Y   | gpg --refresh-keys works well enough.

The following messaging applications are known to be compatible with usewithtor:

Application  | 100% Safe | DNS | Comments
pidgin       | M         | Y   | Potential for identity leaks through login and password.
kopete       | M         | Y   | Potential for identity leaks through login and password.
konversation | M         | Y   | Potential for identity leaks through login and password.
irssi        | M         | Y   | Potential for identity leaks through login and password.
silc         | M         | Y   | Potential for identity leaks through login and password.

The following email applications are known to be compatible with usewithtor:

Application | 100% Safe | DNS | Comments
claws-mail  | M         | Y   | http://rorschachstagebuch.wordpress.com/2008/11/02/claws-mail-zweit-profil-fur-tor/ in German or http://lists.nongnu.org/archive/html/gnewsense-users/2010-04/msg00131.html in English
thunderbird | N         | Y   | Probable identity leaks through JavaScript and mail headers. Potential for identity leaks through login and password.

The following file transfer applications are known to be compatible with usewithtor:

Application | 100% Safe | DNS | Comments
wget        | N         | N   | Probable identity leaks through HTTP headers. Leaks DNS and connects directly in certain cases when used with polipo and torsocks: http://pastebin.com/iTHbjfqM http://pastebin.com/akbRifQX
ftp         | M         | Y   | Passive mode works well generally.

Table legend:

DNS: DNS requests safe for Tor?
           N - The application is known to leak DNS requests when used with torsocks.
           Y - Testing has shown that application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
           N - Anonymity issues suspected, see comments column.
           M - Safe enough in theory, but either not fully researched or anonymity can be compromised 
               through indiscreet use (e.g. email address, login, passwords).
           Y - Application has been researched and documented to be safe with Tor.

Differences between torsocks and tsocks

A complete history of changes is maintained in the ChangeLog at http://code.google.com/p/torsocks/source/browse/trunk/ChangeLog. The initial working copy of torsocks was obtained through the following steps in June 2008:

To help with reconstructing the above steps, a list of applied patches is available in the patches subdirectory (http://code.google.com/p/torsocks/source/browse/trunk/patches) of the torsocks trunk tree (http://code.google.com/p/torsocks/source/browse/trunk/).

Enhancements unique to torsocks

The first release of torsocks contained the following enhancements:

  • Torifying reverse DNS requests through gethostbyaddr()
  • Blocking of UDP traffic from sendto() and its variants.
  • Use of Tor-friendly defaults if no configuration file available.
  • The addition of all RFC defined private address ranges to the default configuration.