wiki:doc/torsocks

Version 35 (modified by proper, 8 years ago)

history moved to https://trac.torproject.org/projects/tor/wiki/doc/torsocks/History

uwt - modified usewithtor to improve Tor stream isolation

This is a modified usewithtor that supports setting the proxy type, IP and port by command-line parameter, to prevent identity correlation through circuit sharing.

Written by Whonix developer proper/adrelanos. The Tails developers contributed feedback and a patch.

*nix only, because torsocks/usewithtor is not available for Windows. [1]

[1] Perhaps a proxychains modified in a similar way might work.

Additional SocksPorts

You need to add additional SocksPorts to your torrc.

Add to /etc/tor/torrc.

SocksPort 9052
SocksPort 9053

Don't forget to restart Tor.

uwt

uwt, the torsocks wrapper. (It's a fork of usewithtor from the torsocks package.)

nano /usr/local/bin/uwt

UPDATE 17

Applies to non-Whonix users. Some versions prior to UPDATE 15 were affected by a security issue: if your command included localhost or 127.0.0.1, it leaked.

Thanks to intrigeri for reporting the issue!

Moved to GitHub.

https://github.com/adrelanos/Whonix/blob/master/whonix_shared/usr/local/bin/uwt

Manual use

Example of manual usage from the command line.

uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/wget -c https://check.torproject.org
sudo uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/apt-get --yes dist-upgrade

Wrapper use

For example, if you wish to enforce the proxy settings without entering such a long command every time, you can use a wrapper. The wrapper has to be placed in PATH ('echo $PATH') before the real executable.

nano /usr/local/bin/wget

Insert the following.

#!/bin/bash
#echo "This is uwt /usr/local/bin/wget wrapper."
# "$@" passes every argument through unchanged; $* would re-split arguments that contain spaces.
/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget "$@"

In this example, if you want to use wget, you don't have to type 'uwt -t 5 -i 192.168.0.10 -p 9109 -c "/usr/bin/wget -c https://check.torproject.org"', you can simply use 'wget -c https://check.torproject.org'. The wrapper calls uwt and uwt calls torsocks. Your request will be routed through socks5, IP 192.168.0.10, port 9109.

Thanks to intrigeri, for bringing up this suggestion!
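
Once several wrappers exist, it is worth checking that no two of them point at the same SocksPort, because applications on a shared port can share circuits. The script below is an added example, not part of the original page or of uwt; it assumes wrappers call uwt with the '-t ... -i ... -p ...' options shown above, and the function names and the ssh/apt-get sample wrappers are constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of uwt. Assumes wrappers call uwt as shown on this
# page: ".../uwt -t <type> -i <ip> -p <port> <program> ...".

# uwt_endpoint FILE: print "ip:port" of the first uwt call in FILE (else nothing).
uwt_endpoint() {
    awk '
        /^[ \t]*#/ { next }    # commented-out lines may mention uwt; skip them
        {
            for (i = 1; i <= NF; i++) if ($i ~ /(^|\/)uwt$/) break
            if (i > NF) next
            ip = ""; port = ""
            # read only the uwt options; stop at the wrapped program so that
            # its own -i/-p flags are not mistaken for proxy settings
            for (i++; i < NF && $i ~ /^-/; i += 2) {
                if ($i == "-i") ip = $(i + 1)
                if ($i == "-p") port = $(i + 1)
            }
            if (ip != "" && port != "") { print ip ":" port; exit }
        }' "$1"
}

# shared_endpoints DIR: print "ip:port wrapper wrapper ..." for each endpoint
# used by two or more wrappers in DIR; no output means none is shared.
shared_endpoints() {
    local f ep
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        ep=$(uwt_endpoint "$f")
        if [ -n "$ep" ]; then printf '%s %s\n' "$ep" "$(basename "$f")"; fi
    done | sort | awk '
        { names[$1] = names[$1] " " $2; count[$1]++ }
        END { for (e in count) if (count[e] > 1) print e names[e] }' | sort
}

# Constructed sample wrappers: wget and ssh share port 9109, apt-get does not.
demo=$(mktemp -d)
printf '#!/bin/bash\n/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget "$@"\n' > "$demo/wget"
printf '#!/bin/bash\n/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/ssh "$@"\n' > "$demo/ssh"
printf '#!/bin/bash\n/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9110 /usr/bin/apt-get "$@"\n' > "$demo/apt-get"
shared_endpoints "$demo"    # prints: 192.168.0.10:9109 ssh wget
rm -rf "$demo"
```

Run 'shared_endpoints /usr/local/bin' against the real wrapper directory; any line it prints names wrappers that should be moved to separate SocksPorts.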

See also

You may also be interested in wpolipo - polipo manager init script to improve Tor stream isolation, see Polipo.

Related discussion

Workaround for IPv6 leak bug

As long as this bug https://code.google.com/p/torsocks/issues/detail?id=37 isn't fixed...

If you are on an IPv6-enabled network and use usewithtor <some-IPv6-aware-application>, then IPv6 traffic will be sent in the clear, thus de-anonymizing you.

Workaround: Add to /etc/sysctl.conf.

net.ipv6.conf.all.disable_ipv6 = 1

Run

sysctl -p

to activate. (Will remain activated after reboot.)

Of course you can and should only apply this workaround if you don't depend on IPv6.
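
To confirm that the workaround actually took effect on every interface before starting an application under usewithtor, the per-interface values can be checked. The script below is an added example, not part of the original page or of torsocks; the function names are hypothetical, and the optional directory argument exists only so the check can be run against a constructed tree.

```shell
#!/bin/bash
# Added example, not part of torsocks. ROOT defaults to the kernel's
# per-interface IPv6 settings; another directory is accepted for testing.

# ipv6_enabled_ifaces [ROOT]: print every entry (all, default, eth0, ...)
# whose disable_ipv6 value is not 1. No output means IPv6 is off everywhere.
# A missing ROOT (kernel without IPv6 support) also yields no output.
ipv6_enabled_ifaces() {
    local root="${1:-/proc/sys/net/ipv6/conf}" f
    for f in "$root"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        if [ "$(tr -d ' \t\n' < "$f")" != "1" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# ipv6_leak_guard [ROOT]: return 0 when IPv6 is disabled everywhere, otherwise
# name the offending interfaces on stderr and return 1.
# Intended use: ipv6_leak_guard && usewithtor pidgin
ipv6_leak_guard() {
    local open
    open=$(ipv6_enabled_ifaces "$1")
    if [ -z "$open" ]; then return 0; fi
    printf 'IPv6 still enabled on: %s\n' "$(echo $open)" >&2
    return 1
}

# Constructed sample tree: "all" is disabled, but eth0 still has IPv6 on.
demo=$(mktemp -d)
mkdir -p "$demo/all" "$demo/eth0"
echo 1 > "$demo/all/disable_ipv6"
echo 0 > "$demo/eth0/disable_ipv6"
ipv6_leak_guard "$demo" || echo "refusing to start usewithtor"
rm -rf "$demo"
```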

Tickets

Torsocks

Tickets are currently being migrated from Google Code to torproject.org trac.

Ticket Summary Status Priority Keywords Owner
No tickets found

Torify

adrelanos comment: the Torify component should probably be merged with the Torsocks component.

Ticket  Summary                                                       Status  Priority   Keywords     Owner
#99     connect.c "let's try to resolve it anyway, why not" bug       closed  Very Low
#1056   "torify" command leaks DNS on "master" 2.2 alpha branch       closed  High
#1204   Case when check.torproject.org does not show if Tor is used   closed  Very High
#1230   Scope Of Content Writing As A Career Option                   closed  Low
#2333   net-proxy/tsocks-1.8_beta5-r5 segfaults if tor patch is used  closed  Medium
#2364   tor-resolve man page doesn't list its defaults                closed  Medium     easy
#3498   tor accept tcp not udp traffic                                closed  Medium     tbb windows
#3530   torify script may use tsocks                                  closed  Medium
#5180   torify uses tsocks when torsocks is unavailable               closed  Very High

Usage

Once you have installed torsocks, just launch it like so:

  usewithtor [application]

So, for example, you can ssh to some.ssh.com by doing:

  usewithtor ssh username@some.ssh.com

or launch pidgin by doing:

  usewithtor pidgin 

An alternative to usewithtor is torsocks:

  torsocks pidgin

The tables below list applications that usewithtor/torsocks will send through Tor. At the moment a 100% guarantee of safe interoperability with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit have not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.

The following administrative applications are known to be compatible with usewithtor:

Application   100% Safe  DNS  Comments
ssh           M          Y    Potential for identity leaks through login.
telnet        M          Y    Potential for identity leaks through login and password.
svn           M          Y
gpg           M          Y    gpg --refresh-keys works well enough.

The following messaging applications are known to be compatible with usewithtor:

Application   100% Safe  DNS  Comments
pidgin        M          Y    Potential for identity leaks through login and password.
kopete        M          Y    Potential for identity leaks through login and password.
konversation  M          Y    Potential for identity leaks through login and password.
irssi         M          Y    Potential for identity leaks through login and password.
silc          M          Y    Potential for identity leaks through login and password.

The following email applications are known to be compatible with usewithtor:

Application   100% Safe  DNS  Comments
claws-mail    M          Y    http://rorschachstagebuch.wordpress.com/2008/11/02/claws-mail-zweit-profil-fur-tor/ in German or http://lists.nongnu.org/archive/html/gnewsense-users/2010-04/msg00131.html in English
thunderbird   N          Y    Probable identity leaks through javascript, mail headers. Potential for identity leaks through login, password.

The following file transfer applications are known to be compatible with usewithtor:

Application   100% Safe  DNS  Comments
wget          N          N    Probable identity leaks through http headers. Leaks DNS and connects directly in certain cases when used with polipo and torsocks. http://pastebin.com/iTHbjfqM http://pastebin.com/akbRifQX
ftp           M          Y    Passive mode works well generally.

Table legend:

DNS: DNS requests safe for Tor?
           N - The application is known to leak DNS requests when used with torsocks.
           Y - Testing has shown that application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
           N - Anonymity issues suspected, see comments column.
           M - Safe enough in theory, but either not fully researched or anonymity can be compromised 
               through indiscreet use (e.g. email address, login, passwords).
           Y - Application has been researched and documented to be safe with Tor.

History

Moved to torsocks/History.