wiki:doc/torsocks

Version 49 (modified by Jaruga, 16 months ago) (diff)

Updated table. Sliced out irrelevant section. Formatting adjustment

  1. Torsocks
    1. Usage
    2. Security
  2. Older Information
    1. uwt - modified torsocks to improve Tor stream isolation
    2. Additional SocksPorts
    3. uwt
    4. Manual use
    5. Wrapper use
    6. Related discussion
    7. Workaround for IPv6 leak bug
  3. Tickets
    1. Torsocks
    2. Torify
  4. History

Torsocks

Torsocks is a torifying wrapper that is primarily used to redirect all the network traffic of individual SOCKS-friendly applications through the Tor network. It also ensures DNS queries are handled correctly and explicitly blocks all UDP traffic from the application in question. Torsocks is the successor of tsocks and is still actively maintained. It is simply packaged as torsocks and is available (and often automatically included with the tor package) in many *nix based distributions.

Usage

Once you have installed torsocks, just launch it like so: 

  torsocks [application]

For example, you can use ssh to a some.ssh.com by doing: 

  torsocks ssh username @ some.ssh.com

or launch pidgin by doing: 

  torsocks pidgin

Security

The tables below contains a small list of applications commonly used in conjunction with torsocks / torify. At the moment a 100% guarantee of being safe to operate with Tor can only be given for a few of them. This is because the operation of the applications and the data they transmit has not been fully researched, so it is possible that a given application can leak user/system data at a level that neither Tor nor torsocks can control.

The following administrative applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
ssh M Y Potential for identity leaks through login.
telnet M Y Potential for identity leaks through login and password.
svn M Y
gpg Y Y GPG implemented --use-tor. See GnuPG.

The following messaging applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
pidgin M Y Potential for identity leaks through login and password.
kopete M Y Potential for identity leaks through login and password.
konversation M Y Potential for identity leaks through login and password.
irssi M Y Potential for identity leaks through login and password.
silc M Y Potential for identity leaks through login and password.

The following email applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
claws-mail * * Use TorBirdy (Tor Button for Thunderbird) instead!
thunderbird * * Use TorBirdy (Tor Button for Thunderbird) instead!

The following file transfer applications are known to be compatible with torsocks:

Application 100% Safe DNS Comments
wget M Y Possibility of identity leaks through http headers.
ftp M Y Passive mode works well generally.

Table legend: 

DNS: DNS requests safe for Tor?
           N - The application is known to leak DNS requests when used with torsocks.
           Y - Testing has shown that application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
           N - Anonymity issues suspected, see comments column.
           M - Safe enough in theory, but either not fully researched or anonymity can be compromised 
               through indiscreet use (e.g. email address, login, passwords).
           Y - Application has been researched and documented to be safe with Tor.


Older Information

WARNING: The information below is heavily depreciated and it is highly advised to not follow it.

uwt - modified torsocks to improve Tor stream isolation

This is a modified torsocks to support setting proxy type, ip and port by command line parameter to prevent identity correlation through circuit sharing.

Written by Whonix developer proper/adrelanos. The Tails developers contributed feedback and a patch.

*nix only, because torsocks/torify is not available for Windows.1
1 Perhaps a modified proxychains might work. Modified a similar way.

Additional SocksPorts

You need to add additional SocksPorts to your torrc.

Add to /etc/tor/torrc. 

SocksPort 9052
SocksPort 9053

Don't forget to restart Tor.

uwt

uwt, the torsocks wrapper. (It's a fork of torsocks from the torsocks package.) 

nano /usr/local/bin/uwt

UPDATE 17

Applies to non-Whonix users. Some versions prior UPDATE 15 were affected by a security issue. If you command included localhost or 127.0.0.1 it leaked.

Thanks to intrigeri for reporting the issue!

Moved to github. 

https://github.com/Whonix/uwt/blob/master/usr/bin/uwt

Manual use

Example for manual usage invoked by command line. 

uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/wget -c https://check.torproject.org

sudo uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/apt-get --yes dist-upgrade

Wrapper use

For example, if you wish enforce the proxy settings without entering such a long command every time, you can use a wrapper, . The wrapper has to be placed in PATH ('echo $PATH') before the real executable. 

nano /usr/local/bin/wget

Insert the following. 

#!/bin/bash
#echo "This is uwt /usr/local/bin/wget wrapper."
/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget $*

In this example, if you want to use wget, you don't have to type 'uwt -t 5 -i 192.168.0.10 -p 9109 -c "/usr/bin/wget -c https://check.torproject.org"', you can simply use 'wget -c https://check.torproject.org'. The wrapper calls uwt and uwt calls torsocks. Your request will be routed through socks5, IP 192.168.0.10, port 9109.

Thanks to intrigeri, for bringing up this suggestion!

Related discussion

Workaround for IPv6 leak bug

As long as this bug https://code.google.com/p/torsocks/issues/detail?id=37 isn't fixed...

If you on a IPv6 enabled network and use usewithtor <some-IPv6-aware-application>, then IPv6 traffic will be send in the clear, thus de-anonymzing you.

Workaround: Add to /etc/sysctl.conf. 

net.ipv6.conf.all.disable_ipv6 = 1

Run 

sysctl -p

to activate. (Will remain activated after reboot.)

Of course you can and should only apply this workaround if you don't depend on IPv6.


Tickets

Torsocks

Tickets are currently being migrated from Google Code to torproject.org trac.

Ticket Summary Status Priority Keywords Owner
#6228 NSS module for .onion DNS name resolution assigned Low nss dns usability onion tor-hs
#8702 Support advanced polling features in OS assigned Medium
#11579 Torsocks should support Java assigned Medium
#11724 Check recvmmsg() FD passing on Unix socket for TCP socket assigned Medium
#11727 Support shared onion pool for DNS resolution in separate process assigned Medium
#13184 Add an option to whitelist networks assigned Medium
#14132 Add SocksPort Unix support to torsocks assigned Medium sysrqb
#14322 torsocks fails to wrap setcap binaries assigned Medium setcap setuid LD_PRELOAD torsocks
#16934 youtube-dl (recent), torsocks 2.1.0 and TBB5+ failure assigned Medium
#19407 Support FD passing on Unix socket assigned Medium
#19700 torsocks does not work with "connectx" (in netcat / nc) assigned High
#19793 Torsocks - only torify .onion domains assigned Low
#21227 Ship a git-remote-tor helper assigned Medium
#23872 torsocks hangs recent firefox versions assigned Medium FUTEX_WAIT_PRIVATE hangs torsocks
#24037 Use syscall blacklist rather than whitelist for torsocks assigned Medium
#24116 Torsocks deadlocks every Rust program assigned Medium torsocks deadlock rust jemalloc
#25884 add support for exitmap requirements assigned Medium
#26580 torsocks complains about unknown system call #417 on FreeBSD assigned Medium
#26821 [torsocks] configure script from the tarball breaks assigned Medium
#26831 Feature: conditionally allow non-localhost inbound connections with command-line flag assigned Medium
#26889 torsocks: option to disable all network traffic assigned Low torsocks, option, disable network
#27920 "Resolve destination buffer too small" is unclear assigned Medium
#28538 [regression] torsocks uses linux-specific tsocks_libc_accept4 on FreeBSD assigned High
#28627 [torsocks] AAAA replies from tor not handled assigned Medium
#28688 torsocks: Unsupported syscall errors in version 2.3.0 assigned Medium
#28998 torsocks popcon: [syscall] Unsupported syscall number 288 assigned Medium
#28999 Mention dependencies in INSTALL assigned Very Low
#29000 Let torsocks run from source directory assigned Very Low
#29311 Unsupported syscall number 427 and 180 on OS X on torsocks 2.2.0 assigned Medium
#29659 WARNING torsocks[6254]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:605) assigned Medium
#29769 [syscall] Unsupported syscall number 316. Denying the call (in tsocks_syscall() at syscall.c:615) assigned Medium
#30658 Unsupported syscalls (292/dup3, 293/pipe2, 332/statx) assigned Medium
#30729 Possible memory leak in torsocks 2.2.0 assigned Medium
#801 Torify+dsocks: A listener connection returned a socket with a mismatched family closed Low dgoulet
#6155 Import torsocks from google code to torproject.org trac closed High mwenge
#6542 curl 7.27.0 doesn't work with torsocks closed High dgoulet
#7564 [PATCH] Use libdir instead of prefix in torsocks wrapper closed Medium make install robinson
#8006 Unnecessary test in torsocks script closed Medium
#8038 Allow torsocks to interact with TBB in a useful way closed Medium
#8043 various torsocks/ttdnsd errors and discrepancies closed Medium
#8052 merge torify trac component with torsocks trac component closed Medium
#8053 add stream isolation support to torsocks closed Medium dgoulet
#8063 torsocks on doesn't work. closed Medium shell
#8066 usewithtor + irssi + ssl = "Socks version 22 not recognized" closed Medium
#8067 Three harmless compiler warnings in 1.2 and 1.3 closed Medium ioerror
#8068 Missing symbol namespacing closed Medium ioerror
#8070 Memory leaks on error in dead_pool.c closed Medium ioerror
#8137 add option to allow connections to local addresses closed Medium dgoulet
#8220 add TORSOCKS_CONF_FILE to debug output closed Medium ioerror
#8221 add configuration to debug output closed Medium ioerror
#8272 torsocks.c warning says to file bugs at code.google.com closed Medium ioerror
#8315 Please support multiarch library paths closed Medium ioerror
#8316 cvs via torsocks causes a segfault in libtorsocks.so closed Medium ioerror
#8398 res_query warning in torsocks closed Low torsocks res_query ioerror
#8495 Please remove "Call to connect received on completed request 3" closed Medium ioerror
#8585 Figure out why weechat+ssl don't play nice with torsocks closed Medium sysrqb
#8597 Catch res_n* functions on systems that support them closed Medium sysrqb
#8659 INSTALL references obsolete Makefile.cvs closed Medium ioerror
#8743 Add IPv6 support closed Medium ioerror
#8744 The show_msg() does not save correctly the errno value closed Medium ioerror
#8745 Add thread safe support with documentation closed Medium ioerror
#8754 Remove mentions of code.google.com closed Medium ioerror
#9745 libtorsocks symbol was not found closed Medium torify, torsocks, libtorsocks, symbol, not found ioerror
#10007 Code review of torsocks 2.x closed Medium ioerror
#10119 libtorsocks, torify, __res__query() (and a few others) symbol not found ERROR closed High libtorsocks __res_query symbol dgoulet
#11090 torsocks should log errors to stderr and not stdout closed Medium dgoulet
#11205 [PATCH] gethostbyname2 needs to be supported in addition to gethostbyname closed Medium ioerror
#11456 'make test' should run the tests closed Medium dgoulet
#11541 torsocks Does Not Work with dig on Fedora 20 closed Medium dgoulet
#11723 Support res_* API of libresolv closed Medium dgoulet
#11725 Support the complete list of dangerous syscall numbers with syscall() closed Medium dgoulet
#11726 choosing ip / port by command line closed Medium dgoulet
#11810 Connection through torsocks(1) impossible closed Medium dgoulet
#13256 torsocks 1.3 possibly leaks username closed High leak dgoulet
#13294 futex support closed Medium syscall futex dgoulet
#13571 torsocks doesnt compile under MacOSX 10.10 (SO_DOMAIN linux only?) closed Medium dgoulet
#13896 torsocks prints wrong error messages about setuid/setgid executables closed Medium dgoulet
#13909 Torsocks GitHub and Track failed usage closed High dgoulet
#14021 torsocks: remove tsocks from wikistart closed Medium dgoulet
#14166 torsock's configure.ac: avoid tests which have both -pie and -static closed Medium dgoulet
#14210 Enhance torsocks with ControlPort GETINFO communication skills and additional Socks* options closed Medium dgoulet
#14265 Torsocks works badly with default VirtualAddrNetworkIPv4 ranges closed Medium dgoulet
#14268 torsocks "make check" target broken in out of tree builds closed Low easy, makefiles dgoulet
#14281 Add option to allow connections to custom local addresses closed Medium dgoulet
#15497 torsock's getpeername() implementation is broken. closed Medium dgoulet
#15504 torsocks's getaddrinfo() is broken. closed Medium dgoulet
#15584 Linking libtorsocks with libtcmalloc results in SIGSEGV closed Medium sigsegv libtcmalloc libtorsocks torsocks ld_preload dgoulet
#16006 torsocks should support isolating on a per process basis. closed Medium isolation dgoulet
#16183 torsocks upgrade broke OpenSSH connection sharing closed Medium ssh dgoulet
#16223 Torsocks v2.1.0 fails to build on RHEL/CentOS 5.x closed Medium prehistoric, glibc, centos dgoulet
#16308 Attempts to resolve local hostname using tor closed Medium dgoulet
#16349 Need to merge GigHub pull requests closed Medium dgoulet
#16355 [PATCH] Add usleep to data_impl functions closed Very Low torsocks cpu spike hang dgoulet
#16432 patches for NetBSD closed Medium netbsd dgoulet
#16433 infinite recursion in torsocks log timestamps closed Medium netbsd dgoulet
#16434 fix miscellaneous compiler warnings closed Medium dgoulet
#16435 torsocks needlessly depends on perl for test suite closed Medium dgoulet
#16627 torsocks 2.1 doesn't work with Oracle Java 8 (Mac OS X 10.9.5) closed Medium dgoulet
#16628 tordns_enable option to disable dns resolving via tor closed Medium dgoulet
#16765 torsocks should allow UDP connections to localhost when AllowOutboundLocalhost is set closed Medium dgoulet
#16991 I think I've figured out why torsocks-ci-linux is failing on Jenkins! closed Medium dgoulet
#17340 Add support for specifying Tor address and port from the command line closed Medium dgoulet
#17475 Overflow when parsing config lines with many arguments closed Medium dgoulet
#17478 Fix typos in comments closed Very Low dgoulet
#17479 Allow port 65535 closed Low dgoulet
#17618 Segfault in tsocks_accept4() if called through syscall() closed Medium dgoulet
#17743 [torsocks] Detect elevated capability executables closed Medium dgoulet
#17760 Torsocks doesn't quote variables, will choke on spaces and special characters in paths closed Medium easy dgoulet
#17936 torsocks fails open on Mac OS X 10.11 closed Medium dgoulet
#17980 Torify/Torsocks - Possible bug with OSX's default curl binary closed High dgoulet
#19376 Fix a few torsocks bugs caused by unquoted variables closed Medium dgoulet
#20871 Regression in Torsocks 2.2.0 breaks wget, among others closed High dgoulet
#21022 Add several syscalls to src/lib/syscall.c (Torsocks breaks seccomp) closed High dgoulet
#21088 Hide getcap error message in torsocks closed Low AffectsTails dgoulet
#21626 Make error: undefined reference to 'helper_is_default_tor_running' closed Medium dgoulet
#22068 Make it explicit that Torsocks won't work correctly in certain scenarios in the README closed Medium easy, doc dgoulet
#23667 Always send ATYP 0x03 (domain name) with a plain IP address closed Medium dgoulet
#23715 Support `memfd_create(2)` closed Medium dgoulet
#23876 Torsocks getpeername() is broken for .onion addresses closed Medium dgoulet
#24081 Torsocks logging to a file can cause a crash or corrupt application files. closed High dgoulet
#24140 When I "torify ssh root@abcdefghijklmnop.onion" I get a error closed High dgoulet
#24960 Torsocks not builds on old kernels where epoll_pwait isn't implemented closed Medium dgoulet
#24967 torsocks fails to check SIP if the path itself is a symlink closed Medium Hello71
#24979 torsocks could support ptrace sandboxing closed Low dgoulet
#25586 gethostbyaddr_r doesn't populate h_addrtype field of output hostent struct closed Medium dgoulet
#25627 tsocks_gethostbyaddr_r scribbles garbage over data->hostname and then relies on it closed Medium dgoulet
#25785 Torsocks error. Symbol res_query, res_search, res_domain, res_querydomian not found. closed High dgoulet
#26794 tsocks_gethostbyname_r does not assign result closed High dgoulet
#26888 torsocks: --quiet option closed Medium torsocks, quiet, option dgoulet
#28539 Build breaks on FreeBSD: undefined reference to `handle_mmap' closed Medium dgoulet
#28861 torsocks: Unsupported syscall number 217 closed Medium torsocks, syscall, 217 dgoulet
#29092 Unsupported syscall number 220 (getdents64) closed Medium syscall dgoulet
#29236 After updating tor to 8.0.5, socks5 started to not work closed Immediate bug socks5 dgoulet
#3711 Application support for optimistic data: Torsocks needs_revision Medium performance roundtrip sysrqb

Torify

adrelanos comment: the Torify component should probable be merged with the Torsocks component.

Ticket Summary Status Priority Keywords Owner
#99 connect.c "let's try to resolve it anyway, why not" bug closed Very Low
#1056 "torify" command leaks DNS on "master" 2.2 alpha branch closed High
#1204 Case when check.torproject.org does not show if Tor is used closed Very High
#1230 Scope Of Content Writing As A Career Option closed Low
#2333 net-proxy/tsocks-1.8_beta5-r5 segfaults if tor patch is used closed Medium
#2364 tor-resolve man page doesn't list its defaults closed Medium easy
#3498 tor accept tcp not udp traffic closed Medium tbb windows
#3530 torify script may use tsocks closed Medium
#5180 torify uses tsocks when torsocks is unavailable closed Very High

History

Moved to torsocks/History.