Torsocks
Torsocks is a torifying wrapper that is primarily used to redirect all the network traffic
of individual SOCKS-friendly applications through the Tor network. It also ensures DNS queries
are handled correctly and explicitly blocks all UDP traffic from the application in question.
Torsocks is the successor of tsocks and is still actively maintained. It is simply packaged as
torsocks and is available (and often automatically included with the tor package)
in many *nix based distributions.
Usage
Once you have installed torsocks, just launch it like so:
torsocks [application]
For example, you can ssh to some.ssh.com by running:
torsocks ssh username@some.ssh.com
or launch pidgin by doing:
torsocks pidgin
Security
The tables below contain a short list of applications commonly used in conjunction with torsocks / torify. At the moment, a 100% guarantee of being safe to operate with Tor can be given for only a few of them. The operation of these applications and the data they transmit have not been fully researched, so a given application may leak user or system data at a level that neither Tor nor torsocks can control.
The following administrative applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments
ssh | M | Y | Potential for identity leaks through login.
telnet | M | Y | Potential for identity leaks through login and password.
svn | M | Y |
gpg | Y | Y | GPG implemented --use-tor. See GnuPG.
The following messaging applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments
pidgin | M | Y | Potential for identity leaks through login and password.
kopete | M | Y | Potential for identity leaks through login and password.
konversation | M | Y | Potential for identity leaks through login and password.
irssi | M | Y | Potential for identity leaks through login and password.
silc | M | Y | Potential for identity leaks through login and password.
The following email applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments
claws-mail | * | * | Use TorBirdy (Tor Button for Thunderbird) instead!
thunderbird | * | * | Use TorBirdy (Tor Button for Thunderbird) instead!
The following file transfer applications are known to be compatible with torsocks:
Application | 100% Safe | DNS | Comments
wget | M | Y | Possibility of identity leaks through http headers.
ftp | M | Y | Passive mode works well generally.
Table legend:
DNS: DNS requests safe for Tor?
N - The application is known to leak DNS requests when used with torsocks.
Y - Testing has shown that the application does not leak DNS requests.
100% Safe: Fully verified to have no interoperability issues with Tor?
N - Anonymity issues suspected, see comments column.
M - Safe enough in theory, but either not fully researched or anonymity can be compromised
through indiscreet use (e.g. email address, login, passwords).
Y - Application has been researched and documented to be safe with Tor.
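One way to run the kind of DNS test the legend refers to, as an added example that is not part of the original page: capture on the outbound interface with `tcpdump -n` while the torsocks-wrapped application runs, then flag any clear-text DNS or other UDP packet in the text output. The helper names `find_leaks` and `sample_capture` are hypothetical, and the capture lines are constructed sample data using documentation address ranges.

```shell
#!/bin/sh
# Added example: flag clear-text DNS and other UDP in `tcpdump -n` text output.
# Capture on an otherwise quiet host, since unrelated processes also send DNS.

# Reads tcpdump -n lines on stdin; prints "KIND SRC DST NAME" per leaking packet.
find_leaks() {
    awk '
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, part, "[.]")     # last dotted component is the port
            port = part[n]
            if (port == "53" || port == "5353") {
                name = "?"                  # query name follows the "A?" / "AAAA?" token
                for (i = 6; i < NF; i++)
                    if ($i ~ /^[A-Za-z0-9]+[?]$/) { name = $(i + 1); break }
                print "dns", $3, dst, name
            } else if ($6 == "UDP,") {
                print "udp", $3, dst, "-"   # torsocks should have blocked this
            }
        }'
}

# Constructed capture lines, not real traffic: one TCP connection to a relay,
# two DNS queries sent in the clear, one DNS reply, one other UDP packet.
sample_capture() {
    cat <<'EOF'
14:02:11.100000 IP 192.0.2.20.40112 > 203.0.113.7.9001: Flags [S], seq 1, win 64240, length 0
14:02:11.120034 IP 192.0.2.20.51544 > 192.0.2.1.53: 4211+ A? check.torproject.org. (38)
14:02:11.140000 IP 192.0.2.1.53 > 192.0.2.20.51544: 4211 1/0/0 A 203.0.113.10 (54)
14:02:11.150000 IP6 2001:db8::20.51000 > 2001:db8::1.53: 991+ AAAA? check.torproject.org. (38)
14:02:12.000000 IP 192.0.2.20.40000 > 198.51.100.9.3478: UDP, length 20
EOF
}

leaks=$(sample_capture | find_leaks)
if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks"
    echo "LEAK: DNS/UDP left the host outside Tor"
else
    echo "no DNS/UDP leak seen in this capture"
fi
```

An empty result only covers the traffic that was actually exercised during the capture; it does not make an application "100% Safe" in the sense of the table.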
WARNING: The information below is heavily deprecated and it is highly advised to not follow it.
uwt - modified torsocks to improve Tor stream isolation
This is a modified torsocks that supports setting the proxy type, IP and port by command line parameter, to prevent identity correlation through circuit sharing.
Written by Whonix developer proper/adrelanos. The Tails developers contributed feedback and a patch.
*nix only, because torsocks/torify is not available for Windows. [1]
[1] Perhaps a modified proxychains might work. Modified a similar way.
Additional SocksPorts
You need to add additional SocksPorts to your torrc.
Add to /etc/tor/torrc.
SocksPort 9052
SocksPort 9053
Don't forget to restart Tor.
uwt
uwt, the torsocks wrapper. (It's a fork of torsocks from the torsocks package.)
nano /usr/local/bin/uwt
UPDATE 17
Applies to non-Whonix users. Some versions prior to UPDATE 15 were affected by a security issue: if your command included localhost or 127.0.0.1, it leaked.
Thanks to intrigeri for reporting the issue!
Moved to GitHub.
https://github.com/Whonix/uwt/blob/master/usr/bin/uwt
Manual use
Example for manual usage invoked by command line.
uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/wget -c https://check.torproject.org
sudo uwt -t 5 -i 127.0.0.1 -p 9050 /usr/bin/apt-get --yes dist-upgrade
Wrapper use
For example, if you wish to enforce the proxy settings without entering such a long command every time, you can use a wrapper. The wrapper has to be placed in a directory that comes before the real executable's directory in PATH ('echo $PATH').
nano /usr/local/bin/wget
Insert the following.
#!/bin/bash
#echo "This is uwt /usr/local/bin/wget wrapper."
# "$@" passes every argument through unchanged, including ones that contain spaces.
/usr/local/bin/uwt -t 5 -i 192.168.0.10 -p 9109 /usr/bin/wget "$@"
In this example, if you want to use wget, you don't have to type 'uwt -t 5 -i 192.168.0.10 -p 9109 -c "/usr/bin/wget -c https://check.torproject.org"', you can simply use 'wget -c https://check.torproject.org'. The wrapper calls uwt and uwt calls torsocks. Your request will be routed through socks5, IP 192.168.0.10, port 9109.
Thanks to intrigeri, for bringing up this suggestion!
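The wrapper only protects you if it is the file that actually runs: with the wrong PATH order the real binary is executed directly and nothing is torified. A check for that, as an added example that is not part of the original page or of uwt; the helper names and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a uwt/torsocks wrapper really shadows the real binary.

# Print the first executable file named CMD in the colon-separated PATHSTRING.
first_in_path() {   # first_in_path CMD PATHSTRING
    cmd=$1; found=
    old_ifs=$IFS; IFS=:; set -f          # split on ":" without globbing
    for dir in $2; do
        if [ -z "$found" ] && [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            found=$dir/$cmd
        fi
    done
    set +f; IFS=$old_ifs
    [ -n "$found" ] && printf '%s\n' "$found"
}

# 0 = wrapper is found first and hands off to uwt/torsocks with an absolute
#     path to the real binary (a bare name would call the wrapper again)
# 1 = wrapper is not the first match in PATH: the command runs un-torified
# 2 = the file in WRAPPER_DIR does not call uwt/torsocks that way
check_wrapper() {   # check_wrapper CMD WRAPPER_DIR PATHSTRING
    hit=$(first_in_path "$1" "$3") || return 1
    [ "$hit" = "$2/$1" ] || return 1
    grep -Eq "^[^#]*(uwt|torsocks) .*/[^ ]*/$1( |\$)" "$hit" || return 2
    return 0
}

# Constructed demo tree: a wrapper like the one above and a stand-in "real" wget.
make_demo() {       # make_demo ROOT
    mkdir -p "$1/usr/local/bin" "$1/usr/bin"
    printf '#!/bin/sh\nexit 0\n' > "$1/usr/bin/wget"
    printf '#!/bin/bash\n%s -t 5 -i 192.168.0.10 -p 9109 %s "$@"\n' \
        "$1/usr/local/bin/uwt" "$1/usr/bin/wget" > "$1/usr/local/bin/wget"
    chmod +x "$1/usr/bin/wget" "$1/usr/local/bin/wget"
}

root=$(mktemp -d) && make_demo "$root"
for p in "$root/usr/local/bin:$root/usr/bin" "$root/usr/bin:$root/usr/local/bin"; do
    check_wrapper wget "$root/usr/local/bin" "$p"
    echo "PATH=$p -> status $?"
done
rm -rf "$root"
```

On a real system, call it as `check_wrapper wget /usr/local/bin "$PATH"` from the same account and shell that will run the wrapped command, since PATH can differ under sudo or cron.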
Workaround for IPv6 leak bug
As long as this bug https://code.google.com/p/torsocks/issues/detail?id=37 isn't fixed...
If you are on an IPv6-enabled network and use usewithtor <some-IPv6-aware-application>, then IPv6 traffic will be sent in the clear, thus de-anonymizing you.
Workaround: Add to /etc/sysctl.conf.
net.ipv6.conf.all.disable_ipv6 = 1
Run
sysctl -p
to activate. (Will remain activated after reboot.)
Of course you can and should only apply this workaround if you don't depend on IPv6.
Tickets
Torsocks
Tickets are currently being migrated from Google Code to torproject.org trac.
Ticket | Summary | Status | Priority | Keywords | Owner
#11579 | Torsocks should support Java | accepted | Medium | | dgoulet
#11724 | Check recvmmsg() FD passing on Unix socket for TCP socket | accepted | Medium | | dgoulet
#11727 | Support shared onion pool for DNS resolution in separate process | accepted | Medium | | dgoulet
#13184 | Add an option to whitelist networks | accepted | Medium | | dgoulet
#14322 | torsocks fails to wrap setcap binaries | accepted | Medium | setcap setuid LD_PRELOAD torsocks | dgoulet
#16934 | youtube-dl (recent), torsocks 2.1.0 and TBB5+ failure | accepted | Medium | | dgoulet
#19407 | Support FD passing on Unix socket | accepted | Medium | | dgoulet
#19793 | Torsocks - only torify .onion domains | accepted | Low | | dgoulet
#8702 | Support advanced polling features in OS | assigned | Medium | | dgoulet
#14132 | Add SocksPort Unix support to torsocks | assigned | Medium | | sysrqb
#801 | Torify+dsocks: A listener connection returned a socket with a mismatched family | closed | Low | | dgoulet
#6155 | Import torsocks from google code to torproject.org trac | closed | High | | mwenge
#6542 | curl 7.27.0 doesn't work with torsocks | closed | High | | dgoulet
#7564 | [PATCH] Use libdir instead of prefix in torsocks wrapper | closed | Medium | make install | robinson
#8006 | Unnecessary test in torsocks script | closed | Medium | |
#8038 | Allow torsocks to interact with TBB in a useful way | closed | Medium | |
#8043 | various torsocks/ttdnsd errors and discrepancies | closed | Medium | |
#8052 | merge torify trac component with torsocks trac component | closed | Medium | |
#8053 | add stream isolation support to torsocks | closed | Medium | | dgoulet
#8063 | torsocks on doesn't work. | closed | Medium | shell |
#8066 | usewithtor + irssi + ssl = "Socks version 22 not recognized" | closed | Medium | |
#8067 | Three harmless compiler warnings in 1.2 and 1.3 | closed | Medium | | ioerror
#8068 | Missing symbol namespacing | closed | Medium | | ioerror
#8070 | Memory leaks on error in dead_pool.c | closed | Medium | | ioerror
#8137 | add option to allow connections to local addresses | closed | Medium | | dgoulet
#8220 | add TORSOCKS_CONF_FILE to debug output | closed | Medium | | ioerror
#8221 | add configuration to debug output | closed | Medium | | ioerror
#8272 | torsocks.c warning says to file bugs at code.google.com | closed | Medium | | ioerror
#8315 | Please support multiarch library paths | closed | Medium | | ioerror
#8316 | cvs via torsocks causes a segfault in libtorsocks.so | closed | Medium | | ioerror
#8398 | res_query warning in torsocks | closed | Low | torsocks res_query | ioerror
#8495 | Please remove "Call to connect received on completed request 3" | closed | Medium | | ioerror
#8585 | Figure out why weechat+ssl don't play nice with torsocks | closed | Medium | | sysrqb
#8597 | Catch res_n* functions on systems that support them | closed | Medium | | sysrqb
#8659 | INSTALL references obsolete Makefile.cvs | closed | Medium | | ioerror
#8743 | Add IPv6 support | closed | Medium | | ioerror
#8744 | The show_msg() does not save correctly the errno value | closed | Medium | | ioerror
#8745 | Add thread safe support with documentation | closed | Medium | | ioerror
#8754 | Remove mentions of code.google.com | closed | Medium | | ioerror
#9745 | libtorsocks symbol was not found | closed | Medium | torify, torsocks, libtorsocks, symbol, not found | ioerror
#10007 | Code review of torsocks 2.x | closed | Medium | | ioerror
#10119 | libtorsocks, torify, __res__query() (and a few others) symbol not found ERROR | closed | High | libtorsocks __res_query symbol | dgoulet
#11090 | torsocks should log errors to stderr and not stdout | closed | Medium | | dgoulet
#11205 | [PATCH] gethostbyname2 needs to be supported in addition to gethostbyname | closed | Medium | | ioerror
#11456 | 'make test' should run the tests | closed | Medium | | dgoulet
#11541 | torsocks Does Not Work with dig on Fedora 20 | closed | Medium | | dgoulet
#11723 | Support res_* API of libresolv | closed | Medium | | dgoulet
#11725 | Support the complete list of dangerous syscall numbers with syscall() | closed | Medium | | dgoulet
#11726 | choosing ip / port by command line | closed | Medium | | dgoulet
#11810 | Connection through torsocks(1) impossible | closed | Medium | | dgoulet
#13256 | torsocks 1.3 possibly leaks username | closed | High | leak | dgoulet
#13294 | futex support | closed | Medium | syscall futex | dgoulet
#13571 | torsocks doesnt compile under MacOSX 10.10 (SO_DOMAIN linux only?) | closed | Medium | | dgoulet
#13896 | torsocks prints wrong error messages about setuid/setgid executables | closed | Medium | | dgoulet
#13909 | Torsocks GitHub and Track failed usage | closed | High | | dgoulet
#14021 | torsocks: remove tsocks from wikistart | closed | Medium | | dgoulet
#14166 | torsock's configure.ac: avoid tests which have both -pie and -static | closed | Medium | | dgoulet
#14210 | Enhance torsocks with ControlPort GETINFO communication skills and additional Socks* options | closed | Medium | | dgoulet
#14265 | Torsocks works badly with default VirtualAddrNetworkIPv4 ranges | closed | Medium | | dgoulet
#14268 | torsocks "make check" target broken in out of tree builds | closed | Low | easy, makefiles | dgoulet
#14281 | Add option to allow connections to custom local addresses | closed | Medium | | dgoulet
#15497 | torsock's getpeername() implementation is broken. | closed | Medium | | dgoulet
#15504 | torsocks's getaddrinfo() is broken. | closed | Medium | | dgoulet
#15584 | Linking libtorsocks with libtcmalloc results in SIGSEGV | closed | Medium | sigsegv libtcmalloc libtorsocks torsocks ld_preload | dgoulet
#16006 | torsocks should support isolating on a per process basis. | closed | Medium | isolation | dgoulet
#16183 | torsocks upgrade broke OpenSSH connection sharing | closed | Medium | ssh | dgoulet
#16223 | Torsocks v2.1.0 fails to build on RHEL/CentOS 5.x | closed | Medium | prehistoric, glibc, centos | dgoulet
#16308 | Attempts to resolve local hostname using tor | closed | Medium | | dgoulet
#16349 | Need to merge GigHub pull requests | closed | Medium | | dgoulet
#16355 | [PATCH] Add usleep to data_impl functions | closed | Very Low | torsocks cpu spike hang | dgoulet
#16432 | patches for NetBSD | closed | Medium | netbsd | dgoulet
#16433 | infinite recursion in torsocks log timestamps | closed | Medium | netbsd | dgoulet
#16434 | fix miscellaneous compiler warnings | closed | Medium | | dgoulet
#16435 | torsocks needlessly depends on perl for test suite | closed | Medium | | dgoulet
#16627 | torsocks 2.1 doesn't work with Oracle Java 8 (Mac OS X 10.9.5) | closed | Medium | | dgoulet
#16628 | tordns_enable option to disable dns resolving via tor | closed | Medium | | dgoulet
#16765 | torsocks should allow UDP connections to localhost when AllowOutboundLocalhost is set | closed | Medium | | dgoulet
#16991 | I think I've figured out why torsocks-ci-linux is failing on Jenkins! | closed | Medium | | dgoulet
#17340 | Add support for specifying Tor address and port from the command line | closed | Medium | | dgoulet
#17475 | Overflow when parsing config lines with many arguments | closed | Medium | | dgoulet
#17478 | Fix typos in comments | closed | Very Low | | dgoulet
#17479 | Allow port 65535 | closed | Low | | dgoulet
#17618 | Segfault in tsocks_accept4() if called through syscall() | closed | Medium | | dgoulet
#17743 | [torsocks] Detect elevated capability executables | closed | Medium | | dgoulet
#17760 | Torsocks doesn't quote variables, will choke on spaces and special characters in paths | closed | Medium | easy | dgoulet
#17936 | torsocks fails open on Mac OS X 10.11 | closed | Medium | | dgoulet
#17980 | Torify/Torsocks - Possible bug with OSX's default curl binary | closed | High | | dgoulet
#19376 | Fix a few torsocks bugs caused by unquoted variables | closed | Medium | | dgoulet
#20871 | Regression in Torsocks 2.2.0 breaks wget, among others | closed | High | | dgoulet
#21022 | Add several syscalls to src/lib/syscall.c (Torsocks breaks seccomp) | closed | High | | dgoulet
#21088 | Hide getcap error message in torsocks | closed | Low | AffectsTails | dgoulet
#21626 | Make error: undefined reference to 'helper_is_default_tor_running' | closed | Medium | | dgoulet
#22068 | Make it explicit that Torsocks won't work correctly in certain scenarios in the README | closed | Medium | easy, doc | dgoulet
#23667 | Always send ATYP 0x03 (domain name) with a plain IP address | closed | Medium | | dgoulet
#23715 | Support `memfd_create(2)` | closed | Medium | | dgoulet
#23876 | Torsocks getpeername() is broken for .onion addresses | closed | Medium | | dgoulet
#24081 | Torsocks logging to a file can cause a crash or corrupt application files. | closed | High | | dgoulet
#24140 | When I "torify ssh root@abcdefghijklmnop.onion" I get a error | closed | High | | dgoulet
#24960 | Torsocks not builds on old kernels where epoll_pwait isn't implemented | closed | Medium | | dgoulet
#24967 | torsocks fails to check SIP if the path itself is a symlink | closed | Medium | | Hello71
#24979 | torsocks could support ptrace sandboxing | closed | Low | | dgoulet
#25586 | gethostbyaddr_r doesn't populate h_addrtype field of output hostent struct | closed | Medium | | dgoulet
#25627 | tsocks_gethostbyaddr_r scribbles garbage over data->hostname and then relies on it | closed | Medium | | dgoulet
#25785 | Torsocks error. Symbol res_query, res_search, res_domain, res_querydomian not found. | closed | High | | dgoulet
#26794 | tsocks_gethostbyname_r does not assign result | closed | High | | dgoulet
#26888 | torsocks: --quiet option | closed | Medium | torsocks, quiet, option | dgoulet
#28539 | Build breaks on FreeBSD: undefined reference to `handle_mmap' | closed | Medium | | dgoulet
#28861 | torsocks: Unsupported syscall number 217 | closed | Medium | torsocks, syscall, 217 | dgoulet
#29092 | Unsupported syscall number 220 (getdents64) | closed | Medium | syscall | dgoulet
#29236 | After updating tor to 8.0.5, socks5 started to not work | closed | Immediate | bug socks5 | dgoulet
#19700 | torsocks does not work with "connectx" (in netcat / nc) | needs_information | High | | dgoulet
#26889 | torsocks: option to disable all network traffic | needs_information | Low | torsocks, option, disable network | dgoulet
#24037 | Use syscall blacklist rather than whitelist for torsocks | needs_review | Medium | | dgoulet
#24116 | Torsocks deadlocks every Rust program | needs_review | Medium | torsocks deadlock rust jemalloc | dgoulet
#28538 | [regression] torsocks uses linux-specific tsocks_libc_accept4 on FreeBSD | needs_review | High | | dgoulet
#28999 | Mention dependencies in INSTALL | needs_review | Very Low | | dgoulet
#3711 | Application support for optimistic data: Torsocks | needs_revision | Medium | performance roundtrip | sysrqb
#29000 | Let torsocks run from source directory | needs_revision | Very Low | | dgoulet
#6228 | NSS module for .onion DNS name resolution | new | Low | nss dns usability onion tor-hs | dgoulet
#21227 | Ship a git-remote-tor helper | new | Medium | | dgoulet
#23872 | torsocks hangs recent firefox versions | new | Medium | FUTEX_WAIT_PRIVATE hangs torsocks | dgoulet
#25884 | add support for exitmap requirements | new | Medium | | dgoulet
#26580 | torsocks complains about unknown system call #417 on FreeBSD | new | Medium | | dgoulet
#26821 | [torsocks] configure script from the tarball breaks | new | Medium | | dgoulet
#26831 | Feature: conditionally allow non-localhost inbound connections with command-line flag | new | Medium | | dgoulet
#27920 | "Resolve destination buffer too small" is unclear | new | Medium | | dgoulet
#28627 | [torsocks] AAAA replies from tor not handled | new | Medium | | dgoulet
#28688 | torsocks: Unsupported syscall errors in version 2.3.0 | new | Medium | | dgoulet
#28998 | torsocks popcon: [syscall] Unsupported syscall number 288 | new | Medium | | dgoulet
#29311 | Unsupported syscall number 427 and 180 on OS X on torsocks 2.2.0 | new | Medium | | dgoulet
Torify
adrelanos comment: the Torify component should probably be merged with the Torsocks component.
History
Moved to torsocks/History.