HowTo: Set Up TOR for a Single User, or as a LAN Gateway

~~   Foreword   ~~

The TOR Project (“The Onion Router”) is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.   It provides the foundation for a range of applications which allow organizations and individuals to share information over public networks without compromising their privacy.

  • Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, email, instant messaging services, IRC, or the like when these are blocked by their local Internet providers.   Tor’s ‘hidden services’ let users publish web sites and other services without needing to reveal the location of the site.   Individuals also use Tor for socially sensitive communication:   chat rooms and web forums for rape and abuse survivors, or people with illnesses.
  • Journalists use Tor to communicate more safely with whistleblowers and dissidents.
  • Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organization.
  • Groups such as Indymedia recommend Tor for safeguarding their members’ online privacy and security.   Groups including the Electronic Frontier Foundation (EFF) recommend TOR as a mechanism for maintaining civil liberties online.
  • A branch of the U.S. Navy (as well as other agencies) uses Tor for intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently.
  • Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

TOR is funded by the Electronic Frontier Foundation, Google, and the US National Science Foundation, among others.

We are going to have our choice of installing the TOR daemon for a single user, or into a VirtualBox virtual machine, so if there is a compromise they are trapped in the unprivileged VM.   VirtualBox isn’t my favorite and we’ll be switching over to Xen soon.   This TOR daemon will then be made available to all machines on the LAN through reverse SSH tunnels, as a generalized service.

~~   Background   ~~

He who cannot draw on 3,000 years, lives from hand to mouth.
   — Goethe

The first thing is to understand some concepts.   The way it works is you install a TOR daemon, which connects to the TOR network.   When you make a request it sends your packets into the TOR network, through a series of ‘relays’, and out an ‘exit node’ and onward to its destination.   The reason for this is the same as in the old MixMaster system:   to send your packets through various nodes and routes, stripping header data along the way, to obscure and eliminate any info showing where and who these packets may have come from.   Your packets are encrypted all the way, in many layers.

How do we know TOR is secure?   Because Anonymous uses it, and whatever their politics, they know their security.   They have never been caught except when they turned each other in, lol.   Because the Chinese Military hackers use TOR, and they were only caught when one of them visited his Facebook page through TOR and then without it, exposing his IP and identity.   Because when Silk Road was taken down, not one of the users was arrested, even as some were selling hard drugs.   And because the NSA hasn’t cracked it, at least as of two years ago, after eight years of trying.

Why would you want to be in such company?   Because they don’t define TOR, and they certainly aren’t the majority of users.   A number of very highly-regarded institutions have actually put up money for TOR because they know the quiet heroic work that’s being done on the system.   It’s just like any other effective tool — it can be used for good or bad.

TOR has ‘hidden services’, which are various functions you can use (only through TOR) such as IRC.   Freenode has two hidden services (p4fsi4ockecnea7l.onion, lgttsalmpw3qo4no.onion) which you just set as your IRC server;   I name mine Freenode-Tor. It’s easiest to use a TOR hidden service if your client has native SOCKS5 support;   I use Quassel.   Sometimes the hidden services go down because they’re being DDoSed and all their virtual circuits are taken, so I also have a backup regular Freenode account with another identity just in case.   Freenode requires that you be ‘registered’ in order to use the hidden service (which is counter-productive), so register a nick at the local library or on a business trip, and do not use that nick or the email with it on non-TOR services, if you’re serious about security.

Other hidden services are various underground websites, from the best to the worst.   Such as the ‘Silk Road’ (named after this), which is a TOR marketplace where all kinds of legal and illegal things were sold for bitcoins and eGold.   They were taken down by law enforcement a while back.   If you’re wondering, it was because the site owner actually bypassed TOR to administer it, amazingly.   The FBI claimed no dependence on the NSA, but compromised the site through a misconfiguration in the login screen.   The FBI said it typed “miscellaneous” information into the login, prompting an error message.   That error message contained the Icelandic IP address of the actual Silk Road server, lol.   And as Ross Ulbricht had allegedly administered it directly, his IP was in the logs, whereas users had only accessed it through TOR.

So how to get on to TOR?   This article is long because I’ve written it so you can learn;   it is not just rote commands.   So if you have the patience, you will be rewarded with more than success.   You won’t find this information any. where. else.

There are two over-arching ways to set up for TOR:

  • On your local machine running TOR Browser Bundle, or
  • By setting up a VirtualBox virtual machine running its own OS and TOR Browser Bundle.

By far, the more secure solution is the virtual machine as, if someone manages to compromise your TOR daemon, they will only end up in your (highly secure, stripped-down) virtual machine, with no way to get out.   Also with the VM, you can use different firewall rules than on your host machine, enhancing security.   And you can use it to route -all- of your internet traffic through TOR;   apt, irc, ftp, email, git, everything.   But you must not use the VM for anything else to preserve this isolation.

~~   Setting Up TOR Browser Bundle for One Machine   ~~

We’ll start with just installing on your local machine.   Go here and download the TOR Browser Bundle.   This is a complete and highly analyzed package that includes the TOR daemon, and the Tor Browser, which is Firefox 29 LTR highly modified to stop information leaks.   Install is easy enough, just de-archive it and put it in your user home directory.   This means move tor-browser_en-US (…or whatever nation you’re in) into your /home/{USER} directory, and set permissions all the way down for your user. ($ sudo chown -R {USER}:{GROUP} /home/{USER}/tor-browser_en-US)

TOR outgoing is going to want to use all of your outgoing ports, but don’t let it.   That is just way too many ports to have open.   On your firewall only open the main TOR ports outgoing, and you’ll be fine:   TCP   443, 4404, 9001, 9090, 9101.

To run it:
$ ~/tor-browser_en-US/start-tor-browser
… and it will start the TOR daemon. (-Never- run it as sudo or as #)   The TOR daemon will connect to the TOR network, and then start the TOR Browser, whereupon you can start surfing.   To make it easier, let’s make a Menu item (XFCE):
– Start|Settings|MainMenuEditor
– Click Internet and New Item.
   * Name:   Tor Browser
   * Command:   ~/tor-browser_en-US/start-tor-browser
   * Icon:   one of these:   Firefox-tor, Tor2

Now you will find TOR Browser in Start|Internet.

Needless to say, this will be a separate browser from the one you usually use, and it will always go through TOR.   You can export/import your regular bookmarks, but they will be lost the next time you upgrade TBB, so be sure before you upgrade, to Bookmarks|ShowAllBookmarks|Backup somewhere safe.

Can you set your regular browser for the TOR SOCKS5 proxy (9150)?   Sure but it’s not a good idea because, unless specifically hardened, any browser absolutely leaks information, particularly IE and Chrome.   If you (unwisely) decide to do this anyway, do not set any proxy other than SOCKS.

You’ll always know when an upgrade for the TBB is available;   the Torbutton (onion in upper-right) will start flashing a warning.

To upgrade just:

  • Backup bookmarks;
  • Download the new version;
  • Unarchive, set aside your old one (.old), and put the new one there;
  • Set permissions;
  • Install addons;
  • Restore bookmarks.

No other changes are necessary.   This is a very good approach as, who knows what ne’er-do-wells will figure out how to stuff tracking and other junk into your files, and with this method you always start fresh.   It is a good idea to upgrade when TorButton starts flashing, because there is always a good reason for the new version.   It is not a good idea to install any addons other than those recommended by the TOR Project, as they could be a vector for compromise or leakage.

    Check your Tor Browser Addons and you may find they are disabled — so enable them.   You’ll find that the TOR Browser has the NoScript addon.   This will break many sites, but will protect you when it is needed the most as almost all drive-by malware is propagated with Javascript.   If you are sure, you can use the NoScript pulldown to enable any site you think is safe, but don’t enable more than is necessary.   I Temporarily Allow a lot, and I mark known troublemakers like doubleclick, as Untrusted.   NoScript needs some settings set, so right-click NoScript and Options:

  • Appearance – Check Contextual, Allow, Temp Allow, Mark Untrusted, Allow Scripts Globally, About, Blocked Objects, Temp allow all this page, Revoke temp permission.
  • Consider also installing HTTPS Everywhere from the EFF, RefControl to spoof your referrer (‘Forge’), and maybe Adblock Edge and Element Hiding Helper.

    Now that you’re onboard the DarkNet, the https://kpvz7ki2v5agwt35.onion.to/wiki/index.php/Main_Page – Hidden Wiki is a must-see.   Don’t worry about looking around, as long as you don’t disable NoScript.

    ~~   Setting Up a TOR Browser Bundle Gateway for the LAN   ~~

    If running the Tor Browser Bundle on one machine, and only for browsing, is too limited for you, you might consider setting up a Tor Gateway Server.   There are several advantages.   With it:

    • The Tor Browser Bundle is running in a stripped-down virtual machine, so if the daemon is ever compromised they will end up confined in the VM, as a non-privileged user.
    • You have one Tor Gateway which serves your whole LAN, to ease multiple configuration.
    • You can set up any app which accesses The Internets to route through the TOR network, including apt-get, wget, git, svn, and everything else.

    This section is intended for the intermediate to advanced Linux user, but it is written in such a way that a determined n00b could probably suss it out.   It is Debian-centric.

    == Creating the Virtual Machine ==

    Science Content

    When you reach through TOR to a destination, you have made a persistent ‘virtual circuit’.   TCP is “stateful”, meaning that it maintains this virtual circuit throughout the session and always knows what’s going on with it, as opposed to UDP which is a one-shot deal but much faster.   The problem is, staying on one circuit for too long as TCP does could conceivably make you traceable, however remote the possibility.   So it is good practice to change ports in some way, for the best possible security.   TOR does this automatically at least every 10 minutes or so, and we will do this for non-Browser apps with a utility called proxychains4.   But the important thing to know for now is that you need multiple TOR ports served to the LAN to make this work.   I have fifteen, which I have proxychains4 rotate randomly through for me.   Ten ports may be reasonable.

    In my case, I run most daemons (servers) on my home theater computer, which is the biggest machine on the LAN.   It’s on this machine where we’ll build the Tor Gateway in a VirtualBox virtual machine, so get thee to that server machine forthwith and with alacrity.

    ON THE SERVER MACHINE

    $ pacman -S virtualbox linux38-virtualbox-host-modules virtualbox-guest-dkms virtualbox-guest-iso virtualbox-guest-utils virtualbox-host-dkms net-tools qt4 lsof
    … assuming you’re running linux kernel 3.8. (# uname -r) Otherwise substitute whatever you have, for 38.
    Add your user to the right group:
    $ gpasswd -a {USER} vboxusers
    … (substituting your username for {USER})

    You should now be able to run the vbox manager from Start|System|OracleVMVirtualBox . (I always put my VMs on Desktop 3 with DevilsPie, but that’s optional) New, and
    * Name: Gateway
    * Type: Linux
    * Version: Arch Linux (64bit)
    * Memory: 717MB
    * Create a virtual hard drive now
    * VMDK (so you can mount it later with FUSE)
    * Dynamically allocated
    * Size: 10GB

    Now you have your new instantiation in the list, named Gateway. Click that, and Settings.
    * General|Advanced and Clipboard and DragNDrop Disabled.
    * System|Motherboard and IO APIC and Hardware clock in UTC x-ed.
    * System|Acceleration and make sure that both are x-ed. Also when the first one is x-ed, you -must- make sure that Virtualization Support is enabled in your machine’s BIOS. If you get a weird error when trying to start the VM, uncheck Enable VT-x.
    * Display|Video|VideoMemory 128MB
    * Storage|(Empty CD) check Live CD, then click the CD image and “Choose a CD/DVD Disk File”, and point it at your shiny new Manjaro.iso image on the Server.
    NOTE: If you’ll be using BTRFS (as I do) there have been reports that OS disk images would not start if they were attached via a virtual SATA device. This can be fixed by enabling in Controller:SATA, use of the host I/O cache (which is disabled by default).
    * Network|Adapter1 Set it to BridgedAdapter, eth0 — This is our internet-looking interface. It bridges -around- the Server (host) system and sets its interface right on the LAN next to the Server’s, looking at the router (gateway setting).
    * Network|Adapter2 Set it to Enable, NAT — This interface is our internal LAN adapter, and it is how we will pass our inward-looking Tor ports to the Server (host) system. We will set the ports to forward from inside the virtual machine at 127.0.0.1, to the Server (host) system at 127.0.0.1. These will be the many TOR ports we set up, for random use. I have 15, but a reasonable number is probably 10. So, Advanced and hit Port Forwarding, set the lines to:

    Name   Protocol   Host IP     Host Port   Guest IP   Guest Port
    9151   TCP        127.0.0.1   9151                   9151
    9152   TCP        127.0.0.1   9152                   9152
    9153   …
    And so on, down to 9160. These can be any arbitrary set of ports you want, as long as they are non-privileged. It is important to leave GuestIP -blank-, so it will automatically fill in whatever IP the Guest gets from vbox via DHCP.
    * Hit .
    * USB and de-x Enable USB controller. Any extras constitute a security hazard.
    * Shared Folders, don’t bother to add one because we will not be installing Guest Additions. (Again, for security) If you need to transfer files to, or backup from the VM you can mount the virtual disk with the FUSE module.

    Save your Settings, and your new VM is ready.

    ===Install Manjaro and Tor Browser Bundle in the Virtual Machine===

    Now hit Gateway and Start. You should come up with the Manjaro GUI Install screen. No need to choose the non-free option (as you usually would), so just hit the first one. It will boot to the Live desktop and you’re ready to install.

    But first:
    * If the IPs on your network are static (not DHCP; static is recommended), the first thing to do, on the Gateway Manjaro desktop, is to right-click the Network icon in the upper-left and EditConnections. Set Interface 1 to some unused IP in your class C range and save. You might ping somewhere to confirm it works.
    * If you use DHCP, it will work without change.

    Hit the Install icon in the lower-left and do a normal install of Manjaro. I won’t go into detail, but I would set it up with
    */dev/sda1 100MB, ext3, /boot
    */dev/sda2 (remainder), jfs, /
    *… and encrypt /.
    *Nope, no swap; this is a limited machine and we should never run out of memory unless something goes wrong.

    Please don’t use ext4; it still has a corruption problem on power-fails, and does a lot of unnecessary disk access. And choose a different username than you usually do, maybe of a hero like oh, for example nader.

    Then shut down the install when it’s done. In vbox manager hit Gateway|Settings|Storage and uninstall that Manjaro.iso from DVD. Save, and boot your new OS.

    Now you have your Gateway OS booted and ready to set up. Use the NetworkMangler icon in the system tray to set up the interfaces.
    *Set interface 1 to a static IP that’s not yet used on your LAN, Netmask 255.255.255.0 and Gateway to the IP of your router. Remember that interface 1 is set to Bridging, which means it reaches around the host system and has an interface sitting next to the Host’s right on your LAN. This means that, unlike NAT, its accesses never go through the Host machine; the Host is never involved in the Guest’s transactions, increasing security. (Diversion is done in Layer 2, so is quite secure)
    *Set interface 2 to DHCP so it will get a private IP from the vbox driver, probably in the 10.0.3.* range.

    You should now have internet.

    $ sudo passwd root
    {password: manjaro}
    {Change your root password. – No, your usual one is not secure (https://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/). Take a sentence from a poem by Frost, Poe (https://en.wikipedia.org/wiki/Edgar_Allan_Poe#Selected_list_of_works), or Thoreau (https://en.wikipedia.org/wiki/Walden;_or,_Life_in_the_Woods), and use the first letter of each word (including commas), scattering a number or symbol or two in there. Memorize that sentence and you have it made}
    $ pacman -S lsof

    Right away, set up the firewall of your choice. (I use Shorewall) You may want to start by editing /etc/services, which is where you define the name for ports. It may help in setting up your firewall, and at the least will be a reference to help you remember the ports. At the top of the file:
    #*********************************************
    tor1 4404/tcp
    tor2 9001/tcp
    tor3 9090/tcp
    tor4 9101/tcp
    tor51 9151/tcp
    tor52 9152/tcp
    tor53 9153/tcp
    tor54 9154/tcp
    tor55 9155/tcp
    tor56 9156/tcp
    tor57 9157/tcp
    tor58 9158/tcp
    tor59 9159/tcp
    tor60 9160/tcp
    #*********************************************
    … and save services.

    This is long enough already so I won’t explain how to set up Shorewall, but here is the relevant part of my rules file:
    # Silently DROP FIN scans, etc:
    Invalid(DROP) net all tcp

    ACCEPT $FW net tcp http,https,tor1,tor2,tor3,tor4 -
    ACCEPT $FW net udp https -
    ACCEPT local $FW tcp tor51,tor52,tor53,tor54,tor55,tor56,tor57,tor58,tor59,tor60 -
    So, this allows TOR outgoing ports from the Guest to the internet, and allows TOR incoming ports from the LAN to the Guest. Nothing else can get in or out. (My https/udp rule is dnscrypt, which is a whole ‘nother bag of worms)

    So our firewall is set and running in the Guest. Now we go get TOR Browser Bundle (https://www.torproject.org/projects/torbrowser.html.en). Be sure to get the Linux 64bit version, and de-archive it into your user directory. In my case it is /home/nader/tor-browser_en-US.

    To make this more convenient to run, let’s make a menu entry. Start|MainMenuEditor and hit Internet and New Item.
    *Name: Tor Gateway
    *Command: /home/nader/tor-browser_en-US/start-tor-browser
    *Icon: (one of the icons above)

    Now you have easy access in Start|Internet|Tor Gateway. Let’s try it! It should first come up with Vidalia, the TOR client, which will cogitate as it works to establish connexions with TOR servers out there. When it’s ready it’ll come up with that sweet green onion icon. Then it will automatically invoke Tor Browser, which should come up Connected to TOR. Well that’s great, but it’s not quite ready yet, so kill the browser and hit Vidalia Exit.

    Wouldn’t it be nice to be able to upgrade the TOR Browser Bundle whenever we want, with only a minimum of fuss? Let’s set that up.
    $ sudo mkdir /etc/tor
    $ cd /home/nader/tor-browser_en-US/Data/Tor
    $ sudo mv torrc /etc/tor
    $ ln -s /etc/tor/torrc .
    $ cd /etc/tor

    Edit torrc and put these lines toward the top:
    #*********************************************
    AvoidDiskWrites 1

    # Take advantage of randomizer in proxychains
    SocksPort 10.0.3.15:9151
    SocksPort 10.0.3.15:9152
    SocksPort 10.0.3.15:9153
    SocksPort 10.0.3.15:9154
    SocksPort 10.0.3.15:9155
    SocksPort 10.0.3.15:9156
    SocksPort 10.0.3.15:9157
    SocksPort 10.0.3.15:9158
    SocksPort 10.0.3.15:9159
    SocksPort 10.0.3.15:9160
    #*********************************************
    Of course substitute your interface2 IP for my 10.0.3.15. (Get the IP with # ifconfig)

    Save that file, and test Vidalia. First of all make sure it goes to the green onion icon, and second that there are no Messages. If it runs, let’s check our ports!
    $ sudo lsof -i -n -P |grep 9151
    ssh 2157 root 4u IPv4 20749 0t0 TCP 127.0.0.1:9151 (LISTEN)
    $ sudo lsof -i -n -P |grep 9152
    ssh 2158 root 4u IPv4 17925 0t0 TCP 127.0.0.1:9152 (LISTEN)
    … etc.

    Now let’s set TBB to start whenever the machine boots.
    Start|Settings|SessionAndStartup|ApplicationAutostart and Add

    * Name: Tor Gateway
    * Command: /home/nader/tor-browser_en-US/start-tor-browser

    With this, you now have your Gateway complete. The TOR server is running, its listening ports are set, and all are forwarded to the Host for service.

    Every couple of months a new release of the TBB comes out, and it is important to upgrade when that happens as there is always a good reason. You’ll know because the onion icon will unmistakably flash a warning. To upgrade all you’ll have to do is download the new version, set aside the old, and de-archive the new version there.

    BUT you must put in your notes to -not fail- to symlink /home/nader/tor-browser_en-US/Data/Tor/torrc from /etc/tor/torrc (as above), or else none of your normal ports will present. /etc/tor/torrc has your permanent custom settings.
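The upgrade steps described here and in the single-machine section above (set the old bundle aside as .old, unpack the new one in its place, set permissions, and on the Gateway re-create the torrc symlink), as an added shell script that is not part of the original article. It assumes the bundle layout the article uses (Data/Tor/torrc inside the bundle directory), checks a detached .asc signature with gpg only if you downloaded one next to the archive, and makes the Gateway-only symlink only when a third argument names the permanent torrc.

```shell
#!/usr/bin/env bash
# Upgrade an unpacked Tor Browser Bundle: verify the download when a signature is
# present, set the old copy aside as .old, unpack the new one into its place, fix
# permissions, and (Gateway only) re-create the Data/Tor/torrc symlink so the
# permanent /etc/tor/torrc settings survive the upgrade.
#
#   install_tbb ARCHIVE DEST [TORRC]
#     ARCHIVE  the downloaded tor-browser-linux*.tar.* file
#     DEST     where the bundle lives, e.g. /home/nader/tor-browser_en-US
#     TORRC    permanent torrc to link in, e.g. /etc/tor/torrc (omit on Clients)

install_tbb() {
    local archive="$1" dest="$2" torrc="${3:-}"
    local parent tmp top

    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }

    # If the detached .asc signature sits beside the archive, require it to verify.
    if [ -f "$archive.asc" ]; then
        gpg --verify "$archive.asc" "$archive" >/dev/null 2>&1 \
            || { echo "signature check FAILED for $archive" >&2; return 1; }
    else
        echo "warning: $archive.asc not found, signature not verified" >&2
    fi

    # Unpack into a scratch directory first so a corrupt archive never clobbers
    # the working install.
    parent=$(dirname "$dest")
    tmp=$(mktemp -d "$parent/.tbb-new.XXXXXX") || return 1
    if ! tar -xf "$archive" -C "$tmp"; then
        rm -rf "$tmp"; echo "could not unpack $archive" >&2; return 1
    fi
    top=$(find "$tmp" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    if [ -z "$top" ]; then
        rm -rf "$tmp"; echo "$archive has no top-level directory" >&2; return 1
    fi

    # Set the old bundle aside as .old and move the new one into place.
    if [ -d "$dest" ]; then
        rm -rf "$dest.old"
        mv "$dest" "$dest.old"
    fi
    mv "$top" "$dest" || return 1
    rmdir "$tmp"

    # Permissions all the way down for the invoking user.
    chown -R "$(id -u):$(id -g)" "$dest"

    # Gateway only: replace the bundle's own torrc with a symlink to the permanent
    # one (the step the text says not to forget). Assumes the Data/Tor layout.
    if [ -n "$torrc" ]; then
        [ -f "$torrc" ] || { echo "permanent torrc $torrc not found" >&2; return 1; }
        mkdir -p "$dest/Data/Tor"
        rm -f "$dest/Data/Tor/torrc"
        ln -s "$torrc" "$dest/Data/Tor/torrc"
    fi
}

# Example invocation on the Gateway, with the paths used in the text:
#   install_tbb ~/Downloads/tor-browser-linux64-*.tar.xz /home/nader/tor-browser_en-US /etc/tor/torrc
```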

    ===Setting Up On Client Machines===

    So now we have our Server machine, which is running the Tor Gateway in a vbox VM. This VM is forwarding the TOR ports (9151-9160) to its host, the Server. The server should now have all of these ports listening, so check it:
    $ sudo lsof -i -n -P | grep 915
    ssh 4248 root 4u IPv4 49401 0t0 TCP 127.0.0.1:9158 (LISTEN)
    ssh 4249 root 4u IPv4 50290 0t0 TCP 127.0.0.1:9155 (LISTEN)
    ssh 4250 root 4u IPv4 49403 0t0 TCP 127.0.0.1:9153 (LISTEN)
    ssh 4253 root 4u IPv4 49428 0t0 TCP 127.0.0.1:9151 (LISTEN)
    ssh 4256 root 4u IPv4 49431 0t0 TCP 127.0.0.1:9156 (LISTEN)
    ssh 4257 root 4u IPv4 49433 0t0 TCP 127.0.0.1:9157 (LISTEN)
    ssh 4259 root 4u IPv4 49437 0t0 TCP 127.0.0.1:9152 (LISTEN)
    ssh 4261 root 4u IPv4 49438 0t0 TCP 127.0.0.1:9159 (LISTEN)
    ssh 4262 root 4u IPv4 49440 0t0 TCP 127.0.0.1:9154 (LISTEN)
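The port check above, and the same check on each Client once its tunnels are up, as an added shell script that is not from the original article. It reads `sudo lsof -i -n -P` output, reports any of the ten ports (9151-9160, as configured above) with no listener, and flags a Tor port bound to anything other than loopback, since a SOCKS port sitting on 0.0.0.0 or the LAN address would let any machine on the network send traffic out through your gateway without the SSH tunnel. The sample listing embedded in it is constructed.

```shell
#!/usr/bin/env bash
# Verify the forwarded Tor SOCKS ports on the Server (host) or a Client:
# every expected port must have a listener, and only on 127.0.0.1.
# Input is the text of `sudo lsof -i -n -P` (any line holding "ADDR:PORT (LISTEN)").

# The ten ports configured in torrc and the vbox port forwards above.
TOR_PORTS="9151 9152 9153 9154 9155 9156 9157 9158 9159 9160"

# listener_addrs LISTING PORT
# Prints one bound address per listener found for PORT (e.g. 127.0.0.1, 0.0.0.0, *).
listener_addrs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    addr = $i
                    sub(":" port "$", "", addr)
                    print addr
                }
            }
        }'
}

# check_tor_ports LISTING
# Prints one MISSING/EXPOSED line per problem; returns 0 only when every port is
# present and bound to loopback.
check_tor_ports() {
    local listing="$1" port addrs addr status=0
    for port in $TOR_PORTS; do
        addrs=$(listener_addrs "$listing" "$port")
        if [ -z "$addrs" ]; then
            echo "MISSING $port: no listener (check the SSH tunnel / vbox forward / torrc SocksPort)"
            status=1
            continue
        fi
        for addr in $addrs; do
            case "$addr" in
                127.0.0.1|\[::1\]) ;;   # loopback only: as intended
                *) echo "EXPOSED $port: bound to $addr, reachable from beyond this machine"
                   status=1 ;;
            esac
        done
    done
    return "$status"
}

# Constructed sample in the shape of the listing above: 9154 is missing and
# 9160 has been bound to every interface instead of loopback.
SAMPLE_BAD='ssh   4248 root 4u IPv4 49401 0t0 TCP 127.0.0.1:9158 (LISTEN)
ssh   4249 root 4u IPv4 50290 0t0 TCP 127.0.0.1:9155 (LISTEN)
ssh   4250 root 4u IPv4 49403 0t0 TCP 127.0.0.1:9153 (LISTEN)
ssh   4253 root 4u IPv4 49428 0t0 TCP 127.0.0.1:9151 (LISTEN)
ssh   4256 root 4u IPv4 49431 0t0 TCP 127.0.0.1:9156 (LISTEN)
ssh   4257 root 4u IPv4 49433 0t0 TCP 127.0.0.1:9157 (LISTEN)
ssh   4259 root 4u IPv4 49437 0t0 TCP 127.0.0.1:9152 (LISTEN)
ssh   4261 root 4u IPv4 49438 0t0 TCP 127.0.0.1:9159 (LISTEN)
ssh   4270 root 4u IPv4 49450 0t0 TCP 0.0.0.0:9160 (LISTEN)
sshd   912 root 3u IPv4 18122 0t0 TCP *:22 (LISTEN)
ssh   4271 root 5u IPv4 49451 0t0 TCP 127.0.0.1:9160->127.0.0.1:40210 (ESTABLISHED)'

# Run against the live machine with: ./check_tor_ports.sh --live
# Without --live it demonstrates the report on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    check_tor_ports "$(sudo lsof -i -n -P)"
else
    check_tor_ports "$SAMPLE_BAD"
fi
```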

    The next thing is we want to extend those ports to other machines on the LAN or elsewhere, securely. The way I suggest to do that is with ‘reverse SSH tunnels’ (see my article Port Forwarding With Reverse SSH Tunnels), which means the Client machine reaches out to the Server to set up an SSH tunnel, which then transports the Server’s port to the Client machine. I am told that port-forwarding can be done with VPN, but I don’t trust that; you know that every corporation in the world uses VPN, and there are lots of ‘sploits.

    Please go through my article on this and set up tunnels on each client machine you wish to use the TOR Gateway on. Once this is done, on each Client you should be able to lsof and see all of the TOR ports on 127.0.0.1, as above.

    It’s important to understand that you can only TORify TCP traffic. So no ping or DNS. For traceroute I recommend tcptraceroute. For DNS it has to be dnscrypt+unbound, but that’s for another article.

    Good job, we’re almost there.

    ===Tor Browser===

    On my Client machines, for browsing I use the Tor Browser 90% of the time. Install the Tor Browser Bundle on each client by de-archiving it and putting it in /home/{USER}/tor-browser_en-US. (or whatever country you’re in) BUT we won’t be running the whole TBB, only the browser, so we’re going to set it up a special way. No changes are required to the TBB (unlike on the Gateway), so it is easy to upgrade. We will make a special menu entry and a special settings directory though, so you can set bookmarks and settings all you want and never lose them.

    $ cd ~
    $ mkdir .mozilla-tor
    $ cp -r tor-browser_en-US/Data/prof* .mozilla-tor
    … so all the secure Tor Browser settings are transferred to a known and obvious place. (profile is a directory, hence the -r)

    Start|Settings|MainMenuEditor|Internet and New Item

    * Name: Tor Browser
    * Command: /home/{USER}/tor-browser_en-US/App/Firefox/firefox-bin -profile /home/{USER}/.mozilla-tor/profile
    * Icon: {the tor-browser icon above}

    Start your Tor Browser, but it will find that it is not on the TOR network.
    Edit|Preferences|Advanced|Network|Connection|Settings
    … and make sure that only the SOCKS proxy has info in it. Change SOCKS5 IP and port to 127.0.0.1:9156, or any of the others we’ve set up.

    That’s not all. The TorButton is an addon which sets and maintains security settings, and is just to the right of the Reload button. Left-click and Preferences. Set your same TOR port here too, and OK.

    Now you’re ready to TOR. Reload the TOR check page and it should find that you are TORring. Feel free now to visit the Hidden Wiki (https://kpvz7ki2v5agwt35.onion.to/wiki/index.php/Main_Page) and other .onion sites. Check some of my tips above, in the section on setting up TOR Browser Bundle for one machine.

    True, you aren’t rotating ports here, but that’s not a feature of the Tor Browser yet. We’ll rotate ports with other apps.

    One addon that comes with Tor Browser is NoScript (https://addons.mozilla.org/en-us/firefox/addon/noscript/). This prevents execution of Java and Javascript, which is the only vector for drive-by virii on malicious web pages. It keeps you safe. But sometimes it blocks desired behavior like pulldown menus on a news site, so you can selectively enable sites with the NoScript pullup button. About 5% of sites that I’ve come across simply do not work in the Tor Browser, so for those I use Konqueror with no proxy.

    Half the time, browsing on TOR is OK for speed, but at times it can get pretty slow. So I’ve installed an addon to my Tor Browser called Proxy Selector. This lets me change proxies with an easy pull-down button which I’ve put up next to the TorButton. In Proxy Selector I’ve created one called Tor, and another called squid. Squid is a web object cacher which greatly speeds up surfing, and if set up correctly (see my Squid Web Object Cacher tutorial) it will anonymize your headers (preventing info leaks) and make you look like a Google bot. (User Agent) So it is easy to choose TOR or Squid as I like, with a nice pulldown. Please consider doing my Squid tutorial to give yourself a choice, because on those slow TOR days, you’ll want it. Needless to say, Squid will run on the Server and the port will be shared through a reverse SSH tunnel.

    I always leave everything running on TOR all the time, except some web browsing. The dwell time is negligible.

    ===EMail===

    ====Thunderbird====

    The next app you may be concerned with is email. I use Thunderbird, which has native SOCKS5 support. It’s OK to use SOCKS4a and SOCKS5, but -do not- use SOCKS4 because it transmits your credentials in the clear. TOR is Socks5. So install Thunderbird and the TorBirdy addon (https://addons.mozilla.org/en-us/thunderbird/addon/torbirdy/).
    * Edit|Preferences|Advanced|Network|Settings
    * Set SOCKS host to 127.0.0.1:9160 (or whatever other TOR port you want)

    Again, with native SOCKS support we lose port randomization, but you can’t have everything. I believe that you must also set the proxy port in Tools|Addons|TorBirdy|Preferences, but I’m not in a position to check that.

    ==== Editorial Comment ====
    Now, TorBirdy is going to disable some features that you might like, such as automatic email checking (!), and HTML emails both directions. But what’s the use of email if it doesn’t check automatically? Their rationale is that checks on a regular basis could be subject to a correlation attack, but I just set the check interval to a different time for each account. And as to no HTML email; I see where they’re hyper-coming from, but as long as you’re set to not download outside references (webbugs, iframes) or execute javascript (all, defaults), and as long as you don’t claim your ‘winnings’ from that lottery you didn’t enter, or open random attachments, or buy penis pills, you’ll be fine. So I installed TorBirdy and let it make its settings, and then I disabled it and set interval email checking and HTML for most accounts. Then I went through this hardening tutorial: https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail/Thunderbird

    ===IRC===

    I dig IRC. You can get instant answers to almost all questions (as long as you’re polite and respectful). You want to look for an IRC client which natively supports SOCKS5 proxying. I use Quassel.

    ====Quassel====

    Set up irc.mozilla.org (#firefox, #thunderbird) and others that do not have a TOR hidden service. You are still TORring them all:
    * Settings|ConfigureQuassel|IRC|Networks and Add.
    * Add a server
    * Set proxy in Advanced to 127.0.0.1:9158 (or whatever TOR port)

    Freenode is the largest IRC server in the world. I don’t really like it though because you can not set a TOR proxy without logging in, because they’ll G-line you. BUT they do have two hidden services, which are TOR aliases to their system. There is a catch, and that is you must have a registered nick with Freenode, or they won’t let you use the hidden service. It’s a sneaky way of getting your IP because by definition you must register a nick in the clear. So my advice is to register your nick at the library, or on a business trip; and use an email for it that you don’t use for anything else. (TorMail?) Choose a nick that you’ll only use in TOR IRC. Then you can set up your Freenode service. In Quassel:
    * Settings|ConfigureQuassel|IRC|Networks|Add and ManuallySpecify:
        NetworkName: Freenode-Tor
        ServerAddress: p4fsi4ockecnea7l.onion
        Port: 7000
        ServerPassword: {your password}
        UseSecure: {checked}
    Now you’ll see Freenode-Tor in the upper list and its hidden service in the lower one.
    * Hit the wrench and set your TOR nick.
    * In the lower pane hit Add, so we can add the second Freenode hidden service:
        ServerAddress: lgttsalmpw3qo4no.onion
        Port: 7000
        ServerPassword: {your password}
        UseSecure: {checked}
    * Then Advanced:
        SSL Version: SSLv3
        UseProxy: {checked}
        ProxyType: Socks 5
        Proxy Host: 127.0.0.1
        Port: 9156 {or whatever}
    * Now edit p4fsi4ockecnea7l.onion and set its proxy.
    And now set a #channel and try it! You are fully TORred, and SSLed from end-to-end.

    '''OFTC''''s hidden service is 37lnq2veifl4kar7.onion and SSL port 6697. (#tor, #nottor, #tor-dev, #https-everywhere) Remember to set the TOR port in Advanced|Proxy, or else you won’t be connecting through TOR.

    ===Other Apps===

    You can TOR any application that hits the internet. But you must do this by routing its calls through a ‘torifier’ called proxychains. It’s easy, it works great, and you only have to set it up once. On your client machine:
    :$ yaourt -S proxychains-ng
    Now edit /etc/proxychains.conf and make it look like this:

    # proxychains.conf  VER 4.x
    #
    #        HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.
    
    
    # The option below identifies how the ProxyList is treated.
    # only one option should be uncommented at time,
    # otherwise the last appearing option will be accepted
    #
    #dynamic_chain
    #
    # Dynamic - Each connection will be done via chained proxies
    # all proxies chained in the order as they appear in the list
    # at least one proxy must be online to play in chain
    # (dead proxies are skipped)
    # otherwise EINTR is returned to the app
    #
    #strict_chain
    #
    # Strict - Each connection will be done via chained proxies
    # all proxies chained in the order as they appear in the list
    # all proxies must be online to play in chain
    # otherwise EINTR is returned to the app
    #
    random_chain
    #
    # Random - Each connection will be done via random proxy
    # (or proxy chain, see  chain_len) from the list.
    # this option is good to test your IDS :)
    
    # Make sense only if random_chain
    #chain_len = 2
    chain_len = 1
    
    # Quiet mode (no output from library)
    #quiet_mode
    
    # Proxy DNS requests - no leak for DNS data
    proxy_dns 
    
    # set the class A subnet number to use for the internal remote DNS mapping
    # we use the reserved 224.x.x.x range by default,
    # if the proxified app does a DNS request, we will return an IP from that range.
    # on further accesses to this ip we will send the saved DNS name to the proxy.
    # in case some control-freak app checks the returned ip, and denies to 
    # connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x.
    # of course you should make sure that the proxified app does not need
    # *real* access to this subnet. 
    # i.e. don't use the same subnet as in the localnet section
    #remote_dns_subnet 127 
    #remote_dns_subnet 10
    remote_dns_subnet 224
    
    # Some timeouts in milliseconds
    tcp_read_time_out 15000
    tcp_connect_time_out 8000
    
    ### Examples for localnet exclusion
    ## localnet ranges will *not* use a proxy to connect.
    ## Exclude connections to 192.168.1.0/24 with port 80
    # localnet 192.168.1.0:80/255.255.255.0
    
    ## Exclude connections to 192.168.100.0/24
    # localnet 192.168.100.0/255.255.255.0
    
    ## Exclude connections to ANYwhere with port 80
    # localnet 0.0.0.0:80/0.0.0.0
    
    ## RFC5735 Loopback address range
    ## if you enable this, you have to make sure remote_dns_subnet is not 127
    ## you'll need to enable it if you want to use an application that 
    ## connects to localhost.
    # localnet 127.0.0.0/255.0.0.0
    
    ## RFC1918 Private Address Ranges
    # localnet 10.0.0.0/255.0.0.0
    # localnet 172.16.0.0/255.240.0.0
    # localnet 192.168.0.0/255.255.0.0
    
    localnet {YOUR LAN CLASS C HERE}/255.255.255.0
    
    # ProxyList format
    #       type  ip  port [user pass]
    #       (values separated by 'tab' or 'blank')
    #
    #       only numeric ipv4 addresses are valid
    #
    #
    #        Examples:
    #
    #            	socks5	192.168.67.78	1080	lamer	secret
    #		http	192.168.89.3	8080	justu	hidden
    #	 	socks4	192.168.1.49	1080
    #	        http	192.168.39.93	8080	
    #		
    #
    #       proxy types: http, socks4, socks5
    #        ( auth types supported: "basic"-http  "user/pass"-socks )
    #
    [ProxyList]
    # add proxy here ...
    # meanwhile
    # defaults set to "tor"
    #socks5 	127.0.0.1 9050
    socks5 	127.0.0.1 9151
    socks5 	127.0.0.1 9152
    socks5 	127.0.0.1 9153
    socks5 	127.0.0.1 9154
    socks5 	127.0.0.1 9155
    socks5 	127.0.0.1 9156
    socks5 	127.0.0.1 9157
    socks5 	127.0.0.1 9158
    socks5 	127.0.0.1 9159
    socks5 	127.0.0.1 9160

    You’ll notice this is where we have it choose a random port from our complement. I’ve checked the randomizer algo and it is good. The dev is great to work with on IRC; he was surprised with what I was doing.

    Then all you have to do is make the intercept script. Check where Linux looks for commands you specify:
    :$ echo $PATH
    :”/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/cuda5-toolkit/bin:/opt/cuda/bin:/usr/bin/vendor_perl:/usr/bin/core_perl:/usr/local/share/android-sdk-linux/tools:/usr/local/share/android-sdk-linux/platform-tools”

    Notice that /usr/local/bin comes before /usr/bin? /usr/bin is where most commands are located, so when you put an intercept script in /usr/local/bin, -it- will be what’s executed rather than the normal one, since $PATH defines search order. So, we want to proxy pacman through TOR.
    :$ sudo nano /usr/local/bin/pacman

    #!/bin/bash
    
    # Intercept wrapper: route pacman through TOR via proxychains.
    # "$@" (rather than $*) passes every argument through intact, including
    # arguments that contain spaces. The real binary is named by absolute
    # path so the wrapper never finds itself again through $PATH.
    /usr/local/bin/proxychains4 /usr/bin/pacman "$@"
    
    

    :(Always make sure to have an empty line after the command, so it will get executed)
    :Ctrl+O to save, Ctrl+X to exit
    :$ sudo chmod +x /usr/local/bin/pacman

    Now try it:
    :$ pacman -Syu
    :”[proxychains] config file found: /etc/proxychains.conf”
    :”[proxychains] preloading /usr/local/lib/libproxychains4.so”
    :”[proxychains] DLL init”
    :”:: Synchronizing package databases…”
    :”[proxychains] Random chain … 127.0.0.1:9165 … spiralinear.org:80 … OK”
    :” core 111.0 KiB 118K/s 00:01 [############################] 100%”
    :”[proxychains] Random chain … 127.0.0.1:9151 … spiralinear.org:80 … OK”
    :”error: failed retrieving file ‘extra.db’ from spiralinear.org : Operation too slow. Less than 1 bytes/sec transferred the last 10 seconds”
    :”[proxychains] Random chain … 127.0.0.1:9156 … mirror.jmu.edu:80 … OK”
    :” extra 1552.4 KiB 253K/s 00:06 [############################] 100%”
    :”[proxychains] Random chain … 127.0.0.1:9165 … spiralinear.org:80 … OK”
    :” community 1954.0 KiB 167K/s 00:12 [############################] 100%”
    :”[proxychains] Random chain … 127.0.0.1:9163 … spiralinear.org:80 … OK”
    :”[proxychains] Random chain … 127.0.0.1:9157 … spiralinear.org:80 … OK”
    :” multilib 106.2 KiB 77.3K/s 00:01 [############################] 100%”
    :”:: Starting full system upgrade…”

    See what happened? Does that rock?

    Intercept scripts I have so far are git, gpg, pacman, svn, wget, and yaourt, and they all work perfectly.
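The same intercept trick, generalized as an added example (not code from the original page): make_intercept writes a wrapper like the /usr/local/bin/pacman one above for any command, path_prefers checks the $PATH ordering the trick depends on, and conf_dns_ok checks the proxychains.conf settings that decide whether DNS leaks. All three function names are hypothetical.

```shell
#!/bin/bash
# Added example: helpers for the proxychains intercept-script step.

# make_intercept DIR CMD: write DIR/CMD, which execs proxychains4 on the real
# binary at /usr/bin/CMD. The absolute path matters: naming the bare command
# would resolve through $PATH back to the wrapper itself and recurse forever.
make_intercept() {
    local dir="$1" cmd="$2"
    cat >"$dir/$cmd" <<EOF
#!/bin/bash
# intercept wrapper: run $cmd through TOR via proxychains
exec /usr/local/bin/proxychains4 /usr/bin/$cmd "\$@"
EOF
    chmod 755 "$dir/$cmd"
}

# path_prefers DIR1 DIR2 [PATHSTRING]: true if DIR1 is listed before DIR2 in
# PATHSTRING (default: the current PATH), i.e. a wrapper in DIR1 shadows the
# real command in DIR2. Returns false if DIR1 is absent or comes later.
path_prefers() {
    local first="$1" second="$2" path="${3:-$PATH}" d
    local IFS=:
    for d in $path; do
        [ "$d" = "$first" ] && return 0
        [ "$d" = "$second" ] && return 1
    done
    return 1
}

# conf_dns_ok FILE: true if proxy_dns is enabled (DNS goes through the proxy,
# not your ISP) and, when the 127.0.0.0/8 localnet exclusion is also enabled,
# remote_dns_subnet is not 127 (the clash the config's own comments warn about).
conf_dns_ok() {
    local f="$1"
    grep -q '^[[:space:]]*proxy_dns' "$f" || return 1
    if grep -q '^[[:space:]]*localnet 127\.' "$f"; then
        grep -q '^[[:space:]]*remote_dns_subnet 127' "$f" && return 1
    fi
    return 0
}
```

Run conf_dns_ok against /etc/proxychains.conf after editing it, and make_intercept with /usr/local/bin as DIR once path_prefers /usr/local/bin /usr/bin succeeds on your shell.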

    What about pamac? (in the Menu, “Add/Remove Software”) pamac’s launcher lives in /usr/share/applications as pamac-manager.desktop (the menu shows it as “Add/Remove Software”). We can set this the easy way… or the hard way. The hard way protects you from future upgrades that might eliminate your torifier.

    But first the easy way:
    :*Start|Settings|MainMenuEditor|SystemTools|Add/RemoveSoftware and Properties.
    :*Change:
    :::pamac-manager to
    :::proxychains4 gksu pamac-manager

    This will not only run pamac through TOR, it will run it as superuser so you don’t get that damned permissions error. It could be argued that you should never reach out on the internet as root, but we are doing things so obscurely that it would take big money to subvert us. Besides, you can’t install unless root.

    The hard way (the safe way) is:
    :*$ cp /usr/share/applications/pamac-manager.desktop /home/{USER}/Utilities/updates/linux/applications/System
    :*Edit it and change
    :::Name=Add/Remove Software to
    :::Name=Add/Remove Software SU
    :::Exec=pamac-manager to
    :::Exec=proxychains4 gksu pamac-manager
    :*Save the file and
    :::$ cd /home/{USER}/.local/share/applications
    :::$ ln -s /home/{USER}/Utilities/updates/linux/applications/System/pamac-manager.desktop .

    Now it will show up in Start|System as ‘Add/Remove Software SU’, and will never be overwritten by an upgrade.

    If you ever need to run an app without TOR for some reason, you can just:
    :$ /usr/bin/git

    ==Join Us!==

    And I will close with a Plea: Please consider financing an Exit Node. It’s only $15-$20/month using Amazon’s cheapest AWS plan. Pay once/year and be done with it.

    Or [https://cloud.torproject.org/ be a Bridge]; they have pre-made EC2 Bridge images for TOR.

    Or at the very least [https://www.torproject.org/docs/tor-relay-debian.html.en be a Relay]; that doesn’t cost anything. You will have major street cred with the movement, and will be helping dissidents in Iran, China, and elsewhere, as well as whistleblowers worldwide, and those who just don’t like to be tracked.

    This was a long journey, but it was well worth it. Enjoy!

    ==Support==

    [https://forum.manjaro.org/index.php?topic=5436.msg47404#msg47404 Here’s the Forum thread], in case you have any questions.

    [[Category:Contents Page]]
