The Onion Router

This article describes how to install and configure TOR - The Onion Router for your home LAN, in order to encrypt your network traffic and improve your privacy and security on the Internet. It is a translation of an article I wrote for the Croatian Linux Users Group last year, which is still available in Croatian.

TOR basics


TOR is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. TOR provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. If you want to know more you can read the TOR Overview.

Just about every major GNU/Linux distribution has TOR packaged and ready to install, but I will cover the basics of manual installation. I will also go through the configuration of tsocks (a tool that lets applications which usually don't support SOCKS proxies use them), and the proxy configuration of a few applications that do support SOCKS.

Installing TOR


As I wrote earlier, TOR packages are available on many distributions, and the configuration practice of the packager differs from distro to distro. The most important (and most often differing) details are the user and group under which the TOR daemon will run, and the location of the directories with configuration, run-time or log files. TOR depends on the openssl, libevent and tsocks packages; the last one should be installed on the clients too, but more about this later.

After installing libevent (from a package, or by building it yourself) you should create a user for the TOR daemon (e.g. tor_d):
# useradd -g daemon -s /bin/false -c "Tor Internet Anonymizer" -d /var/run/tor tor_d
When building a new version of TOR I usually compile with these options:
# ./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/man \
--enable-eventdns \
--with-tor-user=tor_d \
--with-tor-group=daemon
Let's dissect the above command. The executables tor and torify will be installed in /usr/bin. Configuration files will live in /etc/tor, and TOR will use the following directories for log and run-time files: /var/lib/tor, /var/log/tor and /var/run/tor. The last of these was also set as the $HOME directory of the tor_d user in the useradd example above.

Once configure finishes you can proceed with make and make install to install TOR, or perhaps use checkinstall to build a package for your distribution.

Configuring TOR


If you didn't install the package provided by your distribution note that the TOR source tarball is distributed with a few init scripts which you can use to control TOR (and start it when your system boots). They can be found in the contrib directory. Pick one and change those variables/options that point to the configuration directories, executable files or TOR user/group (all according to how you built TOR earlier).

The actual TOR configuration is done in the file called torrc; a sample configuration file called "torrc-sample" can be found in the /etc/tor directory. If you don't want to deal with minor details (e.g. owner contact information) or set up your TOR as a relay, the sample file is ready to use with your TOR daemon (in the role of a client on the TOR network); all you need to do is rename it to torrc.

However, if there are multiple computers in your LAN and you are building a TOR gateway (the assumption on which this article is based) you need to change one setting in the torrc file. The SocksListenAddress option needs to point to the IP address of the network interface that is connected to the rest of the network (e.g. 192.168.0.1):
#SocksListenAddress 127.0.0.1  # Accept connections only from localhost
SocksListenAddress 192.168.0.1 # Accept connections only from the LAN
In the same configuration directory you will also find the tor-tsocks.conf file, the tsocks configuration file for use with the TOR daemon. Once more point the configuration to your internal network. Following the earlier IP example, the tor-tsocks.conf might look like this:
server = 192.168.0.1
server_port = 9050
# We specify local as 127.0.0.0 - 127.191.255.255 because the
# Tor MAPADDRESS virtual IP range is the rest of net 127.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 192.168.0.0/255.255.255.0

Using TOR


TOR is distributed with the torify shell script (mentioned earlier), which is a wrapper around the tsocks utility. Torify calls tsocks and points it to the above tor-tsocks.conf file. When we want to use TOR with an application that usually doesn't support SOCKS proxies we can call that application with torify. For example to start the popular IRC client irssi we would execute:
$ torify irssi
To use the same "trick" on other computers in the LAN, which are connecting to the TOR daemon, you need to install tsocks on them too. After you install it you should copy the torify script and the tor-tsocks.conf file to each client. For example you can install them to /usr/local/bin and /usr/local/etc respectively. Make sure that the "TSOCKS_CONF_FILE" variable in the script points to the configuration.

Note: The last tsocks release was in 2002; since then a new project called torsocks has been started to improve on that code, and it is developed specifically with TOR in mind. Consider installing it instead of tsocks. You can use the same configuration file you prepared earlier, the only difference being that you run usewithtor instead of torify.
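To see which destinations a client's tsocks would connect to directly and which it would send through the TOR gateway, here is an added example of my own (not code from the article, tsocks or torsocks) that reimplements the "local =" range matching in shell; the tor-tsocks.conf content is constructed to match the LAN example above.

```shell
#!/bin/sh
# Added example, not part of the article: apply the "local =" ranges of a
# tor-tsocks.conf to a destination address and report whether tsocks would
# connect directly ("local") or through the Tor SOCKS server ("proxy").
# The configuration below is constructed to match the article's LAN example.

TSOCKS_CONF=$(mktemp)
cat > "$TSOCKS_CONF" <<'EOF'
server = 192.168.0.1
server_port = 9050
# Local ranges are reached directly; everything else goes via the SOCKS server.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 192.168.0.0/255.255.255.0
EOF

# Dotted quad -> 32-bit integer, so net masks can be applied with arithmetic.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Value of a "key = value" line, comments stripped (first occurrence).
tsocks_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | head -n 1
}

# Print "local" when $1 falls inside any "local =" net/mask of config $2, else "proxy".
route_for() {
    dst=$(ip2int "$1")
    if sed -n 's/^[[:space:]]*local[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$2" | {
        while IFS=/ read -r net mask; do
            m=$(ip2int "$mask")
            [ $(( dst & m )) -eq $(( $(ip2int "$net") & m )) ] && exit 0
        done
        exit 1   # no range matched: tsocks hands the connection to the SOCKS server
    }
    then echo local; else echo proxy; fi
}

# The SOCKS server itself must be inside a local range or tsocks could never reach it.
server_reachable() {
    [ "$(route_for "$(tsocks_get server "$1")" "$1")" = local ]
}

for ip in 192.168.0.20 127.0.0.1 127.200.1.1 10.0.0.5; do
    echo "$ip -> $(route_for "$ip" "$TSOCKS_CONF")"
done
```

Note that 127.200.1.1 is reported as "proxy": it lies in the part of net 127 left free for Tor's MAPADDRESS virtual addresses, exactly as the comment in the configuration file explains.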

When an application does support SOCKS (e.g. Firefox, X-Chat, Gajim...) you only need to point its proxy configuration to the IP address and port of your TOR daemon. Following the above examples that would be:
IP:   192.168.0.1
Port: 9050
Type: SOCKS5
Step by step instructions for using various other applications with TOR can be found on the project wiki.

Notes on DNS


For a long time Firefox did not send DNS queries through the SOCKS5 proxy, so people often had to use the Privoxy proxy server (as a SOCKS4a-capable proxy in front of TOR) with it. Today this is no longer needed and you can avoid Privoxy (assuming you don't want to use it for its ad-filtering or caching abilities). However, the option to send DNS queries through the proxy is not enabled by default in Firefox. To enable it, go to the about:config dialog, find the item network.proxy.socks_remote_dns and set it to true.

TOR also had problems with DNS queries and people had to resort to various tricks (tor-resolve, ttdnsd...), but since the 0.2.x series TOR can also work as a DNS forwarder/DNS proxy. In short: first check the DNSPort and DNSListenAddress configuration options in the tor(1) manual page, then set your TOR gateway as the primary DNS server on the clients (for added assurance you can use iptables to force all DNS traffic to go through the DNSPort). Note that the implementation only understands queries for A and PTR records. Consult the documentation and the manual page for more details.
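To check a gateway's torrc for the settings this article relies on and derive the iptables DNS redirection just mentioned, here is an added example of my own (not code from the article or from the Tor project); the interface name eth1, the DNSPort number 5353 and the sample torrc are constructed assumptions, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not part of the article: audit a gateway torrc for the
# settings this article relies on and print the iptables rules that force
# LAN DNS traffic into Tor's DNSPort. LAN_IF, LAN_IP, the DNSPort number and
# the sample torrc are assumptions constructed for this example.

LAN_IF=eth1
LAN_IP=192.168.0.1

TORRC=$(mktemp)
cat > "$TORRC" <<'EOF'
#SocksListenAddress 127.0.0.1  # Accept connections only from localhost
SocksListenAddress 192.168.0.1 # Accept connections only from the LAN
SocksPort 9050
# An unprivileged port: Tor then need not bind port 53 before dropping root.
DNSPort 5353
DNSListenAddress 192.168.0.1
EOF

# Last uncommented occurrence of a torrc option ("Key Value"), comments stripped.
torrc_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 when Tor listens on the LAN address only and offers DNS to the LAN.
audit_gateway() {
    f=$1; ip=$2; rc=0
    case "$(torrc_get SocksListenAddress "$f")" in
        "$ip") ;;
        0.0.0.0) echo "SocksListenAddress 0.0.0.0 also exposes the SOCKS port on the Internet-facing interface" >&2; rc=1 ;;
        *) echo "SocksListenAddress does not match the LAN address $ip" >&2; rc=1 ;;
    esac
    [ -n "$(torrc_get DNSPort "$f")" ] || { echo "DNSPort not set: clients cannot resolve through Tor" >&2; rc=1; }
    [ "$(torrc_get DNSListenAddress "$f")" = "$ip" ] || { echo "DNSListenAddress should be $ip" >&2; rc=1; }
    return $rc
}

# Print (do not apply) nat rules redirecting all port-53 traffic arriving from the
# LAN to Tor's DNSPort, so a client with a stray resolver setting cannot leak queries.
# Remember that the DNSPort only answers A and PTR queries.
dns_redirect_rules() {
    port=$(torrc_get DNSPort "$1")
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j REDIRECT --to-ports $port"
    done
}

audit_gateway "$TORRC" "$LAN_IP" && dns_redirect_rules "$TORRC"
```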

Related projects

Multiproxy Switch
- quickly switch between different proxy settings in Firefox
User Agent Switcher
- despite TOR your Firefox is still leaking user-agent information
TorK Controller
- TorK is an advanced TOR controller for KDE
Vidalia Controller
- Vidalia is an advanced TOR controller using the QT framework

Note: Consider running your TOR server as a relay or an exit node, donate a piece of your bandwidth and help the community. Running a node/relay is not just about giving; you also get something in return: for instance, newer implementations of the protocol allocate more bandwidth for relays. Let's also mention that if someone were to monitor your traffic it would be very difficult for them to distinguish traffic originating from your network from the traffic that is only passing through your node.


Copyright Adrian C. Licensed under the terms of the CC Att-SA license.