This article describes how to install and configure TOR - The Onion Router - on a gateway for your home LAN, so that traffic from every machine on the LAN is routed through the TOR network to improve your privacy and security on the Internet. Keep in mind what TOR does and does not encrypt: traffic is encrypted between you and the exit node, but whatever leaves the exit node is exactly what your application sent, so anything sent in the clear (plain HTTP, unencrypted IRC) is still readable at the exit. It is a translation of an article I wrote for the Croatian Linux Users Group last year, which is still available in Croatian.
TOR basics
TOR is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. TOR provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. If you want to know more you can read the TOR Overview.
Just about every major GNU/Linux distribution has TOR packaged and ready to install, but I will cover the basics of manual installation. I will also go through the configuration of tsocks (a preloaded library plus wrapper script that lets applications which don't natively support SOCKS proxies use one, by intercepting their network calls), and the proxy configuration of a few applications that do support SOCKS.
Installing TOR
As I wrote earlier, TOR packages are available on many distributions, and the packager's configuration choices differ from distro to distro. The most important (and most often different) are the user and group under which the TOR daemon will run, and the location of the directories with configuration, run-time and log files. TOR itself depends on openssl and libevent; tsocks is not needed to build or run TOR, but it is what the torify wrapper uses, so install it on the gateway and on every client that will use torify (more about this later).
After installing libevent (from a package, or by building it yourself) you should create a user for the TOR daemon (e.g. tor_d):
# useradd -g daemon -s /bin/false -c "Tor Internet Anonymizer" -d /var/run/tor tor_d
When building a new version of TOR I usually compile with these options:
# ./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/man \
--enable-eventdns \
--with-tor-user=tor_d \
--with-tor-group=daemon
Let's dissect the above command. The executables tor and torify will be installed in /usr/bin. Configuration files will be in /etc/tor, and TOR will use the following directories for state, log and run-time files: /var/lib/tor, /var/log/tor and /var/run/tor. The last of these was also set as the $HOME directory of user tor_d in the useradd example above.
When it builds you can proceed with make and make install to install TOR, or use checkinstall to build a package for your distribution.
Configuring TOR
If you didn't install the package provided by your distribution, note that the TOR source tarball is distributed with a few init scripts which you can use to control TOR (and start it when your system boots). They can be found in the contrib directory. Pick one and change the variables/options that point to the configuration directories, executable files or TOR user/group (all according to how you built TOR earlier).
The actual TOR configuration is done in the file called torrc; a sample configuration file called torrc-sample can be found in the /etc/tor directory. If you don't want to deal with any minor details (e.g. owner contact information) or set up TOR as a relay, the sample file is ready to use with your TOR daemon acting as a client on the TOR network; all you need to do is rename it to torrc.
However, if there are multiple computers in your LAN and you are building a TOR gateway (the assumption on which this article is based) you need to change one setting in the torrc file. The SocksListenAddress option needs to point at the IP address of the network interface that is connected to the rest of the LAN (e.g. 192.168.0.1):
#SocksListenAddress 127.0.0.1 # Accept connections only from localhost
SocksListenAddress 192.168.0.1 # Accept connections on the LAN interface
Note that binding to the LAN address only selects the interface TOR listens on; anyone who can reach that address can use the proxy. Bind it to a private (RFC 1918) address only, never to the Internet-facing interface, and use the SocksPolicy option to restrict which clients may connect (accept your LAN subnet and reject everything else); SocksPolicy also governs who may use the DNSPort described later.
In the same configuration directory you will also find the tor-tsocks.conf file, the tsocks configuration for use with the TOR daemon. Once more, point the configuration at your internal network. Following the earlier IP example, tor-tsocks.conf might look like this:
server = 192.168.0.1
server_port = 9050
# We specify local as 127.0.0.0 - 127.191.255.255 because the
# Tor MAPADDRESS virtual IP range is the rest of net 127.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 192.168.0.0/255.255.255.0
The local lines list networks that tsocks must connect to directly rather than through the proxy; the last one covers your LAN, including the gateway itself, so that the connection to the SOCKS server (and to other LAN hosts) is never sent into the SOCKS server.
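The script below is an added example; it is not part of the original article or of the Tor project's own files. It writes the gateway torrc for a given LAN interface address and LAN subnet (192.168.0.1 and 192.168.0.0/24 are the assumed values, matching the examples above), refusing any address that is not RFC 1918 so the SOCKS listener is never exposed on the Internet-facing interface, and pinning a SocksPolicy to the LAN so that only LAN hosts can use the proxy or the DNSPort (see "Notes on DNS"). The option names are real Tor options; the paths and the daemon user tor_d are assumptions taken from this article's build.

```shell
#!/bin/sh
# Added example, not from the original article: generate a TOR gateway torrc
# for a LAN address and subnet. Paths and addresses are assumptions.

# is_private_ipv4 ADDR: succeed only if ADDR is a well-formed IPv4 address
# inside 10/8, 172.16/12 or 192.168/16. Used so the SOCKS/DNS listeners are
# never bound to a public address by mistake.
is_private_ipv4() {
    ip="$1"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$ip" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    o1=$(echo "$ip" | cut -d. -f1)
    o2=$(echo "$ip" | cut -d. -f2)
    [ "$o1" -eq 10 ] && return 0
    [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0
    [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ] && return 0
    return 1
}

# gateway_torrc LAN_IP LAN_NET: print a torrc for a gateway whose LAN
# interface has address LAN_IP, accepting SOCKS and DNS clients only from
# LAN_NET (dotted quad/prefix, e.g. 192.168.0.0/24). Fails on a non-private
# address rather than producing an open proxy.
gateway_torrc() {
    lan_ip="$1"
    lan_net="$2"
    if ! is_private_ipv4 "$lan_ip"; then
        echo "refusing to bind SOCKS/DNS listeners to non-private address $lan_ip" >&2
        return 1
    fi
    echo "$lan_net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
        echo "LAN_NET must look like 192.168.0.0/24, got $lan_net" >&2
        return 1
    }
    cat <<EOF
# Gateway role: TOR client for the LAN, no relaying.
SocksPort 9050
SocksListenAddress $lan_ip
# SocksListenAddress only picks the interface; SocksPolicy decides who may
# connect, and it applies to the DNSPort as well. Anything not accepted is
# rejected.
SocksPolicy accept $lan_net
SocksPolicy reject *
# Answer A/PTR queries from LAN clients through TOR (see "Notes on DNS").
# Port 53 is privileged: TOR opens its listeners before switching to User.
DNSPort 53
DNSListenAddress $lan_ip
User tor_d
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
EOF
}

# Usage on the gateway (assumed LAN address and subnet):
#   gateway_torrc 192.168.0.1 192.168.0.0/24 > /etc/tor/torrc
#   tor --verify-config -f /etc/tor/torrc
```

Run tor --verify-config after writing the file; it parses the configuration without starting the daemon and reports unknown options. Newer Tor releases fold the address into the port option (SocksPort 192.168.0.1:9050, DNSPort 192.168.0.1:53) and warn that the *ListenAddress forms are deprecated; the SocksPolicy lines are unchanged.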
Using TOR
TOR is distributed with the torify shell script (mentioned earlier), which is a wrapper around the tsocks utility. torify calls tsocks and points it at the tor-tsocks.conf file above. When we want to use TOR with an application that doesn't natively support SOCKS proxies we can start it with torify. For example, to start the popular IRC client irssi we would execute:
$ torify irssi
To use the same trick on other computers in the LAN that connect to the TOR daemon, you need to install tsocks on them too. After you install it, copy the torify script and the tor-tsocks.conf file to each client; for example, install them to /usr/local/bin and /usr/local/etc respectively. Make sure that the TSOCKS_CONF_FILE variable in the script points to the configuration file.
Note: The last tsocks release was in 2002, and since then a new project, torsocks, was started to improve on that code; it is developed specifically with TOR in mind. Consider installing it instead of tsocks. The most important difference for your anonymity is DNS: tsocks only intercepts connect() calls, not hostname resolution, so an application run under torify resolves names with the system resolver and sends the DNS queries directly to your ISP (revealing which sites you visit) even though the connection itself goes through TOR. torsocks intercepts the resolver calls as well and passes the hostname to TOR. You can use the same configuration file you prepared earlier, the difference being that you run usewithtor instead of torify.
When an application does support SOCKS (e.g. Firefox, X-Chat, Gajim...) you only need to point its proxy configuration at the IP address and port of your TOR daemon. Following the above examples that would be:
IP: 192.168.0.1
Port: 9050
Type: SOCKS5
Step by step instructions for using various other applications with TOR can be found on the project wiki.
Notes on DNS
For a long time Firefox did not send DNS queries through a SOCKS5 proxy, so people often put Privoxy in front of TOR: Firefox talked HTTP to Privoxy, and Privoxy forwarded to TOR over SOCKS4a, which carries the hostname so that the name is resolved by TOR rather than by the client. Today this is no longer needed and you can avoid Privoxy (assuming you don't want it for its ad filtering abilities). However, the option to resolve names through the proxy is not enabled by default in Firefox. To enable it, open about:config, find the item network.proxy.socks_remote_dns and set it to true. Without it Firefox resolves the hostname itself before connecting through the proxy, which leaks every site you visit to your local DNS server.
Applications in general had the same problem with DNS queries (most resolve the hostname locally before handing the connection to TOR), and people had to resort to various tricks (tor-resolve, ttdnsd...). Since the 0.2.x series TOR can also act as a DNS forwarder/DNS proxy itself. In short: first check the DNSPort and DNSListenAddress configuration options in the tor(1) manual page, then set your TOR gateway as the primary DNS server on the clients (for added insurance you can use iptables on the gateway to redirect all DNS traffic coming from the LAN to the DNSPort, so that a client with a hard-coded resolver cannot leak queries past TOR). Note that the implementation only understands queries for A and PTR records; a client that needs other record types (MX, AAAA, SRV...) will get no answer. Consult the documentation and the manual for more details.
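As an added example (not from the original article or the Tor project), the script below implements the iptables "insurance" mentioned above on the gateway: every DNS query arriving on the LAN interface is redirected to TOR's DNSPort regardless of which resolver the client is configured with, and DNS over TCP, which the DNSPort does not serve, is refused rather than forwarded to the Internet. The interface name eth1 and the DNSPort 53 are assumptions; adjust them to match your torrc.

```shell
#!/bin/sh
# Added example, not from the original article: force LAN DNS through TOR's
# DNSPort with iptables. Interface name and port are assumptions.

# dns_redirect_rules LAN_IF [DNSPORT]: print, one per line, the iptables
# commands that make every DNS query from LAN_IF end up at TOR's DNSPort.
# Printing first (instead of applying) lets the rules be reviewed or tested.
dns_redirect_rules() {
    lan_if="$1"
    dns_port="${2:-53}"
    [ -n "$lan_if" ] || { echo "usage: dns_redirect_rules LAN_IF [DNSPORT]" >&2; return 1; }
    # UDP/53 from the LAN, whatever its destination, is redirected to the
    # gateway's own address on this interface and lands on TOR's DNSPort.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p udp --dport 53 -j REDIRECT --to-ports $dns_port"
    # TOR's DNSPort speaks UDP only; refuse TCP/53 so a client that falls back
    # to TCP (or a resolver that prefers it) cannot bypass TOR.
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 53 -j REJECT"
    # Safety net: nothing on UDP/53 is ever forwarded to the Internet.
    echo "iptables -A FORWARD -i $lan_if -p udp --dport 53 -j DROP"
}

# apply_dns_redirect LAN_IF [DNSPORT]: run the rules (needs root). The rules
# are fed to a shell with -e so the first failing iptables call stops it.
apply_dns_redirect() {
    dns_redirect_rules "$@" | sh -e
}

# Usage on the gateway, assuming the LAN is on eth1 and torrc has DNSPort 53:
#   dns_redirect_rules eth1     # review the rules
#   apply_dns_redirect eth1     # apply them
# If your INPUT chain has a default DROP policy, also accept UDP to the
# DNSPort from eth1, otherwise the redirected queries are dropped locally.
```

After applying, check the effect from a client with a resolver that does not point at the gateway: the query must still be answered (by TOR, for A and PTR records) rather than reaching the configured server, and a TCP query to port 53 must be refused.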
Related projects
- Multiproxy Switch - quickly switch between different proxy settings in Firefox
- User Agent Switcher - despite TOR your Firefox is still leaking user-agent information
- TorK Controller - TorK is an advanced TOR controller for KDE
- Vidalia Controller - Vidalia is an advanced TOR controller using the Qt framework
Note: Consider running your TOR server as a relay or an exit node; donate a piece of your bandwidth and help the community. Running a node/relay is not just about giving, you also get something in return: for instance, newer versions of the protocol allocate more bandwidth to relays, and if someone were to monitor your traffic it would be very difficult for them to tell traffic originating from your network apart from traffic that is only passing through your node. Bear in mind that an exit node is what the rest of the Internet sees as the source of other people's traffic, so it attracts abuse complaints; a non-exit relay gives you most of the benefits without that exposure.