TORified network howto


Please note: this document is outdated! In particular, the use of the squid web caching proxy should be avoided with tor!


Some tips about configuring your machine to use the TOR routing system


Introduction

Prevent packet headers from sending a lot of unwanted information to the internet. Anonymise your connection with a squid-privoxy-tor combination. Bounce your packets through an anonymous and encrypted chain of servers.
Anonymity is never 100% secure, but here we work out a good solution for staying anonymous towards someone sniffing us from the internet. That means: neither "what we do" nor "where we go" gets anonymised, just "where we come from"; somebody monitoring what we do from the internet cannot see who we are (but it doesn't work if somebody is monitoring our internal network, e.g. through wireless, or our connection from our network to the first tor router, e.g. through our internet provider).
So if somebody in Turkey is sniffing my emails, he/she will not be able to tell where I am writing from, but will still be able to intercept what I write in the mail; if somebody got authorisation from my internet provider to sniff all my traffic on the internet, then the anonymisation we use here will be useless.

Another very interesting topic with the tor solution is the possibility of setting up HIDDEN SERVICES: we can run any server we want (http/https, irc, ...) on the internet, and clients connecting to it DO NOT contact the server itself; instead CLIENT AND SERVER MEET IN THE MIDDLE OF AN ONION ROUTER CHAIN - that means that nobody will know where we are coming from, and also that nobody will know where the service we are using is hosted!!!


Here is a short explanation of how the combination works for HTML pages:

Browser <> squid host:3128 <> privoxy host:8118 <> tor host:9050 <> tor onion router chains <> webserver


TOR (The Onion Routing, http://tor.eff.org) is a system that uses an entry point; communications are then bounced around a distributed network of servers and finally leave through an exit point. Each "onion router" knows only the server before and the server after it in the chain, and communicates with them using an AES128 key.



Step by step to a working TOR connection


1- Install tor and privoxy

Debian packages have been uploaded to the set of official unstable Debian packages. If you are running stable or testing Debian, you must first add these lines to /etc/apt/sources.list:

deb http://mirror.noreply.org/pub/tor stable main
deb-src http://mirror.noreply.org/pub/tor stable main

To install the packages, issue the following commands:

		
root@yourcomputer:# apt-get update
root@yourcomputer:# apt-get install tor privoxy


2- Configure privoxy for use with TOR

After installation and startup, Privoxy listens on port 8118 by default. The privoxy configuration can also be managed through a web interface, at the address http://p.p/
To be able to use privoxy with TOR, we have to edit the /etc/privoxy/config file:

root@yourcomputer:# vim /etc/privoxy/config

Interesting configuration variables are:

5.2. forward-socks4 and forward-socks4a
forward-socks4a / 127.0.0.1:9050 .

This enables forwarding all requests to TOR - don't forget the dot (.) at the end!

We can comment out "logfile" and "jarfile" to disable logs (to reduce the information left on our own computer):

2.5. logfile

# logfile logfile


2.6. jarfile

# jarfile jarfile


3*- (optionally) Set up squid

Squid is a normal http-caching program, an http proxy. What we really like about squid, for use in conjunction with tor, is its configurable feature to remove http headers, that is, information sent to the internet by your web browser.
A problem with using squid is that it cannot resolve DNS remotely (which privoxy CAN do). Using squid we could leak DNS information, a serious threat to our anonymity!!!

If you want to install and configure squid:

root@yourcomputer:# apt-get install squid

Squid's client mode configuration: suitable for a workstation with caching proxy in stand alone mode (Privoxy on localhost:8118): squid requires some configuration values to be modified in order to function as a caching proxy.

root@yourcomputer:# vim /etc/squid.conf

Search for the following key values and set them accordingly:

http_port 3128

http_access allow localhost

cache_peer   localhost    parent   8118   7   no-query default

# the following forces the use of privoxy/tor in all cases:
never_direct allow all

visible_hostname localhost

# If transparent gateway mode is used, the following must also be set!
# (actually it is not a good idea to use a transparent gateway!!!)
# (insert your subnets as required):
acl home_network src 192.168.1.0/24
http_access allow home_network
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# The following settings are helpful in removing some sensitive
# HTTP headers which could divulge unwanted information:
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
# NOTE: some sites may require a User-Agent or Referer to
# function correctly.

# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access All deny all

# Default:
# none

Be sure to run '~/sbin/squid -z' to create the cache directories before starting the Squid proxy with '~/bin/RunCache'.

Using your browser configuration utility update the HTTP/HTTPS proxy settings to point to localhost at port 3128. At this point all of your web traffic will be going through the Squid proxy, into Privoxy for protocol cleaning, and finally into Tor for delivery of requests and responses. The reduced latency of Squid serving cached pages should be readily visible as you browse various sites.

squid without caching

If you decide to use squid only in conjunction with TOR, it could be a good idea to disable the caching function. You can use the no_cache access list to make Squid never cache any response:

acl all src 0/0

no_cache deny all

cache_dir null /tmp

Note: a null cache_dir does not disable caching, but it does save you from creating a cache structure if you have disabled caching with no_cache.
Note: the directory (e.g., /tmp) must exist so that squid can chdir to it, unless you also use the coredump_dir option. To configure Squid for the "null" storage module, specify it on the configure command line: "./configure --enable-storeio=ufs,null ..."


(optional) Disable squid's log files
cache_access_log none

cache_store_log none

cache_log /dev/null

Note: It is a bad idea to disable the cache.log because this file contains many important status and debugging messages. However, if you really want to, you can.
Warning: If /dev/null is specified for any of the above log files, logfile_rotate must also be set to 0, or else you risk Squid rotating away /dev/null and making it a plain log file.


4- Check if everything is working fine

Now it's time to check if our tor is running the way it should be...
First of all, configure your browser to use a proxy (a very practical solution for Firefox/Iceweasel is the "Torbutton" add-on).
In your browser's configuration, add, as proxy, "localhost" and, as port, "8118" (if you only use privoxy), or "3128" (if you use squid before privoxy).
To check if everything is working ok, use "ethereal" if you know how to, or, more simply, load this practical webpage (copyrighted) that shows you all the information leaked by your browser: http://leader.ru/secure/who.html

REMEMBER: if you use squid, your DNS requests could still leak information if they don't go through tor (e.g. with SOCKS4a). You can still use "tor-resolve" (included in the tor package) to eliminate this problem...
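
Why SOCKS4a (as in "forward-socks4a" and socat's SOCKS4A) avoids the DNS leak while plain SOCKS4 does not, shown at the byte level. This is an added example, not part of the original howto; the destination name and address are constructed sample values.

```python
import ipaddress
import struct

CONNECT = 1  # SOCKS4 command code for an outgoing TCP connection


def socks4_connect(ipv4: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS4: the client needs an IPv4 address, so it already
    did the DNS lookup itself, outside of tor."""
    addr = ipaddress.IPv4Address(ipv4).packed
    return struct.pack(">BBH", 4, CONNECT, port) + addr + userid + b"\x00"


def socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a: the address field holds the invalid marker 0.0.0.x (x != 0)
    and the hostname follows the user id, so the proxy resolves it."""
    marker = b"\x00\x00\x00\x01"
    name = hostname.encode("ascii") + b"\x00"
    return struct.pack(">BBH", 4, CONNECT, port) + marker + userid + b"\x00" + name


def describe(request: bytes) -> dict:
    """Parse a CONNECT request and report which side resolves the name."""
    if len(request) < 9:
        raise ValueError("request too short")
    version, command, port = struct.unpack(">BBH", request[:4])
    if version != 4 or command != CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    addr = request[4:8]
    userid, sep, tail = request[8:].partition(b"\x00")
    if not sep:
        raise ValueError("unterminated user id")
    if addr[:3] == b"\x00\x00\x00" and addr[3] != 0:
        hostname, sep, _ = tail.partition(b"\x00")
        if not sep or not hostname:
            raise ValueError("missing hostname in SOCKS4a request")
        return {"target": hostname.decode("ascii"), "port": port,
                "resolved_by": "proxy"}
    return {"target": str(ipaddress.IPv4Address(addr)), "port": port,
            "resolved_by": "client"}


if __name__ == "__main__":
    # Constructed sample destinations (documentation name and address).
    for req in (socks4_connect("192.0.2.10", 80),
                socks4a_connect("example.com", 80)):
        print(req.hex(), describe(req))
```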


5- Torify your software

You can run a lot of different applications (ssh, irc, fetchmail, gaim, ...) through the TOR onion routing. Follow the instructions on this webpage: http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO


Another interesting possibility is to run your SSH connection through TOR. In order to do this, first of all we need to install the "socat" package:

root@yourcomputer:# apt-get install socat

You will then need to set up SSH accordingly, enabling TOR for internet connections, and disabling it for your local network connections.
Edit the /etc/ssh/ssh_config file:

root@yourcomputer:# vim /etc/ssh/ssh_config

Remember to adjust these settings to your own needs, adding the "ProxyCommand none" setting for all the machines, or subnetworks, that you still want to reach without TOR!!!
Add the following lines to your ssh_config file:

    Host 192.168.*.*
    ProxyCommand none

    Host *.lan
    ProxyCommand none

    Host *
    ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
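
The order of these blocks matters: ssh uses the first value it obtains for each option, so the "ProxyCommand none" exceptions must come before "Host *". The sketch below is an added example, not part of the original howto; it is a simplified model of ssh_config matching (no negated patterns, no Match blocks) and the host names tested are constructed.

```python
from fnmatch import fnmatchcase

# The ordering from the howto: exceptions first, catch-all last.
PAGE_ORDER = """
Host 192.168.*.*
ProxyCommand none
Host *.lan
ProxyCommand none
Host *
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
"""

# Constructed counter-example: the same kind of blocks, catch-all first.
CATCH_ALL_FIRST = """
Host *
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
Host 192.168.*.*
ProxyCommand none
"""


def parse_blocks(text):
    """Return [(patterns, {option: value})] for each Host block, in file order."""
    blocks = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            # Within a block, too, the first value of an option wins.
            blocks[-1][1].setdefault(key, value)
    return blocks


def proxy_command(text, host):
    """First ProxyCommand from a Host block matching the name typed to ssh."""
    for patterns, options in parse_blocks(text):
        if "proxycommand" in options and any(fnmatchcase(host, p) for p in patterns):
            return options["proxycommand"]
    return None


def uses_proxy(text, host):
    """True if the connection to host would be handed to the socat command."""
    cmd = proxy_command(text, host)
    return cmd is not None and cmd.lower() != "none"
```

With the howto's ordering, a LAN address outside the listed patterns (for example 10.0.0.5) still matches only "Host *" and is sent through TOR, so every local range you use needs its own exception.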


6- Hidden Services

A very interesting and useful function of the TOR/privoxy combination is the possibility to use or set up "hidden services": services running on machines inside the TOR onion routing, and reachable only from within the onion routing system. This helps us, for example, in running a censorship-resistant service (http, ssh, irc, ...). Remember, anyway, that anonymity is NEVER 100% guaranteed! The best place to start from is the hidden wiki. Try to contact it by clicking on this link: http://6sxoyfb3h2nvok2d.onion/tor/
If you cannot contact the hidden wiki, it could be because the TOR network is sometimes VERY slow. So, just click on "try it again", and you will be able to connect...

If you are interested in setting up a hidden service, the configuration is very easy and is located in the /etc/tor/torrc file itself. Mind the logs on your computer! They could reveal interesting information. And, if you want to set up a hidden HTTP server, consider avoiding apache and setting up some lightweight HTTP server instead, because it is quite difficult to configure apache so that it does not leak any important information.
Please refer to http://tor.eff.org/docs/tor-hidden-service.html.en to set up a hidden service.



-----------------------------
last update: inputs_marmalade 16/5/2007

###
contributions / feedback / questions


gpg public key
http://ram.squat.net/tech/inputs.marmalade.asc
###