Tor: Difference between revisions

From NixOS Wiki
imported>Fadenb
Created page with "= How Tor is set up by default in NixOS = By default Tor in NixOS provides 2 different SOCKS proxies. 9050 is a "slow" SOCKS port which can be used for email, git and pretty..."
 
Layer-09 (talk | contribs)
m Made Tips and Tricks titles bigger
 
(38 intermediate revisions by 14 users not shown)
Line 1: Line 1:
= How Tor is set up by default in NixOS =
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;"><strong>Tor is not a panacea.</strong> To achieve effective anonymity with Tor, you must understand its <strong>caveats</strong> and adjust your <strong>browsing habits</strong>. The Tor Project provides a crucial [https://support.torproject.org/faq/staying-anonymous/ list of tips] that you should read before using Tor.</div>
</div>


By default Tor in NixOS provides 2 different SOCKS proxies.
<strong>Tor (The Onion Router)</strong> is a free, open-source software that enables anonymous internet communication. It protects users' privacy by routing traffic through a global network of volunteer-operated servers, masking IP addresses and online activities. Tor's key features include <strong>anonymity</strong>, <strong>privacy</strong>, and <strong>censorship circumvention</strong>. It supports hidden services with <strong>.onion domains</strong> for additional anonymity.


9050 is a "slow" SOCKS port which can be used for email, git and pretty much any other protocol
Tor works by encrypting data multiple times and sending it through a series of nodes (entry, middle, and exit), each decrypting a layer. This process, called <strong>onion routing</strong>, ensures no single point knows both the origin and destination.
but HTTP(S) since a new circuit will be created for each destination IP. This is a safe
default which complicates identity corellation attacks, although isn't sufficient to
completely thwart them.


9063 is the "fast" SOCKS port suitable for a browser. A new circuit is established every 10 minutes.
Commonly used by <strong>journalists</strong>, <strong>activists</strong>, and <strong>privacy-conscious individuals</strong>, Tor helps bypass censorship and protect against surveillance. However, it can be slower than direct connections and has been associated with illegal activities due to its anonymity.


== torsocks, torsocks-faster vs tsocks difference ==
For more information, you can visit the official [https://www.torproject.org/ Tor Project website].


Both torsocks and tsocks wrappers route traffic via Tor.
== Installation ==


However, neither of the wrappers reliably prevent an application from establishing
==== Using nix-shell ====
connections outside of Tor network, but merely ensure that non-malicious code has
<syntaxhighlight lang="bash" start="3">
its direct connection attempts routed via Tor. Some applications, such as those
nix-shell -p tor-browser
using KDE KIO framework, don't make direct connections and instead use kdeinit4
</syntaxhighlight>
to spawn worker processes, rendering the wrappers useless.


For more security, you need to run an application inside a virtual machine and
==== Using Global Configuration ====
configure its networking to be routed via Tor only.
<syntaxhighlight lang="text">
environment.systemPackages = [
  pkgs.tor-browser
];
</syntaxhighlight>After modifying your configuration, apply the changes by running:<syntaxhighlight lang="bash">
sudo nixos-rebuild switch
</syntaxhighlight>


torsocks is a bit more secure because it blackholes UDP traffic and private IP traffic,
==== Using Home Configuration ====
such as LAN traffic.
<syntaxhighlight lang="text">
home.packages = [
  pkgs.tor-browser
];
</syntaxhighlight>After updating your configuration, apply the changes by running:<syntaxhighlight lang="bash">
home-manager switch
</syntaxhighlight>


You should use torsocks where possible. Use torsocks-faster/fast port/Privoxy for HTTP(due to performance)
== Configuration ==
and protocols which break if used from several IPs. Examples: ICQ login requires contacting different servers
and checks that it is done from the same IP; FTP transfers are performed via separate connection
which must originate from the same IP.


tsocks is the weakest wrapper which is nevertheless necessary if your application needs to make local
==== Basic ====
connections or makes DNS queries in a way not handled by torsocks. Example: Kopete's XMPP plugin
only works with tsocks and obviously leaks DNS queries.


== tsocks as a "guard" wrapper ==
<syntaxhighlight lang="nix">
services.tor = {
  enable = true;
  openFirewall = true;
};
</syntaxhighlight>


Some applications have native support for HTTP/SOCKS proxies, and it is tempting to use it.
==== Advanced ====
However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy
<syntaxhighlight lang="nix">
settings or settings getting lost. Using torsocks wrapper can be more reliable.
services.tor = {
  enable = true;


An alternative approach is use both tsocks and built-in proxy support. This way, if the application's proxy
  # Disable GeoIP to prevent the Tor client from estimating the locations of Tor nodes it connects to
support fails, the connection is likely to be caught by tsocks and if you run the application without
  enableGeoIP = false;
tsocks by mistake, the connections are still likely to be proxied.


== Privoxy ==
  # Enable Torsocks for transparent proxying of applications through Tor
  torsocks.enable = true;


By default, privoxy is enabled if you enable Tor client functionality and configured to route
  # Enable the Tor client
to the fast SOCKS port.
  client = {
    enable = true;
  };


== KDE and Tor ==
  # Enable and configure the Tor relay
  relay = {
    enable = true;
    role = "relay";  # Set the relay role (e.g., "relay", "bridge")
  };


In KDE, proxy server configuration is set for all applications at once.
  # Configure Tor settings
You should set the SOCKS proxy to Tor's default 9050 port, and set HTTP proxy to Privoxy(port 8118).
  settings = {
Without Privoxy, KDE apps using either KHTML or WebKit KPart such as Konqueror, Rekonq, KTorrent, Akregator
    Nickname = "YourNickname"; 
would become nearly unusable and cause excessive load to the Tor network.
    ContactInfo = "your-email@example.com";


Another possibility is to run "tsocks kdeinit4", which would cause kdeinit4 to respawn in a wrapped state.
    # Bandwidth settings
All KDE applications started after this, will be wrapped with tsocks.
    MaxAdvertisedBandwidth = "100 MB"
    BandWidthRate = "50 MB"; 
    RelayBandwidthRate = "50 MB"; 
    RelayBandwidthBurst = "100 MB";


=== Kopete ===
    # Restrict exit nodes to a specific country (use the appropriate country code)
    ExitNodes = "{ch} StrictNodes 1"; 
   
    # Reject all exit traffic
    ExitPolicy = "reject *:*"; 


Kopete makes direct connections and ignores KDE settings. Kopete torification
    # Performance and security settings
dependins on what plugins you use. XMPP requires tsocks. ICQ requires torsocks-faster.
    CookieAuthentication = true; 
    AvoidDiskWrites = 1;
    HardwareAccel = 1; 
    SafeLogging = 1;
    NumCPUs = 3; 


=== KDE PIM ===
    # Network settings
    ORPort = [443];
  };
};


KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between your mailboxes.
# Operating a Snowflake proxy helps others circumvent censorship. Safe to run.
services.snowflake-proxy = {
  enable = true;
  capacity = 10;
};
</syntaxhighlight>


== How to see what's going on, and work around bans ==
The Tor relay will require some days to advertise in the network, to the [https://metrics.torproject.org/rs.html relay index] and start generating traffic. You can query metrics about your relay on the relay index page using the name or email from the settings.


Vidalia is convenient for troubleshooting and changing circuits should your
In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor.
current exit node be banned by a particular site.
Vidalia needs an active control port:
<pre>
  services.tor.controlPort = 9051;
</pre>


Vidalia allows you to change Tor configuration on the fly, which you should
== Tips and Tricks ==
avoid doing and instead use NixOS config to control your Tor instance.
=== Location of Option ===
The only useful features are "new Identity" and "network map".
The global options are listed on [https://mynixos.com/search?q=tor MyNixOS].  


If you do change something else by accident, you will have to manually edit
=== Relay Management ===
Vidalia's configuration file ~/.vidalia/vidalia.conf and replace
Tor relays are servers that help anonymize internet traffic by routing it through a series of nodes. Each relay in the Tor network plays a crucial role in maintaining the privacy and security of users by ensuring that no single point can trace the origin and destination of the data. The primary purpose of Tor relays is to facilitate anonymous communication and protect users from network surveillance and traffic analysis.
all "Changed = true" with "Changed = false", otherwise Vidalia and NixOS
 
will fight for the control of the Tor service process.
'''Types of Relays'''
* '''Entry (Guard) Relays:''' These are the first relays that Tor clients connect to. They are responsible for receiving traffic from the user and passing it to the middle relays. Entry relays are chosen carefully to ensure stability and reliability.
* '''Middle Relays:''' These relays pass traffic between the entry and exit relays. They add an additional layer of encryption and help obscure the path of the data.
* '''Exit Relays:''' These are the final relays that traffic passes through before reaching its destination. Exit relays decrypt the last layer of encryption and send the data to the intended recipient. They are crucial for accessing non-Tor websites and services.
 
'''Performance Considerations'''
* '''Bandwidth:''' The speed and performance of the Tor network depend on the bandwidth provided by the relays. Higher bandwidth relays can handle more traffic and improve overall network performance.
* '''Latency:''' Due to the multiple layers of encryption and the routing through several relays, Tor can introduce latency, making it slower than direct internet connections.
* '''Load Balancing:''' The Tor network uses load balancing to distribute traffic evenly across relays, preventing any single relay from becoming a bottleneck.
 
'''Security Risks'''
* '''Malicious Relays:''' Some relays may be operated by malicious actors attempting to intercept or manipulate traffic. The Tor network mitigates this risk through its layered encryption, but users should remain cautious.
* '''Exit Relay Monitoring:''' Since exit relays decrypt the final layer of encryption, they can potentially monitor unencrypted traffic. Users should use end-to-end encryption (e.g., HTTPS) to protect their data.
* '''Correlation Attacks:''' Adversaries with the ability to monitor both the entry and exit points of the Tor network may attempt to correlate traffic patterns and de-anonymize users.
 
'''Legal Issues'''
* '''Jurisdiction:''' Tor relays operate in various jurisdictions, each with its own legal framework. Relay operators should be aware of local laws and regulations regarding data privacy and internet usage.
* '''Liability:''' Exit relay operators may face legal scrutiny if their relays are used for illegal activities. It is important for operators to understand the potential legal implications and take appropriate measures to protect themselves.
 
=== Client Bridge ===
<div style="border: 1px solid #D33; background: #FFEBEB; padding: 30px; border-radius: 5px; margin: 10px 0px; display: flex; align-items: center;">
    <div style="color: #D33; font-size: 40px; margin-right: 15px; background: #FFEBEB; display: flex; line-height: 0;  align-items: center;">⚠</div>
    <div style="color: #D33; font-size: 15px; font-style: normal; font-weight: 400; line-height: normal; text-align: left;">Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor is likely to result in imperfect anonymity and is unsafe.</div>
</div>
 
Tor can be enabled as a system service by enabling options {{nixos:option|services.tor.enable}}. Configuration of tor service is an example of [https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules Freeform module], so you can pass not only explicitly supported {{nixos:option|services.tor.settings}}, but all other [https://2019.www.torproject.org/docs/tor-manual.html.en torrc] options. For example, client bridge config can be set like this:
 
<syntaxhighlight lang="nix">
services.tor.settings = {
      UseBridges = true;
      ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
      Bridge = "obfs4 IP:ORPort [fingerprint]"
};
</syntaxhighlight>
 
By default, Tor in NixOS provides one SOCKS proxy on port 9050. Port 9050 is a "slow" SOCKS port which can be used for email, git, and pretty much any other protocol except HTTP(S). This is a safe default which complicates identity correlation attacks, although it isn't sufficient to completely thwart them.
 
By also enabling {{nixos:option|services.tor.client.enable}}, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.
 
=== Sandboxing ===
 
You can also run the [[Tor Browser in a Container]].
 
Alternatively, Tor can be configured together with the [[Firejail#Torify_application_traffic|Firejail]] sandboxing solution.
 
=== Faster Reconnects on Network Switch ===
Using [[Systemd/networkd/dispatcher]] it is possible to restart the Tor daemon every time a network reconnect is performed. This avoids having to wait for Tor network timeouts and reestablishes a new connection faster.
 
'''Guard Wrappers'''
Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.
 
An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.
 
=== KDE Integration ===
'''KDE Proxy Configuration'''
In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).
 
Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.
 
Another possibility is to run <tt>tsocks kdeinit4</tt>, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.
 
'''Kopete'''
Kopete makes direct connections and ignores KDE settings. Kopete torification depends on what plugins you use. XMPP requires <tt>tsocks</tt>. ICQ requires <tt>torsocks-faster</tt>.
 
'''KDE PIM'''
KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.
 
=== DNS over Tor ===
<syntaxhighlight lang="nix">
services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};
 
networking.nameservers = [ "127.0.0.1" ];
</syntaxhighlight>
 
Please refer to [https://wiki.archlinux.org/title/Tor#TorDNS ArchWiki] for details.
 
== References ==
 
# https://support.torproject.org/tbb/tbb-9
# https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules
# https://2019.www.torproject.org/docs/tor-manual.html.en
# https://wiki.archlinux.org/title/Tor#TorDNS
# https://mynixos.com/search?q=tor
 
 
[[Category:Networking]]
[[Category:Applications]]
[[Category:Server]]
[[Category:Security]]
[[Category:Privacy]]

Latest revision as of 17:47, 4 July 2024

Tor is not a panacea. To achieve effective anonymity with Tor, you must understand its caveats and adjust your browsing habits. The Tor Project provides a crucial list of tips that you should read before using Tor.

Tor (The Onion Router) is a free, open-source software that enables anonymous internet communication. It protects users' privacy by routing traffic through a global network of volunteer-operated servers, masking IP addresses and online activities. Tor's key features include anonymity, privacy, and censorship circumvention. It supports hidden services with .onion domains for additional anonymity.

Tor works by encrypting data multiple times and sending it through a series of nodes (entry, middle, and exit), each decrypting a layer. This process, called onion routing, ensures no single point knows both the origin and destination.

Commonly used by journalists, activists, and privacy-conscious individuals, Tor helps bypass censorship and protect against surveillance. However, it can be slower than direct connections and has been associated with illegal activities due to its anonymity.

For more information, you can visit the official Tor Project website.

Installation

Using nix-shell

nix-shell -p tor-browser

Using Global Configuration

environment.systemPackages = [
  pkgs.tor-browser
];

After modifying your configuration, apply the changes by running:

sudo nixos-rebuild switch

Using Home Configuration

home.packages = [ 
  pkgs.tor-browser
];

After updating your configuration, apply the changes by running:

home-manager switch

Configuration

Basic

services.tor = {
  enable = true;
  openFirewall = true;
};

Advanced

services.tor = {
  enable = true; 

  # Disable GeoIP to prevent the Tor client from estimating the locations of Tor nodes it connects to
  enableGeoIP = false;

  # Enable Torsocks for transparent proxying of applications through Tor
  torsocks.enable = true;

  # Enable the Tor client
  client = {
    enable = true;
  };

  # Enable and configure the Tor relay
  relay = {
    enable = true;
    role = "relay";  # Set the relay role (e.g., "relay", "bridge")
  };

  # Configure Tor settings
  settings = {
    Nickname = "YourNickname";  
    ContactInfo = "your-email@example.com"; 

    # Bandwidth settings
    MaxAdvertisedBandwidth = "100 MB";  
    BandWidthRate = "50 MB";  
    RelayBandwidthRate = "50 MB";  
    RelayBandwidthBurst = "100 MB"; 

    # Restrict exit nodes to a specific country (use the appropriate country code)
    ExitNodes = "{ch} StrictNodes 1";  
    
    # Reject all exit traffic
    ExitPolicy = "reject *:*";  

    # Performance and security settings
    CookieAuthentication = true;  
    AvoidDiskWrites = 1; 
    HardwareAccel = 1;  
    SafeLogging = 1; 
    NumCPUs = 3;   

    # Network settings
    ORPort = [443];
  };
};

# Operating a Snowflake proxy helps others circumvent censorship. Safe to run.
services.snowflake-proxy = {
  enable = true;
  capacity = 10;
};

The Tor relay will require some days to advertise in the network, to the relay index and start generating traffic. You can query metrics about your relay on the relay index page using the name or email from the settings.

In case your Tor relay is running behind a NAT network, be sure to forward the ORPort to your server running Tor.

Tips and Tricks

Location of Option

The global options are listed on MyNixOS.

Relay Management

Tor relays are servers that help anonymize internet traffic by routing it through a series of nodes. Each relay in the Tor network plays a crucial role in maintaining the privacy and security of users by ensuring that no single point can trace the origin and destination of the data. The primary purpose of Tor relays is to facilitate anonymous communication and protect users from network surveillance and traffic analysis.

Types of Relays

  • Entry (Guard) Relays: These are the first relays that Tor clients connect to. They are responsible for receiving traffic from the user and passing it to the middle relays. Entry relays are chosen carefully to ensure stability and reliability.
  • Middle Relays: These relays pass traffic between the entry and exit relays. They add an additional layer of encryption and help obscure the path of the data.
  • Exit Relays: These are the final relays that traffic passes through before reaching its destination. Exit relays decrypt the last layer of encryption and send the data to the intended recipient. They are crucial for accessing non-Tor websites and services.

Performance Considerations

  • Bandwidth: The speed and performance of the Tor network depend on the bandwidth provided by the relays. Higher bandwidth relays can handle more traffic and improve overall network performance.
  • Latency: Due to the multiple layers of encryption and the routing through several relays, Tor can introduce latency, making it slower than direct internet connections.
  • Load Balancing: The Tor network uses load balancing to distribute traffic evenly across relays, preventing any single relay from becoming a bottleneck.

Security Risks

  • Malicious Relays: Some relays may be operated by malicious actors attempting to intercept or manipulate traffic. The Tor network mitigates this risk through its layered encryption, but users should remain cautious.
  • Exit Relay Monitoring: Since exit relays decrypt the final layer of encryption, they can potentially monitor unencrypted traffic. Users should use end-to-end encryption (e.g., HTTPS) to protect their data.
  • Correlation Attacks: Adversaries with the ability to monitor both the entry and exit points of the Tor network may attempt to correlate traffic patterns and de-anonymize users.

Legal Issues

  • Jurisdiction: Tor relays operate in various jurisdictions, each with its own legal framework. Relay operators should be aware of local laws and regulations regarding data privacy and internet usage.
  • Liability: Exit relay operators may face legal scrutiny if their relays are used for illegal activities. It is important for operators to understand the potential legal implications and take appropriate measures to protect themselves.

Client Bridge

Do not attempt to use Tor with any web browsers other than Tor Browser. Tor Browser integrates custom modifications to Firefox to enhance anonymity and ensure that information leakage does not occur. Using another web browser with Tor is likely to result in imperfect anonymity and is unsafe.

Tor can be enabled as a system service by enabling options services.tor.enable. Configuration of tor service is an example of Freeform module, so you can pass not only explicitly supported services.tor.settings, but all other torrc options. For example, client bridge config can be set like this:

services.tor.settings = {
      UseBridges = true;
      ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
      Bridge = "obfs4 IP:ORPort [fingerprint]"
};

By default, Tor in NixOS provides one SOCKS proxy on port 9050. Port 9050 is a "slow" SOCKS port which can be used for email, git, and pretty much any other protocol except HTTP(S). This is a safe default which complicates identity correlation attacks, although it isn't sufficient to completely thwart them.

By also enabling services.tor.client.enable, an additional SOCKS service on port 9063 can be enabled. This is a "fast" SOCKS port suitable for browser use; a new circuit is established every ten minutes.

Sandboxing

You can also run the Tor Browser in a Container.

Alternatively, Tor can be configured together with the Firejail sandboxing solution.

Faster Reconnects on Network Switch

Using Systemd/networkd/dispatcher it is possible to restart the Tor daemon every time a network reconnect is performed. This avoids having to wait for Tor network timeouts and reestablishes a new connection faster.

Guard Wrappers Some applications have native support for SOCKS proxies, and it is tempting to use such support. However, it isn't unheard of for proxy support to have bugs or for application plugins to ignore proxy settings or for settings to get lost. Using a wrapper such as torsocks can be more reliable.

An alternative approach is use both a wrapper and built-in proxy support. This way, if the application's proxy support fails, the connection is likely to be caught by the wrapper and if you run the application without the wrapper by mistake, the connections are still likely to be proxied.

KDE Integration

KDE Proxy Configuration In KDE, proxy server configuration is set for all applications centrally. You should set the SOCKS proxy to Tor's default SOCKS port (127.0.0.1:9050), and set the HTTP proxy to Privoxy (127.0.0.1:8118).

Without Privoxy, KDE applications using either KHTML or WebKit KPart (such as Konqueror, Rekonq, KTorrent, Akregator) would become nearly unusable and cause excessive load to the Tor network.

Another possibility is to run tsocks kdeinit4, which would cause kdeinit4 to respawn in a wrapped state. All KDE applications started after this will be wrapped with tsocks.

Kopete Kopete makes direct connections and ignores KDE settings. Kopete torification depends on what plugins you use. XMPP requires tsocks. ICQ requires torsocks-faster.

KDE PIM KMail respects KDE-wide proxy settings, and the "safe" SOCKS port offers good isolation between mailboxes.

DNS over Tor

services = {
  tor = {
    enable = true;
    client.dns.enable = true;
    settings.DNSPort = [{
      addr = "127.0.0.1";
      port = 53;
    }];
  };
  resolved = {
    enable = true; # For caching DNS requests.
    fallbackDns = [ "" ]; # Overwrite compiled-in fallback DNS servers.
  };
};

networking.nameservers = [ "127.0.0.1" ];

Please refer to ArchWiki for details.

References

  1. https://support.torproject.org/tbb/tbb-9
  2. https://nixos.org/manual/nixos/stable/index.html#sec-freeform-modules
  3. https://2019.www.torproject.org/docs/tor-manual.html.en
  4. https://wiki.archlinux.org/title/Tor#TorDNS
  5. https://mynixos.com/search?q=tor